The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum

Sunday at 14:00 in Track 3
45 minutes | Demo, Tool

Bernhard Mueller ConsenSys Diligence

Daniel Luca

Ethereum smart contracts are Turing-complete programs that mediate transfers of money. It doesn't come as a surprise that all hell is breaking loose on the Ethereum blockchain.

In this talk, we'll introduce Karl, an Ethereum blockchain monitor, and Scrooge McEtherface, an auto-exploitation bot that extracts Ether from vulnerable smart contracts. Scrooge uses symbolic execution to detect vulnerable states that live up to three transactions deep and constructs exploit payloads using the Z3 constraint solver.

We'll also examine the game-theoretic consequences of Scrooge's existence. What if multiple bots compete for exploiting the same contracts? How about honeypots that counter-exploit bots? Is it possible to cheat those honeypots? When all is said and done, who is going to end up stealing money from whom?

During the talk, we'll show many examples for vulnerable contracts, honeypots, and counter-honeypots, explain the role of transaction ordering and frontrunning, and launch a little challenge for the audience.

Bernhard Mueller
Bernhard Mueller is an OG security engineer and researcher with experience in a variety of fields including Internet protocols, web apps, operating systems, server software and blockchain technology. His work in mobile and blockchain security has earned him two "Best Research" Pwnie Award nominations (and one win). In the Ethereum community he is known for creating the Mythril symbolic analyzer.

Twitter: @muellerberndt
LinkedIn: https://www.linkedin.com/in/bernhardm/

Daniel Luca
Daniel is a self-taught developer with experience in multiple programming languages. Having a hacker mindset he always tests the limits of software or hardware he interacts with. He likes to experiment with new technologies, always trying to develop his available toolchain. When he isn't glued to a computer screen, he likes to snowboard, read and meditate. He currently does security audits and builds tools for ConsenSys Diligence and the Ethereum ecosystem.

Twitter: @cleanunicorn
LinkedIn: https://www.linkedin.com/in/luca-daniel-5227267/

Defending environments and hunting malware with osquery

Friday, 1430-1830 in Flamingo, Red Rock VII

Guillaume Ross Hacker
Julian Wayte Security Professional

In this workshop, you will learn how to defend Linux and Windows environments with osquery, using techniques that could easily be adapted to Mac and containerized environments. Then, we will look at how we can leverage osquery to hunt for malware and attackers, as well as how we could use osquery in a controlled environment to do some basic malware analysis.

We will cover osquery deployment scenarios and configurations as well as ways we can implement it to improve the security of servers and workstations.

Specifically, we will use osquery to monitor specific security configurations, detect lateral movement, detect malware, and even see how we can use it in lab environments to analyze malware.

If you have never used osquery before, this workshop will get you started. If you have used osquery before, this workshop will help you get the most out of it, by allowing you to develop queries and an understanding of the schema and how it can be applied to protect environments and detect attacks.

The topics covered will include:

* Setup, configuration and flags
* Logging results
* Building simple to complex queries
* Monitoring for lateral movement
* Tracking important security configurations on Windows and Linux
* Detecting malware
* Performing basic malware analysis on a VM with osquery

Skill Level Beginner

Prerequisites: Basic understanding of Linux and Windows. Mac and Docker optional. No knowledge of osquery itself is needed.

Materials: A computer with a SSH and RDP client. Linux and Windows systems in the cloud will be provided. Local Linux and Windows VMs are welcome as well, but not necessary.

Max students: 60

Registration: https://www.eventbrite.com/e/defending-environments-and-hunting-malware-with-osquery-red-rock-vii-tickets-63606251009
(Opens 8-Jul-19)

Guillaume Ross
Guillaume has worked as a security engineer and consultant, as a manager of blue teams, and way before that, as an enterprise IT person focused on endpoints. Guillaume is currently the Principal Security Researcher at Uptycs, finding new ways to defend systems using the power of osquery. He is also a trainer for Pluralsight, producing training content around topics such as network security monitoring.

Having worked for startups as well as Fortune50 companies, he knows how to build a security program, but having had to do the work, he also dislikes doing meaningless "best practices" work that has no practical value, and really enjoys leveraging the great open source software available to all of us.

Guillaume has spoken and given workshops at various conferences like BSidesLV, Thotcon and Northsec on many topics, including mobile security, endpoint security, logging and monitoring and much more.

