Talk/Event Schedule


Sunday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Sunday - 06:00


Meetups - Paris - Outside at base of Eiffel Tower - DEFCON 27 4X5K run -

 

Sunday - 09:00


ASV - Flamingo 3rd Floor - Mesquite Room - (09:30-09:50) - 'Shifting the DevSecOps Culture, Taking away the sugar piece and giving the pile to ants' - Vandana Verma Sehgal
BCV - Flamingo 3rd Floor - Laughlin III Room - (09:45-09:50) - Welcome Note
BCV - Flamingo 3rd Floor - Laughlin III Room - (09:50-10:40) - Crypto currency heist - the story so far ... - Ryan Rubin
BTVT - Flamingo - 3rd Floor- Savoy Room - Evaded MicrosoftATA? **But** You Are Completely Exposed By Event Log - 9ian1i
RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - State of Red Team Services Roundtable - Wesley McGrew
SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Cyber Ninjas and YOU - Dr. Russ Handorf, Kurt Opsahl

 

Sunday - 10:00


AIV - Bally's Resort (Indigo) Tower 26th Floor - Skyview Room 3 - end - Behavioral Biometrics and Context Analytics: Risk Based Authentication Re-Imagined - Jesus Solano, David Camacho
AIV - Bally's Resort (Indigo) Tower 26th Floor - Skyview Room 3 - end - (10:30-11:15) - From Noisy, Distorted data-sets to excellent prediction models - Tal Leibovich, Shimon Noam Oren
ASV - Flamingo 3rd Floor - Mesquite Room - 'History of the worst Android app ever: mAadhaar' - fs0c131y
ASV - Flamingo 3rd Floor - Mesquite Room - (10:30-10:50) - 'Exploiting and Securing iOS Apps using OWASP iGoat' - Swaroop Yermalkar
AVV - Bally's Event Center - Ideas whose time has come: CVD, SBOM, and SOTA - Katie, Art
AVV - Bally's Event Center - (10:30-10:59) - Wireless Attacks on Aircraft Instrument Landing System - Harshad
BCV - Flamingo 3rd Floor - Laughlin III Room - cont...(09:50-10:40) - Crypto currency heist - the story so far ... - Ryan Rubin
BCV - Flamingo 3rd Floor - Laughlin III Room - (10:40-11:05) - Distributed Decentralized Security for Bitcoin Wallets - Ali Meer
BHV - Planet Hollywood - Melrose 1-3 Rooms - Opening Words - Jen Goldsack
BHV - Planet Hollywood - Melrose 1-3 Rooms - (10:15-10:59) - A Minor Threat - Mike Kijewski
BTVT - Flamingo - 3rd Floor- Savoy Room - Who Dis? Who Dis? The Right Way To Authenticate - Lak5hmi5udheer, dhivus
CLV - Flamingo 3rd Floor - Reno I Room - Mining Malevolence: Cryptominers in the Cloud - Cheryl Biswas
CLV - Flamingo 3rd Floor - Reno I Room - (10:45-11:30) - The Effectiveness Of Continuous Bug Hunting In Cloud Environments
CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - (10:30-10:59) - Don't Forget to Wipe - Michael Portera
DC - Paris - Track 1 - Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers - Sheila Ayelen Berta
DC - Paris - Track 2 - Adventures In Smart Buttplug Penetration (testing) - smea
DC - Paris - Track 3 - Hacking WebAssembly Games with Binary Instrumentation - Jack Baker
DC - Paris - Track 4 - Your Secret Files Are Mine: Bug Finding And Exploit Techniques On File Transfer App Of All Top Android Vendors - Xiangqian Zhang, Huiming Liu
DL - Planet Hollywood - Sunset 2 - Zigbee Hacking: Smarter Home Invasion with ZigDiggity - Francis Brown, Matt Gleason
DL - Planet Hollywood - Sunset 3 - Vulmap: Online Local Vulnerability Scanners Project - Yavuz Atlas, Fatih Ozel
DL - Planet Hollywood - Sunset 4 - USB-Bootkit – New Bookit via USB Interface in Supply Chain Attacks - Haowen Bai
DL - Planet Hollywood - Sunset 5 - Rhodiola - Utku Sen
DL - Planet Hollywood - Sunset 6 - QiLing - KaiJern, Lau, Dr. Nguyen Anh Quynh
ETV - Flamingo - 3rd Floor - Reno II Room - Who's Tracking Your Body? Health Apps And Your Privacy
HTS - Bally's Event Center - AIS C2 - Julian Blacno
HTS - Bally's Event Center - (10:30-11:30) - Yacht Hacking – from SatCom to Engine control - Stephan Gerling
LPV - Bally's - Platinum II Ballroom - (10:15-10:45) - Intro to Lockpicking -
Meetups - Paris LeCafe lle St. Louis - (10:30-12:30) - Hackaday Breakfast at DEFCON -
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - MimbleWimble, a Story of Blockchain Privacy - Gus Clarke and Leland Lee
PHVT - Bally's Resort (Indigo) Tower 26th floor - Wi-Fi Threat Modeling and Monitoring - Besim Altinok and Can Kurnaz
RCV - Planet Hollywood - Celebrity 5 Ballroom - Using OSINT for Competitive Intelligence - Chris Kirsch
RCV - Planet Hollywood - Celebrity 5 Ballroom - (10:25-10:59) - Mining for Gold: A Framework for Accessing Pastebin’s Hidden Treasures - Mike Landeck
RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - (10:30-11:30) - Your Adversary Within - Adam Mashinchi
SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Hacking LE Systems: A Hacker Cop Makes a Case for More Hacker Cops - karver
VMV - Planet Hollywood - Melrose 4 Room - Exploring Voter Roll Manipulation and Fraud Detection with Voter Files - Nakul Bajaj
VMV - Planet Hollywood - Melrose 4 Room - (10:30-10:59) - Defending Democracy: Working with Election Officials to Improve Election Security - Liz Howard, Justin Burns_Trevor Timmons, Jared Dearing, Monica Childers

 

Sunday - 11:00


AIV - Bally's Resort (Indigo) Tower 26th Floor - Skyview Room 3 - end - cont...(10:30-11:15) - From Noisy, Distorted data-sets to excellent prediction models - Tal Leibovich, Shimon Noam Oren
AIV - Bally's Resort (Indigo) Tower 26th Floor - Skyview Room 3 - end - (11:15-11:59) - Faults in our Pi Stars: Security Issues and Challenges in Deep Reinforcement Learning - Vahid Behzadan
ASV - Flamingo 3rd Floor - Mesquite Room - WORKSHOP 'Offensive Python: Custom Scripts for Pentests' - Fletcher Heisler
AVV - Bally's Event Center - In The Air And On The Air: Aviation Radio Systems - Exploding Lemur
AVV - Bally's Event Center - (11:30-11:59) - An introduction to the ARINC standards - Karl
BCV - Flamingo 3rd Floor - Laughlin III Room - cont...(10:40-11:05) - Distributed Decentralized Security for Bitcoin Wallets - Ali Meer
BCV - Flamingo 3rd Floor - Laughlin III Room - Reflections on Blockchain Security - Jan Gorzny
BCV - Flamingo 3rd Floor - Laughlin III Room - (11:30-12:20) - Bitcoin Honeypot - Wallet on floor of the Internet - Gordon Draper
BHV - Planet Hollywood - Melrose 1-3 Rooms - Blue Team Bio II - Genetic and Epigenetics Backups - Mr_Br!ml3y
BHV - Planet Hollywood - Melrose 1-3 Rooms - (11:45-12:30) - Biopiracy on the High Seas - Marla Valentine
BTVT - Flamingo - 3rd Floor- Savoy Room - BloodHound From Red to Blue - Mathieu Saulnier
CLV - Flamingo 3rd Floor - Reno I Room - cont...(10:45-11:30) - The Effectiveness Of Continuous Bug Hunting In Cloud Environments
CLV - Flamingo 3rd Floor - Reno I Room - (11:30-12:15) - Is the cloud secure? How can you modernize your infrastructure defensive mechanisms in the cloud
CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Empowering Gateways with Functional Encryption - Yolan Romailler
DC - Paris - Track 1 - The ABC of Next-Gen Shellcoding - Hadrien Barral, Rémi Géraud-Stewart, Georges-Axel Jaloyan
DC - Paris - Track 2 - SDR Against Smart TVs: URL and Channel Injection Attacks - Pedro Cabrera Camara
DC - Paris - Track 3 - Exploiting Qualcomm WLAN and Modem Over The Air - Xiling Gong, Peter Pi
DC - Paris - Track 4 - Say Cheese - How I Ransomwared Your DSLR Camera - Eyal Itkin
DL - Planet Hollywood - Sunset 2 - cont...(10:00 - 11:50) - Zigbee Hacking: Smarter Home Invasion with ZigDiggity - Francis Brown, Matt Gleason
DL - Planet Hollywood - Sunset 3 - cont...(10:00 - 11:50) - Vulmap: Online Local Vulnerability Scanners Project - Yavuz Atlas, Fatih Ozel
DL - Planet Hollywood - Sunset 4 - cont...(10:00 - 11:50) - USB-Bootkit – New Bookit via USB Interface in Supply Chain Attacks - Haowen Bai
DL - Planet Hollywood - Sunset 5 - cont...(10:00 - 11:50) - Rhodiola - Utku Sen
DL - Planet Hollywood - Sunset 6 - cont...(10:00 - 11:50) - QiLing - KaiJern, Lau, Dr. Nguyen Anh Quynh
HTS - Bally's Event Center - cont...(10:30-11:30) - Yacht Hacking – from SatCom to Engine control - Stephan Gerling
HTS - Bally's Event Center - (11:30-11:59) - Surviving Maritime Vulnerability Disclosure - R3doubt
LBV - Flamingo - Carson City II Room - Lock Bypass 101
LPV - Bally's - Platinum II Ballroom - Hurt by high security - Cryo
Meetups - Paris LeCafe lle St. Louis - cont...(10:30-12:30) - Hackaday Breakfast at DEFCON -
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - Handling broken cryptography and building a new one. Past, present, and future of Zcoin - Reuben Yap
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - (11:30-13:30) - Zcoin Station -
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - (11:45-12:30) - Walking Through the High-Level Math Behind Bulletproofs, a Zero-Knowledge Proof - Cathie Yun
PHVT - Bally's Resort (Indigo) Tower 26th floor - Head in the Clouds - Matt Nash
PHVW - Bally's Resort (Indigo) Tower 26th floor - Threat Hunting with Suricata - Josh Stroschein, Jason Williams, Jack Mott, Travis Green
RCV - Planet Hollywood - Celebrity 5 Ballroom - AttackSurfaceMapper: Automate and Simplify the OSINT Process - Andreas Georgiou and Jacob Wilkin
RCV - Planet Hollywood - Celebrity 5 Ballroom - (11:25-11:59) - Prize Distribution / Closing Note
RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - cont...(10:30-11:30) - Your Adversary Within - Adam Mashinchi
SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - How to hack like a journalist - Nodyah (@nodyah_)
VMV - Planet Hollywood - Melrose 4 Room - (11:30-11:59) - Securing Your Election Infrastructure: Plan and Prepare to Defend Your Election Systems, People, and Processes - Robert Anderson

