Talk/Event Schedule

Friday

Friday - 05:00 PDT

Friday - 06:00 PDT

Friday - 07:00 PDT

Friday - 08:00 PDT

Friday - 09:00 PDT

Friday - 10:00 PDT

Friday - 11:00 PDT

Friday - 12:00 PDT

Friday - 13:00 PDT

Friday - 14:00 PDT

Friday - 15:00 PDT

Friday - 16:00 PDT

Friday - 17:00 PDT

Friday - 18:00 PDT

Friday - 19:00 PDT

Friday - 20:00 PDT

Friday - 21:00 PDT

Friday - 22:00 PDT

Friday - 23:00 PDT

Talk/Event Descriptions

CON - Friday - 10:00-17:59 PDT

In-Person Contest Friday and Saturday: 10:00-18:00; Sunday: 10:00-12:00

The Return of ? Cube

? Cube returns, weaving a tale that transcends the ordinary. This year, engagement is not just a theme—it's a journey through the multidimensional realms of hacking. Progressive Puzzles: Unlock the secrets of each compartment as you journey through progressively harder puzzles. From the Front's gentle introduction to the Top's formidable challenges, the Cube invites you to engage with the spectrum of cybersecurity domains. Physical Entry Unleashed: In a bold evolution, physical entry becomes a key component. Navigate the tangible aspects of physical entry, decoding not only in the digital realm but also as you immerse yourself physically in the enigmatic sides of ? Cube. Cryptic Narratives: As each compartment unfolds, the narrative of engagement takes shape. The puzzles, touching on encryption, penetration testing, and beyond. Silent Intricacies: Engage not only with the puzzles but also with the silent intricacies woven into the physical challenges. Decrypt messages, decipher patterns, and embrace the essence of Defcon as you navigate the unseen and the tangible. Embark on the Engage Journey: ? Cube calls upon the curious and the bold. Embark on a journey where the puzzles transcend the digital divide, demanding both mental acuity and physical prowess. H4QEG5LCMUQEAICEMVTGG33OEAZTEICSMVQWI6JAORXSAZLOM5QWOZJ7

BICV - Friday - 14:00-14:59 PDT

One of the best ways to learn something is to teach others about it. BYOCTF is a CTF framework (really a concept) that allows CTF players to contribute challenges for other players to solve and earn points as a reward. The purpose of the framework is to allow people to think about the learning experience of others. Everyone can learn how to become a CTF challenge developer.

I'm a hacker person that sometimes does cool things. Hacker, husband, and father of 4 (2 human, 2 dogs). Veteran and occasional entrepreneur. I have worked in automation, security, development, infrastructure orchestration, training, network and software administration, and support. Full-stack IT FTW. Currently, I work as a penetration tester for a shipping and logistics firm. Previously, I worked as a trainer on behalf of the Arkansas Dept. of Education where taught both Cybersecurity and Computer Science concepts to public school teachers all across Arkansas (under previous governor, not the current one.). See more about that here.

Remember kids, hacking is more than the bad actions of bad actors.

CON - Friday - 10:00-17:59 PDT

The AutoDriving CTF contest focuses on the emerging security challenges in autonomous driving systems. Various levels of self-driving functionalities, such as AI-powered perception, sensor fusion and route planning, are entering the product portfolio of automobile companies. From the security perspective, these AI-powered components not only contain common security problems such as memory safety bugs, but also introduce new threats such as physical adversarial attacks and sensor manipulations. Two popular examples of physical adversarial attacks are camouflage stickers that interfere with vehicle detection systems, and road graffitis that disturb lane keeping systems. The AI-powered navigation and control relies on the fusion of multiple sensor inputs, and many of the sensor inputs can be manipulated by malicious attackers. These manipulations combined with logical bugs in autonomous driving systems pose severe threats to road safety.

We design autonomous driving CTF (AutoDriving CTF) contests around the security challenges specific to these self-driving functions and components.

The goals of the AutoDriving CTF are the followings:

• Demonstrate security implications of autonomous driving system design decisions through hands-on challenges, increase the awareness of potential risks in security professionals, and encourage them to propose defense solutions and tools to detect such risks.
• Provide CTF challenges that allow players to learn attack and defense practices related to autonomous driving in a well-controlled, repeatable, and visible environment.
• Build a set of vulnerable autonomous driving components that can be used for security research and defense evaluation.