Julian Wayte
Julian Wayte is a security professional with 20 years’ experience in IT data and security solutions. Julian graduated from the University of Western Australia with degrees in Mechanical Engineering and Computer Science. Hi early work was in Data Warehousing and CRM before helping to develop the NORA (Non Obvious Relationship Awareness) technology at SRD, which was later acquired by IBM. During his time at IBM, Julian worked with the Guardium Data Activity Monitoring and Data Encryption security products before becoming hooked on osquery and moving to Uptycs in 2019.

Don't Red-Team AI Like a Chump

Friday at 11:00 in Track 1
45 minutes | Demo, Tool

Ariel Herbert-Voss PhD student, Harvard University

AI needs no introduction as one of the most overhyped technical fields in the last decade. The subsequent hysteria around building AI-based systems has also made them a tasty target for folks looking to cause major mischief. However, most of the popular proposed attacks specifically targeting AI systems focus on the algorithm rather than the system in which the algorithm is deployed. We’ll begin by talking about why this threat model doesn’t hold up in realistic scenarios, using facial detection and self-driving cars as primary examples. We will also learn how to more effectively red-team AI systems by considering the data processing pipeline as the primary target.

Ariel Herbert-Voss
Ariel Herbert-Voss is a PhD student at Harvard University, where she specializes in adversarial machine learning, cybersecurity, mathematical optimization, and dumb internet memes. She is an affiliate researcher at the MIT Media Lab and at the Vector Institute for Artificial Intelligence. She is a co-founder and co-organizer of the DEF CON AI Village, and loves all things to do with malicious uses and abuses of AI.

Twitter: @adversariel

Duplicating Restricted Mechanical Keys

Friday at 10:00 in Track 4
45 minutes | Exploit

Bill Graydon President and Principal, Physical Security Analytics

Robert Graydon Principal, GGR Security

Secure facilities in North America use lock systems like Medeco, Abloy, Assa and Mul-T-Lock partly to resist lock picking, but also to prevent the duplication and creation of unauthorised keys. Places such as the White House and the Canadian Parliament buildings go so far as to use a key profile exclusive to that facility to ensure that no-one is able to obtain key blanks on which to make a copy. However, there are tens of thousands of unrestricted key blank profiles in existence - many match very closely to these restricted key blanks, and can be used instead of the real blanks to cut keys on. Moreover, keys are just pieces of metal - we will present numerous practical techniques to create restricted keys without authorisation - including new attacks on Medeco, Mul-T-Lock and Abloy key control systems. We will touch on all aspects of key control, including patents and interactive elements, and discuss how to defeat them and how facility managers can fight back against these attacks.

Bill Graydon
Bill Graydon is a principal at GGR Security Consultants, and is active in research in electronic surveillance and alarm systems, human psychology in a secure environment and locking systems analysis. He received a Masters in computer engineering and a certificate in forensic engineering from the University of Toronto, applying this at GGR to develop rigorous computational frameworks to model and improve security in the physical world.

Website: https://ggrsecurity.com/DEFCON

Robert Graydon
Robert is a principal at GGR security. With a strong interest driving him forward, he is researching lock manipulation, picking, bypass, and other vulnerabilities, to discover and evaluate possible flaws or methods of attack. He has well-honed skills such as lock picking, decoding, locksmithing, as well as a thorough understanding of the mechanics and function of many types of high security locks, and electronic security systems and components, allowing him to effectively search for and test methods of cracking high security systems.

EAPHammer

Friday from 12:00 – 13:50 in Sunset 1 at Planet Hollywood
Audience: Offensive security professionals, security analysts and network administrators, executive leadership, end-users

Gabriel Ryan

EAPHammer is a toolkit for performing targeted rogue access point attacks against enterprise wireless infrastructure. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus has been placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration.

This summer will mark the third anniversary of EAPHammer since it was released at DEF CON Demo Labs and BlackHat Arsenal in 2017. It's also the most exciting and complete version of the tool yet, with the addition of a number of features that were requested directly by users at Demo Labs in 2018.