 

Sunday - 12:00


ASV - Flamingo 3rd Floor - Mesquite Room - cont...(11:00-12:59) - WORKSHOP 'Offensive Python: Custom Scripts for Pentests' - Fletcher Heisler
BCV - Flamingo 3rd Floor - Laughlin III Room - cont...(11:30-12:20) - Bitcoin Honeypot - Wallet on floor of the Internet - Gordon Draper
BCV - Flamingo 3rd Floor - Laughlin III Room - (12:20-13:10) - A single global public-utility blockchain & cryptosystem - Derek Moore
BHV - Planet Hollywood - Melrose 1-3 Rooms - cont...(11:45-12:30) - Biopiracy on the High Seas - Marla Valentine
BHV - Planet Hollywood - Melrose 1-3 Rooms - (12:30-13:15) - Getting Skin in the Game - cyberlass
BTVT - Flamingo - 3rd Floor- Savoy Room - An Introduction To Malware Analysis - Understudy77
CLV - Flamingo 3rd Floor - Reno I Room - cont...(11:30-12:15) - Is the cloud secure? How can you modernize your infrastructure defensive mechanisms in the cloud
CLV - Flamingo 3rd Floor - Reno I Room - (12:15-12:59) - Phishing in the cloud era
CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Security and privacy of dating apps - Alex Lomas and Alan Monie
DC - Paris - Track 1 - I'm In Your Cloud... Pwning Your Azure Environement - Dirk-jan Mollema
DC - Paris - Track 2 - Malproxying: Leave Your Malware at Home - Hila Cohen, Amit Waisel
DC - Paris - Track 3 - HTTP Desync Attacks: Smashing into the Cell Next Door - albinowax
DC - Paris - Track 4 - Help Me, Vulnerabilities. You're My Only Hope - Jacob Baines
ETV - Flamingo - 3rd Floor - Reno II Room - Ethics Training Workshop
HTS - Bally's Event Center - Closing Ceremony and Awards - R3doubt
LPV - Bally's - Platinum II Ballroom - Intro to Lockpicking -
LPV - Bally's - Platinum II Ballroom - (12:45-13:45) - The Right Way To Do Wrong: Physical security secrets of criminals and professionals alike - Patrick McNeil
Meetups - Bally's - Vendors Room - Book Signing - Matt Burrough - Pentesting Azure Applications - Matt Burrough
Meetups - Paris LeCafe lle St. Louis - cont...(10:30-12:30) - Hackaday Breakfast at DEFCON -
Meetups - Planet Hollywood - Santa Monica 4 Room - Friends of Bill W. -
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - cont...(11:30-13:30) - Zcoin Station -
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - cont...(11:45-12:30) - Walking Through the High-Level Math Behind Bulletproofs, a Zero-Knowledge Proof - Cathie Yun
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - (12:30-12:59) - The Future of Accessible Mining - Kristy-Leigh Minehan
PHVT - Bally's Resort (Indigo) Tower 26th floor - CIRCO: [Cisco Implant Raspberry Controlled Operations] - Emilio Couto
PHVW - Bally's Resort (Indigo) Tower 26th floor - cont...(11:00-13:59) - Threat Hunting with Suricata - Josh Stroschein, Jason Williams, Jack Mott, Travis Green
RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - WebSploit 2.0 Release and an Intense Introduction to Hacking Web Applications and APIs - Omar Santos
SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Broken Arrow - Anon.
VMV - Planet Hollywood - Melrose 4 Room - Keynote Remarks: Representative Eric Swalwell (CA-15) - Representative Eric Swalwell (CA-15)

 

Sunday - 13:00


BCV - Flamingo 3rd Floor - Laughlin III Room - cont...(12:20-13:10) - A single global public-utility blockchain & cryptosystem - Derek Moore
BCV - Flamingo 3rd Floor - Laughlin III Room - Hyperledger Fabric Security Essentials
BHV - Planet Hollywood - Melrose 1-3 Rooms - cont...(12:30-13:15) - Getting Skin in the Game - cyberlass
BHV - Planet Hollywood - Melrose 1-3 Rooms - (13:15-13:59) - Chinese Military Combined Arms Effects - Bio-Weapons - Red Dragon 1949
BTVT - Flamingo - 3rd Floor- Savoy Room - Blue Team Village Closing Ceremony
CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Ironically, iOS robocall-blocking apps are violating your privacy - Dan Hastings
DC - Paris - Track 1 - [ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1 - Elliott Thompson
DC - Paris - Track 2 - Sound Effects: Exploring Acoustic Cyber-weapons - Matt Wixey
DC - Paris - Track 3 - Owning The Cloud Through Server-Side Request Forgery - Ben Sadeghipour, Cody Brocious (Daeken)
DC - Paris - Track 4 - Want Strong Isolation? Just Reset Your Processor - Anish Athalye
LPV - Bally's - Platinum II Ballroom - cont...(12:45-13:45) - The Right Way To Do Wrong: Physical security secrets of criminals and professionals alike - Patrick McNeil
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - cont...(11:30-13:30) - Zcoin Station -
MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - (13:30-13:59) - Where We Go from Here: Closing Remarks and Game - Diego “rehrar” Salazar
PHVT - Bally's Resort (Indigo) Tower 26th floor - Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response with Open Source Tools - Wes Lambert
PHVW - Bally's Resort (Indigo) Tower 26th floor - cont...(11:00-13:59) - Threat Hunting with Suricata - Josh Stroschein, Jason Williams, Jack Mott, Travis Green
RGV - Flamingo - 3rd Floor - Carson City II - Lockpicking "Extras" - Jared Dygert
SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Lotta Years - Pyr0, Liz Borden
VMV - Planet Hollywood - Melrose 4 Room - cont...(12:00-13:00) - Keynote Remarks: Representative Eric Swalwell (CA-15) - Representative Eric Swalwell (CA-15)

 

Sunday - 14:00


ASV - Flamingo 3rd Floor - Mesquite Room - WORKSHOP 'Exploiting Bad Crypto Found in the Wild!' - João Pena Gil
BCV - Flamingo 3rd Floor - Laughlin III Room - Contest Results -  Peter Kacherginsky
BCV - Flamingo 3rd Floor - Laughlin III Room - Vote of Thanks
BHV - Planet Hollywood - Melrose 1-3 Rooms - Biohacking & Biosecurity - Anne A. Madden
DC - Paris - Track 1 - Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in Firmware - Christopher Roberts
DC - Paris - Track 2 - Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks - Brad Dixon
DC - Paris - Track 4 - Contests Awards Ceremony - Contests & Events Goons

 

Sunday - 15:00


ASV - Flamingo 3rd Floor - Mesquite Room - cont...(14:00-15:59) - WORKSHOP 'Exploiting Bad Crypto Found in the Wild!' - João Pena Gil
DC - Paris - Track 4 - cont...(14:00-15:30) - Contests Awards Ceremony - Contests & Events Goons

 

Sunday - 16:00


ASV - Flamingo 3rd Floor - Mesquite Room - Networking & Challenges - Networking & Challenges
DC - Tracks 1,2,3 - Closing Ceremonies - The Dark Tangent & Goons

 

Sunday - 17:00


DC - Tracks 1,2,3 - cont...(16:00-17:59) - Closing Ceremonies - The Dark Tangent & Goons

Talk/Event Descriptions


 

ASV - Flamingo 3rd Floor - Mesquite Room - Sunday - 10:30-10:50


10:30-10:50

"Exploiting and Securing iOS Apps using OWASP iGoat"

Does your product or application have a mobile app? Do you use any AWS services? Are your product security engineers working on mobile application security? Looking for information about the importance of mobile app security? If your answer is yes to any of these questions, then this talk is for you!

This talk will discuss recent case studies of critical findings in mobile apps and also help to adopt the skills required to perform penetration testing / security audits of iOS applications using a free and open source tool: OWASP iGoat.

Swaroop Yermalkar



 

ASV - Flamingo 3rd Floor - Mesquite Room - Sunday - 10:00-10:20


10:00-10:20

"History of the worst Android app ever: mAadhaar"

At the beginning of 2018, I analysed the official Android app of an Indian governmental program called Aadhaar. Aadhaar is a 12-digit unique identity number that can be obtained by residents of India, based on their biometric and demographic data. With 1.234 billion holders, Aadhaar is the biggest identification program in the world.

The surprise was huge when I discovered multiple vulnerabilities in this application used by millions of people.

From the analysis of the app, the description of the vulnerabilities, the attempt at responsible disclosure to the Indian Government, to the media impact of this work, this presentation gives the full story of this incredible journey.

fs0c131y



 

ASV - Flamingo 3rd Floor - Mesquite Room - Sunday - 09:30-09:50


09:30-09:50

"Shifting the DevSecOps Culture, Taking away the sugar piece and giving the pile to ants"

We have been talking about the technical angle of DevSecOps. How do I go about building the DevSecOps culture in the organisation? So far, corporates have generally been trying to have all three plays and teams (Dev, Sec and Ops) together. However, the ideal DevSecOps idea is that each individual should know what is happening in the whole process. If a person or team has issues or concerns, then anyone can stand up and take DevSecOps further. Instead of giving the sugar cube to individuals, give the whole pile of sugar to the ants (aka teams); in case something fails, the other teams can balance the situation or stand up for each other.

