Talk/Event Schedule


Sunday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Sunday - 06:00


Return to Index  -  Locations Legend
Meetup - corner of W Flamingo and Las Vegas Blvd underneath the circular temple structure - Defcon 26 4X5K run -

 

Sunday - 09:00


Return to Index  -  Locations Legend
SKY - Flamingo 3rd Flr - Virginia City Rm - Master Baiting! Dont Click Bait, Click Yourself - BACE16

 

Sunday - 10:00


Return to Index  -  Locations Legend
AIV - Caesars Promenade Level - Florentine BR 3 - Generating Labeled Data From Adversary Simulations With MITRE ATT&CK - Brian Genz
AIV - Caesars Promenade Level - Florentine BR 3 - (10:40-10:59) - AI DevOps: Behind the Scenes of a Global Anti-Virus Company's Machine Learning Infrastructure - Alex Long
BCOS - Caesars Promenade Level - Pompeian BR 1 - The Good, the Bad, and the Private: Building and Breaking Safe Cryptocurrencies - Sarang Noether
BCOS - Caesars Promenade Level - Pompeian BR 1 - (10:45-10:59) - Contest winners, prizes, showcase and awards - Michael Schloh
BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - WELCOME TO THE LAST DAY OF BHV! - Staff
BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - (10:15-10:59) - Exploiting immune defences - can malware learn from biological viruses? - Guy Propper
CPV - Caesars Promenade Level - Milano BR 1,2 - (10:30-11:00) - Geolocation and Homomorphic Encryption - Nicholas Doiron
DC - Track 101 - Flamingo 3rd Flr - Sunset BR - The Mouse is Mightier than the Sword - Patrick Wardle
DC - Track 1 - Caesars Emperor's Level - Palace BR - Rock appround the clock: Tracking malware developers by Android "AAPT" timezone disclosure bug - Sheila A. Berta, Sergio De Los Santos
DC - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Defending the 2018 Midterm Elections from Foreign Adversaries - Joshua M Franklin , Kevin Franklin
DC - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - For the Love of Money: Finding and exploiting vulnerabilities in mobile point of sales systems - Leigh-Anne Galloway, Tim Yunusov
DL - Table 1 - Caesars Promenade Emperor's Level - Outside Track 1 - nzyme - Lennart Koopmann
DL - Table 2 - Caesars Promenade Emperor's Level - Outside Track 1 - GyoiThon - Isao Takaesu, Masuya Masafumi, Toshitsugu Yoneyama,
DL - Table 3 - Caesars Promenade Emperor's Level - Outside Track 1 - CHIRON - Rod Soto, Joseph Zadeh
DL - Table 4 - Caesars Promenade Emperor's Level - Outside Track 1 - PCILeech - Ulf Frisk, Ian Vitek
DL - Table 5 - Caesars Promenade Emperor's Level - Outside Track 1 - Passionfruit - Zhi Zhou, Yifeng Zhang
DL - Table 6 - Caesars Promenade Emperor's Level - Outside Track 1 - Conformer - Mikhail Burshteyn
Meetup - HHV - Caesars Pool Level - Forum 17-19 - (10:30-10:59) - Breakfast at Defcon -
RCV - Caesars Promenade Level - Florentine BR 1,2 -   - HackaThon Product(s) Shocase by Participants
RCV - Caesars Promenade Level - Florentine BR 1,2 - (10:50-11:20) - Winning a SANS 504 CTF without winning a SANS CTF - Wbbigdave
SKY - Flamingo 3rd Flr - Virginia City Rm - Facial Recognition - Let me let you in on a secret - Stumbles The Drunk

 

Sunday - 11:00


Return to Index  -  Locations Legend
AIV - Caesars Promenade Level - Florentine BR 3 - GAN to the dark side: A case study of attacking machine-learning systems to empower defenses - Li Chen
BCOS - Caesars Promenade Level - Pompeian BR 1 - Monero's Differentiated Community - Justin Ehrenhofer
BCOS - Caesars Promenade Level - Pompeian BR 1 - (11:30-11:59) - Privacy and Blockchain: A Boundary Object Perspective - Robin "midipoet" Renwick
BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - Jumping the Epidermal Barrier - Vlad Gostomelsky and Dr. Stan Naydin
CPV - Caesars Promenade Level - Milano BR 1,2 - Two-Steps to Owning MFA - Sherrie Cowley, Dennis Taggart
DC - Track 101 - Flamingo 3rd Flr - Sunset BR - Searching for the Light: Adventures with OpticSpy - Joe Grand
DC - Track 1 - Caesars Emperor's Level - Palace BR - Breaking Extreme Networks WingOS: How to own millions of devices running on Aircrafts, Government, Smart cities and more. - Josep Pi Rodriguez
DC - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Politics and the Surveillance State. The story of a young politician's successful efforts to fight surveillance and pass the nation's strongest privacy bills. - Daniel Zolnikov
DC - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Demystifying MS17-010: Reverse Engineering the ETERNAL Exploits - zerosum0x0
DL - Table 1 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(10:00-11:50) - nzyme - Lennart Koopmann
DL - Table 2 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(10:00-11:50) - GyoiThon - Isao Takaesu, Masuya Masafumi, Toshitsugu Yoneyama,
DL - Table 3 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(10:00-11:50) - CHIRON - Rod Soto, Joseph Zadeh
DL - Table 4 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(10:00-11:50) - PCILeech - Ulf Frisk, Ian Vitek
DL - Table 5 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(10:00-11:50) - Passionfruit - Zhi Zhou, Yifeng Zhang
DL - Table 6 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(10:00-11:50) - Conformer - Mikhail Burshteyn
PHV - Caesars Promenade Level - Neopolitan BR - Microcontrollers and Single Board Computers for Hacking, Fun and Profit - gh057
PHW - Caesars Promenade Level - Neopolitan BR - Advanced APT Hunting with Splunk - Ryan Kovar and John Stoner
RCV - Caesars Promenade Level - Florentine BR 1,2 - cont...(10:50-11:20) - Winning a SANS 504 CTF without winning a SANS CTF - Wbbigdave
RCV - Caesars Promenade Level - Florentine BR 1,2 - (11:25-12:55) - Stalker In A Haystack - MasterChen
SKY - Flamingo 3rd Flr - Virginia City Rm - Sex Work After SESTA - Maggie Mayhem

 

Sunday - 12:00


Return to Index  -  Locations Legend
BCOS - Caesars Promenade Level - Pompeian BR 1 - Stealing Crypto 2 Factor Isn't a Factor - Rod Soto and Jason Malley
BCOS - Caesars Promenade Level - Pompeian BR 1 - (12:30-12:59) - Monero Project's Vulnerability Response Process - Anonimal
BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - cont...(11:00-12:15) - Jumping the Epidermal Barrier - Vlad Gostomelsky and Dr. Stan Naydin
BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - (12:15-12:59) - Selfie or Mugshot? - Anne Kim
CPV - Caesars Promenade Level - Milano BR 1,2 - Implementing a Library for Pairing-based Transform Cryptography - Bob Wall, Colt Frederickson
DC - Track 101 - Flamingo 3rd Flr - Sunset BR - Breaking Smart Speakers: We are Listening to You. - Wu HuiYu, Qian Wenxiang
DC - Track 1 - Caesars Emperor's Level - Palace BR - Last mile authentication problem: Exploiting the missing link in end-to-end secure communication - Thanh Bui, Siddharth Rao
DC - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Attacking the macOS Kernel Graphics Driver - Yu Wang
DC - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Designing and Applying Extensible RF Fuzzing Tools to Expose PHY Layer Vulnerabilities - Matt Knight, Ryan Speers
DL - Table 2 - Caesars Promenade Emperor's Level - Outside Track 1 - Expl-iot—IoT Security Testing and Exploitation framework - Aseem Jakhar
DL - Table 3 - Caesars Promenade Emperor's Level - Outside Track 1 - DejaVU—An Open Source Deception Framework - Bhadreshkumar Patel, Harish Ramadoss
DL - Table 6 - Caesars Promenade Emperor's Level - Outside Track 1 - GUI Tool for OpenC2 Command Generation - Efrain Ortiz
Meetup - Caesars - Promenade Level - Office 4 behind Info Booth near Promenade South - Friends of Bill W -
PHV - Caesars Promenade Level - Neopolitan BR - Fishing for Phishers. The Enterprise Strikes Back! - Joseph Muniz, Aamir Lakhani
PHW - Caesars Promenade Level - Neopolitan BR - cont...(11:00-12:59) - Advanced APT Hunting with Splunk - Ryan Kovar and John Stoner
RCV - Caesars Promenade Level - Florentine BR 1,2 - cont...(11:25-12:55) - Stalker In A Haystack - MasterChen
RCV - Caesars Promenade Level - Florentine BR 1,2 - Mapping Social Media with Facial Recognition - Jacob Wilkin
RCV - Caesars Promenade Level - Florentine BR 1,2 - (12:25-12:40) - Hackathon and CTF Prizes, and a Group Photo - Recon Village Team
RCV - Caesars Promenade Level - Florentine BR 1,2 - (12:45-12:59) - Closing Note - Shubham Mittal / Sudhanshu Chauhan
SKY - Flamingo 3rd Flr - Virginia City Rm - JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and face recognition - and frankly, everywhere else - Guy Barnhart-Magen and Ezra Caltum

 

Sunday - 13:00


Return to Index  -  Locations Legend
BCOS - Caesars Promenade Level - Pompeian BR 1 - Village summary - Diego "rehrar" Salazar
BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - Getting Skin in the Game: Biohacking & Business - Cyberlass
BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - (13:45-13:45) - PWN to OWN my own Heart. Journey into hacking my own pacemake - Veronica Schmit
CPV - Caesars Promenade Level - Milano BR 1,2 - Integrating post-quantum crypto into real-life applications - Christian Paquin
DC - Track 101 - Flamingo 3rd Flr - Sunset BR - Trouble in the tubes: How internet routing security breaks down and how you can do it at home - Lane Broadbent
DC - Track 1 - Caesars Emperor's Level - Palace BR - Man-In-The-Disk - Slava Makkaveev
DC - Track 1 - Caesars Emperor's Level - Palace BR - (13:30-13:50) - Asura: A huge PCAP file analyzer for anomaly packets detection using massive multithreading - Ruo Ando
DC - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Micro-Renovator: Bringing Processor Firmware up to Code - Matt King
DC - Track 2 - Caesars Promenade South - Octavius BR 12-24 - (13:30-13:50) - Lost and Found Certificates: dealing with residual certificates for pre-owned domains - Ian Foster, Dylan Ayrey
DC - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - barcOwned—Popping shells with your cereal box - Michael West, magicspacekiwi (Colin Campbell)
DC - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - (13:30-13:50) - Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking - ldionmarcil
DL - Table 2 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(12:00-13:50) - Expl-iot—IoT Security Testing and Exploitation framework - Aseem Jakhar
DL - Table 3 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(12:00-13:50) - DejaVU—An Open Source Deception Framework - Bhadreshkumar Patel, Harish Ramadoss
DL - Table 6 - Caesars Promenade Emperor's Level - Outside Track 1 - cont...(12:00-13:50) - GUI Tool for OpenC2 Command Generation - Efrain Ortiz
PHV - Caesars Promenade Level - Neopolitan BR - What Do You Want to be When You Grow Up? - Damon "ch3f" Small
SKY - Flamingo 3rd Flr - Virginia City Rm - Game Runner 2049: The Battles Fought by the King of the Replicants - Nick Cano

 

Sunday - 14:00


Return to Index  -  Locations Legend
DC - Track 101 - Flamingo 3rd Flr - Sunset BR - Betrayed by the keyboard: How what you type can give you away - Matt Wixey
DC - Track 1 - Caesars Emperor's Level - Palace BR - Your Watch Can Watch You! Gear Up for the Broken Privilege Pitfalls in the Samsung Gear Smartwatch - Dongsung Kim, Hyoung-Kee Choi
DC - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Hacking BLE Bicycle Locks for Fun and a Small Profit - Vincent Tan
DC - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - One bite and all your dreams will come true: Analyzing and Attacking Apple Kernel Drivers - Xiaolong Bai, Min (Spark) Zheng

 

Sunday - 15:00


Return to Index  -  Locations Legend
DC - Track 1 - Caesars Emperor's Level - Palace BR - PANEL: DEF CON GROUPS - Brent White (B1TK1LL3R), Jeff Moss (The Dark Tangent), Jayson E. Street, S0ups, Tim Roberts (byt3boy), Casey Bourbonnais, April
DC - Track 2 - Caesars Promenade South - Octavius BR 12-24 - What the Fax!? - Yaniv Balmas, Eyal Itkin
DC - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Fuzzing Malware For Fun & Profit. Applying Coverage-guided Fuzzing to Find and Exploit Bugs in Modern Malware - Maksim Shudrak

 

Sunday - 16:00


Return to Index  -  Locations Legend
DC - Track 1 - Caesars Emperor's Level - Palace BR - DEF CON Closing Ceremonies - The Dark Tangent

 

Sunday - 17:00


Return to Index  -  Locations Legend
DC - Track 1 - Caesars Emperor's Level - Palace BR - cont...(16:00-17:45) - DEF CON Closing Ceremonies - The Dark Tangent

Talk/Event Descriptions


 

RCV - Caesars Promenade Level - Florentine BR 1,2 - Sunday - 10:00-10:50


 

No description available


Return to Index    -    Add to    -    ics Calendar file

 

PHW - Caesars Promenade Level - Neopolitan BR - Sunday - 11:00-12:59


Advanced APT Hunting with Splunk

You wanna learn how to hunt the APTs? This is the workshop for you. Using a real-worldish dataset, this workshop will teach you how to hunt the "fictional" APT group Taedonggang. We discuss the Diamond model, hypothesis building, LM Kill Chain, and Mitre Att&ck framework and how these concepts can frame your hunting. Then we look deep in the data using Splunk and OSINT to find the APT activity riddling a small startup's network. We walk you through detecting lateral movement, the P of APT, and even PowerShell Empire. Then at the end, we give you a similar dataset and tools to take home and try newly learned techniques yourself.

Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.

John Stoner is a Principal Security Strategist at Splunk. During his career he has worked in operations, consulting and solutions engineering. In his current role, he leverages his many years of experience in log management, SIEM, security operations and threat intelligence to provide solutions that drive greater situational awareness for organizations.


Return to Index    -    Add to    -    ics Calendar file

 

AIV - Caesars Promenade Level - Florentine BR 3 - Sunday - 10:40-10:59


AI DevOps: Behind the Scenes of a Global Anti-Virus Company’s Machine Learning Infrastructure

Alex Long

“Thus far, the security community has treated machine learning as a research problem. The painful oversight here is in thinking that laboratory results would translate easily to the real world, and as such, not devoting sufficient focus to bridging that gap. Researchers enjoy the luxuries of neat bite-sized datasets to experiment upon, but the harsh reality of millions of potentially malicious files streaming in daily soon hits would-be ML-practitioners in the face like a tsunami-sized splash of ice water. And while in research there’s no such thing as ““too much”” data, dataset sizes challenge real-world cyber security professionals with tough questions: ““How will we store these files efficiently without hampering our ability to use them for day-to-day operations?”” or ““How do we satisfy competing use-cases such as the need to analyze specific files and the need to run analyses across the entire dataset?”” Or maybe most importantly: ““Will my boss have a heart-attack when he sees my AWS bill?””

In this talk, we will provide a live demonstration of the system we’ve built using a variety of AWS services including DynamoDB, Kinesis, Lambda, as well as some more cutting edge AWS services such as Redshift and ECS Fargate. We will go into depth about how the system works and how it answers the difficult questions of real world ML such as the ones listed above. This talk will provide a rare look into the guts of a large-scale machine learning production system. As a result, it will give audience members the tools and understanding to confidently tackle such problems themselves and ultimately give them a bedrock of immediately practical knowledge for deploying large-scale on-demand deep learning in the cloud.”

Alex Long is currently working as a programmer on the Sophos Datascience Team where he builds tools, scalable backends, and cool visualizations to support the team’s research. His latest work has been on creating an online platform for researchers to publish, evaluate, and distribute their latest AI models, thus streamlining the process of productizing AI breakthroughs.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 1 - Caesars Emperor's Level - Palace BR - Sunday - 13:30-13:50


Asura: A huge PCAP file analyzer for anomaly packets detection using massive multithreading

Sunday at 13:30 in Track 1
20 minutes | Tool

Ruo Ando Center for Cybersecurity Research and Development, National Institute of Informatics, Japan

Recently, the inspection of huge traffic log is imposing a great burden on security analysts. Unfortunately, there have been few research efforts focusing on scalablility in analyzing very large PCAP file with reasonable computing resources. Asura is a portable and scalable PCAP file analyzer for detecting anomaly packets using massive multithreading. Asura's parallel packet dump inspection is based on task-based decomposition and therefore can handle massive threads for large PCAP file without considering tidy parameter selection in adopting data decomposition. Asura is designed to scale out in processing large PCAP file by taking as many threads as possible.

Asura takes two steps. First, Asura extracts feature vector represented by associative containers of <sourceIP, destIP> pair. By doing this, the feature vector can be drastically small compared with the size of original PCAP files. In other words, Asura can reduce packet dump data into the size of unique <sourceIP, destIP> pairs (for example, in experiment, Asura's output which is reduced in first step is about 2% compared with the size of original libpcap files). Second, a parallel clustering algorithm is applied for the feature vector which is represented as {<sourceIP, destIP>, V[i]} where V[i] is aggregated flow vector. In second step, Asura adopts an enhanced Kmeans algorithm. Concretely, two functions of Kmeans which are (1)calculating distance and (2)relabeling points are improved for parallel processing.

In experiment, in processing public PCAP datasets, Asura can identified 750 packets which are labeled as malicious from among 70 million (about 18GB) normal packets. In a nutshell, Asura successfully found 750 malicious packets in about 18GB packet dump. For Asura to inspect 70 million packets, it took reasonable computing time of around 350-450 minutes with 1000-5000 multithreading by running commodity workstation. Asura will be released under MIT license and available at author's GitHub site on the first day of DEF CON 26.

Ruo Ando
Ruo Ando is associate professor of NII (National Institute of Informatics) by special appointment in Japan. He has Ph.D of computer science. Before joining NII, he was engaged in research project supported by US AFOSR in 2003 (Grant Number AOARD 03-4049). He has presented his researches in PacSec2011 (BitTorrent crawler) and GreHack2013 (DNS security). He was co-presenter of SysCan2009 and FrHack2009 (Virtual machine instrospection). His current research interest is network security.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Sunday - 12:00-12:45


Attacking the macOS Kernel Graphics Driver

Sunday at 12:00 in Track 2
45 minutes | Demo, Exploit

Yu Wang Senior Staff Engineer at Didi Research America

Just like the Windows platform, graphic drivers of macOS kernel are complicated and provide a large promising attack surface for EoPs and sandbox escapes from low-privileged processes. After auditing part of the binaries, I discovered a number of vulnerabilities last year. Including, NULL pointer dereference, stack-based buffer overflow, arbitrary kernel memory read and write, use-after-free, etc. Some of these vulnerabilities were reported to Apple Inc., such as the CVE-2017-7155, CVE-2017-7163, CVE-2017-13883.

In this presentation, I will share with you the detailed information about these vulnerabilities. Furthermore, from the attacker's perspective, I will also reveal some new exploit techniques and zero-days.

Yu Wang
Yu Wang is a senior staff engineer at Didi Research America. He has previously presented on Syscan360 2012/2013, Hitcon 2013, Black Hat USA 2014, Black Hat ASIA 2016, Black Hat USA Arsenal 2018 and other conferences.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Sunday - 13:00-13:30


barcOwned—Popping shells with your cereal box

Sunday at 13:00 in Track 3
20 minutes | Demo

Michael West Technical Advisor at CyberArk

magicspacekiwi (Colin Campbell) Web Developer

Barcodes and barcode scanners are ubiquitous in many industries and work with untrusted data on labels, boxes, and even phone screens. Most scanners also allow programming via barcodes to manipulate and inject keystrokes. See the problem? By scanning a few programming barcodes, you can infect a scanner and access the keyboard of the host device, letting you type commands just like a Rubber Ducky. This culminates in barcOwned—a small web app that allows you to program scanners and execute complex, device-agnostic payloads in seconds. Possible applications include keystroke injection (including special keys), infiltration and exfiltration of data on air-gapped systems, and good ol' denial of service attacks.

Michael West
Michael West, aka T3h Ub3r K1tten, is a National Technical Advisor at CyberArk who likes cats. His homelab has over 640 kilobytes of RAM. Michael presents regularly at Dallas Hackers Association and enjoys combining his software dev background with infosec to build tools for others. His interests include OSINT, amateur radio, and scanning long barcodes on the beach.

@t3hub3rk1tten, https://mwe.st, https://barcowned.com

magicspacekiwi (Colin Campbell)
magicspacekiwi, aka Colin Campbell, is a Web Developer with a focus on user experience and considers security an important (but often neglected) part of that experience. They've managed to log over 1500 hours in Overwatch while being stuck in plat. Ask them about their nginx configs.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 101 - Flamingo 3rd Flr - Sunset BR - Sunday - 14:00-14:45


Betrayed by the keyboard: How what you type can give you away

Sunday at 14:00 in 101 Track, Flamingo
45 minutes |

Matt Wixey Vulnerability R&D Lead, PwC

Attribution is hard. Typically, the most useful identifiers—IP addresses, email address, domains, and so on—are also the easiest things to spoof, obfuscate, or anonymise. Whilst more advanced techniques, such as correlating malicious activity with timezones, or linking attacks through the use of similar techniques or malware, can be useful, they tend to take investigators further away from the individuals responsible; at best, some inference about the country or specific actor group/collective can be made.

In this talk, I present a method for linking incidents to individual attackers with a high degree of accuracy, based on extremely fine-grained behavioural characteristics. This involves an investigatory technique known as "case linkage analysis" (CLA), which uses granular aspects of crime scene behaviours to link common offenders together through statistical comparison. It's been applied to some crime types before, but never to cyber attacks.

I'll cover how CLA works, its advantages and disadvantages, and how it has previously been applied to a range of crimes, from burglary to homicide. I'll place it within the context of personality psychology, biometrics, forensic criminology, offender profiling, and forensic linguistics; and will walk through applying it practically.

I'll then show the results of a novel experiment I conducted applying CLA to network intrusion attacks, which involved logging the keystrokes of volunteer attackers across different simulated intrusions, breaking these down into specific behaviours and syntax, and using these to link individuals to their offences. The end result: the way you type commands, including your choice and order of syntax, switches, and options, can form distinctive behavioural signatures, which can be used to link attackers together. Linking accuracy rates as high as 99% were achieved.

Finally, I'll talk about the implications for both defenders and everyone else (particularly focusing on the privacy implications), explore ways in which these techniques could be defeated, and outline some ideas for future research in these areas.

Matt Wixey
Matt leads technical research for the PwC Cyber Security practice in the UK, works on its Ethical Hacking team, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

@darkartlab


Return to Index    -    Add to    -    ics Calendar file

 

Meetup - HHV - Caesars Pool Level - Forum 17-19 - Sunday - 10:30-10:59


Title:
Breakfast at Defcon

Sunday's cure for the @defcon hangover is our annual #BreakfastAtDefcon. Join @Hackaday and @Tindie in the Hardware Hacking Village on Sunday at 10:30!
More Info: https://hackaday.com/2018/08/08/sunday-breakfast-at-def-con-2/

Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 1 - Caesars Emperor's Level - Palace BR - Sunday - 11:00-11:45


Breaking Extreme Networks WingOS: How to own millions of devices running on Aircrafts, Government, Smart cities and more.

Sunday at 11:00 in Track 1
45 minutes | Demo, Exploit

Josep Pi Rodriguez Senior security consultant, IOActive

Extreme network's embedded WingOS (Originally created by Motorola) is an operating system used in several wireless devices such as access points and controllers. This OS is being used in Motorola devices, Zebra devices and Extreme network's devices. This research started focusing in an access point widely used in many Aircrafts by several worldwide airlines but ended up in something bigger in terms of devices affected as this embedded operating system is not only used in AP's for Aircrafts but also in Healthcare, Government, Transportation, Smart cities, small to big enterprises... and more.

Based on public information, we will see how vulnerable devices are actively used (outdoors) in big cities around the world. But also in Universities, Hotels,Casinos, Big companies, Mines, Hospitals and provides the Wi-Fi access for places such as the New york City Subway.

In this presentation we will show with technical details how several critical vulnerabilities were found in this embedded OS. First we will introduce some internals and details about the OS and then we will show the techniques used to reverse engineering the mipsN32 ABI code for the Cavium Octeon processor. It will be discussed how some code was emulated to detect how a dynamic password is generated with a cryptographic algorithm for a root shell backdoor. Besides, it will be shown how some protocols used by some services were reverse engineered to find unauthenticated heap and stack overflow vulnerabilities that could be exploitable trough Wireless or Ethernet connection.

This OS also uses a proprietary layer 2/3 protocol called MiNT. This protocol is used for communication between WingOS devices through VLAN or IP. This protocol was also reverse engineered and remote heap/stack overflow vulnerabilities were found on services using this protocol and will be shown. As a live demonstration, 2 devices will be used to exploit a remote stack overflow chaining several vulnerabilities as the attacker could do inside an aircraft (or other scenarios) through the Wi-Fi. As there are not public shellcodes for mipsN32 ABI, the particularities of creating a Shellcode for mipsN32 ABI will be also discussed.

Josep Pi Rodriguez
Josep Pi Rodriguez is experienced in network penetration and web application testing, reverse engineering, industrial control systems, transportation, RF, embedded systems, vulnerability research, exploit development, and malware analysis. As a senior consultant at IOActive, Mr. Rodriguez performs penetration testing, identifies system vulnerabilities and researches cutting-edge technologies. Mr. Rodriguez has performed security services and penetration tests for numerous global organizations and a wide range of financial, technical, and educational institutions. He has presented at international conferences including Immunity infiltrate, Hack in paris and Japan CCDS iot conference.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 101 - Flamingo 3rd Flr - Sunset BR - Sunday - 12:00-12:45


Breaking Smart Speakers: We are Listening to You.

Sunday at 12:00 in 101 Track, Flamingo
45 minutes | Demo, Exploit

Wu HuiYu Security Researcher At Tencent Blade Team

Qian Wenxiang Security Researcher At Tencent Blade Team

In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.

In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice.

Wu HuiYu
Wu HuiYu is a security researcher at Tencent Blade Team of Tencent Security Platform Department. Now his job is mainly focus on IoT security research and mobile security research. He is also a bug hunter, winner of GeekPwn 2015, and speaker of HITB 2018 AMS & POC2017.

Qian Wenxiang
Qian Wenxiang is a security researcher at the Tencent Blade Team of Tencent Security Platform Department. His is focusing on security research of IoT devices. He also performed security audits for web browsers. He was on the top 100 of annual MSRC list (2016 & 2017 ). He published a book called "Whitehat Talk About Web Browser Security ".


Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 3 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 10:00-11:50


CHIRON

Sunday 08/12/18 from 1000-1150 at Table Three
Defense

Rod Soto

Joseph Zadeh

Home-based open source network analytics and machine learning threat detection

CHIRON is a home analytics based on ELK stack combined with Machine Learning threat detection framework AKTAION. CHIRON parses and displays data from P0f, Nmap, and BRO IDS. CHIRON is designed for home use and will give great visibility to home internet devices (IOT, Computers, Cellphones, Tablets, etc). CHIRON is integrated with AKTAION which detects exploit delivery ransomware/phishing.

https://github.com/jzadeh/chiron-elk

Rod Soto
Rod Soto. Director of Security Research at JASK.AI Founder Pacific Hackers Conference, Co-founder Hack The Valley

Joseph Zadeh
Joseph Zadeh. Director of Data science at JASK.AI Co-founder Hack the Valley


Return to Index    -    Add to    -    ics Calendar file

 

RCV - Caesars Promenade Level - Florentine BR 1,2 - Sunday - 12:45-12:59


Closing Note

No description available


Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 6 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 10:00-11:50


Conformer

Sunday 08/12/18 from 1000-1150 at Table Six
Offense, AppSec

Mikhail Burshteyn

Conformer is a penetration testing tool, mostly used for external assessments to perform password based attacks against common webforms. Conformer was created from a need for password guessing against new web forms, without having to do prior burp work each time, and wanting to automate such attacks. Conformer is modular with many different parameters and options that can be customized to make for a powerful attack. Conformer has been used in countless assessments to obtain valid user credentials for accessing the internal environment through VPN, other internal resources or data to further the assessment.

https://github.com/mikhbur/conformer

Mikhail Burshteyn
Mikhail Burshteyn is a security consultant at CDW, performing Penetration Tests. Mikhail currently performs External, Internal, Wireless, and Social Engineering assessments, testing the capabilities for wide range of clients and industries. He is interested in research in various security topics, including Networking, Web Apps, and Active Directory.


Return to Index    -    Add to    -    ics Calendar file

 

BCOS - Caesars Promenade Level - Pompeian BR 1 - Sunday - 10:45-10:59


Title: Contest winners, prizes, showcase and awards

Speakers: Michael Schloh

Description:
No description available



Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 1 - Caesars Emperor's Level - Palace BR - Sunday - 16:00-17:45


DEF CON Closing Ceremonies

Sunday at 16:00 in Track 1
105 minutes | Audience Particption

The Dark Tangent

DEF CON Closing Ceremonies

The Dark Tangent


Return to Index    -    Add to    -    ics Calendar file

 

Meetup - corner of W Flamingo and Las Vegas Blvd underneath the circular temple structure - Sunday - 06:00-06:59


Title:
Defcon 26 4X5K run

"Good Livin" is returning to DefCon 26, because maybe you want a little more! Maybe you feel like getting up at 5:30 in Vegas. Maybe you didn't stop the night before. Maybe because 6 AM is the coolest time for a run in Vegas (It's only 80!) Who cares let's go for a run!
We hit all the hot spots on the 4x5K @defcon with @whereiskurt ! Details here. https://www.reddit.com/r/Defcon/comments/8rcc5m/defcon_26_4_x_5k_is_on_again/ . . .
Also don't forget a World Run by Hackers https://www.eventbrite.com/e/world-run-by-hackers-5th-edition-registration-47811111321 . . . for even more running.
More info: @Agent__X__ tweet

Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Sunday - 10:00-10:45


Defending the 2018 Midterm Elections from Foreign Adversaries

Sunday at 10:00 in Track 2
45 minutes | Demo, Tool

Joshua M Franklin Hacker

Kevin Franklin Hacker

Election Buster is an open source tool created in 2014 to identify malicious domains masquerading as candidate webpages and voter registration systems. During 2016, fake domains were used to compromise credentials of a Democratic National Committee (DNC) IT services company, and foreign adversaries probed voter registration systems. The tool now cross-checks domain information against open source threat intelligence feeds, and uses a semi-autonomous scheme for identifying phundraising and false flag sites via ensembled data mining and deep learning techniques. We identified Russian nationals registering fake campaign sites, candidates deploying defensive—and offensive—measures against their opponents, and candidates unintentionally exposing sensitive PII to the public. This talk provides an analysis of our 2016 Presidential Election data, and all data recently collected during the 2018 midterm elections. The talk also details technological and procedural measures that government offices and campaigns can use to defend themselves.

Joshua M Franklin
Joshua Franklin has over a decade of experience working with election technology, and is a security engineer at the National Institute of Standards and Technology (NIST) focusing on cellular and electronic voting security. Prior to NIST, Joshua worked at the U.S. Election Assistance Commission gathering hands-on experience with a variety of voting technologies. Joshua managed federal certification efforts and alongside election officials, labs, and manufacturers across the United States. Joshua recently co-chaired the Election Cybersecurity Working Group, and was the principal author for the security portions of the next generation of federal voting system standards.

Kevin Franklin
Kevin Franklin has several decades of technology experience in big data. He possesses an undergraduate degree in Engineering from Mississippi State University and a masters degree in Computer Science from Southern Polytechnic University.


Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 3 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 12:00-13:50


DejaVU—An Open Source Deception Framework

Sunday 08/12/18 from 1200-1350 at Table Three
Offense/Defense

Bhadreshkumar Patel

Harish Ramadoss

Deception techniques—if deployed well—can be very effective for organizations to improve network defense and can be a useful arsenal for blue teams to detect attacks at very early stage of cyber kill chain. But the challenge we have seen is deploying, managing and administering decoys across large networks. Although there are lot of commercial tools in this space, we haven't come across open source tools which can achieve this.

With this in mind, we have developed DejaVu which is an open source deception framework which can be used to deploy, configure and administer decoys centrally across the infrastructure. A web-based management console can be used by the defender to deploy multiple interactive decoys (HTTP Servers,SQL,SMB,FTP,SSH,client side–NBNS) strategically across their network on different VLANs. Logging and alerting dashboard displays detailed information about the alerts generated and can be further configured to generate high accuracy alert; and how these alerts should be handled.

Decoys can also be placed on the client VLANs to detect client side attacks such as responder/LLMNR attacks using client side decoys. Additionally, common attacks which the adversary uses to compromise such as abusing Tomcat/SQL server for initial foothold can be deployed as decoys, luring the attacker and enabling detection.

https://github.com/bhdresh/Dejavu

Bhadreshkumar Patel
Bhadreshkumar Patel is a Reverse Engineer by nature and Security Specialist/Pentester by profession with 10 years of experience in offensive and defensive side of security. Likes to code, break stuff, play with controllers. Got lucky in finding zero days in Facebook, NGFW, wireless routers, HMS etc. Dejavu is Bhadresh's first conference submission, but not his first contribution to the security community.

Harish Ramadoss
Harish Ramadoss has over seven years of experience in offensive security space focusing on application and infrastructure security assessments. Led large scale penetration testing engagements for various clients across Finance, Government and Defense.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Sunday - 11:00-11:45


Demystifying MS17-010: Reverse Engineering the ETERNAL Exploits

Sunday at 11:00 in Track 3
45 minutes | Demo, Tool, Exploit, Audience Participation

zerosum0x0 Hacker

MS17-010 is the most important patch in the history of operating systems, fixing remote code execution vulnerabilities in the world of modern Windows. The ETERNAL exploits, written by the Equation Group and dumped by the Shadow Brokers, have been used in the most damaging cyber attacks in computing history: WannaCry, NotPetya, Olympic Destroyer, and many others.

Yet, how these complicated exploits work has not been made clear to most. This is due to the ETERNAL exploits taking advantage of undocumented features of the Windows kernel and the esoteric SMBv1 protocol.

This talk will condense years of research into Windows internals and the SMBv1 protocol driver. Descriptions of full reverse engineering of internal structures and all historical background info needed to understand how the exploit chains for ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY work will be provided.

This talk will also describe how the MS17-010 patch fixed the vulnerabilities, and identify additional vulnerabilities that were patched around the same time.

zerosum0x0
zerosum0x0 is the author of all MS17-010 ETERNAL Metasploit exploit modules and was the first to reverse engineer the DOUBLEPULSAR backdoor. He has taught workshops on Windows internals at DEF CON and to government agencies.

@zerosum0x0


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Sunday - 12:00-12:45


Designing and Applying Extensible RF Fuzzing Tools to Expose PHY Layer Vulnerabilities

Sunday at 12:00 in Track 3
45 minutes | Demo, Tool, Exploit

Matt Knight Senior Security Engineer, Cruise Automation

Ryan Speers Director of Research, Ionic Security

In this session, we introduce an open source hardware and software framework for fuzzing arbitrary RF protocols, all the way down to the PHY. While fuzzing has long been relied on by security researchers to identify software bugs, applying fuzzing methodologies to RF and hardware systems has historically been challenging due to siloed tools and the limited capabilities of commodity RF chipsets.

We created the TumbleRF fuzzing orchestration framework to address these shortfalls by defining core fuzzing logic while abstracting a hardware interface API that can be mapped for compatibility with any RF driver. Thus, supporting a new radio involves merely extending an API, rather than writing a protocol-specific fuzzer from scratch.

Additionally, we introduce Orthrus, a low-cost 2.4 GHz offensive radio tool that provides PHY-layer mutability to offer Software Defined Radio-like features in a flexible and low-latency embedded form factor. By combining the two, researchers will be able to fuzz and test RF protocols with greater depth and precision than ever before.

Attendees can expect to leave this talk with an understanding of how RF and hardware physical layers actually work, and how to identify security issues that lie latent in these designs.

Matt Knight
Matt Knight (@embeddedsec) is a Senior Security Engineer with Cruise Automation, where he works on securing autonomous cars and the infrastructure that supports them. Matt also leads the RF practice at River Loop Security, an embedded systems security and design consultancy. With specific interests in RF networks and physical layers, he notably reverse engineered the LoRa PHY based on blind signal analysis, and has run several trainings on RF reverse engineering fundamentals. Matt holds a BE in Electrical Engineering from Dartmouth College.

@embeddedsec

Ryan Speers
Ryan Speers (@rmspeers) is a security researcher and developer who enjoys embedded systems, low-power radio protocols, and reversing proprietary systems. He has worked in offensive and defensive roles on networks, Windows, micro controllers, and many things in-between. As co-founder at River Loop Security, he tests embedded systems for security issues, and helps clients build more secure systems. He is also Director of Research for Ionic Security where he leads system and cryptographic research. He has previously spoken at a number of security conferences and written some articles for journals ranging from peer-reviewed academic publications to PoC||GTFO.

@rmspeers


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Sunday - 13:30-13:50


Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

Sunday at 13:30 in Track 3
20 minutes | Demo

ldionmarcil Pentester at GoSecure

When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks.

The ESI language consists of a small set of instructions represented by XML tags, served by the backend application server, which are processed on the Edge servers (load balancers, reverse proxies). Due to the upstream-trusting nature of Edge servers, ESI engines are not able to distinguish between ESI instructions legitimately provided by the application server and malicious instructions injected by a malicious party. We identified that ESI can be used to perform SSRF, bypass reflected XSS filters (Chrome), and perform Javascript-less cookie theft, including HTTPOnly cookies.

Identified affected vendors include Akamai, Varnish, Squid, Fastly, WebSphere, WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by introducing ESI and visiting typical infrastructures leveraging it. We will then delve into identification, exploitation of popular ESI engines, and mitigation.

ldionmarcil
Louis is a Security Analyst working at GoSecure in Montreal where he specializes in offensive appsec and pentest on medium to large scale organizations. Seasoned CTF participant and sometimes finalist with the DCIETS team, he has also written challenges for various competitions. Having recently obtained his Software Engineering degree, he dabbles in various research engagements between pentests.

@ldionmarcil


Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 2 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 12:00-13:50


Expl-iot—IoT Security Testing and Exploitation framework

Sunday 08/12/18 from 1200-1350 at Table Two
IoT Testers- Pentesters- IoT developers- Offense- Hardware

Aseem Jakhar

Expl-iot is an open source flexible and extendable framework for IoT Security Testing and exploitation. It will provide the building block for writing exploits and other IoT security assessment test cases with ease. Expliot will support most IoT communication protocols, firmware analysis, hardware interfacing functionality and test cases that can be used from within the framework to quickly map and exploit an IoT product or IoT Infrastructure.It will help the security community in writing quick IoT test cases and exploits. The objectives of the framework are: 1. Easy of use 2. Extendable 3. Support for hardware, radio and IoT protocol analysisWe released Expl-iot ruby version in 2017. Once we started implementing hardware and radio functionality, we realized that ruby does not have much support for hardware and radio analysis which led us to deprecate it and re-write it in python to support more functionality. We are currently working on the python3 version and will release it in a month. The new beta release is envisioned to have support for UART(serial), ZigBee, BLE, MQTT, CoAP (next version will have support for JTAG, I2C and SPI) and few miscellaneous test cases.

https://bitbucket.org/aseemjakhar/expliot_framework

Aseem Jakhar
Aseem Jakhar is the Director, research at Payatu Software Labs http://payatu.com a boutique security testing company specializing in IoT, Embedded, cloud, mobile security testing. He is the founder of null-The open security community, registered not-for-profit organization http://null.co.in and also the founder of nullcon security conference http://nullcon.net and hardwear.io security conference. He has worked on various security software including UTM appliances, messaging/security appliances, anti-spam engine, anti-virus software, bayesian engine to name a few. He currently spends his time researching on IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, Brucon, Defcon, Hack.lu, Hack in Paris, Hack In The Box, PHDays and many more. He has authored various open source security software including


Return to Index    -    Add to    -    ics Calendar file

 

BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - Sunday - 10:15-10:59


Title: Exploiting immune defences - can malware learn from biological viruses?