EAPHammer now supports most of the bleeding edge attacks that have been discovered by the wireless community over the past few years, including:

- WPA3 Transition Mode and Security Group Downgrade Attacks
- Reflection and Invalid Curve attacks against EAP-pwd
- GTC-Downgrade, Fixed Challenge, and EAP Relay attacks against WPA/2-EAP
- PMKID attacks against WPA/2-PSK networks
- Known Beacons Attack and Legacy SSL Support
- External Certificate Handling and Import

Perhaps most excitingly, we've also included some never-before-seen attacks against Opportunistic Wireless Encryption (OWE), which is better known as "Enhanced Open".

https://github.com/s0lst1ce/eaphammer

Gabriel Ryan
Gabriel Ryan is an offensive security R&D and consultant at SpecterOps. He is the author of EAPHammer, a toolkit for performing targeted rogue access point attacks against enterprise wireless networks. Gabriel has presented at DEF CON, DerbyCon, Hackfest, and several Security BSides conferences on topics ranging from infrastructure security to access control protocols and red team tradecraft. His professional interests include wireless security, systems internals, low-level programming, and infrastructure automation.

Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime

Friday at 11:00 in Track 4
45 minutes | Demo, Exploit

Jeff Dileo Research Director, NCC Group

eBPF (or "extended" Berkeley Packet Filter) is a bytecode instruction set and virtual machine used as a safe computing environment within the Linux kernel to perform arbitrary programmatic actions. It is a redesign of Linux's original in-kernel BPF bytecode VM used to power features like tcpdump filters. eBPF has an entirely different set of capabilities and instructions, with its primary goal being to serve as a JIT-able virtual machine instruction set that can be targeted by compilers of a memory-safe "restricted C" language. In the Linux kernel, it is actively being applied to anything and everything to provide performant programmatic capabilities to userland that extend traditionally kernel-based functionality.

In this exploit development focused talk, we will first introduce eBPF and discuss several nefarious techniques enabled by the technology. As we do so, we will cover the respective sets of APIs, file descriptor types, and other eBPF machinery that enable such techniques, building up from various forms of hidden IPC channels to full-fledged rootkits. Within this talk, we will walk through the implementations of the techniques we discuss so that attendees will walk away with the knowledge of how to implement their own variants. Along the way we will discuss novel container breakout techniques and interesting "dual-purpose" eBPF features that enable the development of mutative syscall hooks that work for processes that work for processes already attached by a debugger. Finally, we will provide insight on how defenders should begin to attempt to detect and recover from such abuses, when possible at all.

This presentation significantly extends on work we first presented at 35C3, which focused more heavily on the underlying aspects of general eBPF-based kernel tracing. In contrast, this talk will demo new techniques and include substantially improved versions of techniques presented previously as proofs-of-concept.

Jeff Dileo
Jeff Dileo (chaosdata) is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He likes candy and arguing about text editors and window managers he doesn't actually use.

Twitter: @chaosdatumz

Evil Mainframe Jr: Mainframe hacking from recon to privesc

Friday, 1000-1400 in Flamingo, Red Rock I

Soldier of Fortran Hacker

Big Endian Smalls Director of North American Operations for RSM Partners

Mainframes power every industry you care about. Yet hackers have no idea how to even begin approaching this these big iron beasts. Where do you even start? VTAM? CICS? TSO? This workshop aims to give you the tools and language you can use to hack a mainframe. Starting with reconnaissance and ending with privilege escalation this workshop will walk you through all the tools and techniques you can use to hack a mainframe in 2019. Students will be introduced to the platform by being allowed to explore the operating system and allowing students to understand the weaknesses within. Students will also get introduced to open source tools and libraries available for all the steps of a penetration test including Nmap, metasploit, python scripts, REXX scripts and even HLASM. The majority of the workshop will be spent performing instructor led hands on mainframe testing with the tools available. Goals for each segment will be laid out with appropriate time afforded to students to allow them the ability to gain a deep understanding of how a test could and should be performed. Exercises will be based on real world attack scenarios developed by the trainers. This training specifically focuses on z/OS.

Skill Level Intermediate

Prerequisites: Background in penetration testing/red team and knowledge of tools like nmap, metasploit and scripting languages like Python/Ruby

Materials: Laptop capable of running a VM, power for their laptop.

Max students: 24

Registration: https://www.eventbrite.com/e/evil-mainframe-jr-mainframe-hacking-from-recon-to-privesc-red-rock-i-tickets-63439560433
(Opens 8-Jul-19)

Soldier of Fortran
Philip Young, aka Soldier of FORTRAN, is a leading expert in all things mainframe hacking. Having spoken and taught at conferences around the world, including DEFCON, RSA, BlackHat and keynoting at both SHARE and GSE Europe, he has established himself as the thought leader in mainframe penetration testing. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to multiple opensource projects including Nmap, allowing those with little mainframe capabilities the chance to test their mainframes. His hope is that through raising awareness about mainframe security more organizations will take their risk profile seriously.