This talk will portray a call to action for different teams. What should a developer do, and what should a security or operations person do? How do we bring the teams to work together? Example: earlier, security teams used to sit in a room alone. Now the security team sits with the operations and Dev teams.

Vandana Verma Sehgal



 

DC - Paris - Track 1 - Sunday - 13:00-13:45


[ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1

Sunday at 13:00 in Track 1
45 minutes | Demo, Tool

Elliott Thompson Senior Security Consultant, SureCloud Ltd

Your browser thinks my 192.168.1.1 is the same as your 192.168.1.1. Using a novel combination of redirects, Karma, JavaScript and caching we demonstrate that it’s viable to attack internal management interfaces without ever connecting to your network. Using the MICASA-SUCASA tool it’s possible to automate the exploitation of hundreds of interfaces at once. This presentation will introduce the attack vector and demonstration, but also the public release of the MICASA-SUCASA tool.

Elliott Thompson
The alphabet soup: OSCP, CTL/CCT-APP. Senior pentester and researcher for the last 3 years, with hundreds of successful engagements behind me. Passionate about security and involved in various article pieces for infosec magazine, the BBC and the UK consumer watchdog Which?. Last year I discovered and disclosed an exploit on some Android tablets that allowed RCE through the tag. [ CVE-2018-16618 ]



 

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 10:15-10:59


10:15 AM: A Minor Threat: What healthcare technology companies can learn about infosec from the Washington DC Punk Scene: 1979-1992
Speaker: Mike Kijewski

Abstract: The changes healthcare IT and medical device companies need to make to their product development processes to address infosec challenges are radical. Many of these same challenges were overcome by the Washington DC punk scene in the 80s and 90s. Bands from Minor Threat to Fugazi used information sharing and first-principles thinking to bring lasting change to the music industry. If you are responsible for the security of healthcare software, it's time to think like a punk.

Speaker Bio: Mike is the cofounder of MedCrypt, a medical device cybersecurity startup based in San Diego, CA.

T: @mikekijewski


 

BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 12:20-13:10


A single global public-utility blockchain & cryptosystem

No description available



 

DC - Paris - Track 2 - Sunday - 10:00-10:45


Adventures In Smart Buttplug Penetration (testing)

Sunday at 10:00 in Track 2
45 minutes | Demo, Tool

smea

Analysts believe there are currently on the order of 10 billion Internet of Things (IoT) devices out in the wild. Sometimes, these devices find their way up people's butts: as it turns out, cheap and low-power radio-connected chips aren't just great for home automation - they're also changing the way we interact with sex toys. In this talk, we'll dive into the world of teledildonics and see how connected buttplugs' security holds up against a vaguely motivated attacker, finding and exploiting vulnerabilities at every level of the stack, ultimately allowing us to compromise these toys and the devices they connect to.

smea
smea got his start making video games for closed consoles like the Nintendo DS using whatever hacks were available at the time. At some point consoles started getting actual security features and he transitioned from just making homebrew software to actually making the jailbreaks that let people run it. He's best known for his work on the Nintendo 3DS and Wii U but has also done exploitation work against high profile web browsers and virtualization stacks. Now he hacks buttplugs, apparently.

Twitter: @smealum
Github: https://github.com/smealum



 

HTS - Bally's Event Center - Sunday - 10:00-10:30


AIS C2

No description available



 

BTVT - Flamingo - 3rd Floor- Savoy Room - Sunday - 12:00-12:59


An Introduction To Malware Analysis

Sunday 12:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@Understudy77 is an obsessive clicker of links, Shawn is a current Paranoid and Head of Security Operations at Verizon Media with a past history of Incident Response, threat hunting, and malware analysis.

A mostly live demo of base concepts of malware analysis using a multitude of tools on a Dridex sample pulled from a phishing campaign from PDF attachment to executable installation. The main point is to show people some base tools to dive headfirst into analysis of suspicious files.



 

AVV - Bally's Event Center - Sunday - 11:30-11:59


An introduction to the ARINC standards

Speaker – Karl

Synopsis

ARINC is a 90-year-old company originally created to coordinate and support radio communications for airlines. Since then, ARINC has developed several standards to promote interoperability between manufacturers of line-replaceable units (LRUs). This talk will cover major ARINC standards, such as ACARS (an air-to-ground messaging system), 429 (the CAN bus of aviation), and AFDX, and explain why it’s completely impossible to control a 737 through a compromised in-flight entertainment system.

About the Speaker

Karl Koscher is a research scientist at the University of Washington where he specializes in wireless and embedded systems security. In 2011, he led the first team to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels.



 

RCV - Planet Hollywood - Celebrity 5 Ballroom - Sunday - 11:00-11:25


LIGHTNING TALK

AttackSurfaceMapper: Automate and Simplify the OSINT Process

1100 - 1125



 

PHVT - Bally's Resort (Indigo) Tower 26th floor - Sunday - 13:00-13:59


Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response with Open Source Tools

Wes Lambert, Senior Engineer at Security Onion Solutions

As network defenders, we face evolving threats every day. We need to truly understand our computer networks, and gain greater context around events occurring within them. To do this, we can use completely free and open source tools, augmenting a platform like Security Onion, to assist in threat hunting, responding to alerts, tracking events, automating analysis of files extracted from network data streams, and even performing remote host-based forensics. This presentation discusses how freely available tools can be integrated to empower teams to effectively monitor, track, and investigate events to help lower risk and increase security posture within their organizations.

Wes Lambert (Twitter: @therealwlambert) is a Senior Engineer at Security Onion Solutions, where he helps companies to implement enterprise security monitoring solutions and better understand their computer networks. He is a huge fan of open source software projects, and loves to solve problems and enhance organizational security using completely free and easily deployable tools.



 

DC - Paris - Track 1 - Sunday - 10:00-10:45


Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers

Sunday at 10:00 in Track 1
45 minutes | Demo, Tool

Sheila Ayelen Berta Security Researcher

Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, car’s ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots.

In this talk, it will be explained how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieve payload injection, from basic to advanced techniques. The first method consists of locating the entry point of the firmware and injecting our payload there; this is an easy way to execute it at least once. As a second, more complex technique, we will backdoor the EUSART communication by injecting a malicious payload at the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allows us to take control of the microcontroller’s program flow by manipulating the stack, writing memory addresses at the TOS; with this we can execute a payload made with instructions already written in the original program, performing it just like a ROP-chain technique.

Sheila Ayelen Berta
Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at 12 years old by herself. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and software. She has also given courses on Hacking Techniques in universities and private institutes in Argentina. Sheila currently works as a Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers and microprocessors x86/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat Briefings, DEF CON 26, DEF CON 25 CHV, HITB, HackInParis, Ekoparty, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.

Twitter: @UnaPibaGeek



 

AIV - Bally's Resort (Indigo) Tower 26th Floor - Skyview Room 3 - end - Sunday - 10:00-10:30


Behavioral Biometrics and Context Analytics: Risk Based Authentication Re-Imagined

No description available



 

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 14:00-14:59


2:00 PM: Biohacking & Biosecurity: How to innovate with biohacking and synthetic biology while avoiding an apocalypse
Speaker: Anne A. Madden

Abstract: The democratization of synthetic bio tools fuels innovation, but also poses risks, such as the creation of new organisms with unknown capabilities. For decades scientists have safely hacked nature's pipeline to grow unknown natural microbes, finding those that make antibiotics and better beers, while avoiding those that make the world's deadliest chemicals. We can leverage key learnings from this parallel field of bioprospecting to foster innovation while keeping humanity alive in the process.

Speaker Bio: Dr. Madden is a microbe wrangler, an innovation consultant, and TED speaker. Her mission is to reveal the utility of the microscopic world around us. She's discovered a novel microbial species, characterized new antibiotics, and identified new yeasts for better beer technology from inside wasps.

T: @AnneAMadden


 

BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 11:45-12:30


11:45 AM: Biopiracy on the High Seas: lessons learned from purloined tarantulas and viral pandemics
Speaker: Marla Valentine

Abstract: You wouldn't steal a car! You wouldn't steal a movie! But would you steal genetic code!? Venture into the high seas where no international laws regulate the patenting of genetic discoveries. From scientists threatened with extradition for identifying new species to calculable deaths based on subpar vaccinations, this lecture will cover the panoply of laws concerning developing genomic technologies in the high seas (or lack thereof) derived from preexisting statutes ratified by sovereign states.

Speaker Bio: Dr. Valentine has explored the gamut of ocean sciences from wrestling sharks and alligators to exploring the darkest depths of the sea floor. Using a decade of research experience, Dr. Valentine now works at the forefront of scientific policy.


 

BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 11:30-12:20


Bitcoin Honeypot - Wallet on floor of the Internet

No description available



 

BTVT - Flamingo - 3rd Floor- Savoy Room - Sunday - 11:00-11:59


BloodHound From Red to Blue

Sunday 11:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

Mathieu Saulnier is a “Security Enthusiast” @h3xstream. He has held numerous positions as a consultant within several of Quebec’s largest institutions. For the last 6 years he has been focused on putting in place a few SOCs and has specialized in detection (Blue Team), content creation and mentorship. He currently holds the title of « Senior Security Architect » and acts as “Adversary Detection Team Lead” and “Threat Hunting Team Lead” for Bell Canada, one of Canada’s largest carriers. In the last 12 months he gave talks at GoSec (Montreal), BSidesCharm (Baltimore), NorthSec (Montreal) and BSidesLV; he is also scheduled to speak at Derbycon.

BloodHound was originally built for pentesters to easily identify highly complex attack paths, but it can also be used to improve the overall security posture of your Active Directory. We will start with a short introduction to graph databases and how the different parts of BloodHound work. We will then discuss some useful tips on using the GUI to visualize various attack paths, then we will venture into the world of custom Cypher queries. Using this new knowledge, we will set off on a path of destruction, targeting the attack paths in our environment and visualizing the effects of our planned remediations on these attack paths.



BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 11:00-11:45


11:00 AM: Blue Team Bio II - Genetic and Epigenetics Backups
Speaker: Mr_Br!ml3y

Abstract: Editing genes is getting easier as knowledge of various genomes and technology advance. This will enable repair of genetic damage caused by external carcinogens provided that a known prior DNA sequence is available. This presentation discusses leveraging backup methodologies in IT to DNA applications to remediate genetic and epigenetic damage. Coding DNA into digital form at the base pair and transposon (amino acid specifying) levels will be discussed.