Speaker: Guy Propper
Abstract:
Biological viruses have existed and evolved for millions of years, maliciously exploiting host cells for survival. How have they done this, and what can we learn from it?
Extremely advanced mechanisms for privilege escalation, persistence, and defence evasion have been used by biological viruses long before malware was first written.
This talk will provide an understanding of what mechanisms are used by biological viruses to exploit immune defences, persist, and survive in the arms race with the immune system.
Surprising differences between malware and virus actions will be shown, and some mechanisms which are used by viruses, but have not been adopted, or even attempted by malware, will be revealed.
No biological background is needed, only an open mind.

Return to Index    -    Add to    -    ics Calendar file

 

SKY - Flamingo 3rd Flr - Virginia City Rm - Sunday - 10:00-10:59


Title:
Facial Recognition - Let me let you in on a secret

Stumbles The Drunk

@stumblesthedrunk

Facial Recognition - Let me let you in on a secret

Facial Recognition is being inserted in to the authentication and verification process of our Driver Licences, Passports, and other unimportant government documents. Let's talk about how it short falls and how to #$@! with it.


Return to Index    -    Add to    -    ics Calendar file

 

PHV - Caesars Promenade Level - Neopolitan BR - Sunday - 12:00-12:59


Fishing for Phishers. The Enterprise Strikes Back!

Joseph Muniz, Cisco
Aamir Lakhani, Fortinet

Phishing and social engineering has been around since Han Solo has flown the Millennium Flacon. The typically response is deleting the messages and giving the middle finger however, what more could be done to strike back? This talk will cover how to build an artificial environment and develop anti phishing tools used to respond to phishing attempts. Results could include owning the attacker's box "hypothetically" since some legal boundaries could be crossed.

Joseph Muniz is an architect at Cisco Systems. Aamir Lakhani (Twitter: @SecureBlogger) is a lead researcher at Fortinet. Together, they have spoken at various conferences including the infamous Social Media Deception RSA talk quoted by many sources found by searching "Emily Williams Social Engineering." They are also making their fourth appearance for the DEF CON Wall of Sheep. Both speakers have written books together including a recent title Digital Forensics for Network Engineers released on Cisco Press late February 2018. They have been friends for years and continue to collaborate on research and other projects.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Sunday - 10:00-10:45


For the Love of Money: Finding and exploiting vulnerabilities in mobile point of sales systems

Sunday at 10:00 in Track 3
45 minutes | Demo, Tool

Leigh-Anne Galloway Cyber Security Resilience Lead, Positive Technologies

Tim Yunusov Hacker

These days it's hard to find a business that doesn't accept faster payments. Mobile Point of Sales (mPOS) terminals have propelled this growth lowering the barriers for small and micro-sized businesses to accept non-cash payments. Older payment technologies like mag-stripe still account for the largest majority of all in-person transactions. This is complicated further by the introduction of new payment standards such as NFC. As with each new iteration in payment technology, inevitably weaknesses are introduced into this increasingly complex payment eco-system.

In this talk, we ask, what are the security and fraud implications of removing the economic barriers to accepting card payments; and what are the risks associated with continued reliance on old card standards like mag-stripe? In the past, testing for payment attack vectors has been limited to the scope of individual projects and to those that have permanent access to POS and payment infrastructure. Not anymore!

In what we believe to be the most comprehensive research conducted in this area, we consider four of the major mPOS providers spread across the US and Europe; Square, SumUp, iZettle and Paypal. We provide live demonstrations of new vulnerabilities that allow you to MitM transactions, send arbitrary code via Bluetooth and mobile application, modify payment values for mag-stripe transactions, and a vulnerability in firmware; DoS to RCE. Using this sampled geographic approach, we are able to show the current attack surface of mPOS and, to predict how this will evolve over the coming years.

For audience members that are interested in integrating testing practices into their organization or research practices, we will show you how to use mPOS to identify weaknesses in payment technologies, and how to remain undetected in spite of anti-fraud and security mechanisms.

Leigh-Anne Galloway
Leigh-Anne Galloway is a Security Researcher who specializes in the areas of application and payment security. Leigh-Anne started her career in incident response, leading investigations into payment card data breaches. This is where she discovered her passion for security advisory and payment technologies. She has presented and authored research on ATM security, application security and payment technology vulnerabilities, and has previously spoken at DevSecCon, BSides, Hacktivity, 8dot8, OWASP, and Troopers.

@L_AGalloway

Tim Yunusov
Tim Yunusov is a Senior Expert in the area of banking security and application security. He has authored multiple research in these areas including "Apple Pay replay attacks" (Black Hat USA 2017), "7 sins of ATM protection against logical attacks" (PacSec, POC), "Bruteforce of PHPSESSID", "XML Out-Of-Band" (Black Hat EU), and is rated in the Top Ten Web Hacking Techniques by WhiteHat Security. He regularly speaks at conferences and has previously spoken at CanSecWest, Black Hat USA, Black Hat EU, HackInTheBox, Nullcon, NoSuchCon, Hack In Paris, ZeroNights and Positive Hack Days.

@a66at


Return to Index    -    Add to    -    ics Calendar file

 

Meetup - Caesars - Promenade Level - Office 4 behind Info Booth near Promenade South - Sunday - 12:00-12:59


Title:
Friends of Bill W

For all those Friends of Bill W. looking for a meeting or just a quiet moment to regroup, we have you covered with meetings throughout #DEFCON - Noon &5pm Thurs-Sat, Noon Sun. The location is Office 4 Behind the @dcib.

Stop by, refresh yourself.

We\x92ll be here.

Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Sunday - 15:00-15:45


Fuzzing Malware For Fun & Profit. Applying Coverage-guided Fuzzing to Find and Exploit Bugs in Modern Malware

Sunday at 15:00 in Track 3
45 minutes | Demo, Tool, Exploit

Maksim Shudrak Senior Offensive Security Researcher, Salesforce

Practice shows that even the most secure software written by the best engineers contain bugs. Malware is not an exception. In most cases their authors do not follow the best secure software development practices thereby introducing an interesting attack scenario which can be used to stop or slow-down malware spreading, defend against DDoS attacks and take control over C&Cs and botnets. Several previous researches have demonstrated that such bugs exist and can be exploited. To find those bugs it would be reasonable to use coverage-guided fuzzing.

This talk aims to answer the following two questions: ___ we defend against malware by exploiting bugs in them ? How can we use fuzzing to find those bugs automatically ?

The author will show how we can apply coverage-guided fuzzing to automatically find bugs in sophisticated malicious samples such as botnet Mirai which was used to conduct one of the most destructive DDoS in history and various banking trojans. A new cross-platform tool implemented on top of WinAFL will be released and a set of 0day vulnerabilities will be presented.

Do you want to see how a small addition to HTTP-response can stop a large-scale DDoS attack or how a smart bitflipping can cause RCE in a sophisticated banking trojan? If the answer is yes, this is definitely your talk.

Maksim Shudrak
Maksim is a security researcher, hacker who loves vulnerabilities hunting, fuzzing acrobatics and complex malicious samples reversing. Maksim had a change to work on binary instrumentation, Windows operating system emulators and malware analysis at large cyber security companies around the world.

https://github.com/mxmssh, https://www.linkedin.com/in/mshudrak


Return to Index    -    Add to    -    ics Calendar file

 

SKY - Flamingo 3rd Flr - Virginia City Rm - Sunday - 13:00-13:59


Title:
Game Runner 2049: The Battles Fought by the King of the Replicants

Nick Cano
@nickcano93

Game Runner 2049: The Battles Fought by the King of the Replicants

"XenoBot is an engineered player, provided to cheaters for use in-game. It's enhanced reaction speed and inability to tire made it ideal for power leveling.

After a series of technological breakthroughs, it's use became ubiquitous and Tibia became a botter haven.

The collapse of fair play in the early 2000's led to the rise of DarkstaR, as his bot masked it's synthetic properties and averted detection.

Through XenoBot, DarkstaR acquired the keys to a line of botted characters that would silently obey and benefit him.

Many usurpers in-game guilds, software crackers, and DDoSers came forth. They hunted him to prove themselves.

Those he defeated still know him by the name... Game Runner

This is a talk for gamers and hackers about the battles I fought during a decade selling an MMORPG bot. I'll talk about what it was like to wield a surveillance system comprised of thousands of botted characters providing me with military-grade in-game intelligence. I'll outline the lessons I learned fighting off massive DDoS attacks on my own, including how I turned the laser on a mirror. I'll share a funny story about how serendipity convinced a forum that I had hacked them, as well as the the time I actually mass-hacked hundreds of users on a forum where child-porn was talked about with normalcy. I'll go into how CloudFlare doxxed me to that forum and how I hacked my way to the top of the situation without anyone being the wiser. After these and other tales, I hope you'll walk away from this talk laughing at my shenanigans while also having learned a few things about game development, hacking, and how to outmaneuver your opposition."


Return to Index    -    Add to    -    ics Calendar file

 

AIV - Caesars Promenade Level - Florentine BR 3 - Sunday - 11:00-11:40


GAN to the dark side: A case study of attacking machine-learning systems to empower defenses

Li Chen

“There has been a surge of interest in using machine learning (ML) to automatically detect malware through their dynamic behaviors. These approaches indeed have achieved much higher accurate detection rate and lower false positive rate. ML in threat detection has demonstrated to be a good cop to guard platform security. However should we fully trust ML-powered security? Here, we juxtapose the resiliency and trustworthiness of ML algorithms for security, in the case study of ransomware detection. We propose RD-Fool, an AI-based system to bypass ML-based ransomware detection.

In this talk, we examine the perspectives of ML assuming the role of both a good cop and a bad cop. We first train a variety of deep learning and classical machine learning classifiers for ransomware detection using data collected from file I/O and registry events. We show the classifiers can achieve great performance in terms of classification accuracy and false positive rate for ransomware detection. Then we examine the resiliency of these classifiers using our proposed system RD-Fool. RD-Fool uses random forest and generative adversarial networks (GAN) to generate samples which can bypass the ransomware detectors. We demonstrate both exploratory and causative attacks using RD-Fool, where exploratory attack aims at bypassing the ransomware detector during inference phase, and causative attack aims at poisoning the training data to perturb the ML decision boundary.

The key advantages of RD-Fool include quick identification of the blind spots of the victim ML model and efficient generation of realistic and evasive samples. We examine the quality of the crafted sample using the perturbation distance and the Silhouette score. Our results and discoveries pose interesting and alarming issues such as how much should we trust or utilize ML for better security. “

Li Chen is a data scientist and research scientist in the Security and Privacy Lab at Intel Labs, where she focuses on developing state-of-the-art robust machine learning and deep learning algorithms for security analytics including applications in malware detection and image classification in the adversarial setting. She is also the co-primary investigator (PI) and research lead at the Intel Science & Technology Center for Adversary-Resilient Security Analytics. She designs the roadmaps with Intel and Georgia Tech PIs to jointly meet both industrial and academic research objectives. She provides research direction and in-depth technical guidance to advance the ARSA research agenda. Prior to joining Intel Labs, Li was a Data Scientist in Software and Services Group at Intel, where she focused on developing advanced and principled machine learning methods for cloud workload characterization and cloud computing performance. Li Chen received her Ph.D. degree in Applied Mathematics and Statistics from Johns Hopkins University. Her research interests primarily include machine learning, statistical pattern recognition, random graph inference, data mining, and inference for high-dimensional data. Her research has been featured in a number of pioneering scientific and engineering journals and conferences including IEEE Transactions on Pattern Analysis and Machine Intelligence, Annals of Applied Statistics, Parallel Computing, AAAI Conference on Artificial Intelligence and SPIE. She has given more than 30 technical presentations, including at the Joint Statistical Meeting (the largest statistics conference in North America), AAAI conference, International Joint Conference on Artificial Intelligence, and Spring Research Conference on Statistics and Industry Technology.


Return to Index    -    Add to    -    ics Calendar file

 

AIV - Caesars Promenade Level - Florentine BR 3 - Sunday - 10:00-10:40


Generating Labeled Data From Adversary Simulations With MITRE ATT&CK 

Brian Genz

“Attackers have a seemingly endless arsenal of tools and techniques at their disposal, while defenders must continuously strive to improve detection capabilities across the full spectrum of possible vectors. The MITRE ATT&CK Framework provides a useful collection of attacker tactics and techniques that enables a threat-focused approach to detection. 

This technical talk will highlight key lessons learned from an internal adversary simulation at a Fortune 100 company that evolved into a series of data science experiments designed to improve threat detection. ”

Brian Genz is a Security Engineer focused on threat hunting, security data science, threat intelligence, and security orchestration, automation & response. He brings experience in the defense intelligence, manufacturing, and financial sectors in the areas of incident response, digital forensics, vulnerability management, and security architecture consulting. He has presented at Derby Con, Circle City Con, CypherCon, the ISSA International Conference, ISACA, InfraGard, and other venues. Brian also serves as adjunct faculty in the information security program at Milwaukee Area Technical College.


Return to Index    -    Add to    -    ics Calendar file

 

CPV - Caesars Promenade Level - Milano BR 1,2 - Sunday - 10:30-11:00


Title:
Geolocation and Homomorphic Encryption

10:30am

Geolocation and Homomorphic Encryption
When
Sun, August 12, 10:30am 11:00am
Description
Speaker
------
Nicholas Doiron

Abstract
--------
How often are apps asking for your location? Lat/lng coordinates reveal a lot about you, but we share them every day with web services to look up our location and find nearby businesses.

What if it were possible to encrypt the coordinates which we were searching, and a web service could find results for us anyway? This talk shows sample code of homomorphic encryption being used in geo/location searches (Paillier cryptosystem, JavaScript and Python), and potential futures for private geodata.

Bio
-----------------
Nick is a web developer and mapmaker currently at McKinsey & Company's New York City office. Previously he worked at One Laptop per Child, Code for America, and the Museum of Modern Art.

