Talk/Event Schedule


Sunday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Sunday - 06:00


Return to Index  -  Locations Legend
Meetups - Paris - Outside at base of Eiffel Tower - DEFCON 27 4X5K run -

 

Sunday - 09:00


BCV - Flamingo 3rd Floor - Laughlin III Room - (09:45-09:50) - Welcome Note
BCV - Flamingo 3rd Floor - Laughlin III Room - (09:50-10:40) - Hyperledger Fabric Security Essentials - Larry Suto
BTVT - Flamingo - 3rd Floor- Savoy Room - Evaded MicrosoftATA? **But** You Are Completely Exposed By Event Log - 9ian1i
RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - State of Red Team Services Roundtable - Wesley McGrew

 

Sunday - 10:00


AVV - Bally's Event Center - Ideas whose time has come: CVD, SBOM, and SOTA - Katie, Art
AVV - Bally's Event Center - (10:30-10:59) - Wireless Attacks on Aircraft Instrument Landing System - Harshad
BCV - Flamingo 3rd Floor - Laughlin III Room - cont...(09:50-10:40) - Hyperledger Fabric Security Essentials - Larry Suto
BCV - Flamingo 3rd Floor - Laughlin III Room - (10:40-11:05) - Distributed Decentralized Security for Bitcoin Wallets - Ali Meer
BHV - Planet Hollywood - Melrose 1-3 Rooms - Opening Words - Jen Goldsack
BHV - Planet Hollywood - Melrose 1-3 Rooms - (10:15-10:59) - A Minor Threat - Mike Kijewski
BTVT - Flamingo - 3rd Floor- Savoy Room - Who Dis? Who Dis? The Right Way To Authenticate - Lak5hmi5udheer, dhivus
CLV - Flamingo 3rd Floor - Reno I Room - Mining Malevolence: Cryptominers in the Cloud - Cheryl Biswas
CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Don’t Forget to Wipe - Michael Portera
DC - Paris - Track 1 - Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers - Sheila Ayelen Berta
DC - Paris - Track 2 - Adventures In Smart Buttplug Penetration (testing) - smea
DC - Paris - Track 3 - Hacking WebAssembly Games with Binary Instrumentation - Jack Baker
DC - Paris - Track 4 - Your Secret Files Are Mine: Bug Finding And Exploit Techniques On File Transfer App Of All Top Android Vendors - Xiangqian Zhang, Huiming Liu
DL - Planet Hollywood - Sunset 2 - Zigbee Hacking: Smarter Home Invasion with ZigDiggity - Francis Brown, Matt Gleason
DL - Planet Hollywood - Sunset 3 - Vulmap: Online Local Vulnerability Scanners Project - Yavuz Atlas, Fatih Ozel
DL - Planet Hollywood - Sunset 4 - USB-Bootkit – New Bookit via USB Interface in Supply Chain Attacks - Haowen Bai
DL - Planet Hollywood - Sunset 5 - Rhodiola - Utku Sen
DL - Planet Hollywood - Sunset 6 - QiLing - KaiJern, Lau, Dr. Nguyen Anh Quynh
ETV - Flamingo - 3rd Floor - Reno II Room - Who's Tracking Your Body? Health Apps And Your Privacy
PHVT - Bally's - Indigo Tower - 26th Floor - Wi-Fi Threat Modeling and Monitoring - Besim Altinok and Can Kurnaz
RCV - Planet Hollywood - Celebrity 5 Ballroom - Using OSINT for Competitive Intelligence - Chris Kirsch
RCV - Planet Hollywood - Celebrity 5 Ballroom - (10:25-10:59) - Mining for Gold: A Framework for Accessing Pastebin’s Hidden Treasures - Mike Landeck
RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - (10:30-11:30) - WebSploit 2.0 Release and an Intense Introduction to Hacking Web Applications and APIs - Omar Santos

 

Sunday - 11:00


AVV - Bally's Event Center - In The Air And On The Air: Aviation Radio Systems - Exploding Lemur
AVV - Bally's Event Center - (11:30-11:59) - An introduction to the ARINC standards - Karl
BCV - Flamingo 3rd Floor - Laughlin III Room - cont...(10:40-11:05) - Distributed Decentralized Security for Bitcoin Wallets - Ali Meer
BCV - Flamingo 3rd Floor - Laughlin III Room - Reflections on Blockchain Security - Jan Gorzny
BCV - Flamingo 3rd Floor - Laughlin III Room - (11:30-12:20) - Bitcoin Honeypot - Wallet on floor of the Internet - Gordon Draper
BHV - Planet Hollywood - Melrose 1-3 Rooms - Blue Team Bio II - Genetic and Epigenetics Backups - Mr_Br!ml3y
BHV - Planet Hollywood - Melrose 1-3 Rooms - (11:45-12:30) - Biopiracy on the High Seas - Marla Valentine
BTVT - Flamingo - 3rd Floor- Savoy Room - Atomic Threat Coverage: ATT&CK In Action! - yugoslavskiy
CLV - Flamingo 3rd Floor - Reno I Room - cont...(10:00-11:50) - Mining Malevolence: Cryptominers in the Cloud - Cheryl Biswas
CLV - Flamingo 3rd Floor - Reno I Room - (11:50-12:15) - Securing Multi-cloud Kubernetes - Josh Mize
CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Empowering Gateways with Functional Encryption - Yolan Romailler
DC - Paris - Track 1 - The ABC of Next-Gen Shellcoding - Hadrien Barral, Rémi Géraud-Stewart, Georges-Axel Jaloyan
DC - Paris - Track 2 - SDR Against Smart TVs: URL and Channel Injection Attacks - Pedro Cabrera Camara
DC - Paris - Track 3 - Exploiting Qualcomm WLAN and Modem Over The Air - Xiling Gong, Peter Pi
DC - Paris - Track 4 - Say Cheese - How I Ransomwared Your DSLR Camera - Eyal Itkin
DL - Planet Hollywood - Sunset 2 - cont...(10:00 - 11:50) - Zigbee Hacking: Smarter Home Invasion with ZigDiggity - Francis Brown, Matt Gleason
DL - Planet Hollywood - Sunset 3 - cont...(10:00 - 11:50) - Vulmap: Online Local Vulnerability Scanners Project - Yavuz Atlas, Fatih Ozel
DL - Planet Hollywood - Sunset 4 - cont...(10:00 - 11:50) - USB-Bootkit – New Bookit via USB Interface in Supply Chain Attacks - Haowen Bai
DL - Planet Hollywood - Sunset 5 - cont...(10:00 - 11:50) - Rhodiola - Utku Sen
DL - Planet Hollywood - Sunset 6 - cont...(10:00 - 11:50) - QiLing - KaiJern, Lau, Dr. Nguyen Anh Quynh
LBV - Flamingo - Carson City II Room - Lock Bypass 101
PHVT - Bally's - Indigo Tower - 26th Floor - Head in the Clouds - Matt Nash
PHVW - Bally's - Indigo Tower - 26th Floor - Threat Hunting with Suricata - Josh Stroschein, Jason Williams, Jack Mott, Travis Green
RCV - Planet Hollywood - Celebrity 5 Ballroom - AttackSurfaceMapper: Automate and Simplify the OSINT Process - Andreas Georgiou and Jacob Wilkin
RCV - Planet Hollywood - Celebrity 5 Ballroom - (11:25-11:59) - Prize Distribution / Closing Note
RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - cont...(10:30-11:30) - WebSploit 2.0 Release and an Intense Introduction to Hacking Web Applications and APIs - Omar Santos

 

Sunday - 12:00


BCV - Flamingo 3rd Floor - Laughlin III Room - cont...(11:30-12:20) - Bitcoin Honeypot - Wallet on floor of the Internet - Gordon Draper
BCV - Flamingo 3rd Floor - Laughlin III Room - (12:20-13:10) - A single global public-utility blockchain & cryptosystem - Derek Moore
BHV - Planet Hollywood - Melrose 1-3 Rooms - cont...(11:45-12:30) - Biopiracy on the High Seas - Marla Valentine
BHV - Planet Hollywood - Melrose 1-3 Rooms - (12:30-13:15) - Getting Skin in the Game - cyberlass
BTVT - Flamingo - 3rd Floor- Savoy Room - An Introduction To Malware Analysis - Understudy77
CLV - Flamingo 3rd Floor - Reno I Room - cont...(11:50-12:15) - Securing Multi-cloud Kubernetes - Josh Mize
CLV - Flamingo 3rd Floor - Reno I Room - (12:15-12:59) - Phishing in the cloud era - Ashwin Vamshi
CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Security and privacy of dating apps - Alex Lomas, Alan Monie
DC - Paris - Track 1 - I'm In Your Cloud... Pwning Your Azure Environment - Dirk-jan Mollema
DC - Paris - Track 2 - Malproxying: Leave Your Malware at Home - Hila Cohen, Amit Waisel
DC - Paris - Track 3 - HTTP Desync Attacks: Smashing into the Cell Next Door - albinowax
DC - Paris - Track 4 - Help Me, Vulnerabilities. You're My Only Hope - Jacob Baines
ETV - Flamingo - 3rd Floor - Reno II Room - Ethics Training Workshop -
Meetups - Planet Hollywood - Santa Monica 4 Room - Friends of Bill W. -
PHVT - Bally's - Indigo Tower - 26th Floor - CIRCO: [Cisco Implant Raspberry Controlled Operations] - Emilio Couto
PHVW - Bally's - Indigo Tower - 26th Floor - cont...(11:00-13:59) - Threat Hunting with Suricata - Josh Stroschein, Jason Williams, Jack Mott, Travis Green
RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - Panel and Active Discussions: Red Team Career Advice - Multiple

 

Sunday - 13:00


BCV - Flamingo 3rd Floor - Laughlin III Room - cont...(12:20-13:10) - A single global public-utility blockchain & cryptosystem - Derek Moore
BCV - Flamingo 3rd Floor - Laughlin III Room - Crypto currency heist - the story so far ... - Ryan Rubin
BHV - Planet Hollywood - Melrose 1-3 Rooms - cont...(12:30-13:15) - Getting Skin in the Game - cyberlass
BHV - Planet Hollywood - Melrose 1-3 Rooms - (13:15-13:59) - Chinese Military Combined Arms Effects - Bio-Weapons - Red Dragon 1949
BTVT - Flamingo - 3rd Floor- Savoy Room - Blue Team Village Closing Ceremony
CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Ironically, iOS robocall-blocking apps are violating your privacy - Dan Hastings
DC - Paris - Track 1 - [ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1 - Elliott Thompson
DC - Paris - Track 2 - Sound Effects: Exploring Acoustic Cyber-weapons - Matt Wixey
DC - Paris - Track 3 - Owning The Clout Through Server-Side Request Forgery - Ben Sadeghipour, Cody Brocious (Daeken)
DC - Paris - Track 4 - Want Strong Isolation? Just Reset Your Processor - Anish Athalye
PHVT - Bally's - Indigo Tower - 26th Floor - Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response with Open Source Tools - Wes Lambert
PHVW - Bally's - Indigo Tower - 26th Floor - cont...(11:00-13:59) - Threat Hunting with Suricata - Josh Stroschein, Jason Williams, Jack Mott, Travis Green
RGV - Flamingo - 3rd Floor - Carson City II - Lockpicking "Extras" - Jared Dygert

 

Sunday - 14:00


BCV - Flamingo 3rd Floor - Laughlin III Room - Contest Results
BCV - Flamingo 3rd Floor - Laughlin III Room - Vote of Thanks
BHV - Planet Hollywood - Melrose 1-3 Rooms - Biohacking & Biosecurity - Anne A. Madden
DC - Paris - Track 1 - Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in Firmware - Christopher Roberts
DC - Paris - Track 2 - Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks - Brad Dixon
DC - Paris - Track 3 - The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum - Bernhard Mueller, Daniel Luca
DC - Paris - Track 4 - Contests Awards Ceremony - Contests & Events Goons

 

Sunday - 15:00


DC - Paris - Track 4 - cont...(14:00-15:30) - Contests Awards Ceremony - Contests & Events Goons

 

Sunday - 16:00


DC - Tracks 1,2,3 - Closing Ceremonies - The Dark Tangent & Goons

 

Sunday - 17:00


DC - Tracks 1,2,3 - cont...(16:00-17:59) - Closing Ceremonies - The Dark Tangent & Goons

Talk/Event Descriptions


 

DC - Paris - Track 1 - Sunday - 13:00-13:45


[ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1

Sunday at 13:00 in Track 1
45 minutes | Demo, Tool

Elliott Thompson Senior Security Consultant, SureCloud Ltd

Your browser thinks my 192.168.1.1 is the same as your 192.168.1.1. Using a novel combination of redirects, Karma, JavaScript and caching we demonstrate that it’s viable to attack internal management interfaces without ever connecting to your network. Using the MICASA-SUCASA tool it’s possible to automate the exploitation of hundreds of interfaces at once. This presentation will introduce the attack vector and demonstration, but also the public release of the MICASA-SUCASA tool.

Elliott Thompson
The alphabet soup: OSCP, CTL/CCT-APP Senior pentester and researcher for the last 3 years, with hundreds of successful engagements behind me. Passionate about security and involved in various article pieces for infosec magazine, the BBC and the UK consumer watchdog Which?. Last year I discovered and disclosed an exploit on some Android tablets that allowed RCE through the tag. [ CVE-2018-16618 ]


Return to Index    -    Add to    -    ics Calendar file

 

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 10:15-10:59


10:15 AM: A Minor Threat: What healthcare technology companies can learn about infosec from the Washington DC Punk Scene: 1979-1992
Speaker: Mike Kijewski

Abstract: The changes healthcare IT and medical device companies need to make to their product development processes to address infosec challenges are radical. Many of these same challenges were overcome by the Washington DC punk scene in the 80s and 90s. Bands from Minor Threat to Fugazi used information sharing and first-principles thinking to bring lasting change to the music industry. If you are responsible for the security of healthcare software, it's time to think like a punk.

Speaker Bio: Mike is the cofounder of MedCrypt, a medical device cybersecurity startup based in San Diego, CA.

T: @mikekijewski


 

BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 12:20-13:10


A single global public-utility blockchain & cryptosystem

No description available



 

DC - Paris - Track 2 - Sunday - 10:00-10:45


Adventures In Smart Buttplug Penetration (testing)

Sunday at 10:00 in Track 2
45 minutes | Demo, Tool

smea

Analysts believe there are currently on the order of 10 billion Internet of Things (IoT) devices out in the wild. Sometimes, these devices find their way up people's butts: as it turns out, cheap and low-power radio-connected chips aren't just great for home automation - they're also changing the way we interact with sex toys. In this talk, we'll dive into the world of teledildonics and see how connected buttplugs' security holds up against a vaguely motivated attacker, finding and exploiting vulnerabilities at every level of the stack, ultimately allowing us to compromise these toys and the devices they connect to.

smea
smea got his start making video games for closed consoles like the Nintendo DS using whatever hacks were available at the time. At some point consoles started getting actual security features and he transitioned from just making homebrew software to actually making the jailbreaks that let people run it. He's best known for his work on the Nintendo 3DS and Wii U but has also done exploitation work against high profile web browsers and virtualization stacks. Now he hacks buttplugs, apparently.

Twitter: @smealum
Github: https://github.com/smealum



 

BTVT - Flamingo - 3rd Floor- Savoy Room - Sunday - 12:00-12:59


An Introduction To Malware Analysis

Sunday 12:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@Understudy77 is an obsessive clicker of links. Shawn is a current Paranoid and Head of Security Operations at Verizon Media with a past history of incident response, threat hunting, and malware analysis.

A mostly live demo of base concepts of malware analysis using a multitude of tools on a Dridex sample pulled from a phishing campaign from PDF attachment to executable installation. The main point is to show people some base tools to dive headfirst into analysis of suspicious files.



 

AVV - Bally's Event Center - Sunday - 11:30-11:59


An introduction to the ARINC standards

Speaker – Karl

Synopsis

ARINC is a 90-year-old company originally created to coordinate and support radio communications for airlines. Since then, ARINC has developed several standards to promote interoperability between manufacturers of line-replaceable units (LRUs). This talk will cover major ARINC standards, such as ACARS (an air-to-ground messaging system), 429 (the CAN bus of aviation), and AFDX, and explain why it’s completely impossible to control a 737 through a compromised in-flight entertainment system.

About the Speaker

Karl Koscher is a research scientist at the University of Washington where he specializes in wireless and embedded systems security. In 2011, he led the first team to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels.



 

BTVT - Flamingo - 3rd Floor- Savoy Room - Sunday - 11:00-11:59


Atomic Threat Coverage: ATT&CK In Action!

Sunday 11:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@yugoslavskiy leads the Threat Detection team at the Tieto Security Operations Center (SOC) in Ostrava, Czech Republic. Before that, he was responsible for process and systems architecture development at the Informzaschita SOC in Moscow, Russia. Daniil has spent more than six years in the practical computer security and network monitoring domains. He holds OSCP, CCNP Security, GCFA and GNFA certifications. He has given talks at Code Europe, CONFidence, the Amsterdam FIRST Technical Colloquium, x33fcon and EU MITRE ATT&CK community workshops, presenting Intelligence-Driven Defence approach implementation and MITRE ATT&CK operationalization. Daniil is also a member of the GIAC Advisory Board, coordinator of the Krakow 2600 Meetings and creator of the Atomic Threat Coverage project.

We will present our project, which automatically generates actionable analytics designed to combat threats (based on the MITRE ATT&CK adversary model) from Detection, Response, Mitigation and Simulation perspectives. This way Atomic Threat Coverage represents a core of a Security Operations Center, creating an analytics database with all entities mapped to all meaningful, actionable metrics, ready to use, ready to share and show to leadership, customers and colleagues.



 

RCV - Planet Hollywood - Celebrity 5 Ballroom - Sunday - 11:00-11:25


LIGHTNING TALK

AttackSurfaceMapper: Automate and Simplify the OSINT Process

1100 - 1125



 

PHVT - Bally's - Indigo Tower - 26th Floor - Sunday - 13:00-13:59


Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response with Open Source Tools

Wes Lambert, Senior Engineer at Security Onion Solutions

As network defenders, we face evolving threats every day. We need to truly understand our computer networks, and gain greater context around events occurring within them. To do this, we can use completely free and open source tools, augmenting a platform like Security Onion, to assist in threat hunting, responding to alerts, tracking events, automating analysis of files extracted from network data streams, and even performing remote host-based forensics. This presentation discusses how freely available tools can be integrated to empower teams to effectively monitor, track, and investigate events to help lower risk and increase security posture within their organizations.

Wes Lambert (Twitter: @therealwlambert) is a Senior Engineer at Security Onion Solutions, where he helps companies to implement enterprise security monitoring solutions and better understand their computer networks. He is a huge fan of open source software projects, and loves to solve problems and enhance organizational security using completely free and easily deployable tools.



 

DC - Paris - Track 1 - Sunday - 10:00-10:45


Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers

Sunday at 10:00 in Track 1
45 minutes | Demo, Tool

Sheila Ayelen Berta Security Researcher

Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, car’s ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots.

In this talk, it will be explained how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieve payload injection, from basic to advanced techniques. The first method consists of locating the entry point of the firmware and injecting our payload there; this is an easy way to execute it at least once. As a second -and more complex- technique, we will backdoor the EUSART communication by injecting a malicious payload at the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allows us to take control of the microcontroller’s program flow by manipulating the stack, writing memory addresses at the TOS; with this we can execute a payload made with instructions already written in the original program, performing it just like a ROP-chain technique.

Sheila Ayelen Berta
Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at 12 years old by herself. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and software. She has also given courses on Hacking Techniques at universities and private institutes in Argentina. Sheila currently works as a Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers and microprocessors x86/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat Briefings, DEF CON 26, DEF CON 25 CHV, HITB, HackInParis, Ekoparty, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.

Twitter: @UnaPibaGeek



 

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 14:00-14:59


2:00 PM: Biohacking & Biosecurity: How to innovate with biohacking and synthetic biology while avoiding an apocalypse
Speaker: Anne A. Madden

Abstract: The democratization of synthetic bio tools fuels innovation, but also poses risks, such as the creation of new organisms with unknown capabilities. For decades scientists have safely hacked nature's pipeline to grow unknown natural microbes, finding those that make antibiotics and better beers, while avoiding those that make the world's deadliest chemicals. We can leverage key learnings from this parallel field of bioprospecting to foster innovation while keeping humanity alive in the process.

Speaker Bio: Dr. Madden is a microbe wrangler, an innovation consultant, and TED speaker. Her mission is to reveal the utility of the microscopic world around us. She's discovered a novel microbial species, characterized new antibiotics, and identified new yeasts for better beer technology from inside wasps.

T: @AnneAMadden


 

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 11:45-12:30


11:45 AM: Biopiracy on the High Seas: lessons learned from purloined tarantulas and viral pandemics
Speaker: Marla Valentine

Abstract: You wouldn't steal a car! You wouldn't steal a movie! But would you steal genetic code!? Venture into the high seas where no international laws regulate the patenting of genetic discoveries. From scientists threatened with extradition for identifying new species to calculable deaths based on subpar vaccinations, this lecture will cover the panoply of laws concerning developing genomic technologies on the high seas (or lack thereof) derived from preexisting statutes ratified by sovereign states.

Speaker Bio: Dr. Valentine has explored the gamut of ocean sciences from wrestling sharks and alligators to exploring the darkest depths of the sea floor. Using a decade of research experience, Dr. Valentine now works at the forefront of scientific policy.


 

BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 11:30-12:20


Bitcoin Honeypot - Wallet on floor of the Internet

No description available



 

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 11:00-11:45


11:00 AM: Blue Team Bio II - Genetic and Epigenetics Backups
Speaker: Mr_Br!ml3y

Abstract: Editing genes is getting easier as knowledge of various genomes and technology advance. This will enable repair of genetic damage caused by external carcinogens provided that a known prior DNA sequence is available. This presentation discusses leveraging backup methodologies from IT in DNA applications to remediate genetic and epigenetic damage. Coding DNA into digital form at the base pair and transposon (amino acid specifying) levels will be discussed.

Speaker Bio: Mr_Br!ml3y has nine years of public sector info sec experience, and is currently working on a doctorate in environmental engineering, focused on contaminant transport/isolation. He has presented at DefCon BioHacking Village for four years, focusing on computational aspects of biohacking.


 

DC - Paris - Track 2 - Sunday - 14:00-14:45


Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks

Sunday at 14:00 in Track 2
45 minutes | Demo, Tool

Brad Dixon Security Consultant, Carve Systems

Athletes are competing in virtual cycling by riding real bikes on stationary trainers which power the in-game athletic performance. Riders train and compete online against each other. New racing teams are even competing in Union Cycliste Internationale (UCI) sanctioned events. Better at hacking than riding? Me, too. I’ll expand on the dubious achievements of prior cycling cheaters by showing how to use the open source USBQ toolkit to inspect and modify USB communications between the Zwift application and the wireless sensors that monitor and control the stationary trainer. USBQ is a Python module and application that uses standard hardware, such as the Beaglebone Black, to inspect and modify communications between USB devices and the host. You’ll ride away with a lesson on building your own customized USB man-in-the-middle hacking tool, too.

Brad Dixon
Brad once told his parents that if they gave him a Commodore 64 it would be the last computer he’d ever want. He never got that Commodore 64. Nevertheless Brad managed to become a computer nerd at a young age. Brad studied Computer Engineering at Georgia Tech and jumped into embedded software engineering. He worked for many years helping developers to design embedded Linux into telecom, network, and mobile products. Brad also took a turn as a product manager for embedded development tools and a mobile location analytics product. At Carve he hacks IoT, embedded, and Linux systems.

Github: https://github.com/rbdixon



 

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 13:15-13:59


1:15 PM: Chinese Military Combined Arms Effects - Bio-Weapons
Speaker: Red Dragon 1949

Abstract: During "Chinese Military Combined Arms Effects - Bio-Weapons" attendees will receive a field-experience-based discussion from within the People's Republic of China regarding the People's Liberation Army's use of bio-weapons.

Speaker Bio: Independent security researcher who has met authors of China's Unrestricted Warfare & a US Marine

T: @RedDragon1949


 

PHVT - Bally's - Indigo Tower - 26th Floor - Sunday - 12:00-12:59


CIRCO: [Cisco Implant Raspberry Controlled Operations]

Emilio Couto, eKio Security

Designed around the Raspberry Pi and aimed at Red Team ops, we take advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in stealth mode, using low-profile hardware and electronics camouflaged as a simple network outlet box that sits under or over a desk. CIRCO includes different techniques for network data exfiltration to avoid detection. This tool gathers information and uses a combination of honeypots to trick automation systems into giving us their network credentials!

Emilio Couto (Twitter: @ekio_jp) is a Security Consultant with more than 20 years of experience in the network and security field. Born and raised in Argentina, he is currently located in Japan, where multitasking between language, culture and technologies is a must. Over the last decade he has focused mainly on finance IT. In his spare time he enjoys playing with RFID, computers and home-made IoT devices. Over the last 5 years he has presented tools at conferences (Black Hat Asia, HITB, AV Tokyo and SECCON).



 

DC - Tracks 1,2,3 - Sunday - 16:00-17:59


Closing Ceremonies

Sunday at 16:00 in Paris Ballroom
120 minutes

The Dark Tangent & Goons

DEF CON 27 draws to a close. Prizes awarded, Black Badge winners announced, thanks given, future plans revealed.



 

DC - Paris - Track 4 - Sunday - 14:00-15:30


Contests Awards Ceremony

Sunday at 14:00 in Track 4
90 minutes

Contests & Events Goons

You've seen the Contests, you've played in a Contest, you've won a Contest and may have lost a Contest! Whatever the outcome was, come join us as we celebrate the winners and contestants of our DEF CON 27 Contests! DEF CON 27 Contests and Events Closing Ceremonies will be August 11th at 14:00 in Track 4. Black Badge winning Contests will still be honored at the main DEF CON 27 Closing Ceremonies on August 11th at 16:00 in the Paris Ballroom!



 

BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 13:10-13:59


Crypto currency heist - the story so far ...

No description available



 

Meetups - Paris - Outside at base of Eiffel Tower - Sunday - 06:00-06:59


DEFCON 27 4X5K run

DEF CON 27 Let's go for a run 4X5K Announcement
The 4X5K is returning to DefCon 27. Come running, because maybe you like your mornings sweaty! 0530 is the perfect time to either wind down your evening or start up your day! 0600 is of course the coolest time for a run in Vegas (It's only 80!) But who really cares, running is fun, let's go for a run!

Meet up at 0600 (6 AM) at the base of the Paris Hotel and Casino Eiffel tower outside on Thursday-Sunday (8/9-8/12/2019) for a 5.1K fun run. Run departs at 0610. We've got two pace groups. The fast group is for people that run an average pace of around 9:00-minute miles or better. If you run slower than an average pace of 9:00-minute miles you're in the not fast group. This is basically so everyone ends up in the same place at the end. At either pace, do it all four days and it's a half marathon (21K).

Routes will vary but will most likely be strip-centric. Printed route maps will be displayed before the run.

Safety Brief: It's Vegas, weird stuff will happen, it always does. Be aware that wet concrete is super slippery, broken glass is not your friend, and randos abound! If people harass you, just keep running. You are fast, and they are lame. Some random people may want to join in. This is cool, until it's not. Watch for traffic along the route. It's going to be hot. Hydrate before, during, and after. There can be a surprising number of stairs to climb on these runs, especially when we run south along the strip. Help each other out. Don't die.

The organizers (of which there are very few) are interested in talking to sponsors and past attendees about how we can awesome up this event. We're looking at you, fitness tracker companies: maybe we'll stop dropping 0days if you buy us some water and bananas.

I will see you there.

Follow @Agent __ X __ & @whereiskurt on Twitter for updates, and follow the hashtag #DEFCON4X5K


 

BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 10:40-11:05


Distributed Decentralized Security for Bitcoin Wallets

No description available



 

CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Sunday - 10:00-09:59


Don’t Forget to Wipe

No description available



CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Sunday - 11:00-10:59


Empowering Gateways with Functional Encryption

No description available



ETV - Flamingo - 3rd Floor - Reno II Room - Sunday - 12:00-12:59


Title:
Ethics Training Workshop



BTVT - Flamingo - 3rd Floor- Savoy Room - Sunday - 09:00-09:59


Evaded MicrosoftATA? **But** You Are Completely Exposed By Event Log

Sunday 09:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@9ian1i is a security researcher, core member of 0keeTeam, Information Security Department of Qihoo 360 Technology Company. He specializes in the construction of Blue Team and security architecture, especially the auto-detection of security vulnerabilities.

Because the internal environment of a Windows domain is always too tolerant, and enterprises are more concerned with perimeter defenses than with internal security, penetration based on Windows Active Directory has become more and more popular and aggressive. The emergence of Microsoft ATA allows the Blue Team to perceive and discover most domain penetration activity; however, many techniques for bypassing Microsoft ATA have appeared recently, and its detection coverage is not comprehensive enough, especially for persistence. Whether the Red Team can ensure its behavior goes undetected after bypassing Microsoft ATA is a compelling question. In my recent research, the security event log of the domain controller details the activity of entities in the domain. Most AD attacks leave traces in these logs. The logs can be collected and analyzed in real time, helping you quickly detect attacks before an attacker compromises the domain controller. I will detail how to find exceptional behavior in a large volume of domain controller security event logs and use a variety of analysis approaches to confirm attacks, while taking the false-alarm rate into account. It's worth mentioning that we don't collect the security event log of all computers, only of domain controllers. As a result, these ideas are applicable in a large-scale intranet environment, helping the Blue Team build its own Advanced Threat Analytics.



DC - Paris - Track 3 - Sunday - 11:00-11:45


Exploiting Qualcomm WLAN and Modem Over The Air

Sunday at 11:00 in Track 3
45 minutes | Demo, Exploit

Xiling Gong Consultant, NCC Group

Peter Pi Senior Security Researcher of Tencent Blade Team

In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in FIRMWARE layer, break down the isolation between WLAN and Modem and then fully control the Modem over the air.

Setting up a real-time debugger is the key. Without the debugger, it's difficult to inspect the program flow and runtime status. On the Qualcomm platform, subsystems are protected by Secure Boot and cannot be touched externally. We'll introduce the vulnerability we found in the Modem to defeat Secure Boot and elevate privilege into the Modem locally, so that we can set up a live debugger for the baseband.

The Modem and WLAN firmware is quite complex, and reverse engineering it is tough work. Thanks to the debugger, we finally figured out the system architecture, the components, the program flow, the data flow, and the attack surfaces of the WLAN firmware. We'll share these techniques in detail, along with the zero-days we found on those attack surfaces.

There are multiple mitigations on Qualcomm baseband, including DEP, stack protection, heap cookie, system call constraint, etc. All the details of the exploitation and mitigation bypassing techniques will be given during the presentation.

Starting from Snapdragon 835, the WLAN firmware is integrated into the Modem subsystem as an isolated userspace process. We'll discuss these constraints, and then leverage the weakness we found to fully exploit the Modem.

Xiling Gong
Xiling Gong is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities in products of vendors like Google and Qualcomm. He spoke at CanSecWest 2018.

Twitter: @Gxiling

Peter Pi
Peter Pi is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities of vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla. He was the #1 researcher of Google Android VRP in year 2016. He has spoken at many famous security conferences such as BlackHat, CanSecWest, HITB GSEC and Hitcon.

Twitter: @tencent_blade



DC - Paris - Track 1 - Sunday - 14:00-14:45


Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in Firmware

Sunday at 14:00 in Track 1
45 minutes | Demo, Tool

Christopher Roberts

DARPA’s Grand Cyber Challenge foretold an ominous future stricken with machines exploiting our code and automatically compromising our systems. Today, we have the chance to steel ourselves by creating new hope through stronger tools and techniques to find our bugs before our big-brother nation-states can take advantage. The firmware holding our phones, our routers, and our cars is our weakest link and it demands new methods of finding exploitable vulnerabilities. This talk will present Firmware Slap, the culmination of concolic analysis and semi-supervised firmware function learning. Each binary or library in a given firmware provides slices of information to accelerate and enable fault-resistant concolic analysis. These techniques provide a method of knowing where our vulnerabilities are and how we can trigger them.

Christopher Roberts
Christopher Roberts is a security researcher at REDLattice Inc. He has extensive vulnerability research experience in embedded systems and program analysis frameworks. He competes and speaks in George Mason’s competitive cyber club. He’s known for building several tools which automatically solve and produce flags from pwnable and reversing CTF problems. (Zeratool) (PinCTF)

Github: https://github.com/ChrisTheCoolHut



Meetups - Planet Hollywood - Santa Monica 4 Room - Sunday - 12:00-12:59


Title:
Friends of Bill W.

For all those Friends of Bill W. looking for a meeting or just a quiet moment to regroup, we have you covered with meetings throughout #DEFCON - Noon & 5pm Thurs-Sat, Noon Sun. The location is SANTA MONICA 4 in Planet Hollywood.

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 12:30-13:15


12:30 PM: Getting Skin in the Game: Biohacking & Business
Speaker: cyberlass
Abstract: Let's talk biohacking, technology and business. We are a community that is innovating and creating mostly in non-commercial and academic spaces. As we have grown, so have the opportunities, sometimes in unexpected places. My company, Livestock Labs, is bringing its biometric implant to market in cows first. Started by body augmenters, the company is proving what we all know: when we get funding and dedicated time, our projects take off. This session tries to shed some light on learning to do business as a biohacker and on what other funding models we might explore. I want to encourage other biohackers to take the leap and see what amazing things they can accomplish.

Speaker Bio: Biohacker, IT nerd and COO of Livestock Labs, Amanda Plimpton has lessons learned from biohackers entering commercial spaces. She wants the biohacking community to have more opportunities for its talented, passionate members to contribute in commercial, academic and non-profit sectors.

T: @cyberlass


DC - Paris - Track 3 - Sunday - 10:00-10:45


Hacking WebAssembly Games with Binary Instrumentation

Sunday at 10:00 in Track 3
45 minutes | Demo, Tool

Jack Baker

WebAssembly is the newest way to play video games in your web browser. Both Unity3d and Unreal Engine now support WebAssembly, meaning the amount of WebAssembly games available is growing rapidly. Unfortunately the WebAssembly specification is missing some features game hackers might otherwise rely on. In this talk I will demonstrate adapting a number of game hacking techniques to WebAssembly while dealing with the limitations of the specification.

For reverse engineers, I will show how to build and inject your own "watchpoints" for debugging WebAssembly binaries and how to insert symbols into a stripped binary.

For game hackers, I will show how to use binary instrumentation to implement some old-school game hacking tricks and show off some new ones.

I will be releasing two tools: a binary instrumentation library built for modifying WebAssembly binaries in the browser, and a browser extension that implements common game hacking methods a la Cheat Engine.

Jack Baker
Jack Baker is a professional vulnerability researcher and amateur video game hacker. His primary areas of expertise include web application security, embedded reverse engineering, and Tony Hawk's Pro Skater 3.

Github: https://github.com/Qwokka



PHVT - Bally's - Indigo Tower - 26th Floor - Sunday - 11:00-11:59


Head in the Clouds

Matt Nash, Security Consultant at NCC Group

Availability, scalability, agility, and automation - "The Cloud" brings all of these to your fingertips. Improperly configured, it can also be a security incident waiting to happen. In this talk, we'll cover open source tools to help paint a current, accurate picture of your cloud security posture, share some insight from first-hand experience, and show examples of how you can use this approach within your organization.

Matt Nash works in a variety of realms, including internal/external network infrastructure, cloud architecture, web applications, automated teller machines (ATMs), physical security, social engineering, digital forensics and incident response, and wireless. As well, these assessments span a number of industries: oil and gas energy, utility, manufacturing, software development, financial, and retail. With more infrastructure and resources moving into "the cloud", at a staggering pace, building a skillset in large-scale cloud review was an obvious choice. Matt holds a B.S. in Food and Resource Economics, and is totally qualified to speak on this topic.



DC - Paris - Track 4 - Sunday - 12:00-12:45


Help Me, Vulnerabilities. You're My Only Hope

Sunday at 12:00 in Track 4
45 minutes | Tool, Exploit

Jacob Baines Research Engineer, Tenable

MikroTik routers keep getting owned. They’ve been exploited by advanced threats like VPNFilter, Slingshot APT, and Trickbot. They’ve been compromised by coin miners, botnets, and who knows what else. With each new campaign the security industry publishes new indicators of compromise and everyone moves on.

However, MikroTik administrators operate in a sandbox. They have very limited access to the router’s underlying file system and almost no ability to directly interact with the Linux operating system. Due to these limitations, file hashes cannot answer the fundamental question that is asked again and again on the MikroTik forums, “Have I been compromised?”

It’s time the users had their question answered. In this talk, I’ll present three vulnerabilities that can help MikroTik administrators break out of the sandbox. I’ll show how to use these vulnerabilities to help determine if the router has been compromised.

Jacob Baines
Jacob is the founding member of Tenable's Zero Day Research group. He focuses much of his research efforts on routers and other IoT devices. Sometimes he even finds vulnerabilities.

Twitter: @junior_baines



DC - Paris - Track 3 - Sunday - 12:00-12:45


HTTP Desync Attacks: Smashing into the Cell Next Door

Sunday at 12:00 in Track 3
45 minutes | Demo, Tool

albinowax Head of Research, PortSwigger

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.

Using these targets as case studies, I’ll show you how to delicately amend victims' requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I’ll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page.

Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice.

albinowax
James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU.

Twitter: @albinowax
Website: https://skeletonscribe.net/



BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 09:50-10:40


Hyperledger Fabric Security Essentials

No description available



DC - Paris - Track 1 - Sunday - 12:00-12:45


I'm In Your Cloud... Pwning Your Azure Environment

Sunday at 12:00 in Track 1
45 minutes | Demo, Tool, Exploit

Dirk-jan Mollema Security Expert - Fox-IT

After having compromised on-premise for many years, there is now also the cloud! Now your configuration mistakes can be accessed by anyone on the internet, without that fancy next-gen firewall saving you. With this talk I’ll share my current research on Azure privileges, vulnerabilities and what attackers can do once they gain access to your cloud, or how they can abuse your on-premise cloud components. We start with becoming Domain Admin by compromising Azure AD Sync, sync vulnerabilities that allow for Azure admin account takeover and insecure Single Sign On configurations. Up next is cloud roles and privileges, backdooring Azure AD with service accounts, escalating privileges as limited admin and getting past MFA without touching someone's phone. Then we finish with cloud integrations, also known as "how a developer can destroy your whole infrastructure with a single commit": Exploring Azure DevOps, backdooring build pipelines, dumping credentials and compromising Azure Resource Manager through connected services. Besides all the fun we'll also look into how this translates into the questions you should ask yourself before moving things to the cloud and how this differs from on-premise.

Dirk-jan Mollema
Dirk-jan is one of the core researchers of Active Directory and Azure AD at Fox-IT. Amongst the open source tools published to advance the state of AD research are aclpwn, krbrelayx, mitm6, ldapdomaindump and a Python port of BloodHound. He blogs at dirkjanm.io, where he publishes about new Active Directory attack chains, which included the discovery of the PrivExchange vulnerability. He is also co-author of ntlmrelayx and contributor to several other open source tools and libraries. After discovering that breaking stuff is a lot of fun he never looked back at his freelance web developer days, but is still thankful for the knowledge and experience that those days provided him.

Twitter: @_dirkjan
Website: dirkjanm.io



AVV - Bally's Event Center - Sunday - 10:00-10:30


Ideas whose time has come: CVD, SBOM, and SOTA

Speakers – Katie and Art

Synopsis

From origins in general purpose computing, Coordinated Vulnerability Disclosure (CVD), Software Bill Of Materials (SBOM), and Secure Over-The-Air (SOTA) updates have been implemented or considered in safety sectors including industrial control systems, medical devices, and ground transportation. These common software security practices are becoming widespread global norms, turning up in public policy, international standards, and national law (often in sector-specific safety regulation).

About the Speakers

Art Manion is the Vulnerability Analysis Technical Manager at the CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University. He coordinates vulnerability disclosures and says things like “Don’t Use IE,” “Replace CPU hardware,” and “CVSS is inadequate.”



AVV - Bally's Event Center - Sunday - 11:00-11:30


In The Air And On The Air: Aviation Radio Systems

No description available



CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Sunday - 13:00-12:59


Ironically, iOS robocall-blocking apps are violating your privacy

No description available



RGV - Flamingo - 3rd Floor - Carson City II - Sunday - 13:00-13:59


Title:
Lockpicking "Extras"

Not a how-to, Jared Dygert will cover things like pick concealment, creating your own picks, alternatives to traditional lockpicks (found or improvised picks), what different picks are best for, and more. Jared is an avid lock enthusiast, rock climber, and gamer. He's been picking locks ever since he was a kid and has no intention of stopping.

DC - Paris - Track 2 - Sunday - 12:00-12:45


Malproxying: Leave Your Malware at Home

Sunday at 12:00 in Track 2
45 minutes | Demo, Tool

Hila Cohen Security Researcher, XM Cyber

Amit Waisel Senior Technical Leader, XM Cyber

During a classic cyber attack, one of the major offensive goals is to execute code remotely on valuable machines. The purpose of that code varies on the spectrum from information extraction to physical damage. As defenders, our goal is to detect and eliminate any malicious code activity, while hackers continuously find ways to bypass the most advanced detection mechanisms. It’s an endless cat-and-mouse game where new mitigations and features are continuously added to the endpoint protection solutions and even the OS itself in order to protect the users against newly discovered attack techniques. In this talk, we present a new approach for malicious code to bypass most of endpoint protection measures. Our approach covertly proxies the malicious code operations over the network, never deploying the actual malicious code on the victim side. We are going to execute code on an endpoint, without really storing the code on disk or loading it to memory. This technique potentially allows attackers to run malicious code on remote victims, in such a way that the code is undetected by the victim’s security solutions. We denote this technique as “malproxying”.

Hila Cohen
Hila Cohen is a passionate Security Researcher at XM Cyber, where she investigates new attack techniques and develops detection and mitigation capabilities. Hila has a vast knowledge in the fields of malware analysis, reverse engineering and incident response.

Amit Waisel
Amit Waisel is a Senior Technical Leader at XM Cyber. He is a seasoned data security expert with vast experience in cyber offensive projects. Prior to XM Cyber, Amit filled multiple data security positions in the Israeli intelligence community. Amit is well experienced with malware detection and analysis techniques, operating system internals and security-oriented software development. He graduated with honors from Tel Aviv University with a MSc. in Computer Science.



RCV - Planet Hollywood - Celebrity 5 Ballroom - Sunday - 10:25-10:59


LIVE TOOL DEMO

Mining for Gold: A Framework for Accessing Pastebin’s Hidden Treasures

1025 - 1100



CLV - Flamingo 3rd Floor - Reno I Room - Sunday - 10:00-11:50


Speaker: Cheryl Biswas

Twitter: @3ncr1pt3d

Abstract: Cloud. It's the land of opportunity. Enterprises are doing mass migrations from older and legacy systems to harness greater power and efficiency from innovative new tech. Following that money trail are opportunistic attackers, seeking the computing strength and near-invisibility afforded by enterprise cloud environments to mine bitcoin. Cryptominers are everywhere. And yes, Virginia, they are in the Cloud.
These nebulous power-rich realms let attackers set up mining rigs to feast on enterprise resources, while flying below the detection of cloud or conventional security resources. The concern here is that once attackers gain access to our networks, they can pivot and move laterally, to find even greater reward in the vast amounts of data available. Let's talk about what we do and don't know when it comes to securing our cloud environments against malicious miners. Because it isn't just a question of what they can take – it's about the payloads they can leave behind.
Introduction: (5 min)
• Enterprise and Cloud: If you work for a major organization, you're probably undergoing or have just gone through a major migration to the Cloud. This is the big push according to a recent Gartner report, with 37% of enterprises reporting it as their top priority, and ranking at 39% for CIOs, ahead of cybersecurity (why are we not surprised).
• An Evolution of Evil: the rise of miners. Easy to get into. Low bar for entry. Starter toolkits cost $30 online. Cryptojacking increased by 4000% in 2018.
• Major miners like XMRig
• Main attack vectors: brute-forcing credentials for access; leveraging multiple vulnerabilities for access and internal movement.
• Motivation: almost 100% return on investment. No overhead.
Miners in the Sky: (5 min)
• Why it's expected to continue
  o The return on investment is lucrative in terms of computing power
  o Lack of detection
• Most organizations don't have mature cloud security programs. By design, yes; in reality, not so much. Cloud has huge amounts of processing power with built-in auto-scaling.
• Attackers can operate with almost no detection.
• The bigger the account, the longer attackers can go.
• Enterprises are migrating to the Cloud. We love our containers: Docker, AWS, Azure.
Charting the rise of malicious miners in cloud environments by attacks: (10 min)
Overview of what we're seeing:
• attacks on containers and container management
• control panel exploitation
• theft of APIs
• spreading malicious Docker images
• leveraging current and older enterprise vulnerabilities
• EternalBlue
Let's Start Here: The attack on Tesla's AWS S3 public cloud in February 2018. Researchers at RedLock found mining malware from a widespread, well-concealed cryptomining campaign in Tesla's AWS cloud. RedLock found it when they scanned the public internet for misconfigured and unsecured cloud servers; there have been a few of those. They saw an open server. Further investigation revealed it was running Kubernetes, the open source admin console for cloud application management, which was doing cryptomining. The Kubernetes console was not password protected. The attackers found login credentials for Tesla's AWS in one of the pods. From there they deployed malware scripts for Stratum bitcoin mining.
Abusing exposed Docker APIs: Hundreds of vulnerable and exposed Docker hosts were abused in cryptojacking campaigns in March this year. Attackers exploited CVE-2019-5736, a runc vulnerability identified in February that could trigger a container escape. That rather defeats the whole purpose of having a container, since it means the attacker can access the host filesystem and overwrite the runc binary to run arbitrary commands on the host. Attackers scan for exposed Docker APIs on port 2375. They deployed malicious self-propagating Docker images infected with malware to load Monero miners and find other vulnerable targets via Shodan. External access to API ports enables attackers to gain ownership of the host. They can tamper with instances running inside, drop malware, and access users' servers and resources. Discussion point: Misconfiguration is prevalent; why? How can we help users do this better?
Uninstalling Cloud Security: A new cryptomining malware family that targets Linux servers gained admin rights on systems by uninstalling cloud security products. We'll talk about the Chinese-language threat actor behind this and other attacks, the Rocke group. Consider how nation-state adversaries and advanced persistent threats (APTs) could seek to leverage this kind of attack in sophisticated campaigns.
Discussion point: We've seen conventional malware evade and disable existing AV. If we can't detect it, how do we protect against it? How are we extending this to malware targeting the Cloud?
Targeting Elasticsearch servers: in the “Cryptosink” campaign, attackers exploit a five-year-old vulnerability, CVE-2014-3120, that could lead to executing arbitrary Java code and affects Elasticsearch running on both Windows and Linux platforms. They download malware that has not been detected by AV on Linux. The attackers backdoor the servers for future access, eliminate competitors on the infected system by redirecting their mining pool traffic to a sinkhole, and achieve persistence by replacing the Linux remove command.
What else could be at risk: Abusing the instance metadata API. This functionality is offered by all cloud providers. If it isn't secured or monitored well, an attacker can exploit it via vulnerable reverse proxies or malicious Docker images.
What could this lead to: Once attackers are in your network, they aren't limited to just mining Monero. They have access to all your data-rich environments. If the attacker is looking for satisfaction that money can't buy, yes, they can deliver a very damaging payload with ransomware or worse. Think NotPetya.
Review of Vulnerabilities & Exploits: (5 min)
• Misconfiguration: security researchers and attackers are actively seeking and finding many exposed and unsecured instances online. Human error bears the brunt of the blame, but Cloud isn't traditional infrastructure. It's a complex, dynamic network that requires specialized knowledge and training to do configuration right.
• EternalBlue: believe it. There are still plenty of unpatched instances out there, and attackers continue to leverage this exploit to gain access, spread and move laterally within networks.
• Oracle WebLogic vulnerability CVE-2019-2725: There has been a series of critical vulnerabilities in this popular enterprise software.
• Remote code execution: Miners have been using a group of vulnerabilities for RCE as initial access and more
  o CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
  o CVE-2010-1871: JBoss Seam Framework
  o JBoss AS 3/4/5/6
  o CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
  o CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
  o Hadoop YARN ResourceManager - Command Execution
  o CVE-2016-3088: Apache ActiveMQ Fileserver File Upload
• PSMiner targets known vulnerabilities in Elasticsearch, Hadoop, PHP, Oracle WebLogic
• Fake certificates: attackers increasingly use these to evade detection and infiltrate conventional systems. How can we apply what we're learning to protect the Cloud?
What we can do: (5 min)
• Countermeasures:
  o rotate access keys
  o restrict outbound traffic
  o cryptojacking blockers for web browsers
• Monitor user behavior
• Follow the principle of least privilege when issuing credentials
• EternalBlue is still actively leveraged against vulnerable systems. Think third-party compromise
• Visibility. Be able to see down to the process level.
• Micro-segmentation to control lateral movement and spread
• Apply, monitor and enforce best practices
• Resources like YARA rules to detect miners (will make available)
• Watch for unusual deletions or spinning up of containers
• IoCs
Conclusion and Q&A

About Cheryl: Cheryl Biswas, aka 3ncr1pt3d, is a Strategic Threat Intel Analyst with a major bank in Toronto, Canada. Cheryl has experience with security audits and assessments, privacy, DRP, project management, vendor management and change management. She has an ITIL certification and a degree in Political Science. She is actively involved in the security community as a speaker and a volunteer at conferences and encourages women and diversity in Infosec as a founding member of the "The Diana Initiative".



BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 10:00-10:15


10:00 AM: Opening Words
Welcome to the Biohacking Village!


DC - Paris - Track 3 - Sunday - 13:00-13:45


Owning The Clout Through Server-Side Request Forgery

Sunday at 13:00 in Track 3
45 minutes | Demo, Tool

Ben Sadeghipour Nahamsec

Cody Brocious (Daeken)

With so many apps running in the cloud, hacking these instances becomes easier through a simple vulnerability caused by unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Ben Sadeghipour
Ben is the Hacker Operations Lead at HackerOne by day, and a hacker by night. He has helped identify and exploit over 500 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense, Yelp, and more. He has also invested time in the security community by creating a community of 200+ active hackers who share ideas and their experiences. He has also held free workshops and trainings to teach others about security and web application hacking.

Twitter: @nahamsec
Website: nahamsec.com

Cody Brocious (Daeken)
Cody is the Head of Hacker Education at HackerOne, where he dedicates his time to teaching hackers to be more effective and empowered. He is a reverse engineer and software developer with well over a decade of experience. Cody is also the lead instructor for Hacker101, a free course on web security.

Twitter: @daeken
Website: daeken.svbtle.com



RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - Sunday - 12:00-12:59


A Panel and Active Discussion: Red Team Career Advice

A panel of several Red Team members will talk about Red Team and Offensive Security career advice. This will also be an active discussion with the audience! This is a great opportunity to learn from others and also share your experience, highlight how you got started, and how you became a leader in your field.



CLV - Flamingo 3rd Floor - Reno I Room - Sunday - 12:15-12:59


Speaker: Ashwin Vamshi

Twitter: @_ashwin_vamshi

Abstract: Cloud services are built for increased collaboration and productivity, and provide capabilities like auto-sync and API-level communication. This has led enterprises to exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End users as well as security products tend to place implicit trust in cloud vendors such as Microsoft, AWS and Google, and in SaaS app vendors such as Box, Salesforce and Dropbox. As a result, cybercriminals have started launching their attacks from these trusted cloud services. This talk will focus on how attackers are abusing these trusted cloud services to create phishing attacks that are highly effective and hard to detect.
We will begin the presentation by sharing some statistics that illustrate the wide-scale adoption of cloud services by cybercriminals, focusing in particular on the use of cloud services as the launching point of an attack. In the next section, we will discuss some of the novel, offensive phishing techniques that attackers have employed, including abusing SaaS APIs, abusing trusted API redirects, and hosting attack pages in cloud services.
We will deep dive into three specific techniques we discovered in the wild:
- Targeted BEC (Business Email Compromise) phishing attacks abusing popular services like S3, GCS, Azure Storage and Google App Engine on GCP. The S3, GCS and Azure Storage based attacks used static web hosting to serve up convincing baits, complete with Amazon, Google or Microsoft issued SSL certs. We will provide a few examples of successful attacks of this type. The App Engine attack used an open redirect to make it appear that the bait was being delivered from Google. We provide a detailed breakdown of how this was done and what made this attack successful. At the time of writing this draft, Google shows its standard redirection notice when users click on one of these App Engine links, making it more obvious to the user that they are being redirected.
- The “Default Allow” action in popular PDF readers, combined with annotations used in themed decoy templates. This action only warns the user that the document is trying to connect to a trusted cloud service, which looks benign at face value. By taking advantage of the “default allow” action in popular PDF readers, the attacker can easily deploy multiple attacks without triggering the security warning again after the first alert. In this section, we provide examples of multiple attacks leveraging this technique, including the preceding BEC.
- PhaaS (Phishing-as-a-Service): criminals hosting full-fledged phishing infrastructure in the cloud and selling it on a B-to-C model. These on-demand, service-based models are in essence a criminal version of software-as-a-service, allowing buyers to purchase site login accounts along with the crafting and hosting of phishing links. In this section, we provide an overview of one of these services and describe how it is using public cloud services to drive its success.
The idea is to educate our audience about the new wave of sophisticated attacks abusing highly trusted services like Google and its App Engine APIs, object stores in AWS/Azure/GCP and other Tier-1 SaaS applications. The attackers not only craft a “near original” phishing bait but also make it hard for security products to detect such attacks.
We will then discuss some inherent design constraints and weaknesses in these services which benefit cybercriminals in creating attacks that bypass modern-day security solutions. Most end users are savvy enough now to understand that links that include random IP addresses or suspicious-sounding domain names should not be clicked on, but they don't have a similar awareness of the risk associated with cloud services. Users tend to click on an email invite from a cloud application or a phishing document hosted in a cloud environment, as it is convincing and difficult to recognize as phishing.
We will then examine the motivation behind this new trend, its monetary impact in the cybercrime market and its simplicity, which is attracting more and more novice cybercriminals into building their attack infrastructure by abusing such services.
We will conclude the talk by sharing details about our responsible disclosure to Tier-1 vendors and proposing detection and remediation techniques for these types of attacks.

About Ashwin: Ashwin Vamshi is a Security Researcher with an innate interest in targeted attacks and malware that use cloud services. His research has been quoted in Forbes and in several infosec magazines and online portals. Currently, he is working at Netskope, primarily focusing on identifying malware, campaigns and threat actors that use 'cloud as an attack vector'.



DL - Planet Hollywood - Sunset 6 - Sunday - 10:00 - 11:50


QiLing

Sunday from 10:00 – 11:50 in Sunset 6 at Planet Hollywood
Audience: Reverse Engineers, Hardware (IoT) Hackers

KaiJern, Lau & Dr. Nguyen Anh Quynh

QiLing is a cross-platform, multi-architecture binary emulator that is able to do the following:

- Execute binaries built for multiple operating systems (Windows, Mac, Linux, Android, iOS, etc.) and CPU architectures (Intel, Arm, AArch64 and Mips).
- Run on multiple host platforms (Windows, MacOS, Linux, BSD), with sandboxed analysis so that potentially malicious activities are kept under control.
- Provide a Python instrumentation framework, so users can build add-on plugins to customize runtime analysis.
- Analyze and report the code execution in a friendly and fully customizable high-level format.

Besides working as an independent tool, QiLing also provides plugins for disassemblers such as Ghidra and IDA Pro. QiLing is designed to be a lightweight and pluggable emulator. To handle real binaries reasonably, it must be fast and offer instrumentation capability for users to build customized analysis:

- Able to handle hardware emulation.
- Dynamically patch the binary during execution in order to redirect execution flow and bypass non-critical checks.
- Handle full binary emulation, not just raw code without context. To achieve this, it emulates parts of the OS (such as syscalls, system libraries and parts of the kernel).
- Enable user-customized analysis via a Python framework.

QiLing is an open-source project.

KaiJern, Lau
KaiJern (xwings) is Lab Director of The ShepherdLab of JD Security by JD.COM. He has presented his findings at international security conferences such as HITB, Codegate, QCon, KCon, Brucon, H2HC and several DEF CON groups. He has also conducted hardware hacking courses at various places around the globe.

Dr. Nguyen Anh Quynh
Dr. Nguyen Anh Quynh is a regular speaker at various industry cybersecurity conferences such as Blackhat USA/Europe/Asia, Defcon, Deepsec, XCon, Hitcon, Brucon, Zeronights, Tensec, H2HC, etc. He has also presented his research in academic venues such as Usenix, IEEE, ACM and LNCS. Dr. Nguyen is also the founder and maintainer of Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) and Keystone (http://keystone-engine.org).



BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 11:05-11:30


Reflections on Blockchain Security

No description available



DL - Planet Hollywood - Sunset 5 - Sunday - 10:00 - 11:50


Rhodiola

Sunday from 10:00 – 11:50 in Sunset 5 at Planet Hollywood
Audience: Offense

Utku Sen

Adversaries need a wordlist or a combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named ”mask attack”, where the attacker needs to assume a password’s structure. Even though it narrows the combination pool significantly, the pool is still too large to use for online attacks or for offline attacks with limited hardware resources. In the real world, a password’s structure is an unknown value, just like the password itself. Even if we specify a password structure with masks, we are still brute forcing the characters in the mask. When we analyzed the Ashley Madison and Myspace wordlists, we saw that they mostly consist of sequential alpha characters, which means there is a high probability that they are meaningful words. Our research shows that 30% of the Ashley Madison wordlist and 36% of the Myspace wordlist contain meaningful English words. The Rhodiola tool was developed to narrow the combination pool by creating a personalized wordlist for target people. It finds the interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist. The wordlist consists of the most used nouns and proper nouns, paired nouns and proper nouns, and cities and years related to the detected proper nouns.

Utku Sen
Utku Sen is a security researcher who is mostly focused on application security, network security and tool development. He has presented his tools and research at Black Hat USA Arsenal, DEF CON Demo Labs and the Packet Hacking Village in recent years. He was also nominated for a Pwnie Award in the "Best Backdoor" category in 2016. He is currently working for Tear Security.



DC - Paris - Track 4 - Sunday - 11:00-11:45


Say Cheese - How I Ransomwared Your DSLR Camera

Sunday at 11:00 in Track 4
45 minutes | Demo, Exploit

Eyal Itkin Vulnerability Researcher at Check Point Software Technologies

It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical, right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are encrypted, and the camera is locked. How could that happen? In this talk, we show a live demo of this exact scenario. Join us as we take a deep dive into the world of the Picture Transfer Protocol (PTP). The same protocol that allows you to control your camera from your phone or computer can also enable any attacker to do that and more. We will describe in detail how we found multiple vulnerabilities in the protocol and how we exploited them remotely(!) to take over this embedded device. But it doesn't end here. While digging into our camera, we found a reliable way to take over most DSLR cameras without exploiting any vulnerability at all. We simply had to ask our camera to do that for us, and it worked.

This is the first vulnerability research on the Picture Transfer Protocol, a vendor agnostic logical layer that is common to all modern-day cameras. As DSLR cameras are used by consumers and journalists alike, this opens up the door for future research on these sensitive embedded devices.

Eyal Itkin
Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research, which includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.

Twitter: @EyalItkin



DC - Paris - Track 2 - Sunday - 11:00-11:45


SDR Against Smart TVs: URL and Channel Injection Attacks

Sunday at 11:00 in Track 2
45 minutes | Demo, Tool

Pedro Cabrera Camara Founder, Ethon Shield

Software-defined radio has revolutionized the state of the art in IoT security, and especially for one of the most widespread devices: the Smart TV. This presentation will show in detail the HbbTV platform of Smart TVs, in order to understand and demonstrate two attacks on these televisions using low-cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). The latter attack enables more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

Pedro Cabrera Camara
An Industrial and Electronics Engineer, Pedro is an enthusiast of Software Defined Radio and UAVs who has worked for 12 years in the main Spanish telecommunications operators, conducting security audits and pentesting in mobile and fixed networks. In addition to working with telecommunications operators, Pedro leads open source projects such as intrusion detection systems for GSM, UMTS and LTE networks, which has led him to study the various fake base station attacks and existing solutions. In recent years he has participated in security events in the United States (RSA, CyberSpectrum, DEF CON DemoLabs), Asia (BlackHat Trainings) and Europe (Rootedcon, Euskalhack, AlligatorCON).

Twitter: @PcabreraCamara
Website: http://www.fakebts.com



CLV - Flamingo 3rd Floor - Reno I Room - Sunday - 11:50-12:15


Speaker: Josh Mize

Twitter: @jgmize

Abstract: This presentation will give an overview of the security practices and lessons learned from real world incidents managing the production multi-cloud deployments of Mozilla websites. Topics include real-world examples of mitigating malicious and self-inflicted DDoS attacks, managing secrets with sops, and reducing public attack surface by routing inbound traffic via reverse tunnels from the CDN.

About Josh: Josh Mize is a Staff Site Reliability Engineer at Mozilla responsible for Mozilla’s largest web properties: mozilla.org, Mozilla Developer Network, Support, and more. As an SRE, Mize wholly owns the security configuration for a multi-cloud Kubernetes deployment serving millions of users. Mize brings a unique perspective on "security at scale".



CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Sunday - 12:00-11:59


Security and privacy of dating apps

No description available



DC - Paris - Track 2 - Sunday - 13:00-13:45


Sound Effects: Exploring Acoustic Cyber-weapons

Sunday at 13:00 in Track 2
45 minutes | Tool

Matt Wixey Cyber Security Research Lead, PwC UK

While recent research has explored the capability of attacks to cause harm by targeting devices – e.g., SCADA systems, vehicles, medical implant devices - little consideration has been given to the concept of attacks affecting psychological and physiological health by targeting humans themselves.

In a first-of-its-kind study, we assessed the capability of several consumer devices to produce sound at high and low frequencies which may be imperceptible to many people, as a result of remote and local attacks, and compared the resulting sound levels to maximum recommended levels. In doing so, we tested their viability as localised acoustic weapons which could cause temporary/permanent hearing damage and/or adverse psychological effects. We examined a number of countermeasures, including a tool to detect specified frequencies above specified thresholds.

In this talk, I will cover the background of malware which has, intentionally or not, caused physical or psychological harm. I will explore previous research on the harmful effects of sound, focusing particularly on high and low frequencies, and some of the guidance which has been proposed to limit exposure to such sound. I will examine the use of imperceptible sound as applied to security research (covert channels, ultrasonic tracking beacons, etc), and will present our experiments and findings, including threat models, methodology, the attacks we developed, and the implications of our results. Finally, I will suggest a number of countermeasures and outline some possible areas for future research.

Matt Wixey
Matt is a PhD candidate at the Dawes Centre for Future Crimes, University College London, and leads technical research for the PwC Cyber Security practice in the UK. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

Twitter: @darkartlab



RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - Sunday - 09:00-09:59


State of Red Team Services Roundtable

Wesley McGrew, Director of Cyber Operations at HORNE Cyber, leads a panel discussion taking a frank look at the state of offense-oriented services, such as penetration tests and red team engagements. The goal is to look at the current state of offense-oriented services, and discuss what it will take for the discipline to mature and adapt.

Among the topics open for discussion:
- Terminology
- Trends in penetration testing and red teaming
- Managing large scale engagements
- Tradecraft
- Client interactions
- Effective reporting

Dr. McGrew will present questions to a panel of red team professionals, and chime in with his outlook as well. Questions for the panel will also be solicited from the audience.
The panel will try to address the issues faced by experienced red team and related service professionals, and those that manage the engagements. Those getting started in this field are encouraged to attend in order to see the evolving structure of this industry, beyond entry-level jobs.

About Dr. Wesley McGrew: As Director of Cyber Operations at HORNE Cyber, Wesley McGrew oversees and participates in offense-oriented services for clients in many areas, including finance, healthcare, manufacturing, and national critical infrastructure. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems. Twitter: @McGrewSecurity



DC - Paris - Track 1 - Sunday - 11:00-11:45


The ABC of Next-Gen Shellcoding

Sunday at 11:00 in Track 1
45 minutes | Demo, Tool

Hadrien Barral Hacker

Rémi Géraud-Stewart Hacker

Georges-Axel Jaloyan PhD Student at ENS

Shellcodes are short executable stubs that are used in various attack scenarios, whenever code execution is possible. After briefly recalling how they work in general and what interesting things they can do, besides obviously running a reverse shell, we'll have to deal with the reality that shellcodes are usually not particularly stealthy, due in part to the very suspicious presence of non-printable characters. In a tutorial-like fashion, we'll address increasingly complex constraints. As a reward, we reveal new methods for writing alphanumeric shellcodes in particular, and for attacking platforms for which (to the best of our knowledge) no such shellcode was previously known.

Don't know anything about constrained shellcodes? Do not worry: we'll start from the ground up. Black-belt in shellcoding? We have you covered, stay until the end where we'll get our hands dirty!

Hadrien Barral
Hadrien Barral is an R&D engineer, focusing on Operating Systems, Security and High-Assurance software. In his spare time, he enjoys hacking on various and obscure systems.

Rémi Géraud-Stewart
Rémi Géraud-Stewart is a cryptologist and security expert with Ecole normale superieure in Paris, focusing on intrusion and cyberwarfare.

Georges-Axel Jaloyan
Georges-Axel Jaloyan is a PhD student at Ecole normale supérieure in Paris focusing on formal methods applied to reverse-engineering, in collaboration with the French Alternative Energies and Atomic Energy Commission (CEA).



DC - Paris - Track 3 - Sunday - 14:00-14:45


The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum

Sunday at 14:00 in Track 3
45 minutes | Demo, Tool

Bernhard Mueller ConsenSys Diligence

Daniel Luca

Ethereum smart contracts are Turing-complete programs that mediate transfers of money. It doesn't come as a surprise that all hell is breaking loose on the Ethereum blockchain.

In this talk, we'll introduce Karl, an Ethereum blockchain monitor, and Scrooge McEtherface, an auto-exploitation bot that extracts Ether from vulnerable smart contracts. Scrooge uses symbolic execution to detect vulnerable states that live up to three transactions deep and constructs exploit payloads using the Z3 constraint solver.

We'll also examine the game-theoretic consequences of Scrooge's existence. What if multiple bots compete for exploiting the same contracts? How about honeypots that counter-exploit bots? Is it possible to cheat those honeypots? When all is said and done, who is going to end up stealing money from whom?

During the talk, we'll show many examples for vulnerable contracts, honeypots, and counter-honeypots, explain the role of transaction ordering and frontrunning, and launch a little challenge for the audience.

Bernhard Mueller
Bernhard Mueller is an OG security engineer and researcher with experience in a variety of fields including Internet protocols, web apps, operating systems, server software and blockchain technology. His work in mobile and blockchain security has earned him two "Best Research" Pwnie Award nominations (and one win). In the Ethereum community he is known for creating the Mythril symbolic analyzer.

Twitter: @muellerberndt
LinkedIn: https://www.linkedin.com/in/bernhardm/

Daniel Luca
Daniel is a self-taught developer with experience in multiple programming languages. Having a hacker mindset, he always tests the limits of the software or hardware he interacts with. He likes to experiment with new technologies, always trying to develop his available toolchain. When he isn't glued to a computer screen, he likes to snowboard, read and meditate. He currently does security audits and builds tools for ConsenSys Diligence and the Ethereum ecosystem.

Twitter: @cleanunicorn
LinkedIn: https://www.linkedin.com/in/luca-daniel-5227267/



PHVW - Bally's - Indigo Tower - 26th Floor - Sunday - 11:00-13:59


Threat Hunting with Suricata

Josh Stroschein, Director of Training, Open Information Security Foundation (OISF) / Suricata
Jason Williams, Jack Mott, Travis Green

Finding threats in your network traffic starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this workshop, you will learn how to leverage Suricata to generate alerts, produce protocol-specific logs and identify malicious or anomalous activity in your network traffic. You will get hands-on with managing alerts through EveBox and hunting through traffic with Moloch. You will also learn how to create custom Kibana visualizations and dashboards to help focus your analysis efforts. In-depth log analysis and hands-on real-world exercises will be used to reinforce the detection techniques and tactics explained throughout the workshop. This is an ideal workshop for security analysts, blue teamers and malware researchers to get hands-on diving deep into malicious traffic and see what Suricata can do.

Prerequisites: To help prepare for this workshop, we recommend that you are familiar with the basics of network security monitoring, IDS/IPS systems and Linux environments. Familiarization with IDS rules is recommended, but not required.

Josh Stroschein (Twitter: @suricata_ids) is a subject matter expert in malware analysis, reverse engineering and software exploitation. He is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis, reverse engineering, software exploitation and other related security topics. Josh is also an accomplished trainer, providing training in the aforementioned subject areas at Black Hat, DerbyCon, Toorcon, Hack-In-The-Box and other public and private venues. Josh is also the Director of Training for OISF/Suricata, an author on Pluralsight and a threat researcher for Bromium.

Jason Williams (Twitter: @switchingtoguns) is a security researcher with global enterprise experience in detecting, hunting and remediating threats with open source technologies. Primarily focusing on network communications, Jason has written thousands of commercial and community Suricata rules for Emerging Threats to help defenders protect their networks. Jason participates as a Signature Development and User Training instructor for the OISF.

Jack Mott (Twitter: @malwareforme) is a security researcher who focuses on open source solutions to detect, track and hunt malware and malicious activity. He has been a signature writer for the Emerging Threats team for several years, producing community/premium Suricata signatures to help protect networks worldwide. Jack is a strong believer in the open source mission as well as helping people and organizations solve security issues with open source solutions. He resides in the USA.

Travis Green (Twitter: @travisbgreen) is a passionate Cyber Security researcher and consultant with a 20-year career that includes extensive international work leading security initiatives and advising government and military clients, consulting to enterprise businesses, and mentoring teams in best practices. He is an effective communicator and self-starter able to analyze data to create security policy, develop and execute strategy, and develop tools to automate processes. He is an OISF core team member with conference presentation experience and multiple certifications.



DL - Planet Hollywood - Sunset 4 - Sunday - 10:00 - 11:50


USB-Bootkit – New Bootkit via USB Interface in Supply Chain Attacks

Sunday from 10:00 – 11:50 in Sunset 4 at Planet Hollywood
Audience: Offense, Defense and Hardware.

Haowen Bai

USB-Bootkit, a new type of Bootkit delivered via the USB interface, contains malicious code inside the USB device that gets executed every time the system boots up. The malicious device, located either on the motherboard or inside external HID devices such as the keyboard, is invisible to ordinary users and capable of re-infecting the system after the OS is reinstalled or the hard drive is formatted or even replaced.

In order to make it look innocuous, we implanted the USB-Bootkit inside a keyboard without changing its outward appearance. Supply chain attacks could be leveraged to replace the device and modify boot sequences accordingly. Once it is used by the target, we are able to carry out attacks persistently. Legacy and UEFI modes are covered in one USB device, which adapts to the target system automatically. In the demonstration, the attack originates from the malicious keyboard and is able to compromise a fully patched Windows 10 x64 operating system from power-on. The USB-Bootkit disconnects itself automatically afterwards to avoid being discovered when the victim logs into the operating system.

https://github.com/RedDrip7/USB-Bootkit

Haowen Bai
Haowen Bai, a senior security research engineer at QiAnXin Threat Intelligence Center (@RedDrip7), has over 12 years’ work experience in network security, including the discovery of zero-day vulnerabilities used in targeted attacks. Currently he is researching innovative approaches to discovering vulnerabilities and exploits on the Windows platform, as well as using big data analysis systems to catch perilous threats in the wild.



RCV - Planet Hollywood - Celebrity 5 Ballroom - Sunday - 10:00-10:25


LIGHTNING TALK

Using OSINT for Competitive Intelligence

1000 - 1025



DL - Planet Hollywood - Sunset 3 - Sunday - 10:00 - 11:50


Vulmap: Online Local Vulnerability Scanners Project

Sunday from 10:00 – 11:50 in Sunset 3 at Planet Hollywood
Audience: Offense, Defense

Yavuz Atlas & Fatih Ozel

Vulmap is an open source online local vulnerability scanner project. It consists of online local vulnerability scanning scripts for Windows and Linux. These scripts can be used for defensive and offensive purposes. It is possible to conduct vulnerability assessments by using these scripts. They can also be used for privilege escalation by pentesters/red teamers. Vulmap scans for vulnerabilities on localhost, shows related exploits and downloads them. It basically scans localhost to gather installed software information and asks the Vulmon API whether there are any vulnerabilities and exploits related to the installed software. If any vulnerability exists, Vulmap shows the CVE ID, risk score, vulnerability detail link, exploit IDs and exploit titles. Exploits can also be downloaded with Vulmap. The main idea of Vulmap is getting real-time vulnerability data from Vulmon instead of relying on a local vulnerability database. Even the most recent vulnerabilities can be detected with this approach. Its exploit download feature also helps the privilege escalation process. Since most Linux installations have Python, Vulmap Linux is developed in Python, while Vulmap Windows is developed in PowerShell to make it easy to run on most Windows versions without any installation.

https://github.com/vulmon/Vulmap

Yavuz Atlas
Yavuz Atlas is a cyber security researcher. He has academic and professional experience in areas like cyber security, software development, data science and information visualization. He works as a Tech Lead for Biznet. His current work focuses on pentesting and secure code reviews. Yavuz is also a developer of the Vulmon project.

Fatih Ozel
Fatih Ozel specializes in web application assessments, penetration testing, and software development. He is a former software developer and an open source enthusiast. He holds a Computer engineering degree from Suleyman Demirel University. Fatih is currently working as a Penetration tester for Biznet Bilisim.



DC - Paris - Track 4 - Sunday - 13:00-13:45


Want Strong Isolation? Just Reset Your Processor

Sunday at 13:00 in Track 4
45 minutes | Demo, Tool

Anish Athalye PhD student at MIT

Today's systems sandbox code through traditional techniques: memory protection and user-kernel mode. Even high-security devices like hardware cryptocurrency wallets use such an architecture. Unfortunately, this arrangement has a history of security bugs due to misconfigured protection hardware, bugs in kernel code, hardware bugs, and side channels.

This talk proposes a new approach to isolation for devices like crypto wallets: separate the user and kernel onto two CPUs and multiplex processes by completely resetting the user processor between tasks so that there is no leakage.

Processor reset is more complicated than might be expected. Simply asserting the reset line isn't enough to clear all CPU-internal state, but it turns out that software can be used to clear this state. However, reasoning about the correctness of such code is challenging. This talk presents a tool that can be used to develop and formally verify the correctness of reset code for a given CPU implementation.

This talk also walks through a design of a wallet based on this reset-based isolation technique, discusses known security vulnerabilities in current designs such as the Ledger and Trezor wallets (including bugs in MPU misconfiguration, system calls, and drivers), and explores how a reset-based design could prevent such vulnerabilities.

Anish Athalye
Anish is a PhD student at MIT working on systems, security, and formal verification. He is currently interested in making hardware wallets more secure. In his free time, he enjoys bending neural networks to his will: among other exploits, he has mastered the art of transfiguration (as far as computers are concerned), exemplified by turning a turtle into a rifle.

Twitter: @anishathalye
Websites: anish.io (academic), anishathalye.com (blog)



 

RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - Sunday - 10:30-11:30


WebSploit 2.0 Release and an Intense Introduction to Hacking Web Applications and APIs

In this talk a new version of the self-contained WebSploit VM will be released. WebSploit was created by Omar Santos for different cybersecurity ethical hacking training sessions that have been delivered in several outlets. This VM contains hundreds of exercises from known intentionally vulnerable applications running in Docker containers on top of Kali Linux; it also includes several additional tools and a mobile device emulator that can be used to test APIs. Omar will go over several demonstrations on how to get started with this collection of hundreds of exercises, and participants will receive a lab guide that they can complete in their own time (which covers dozens of exercises).

About Omar Santos: Omar is an active member of the security community, where he leads several industry-wide initiatives and standards bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of critical infrastructure. Omar is the author of over 20 books and video courses, numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer in Cisco's Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities. Twitter: @santosomar



 

BTVT - Flamingo - 3rd Floor- Savoy Room - Sunday - 10:00-10:59


Who Dis? Who Dis? The Right Way To Authenticate

Sunday 10:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@Lak5hmi5udheer is a Security Researcher at Adobe. She holds a Master of Science in Information Security and has been in the security industry for about four years now. At Adobe, she works on reviewing architectures and providing security guidelines to various product teams. Prior to Adobe, she was at a startup doing all things application security, and she has experience with security consulting at Bishop Fox. She has also spoken about her open source projects at security conferences like RSA 2018, AppSec USA and AppSec Cali.

@dhivus is a Security Researcher at Adobe. She received her master's degree in Information Security and Information Technology from Carnegie Mellon University in 2017. At Adobe, she provides proactive security guidance to key product teams, develops security automation tools and enjoys reviewing the security of new technologies. She loves talking about her open source projects at conferences, the most recent being Girls Who Code, DefendCon and CISO Summit.

In today's ecosystem, verification of identity no longer applies just to the user; it extends to microservices, cloud providers, IoT devices and many other emerging systems as well. 81% of discovered breaches are due to broken authentication, indicating that it is a prevalent issue. Developers are generally aware of the different authentication methods used for secure interaction between these entities, but most often lose context on best practices. In this context, we talk about popular authentication schemes like SAML, OAuth, tokens and magic links, adopted by developers today, and emerging ones like WebAuthn. We will present incorrectly coded authentication patterns observed in disclosed reports related to these schemes. Finally, we will conclude with actionable solutions to correct these flaws, realized in the form of practical guidelines. These would be security design patterns that developers or designers could refer to in their daily tasks.
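The abstract does not say which flawed patterns the speakers will show, so the following is an added example of one scheme from their list, magic links, written for this page and not taken from the talk: a constructed weak verifier beside a hardened issue/verify flow. The in-memory dict standing in for a database, the 15-minute lifetime and the injectable clock are assumptions of the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60      # assumed lifetime for a login link

def weak_verify(store, email, token):
    """Constructed weak pattern: the raw token sits in the store keyed by e-mail,
    is compared with ==, never expires and can be replayed as often as it leaks."""
    return store.get(email) == token

class MagicLinks:
    """Hardened flow: unguessable token, only its hash stored, bound to one account,
    time-limited, single use, and superseded by any newer link for the same account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._store = {}         # sha256(token) -> {"email", "expires", "used"}

    def issue(self, email):
        # Any link still outstanding for this account is revoked before a new one is minted,
        # so an attacker-triggered "send me a link" request cannot keep an old one alive.
        for rec in self._store.values():
            if rec["email"] == email:
                rec["used"] = True
        token = secrets.token_urlsafe(32)                        # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode()).hexdigest()
        self._store[key] = {"email": email,
                            "expires": self._clock() + TOKEN_TTL_SECONDS,
                            "used": False}
        return token       # only the raw token goes into the e-mail; a DB dump yields hashes

    def verify(self, token):
        """Return the account the link was issued for, or None. The caller must use the
        returned identity, never an e-mail address supplied alongside the token."""
        key = hashlib.sha256(token.encode()).hexdigest()
        rec = self._store.get(key)        # lookup by hash: no raw-token comparison anywhere
        if rec is None or rec["used"] or self._clock() > rec["expires"]:
            return None
        rec["used"] = True                # single use: a replayed or forwarded link fails
        return rec["email"]

if __name__ == "__main__":
    links = MagicLinks()
    t = links.issue("alice@example.com")
    print(links.verify(t), links.verify(t))    # identity on first use, None on replay
```

Each check in `verify` corresponds to one way these links go wrong in practice: guessable tokens, tokens that remain valid after the database leaks, links that work for days, and links that work more than once.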



 

PHVT - Bally's - Indigo Tower - 26th Floor - Sunday - 10:00-10:59


Wi-Fi Threat Modelling and Monitoring (WiNT)

Besim Altinok, Barikat Internet Security
Can Kurnaz, Senior Cybersecurity Consultant at KPMG Netherlands

With the widespread use of wireless Internet access, we see that the use of portable technologies is rapidly increasing. The growth of public networks and the ease of access to them have attracted the attention of attackers. Due to the easy availability of mature honeypot creation tools, this attack is a slam dunk for even the most novice of Wi-Fi attackers. Enterprise security products have tried but failed to solve this problem with rule- and lockdown-based approaches. In this talk, we are going to tell a story from our experience with Wi-Fi network attackers. We will practically demonstrate how, using new detection and deception techniques, we can make Wi-Fi clients and environments secure.
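The abstract names detection and deception against Wi-Fi honeypots without detailing either, so here is an added example of both, written for this page and not the speakers' code: a random canary SSID as the deception (a probe request for a network nobody advertises, where any response marks a honeypot that answers every probe), plus two detections over parsed management frames, one for a single radio answering probes for many unrelated networks and one for a known SSID appearing from an unknown BSSID. The frame records and the allowlist are constructed, not captured.

```python
import secrets
from collections import defaultdict

# Assumed allowlist: SSID -> BSSIDs that are legitimately allowed to advertise it.
KNOWN_NETWORKS = {"CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}

def canary_ssid():
    """Deception probe: an SSID no legitimate AP advertises. The monitor sends a probe
    request for it; anything that answers is responding to probes indiscriminately."""
    return "canary-" + secrets.token_hex(6)

def analyse(frames, known=KNOWN_NETWORKS, canary=None, karma_threshold=3):
    """frames: iterable of (frame_type, bssid, ssid) from a monitor-mode capture.
    Returns a list of findings; each finding is reported once per offending BSSID."""
    findings = []
    answered = defaultdict(set)          # bssid -> SSIDs it has sent probe responses for
    flagged_twins = set()
    for ftype, bssid, ssid in frames:
        if ftype == "probe_resp":
            answered[bssid].add(ssid)
            if canary is not None and ssid == canary:
                findings.append(("honeypot-canary", bssid, ssid))
        if ftype in ("beacon", "probe_resp") and ssid in known and bssid not in known[ssid]:
            if (bssid, ssid) not in flagged_twins:
                flagged_twins.add((bssid, ssid))
                findings.append(("evil-twin", bssid, ssid))
    for bssid, ssids in answered.items():
        if len(ssids) >= karma_threshold:    # one radio claiming to be many unrelated networks
            findings.append(("honeypot-karma", bssid, len(ssids)))
    return findings

# Constructed sample capture: one legitimate corporate AP, one rogue radio that beacons the
# corporate SSID and answers every probe request it hears, including the canary.
CANARY = "canary-5f3a9c0b1d2e"
SAMPLE_FRAMES = [
    ("beacon",     "00:11:22:33:44:55", "CorpWiFi"),
    ("beacon",     "de:ad:be:ef:00:01", "CorpWiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "CorpWiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet"),
    ("probe_resp", "de:ad:be:ef:00:01", "Starbucks"),
    ("probe_resp", "de:ad:be:ef:00:01", CANARY),
    ("probe_resp", "00:11:22:33:44:56", "CorpWiFi"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FRAMES, canary=CANARY):
        print(*finding)
```

The canary check needs no prior knowledge of the environment, which is what makes it usable on a client; the allowlist check is the one an enterprise monitor can run, and the threshold check sits between the two.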

Besim Altinok (Twitter: @AltnokBesim) has been researching Wi-Fi security for over a decade. He created the WiPi-Hunter project to counter Wi-Fi hackers. He is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and others. He has also spoken at top conferences including Black Hat Europe, Black Hat Asia, DEF CON, and others. Besim currently works at Barikat Internet Security in Turkey. Besim also founded the Pentester Training project.

Can Kurnaz (Twitter: @0x43414e) conducts penetration tests against Internet-facing and internal networks, web-based applications, network infrastructure, wireless devices, IoT devices and operational technology infrastructure such as ICS/SCADA systems and components.



 

AVV - Bally's Event Center - Sunday - 10:30-10:59


Wireless Attacks on Aircraft Instrument Landing Systems

Speaker – Harshad (@harshadsathaye)

Synopsis

Modern aircraft rely heavily on several wireless technologies for communication, control, and navigation. Researchers have demonstrated vulnerabilities in many aviation systems, e.g., injecting ghost aircraft into airspace, spoofing locations and manipulating key communication messages. However, the resilience of aircraft landing systems to adversarial wireless attacks has not been studied in the open literature, despite their criticality and the increasing availability of low-cost SDR platforms. In this work, we investigate and demonstrate the vulnerability of aircraft instrument landing systems (ILS) to wireless attacks (https://www.youtube.com/watch?v=Wp4CpyxYJq4).

In the majority of airports today, commercial traffic is typically assigned some type of instrument approach into the landing phase to maintain a smooth flow of traffic in and out of the airport environment. The demonstrated attacks can cause last-minute go-around decisions, missing the landing zone in low visibility, and even crash landings, depending on the level of automation in the future. We analyze the ILS waveforms and show the feasibility of spoofing such radio signals using commercially available SDRs. We show that it is possible to fully control, in fine grain and in real time, the course deviation indicator as displayed by the ILS receiver, and demonstrate it on aviation-grade ILS receivers. Additionally, we introduce a novel attack called the single-tone attack that significantly reduces the power requirements of the attack. We develop a tightly controlled closed-loop ILS spoofer that autonomously adjusts the adversary's transmitted signals based on the aircraft's GPS location to cause an undetected off-runway landing. We demonstrate the integrated attack on an FAA-certified flight simulator's (X-Plane) AI-based auto-land feature and show a success rate with offset touchdowns of 18 meters to over 50 meters. We discuss potential countermeasures and show that, unlike other aviation security issues that can be fixed with conventional cryptography, conventional cryptographic fixes are ineffective against the demonstrated attack, and securing ILS poses unique challenges.
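To make the single-tone idea concrete, here is an added baseband model written for this page (not the speakers' code, which works at RF against real receivers): the localizer envelope with its 90 Hz and 150 Hz tones, the difference-in-depth-of-modulation (DDM) measurement a receiver performs, and a spoofer that contributes only a 150 Hz tone at a fraction of the legitimate signal's amplitude. The localizer parameters are the textbook values (20% depth per tone, full-scale needle at 0.155 DDM) and are assumed here rather than taken from the talk; treating the two envelopes as simply adding (co-frequency, co-phase carriers at the receiver) is a deliberate simplification.

```python
import math

# Localizer parameters (standard values, assumed for this model). The 90 Hz tone predominates
# left of the approach course and 150 Hz to the right; equal depths mean "on course".
F90, F150 = 90.0, 150.0
NOMINAL_DEPTH = 0.20
FULL_SCALE_DDM = 0.155
FS = 3000            # samples per second; both tones complete whole cycles in one second

def envelope(depth90, depth150, amplitude=1.0, seconds=1):
    """Envelope of an AM carrier carrying the two tones, one second per `seconds`."""
    n = FS * seconds
    return [amplitude * (1.0
                         + depth90 * math.cos(2 * math.pi * F90 * i / FS)
                         + depth150 * math.cos(2 * math.pi * F150 * i / FS))
            for i in range(n)]

def tone_depth(env, freq):
    """Modulation depth of one tone: single-bin DFT magnitude normalised by the DC level."""
    n = len(env)
    re = sum(e * math.cos(2 * math.pi * freq * i / FS) for i, e in enumerate(env))
    im = sum(e * math.sin(2 * math.pi * freq * i / FS) for i, e in enumerate(env))
    return (2.0 / n) * math.hypot(re, im) / (sum(env) / n)

def ddm(env):
    """Difference in depth of modulation; in this model positive means 90 Hz dominates."""
    return tone_depth(env, F90) - tone_depth(env, F150)

def cdi_deflection(d):
    """Needle position as a fraction of full scale, clipped. Negative: 150 Hz dominates,
    the receiver believes it is right of course and commands 'fly left'."""
    return max(-1.0, min(1.0, d / FULL_SCALE_DDM))

def single_tone_spoof(rel_amplitude, depth):
    """Attacker's contribution: a carrier at `rel_amplitude` of the legitimate one,
    modulated only by the 150 Hz tone. Simplification: envelopes add at the receiver."""
    return envelope(0.0, depth, amplitude=rel_amplitude)

def received(legit, spoof):
    return [a + b for a, b in zip(legit, spoof)]

def demo(rel_amplitude=0.1, depth=0.9):
    """CDI deflection on course, then with the spoofer present."""
    on_course = envelope(NOMINAL_DEPTH, NOMINAL_DEPTH)
    spoofed = received(on_course, single_tone_spoof(rel_amplitude, depth))
    return cdi_deflection(ddm(on_course)), cdi_deflection(ddm(spoofed))

if __name__ == "__main__":
    before, after = demo()
    print(f"CDI on course: {before:+.3f}; with a 150 Hz tone at 10% amplitude: {after:+.3f} of full scale")
```

Because the needle is driven by the ratio between two tones and not by the absolute signal level, a spoofer only has to skew that ratio: in the model a single tone at one tenth of the legitimate amplitude already moves the needle about half scale, which is why no absolute-power threshold or receiver-side cryptography on the existing waveform helps.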

About the Speaker

Harshad is a Ph.D. student at Northeastern University’s Khoury College of Computer Sciences. He is a cybersecurity enthusiast with research interests around wireless systems security, specifically sophisticated navigation systems that are available today. He is also involved in developing secure cyber-physical systems with Prof. Aanjhan Ranganathan and Prof. Guevara Noubir as his advisors.



 

DC - Paris - Track 4 - Sunday - 10:00-10:45


Your Secret Files Are Mine: Bug Finding And Exploit Techniques On File Transfer App Of All Top Android Vendors

Sunday at 10:00 in Track 4
45 minutes | Demo, Tool, Exploit

Xiangqian Zhang

Huiming Liu

Nearby sharing apps are very convenient and fast when you want to transfer files and have been pre-installed on billions of devices. However, we found that most of them will also open a door for attackers to steal your files and even more.

First, we did comprehensive research on all top mobile vendors' pre-installed nearby sharing apps by reverse engineering. Many serious vulnerabilities were found in most of them and reported to the vendors. Algorithm and design flaws in these apps can lead to file leaking and tampering, privacy leaks, arbitrary file downloads and even remote code execution. We will present all the related vulnerabilities' details and exploit techniques. Next, we conducted the same research on lots of third-party file sharing apps and found that they are even worse in terms of security and are used by, surprisingly, more than 1 billion users. Files transferred between them are nearly naked when our MITM attack devices are nearby. Finally, we will summarize all the attack vectors and two common attack models. We will also present the attack demos and related tools.

We will also present our practical mitigations. Currently, we are working with most of the top vendors to mitigate these vulnerabilities. Through this talk, we want to make users and mobile vendors pay more attention to this serious situation and fix it better and sooner.

Xiangqian Zhang
Xiangqian Zhang is a security researcher at Tencent Security Xuanwu Lab and his research focuses on mobile security and IoT security. Xiangqian has found multiple Android kernel and system security vulnerabilities.

Twitter: @h3rb0x

Huiming Liu
Huiming Liu is a security researcher at Tencent Security Xuanwu Lab and his research focuses on mobile security and IoT security. Huiming has spoken at several security conferences including CanSecWest and Black Hat Asia.

Twitter: @liuhm09



 

DL - Planet Hollywood - Sunset 2 - Sunday - 10:00 - 11:50


Zigbee Hacking: Smarter Home Invasion with ZigDiggity

Sunday from 10:00 – 11:50 in Sunset 2 at Planet Hollywood
Audience: Offense, Hardware, Product, IoT, Zigbee, Zigbee Hacking

Francis Brown & Matt Gleason

Do you feel safe in your home with the security system armed? You may reconsider after watching a demo of our new hacking toolkit, ZigDiggity, where we target door and window sensors using an "ACK Attack". ZigDiggity will emerge as the weapon of choice for testing Zigbee-enabled systems, replacing all previous efforts. Zigbee continues to grow in popularity as a method for providing simple wireless communication between devices (i.e., low power/traffic, short distance), and can be found in a variety of consumer products that range from smart home automation to healthcare. Unfortunately, existing Zigbee hacking solutions have fallen into disrepair, having barely been maintained, let alone improved upon. Left without a practical way to evaluate the security of Zigbee networks, we've created ZigDiggity, a new open-source pentest arsenal from Bishop Fox. Updates include migration to better hardware for testing (e.g., SDRs), and a slew of newly implemented Zigbee attack types. Our DEMO-rich presentation showcases ZigDiggity's attack capabilities by pitting it against common Internet of Things (IoT) products that use Zigbee. Come experience the future of Zigbee hacking, in a talk that the New York Times will be hailing as "a veritable triumph of the human spirit." ... ya know, probably

https://github.com/BishopFox/zigdiggity
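The page names an "ACK Attack" but does not describe it, so the following is limited to the format involved: an added example, written for this page and not taken from ZigDiggity, of the IEEE 802.15.4 MAC acknowledgement frame that any Zigbee ACK-spoofing tool has to produce and that any receiver has to validate, with the standard FCS. The sample data frame is constructed, not a capture, and the field values in it are assumptions.

```python
import struct

def crc16_itut(data: bytes) -> int:
    """802.15.4 FCS: CRC-16 over x^16+x^12+x^5+1, bit-reflected, init 0, no final XOR
    (the variant catalogued as CRC-16/KERMIT; check value for b"123456789" is 0x2189)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

FRAME_TYPE_DATA, FRAME_TYPE_ACK = 0x1, 0x2
FCF_FRAME_PENDING, FCF_ACK_REQUEST = 1 << 4, 1 << 5

def with_fcs(mpdu_without_fcs: bytes) -> bytes:
    """Append the little-endian FCS."""
    return mpdu_without_fcs + struct.pack("<H", crc16_itut(mpdu_without_fcs))

def build_ack(seq: int, frame_pending: bool = False) -> bytes:
    """ACK MPDU: 2-byte frame control (little-endian), sequence number, FCS. It carries no
    addresses: the only thing tying an ACK to a data frame is the sequence number, which
    is transmitted in clear and therefore visible to anyone sniffing the channel."""
    fcf = FRAME_TYPE_ACK | (FCF_FRAME_PENDING if frame_pending else 0)
    return with_fcs(struct.pack("<HB", fcf, seq & 0xFF))

def parse_mac_header(frame: bytes) -> dict:
    """Frame type, ack-request bit and sequence number, plus whether the FCS checks out."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    (fcs,) = struct.unpack_from("<H", frame, len(frame) - 2)
    return {
        "frame_type": fcf & 0x7,
        "ack_request": bool(fcf & FCF_ACK_REQUEST),
        "seq": seq,
        "fcs_ok": crc16_itut(frame[:-2]) == fcs,
    }

def ack_for(frame: bytes):
    """The ACK a conformant receiver would send for `frame`, or None if none is due
    (bad FCS or the sender did not ask for one)."""
    hdr = parse_mac_header(frame)
    if not hdr["fcs_ok"] or not hdr["ack_request"]:
        return None
    return build_ack(hdr["seq"])

# Constructed sample: a data frame with ack request and PAN ID compression set and 16-bit
# destination/source addresses (frame control 0x8861), seq 0x2a, PAN 0x1234,
# destination 0x0000 (coordinator), source 0x5678, and a few placeholder payload bytes.
SAMPLE_DATA_FRAME = with_fcs(
    struct.pack("<HBHHH", 0x8861, 0x2a, 0x1234, 0x0000, 0x5678) + b"\x48\x02\x00\x00")

if __name__ == "__main__":
    print(parse_mac_header(SAMPLE_DATA_FRAME))
    print(ack_for(SAMPLE_DATA_FRAME).hex())
```

Everything a sensor uses to decide that its report was delivered fits in these five bytes, and nothing in them is authenticated at the MAC layer; that is the property any test of Zigbee acknowledgement handling, including the one the talk demonstrates, is exercising.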

Francis Brown
Francis Brown is the Chief Technology Officer (CTO) at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 1000, global financial institutions, and high-tech startups. Before founding Bishop Fox, Francis worked for Honeywell International, where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with Ernst & Young. Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.

Matt Gleason
Matthew Gleason is a Senior Security Associate at Bishop Fox, where he focuses on application security penetration testing, source code review, and network penetration testing. Prior to joining Bishop Fox, Matthew worked as a software engineer for Boeing, where his work involved validation testing for the AH-64E attack helicopter. Matthew holds a Master of Science from Arizona State University in Computer Science. He also has earned a Bachelor of Science in Economics and a Bachelor of Science in Mathematics from Arizona State University.