Speaker Bio: Mr_Br!ml3y has nine years of public sector info sec experience, and is currently working on a doctorate in environmental engineering, focused on contaminant transport/isolation. He has presented at DefCon BioHacking Village for four years, focusing on computational aspects of biohacking.


Meetups - Bally's - Vendors Room - Sunday - 12:00-12:59


Title:
Book Signing - Matt Burrough - Pentesting Azure Applications

All signings take place at the No Starch Press table in the vendor area. Check https://nostarch.com/defcon/ for updates.

SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Sunday - 12:00-12:59


Broken Arrow

August 11, 2019    12:00 - 13:00
Bally's, Jubilee Tower - Pacific BR - 2nd Floor

Anon.

The talk will discuss the use of social media to detect physical surveillance, technical countermeasures for surveillance devices, lessons learned with forensics and the ways to protect oneself against leaving data behind. I became involved in this field after enduring years of physical and verbal abuse. I was beaten by my spouse and denied food on a regular basis when home from the field. The former spouse had been an admin for my business when I worked in the Intelligence Community. When they moved out, they left behind the Mac Pro used for my business, an image of the iPhone used to support my business and the MacBook used for my business. I had provided forensic services to the intelligence community since 2000 and specialized in Mac products. This was a godsend. I was able to navigate the legal e-discovery requirements on my own devices, recover data in innovative ways that I never considered with the Intel Community.
Every action was legal and admissible.



DC - Paris - Track 2 - Sunday - 14:00-14:45


Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks

Sunday at 14:00 in Track 2
45 minutes | Demo, Tool

Brad Dixon Security Consultant, Carve Systems

Athletes are competing in virtual cycling by riding real bikes on stationary trainers which power the in-game athletic performance. Riders train and compete online against each other. New racing teams are even competing in Union Cycliste Internationale (UCI) sanctioned events. Better at hacking than riding? Me, too. I’ll expand on the dubious achievements of prior cycling cheaters by showing how to use the open source USBQ toolkit to inspect and modify USB communications between the Zwift application and the wireless sensors that monitor and control the stationary trainer. USBQ is a Python module and application that uses standard hardware, such as the Beaglebone Black, to inspect and modify communications between USB devices and the host. You’ll ride away with a lesson on building your own customized USB man-in-the-middle hacking tool, too.

Brad Dixon
Brad once told his parents that if they gave him a Commodore 64 it would be the last computer he’d ever want. He never got that Commodore 64. Nevertheless Brad managed to become a computer nerd at a young age. Brad studied Computer Engineering at Georgia Tech and jumped into embedded software engineering. He worked for many years helping developers to design embedded Linux into telecom, network, and mobile products. Brad also took a turn as a product manager for embedded development tools and a mobile location analytics product. At Carve he hacks IoT, embedded, and Linux systems.

Github: https://github.com/rbdixon



BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 13:15-13:59


1:15 PM: Chinese Military Combined Arms Effects - Bio-Weapons
Speaker: Red Dragon 1949

Abstract: During "Chinese Military Combined Arms Effects - Bio-Weapons" attendees will receive a field experience based discussion from within the People's Republic of China regarding the People's Liberation Army's use of bio-weapons.

Speaker Bio: Independent security researcher who has met authors of China's Unrestricted Warfare & a US Marine

T: @RedDragon1949


PHVT - Bally's Resort (Indigo) Tower 26th floor - Sunday - 12:00-12:59


CIRCO: [Cisco Implant Raspberry Controlled Operations]

Emilio Couto, eKio Security

Designed under Raspberry Pi and aimed for Red Team Ops, we take advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in a stealth mode. Using low-profile hardware & electronics camouflaged as a simple network outlet box to sit under/over a desk. CIRCO includes different techniques for network data exfiltration to avoid detection. This tool gathers information and uses a combination of honeypots to trick Automation Systems to give us their network credentials!

Emilio Couto (Twitter: @ekio_jp) is a Security Consultant with more than 20 years of experience in the network and security field. Born and raised in Argentina, he is currently located in Japan where multitasking between language, culture and technologies is a must. Over the last decade focusing mainly on Finance IT. In his spare time he enjoys playing with RFID, computers and home made IoT devices. Over the last 5 years presenting tools in conferences (Black Hat Asia, HITB, AV Tokyo and SECCON)



DC - Tracks 1,2,3 - Sunday - 16:00-17:59


Closing Ceremonies

Sunday at 16:00 in Paris Ballroom
120 minutes

The Dark Tangent & Goons

DEF CON 27 draws to a close. Prizes awarded, Black Badge winners announced, thanks given, future plans revealed.



HTS - Bally's Event Center - Sunday - 12:00-12:59


Closing Ceremony and Awards

No description available



BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 14:00-14:10


Contest Results

No description available



DC - Paris - Track 4 - Sunday - 14:00-15:30


Contests Awards Ceremony

Sunday at 14:00 in Track 4
90 minutes

Contests & Events Goons

You've seen the Contests, you've played in a Contest, you've won a Contest and may have lost a Contest! Whatever the outcome was, come join us as we celebrate the winners and contestants of our DEF CON 27 Contests! DEF CON 27 Contests and Events Closing Ceremonies will be August 11th at 14:00 in Track 4. Black Badge winning Contests will still be honored at the main DEF CON 27 Closing Ceremonies on August 11th at 16:00 in the Paris Ballroom!



BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 09:50-10:40


Crypto currency heist - the story so far ...

No description available



SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Sunday - 09:00-09:59


Cyber Ninjas and YOU

August 11, 2019    09:00 - 10:00
Bally's, Jubilee Tower - Pacific BR - 2nd Floor

Dr. Russ Handorf
Kurt Opsahl

Learn how the FBI, DoJ and EFF have teamed up to create a process to help protect security researchers over the last couple of years. Examples will be given.



Meetups - Paris - Outside at base of Eiffel Tower - Sunday - 06:00-06:59


Title:
DEFCON 27 4X5K run

DEF CON 27 Let's go for a run 4X5K Announcement
The 4X5K is returning to DefCon 27. Come running, because maybe you like your mornings sweaty! 0530 is the perfect time to either wind down your evening or start up your day! 0600 is of course the coolest time for a run in Vegas (It's only 80!) But who really cares, running is fun, let's go for a run!

Meet up at 0600 (6 AM) at the base of the Paris Hotel and Casino Eiffel tower outside on Thursday-Sunday (8/9-8/12/2019) for 5.1K fun run. Run departs at 0610. We've got two pace groups. The fast group is for people that run an average pace of around 9:00-minute miles or better. If you run slower than an average pace of 9:00-minute miles you're in the not fast group. This is basically so everyone ends up in the same place at the end. At either pace, do it all four days and it's a half marathon (21K).

Routes will vary but will most likely be strip-centric. Printed route maps will be displayed before the run.

Safety Brief: It's Vegas, weird stuff will happen, it always does. Be aware that wet concrete is super slippery, broken glass is not your friend, and randos abound! If people harass you, just keep running. You are fast, and they are lame. Some random people may want to join in. This is cool, until it's not. Watch for traffic along the route. It's going to be hot. Hydrate before, during, and after. There can be a surprising number of stairs to climb on these runs, especially when we run south along the strip. Help each other out. Don't die.

The organizers (of which there are very few) are interested in talking to sponsors and past attendees about how we can awesome up this event. We're looking at you, fitness tracker companies: maybe we'll stop dropping 0days if you buy us some water and bananas.

I will see you there.

Follow @Agent __ X __ & @whereiskurt on Twitter for updates, and follow the hashtag #DEFCON4X5K

VMV - Planet Hollywood - Melrose 4 Room - Sunday - 10:30-10:59


Title:
Defending Democracy: Working with Election Officials to Improve Election Security

10:30 AM Defending Democracy: Working with Election Officials to Improve Election Security
Liz Howard, Counsel, Democracy Program, Brennan Center for Justice
Justin Burns, Chief Information Security Officer, Washington Secretary of State
Trevor Timmons, Chief Information Officer, Colorado Secretary of State
Jared Dearing, Executive Director, Kentucky State Board of Elections
Monica Childers (moderator), Product Manager for Risk-Limiting Audits, VotingWorks


BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 10:40-11:05


Distributed Decentralized Security for Bitcoin Wallets

No description available



CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Sunday - 10:30-10:59


Title:
Don't Forget to Wipe - Michael Portera (NOT RECORDED)

ABSTRACT
On June 29, 2018, Toys R Us shut its doors to the public after filing Chapter 11 bankruptcy. The months leading up to that day consisted of liquidating its assets, including the hardware found in local stores. While everything should have been sanitized before being let go, it wasn't for many stores. In this talk, we'll review what was leaked and what should've been done to protect the information.

BIO
Michael is a Red Team Operator at Millennium Corporation supporting a Full Spectrum Red Team. His previous experiences focused on threat hunting and security analytics. He's been featured in the official Raspberry Pi magazine (MagPi) and has given several talks at conferences including Shmoocon and Layer8. He enjoys maker culture, CTFs, arcade games, and dance parties with his toddler.


CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Sunday - 11:00-11:59


Title:
Empowering Gateways with Functional Encryption - Yolan Romailler (NOT RECORDED)

ABSTRACT
Have you heard of Functional Encryption (FE)? You might be surprised to learn it's more than just encryption that functions. If you have heard of it, you might be associating it with a sort of homomorphic encryption, which is not wrong, but not exactly right either. Let's take a look at what FE is, along with a few examples. We will also cover some usage of FE schemes nowadays, how they are quickly evolving and learn about the bleeding edge libraries that empower you to use it in your codebase today. Finally, we will cover some of the cool things you could do with it, such as end-to-end encryption between a client and a server, and yet have local decision making based in-between at the gateway level!

BIO
Yolan is a security researcher at Kudelski Security delving into (and dwelling on) cryptography, crypto-coding, blockchain technologies and other fun things. He has spoken at Black Hat USA, BSidesLV, DEF CON and North Sec, on topics including automation in cryptography, public key vulnerabilities, ECC and presented at FDTC the first known practical fault attack against the EdDSA signature scheme. Yolan tweets as @anomalroil


BTVT - Flamingo - 3rd Floor- Savoy Room - Sunday - 09:00-09:59


Evaded MicrosoftATA? **But** You Are Completely Exposed By Event Log

Sunday 09:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@9ian1i is a security researcher, core member of 0keeTeam, Information Security Department of Qihoo 360 Technology Company. He specializes in the construction of Blue Team and security architecture, especially the auto-detection of security vulnerabilities.