Twitter handle of presenter(s)
------------------------------
@mapmeld

Website of presenter(s) or content
----------------------------------
https://github.com/georeactor/crypto-geofence

Return to Index    -    Add to    -    ics Calendar file

 

BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - Sunday - 13:00-12:59


Title: Getting Skin in the Game: Biohacking & Business

Speaker: Cyberlass
About Cyberlass:
As an IT professional and biohacker Amanda Plimpton is delighted by the surge of citizen scientists who are driven to investigate, experiment and seek answers. She is interested in how the biohacking/body augmenting community can help its growing pool of talented, passionate individuals contribute to their fields from the commercial, academic or non-profit sectors. As Chief Operating Officer at Livestock Labs she is helping build a company that showcases one way biohackers can enter commercial spaces. Hoping to bring back lessons learned, she wants to keep helping grow a community that supports each other and promotes successes.
Abstract:
Let’s talk biohacking, technology and business. We are a community that is innovating and creating — mostly in non-profit and academic spaces. As we have grown so have the business opportunities, sometimes in unexpected places. My company, Livestock Labs, is bringing its biometric implant to market — in cows first. Started by grinders, the company is proving what we all know — that when we get funding and dedicated time our projects take off. This session tries to shed some light on learning to business as a biohacker and encourages other body augmenters and diyBio folks to take the leap and see what amazing things they can accomplish.

Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 6 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 12:00-13:50


GUI Tool for OpenC2 Command Generation

Sunday 08/12/18 from 1200-1350 at Table Six
Defense

Efrain Ortiz

The tool is a stand alone web self service application that graphically represents all the evolving OpenC2 commands to allow OpenC2 application developers to click and generate OpenC2 commands. The tool makes it extremely easy for even beginners to work on the creation of OpenC2 commands. The tool provides the OpenC2 command output in JSON and in curl, nodejs and python code to be easily integrate into Incident Response or Orchestration platforms.

https://github.com/netcoredor/openc2-cmdgen

Efrain Ortiz
Efrain is a Director in the Office of the CTO at Symantec Corporation. Prior to his Director role, he worked 15 years as a field pre-sales systems engineer. Efrain started his digital life on a TRS-80 Color Computer II in the 1980s. Previous to his 15 years at Symantec, he worked in various roles, from pen testing to network and systems administration. His current favorite project is working on the OpenC2 language specification.


Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 2 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 10:00-11:50


GyoiThon

Sunday 08/12/18 from 1000-1150 at Table Two
Offense

Isao Takaesu

Masuya Masafumi

Toshitsugu Yoneyama,

GyoiThon is a fully automated penetration testing tool against web server. GyoiThon nondestructively identifies the software installed on web server (OS, Middleware, Framework, CMS, etc...) using multiple methods such as machine learning, Google Hacking, pattern matching. After that, GyoiThon executes valid exploits for the identified software. Finally, GyoiThon generates report of scan results. GyoiThon executes the above processing fully automatically.

GyoiThon consists of three engines:

Traditional penetration testing tools are very inefficient because they execute all signatures. On the other hand, GyoiThon is very efficient because it executes only valid exploits for the identified software. As a result, the user's burden will be greatly reduce, and GyoiThon will greatly contribute to the security improvement of many web servers.

https://github.com/gyoisamurai/GyoiThon

Isao Takaesu
Isao Takaesu is working in Mitsui Bussan Secure Directions, Inc. as security engineer and researcher. In the past, he found out numerous vulnerabilities in server of client and he proposed countermeasures to client. He thinks that there's more and want to efficiently find out vulnerabilities. Therefore, He's focusing on artificial intelligence technology and developing fully automated penetration testing tool using machine learning.

Masuya Masafumi
Masafumi Masuya is a security engineer on the Mitsui Bussan Secure Directions, Inc. He loves network security assessment, so he found many vulnerabilities in various servers of enterprises. He is always thinking about a method to efficiently perform network security assessment, even while sleeping. He especially loves cURL and Japanese word 'Gyoi'. "Gyoi" means that there is nothing you cannot do!

Toshitsugu Yoneyama
Toshitsugu Yoneyama is a Security Researcher and Manager on the Mitsui Bussan Secure Directions, Inc. He has reported several vulnerabilities in Juniper, Nessus, Amazon, Apache and various routers. He participated alone in Hack2win which is a hacking competition in CodeBlue 2017, and he pwned several devices by remote attack and get the 3rd prize.


Return to Index    -    Add to    -    ics Calendar file

 

RCV - Caesars Promenade Level - Florentine BR 1,2 - Sunday - 12:25-12:40


Hackathon and CTF Prizes, and a Group Photo

No description available


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Sunday - 14:00-14:45


Hacking BLE Bicycle Locks for Fun and a Small Profit

Sunday at 14:00 in Track 2
45 minutes | Demo, Tool

Vincent Tan Senior Security Consultant, MWR InfoSecurity

Hack a lock and get free rides! (No free beer yet though...). This talk will explore the ever growing ride sharing economy and look at how the BLE "Smart" locks on shared bicycles work. The entire solution will be deconstructed and examined, from the mobile application to its supporting web services and finally communications with the lock. We will look at how to go about analysing communications between a mobile device and the lock, what works, what doesn't.

Previous talks on attacking BLE targeted the protocol itself using various hardware and software such as Ubertooth and Wireshark, which could be potentially difficult for someone new wanting to explore BLE and the ever connected IoT world. I'll simplify and stupidify the entire process such that anyone with a mobile phone and basic experience with Frida can go about breaking locks and hacking BLE the world over.

Vincent Tan
Vincent is a Senior Security Consultant at MWR Labs (the forefront of innovation and research in cyber security). He has a passion for all things"mobile" and anything"wireless". Vincent spends most of his free time focused on reverse engineering esoteric protocols, mobile devices and all things IOT to make the real(cyber)world a better and (where possible) a safer place to be for all. (All this while trying to survive by getting free rides.) Singaporean by birth, Vincent defies the local stereotype of accepting "cannot" for an answer and lives in a world of only pure possibility.


Return to Index    -    Add to    -    ics Calendar file

 

CPV - Caesars Promenade Level - Milano BR 1,2 - Sunday - 12:00-13:00


Title:
Implementing a Library for Pairing-based Transform Cryptography

12:00pm

Implementing a Library for Pairing-based Transform Cryptography
When
Sun, August 12, 12pm 1pm
Description
Speakers
-------
Bob Wall
Colt Frederickson

Abstract
--------
We will present background on transform cryptography, also known as proxy re-encryption, We start with an overview of elliptic curves over finite fields and pairings using bilinear maps and discuss how they can be used to implement cryptographic primitives. We next describe the idea of transform cryptography and enumerate desirable properties of transform cryptography schemes, then examine in more detail a specific multi-hop transform encryption scheme.

We will then describe how we implemented a library to provide the primitives required for that multi-hop transform encryption scheme. Finally, we discuss the security implications of recent advances in evaluating discrete logarithms using the special number field sieve, and why that led us to increase the key length of the scheme from 256 bits to 480 bits.

Bio
-----------------
Bob: Co-founder & CTO of IronCore Labs, a startup focused on building products to help app developers build strong security into their offerings.

Colt: Senior software engineer at IronCore Labs. Functional programming guru with a strong background in big data.

Twitter handle of presenter(s)
------------------------------
@bithead_bob, @coltfred

Website of presenter(s) or content
----------------------------------
https://github.com/IronCoreLabs/recrypt, http://ironcorelabs.com

Return to Index    -    Add to    -    ics Calendar file

 

CPV - Caesars Promenade Level - Milano BR 1,2 - Sunday - 13:00-14:00


Title:
Integrating post-quantum crypto into real-life applications

1:00pm

Integrating post-quantum crypto into real-life applications
When
Sun, August 12, 1pm 2pm
Description
Speaker
------
Christian Paquin

Abstract
--------
Quantum computers pose a grave threat to the public-key cryptography we use today. Many quantum-safe alternatives have been proposed to alleviate this problem. None of these, however, provide a perfect replacement for our conventional algorithms. Indeed, they either result in increased bandwidth, bigger keys, and/or slower runtime, thus greatly impacting their integration into crypto applications.

In this talk, Ill give an overview of the emerging post-quantum cryptography (PQC) schemes. Ill then present the lessons we have learned from our prototype integrations into real-life protocols and applications (such as TLS, SSH, and VPN), and our experiments on a variety of devices, ranging from IoT devices, to cloud servers, to HSMs. Ill discuss the Open Quantum Safe project for PQC development, and related open-source forks of OpenSSL, OpenSSH, and OpenVPN that can be used to experiment with PQC today. Ill present a demo of a full (key exchange + authentication) PQC TLS 1.3 connection.

This work sheds lights on the practicality of PQC, encouraging early adoption and experimentation by the security community.

Bio
-----------------
I am a crypto specialist in MSRs Security and Cryptography team [1]. Im currently involved in projects related to post-quantum cryptography, such as the Open Quantum Safe project [2], and leading the development of the U-Prove technology [3]. Im also interested in privacy-enhancing technologies, smart cloud encryption (e.g., searchable and homomorphic encryption), and the intersection of AI and security.

Prior to joining Microsoft in 2008, I was the Chief Security Engineer at Credentica, a crypto developer at Silanis Technology working on digital signature systems, and a security engineer at Zero-Knowledge Systems working on TOR-like systems.

[1] https://www.microsoft.com/en-us/research/group/security-and-cryptography/
[2] https://github.com/open-quantum-safe
[3] https://microsoft.com/uprove

Twitter handle of presenter(s)
------------------------------
chpaquin

Website of presenter(s) or content
----------------------------------
https://www.microsoft.com/en-us/research/people/cpaquin/

Return to Index    -    Add to    -    ics Calendar file

 

SKY - Flamingo 3rd Flr - Virginia City Rm - Sunday - 12:00-12:59


Title:
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and face recognition - and frankly, everywhere else

Guy Barnhart-Magen and Ezra Caltum
@acaltum, @barnhartguy

JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and face recognition - and frankly, everywhere else

"Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research.
The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve:
* Unexpected consequences (why did it decide this rifle is a banana?),
* Data leakage (how did they know Joe has diabetes)
* Memory corruption and other exploitation techniques (boom! RCE)
* Influence the output (input: virus, output: safe!, as seen on (DEF CON 25 - Hyrum Anderson - Evading next-gen AV using AI)[https://www.youtube.com/watch?v=FGCle6T0Jpc]).
In other words, while ML is great at identifying and classifying patterns, and an attacker can take advantage of this and take control of the system.
This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others - a live demo will be shown on stage!
Garbage In, RCE Out :-)"


Return to Index    -    Add to    -    ics Calendar file

 

BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - Sunday - 11:00-12:15


Title: Jumping the Epidermal Barrier

Speaker: Vlad Gostomelsky and Dr. Stan Naydin
Abstract:
This talk will focus on consumer grade glucose monitors - primarily continuous glucose monitors that are implantable or attach to the skin
for extended length of time and provide readings via bluetooth low energy or have RF/BLE bridges. Research was focused on security/privacy implications.

Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 1 - Caesars Emperor's Level - Palace BR - Sunday - 12:00-12:45


Last mile authentication problem: Exploiting the missing link in end-to-end secure communication

Sunday at 12:00 in Track 1
45 minutes | Demo, Exploit

Thanh Bui Security Researcher, Aalto University, Finland

Siddharth Rao Security Researcher, Aalto University, Finland

With "Trust none over the Internet" mindset, securing all communication between a client and a server with protocols such as TLS has become a common practice. However, while the communication over Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected.

This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary way of authentication, the insecurity of this "last mile" causes the security of the rest of the communication strands to be obsolete. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.

Thanh Bui
Thanh Bui is a doctoral candidate in the"Secure systems" group of Aalto University, Finland. His research focuses on analyzing and designing secure network protocols and distributed systems. He is a past Erasmus Mundus fellow and holds double master's degrees from Aalto University, Finland and KTH Royal Institute of Technology, Sweden.

Siddharth Rao
Siddharth (Sid) Rao is a doctoral candidate in the"Secure systems" group of Aalto University, Finland. He specializes in the security analysis of communication protocols, and his current interest lies in pedagogical study of the 'lack of authentication' in different systems. He is a past Erasmus Mundus fellow and holds double master's degrees from Aalto University, Finland and University of Tartu, Estonia. He has been Ford-Mozilla Open Web Fellow at European Digital Rights (EDRi), where helped to define policies related to data protection, surveillance, copyright, and network neutrality. He has previous spoken at security conferences such as Blackhat and Troopers.


Markku Antikainen received the M.Sc. degrees in security and mobile computing from Aalto University, Espoo, Finland, and the Royal Institute of Technology, Stockholm, Sweden, in 2011. In 2017, he received a Ph.D. degree from Aalto University, Espoo, Finland. His doctoral thesis was on the security of Internet-of-things and software-defined networking. He currently works as a post-doctoral researcher at Helsinki Institute for Information Technology, Finland


Tuomas Aura received the M.Sc. and Ph.D. degrees from Helsinki University of Technology, Espoo, Finland, in 1996 and 2000, respectively. His doctoral thesis was on authorization and availability in distributed systems. He is a Professor of computer science and engineering with Aalto University, Espoo, Finland. Before joining Aalto University, he worked with Microsoft Research, Cambridge, U.K. He is interested in network and computer security and the security analysis of new technologies.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Sunday - 13:30-13:50


Lost and Found Certificates: dealing with residual certificates for pre-owned domains

Sunday at 13:30 in Track 2
20 minutes | Demo, Tool

Ian Foster Hacker

Dylan Ayrey Hacker

When purchasing a new domain name you would expect that you are the only one who can obtain a valid SSL certificate for it, however that is not always the case. When the domain had a prior owner(s), even several years prior, they may still possess a valid SSL certificate for it and there is very little you can do about it.