Big Endian Smalls
Chad Rikansrud, aka Big Endian Smalls, is the Director of North American Operations for RSM Partners - a world leader in IBM mainframe security consulting services. Chad is a nationally recognized security industry speaker, with appearances at: DEF CON, RSA2017, SHARE, and other regional conferences. Most of Chad's 20-year career has been in technology leadership for the financial services industry where he has held various senior leadership positions, including worldwide datacenter operations, infrastructure and recovery responsibility, as well as enterprise-wide system z storage

EXPLIoT - IoT Security Testing and Exploitation Framework

Friday from 14:00 – 15:50 in Sunset 3 at Planet Hollywood
Audience: Offense, Hardware, IoT, Pentesters

Aseem Jakhar & Murtuja Bharmal

EXPLIoT is a framework for security testing and exploiting IoT products and IoT infrastructure. Source code and documentation - https://gitlab.com/expliot_framework/expliot It provides a set of plugins (test cases) which are used to perform the assessment and can be extended easily with new ones. The name EXPLIoT (pronounced expl-aa-yo-tee) is a pun on the word exploit and explains the purpose of the framework i.e. IoT exploitation. It can be used as a standalone tool for IoT security testing and more interestingly, it provides building blocks for writing new plugins/exploits and other IoT security assessment test cases with ease. EXPLIoT supports most IoT communication protocols, hardware interfacing functionality and test cases that can be used from within the framework to quickly map and exploit an IoT product or IoT Infrastructure. It will help the security community in writing quick IoT test cases and exploits. Currently, the framework has support for analyzing and exploiting various IoT, radio and hardware protocols including BLE, CAN, DICOM, MQTT, Modbus, I2C, SPI, UART We have released a comprehensive documentation including User and Developer guide to help the security community kick start quickly and easily with the framework.

https://gitlab.com/expliot_framework/expliot

Aseem Jakhar
Aseem Jakhar is the Director, research at Payatu Software Labs https://payatu.com a security testing company specialized in IoT, Embedded, cloud, mobile security. He is the founder of null-The open security community, a registered not-for-profit organization https://null.co.in and also organizes https://nullcon.net and https://hardwear.io security conferences. He has worked on various security software including UTM appliances, messaging/security appliances, anti-spam engine, anti-virus software, bayesian engine to name a few. He currently spends his time researching on IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, Brucon, Defcon, Hack.lu, Hack in Paris, Hack In The Box, PHDays and many more. He has authored various open source security software including:

- EXPLIoT - IoT Exploitation Framework
- DIVA (Damn Insecure and Vulnerable App) for Android
- Jugaad/Indroid - Linux Thread injection kit for x86 and ARM
- Dexfuzzer - Dex file format fuzzer

Murtuja Bharmal
Murtuja Bharmal is an application and network security enthusiast, having 15+ years of industry experience on the offensive as well as the defensive side of security. He is the Co-Founder and Director at Payatu Software Labs, a security testing company specialized in IoT, Embedded, cloud, mobile security. He is also the Founder of null (The Open Security Community) - http://null.co.in, nullcon (International security conference) - http://nullcon.net and hardwear.io security conference - http://hardwear.io. He has worked extensively on network and web application security assessment and served various financial organizations in India, Middle East, South East Asia, and Europe in a personal and professional capacity. He is X-IBMer and has worked on IBM-ISS (Internet Security System) product as Senior System Engineer. He started his career as a security product developer and developed a UTM (Unified Threat Management) product with features such as Firewall, IPS, VPN, and Application Proxies.

Exploit Development for Beginners

Friday, 1000-1400 in Flamingo, Red Rock VII

Sam Bowne Proprietor, Bowne Consulting

Elizabeth Biddlecome Senior Researcher, Bowne Consulting

Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits incuding buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.

After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.

We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and learn how to defeat them, including ASLR, DEP, stack cookies, and SEHOP.

Previous experience with C and assembly language is helpful but not required. Participants will need a laptop that can run VMware or VirtualBox virtual machines.

All materials and challenges are freely available at samsclass.info, and will remain available after the workshop ends.

Skill Level Intermediate

Prerequisites: Familiarity with C programming and assembly language is helpful, but not essential.

Materials: A laptop capable of running a virtual machine in VMware or VirtualBox.