Because the internal environment of Windows domains is always too tolerant, and enterprises are more concerned about border defenses than internal security, penetration behavior based on Windows Active Directory has become more and more popular and aggressive. The emergence of MicrosoftATA allows the Blue Team to perceive and discover most domain penetration activities; however, there have recently been many bypassing techniques for MicrosoftATA, and the detection dimension of MicrosoftATA is not comprehensive enough, especially the persistence part. It's a compelling problem whether the Red Team can ensure their behaviors are not detected after bypassing the detection of MicrosoftATA. In my recent research, the security event log of the domain controller details the activity of entities in the domain. Most AD attacks leave traces in the logs. These logs can be collected and analyzed in real time, helping you quickly detect attacks before an attacker compromises the domain controller. I will detail how to find exceptional behavior from a large number of domain controller security event logs and use a variety of analysis approaches to determine attacks, while taking into account the false alarm rate. It's worth mentioning that we don't collect the security event logs of all computers, only domain controllers. As a result, these ideas are applicable in a large-scale intranet environment, helping the Blue Team build its own Advanced Threat Analytics.



DC - Paris - Track 3 - Sunday - 11:00-11:45


Exploiting Qualcomm WLAN and Modem Over The Air

Sunday at 11:00 in Track 3
45 minutes | Demo, Exploit

Xiling Gong Consultant, NCC Group

Peter Pi Senior Security Researcher of Tencent Blade Team

In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in FIRMWARE layer, break down the isolation between WLAN and Modem and then fully control the Modem over the air.

Setting up the real-time debugger is the key. Without the debugger, it's difficult to inspect the program flow and runtime status. On the Qualcomm platform, subsystems are protected by Secure Boot and cannot be touched externally. We'll introduce the vulnerability we found in Modem to defeat the Secure Boot and elevate privilege into Modem locally so that we can set up the live debugger for baseband.

The Modem and WLAN firmware is quite complex and reverse engineering is tough work. Thanks to the debugger, we finally figured out the system architecture, the components, the program flow, the data flow, and the attack surfaces of WLAN firmware. We'll share these techniques in detail, along with the zero-days we found on the attack surfaces.

There are multiple mitigations on Qualcomm baseband, including DEP, stack protection, heap cookie, system call constraint, etc. All the details of the exploitation and mitigation bypassing techniques will be given during the presentation.

Starting from Snapdragon 835, WLAN firmware is integrated into the Modem subsystem as an isolated userspace process. We'll discuss these constraints, and then leverage the weakness we found to fully exploit into Modem.

Xiling Gong
Xiling Gong is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities of vendors like Google and Qualcomm. He is the speaker of CanSecWest 2018.

Twitter: @Gxiling

Peter Pi
Peter Pi is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities of vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla. He was the #1 researcher of Google Android VRP in year 2016. He has spoken at many famous security conferences such as BlackHat, CanSecWest, HITB GSEC and Hitcon.

Twitter: @tencent_blade



VMV - Planet Hollywood - Melrose 4 Room - Sunday - 10:00-10:30


Title:
Exploring Voter Roll Manipulation and Fraud Detection with Voter Files

10:00 AM Exploring Voter Roll Manipulation and Fraud Detection with Voter Files
Nakul Bajaj, High School Researcher, University of Michigan Research co-authored by Kevin Chang, Post Bacc Researcher, University of Michigan


AIV - Bally's Resort (Indigo) Tower 26th Floor - Skyview Room 3 - end - Sunday - 11:15-11:59


Faults in our Pi Stars: Security Issues and Challenges in Deep Reinforcement Learning

No description available



DC - Paris - Track 1 - Sunday - 14:00-14:45


Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in Firmware

Sunday at 14:00 in Track 1
45 minutes | Demo, Tool

Christopher Roberts

DARPA’s Grand Cyber Challenge foretold an ominous future stricken with machines exploiting our code and automatically compromising our systems. Today, we have the chance to steel ourselves by creating new hope through stronger tools and techniques to find our bugs before our big-brother nation-states can take advantage. The firmware holding our phones, our routers, and our cars is our weakest link and it demands new methods of finding exploitable vulnerabilities. This talk will present Firmware Slap, the culmination of concolic analysis and semi-supervised firmware function learning. Each binary or library in a given firmware provides slices of information to accelerate and enable fault-resistant concolic analysis. These techniques provide a method of knowing where our vulnerabilities are and how we can trigger them.

Christopher Roberts
Christopher Roberts is a security researcher at REDLattice Inc. He has extensive vulnerability research experience in embedded systems and program analysis frameworks. He competes and speaks in George Mason’s competitive cyber club. He’s known for building several tools which automatically solve and produce flags from pwnable and reversing CTF problems. (Zeratool) (PinCTF)

Github: https://github.com/ChrisTheCoolHut



Meetups - Planet Hollywood - Santa Monica 4 Room - Sunday - 12:00-12:59


Title:
Friends of Bill W.

For all those Friends of Bill W. looking for a meeting or just a quiet moment to regroup, we have you covered with meetings throughout #DEFCON - Noon & 5pm Thurs-Sat, Noon Sun. The location is SANTA MONICA 4 in Planet Hollywood.

AIV - Bally's Resort (Indigo) Tower 26th Floor - Skyview Room 3 - end - Sunday - 10:30-11:15


From Noisy, Distorted data-sets to excellent prediction models

No description available



BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 12:30-13:15


12:30 PM: Getting Skin in the Game: Biohacking & Business
Speaker: cyberlass
Abstract: Let's talk biohacking, technology and business. We are a community that is innovating and creating mostly in non-commercial and academic spaces. As we have grown so have the opportunities, sometimes in unexpected places. My company, Livestock Labs, is bringing its biometric implant to market in cows first. Started by body augmenters, the company is proving what we all know that when we get funding and dedicated time our projects take off. This session tries to shed some light on learning to business as a biohacker and what other funding models we might explore. I want to encourage other biohackers to take the leap and see what amazing things they can accomplish.

Speaker Bio: Biohacker, IT nerd and COO of Livestock Labs, Amanda Plimpton has lessons learned from biohackers entering commercial spaces. She wants the biohacking community to have more opportunities for its talented, passionate members to contribute in commercial, academic and non-profit sectors.

T: @cyberlass


Meetups - Paris LeCafe lle St. Louis - Sunday - 10:30-12:30


Title:
Hackaday Breakfast at DEFCON

Will you be at @DEFCON? Join us for the @Hackaday x Tindie Breakfast at DEF CON on Sunday, Aug 11 and bring your Hacks

SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Sunday - 10:00-10:59


Hacking LE Systems: A Hacker Cop Makes a Case for More Hacker Cops

August 11, 2019    10:00 - 11:00
Bally's, Jubilee Tower - Pacific BR - 2nd Floor

karver

We need hacker cops. We need people in law enforcement who understand tech, aren't afraid of it, and can ensure exploiting it won't extend to exploiting our freedoms. We have the power to use technology in a responsible way to better protect our communities without stepping into a dystopian novel.

As police forces strive to modernize, we need to provide guidance and a voice of reason. We can ensure that aspiring hackers, whose crime is curiosity, are encouraged to use their powers for good rather than prosecuted. We can work to tear-down the perception that hackers are evil, propagate the openness and tolerance baked-into the hacker ethos, and devise creative solutions in a public institution that sorely needs them.

Marrying hacking with policing implies a healthy dose of double-think, but hackers know how to work in gray areas. We can effect change by being that change.

In this session we'll talk about local policing, enforcing the law without being a jerk, real examples of the often abysmal security in law enforcement software, and how you can make things better, whether you're ready to leave your high-paying private sector job yet or not.



DC - Paris - Track 3 - Sunday - 10:00-10:45


Hacking WebAssembly Games with Binary Instrumentation

Sunday at 10:00 in Track 3
45 minutes | Demo, Tool

Jack Baker

WebAssembly is the newest way to play video games in your web browser. Both Unity3d and Unreal Engine now support WebAssembly, meaning the amount of WebAssembly games available is growing rapidly. Unfortunately the WebAssembly specification is missing some features game hackers might otherwise rely on. In this talk I will demonstrate adapting a number of game hacking techniques to WebAssembly while dealing with the limitations of the specification.

For reverse engineers, I will show how to build and inject your own "watchpoints" for debugging WebAssembly binaries and how to insert symbols into a stripped binary.

For game hackers, I will show how to use binary instrumentation to implement some old-school game hacking tricks and show off some new ones.

I will be releasing two tools: a binary instrumentation library built for modifying WebAssembly binaries in the browser, and a browser extension that implements common game hacking methods a la Cheat Engine.

Jack Baker
Jack Baker is a professional vulnerability researcher and amateur video game hacker. His primary areas of expertise include web application security, embedded reverse engineering, and Tony Hawk's Pro Skater 3.

Github: https://github.com/Qwokka



MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - Sunday - 11:00-11:30


11:00-11:30

Handling broken cryptography and building a new one. Past, present, and future of Zcoin

Reuben Yap, COO of Zcoin

Zcoin launched with the Zerocoin protocol, which was riddled with critical security issues. Reuben will talk through the team’s response to these and its development and research journey.
He will share the most important lessons and what the Monero community can learn from their experiences.



PHVT - Bally's Resort (Indigo) Tower 26th floor - Sunday - 11:00-11:59


Head in the Clouds

Matt Nash, Security Consultant at NCC Group

Availability, scalability, agility, and automation - "The Cloud" brings all of these to your fingertips. Improperly configured, it can also be a security incident waiting to happen. In this talk, we'll cover open source tools to help paint a current, accurate picture of your cloud security posture, share some insight from first-hand experience, and show examples of how you can use this approach within your organization.

Matt Nash works in a variety of realms, including internal/external network infrastructure, cloud architecture, web applications, automated teller machines (ATMs), physical security, social engineering, digital forensics and incident response, and wireless. As well, these assessments span a number of industries: oil and gas energy, utility, manufacturing, software development, financial, and retail. With more infrastructure and resources moving into "the cloud", at a staggering pace, building a skillset in large-scale cloud review was an obvious choice. Matt holds a B.S. in Food and Resource Economics, and is totally qualified to speak on this topic.