Using Certificate Transparency, we examined millions of domains and certificates and found thousands of examples where the previous owner for a domain still possessed a valid SSL certificate for the domain long after it changed ownership. We will review the results from our ongoing large scale quantitative analysis over past and current domains and certificates. We'll explore the massive scale of the problem, what we can do about it, how you can protect yourself, and a proposed process change to make this less of a problem going forwards.

We end by introducing BygoneSSL, a new tool and dashboard that shows an up to date view of affected domains and certificates using publicly available DNS data and Certificate Transparency logs. BygoneSSL will demonstrate how widespread the issue is, let domain owners determine if they could be affected, and can be used to track the number of affected domains over time.

Ian Foster
Ian enjoys researching systems and networking problems and solutions in an effort to make the world more secure. He has published research papers analyzing the new gTLD land rush and crawling and parsing most WHOIS records. From demonstrating how insecure aftermarket OBD "dongles" can be used to compromise and take over automobiles; to measuring the paths an email traverses online with encryption in an effort to increase integrity, authenticity, and confidentiality; and more. During the day Ian is a Security Engineer fighting for the users.

Dylan Ayrey
Dylan is a security engineer, who in his free time authors lots of open source projects, such as truffleHog. He graduated college in 2015 and has been working in security ever since.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 1 - Caesars Emperor's Level - Palace BR - Sunday - 13:00-13:30


Man-In-The-Disk

Sunday at 13:00 in Track 1
20 minutes | Demo, Tool, Exploit

Slava Makkaveev Security Researcher, Check Point

Most of modern OS are using sandboxing in order to prevent malicious apps from affecting other apps or even harming the OS itself. Google is constantly reinforcing Android’s sandbox protection, introducing new features to prevent any kind of sandbox bypass.

In this talk we want to shed new light on a less known attack surface which affects all Android devices and allows an attacker to hijack the communication between privileged apps and the disk, bypassing Android’s latest sandbox protection.

The problem begins when privileged apps interact with files stored in exposed areas, and even worse, some of them will unintentionally break the sandbox by insecurely appending such data to its confinements.

Can you imagine if someone could execute code in the context of your keyboard, or install an unwanted app without your consent? Well… It’s hardly within the realm of imagination.

The external storage and network based vulnerabilities we discovered, can be leveraged by the attacker to corrupt data, steal sensitive information or even take control of your device.

Slava Makkaveev
Slava Makkaveev is a Security Researcher at Check Point. Holds a PhD in Computer Science. Slava has found himself in the security field more than seven years ago and since then gained a vast experience in reverse engineering and malware analysis. Recently Slava has taken a particularly strong interest in mobile platforms and firmware security.


Return to Index    -    Add to    -    ics Calendar file

 

RCV - Caesars Promenade Level - Florentine BR 1,2 - Sunday - 12:00-12:25


Mapping Social Media with Facial Recognition - Jacob Wilkin

“Performing intelligence gathering on targets is a time consuming process, it typically starts by attempting to find a persons online presence on a variety of social media sites. What if it could be automated and done on a mass scale with hundreds or thousands of targets?

Social Mapper is a Open Source Intelligence Tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets names and pictures to accurately detect and group a person’s presence, outputting the results into report that a human operator can quickly review.

Social Mapper has a variety of uses in the security industry, for example the automated gathering of large amounts of social media profiles for use on targeted phishing campaigns. Facial recognition aids this process by removing false positives in the search results, so that reviewing this data is quicker for a human operator.

Social Mapper supports the following social media platforms: - LinkedIn - Facebook - Twitter - GooglePlus - Instagram - VKontakte - Weibo - Douban

Social Mapper takes a variety of input types such as: - An organisations name, searching via LinkedIn - A folder full of named images - A CSV file with names and url’s to images online”


Return to Index    -    Add to    -    ics Calendar file

 

SKY - Flamingo 3rd Flr - Virginia City Rm - Sunday - 09:00-09:59


Title:
Master Baiting! Dont Click Bait, Click Yourself

BACE16
@bace16_

Master Baiting! Dont Click Bait, Click Yourself

The talk that lives up to its name! Completely self-centered on how to work with your bait and tackle to jerk off the line of stories in your head and get back to reality. Avoid phishing by not falling for the hookers! Even yourself! Social engineering! Deep penetrating psychology mixed with blatant innuendo and enough buzzwords to make a CISO throw BitCoin at it...then make engineers figure out a POC for what this Purple Team Darknet vaporware actually does!


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Sunday - 13:00-13:30


Micro-Renovator: Bringing Processor Firmware up to Code

Sunday at 13:00 in Track 2
20 minutes | Demo, Tool

Matt King Hacker

The mitigations for Spectre highlighted a weak link in the patching process for many users: firmware (un)availability. While updated microcode was made publicly available for many processors, end-users are unable to directly consume it. Instead, platform and operating system vendors need to distribute firmware and kernel patches which include the new microcode. Inconsistent support from those vendors has left millions of users without a way to consume these critical security updates, until now. Micro-Renovator provides the ability to apply microcode updates without modifying either platform firmware or the operating system, through simple (and reversible) modifications to the EFI boot partition.

Matt King
Matt is a security geek responsible for ensuring platform and firmware trust at a cloud service provider, and dedicates an inordinate amount of time to updating firmware as a result. He has pen tested a broad range of systems as a product security validation lead at a prominent processor vendor, and has a history of rendering all manner of computing devices inoperable.


Return to Index    -    Add to    -    ics Calendar file

 

PHV - Caesars Promenade Level - Neopolitan BR - Sunday - 11:00-11:59


Microcontrollers and Single Board Computers for Hacking, Fun and Profit

gh057

As security researchers, we are always looking for the next device that will make our jobs easier and our research more effective. In many cases, physical gear can be expensive and limited in capability which can be prohibitive, especially in engagements where dead drops are required. However, with the skyrocketing popularity of microcontrollers and single board computers, that barrier has been reduced significantly and has created a host of new possibilities for everything from dead drops to wired and wireless network intrusion and analysis. gh057 will introduce some of the more popular options in this genre and some live demonstrations of their more fun uses. gh057 will demonstrate three devices he built to solve specific problems and that are based on these platforms: ATtiny85, ESP8266 / ES32, Raspberry Pi Finally, and as a bonus, gh057 will demonstrate a simple technique that uses Applescript and Bash that can be used to create a simple USB trojan and can be useful for end-user training.

gh057 has worked on almost every aspect of the software development lifecycle. For the majority of his career, he worked as a front-end, full stack engineer specializing in UI/UX. During this time, he was involved in development and also testing efforts, which included quality and security best practices. In the last few years, gh057 completed a career transition to application security, most notably through security evangelism roles, where he worked closely with development teams. As an application security engineer, gh057 is responsible for security best practices, which encompasses both digital and physical threat vectors. Most recently, gh057 has been the concept creator and team lead for the Day of Shecurity conference which took place on June 16th in San Francisco, CA. In his free time, he is passionate about promoting equality in the cybersecurity industry and offering mentorship to young technologists. His goal is to leave behind a better industry than the one he found when he first began his career.


Return to Index    -    Add to    -    ics Calendar file

 

BCOS - Caesars Promenade Level - Pompeian BR 1 - Sunday - 12:30-12:59


Title: Monero Project's Vulnerability Response Process

Speakers: Anonimal

Description:
No description available



Return to Index    -    Add to    -    ics Calendar file

 

BCOS - Caesars Promenade Level - Pompeian BR 1 - Sunday - 11:00-11:30


Title: Monero's Differentiated Community

Speakers: Justin Ehrenhofer

Description:
No description available



Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 1 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 10:00-11:50


nzyme

Sunday 08/12/18 from 1000-1150 at Table One
Defense, RF, WiFi/802.11

Lennart Koopmann

Detecting attackers who use WiFi as a vector is hard because of security issues inherent in the 802.11 protocol, as well as commoditized ways of near-perfect spoofing of WiFi enabled devices.

Security professionals work around this by treating WiFi traffic as insecure and encrypting data on higher layers of the protocol stack. Sophisticated attackers do not limit their efforts to jamming or tapping of wireless communication, but try to use deception techniques to trick human operators of WiFi devices into revealing secrets. The list of attacks that are possible after a user has been convinced to connect to a rogue access point that is under the attacker's control ranges from DNS spoofing to crafted captive portals that can be used for classic phishing attempts.

This is why the new nzyme release introduces its own set of WiFi deception techniques. It is turning the tables and attempts to trick attackers into attacking our own simulated, wireless infrastructure that resembles realistic clients and access points. Together with the general collection of all 802.11 management frames already offered in the existing release, nzyme now replays all relevant communication to and from our decoy transceivers to a log management system like Graylog for analysis and alerting. This combination allows tricking attackers into revealing themselves by leaving easy to identify traces during all exploitation phases.

Applying WiFi deception to defensive perimeters gives the blue team a chance to reveal, delay, and condition attackers.

https://wtf.horse/2017/10/02/introducing-nzyme-wifi-802-11-frame-recording-and-forensics/

Lennart Koopmann
Born and raised in Germany, Lennart founded the Open Source log management project Graylog in 2009 and has since then worked with many organizations on log management and security-related projects. He has an extensive background in software development and architecture. There is a high chance that you will meet Lennart at a LobbyCon somewhere in the country. Once he ran a marathon but was not very Fast.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 3 - Caesars Pool Level - Forum BR 1-11,25 - Sunday - 14:00-14:45


One bite and all your dreams will come true: Analyzing and Attacking Apple Kernel Drivers

Sunday at 14:00 in Track 3
45 minutes | Demo, Tool, Exploit

Xiaolong Bai Security Engineer, Alibaba Inc.

Min (Spark) Zheng Security Expert, Alibaba Inc.

Though many security mechanisms are deployed in Apple's macOS and iOS systems, some old-fashioned or poor-quality kernel code still leaves the door widely open to attackers. Especially, as kernel's critical components, device drivers are frequently exploited to attack Apple systems. In fact, bug hunting in Apple kernel drivers is not easy since they are mostly closed-source and heavily relying on object-oriented programming. In this talk, we will share our experience of analyzing and attacking Apple kernel drivers. In specific, we will introduce a new tool called Ryuk. Ryuk employs static analysis techniques to discover bugs by itself or assist manual review.

In addition, we further combine static analysis with dynamic fuzzing for bug hunting in Apple drivers. In specific, we will introduce how we integrate Ryuk to the state-of-art Apple driver fuzzer, PassiveFuzzFrameworkOSX, for finding exploitable bugs.

Most importantly, we will illustrate Ryuk's power with several new vulnerabilities that are recently discovered by Ryuk. In specific, we will show how we exploit these vulnerabilities for privilege escalation on macOS 10.13.3 and 10.13.2. We will not only explain why these bugs occur and how we find them, but also demonstrate how we exploit them with innovative kernel exploitation techniques.

Xiaolong Bai
Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. degree in Tsinghua University. He has published several research papers on top conferences including IEEE S&P, Usenix Security, CCS, NDSS, and presented his research in Black Hat USA and Hack In The Box. He has been acknowledged by famous vendors, including Apple, Google, Facebook, Evernote, and Tencent for his contribution in discovering the vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development.

@bxl1989

Min (Spark) Zheng
Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. degree in the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, system design and implementation. Before receiving Alibaba A-Star offer award in 2015, he worked in FireEye, Baidu and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the"best security researcher" award in FIT 2016 for detecting the iOS/macOS vulnerabilities, XcodeGhost virus and WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He presented his research in DEF CON, HITB, BlackHat, RUXCON, etc.

@SparkZheng


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 1 - Caesars Emperor's Level - Palace BR - Sunday - 15:00-15:45


PANEL: DEF CON GROUPS

Sunday at 15:00 in Track 1
45 minutes | Audience Participation

Brent White (B1TK1LL3R) DEF CON Groups Global Coordinator

Jeff Moss (The Dark Tangent) Founder, DEF CON

Jayson E. Street DEF CON Groups Global Ambassador

S0ups

Tim Roberts (byt3boy)

Casey Bourbonnais

April Wright

Do you love DEF CON? Do you hate having to wait for it all year? Well, thanks to DEF CON groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us!

In this special event, your DEF CON groups team who works behind the scenes to make DCG possible will introduce themselves and provide status updates. After we're done talking, the remainder of time will be an informal open floor right there in the room to mingle and talk all things DCG.

There will be a:

Designated area in the room for those wanting to start/join a group
Designated area in the room for those wanting to share project ideas

Brent White (B1TK1LL3R)
Bio Coming Soon

Jeff Moss (The Dark Tangent)
Bio Coming Soon

Jayson E. Street
Bio Coming Soon

S0ups
Bio Coming Soon

Tim Roberts (byt3boy)
Bio Coming Soon

Casey Bourbonnais
Bio Coming Soon

April Wright
Bio Coming Soon


Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 5 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 10:00-11:50


Passionfruit

Sunday 08/12/18 from 1000-1150 at Table Five
iOS reverse engineer, Mobile security research

Zhi Zhou

Yifeng Zhang

Passionfruit is a cross-platform app analyze tool for iOS. It aims to provide a powerful and user friendly gui for app pentesting and reverse engineering. In this demo we’ll cover the most common tasks in iOS RE, like dumping decrypted apps from AppStore, exploring filesystem and other runtime introspections.

https://github.com/chaitin/passionfruit

Zhi Zhou
AntFinancial Zhi Zhou is a security engineer at AntFinancial LightYear Lab, who mainly focus on applied software security, including both mobile and desktop platforms. He’s been working on blackbox assessment, vulnerability exploit and new attack surface discovery. He was a speaker at BlackHat USA 2017.