Max students: 70

Registration: https://www.eventbrite.com/e/exploit-development-for-beginners-red-rock-vii-tickets-63608704347
(Opens 8-Jul-19)

Sam Bowne
Sam Bowne is the proprietor of Bowne Consulting and an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner.

Elizabeth Biddlecome
Elizabeth Biddlecome is a senior researcher at Bowne Consulting, an independent consultant, and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Finding Vulnerabilities at Ecosystem-Scale

Friday, 1000-1400 in Flamingo, Red Rock IV

Isaac Evans Hacker

r2c is writing and helping others write tools to exploit and eradicate entire vulnerability classes at scale. In this workshop, we'll show how to develop program analysis tools that can be depended on in analysis pipelines and quickly run at massive scale. If you've ever wondered "but surely, no programmer would upload something that does that do NPM" this is the place to be! Our command line tool for local analyzer development is freely available and publicly documented—we'll show you how to get started and invite you to collaborate with us on to build pipelines that use pre-computed intermediary representations that we already have. We'll also show how to use our collaborative triage tools with impact prioritization that can quickly allow turning these analysis results into bug-bounty submissions. No program (static/dynamic) analysis background required (though it is helpful!) Motivated developers should be able to make at least one bug bounty submission by the end of the workshop.

Skill Level Intermediate

Prerequisites: Basic programming knowledge (what is a function call?), able to run docker hello-world as user, able to write and run small programs, very comfortable with command line interfaces

Materials: Laptop with network access, OSX or Linux available (Windows ok with WSL installed)

Max students: 80

Registration: https://www.eventbrite.com/e/finding-vulnerabilities-at-ecosystem-scale-red-rock-iv-tickets-63608247982
(Opens 8-Jul-19)

Isaac Evans
Isaac Evans is the leader of a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under a SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.

Flatline

Friday from 12:00 – 13:50 in Sunset 4 at Planet Hollywood
Audience: Hardware and OpSec.

East

Flatline is a deterministic hardware credential manager. It can generate passwords, burner accounts, shortlinks, and BIP39 seeds. Based on a single mnemonic seed, with Flatline it is possible to store millions of dollars in cryptocurrency, and shortlinks that map to sensitive or stolen data. Store a criminal empire in your head, maintain a map of leaked documents that are hosted on the internet while storing nothing on your local disk, or maintain access to your assets when your house burns down and you have to flee to eastern Europe.

https://gitlab.com/e4st/flatline

East
East is a professional megalomaniac and dedicated troll. He lives in an underground bunker on an island in the south Pacific, where he spends his days eating Doritos, playing Counter Strike, and plotting world domination. When he is not busy destabilizing foreign governments, his hobbies include trolling phone scammers, hang gliding, and golf.

Hachi: An Intelligent threat mapper

Friday from 10:00 – 11:50 in Sunset 5 at Planet Hollywood
Audience: Defense, Malware, Threat Intelligence

Parmanand Mishra

ATT&CK framework has become a benchmark in the security domain. ATT&CK provides data about each technique used across different attack stages. Hachi was created to contribute to the ATT&CK community. Hachi is based on the radare2 framework and uses data provided by ATT&CK to map the symptoms of malware on ATT&CK matrix.

Following modules of Hachi make this tool a great addition to an analyst’s or company’s armaments:

• Threat Intel: Hachi provides threat intelligence data like a possible parent campaign or author of a malware file.
• Malware behavior: It uncovers core malware behaviors using automated static analysis coupled with symbolic execution to explore multiple execution paths and maps it on ATT&CK matrix.
• RESTful API: Hachi provides RESTful API which enables this tool to seamlessly integration with malware processing frameworks.
• Visualization: It allows for the creation of detailed visual reports.
• Integration with Threat Intel feeds: It can be integrated with different threat intelligence feeds for enhanced security or expanded insights.

The primary aim of this tool is to act as a force multiplier for the InfoSec community and aid the analysis of malware.

https://github.com/Kart1keya/Hachi

Parmanand Mishra
Parmanand Mishra is a security enthusiast who is currently working as Senior Malware Researcher at Qualys Inc. He works on malware analysis and adversary simulation based on ATT&CK and loves creating tools on the same. He has spoken at security conferences like c0c0n and goes by Kart1keya on GitHub.