DC - Paris - Track 4 - Sunday - 12:00-12:45


Help Me, Vulnerabilities. You're My Only Hope

Sunday at 12:00 in Track 4
45 minutes | Tool, Exploit

Jacob Baines Research Engineer, Tenable

MikroTik routers keep getting owned. They’ve been exploited by advanced threats like VPNFilter, Slingshot APT, and Trickbot. They’ve been compromised by coin miners, botnets, and who knows what else. With each new campaign the security industry publishes new indicators of compromise and everyone moves on.

However, MikroTik administrators operate in a sandbox. They have very limited access to the router’s underlying file system and almost no ability to directly interact with the Linux operating system. Due to these limitations, file hashes cannot answer the fundamental question that is asked again and again on the MikroTik forums, “Have I been compromised?”

It’s time the users had their question answered. In this talk, I’ll present three vulnerabilities that can help MikroTik administrators break out of the sandbox. I’ll show how to use these vulnerabilities to help determine if the router has been compromised.

Jacob Baines
Jacob is the founding member of Tenable's Zero Day Research group. He focuses much of his research efforts on routers and other IoT devices. Sometimes he even finds vulnerabilities.

Twitter: @junior_baines



SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Sunday - 11:00-11:59


How to hack like a journalist

August 11, 2019    11:00 - 12:00
Bally's, Jubilee Tower - Pacific BR - 2nd Floor

Nodyah (@nodyah_)

An outline of the nexus between hackers and journalists. "Hack like a journalist" will discuss the history between these two groups, including their ever-changing reputation in society. We will go over practical tools and techniques they share, as well as some tools they should be sharing. And finally, we will delve into where their relationship is headed in our techno-dystopian future.

NOTE: This talk will touch on subjects that may be triggers for some individuals including active crime scenes and firearms.



DC - Paris - Track 3 - Sunday - 12:00-12:45


HTTP Desync Attacks: Smashing into the Cell Next Door

Sunday at 12:00 in Track 3
45 minutes | Demo, Tool

albinowax Head of Research, PortSwigger

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.

Using these targets as case studies, I’ll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I’ll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page.

Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice.

albinowax
James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU.

Twitter: @albinowax
Website: https://skeletonscribe.net/



LPV - Bally's - Platinum II Ballroom - Sunday - 11:00-11:15


Title:
Hurt by high security

Presented By
Cryo


Abstract
Regularly overlooked and under-discussed are the keymarks stamped on the face of SFIC locks and keys. I'll briefly detail the steps to recreate potential SFIC keys based on these codes and share a story or two from the field.


DC - Paris - Track 1 - Sunday - 12:00-12:45


I'm In Your Cloud... Pwning Your Azure Environment

Sunday at 12:00 in Track 1
45 minutes | Demo, Tool, Exploit

Dirk-jan Mollema Security Expert - Fox-IT

After having compromised on-premise for many years, there is now also the cloud! Now your configuration mistakes can be accessed by anyone on the internet, without that fancy next-gen firewall saving you. With this talk I’ll share my current research on Azure privileges, vulnerabilities and what attackers can do once they gain access to your cloud, or how they can abuse your on-premise cloud components. We start with becoming Domain Admin by compromising Azure AD Sync, sync vulnerabilities that allow for Azure admin account takeover and insecure Single Sign On configurations. Up next is cloud roles and privileges, backdooring Azure AD with service accounts, escalating privileges as limited admin and getting past MFA without touching someone's phone. Then we finish with cloud integrations, also known as "how a developer can destroy your whole infrastructure with a single commit": Exploring Azure DevOps, backdooring build pipelines, dumping credentials and compromising Azure Resource Manager through connected services. Besides all the fun we'll also look into how this translates into the questions you should ask yourself before moving things to the cloud and how this differs from on-premise.

Dirk-jan Mollema
Dirk-jan is one of the core researchers of Active Directory and Azure AD at Fox-IT. Amongst the open source tools published to advance the state of AD research are aclpwn, krbrelayx, mitm6, ldapdomaindump and a Python port of BloodHound. He blogs at dirkjanm.io, where he publishes about new Active Directory attack chains, which included the discovery of the PrivExchange vulnerability. He is also co-author of ntlmrelayx and contributor to several other open source tools and libraries. After discovering that breaking stuff is a lot of fun he never looked back at his freelance web developer days, but is still thankful for the knowledge and experience that those days provided him.

Twitter: @_dirkjan
Website: dirkjanm.io



AVV - Bally's Event Center - Sunday - 10:00-10:30


Ideas whose time has come: CVD, SBOM, and SOTA

Speakers – Katie and Art

Synopsis

From origins in general purpose computing, Coordinated Vulnerability Disclosure (CVD), Software Bill Of Materials (SBOM), and Secure Over-The-Air (SOTA) updates have been implemented or considered in safety sectors including industrial control systems, medical devices, and ground transportation. These common software security practices are becoming widespread global norms, turning up in public policy, international standards, and national law (often in sector-specific safety regulation).

About the Speakers

Art Manion is the Vulnerability Analysis Technical Manager at the CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University. He coordinates vulnerability disclosures and says things like “Don’t Use IE,” “Replace CPU hardware,” and “CVSS is inadequate.”



AVV - Bally's Event Center - Sunday - 11:00-11:30


In The Air And On The Air: Aviation Radio Systems

Speaker – ExplodingLemur aka Nick (@explodinglemur)

Synopsis

Both general aviation and commercial aircraft rely on a wide variety of radio systems for navigation as well as communications and data telemetry.  Learn about all the RF system dependencies to worry about the next time you’re flying the friendly skies.

About the Speaker

Nick is a security engineer with 25 years of experience in Linux system administration, networking, and infrastructure security.  He has been an amateur radio operator for 20 years and currently holds an extra-class license. He enjoys tinkering with electronics and monitoring all the radio signals he can, and can never have enough SDR peripherals or test instruments.



LPV - Bally's - Platinum II Ballroom - Sunday - 10:15-10:45


Title:
Intro to Lockpicking

Presented By
TOOOL

Abstract
New to lock picking? Haven't picked in a year and need a refresher? Don't know a half-diamond from a turner? This talk is for you! Join one of our knowledgeable village volunteers as we walk you through the very basics of lock picking, from how to hold your tools to the theory behind the technique that makes lock picking possible.


LPV - Bally's - Platinum II Ballroom - Sunday - 12:00-12:30


Title:
Intro to Lockpicking

Presented By
TOOOL

Abstract
New to lock picking? Haven't picked in a year and need a refresher? Don't know a half-diamond from a turner? This talk is for you! Join one of our knowledgeable village volunteers as we walk you through the very basics of lock picking, from how to hold your tools to the theory behind the technique that makes lock picking possible.


CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Sunday - 13:00-13:59


Title:
Ironically, iOS robocall-blocking apps are violating your privacy - Dan Hastings (NOT RECORDED)

ABSTRACT
Have you been getting a ton of spam calls recently? If so, it's possible that you've tried one of the many apps that exist specifically to help block robocalls. I have, and I started to wonder what data these spam-blocking apps collect and where they send it. Wouldn't it be ironic if these apps sent your phone number out or didn't protect your privacy, but rather their own? I inspected the most popular robocall apps from the App Store to see if they truly cared about your privacy. After reading pages of privacy policies (so you don't have to), I found some interesting things, like phone numbers being sent to at least three different analytics companies, privacy policies being breached in numerous ways, and user data being sent out prior to users accepting the terms of the app's privacy policy. I'll also share my approach in analyzing these apps and give insight into how to inspect iOS apps for yourself to look for privacy leaks.

BIO
Dan Hastings is a Security Consultant at NCC Group. He has a background in education in the capacity of tech instructor teaching at Year Up and Abaarso School in Abaarso, Somaliland. In his free time you can find him surfing, playing music or reading privacy policies.


VMV - Planet Hollywood - Melrose 4 Room - Sunday - 12:00-13:00


Title:
Keynote Remarks: Representative Eric Swalwell (CA-15)

No description available

RGV - Flamingo - 3rd Floor - Carson City II - Sunday - 13:00-13:59


Title:
Lockpicking "Extras"

Not a how-to, Jared Dygert will cover things like pick concealment, creating your own picks, alternatives to traditional lockpicks (found or improvised picks), what different picks are best for, and more. Jared is an avid lock enthusiast, rock climber, and gamer. He's been picking locks ever since he was a kid and has no intention of stopping.

SKY - Bally's Jubilee Tower - 2nd Floor - Jubilee Ballroom - Sunday - 13:00-13:59


Lotta Years

August 11, 2019    13:00 - 14:00
Bally's, Jubilee Tower - Pacific BR - 2nd Floor

Pyr0
Liz Borden

A forum of old hackers talking about lessons learned, adventures had, and prophecies of the future.



DC - Paris - Track 2 - Sunday - 12:00-12:45


Malproxying: Leave Your Malware at Home

Sunday at 12:00 in Track 2
45 minutes | Demo, Tool

Hila Cohen Security Researcher, XM Cyber

Amit Waisel Senior Technical Leader, XM Cyber

During a classic cyber attack, one of the major offensive goals is to execute code remotely on valuable machines. The purpose of that code varies on the spectrum from information extraction to physical damage. As defenders, our goal is to detect and eliminate any malicious code activity, while hackers continuously find ways to bypass the most advanced detection mechanisms. It’s an endless cat-and-mouse game where new mitigations and features are continuously added to the endpoint protection solutions and even the OS itself in order to protect the users against newly discovered attack techniques. In this talk, we present a new approach for malicious code to bypass most endpoint protection measures. Our approach covertly proxies the malicious code operations over the network, never deploying the actual malicious code on the victim side. We are going to execute code on an endpoint, without really storing the code on disk or loading it to memory. This technique potentially allows attackers to run malicious code on remote victims, in such a way that the code is undetected by the victim’s security solutions. We denote this technique as “malproxying”.

Hila Cohen
Hila Cohen is a passionate Security Researcher at XM Cyber, where she investigates new attack techniques and develops detection and mitigation capabilities. Hila has a vast knowledge in the fields of malware analysis, reverse engineering and incident response.