Yifeng Zhang
Chaitin Tech Yifeng Zhang is a penetration tester at Chaitin Tech, working in mobile security and financial malware. He has been dedicated to developing security tools to make pen-testing more efficient and effective.


Return to Index    -    Add to    -    ics Calendar file

 

Demolabs - Table 4 - Caesars Promenade Emperor's Level - Outside Track 1 - Sunday - 10:00-11:50


PCILeech

Sunday 08/12/18 from 1000-1150 at Table Four
Offense, Hardware, DFIR

Ulf Frisk

Ian Vitek

The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers and governments alike. Hardware sold out, FPGA support was introduced and devices are once again available! We will demonstrate how to take total control of still vulnerable systems via PCIe DMA code injection. Kernels will be subverted, full disk encryption defeated and shells spawned! Processes will be enumerated and their virtual memory abused—all by using affordable hardware and the open source PCILeech toolkit.

http://github.com/ufrisk/pcileech

Ulf Frisk
Ulf Frisk is a hacker/penetration tester working in the Swedish financial sector. Ulf focuses on penetration testing and it-security audits during daytime and low-level security research during nighttime. Ulf takes a special interest in DMA—direct memory access, and has a dark past as a developer.

Ian Vitek
Ian Vitek has a background as a pentester but now works with information security in the Swedish financial sector. Ian has held presentations at Defcon 8, 10, 12, BSidesLV and over the last years attended as a Defcon DJ (VJ Q.Alba). Interested in web, layer 2, DMA and pin bypass attacks.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Sunday - 11:00-11:45


Politics and the Surveillance State. The story of a young politician's successful efforts to fight surveillance and pass the nation's strongest privacy bills.

Sunday at 11:00 in Track 2
45 minutes | Audience Participation

Daniel Zolnikov Montana State Representative

Orwell's concept of 1984 has more to do with government misuse of technology than technology itself. New technology allows for more opportunity, but unchecked, it allows for complete government control.

Representative Daniel Zolnikov is the nation's leading politician regarding privacy and surveillance and has enacted numerous laws safeguarding fourth amendment rights regarding digital communications and technology. Daniel will walk you down the road of how political misuse of technology can and will turn the Federal Government into an unprecedented nanny state that will lead to a suppressed free flow of information and fear of stepping out of line. His story includes insights on how unique left and right coalitions were formed to pass these laws in his home state of Montana, and how he prevailed against law enforcement groups who opposed implementing warrant requirements.

This discussion is aimed at sharing insights no matter your political affiliation. All of Daniel's legislation has passed with overwhelming bi-partisan support through both bodies in Montana's legislature and was signed by the governor of the opposite party. Although most speeches involving politicians tend to lead towards rhetoric, Daniel's goal is to share enough information to be able to understand why change has not taken place yet, and leave you understanding how to remedy that.

His story will give you insights into the politics that states and the nation face when reforming these issues, and his down to earth approach will bring the topic down to a level of humor and easy understanding. There is no need for any technical or political insight to be able to appreciate this topic and the work Daniel has done on behalf of the more technologically savvy enthusiasts.

The theme of DEF CON 26 would be inconsistent without taking into consideration policy and how it ties in closely with technology. Technology relies on policy, and policy has the implications of dictating the use of technology. The two can go hand in hand, or end up squaring up against each other. You are an important, and lesser heard voice in the world of aged politicians with limited vision. The Orwellian state existed due to a mixture of bad policies and technology. Although the theme focuses on technology used to disrupt the surveillance state, the other half of the battle is ensuring this state does not reach the disastrous conclusions of 1984.

Daniel believes we can move forward with technology without living in fear of our government. If you want to have some hope and direction towards the future of policy regarding surveillance and technology, Daniel will leave you with the optimism that there is still a chance that our nation can have a balanced approach that ensures 1984 does not become the norm in the future and will help you understand how to take part in this action.

Daniel Zolnikov
Daniel Zolnikov is a third term liberty-minded State Representative serving in the Montana Legislature. He is a been a strong advocate for civil rights concerning our freedoms and liberties, and limited government, and is working to make Montana the Last Best Place for future generations. As a 31-year-old representative who first served in his mid-20's, Daniel has specialized in 21st Century policy areas addressing the opportunities and risks associated with new technologies. Zolnikov has also lead on energy policy as the Chairman of the House Energy, Technology and Federal Relations Committee.

Daniel is the nation's leading legislator regarding laws protecting digital information and devices. In 2017, he passed leading legislation requiring a warrant for digital communication devices, warrant requirements for digital communications, limits on license plate readers that prevent the DEA from using Montana's information in their national vehicle tracking program and reformed and created strict limits on vehicle spot checks.

He has also successfully passed laws requiring government to get a warrant to access cellphone location information, passing the strongest Freedom of the Press legislation in the nation, protecting reporters' electronic communications from government intrusion, and give immunity from MIP laws to minors who seek emergency medical attention. He also helped lead the effort to revise Montana's outdated transportation laws to allow ride-sharing services like Uber to operate in Montana, which is expected to reduce the drunk driving epidemic in many communities.

Forbes ranked Daniel among the top"30 Under 30" policymakers in the nation, and Red Alert Politics recognized him as one of the country's Top 30 Conservatives under the age of 30. He has also received the Montana Library Association's"Intellectual Freedom Award", along with Responsibility.org's"Advancing Alcohol Responsibility" leadership award.

Daniel is a strong advocate of transparency in government, and has posted his votes on his public Facebook page. He regularly interacts with constituents on his Twitter profile, @DanielZolnikov.

Daniel received his undergraduate degree from the University of Montana where he earned three business majors in Information Systems, Marketing, and Management, along with a minor in Political Science. Outside of the Legislature, Daniel has worked as a small business consultant and is currently obtaining his MBA. Daniel enjoys fishing, swimming, and the freedom that only Big Sky Country can offer.

@DanielZolnikov, www.facebook.com/danielzolnikov, www.linkedin.com/ind/zolnikov, www.danielzolnikov.com


Return to Index    -    Add to    -    ics Calendar file

 

BCOS - Caesars Promenade Level - Pompeian BR 1 - Sunday - 11:30-11:59


Title: Privacy and Blockchain: A Boundary Object Perspective

Speakers: Robin "midipoet" Renwick

Description:
No description available



Return to Index    -    Add to    -    ics Calendar file

 

BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - Sunday - 13:45-13:45


Title: PWN to OWN my own Heart. Journey into hacking my own pacemake

Speaker: Veronica Schmit
About Veronica:
Veronica or Vee is a Partner at DFIRLABS. She is a forensicator, avid researcher and quite literally the superglue that holds DFIRLABS together. She was previously in charge of the Free State Cyber Forensic Laboratory of the Special Investigating Unit. After deciding that this title on its own wasn’t already too much of a mouthful, she departed the SIU in order to add Malware (Reverse) Engineer, Photographer, Seamstress, Super Mom and Sleep-deprived MSc Chaser to her list. She PWN’s to own her own medical device which aids her broken heart beats, into a different rhythm, sometimes this beat is much like that of drums beating. She is passionate about medical device security and does not believe in security through obscurity. In between attending Metallica concerts and being converted into a cyborg (no really, ask her about her metal bits sometime), she completed a Diploma in Criminal Justice and Forensic Investigation from the University of Johannesburg. Deciding to brave foreign climes and curiosities, she went on to receive training in Europe on digital forensics and cyber crime investigation from the United States Department of Homeland Security. She is an Associate Member of a number of professional bodies, including the Institute of Information Technology of Professionals of South Africa, the Association of Certified Fraud Examiners, and the International Association of Computer Investigative Specialists. Veronica has contributed to several publications, including the ISC2 CCFP : Certified Computer Forensic Practitioner. She is currently juggling a Master’s thesis on ransomware, several digital forensics cases, getting a quality forensics training company off the ground, and reverse engineering ransomware whilst also keeping her two year old from walking into things. You can contact her by lighting up the night sky with the P10z0n_P1x13 beacon mounted on the top of the Twitter police department, or alternatively by email.
Abstract:
The increase of pace in the technology field has left the race for manufacturers to increase the security in medical devices. There is the theoretically possibility that your heart can be pwned. Pacemakers have become part of the internet of things. We are putting our hearts on display. This is my journey from regular hacker to gen-one cyborg to pwning my own heart that I can own the vulnerabilities to fix it. We forget that these are devices connected to flesh and blood, a person who depends on this device to have just one more heart beat. This is a journey into the inner sanctum of living with a vulnerable device in a time where technology progression has left behind security. We can no longer have security by obscurity when it comes to devices which cyborg’s like me depend on.We should not be in the business of sacrificing security for convenience or power. As a patient, I would rather sleep knowing my device has been hardened and have the inconvenience of replacing it more regularly than the converse. I feel that we, as the security community, should be addressing and assisting medical manufacturers with the security vulnerabilities in the devices that literally keep people alive. There should be more effort placed on addressing the security vulnerabilities. The simple fact is we are not dealing with just ones and zeroes. This is, for some, a life or death situation.

Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 1 - Caesars Emperor's Level - Palace BR - Sunday - 10:00-10:45


Rock appround the clock: Tracking malware developers by Android "AAPT" timezone disclosure bug

Sunday at 10:00 in Track 1
45 minutes | Demo

Sheila A. Berta Security Researcher at Eleven Paths

Sergio De Los Santos Head of Innovation and Lab at Eleven Paths

Are you a malware developer for Android devices? We have very bad news for you: the Android-SDK packager (aapt) is leaking your time zone! We have found a bug inside this Android-SDK's component that relies in not properly setting the value of a variable used as an argument for localtime() function, when setting the "Last Modified" field for the Android App's files. Because of this, the time zone of anyone using the Android-SDK packager to generate their APKs is leaked. The curious thing is that, despite of this bug inside aapt, the problem goes even beyond aapt itself: its roots goes deep into an incorrect handling errors in the operative system functions localtime() (Windows) and localtime_r() (UNIX).

Because of in the world of Threat Intelligence determining the attacker's geographical location of is one of the most valuable data for attribution techniques, we focused our research in taking advantage of this bug for tracking Android malware developers. In addition to this, we have discovered another very effective way to find out the developer's time zone, based on a calculation of times extracting the GMT timestamp from the Android's app files and the UTC timestamp of the self-signed,"disposable" certificate added to the application (most common cases in malware developers). This is what we call: Rock appround the clock! Using these two different techniques, we have crunched some numbers with our 10 million apps database to determine how these leaked time zones (with one or another technique) are related with malware and which are the countries that generate more Android malicious applications, what is the possible relation between time zone and"malware likelihood" among other interesting numbers.

But that's not all, we have another bad news for malware developers: no IDE (even Android Studio) removes metadata from the files added to the Android app. We will show examples with real cases in which, after analyzing the metadata of files inside the .apk, we got to know country, language, or even more specific geographical location of the developer and -in some cases- the name of the suppose-to-be-anonymous developer! Finally, we will share the scripts we have built to get all this information with just a simple click.

Sheila A. Berta
Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at 12 years-old by herself. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, she has discovered lots of vulnerabilities in popular web applications, softwares and given courses of Hacking Techniques in universities and private institutes. Sheila currently works at Eleven Paths as Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers, x32/x64), C/C++ and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat EU 2017, DEF CON 25 CHV, HITBSecConf, Ekoparty Security Conference, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.

@UnaPibaGeek

Sergio De Los Santos
Sergio De Los Santos is currently head of innovation and labs in Eleven Paths, responsible for researching, creating new projects, tools and prototypes. In the past (2005-2013), he was a Technical consultant in Hispasec (where VirusTotal was developed for 10 years), responsible for antifraud, vulnerabilities alert and other services mostly bank industry oriented. Sergio is responsible for the most veteran security newsletter in spanish. Since 2000 he has worked as an auditor and technical coordinator, written three technical security books and one about the history of security. He has an informatics degree, a master in software engineering and artificial intelligence and has been awarded with Microsoft MVP Consumer Security title in 2013-2017. He is a teacher and director of different courses, masters and lectures in universities and private companies.

@ssantosv


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 101 - Flamingo 3rd Flr - Sunset BR - Sunday - 11:00-11:45


Searching for the Light: Adventures with OpticSpy

Sunday at 11:00 in 101 Track, Flamingo
45 minutes | Demo

Joe Grand Hacker

In the counter-future where we, the dissidents and hackers, have control of technology, sending secret messages through blinkenlights can let us exchange information without being detected by dystopian leaders. By modulating light in a way that the human eye cannot see, this simple, yet clever, covert channel lets us hide in plain sight. To decode such transmissions, we must employ some sort of optical receiver.

Enter OpticSpy, an open source hardware module that captures, amplifies, and converts an optical signal from a visible or infrared light source into a digital form that can be analyzed or decoded with a computer. This presentation provides a brief history of covert channels and optical communications, explores the development process and operational details of OpticSpy, and gives a variety of demonstrations of the unit in action.

Joe Grand
Joe Grand (@joegrand), also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, teacher, advisor, runner, daddy, honorary doctor, TV host, member of legendary hacker group L0pht Heavy Industries, and the proprietor of Grand Idea Studio (grandideastudio.com). He has been creating, exploring, and manipulating electronic systems since the 1980s.

@joegrand


Return to Index    -    Add to    -    ics Calendar file

 

BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - Sunday - 12:15-12:59


Title: Selfie or Mugshot?