Hacking Congress: The Enemy Of My Enemy Is My Friend

Friday at 10:00 in Track 2
45 minutes

Former Rep. Jane Harman President, The Wilson Center, Former Rep. (D-CA), aka Surfer Jane

Rep. James Langevin (D-RI)

Jen Ellis Director of Public Affairs, Rapid 7

Cris Thomas Director, X-Force Red Team, IBM, aka Space Rogue

Rep. Ted Lieu (D-CA)

A SIMULATED crisis is unfolding on a national scale, based loosely on the NotPetya attack of 2017. Triggered by a yet-unknown adversary, what started as a an isolated technical issue has quickly escalated into a society-wide event affecting millions of citizens, several industries, and spanning government jurisdictions. Who is in charge, how do they cooperate with others, and how do they make decisions? The Wilson Center, Hewlett Foundation and I Am The Calvary are teaming up to bring public policymakers together with security researchers and others to discover how our nation might respond to a wide-scale “cyber crisis”. Work in tandem with sitting Members of Congress to understand what levers of power Congress yields and how Members can address policy gaps in the future.

Former Rep. Jane Harman
The Hon. Jane Harman is President of the Wilson Center, a think tank in Washington, DC. She is a former nine-term Member of Congress who served on all the major security committees and represented an aerospace and technology hub in Southern California.

Twitter: @thewilsoncenter
Website: https://www.wilsoncenter.org/person/jane-harman

Rep. James Langevin
The Hon. Jim Langevin represents Rhode Island's 2nd Congressional district. He is Chairman of the Emerging Threats and Capabilities Subcommittee and a senior member of the Cybersecurity and Infrastructure Protection Subcommittee. Rep. Langevin is a member of the House Majority Whip Steny Hoyer's Senior Whip Team, and is responsible for educating other Democratic Members on key issues.

Twitter: @jimlangevin
Website: https://langevin.house.gov/about-me/full-biography

Jen Ellis
Jen Ellis is the Vice Preident of Community and Public Affairs at Rapid7. She works directly with security researchers, technology providers and operators, and government entities to help them understand and address cybersecurity challenges together.

Twitter: @infosecjen
Website: https://blog.rapid7.com/author/jen-ellis/

Cris Thomas
Cris Thomas works for IBM X-Force Red, and before that worked at Guardent, Trustwave, Tenable and others. Cris created the first security research think tank L0pht Heavy Industries and the video news show The Hacker News Network.

Twitter: @spacerog
Website: https://securityintelligence.com/author/cris-thomas/

Hacking ICS: From Open Source Tools to Custom Scripts

Friday, 1000-1400 in Flamingo, Red Rock V

Valerie Thomas Technical Lead, Securicon

Harry Regan Technical Lead, Securicon

Harry Thomas Technical Lead, Securicon

Recently, Industrial Control System (ICS) attacks have gained popularity in the media. However there are many misconceptions on what exactly ICS systems are and how they function. Although there are similarities to IT systems, there are a multitude of differences that an attacker needs to understand in order to properly assess this type of equipment. In this course, students will be introduced to what ICS is and isn't in terms of technology and functionality. Protocols such as Ethernet/IP, Modbus, and DNP3 will be discussed and illustrated in order for students to have a foundation to build their arsenal. Students will then explore openly available open source tools and examine the functionality of the protocols. After dissection of protocol commands and activities, the students will be led to create their own custom scripts that interact with ICS devices in the classroom.

Skill Level Beginner

Prerequisites: An understanding of basic networking concepts.

Materials: For those who want to participate in the hands-on portion of the workshop, a laptop with Kali Linux installed on the host or as a virtual machine.

Max students: 50

Registration: https://www.eventbrite.com/e/hacking-ics-from-open-source-tools-to-custom-scripts-red-rock-v-tickets-63608296126
(Opens 8-Jul-19)

Valerie Thomas
Valerie Thomas is the Technical Director and utilizes her Electrical Engineering education and security consulting background to incorporate a variety of evaluation techniques specific to ICS.

Harry Regan
Harry Regan serves as the Vice President of Consulting Services and has over 40 years of experience in IT and ICS security environments.

Harry Thomas
Harry Thomas is the Lead ICS Security Consultant and performs risk, vulnerability, and penetration tests and assessments for a multitude of ICS organizations. He's developed countless IT and ICS indicators of compromise to help protect the ICS industries against threats. He utilized both offensive and defensive skills to create, design, and implement safe ICS security practices.