Amit Waisel
Amit Waisel is a Senior Technical Leader at XM Cyber. He is a seasoned data security expert with vast experience in cyber offensive projects. Prior to XM Cyber, Amit filled multiple data security positions in the Israeli intelligence community. Amit is well experienced with malware detection and analysis techniques, operating system internals and security-oriented software development. He graduated with honors from Tel Aviv University with a MSc. in Computer Science.



MOV - Bally's - Resort (Indigo) Tower 26th Floor - Skyview 4 - end of - Sunday - 10:00-10:45


10:00-10:45

MimbleWimble, a Story of Blockchain Privacy

Gus Clarke and Leland Lee, Tari

Here we explore Mimblewimble, a blockchain construction for private transactions. How does it function and how do the three implementations in the wild differ?



RCV - Planet Hollywood - Celebrity 5 Ballroom - Sunday - 10:25-10:59


LIVE TOOL DEMO

Mining for Gold: A Framework for Accessing Pastebin’s Hidden Treasures

1025 - 1100



CLV - Flamingo 3rd Floor - Reno I Room - Sunday - 10:00-10:45


Speaker: Cheryl Biswas

Twitter: @3ncr1pt3d

Abstract: Cloud. It's the land of opportunity. Enterprises are doing mass migrations from older and legacy systems to harness greater power and efficiency from innovative new tech. Following that money trail are opportunistic attackers, seeking the computing strength and near-invisibility afforded by enterprise cloud environments to mine bitcoin. Cryptominers are everywhere. And yes, Virginia, they are in the Cloud.
These nebulous power-rich realms let attackers set up mining rigs to feast on enterprise resources, while flying below the detection of cloud or conventional security resources. The concern here is that once attackers gain access to our networks, they can pivot and move laterally, to find even greater reward in the vast amounts of data available.
Let's talk about what we do and don't know when it comes to securing our cloud environments against malicious miners. Because it isn't just a question of what they can take – it's about the payloads they can leave behind.
Introduction: (5 min)
• Enterprise and Cloud: If you work for a major organization, you're probably undergoing or have just gone through a major migration to the Cloud. This is the big push according to a recent Gartner report, with 37% of enterprises reporting it as their top priority, and ranking at 39% for CIOs, ahead of cybersecurity (why are we not surprised).
• An Evolution of Evil: the rise of miners. Easy to get into. Low bar for entry. Starter toolkits cost $30 online. Cryptojacking increased by 4000% in 2018.
• Major miners like XMRig
• Main attack vectors: brute force credentials for access; leverage multiple vulnerabilities for access and movement internally.
• Motivation: almost 100% return on investment. No overhead
Miners in the Sky: (5 min)
• Why it's expected to continue
o The return on investment is lucrative in terms of computing power
o Lack of detection
• Most organizations don't have mature cloud security programs. By design, yes, in reality – not so much. Cloud has huge amounts of processing power with built-in auto-scaling
• attackers can operate with almost no detection
• The bigger the account, the longer attackers can go
• Enterprises are migrating to the Cloud. We love our containers: Docker, AWS, Azure.
Charting the rise of malicious miners in cloud environments by attacks: (10 min)
Overview of what we're seeing:
• attacks on containers and container management
• control panel exploitation
• theft of APIs
• spreading malicious Docker images
• leveraging current and older enterprise vulnerabilities
• EternalBlue
Let's Start Here: The attack on Tesla's AWS S3 public cloud in February 2018. Researchers at RedLock found mining malware from a wide-spread, well-concealed cryptomining campaign in Tesla's AWS cloud. RedLock found it when they scanned public internet for misconfigured and unsecured cloud servers – there's been a few of those. They saw an open server. Further investigation revealed it was running Kubernetes, the open source admin console for cloud application mgmt., which was doing cryptomining. The Kubernetes console was not password protected. The attackers found login credentials for Tesla's AWS in one of the pods. They went from there to deploy malware scripts for Stratum bitcoin mining.
Abusing exposed Docker APIs: Hundreds of vulnerable and exposed Docker hosts were abused in cryptojacking campaigns in March this year. Attackers exploited CVE-2019-5736, a runc vulnerability identified in February, that could trigger a container escape. Now, that kind of defeats the whole purpose of having a container when it means the attacker can access the host filesystem and overwrite the runc binary to run arbitrary commands on the host. Attackers scan for exposed Docker APIs on port 2375. They deployed malicious self-propagating Docker images infected with malware to load Monero miners and find other vulnerable targets via Shodan. External access to API ports will enable attackers to gain ownership of the host. They can tamper with instances running inside, drop malware, access user's servers and resources. Discussion point: Misconfiguration is prevalent – why? How can we help users do this better?
Uninstalling Cloud Security: A new cryptomining malware family that targets Linux servers gained admin rights on systems by uninstalling cloud security products. We'll talk about the Chinese-language threat actor behind this and other attacks, Rocke group. Consider how nation-state adversaries and advanced persistent threats (APTs) could seek to leverage this kind of attack in sophisticated campaigns.
Discussion point: We've seen conventional malware evade and disable existing AV. If we can't detect it, how do we protect against it? How are we extending this to malware targeting Cloud?
Targeting Elasticsearch servers: in the "Cryptosink" campaign, attackers exploit a five year old vulnerability that could lead to executing arbitrary Java code, CVE-2014-3120, that affects Elasticsearch running on both Windows and Linux platforms. They download malware that has not been detected by AV on Linux. The attackers backdoor the servers for future access, eliminate competitors on the infected system by redirecting their mining pool traffic to a sinkhole, and achieve persistence by replacing the Linux remove command.
What else could be at risk: Abusing instance metadata API. This functionality is offered by all cloud providers. If it isn't secured or monitored well, an attacker can exploit it via vulnerable reverse proxies or malicious Docker images.
What could this lead to: Once attackers are in your network, they aren't limited to just mining Monero. They have access to all your data-rich environments. If the attacker is looking for satisfaction that money can't buy, yes they can deliver a very damaging payload with ransomware or worse. Think NotPetya.
Review of Vulnerabilities & Exploits: (5 min)
• Misconfiguration: security researchers and attackers are actively seeking and finding many exposed and unsecured instances online. Human error is at the brunt of things, but Cloud isn't traditional infrastructure. It's a complex, dynamic network that requires specialized knowledge and training to do configuration right.
• EternalBlue: believe it. There are still plenty of unpatched instances out there and attackers continue to leverage this exploit to gain access, spread and move laterally within networks
• Oracle WebLogic vulnerability CVE-2019-2725: There have been a series of critical vulnerabilities in this popular enterprise software
• Remote code execution: Miners have been using a group of vulnerabilities for RCE as initial access and more
o CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities.
o CVE-2010-1871: JBoss Seam Framework
o JBoss AS 3/4/5/6: CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
o CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
o Hadoop YARN ResourceManager - Command Execution
o CVE-2016-3088: Apache ActiveMQ Fileserver File Upload
• PSMiner targets known vulnerabilities in Elasticsearch, Hadoop, PHP, Oracle WebLogic
• Fake certificates: attackers increasingly use this to evade detection and infiltrate conventional systems. How can we apply what we're learning to protect in the Cloud?
What we can do: (5 min)
• Countermeasures:
o rotate access keys
o restrict outbound traffic
o cryptojacking blockers for Web browsers
• Monitoring user behavior
• Follow the principle of least privilege when issuing credentials
• EternalBlue is still actively leveraged against vulnerable systems. Think third party compromise
• Visibility. Be able to see down to the process level.
• Micro-segmentation to control lateral movement and spread
• Apply, monitor and enforce best practices
• Resources like Yara rules to detect miners (will make available)
• Unusual deletions or spinning up containers
• IoCs
Conclusion and Q&A

About Cheryl: Cheryl Biswas, aka 3ncr1pt3d, is a Strategic Threat Intel Analyst with a major bank in Toronto, Canada. Cheryl has experience with security audits and assessments, privacy, DRP, project management, vendor management and change management. She has an ITIL certification and a degree in Political Science. She is actively involved in the security community as a speaker and a volunteer at conferences and encourages women and diversity in Infosec as a founding member of "The Diana Initiative".



ASV - Flamingo 3rd Floor - Mesquite Room - Sunday - 16:00-16:59


16:00-17:00

Networking & Challenges



BHV - Planet Hollywood - Melrose 1-3 Rooms - Sunday - 10:00-10:15


10:00 AM: Opening Words
Welcome to the Biohacking Village!


DC - Paris - Track 3 - Sunday - 13:00-13:45


Owning The Cloud Through Server-Side Request Forgery

Sunday at 13:00 in Track 3
45 minutes | Demo, Tool

Ben Sadeghipour Nahamsec

Cody Brocious (Daeken)

With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Ben Sadeghipour
Ben is the Hacker Operations Lead at HackerOne by day, and a hacker by night. He has helped identify and exploit over 500 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense, Yelp, and more. He also invested time in the security community, by creating a community of 200+ active hackers who share ideas and their experiences. He has also held free workshops and trainings to teach others about security and web application hacking.

Twitter: @nahamsec
Website: nahamsec.com

Cody Brocious (Daeken)
Cody is the Head of Hacker Education at HackerOne where he dedicates his time to teaching hackers to be more effective and empowered. A reverse engineer and software developer with well over a decade of experience. Cody is also the lead instructor for Hacker101, a free course for web security.

Twitter: @daeken
Website: daeken.svbtle.com



DL - Planet Hollywood - Sunset 6 - Sunday - 10:00 - 11:50


QiLing

Sunday from 10:00 – 11:50 in Sunset 6 at Planet Hollywood
Audience: Reverse Engineers, Hardware (IoT) Hackers

KaiJern, Lau & Dr. Nguyen Anh Quynh

QiLing is a cross-platform and multi-architecture binary emulator. It will also be able to do the following:

To execute binary applications for (Windows, Mac, Linux, Android, iOS, etc) and CPU architectures (Intel, Arm, AArch64 and Mips).
To be executed on multiple platforms: Windows, MacOS, Linux, BSD. Sandbox analysis, so potential malicious activities are under control.
Provide Python instrumentation framework, so users can build add-on plugins to customize runtime analysis.
Analyze & report the code execution in friendly and fully customizable high-level format.