Speaker: Anne Kim
About Anne:
Anne Kim is a researcher and graduate student specializing in Computer Science and Molecular Biology at MIT. Professor Alex "Sandy" Pentland, head of the Human Dynamics Group at the MIT Media Lab, is the advisor for her thesis focusing on blockchain solutions for clinical trial optimization. Outside of her thesis work, Anne has done a number of different projects in quantum chemistry simulations, genome-wide association studies, natural language processing for electronic health records, and a startup in secure data sharing. Anne sees accessibility to healthcare as a right, and believes that the interface between biology, healthcare policy, and technology is a promising way to achieve that mission
Abstract:
Thanks to the use of DNA in criminal investigations, hundreds of innocent people have been exonerated from crimes they did not commit. DNA has also been used to used to arrest suspects in cold cases! In my presentation I will give a primer on the techniques used for DNA profiling and the statistics for false positives. The bulk of my presentation will be looking into the vulnerabilities of
current DNA profiling methods and how a malicious actor could actually reconstruct enough genotypic information of any innocent person from just a picture of their face. This is based on recently published Nature Genetics research and extends the methods to suggest that it would only take ~50 million face:genotype samples to have a sufficient genotypic mapping that would allow someone to recreate your 23andMe profile (602,000 SNPs) from a selfie.

Return to Index    -    Add to    -    ics Calendar file

 

SKY - Flamingo 3rd Flr - Virginia City Rm - Sunday - 11:00-11:59


Title:
Sex Work After SESTA

Maggie Mayhem

@MsMaggieMayhem

Sex Work After SESTA

"Surveillance had been a fact of life for sex workers wherever they have faced prohibition. Only two elements, communication and association, can differentiate between commercial and personal sex, criminal enforcement of prostitution laws have necessarily meant targeting the speech and affiliation of perceived sex workers. Enforcement of this nature is facilitated by profiling, institutional bias, and broad overreaching policies that fundamentally violate individual human rights. This has included condoms as evidence, non-consensual medical screenings, and targeted harassment of black transgender women as well as license plate recording projects and stings that focus disrupting immigration or migrant workers.

For all of its risks, screening potential clients is safer over email than it is in person during a street based negotiation often in an isolated part of town. SESTA (Stop Enabling Sex Traffickers Act) comes at a time when compelling research demonstrates that Craigslist resulted in a 17% drop in the female homicide rate. SESTA will also put victims at risk by delaying their identification and recovery by eliminating a digital paper trail. Additionally, Section 230 of the Communications Decency Act is a vital protection for a free internet. Subverting SESTA will create greater economic disparity between sex workers and ultimately empower pimps and agencies over independent providers. "


Return to Index    -    Add to    -    ics Calendar file

 

RCV - Caesars Promenade Level - Florentine BR 1,2 - Sunday - 11:25-12:55


Stalker In A Haystack - MasterChen

In 2015, I did a Skytalk called “Automate Your Stalking”. In that talk, I used Twitter to follow my Target’s followers in an effort to monitor the target without following them directly and arousing suspicion. I’m the end, I felt like I released a method that may be dangerous in the hands of the wrong people. Now, “Stalker In A Haystack” is the antidote to my first talk.

I will be putting the power back into the hands of the people who need it. In this talk, I will demonstrate how you can determine if you are being monitored via Twitter, and by who. Isn’t it suspicious when that one handle is following everyone but you? What does that mean? Stalkers can hide in your sea of followers, and the aim of this talk is to uncover those who lie in the shadows.


Return to Index    -    Add to    -    ics Calendar file

 

BCOS - Caesars Promenade Level - Pompeian BR 1 - Sunday - 12:00-12:30


Title: Stealing Crypto 2 Factor Isn't a Factor

Speakers: Rod Soto and Jason Malley

Description:
No description available



Return to Index    -    Add to    -    ics Calendar file

 

BCOS - Caesars Promenade Level - Pompeian BR 1 - Sunday - 10:00-10:45


Title: The Good, the Bad, and the Private: Building and Breaking Safe Cryptocurrencies

Speakers: Sarang Noether

Description:
No description available



Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 101 - Flamingo 3rd Flr - Sunset BR - Sunday - 10:00-10:45


The Mouse is Mightier than the Sword

Sunday at 10:00 in 101 Track, Flamingo
45 minutes | Demo, Exploit

Patrick Wardle Chief Research Officer, Digita Security

In today's digital world the mouse, not the pen is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell.

Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed.

In this talk we'll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box!

And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!

Patrick Wardle
Patrick Wardle is the Chief Research Officer at Digita Security and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.

@patrickwardle


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 101 - Flamingo 3rd Flr - Sunset BR - Sunday - 13:00-13:45


Trouble in the tubes: How internet routing security breaks down and how you can do it at home

Sunday at 13:00 in 101 Track, Flamingo
45 minutes | Demo, Tool

Lane Broadbent Security Engineer, Vivint

We all protect our home networks, but how safe is your data once it leaves on its journey to the latest cat pictures? How does your traffic make it to its destination and what threats does it face on its way? What is BGP and why should you care?

In this talk, I'll explain the basic structure of the network that is the Internet and the trust relationships on which it is built. We'll explore several types of attacks that you may have seen in the news that exploit this relationship to bring down websites, steal cryptocurrency, and monitor dissidents.

Because talking about bringing down the Internet isn't as much fun as doing, I'll show how to create a mini Internet using Mininet and demonstrate the attacks without the need for a BGP router or a lawyer. Finally, because nation states shouldn't get to have all the fun, I'll use Scapy and some novel techniques to demonstrate how a compromised router can be used to prevent attribution, frame a friend, or create a covert communication channel.

Lane Broadbent
Lane Broadbent is a Security Engineer performing threat hunting and full stack security engineering for Vivint, a tech company focused on IoT and home security. With over a decade of experience in research, pen testing, and jack of all trades systems administration, Lane now works to secure IoT devices and the systems that interact with them. In his free time, Lane tries to best the corporate NTP pool with parts salvaged from thrift stores.


Return to Index    -    Add to    -    ics Calendar file

 

CPV - Caesars Promenade Level - Milano BR 1,2 - Sunday - 11:00-12:00


Title:
Two-Steps to Owning MFA

11:00am

Two-Steps to Owning MFA
When
Sun, August 12, 11am 12pm
Description
Speakers
-------
Sherrie Cowley
Dennis Taggart

Abstract
--------
Authentication is not a companys silver bullet. We will walk through common methods used in MFA including SMS, TOTP (i.e. Google Authenticator), Push Notifications, and U2F Security Keys. We will show how each method works in simple terms and the weaknesses of all of them. You will be able to generate your own TOTP six digit code and learn how to break each MFA method. You will also learn additional controls to protect your environments. This presentation will appeal to both red and blue teams.

Bio
-----------------
Sherrie Cowley has a Masters in Information Systems with an emphasis on software engineering and cyber security. She has managed help desk, software engineering, and identity and access management teams and is currently an Information Security Manager for a large organization. She has presented at SaintCon, HackWest, and multiple universities, was a keynote for Splunk Live, and acts as a liaison for InfraGard members and the FBI Cyber Task Force.

Dennis Taggart is the Sr. Penetration Tester for a large organization. He holds over five years of information security experience and has diverse interests. He earned a B.A. in Middle Eastern Studies (Arabic), an M.A. in Political Science, holds seven GIAC certs, winner of a hardware hacking village and NetWars, and is currently pursuing the MSISE from SANS.

Twitter handle of presenter(s)
------------------------------
@SherrieCowley @dennisdt3

Website of presenter(s) or content
----------------------------------
Breakingmfa.com

Return to Index    -    Add to    -    ics Calendar file

 

BCOS - Caesars Promenade Level - Pompeian BR 1 - Sunday - 13:00-13:59


Title: Village summary

Speakers: Diego "rehrar" Salazar

Description:
No description available



Return to Index    -    Add to    -    ics Calendar file

 

BHV - Caesars Promenade Level - Pisa/Palermo/Siena Rms - Sunday - 10:00-10:15


Title: WELCOME TO THE LAST DAY OF BHV!

Speaker: Staff

Return to Index    -    Add to    -    ics Calendar file

 

PHV - Caesars Promenade Level - Neopolitan BR - Sunday - 13:00-13:59


What Do You Want to be When You Grow Up?

Damon "ch3f" Small, Technical Director at NCC Group North America

Many industries have well-defined points of entry and well-understood education and training requirements. Information Security is not one of those industries. Successful infosec pros often have wildly diverse backgrounds so it is difficult to know which is the "correct" way to enter this field. As our industry has evolved and matured, what do organizations now look for in a candidate? What combination of skills, experience, and education will get you in your "dream job?" SPOILER - there are many predictors of success, and organizations have different priorities, so there is no single answer.

The speaker will describe his experiences as a 22-year veteran of IT and infosec, both from the perspective of working for internal support teams and as a client-facing consultant. In addition to direct observations, this presentation will include the perspectives of other infosec pros that currently work in various capacities in our industry. The goal is not to answer the question of how to successfully develop one's career, as such, but rather to continue the dialogue of what is important to us as we develop our future experts and leaders.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Over the past 18 years as a security professional he has supported infosec initiatives in the healthcare, defense, aerospace, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Director includes working closely with NCC Group consultants and clients in delivering complex security assessments that meet varied business requirements.


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 2 - Caesars Promenade South - Octavius BR 12-24 - Sunday - 15:00-15:45


What the Fax!?

Sunday at 15:00 in Track 2
45 minutes | Demo, Tool, Exploit, Audience Participation

Yaniv Balmas Security Researcher, Check Point Software Technologies

Eyal Itkin Security Researcher, Check Point Software Technologies

Unless you've been living under a rock for the past 30 years or so, you probably know what a fax machine is. For decades, fax machines were used worldwide as the main way of electronic document delivery. But this happened in the 1980s. Humanity has since developed far more advanced ways to send digital content, and fax machines are all in the past, right? After all, they should now be nothing more than a glorified museum item. Who on earth is still using fax machines?

The answer, to our great horror, is EVERYONE. State authorities, banks, service providers and many others are still using fax machines, despite their debatable quality and almost non-existent security. In fact, using fax machines is often mandatory and considered a solid and trustworthy method of delivering information.

What the Fax?! We embarked on a journey with the singular goal of disrupting this insane state of affairs. We went to work, determined to show that the common fax machine could be compromised via mere access to its fully exposed and unprotected telephone line -- thus completely bypassing all perimeter security protections and shattering to pieces all modern-day security concepts.

Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line.

This talk is intended to be the canary in the coal mine. The technology community cannot sit idly by while this ongoing madness is allowed to continue. The world must stop using FAX!

Yaniv Balmas
Yaniv Balmas is a software engineer and a seasoned professional in the security field. He wrote his very first piece of code in BASIC on the new Commodore-64 he got for his 8th birthday. As a teenager, he spent his time looking for ways to hack computer games and break BBS software. This soon led to diving into more serious programming, and ultimately, the security field where he has been ever since. Yaniv is currently leading the security research group at Check Point Software Technologies where he deals mainly with analyzing malware and vulnerability research.

@ynvb

Eyal Itkin
Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research, that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking PTP or I2P, he loves bouldering, swimming, and thinking about the next target for his research.

@EyalItkin


Return to Index    -    Add to    -    ics Calendar file

 

RCV - Caesars Promenade Level - Florentine BR 1,2 - Sunday - 10:50-11:20


Winning a SANS 504 CTF without winning a SANS CTF - Wbbigdave

When a security professional who is running a SANS training course challenges you to ‘Socially engineer the answer to the CTF’ out of him, you have a choice: choose something to make him laugh and garner clues to aid you in owning the network and walking away with a CTF coin, or, take it as a personal challenge and a call to own your instructor. Against better judgement, the advice of his peers (‘you shouldn’t attack a SANS instructor’) and with the threat of an ex Navy Seal above him, wbbigdave took the second path.

Learn how good reconnaissance, modern technology which is billed as an aid to connectivity and convenience, can be used to fully draw even then most switched on and vigilant of security professionals down the rabbit hole. Including but not limited to Facebook and Google who lost significant sums of money to similar techniques. Learn how to walk away with a challenge coin without winning the CTF.


Lightening Talks


Return to Index    -    Add to    -    ics Calendar file

 

DEFCON - Track 1 - Caesars Emperor's Level - Palace BR - Sunday - 14:00-14:45


Your Watch Can Watch You! Gear Up for the Broken Privilege Pitfalls in the Samsung Gear Smartwatch

Sunday at 14:00 in Track 1
45 minutes | Demo, Tool, Exploit

Dongsung Kim Graduate Student, Sungkyunkwan University

Hyoung-Kee Choi Professor, Sungkyunkwan University

You buy a brand-new smartwatch. You receive emails and send messages, right on your wrist. How convenient, this mighty power! But great power always comes with great responsibility. Smartwatches hold precious information just like smartphones, so do they actually fulfill their responsibilities?

In this talk, we will investigate if the Samsung Gear smartwatch series properly screens unauthorized access to user information. More specifically, we will focus on a communication channel between applications and system services, and how each internal Tizen OS components play the parts in access control.

Based on the analysis, we have developed a new simple tool to discover privilege violations in Tizen-based products. We will present an analysis on the Gear smartwatch which turns out to include a number of vulnerabilities in system services.

We will disclose several previously unknown exploits in this presentation. They enable an unprivileged application to take over the wireless services, the user’s email account, and more. Further discussions will center on the distribution of those exploits through a registered application in the market, and the causes of the vulnerabilities in detail.

Dongsung Kim
Dongsung Kim is a graduate student at Sungkyunkwan University, South Korea. After developing software as a profession for several years, his interests have shifted to Internet security. He participated in bug bounty programs like Jet, The New York Times, United Airlines, and at his own university. His research interests span from reverse engineering to web security.

@kid1ng

Hyoung-Kee Choi
Prof. Hyoung-Kee Choi received his Ph.D. in electrical and computer engineering from Georgia Institute of Technology in 2001. He is a professor at Sungkyunkwan University, South Korea. He joined Lancope in 2001 until his leave in 2004, where he guided and contributed to research in Internet security. His research interests span network security and vulnerability assessment.


Return to Index    -    Add to    -    ics Calendar file