HackPac: Hacking Pointer Authentication in iOS User Space

Friday at 13:00 in Track 1
45 minutes | Demo, Tool, Exploit

Xiaolong Bai

Min (Spark) Zheng

Pointer Authentication (in short, PAuth) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted encryption, thus eliminating the threats of code-reuse attacks. In PAuth, a cryptographic signature called PAC is calculated from a pointer value and inserted into the pointer. When the pointer is about to be used, the PAC is extracted and verified whether it is consistent with the original pointer value. In this way, PAuth is able to ensure that the pointers are not tampered. iOS deployed PAuth in user-space system services, protecting pointers that may affect the control flow and preventing code-reuse attacks like ROP and JOP.

However, in our study, we found that a fatal flaw in the implementation of iOS PAuth makes user-space system services till vulnerable to code-reuse attacks. The flaw is: iOS uses the same signing key in different user-space processes. This flaw allows a signed pointer from a malicious process can be correctly verified in a system service, thus making it possible to launch JOP. In this talk, we will explain how we found the flaw and why it is inevitable. In advance, we will demonstrate how to leverage this flaw and launch JOP attacks in a PAuth-protected system service. Also, we will propose a new tool, PAC-gadget, to automatically find JOP gadgets in PAuth-protected binaries.

Xiaolong Bai
Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. degree in Tsinghua University. He has published several research papers on top conferences including IEEE S&P, Usenix Security, CCS, NDSS, and presented his research in Black Hat, DEF CON, HITB, CanSecWest, etc. He has been acknowledged by famous vendors, including Apple, Google, Facebook, Evernote, and Tencent for his contribution in discovering the vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development.

Twitter: @bxl1989
Website: https://xiaolongbai.weebly.com/
Github: https://github.com/bxl1989/

Min (Spark) Zheng
Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. degree in the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, system design and implementation. Before receiving Alibaba A-Star offer award in 2015, he worked in FireEye, Baidu and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the “best security researcher” award in FIT 2016 for detecting the iOS/macOS vulnerabilities, XcodeGhost virus and WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He presented his research in DEF CON, HITB, BlackHat, RUXCON, etc.

Twitter: @SparkZheng

Hands on Adversarial Machine Learning

Friday, 1000-1400 in Flamingo, Red Rock VI

Yacin Nadji Engineer, Security Scorecard

Machine learning has become commonplace in software engineering and will continue to grow in importance. Currently, most work focuses on improving classifier accuracy. However, as more and more models interact with the real world, practitioners must consider how resilient their models are against adversarial manipulation. Successful attacks can have serious implications, like crashing a car, misclassifying malicious code, or enabling fraud.

In this workshop, you will learn how to think like an adversary so that you can build more resilient machine learning systems. You'll discover how to use free and open source tools to construct attacks against and defenses for machine learning models, as well as how to holistically identify potential points of attack an adversary could exploit. You'll leave able to critically examine a machine learning system for weaknesses, mount attacks to surface problems, and implement and evaluate practical defenses.

Skill Level Intermediate

Prerequisites: Familiarity with Python (or similar programming language) and basic Machine Learning. For the latter, students that have preprocessed data and trained & evaluated a model will be in good shape to tackle the material.

Materials: Laptop capable of running Docker or Jupyter notebooks.

Max students: 70

Registration: https://www.eventbrite.com/e/hands-on-adversarial-machine-learning-red-rock-vi-tickets-63608585993
(Opens 8-Jul-19)

Yacin Nadji
Yacin Nadji is an engineer at Security Scorecard where he applies machine learning to identify companies' infrastructure and understand their security risk. He received his Ph.D. from the School of Computer Science at Georgia Institute of Technology with a focus in Computer Security. He has published 20 academic papers with hundreds of citations, many focused on applying ML to solve security problems.

Harnessing Weapons of Mac Destruction

Friday at 14:00 in Track 1
45 minutes | Demo, Exploit

Patrick Wardle Chief Research Officer, Digita Security

Whenever a new Mac malware specimen is uncovered, it provides a unique insight into the offensive Mac capabilities of hackers or nation-state adversaries. Better yet, such discoveries provide fully-functional capabilities that may be weaponized for our own surreptitious purposes! I mean, life is short, why write your own?

We'll begin this talk by discussing the methodology of subverting existing malware for "personal use", highlighting both the challenges and benefits of such an approach.

Next, we'll walk-thru the weaponization of various Mac malware specimens, including an interactive backdoor, a file-exfiltration implant, ransomware, and yes, even adware. Customizations include various runtime binary modifications that will coerce such malware to accept tasking from our own C&C servers, and/or automatically perform actions on our behalf.