Besides working as an independent tool, QiLing also provides plugins for disassemblers such as Ghidra & IDA Pro. QiLing is designed to be a lightweight and pluginable emulator. To handle real binaries reasonably, it should be fast, and offer instrumentation capability for users to build customized analysis.

- Able to handle hardware emulation
- Dynamically patch binary during execution in order to redirect execution flow to bypass non-critical checks.
- Handle full binary emulation, not just raw code without context. To achieve this, emulate some parts of OS (such as syscalls, system libraries and part of kernel).
- Enable user-customized analysis via a Python framework.

QiLing is an open-source project.

KaiJern, Lau
KaiJern (xwings) is Lab Director of The ShepherdLab, of JD Security by JD.COM. He has presented his findings at different international security conferences like HITB, Codegate, QCon, KCon, Brucon, H2HC, a few different Defcon groups, etc. He has also conducted hardware hacking courses in various places around the globe.

Dr. Nguyen Anh Quynh
Dr. Nguyen Anh Quynh is a regular speaker at various industrial cybersecurity conferences such as Blackhat USA/Europe/Asia, Defcon, Deepsec, XCon, Hitcon, Brucon, Zeronights, Tensec, H2HC, etc. He has also presented his research in academic venues such as Usenix, IEEE, ACM, LNCS. Dr. Nguyen is also the founder and maintainer of Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) & Keystone (http://keystone-engine.org).



BCV - Flamingo 3rd Floor - Laughlin III Room - Sunday - 11:05-11:30


Reflections on Blockchain Security

No description available



DL - Planet Hollywood - Sunset 5 - Sunday - 10:00 - 11:50


Rhodiola

Sunday from 10:00 – 11:50 in Sunset 5 at Planet Hollywood
Audience: Offense

Utku Sen

Adversaries need to have a wordlist or combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named “mask attack” where the attacker needs to assume a password’s structure. Even if it narrows the combination pool significantly, it’s still too large to use for online attacks or offline attacks with low hardware resources. In the real world, a password’s structure is an unknown value, just like the password itself. Even if we specify a password structure with masks, we are still brute forcing characters in the mask. When we analyzed the Ashley Madison and Myspace wordlists, we saw that they mostly consist of sequential alpha characters, which means that there is a high probability that they are meaningful words. Our research shows that 30% of the Ashley Madison wordlist and 36% of the Myspace wordlist contain meaningful English words. The Rhodiola tool is developed to narrow the combination pool by creating a personalized wordlist for target people. It finds interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist. The wordlist consists of most used nouns & proper nouns, paired nouns & proper nouns, cities and years related to detected proper nouns.

Utku Sen
Utku Sen is a security researcher who is mostly focused on application security, network security and tool development. He has presented his different tools and research at Black Hat USA Arsenal, DEF CON Demo Labs and Packet Hacking Village in recent years. He was also nominated for the Pwnie Awards in the "Best Backdoor" category in 2016. He is currently working for Tear Security.



DC - Paris - Track 4 - Sunday - 11:00-11:45


Say Cheese - How I Ransomwared Your DSLR Camera

Sunday at 11:00 in Track 4
45 minutes | Demo, Exploit

Eyal Itkin Vulnerability Researcher at Check Point Software Technologies

It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are encrypted, and the camera is locked. How could that happen? In this talk, we show a live demo of this exact scenario. Join us as we take a deep dive into the world of the Picture Transfer Protocol (PTP). The same protocol that allows you to control your camera from your phone or computer, can also enable any attacker to do that and more. We will describe in detail how we found multiple vulnerabilities in the protocol and how we exploited them remotely(!) to take over this embedded device. But it doesn't end here. While digging into our camera, we found a reliable way to take over most of the DSLR cameras without exploiting any vulnerability at all. We simply had to ask our camera to do that for us, and it worked.

This is the first vulnerability research on the Picture Transfer Protocol, a vendor agnostic logical layer that is common to all modern-day cameras. As DSLR cameras are used by consumers and journalists alike, this opens up the door for future research on these sensitive embedded devices.

Eyal Itkin
Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research, that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.

Twitter: @EyalItkin



DC - Paris - Track 2 - Sunday - 11:00-11:45


SDR Against Smart TVs: URL and Channel Injection Attacks

Sunday at 11:00 in Track 2
45 minutes | Demo, Tool

Pedro Cabrera Camara Founder, Ethon Shield

Software-defined-radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: Smart TV. This presentation will show in detail the HbbTV platform of Smart TV, to understand and demonstrate two attacks on these televisions using low cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

Pedro Cabrera Camara
Industrial and Electronics Engineer, Pedro is an enthusiast of Software Defined Radio and UAVs, who has worked for 12 years in the main Spanish telecommunications operators, conducting security audits and pentesting in mobile and fixed networks. In addition to working with telecommunications operators, Pedro leads open source projects such as intrusion detection systems for GSM, UMTS and LTE networks, which has led him to study the various fake station attacks and existing solutions. In recent years he has participated in security events in the United States (RSA, CyberSpectrum, DEF CON DemoLabs), Asia (BlackHat Trainings) and Europe (Rootedcon, Euskalhack, AlligatorCON).

Twitter: @PcabreraCamara
Website: http://www.fakebts.com



VMV - Planet Hollywood - Melrose 4 Room - Sunday - 11:30-11:59


Title:
Securing Your Election Infrastructure: Plan and Prepare to Defend Your Election Systems, People, and Processes

11:30 AM Securing Your Election Infrastructure: Plan and Prepare to Defend Your Election Systems, People, and Processes
Robert Anderson, Chief Cyber Security Practitioner and President, Preying Mantis


CPV - Planet Hollywood - Celebrity 1,2 Ballrooms - Sunday - 12:00-12:59


Title:
Security and privacy of dating apps - Alex Lomas and Alan Monie (NOT RECORDED)

ABSTRACT
In 2015 research [1] found that Grindr (a predominantly gay dating app) could be used to precisely locate its users. We wondered whether the online dating industry had learnt from this previous vulnerability and made things safer for their users.
We've found that in many cases dating apps, including Grindr, are still leaking the precise locations of their users. Whilst online dating has become more acceptable over the years, some of these apps are used by the BDSM and fetish communities, and LGBT+ users in countries with poor human rights records.
Location and identification of LGBT+ users in particular presents a threat to their jobs and personal safety, but even in more acceptable use cases, de-anonymization of users could be used to target military personnel or to stalk individuals [2][3].
We talk about some of the basics of testing to identify these flaws and present a tool that brings together several of these apps into one mapping interface for the first time to illustrate how dangerous this information leakage could be and propose solutions for the industry to enact.
[1] https://roygbiv.jezebel.com/tracking-guys-via-grindr-is-really-easy-and-grindr-doe-1681615224
[2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20080210/mfeltz.pdf
[3] https://securelist.com/dangerous-liaisons/82803/


BIO
Alex has worked for internet service providers and public-sector security blue teams before joining Pen Test Partners (PTP) in 2017. His background in designing and implementing secure networks and applications for hostile environments therefore allows him to understand and communicate the inherent trade-offs in security versus usability.

At PTP, Alex has undertaken penetration testing of systems as diverse as banking and critical national infrastructure, bringing his skills as a qualified pilot and aeronautical engineer to testing of the aviation sector.

Alan has many years' experience in the IT industry, including working for the Defence Evaluation and Research Agency, and other government agencies.

Alan has world-class skills in both Application and Infrastructure testing and often identifies 0-days in products from hard disk encryption software to on-line collaboration tools.


 

DC - Paris - Track 2 - Sunday - 13:00-13:45


Sound Effects: Exploring Acoustic Cyber-weapons

Sunday at 13:00 in Track 2
45 minutes | Tool

Matt Wixey, Cyber Security Research Lead, PwC UK

While recent research has explored the capability of attacks to cause harm by targeting devices (e.g., SCADA systems, vehicles, medical implant devices), little consideration has been given to the concept of attacks affecting psychological and physiological health by targeting humans themselves.

In a first-of-its-kind study, we assessed the capability of several consumer devices to produce sound at high and low frequencies which may be imperceptible to many people, as a result of remote and local attacks, and compared the resulting sound levels to maximum recommended levels. In doing so, we tested their viability as localised acoustic weapons which could cause temporary/permanent hearing damage and/or adverse psychological effects. We examined a number of countermeasures, including a tool to detect specified frequencies above specified thresholds.

In this talk, I will cover the background of malware which has, intentionally or not, caused physical or psychological harm. I will explore previous research on the harmful effects of sound, focusing particularly on high and low frequencies, and some of the guidance which has been proposed to limit exposure to such sound. I will examine the use of imperceptible sound as applied to security research (covert channels, ultrasonic tracking beacons, etc), and will present our experiments and findings, including threat models, methodology, the attacks we developed, and the implications of our results. Finally, I will suggest a number of countermeasures and outline some possible areas for future research.

Matt Wixey
Matt is a PhD candidate at the Dawes Centre for Future Crimes, University College London, and leads technical research for the PwC Cyber Security practice in the UK. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

Twitter: @darkartlab



 

RTV - Flamingo 3rd Floor - Laughlin I,II Rooms - Sunday - 09:00-09:59


State of Red Team Services Roundtable

Wesley McGrew, Director of Cyber Operations at HORNE Cyber, leads a panel discussion, taking a frank look at the state of offense-oriented services, such as penetration tests and red team engagements. The goal is to look at the current state of offense-oriented services, and discuss what it will take for the discipline to mature and adapt.

Among the topics open for discussion:
- Terminology
- Trends in penetration testing and red teaming
- Managing large scale engagements
- Tradecraft
- Client interactions
- Effective reporting

Dr. McGrew will present questions to a panel of red team professionals, and chime in with his outlook as well. Questions for the panel will also be solicited from the audience.
The panel will try to address the issues faced by experienced red team and related service professionals, and those that manage the engagements. Those getting started in this field are encouraged to attend in order to see the evolving structure of this industry, beyond entry-level jobs.

About Dr. Wesley McGrew: As Director of Cyber Operations at HORNE Cyber, Wesley McGrew oversees and participates in offense-oriented services for clients in many areas, including finance, healthcare, manufacturing, and national critical infrastructure. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.

Twitter: @McGrewSecurity



 

HTS - Bally's Event Center - Sunday - 11:30-11:59