Of course, in their pristine state, such samples are currently detected by AV products. As such we'll also walk-thru subtle modifications that will ensure our modified tools remains undetected by traditional detection approaches.

In conclusion, we'll highlight novel heuristic methods that can generically detect such threats to ensure Mac users remain protected even from such weaponized threats.

Patrick Wardle
Patrick Wardle is the Chief Research Officer at Digita Security and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.

http://twitch.com/patrickwardle

HVACking: Understand the Difference Between Security and Reality!

Friday at 13:00 in Track 2
45 minutes | Demo

Douglas McKee Senior Security Researcher, McAfee Advanced Threat Research

Mark Bereza Security Researcher, McAfee Advanced Threat Research

Like most modern devices, building controllers have increasingly become network connected, exposing them to a wider range of threats. If malicious actors could manipulate access control systems, boiler rooms, or temperature control for critical industrial systems, the potential for catastrophic damage is extreme.

McAfee's ATR team has discovered a 0-day vulnerability in a major building controller. This controller is a fully programmable native BACnet™ device designed to manage a wide range of building systems. By modifying BACnet broadcast traffic, a buffer overflow can be leveraged into a write-what-where (WWW) condition. This WWW leads to execution control, providing the attacker with a root shell and complete control over the device remotely. Because this attack vector is through BACnet broadcast traffic, there is no authentication mechanism for the target device, allowing anyone on the same network to communicate with it directly and exploit the vulnerability without authentication. Currently, there are over 500 of these devices connected to the internet running in BACnet/IP Broadcast Management Device (BBMD) mode. Utilizing this mode, broadcast traffic can travel over the internet, increasing the potentially devastating impact of this vulnerability.

This presentation will include a deep technical analysis of the vulnerability discovery process and demos illustrating an attack in a critical scenario. Finally, we will discuss the steps taken by the vendor to patch this vulnerability and demonstrate its effectiveness.

Douglas McKee
Douglas McKee is a senior security researcher for the McAfee Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Douglas has an extensive background in penetration testing, reverse engineering, malware analysis and forensics and throughout his career has provided software exploitation training to many audiences, including law enforcement. Douglas recently presented his research focused on hacking medical devices at DEF CON 26.

Twitter: @fulmetalpackets

Mark Bereza
Mark Bereza is a security researcher and new addition to McAfee's Advanced Threat Research team. A recent alumnus of Oregon State's CS systems program, Mark's work has focused primarily on vulnerability discovery and exploit development for embedded systems.

I Know What You Did Last Summer: 3 Years of Wireless Monitoring at DEF CON

Friday at 16:00 in Track 2
20 minutes | Demo, Tool

d4rkm4tter (Mike Spicer) Hacker

For the past 3 years d4rkm4tter has been obsessed with monitoring the wireless networks at DEF CON. This talk will take you on a journey through the successes and failures that lead to the creation of the WiFiCactus and the over 1 TB of data captured. A history of each capture project including a summary of the most interesting pieces of data will be shown.

Many people spread a lot of fear, uncertainty and doubt about the wireless environments during DEF CON. This presentation aims to bring some clarity to what is really happening in the airwaves during one of the largest hacker conferences in the world. This will include presenting data on the attacks and sensitive information that exists in the airwaves. This presentation will demonstrate the risks of using wireless networks and information leaks that can be captured by anyone who is passively listening. Countermeasures and protection strategies will be provided to help you avoid having your data captured by those who might be listening.

With the number of connected devices around us, there has never been a better time to start wardriving or warwalking. Everyone is capable of profiling wireless data around them thanks to cheap hardware and open source tools. As hackers it is important for us to discover issues and vulnerabilities while validating claims of security by software and hardware vendors. Monitoring wireless communication is a great way to start validating those claims. All of the hardware and methods used will be provided so that anyone can do this type of monitoring on their own. Hack the Planet!

d4rkm4tter (Mike Spicer)
d4rkm4tter is a mad scientist hacker who likes to meddle with hardware and software. He is particularly obsessed with wireless. He has a degree in computer science from Southern Utah University which he has put to use building and breaking a wide array of systems. These include web application pentesting, wireless monitoring and tracking as well as good old fashioned reverse engineering. He is the creator of the #WiFiCactus and has been seen presenting Demolabs at DEF CON and DEF CON China Beta. He is a Kismet cultist and active in the wireless and wardriving communities.

Twitter: @d4rkm4tter
Website: palshack.org