The contest is based on a Jeopardy style of CTF game with a set of independent challenges. A typical contest challenge includes a backend that runs autonomous driving components in simulated or real environments, and a frontend that interacts with the players. This year's contest will follow the style of last year and includes the following types of challenges:

• “attack”: such as constructing adversarial patches and spoofing fake sensor inputs,
• “forensics”: such as investigating a security incident related to autonomous driving,
• “detection”: such as detecting spoofed sensor inputs and fake obstacles,
• “crashme on road!”: such as creating dangerous traffic scenarios to expose logical errors in autonomous driving systems.
• “smart planner”: such as creating intelligent path planners for dangerous tasks that are difficult for human drivers

Most of these challenges will be developed using game-engine based autonomous driving simulators, such as CARLA and SVL. The following link contains some challenge videos, summaries from AutoDriving CTF at DEF CON 29 and DEF CON 30 https://drive.google.com/drive/folders/1JSVarIaQBmseLC9XqkfrxnRQto4WM225?usp=sharing https://www.youtube.com/channel/UCPPsKbVpxwk-464KIzr8xKw

What's new in 2024

This year, we will unlock new traffic conflict scenarios that are observed from real-world driving logs such as Jaywalk and double parked vehicles. New difficulty levels will be added to challenges in such scenarios by integrating real downstream AI modules such as object tracking from open-source autonomous driving software like Apollo, Autoware and OpenPilot.

In order to enable the audience to experience the challenges more directly, we plan to set up a vehicle wheel controller on site and provide a driving game this year. Audiences can drive themselves to compete with the self-driving vehicle in some of the challenges. Driving game demo: https://drive.google.com/drive/folders/1LIzJJ1I3Eqj_e0_ntX5eFu82U9ObiEYB?usp=sharing

For players

• What do players need to do to participate AutoDriving CTF? Most of the challenges do not require domain knowledge of autonomous driving software or adversarial machine learning, although knowledge of those helps. For example, the players can generate images the way they like (e.g., drawing, photoshopping) to fool the AI-components or write a short python script to control the vehicle. Some challenges, such as incident forensics likely would require players to learn domain knowledge such as sensor information format and how fusion works.

• What do we expect players to learn through the CTF event? Players can (1) gain a deep understanding of real-world autonomous driving systems' design, implementation, and their corresponding security properties and characteristics; and (2) learn the attack and defense practices related to autonomous driving in a well-controlled, repeatable, visible, and engaging environment.

CON - Friday - 10:00-17:59 PDT

The AutoDriving CTF contest focuses on the emerging security challenges in autonomous driving systems. Various levels of self-driving functionalities, such as AI-powered perception, sensor fusion and route planning, are entering the product portfolio of automobile companies. From the security perspective, these AI-powered components not only contain common security problems such as memory safety bugs, but also introduce new threats such as physical adversarial attacks and sensor manipulations. Two popular examples of physical adversarial attacks are camouflage stickers that interfere with vehicle detection systems, and road graffitis that disturb lane keeping systems. The AI-powered navigation and control relies on the fusion of multiple sensor inputs, and many of the sensor inputs can be manipulated by malicious attackers. These manipulations combined with logical bugs in autonomous driving systems pose severe threats to road safety.

We design autonomous driving CTF (AutoDriving CTF) contests around the security challenges specific to these self-driving functions and components.

The goals of the AutoDriving CTF are the followings:

• Demonstrate security implications of autonomous driving system design decisions through hands-on challenges, increase the awareness of potential risks in security professionals, and encourage them to propose defense solutions and tools to detect such risks.
• Provide CTF challenges that allow players to learn attack and defense practices related to autonomous driving in a well-controlled, repeatable, and visible environment.
• Build a set of vulnerable autonomous driving components that can be used for security research and defense evaluation.

The contest is based on a Jeopardy style of CTF game with a set of independent challenges. A typical contest challenge includes a backend that runs autonomous driving components in simulated or real environments, and a frontend that interacts with the players. This year's contest will follow the style of last year and includes the following types of challenges:

• “attack”: such as constructing adversarial patches and spoofing fake sensor inputs,
• “forensics”: such as investigating a security incident related to autonomous driving,
• “detection”: such as detecting spoofed sensor inputs and fake obstacles,
• “crashme on road!”: such as creating dangerous traffic scenarios to expose logical errors in autonomous driving systems.
• “smart planner”: such as creating intelligent path planners for dangerous tasks that are difficult for human drivers

Most of these challenges will be developed using game-engine based autonomous driving simulators, such as CARLA and SVL. The following link contains some challenge videos, summaries from AutoDriving CTF at DEF CON 29 and DEF CON 30 https://drive.google.com/drive/folders/1JSVarIaQBmseLC9XqkfrxnRQto4WM225?usp=sharing https://www.youtube.com/channel/UCPPsKbVpxwk-464KIzr8xKw

What's new in 2024

This year, we will unlock new traffic conflict scenarios that are observed from real-world driving logs such as Jaywalk and double parked vehicles. New difficulty levels will be added to challenges in such scenarios by integrating real downstream AI modules such as object tracking from open-source autonomous driving software like Apollo, Autoware and OpenPilot.

In order to enable the audience to experience the challenges more directly, we plan to set up a vehicle wheel controller on site and provide a driving game this year. Audiences can drive themselves to compete with the self-driving vehicle in some of the challenges. Driving game demo: https://drive.google.com/drive/folders/1LIzJJ1I3Eqj_e0_ntX5eFu82U9ObiEYB?usp=sharing

For players

• What do players need to do to participate AutoDriving CTF? Most of the challenges do not require domain knowledge of autonomous driving software or adversarial machine learning, although knowledge of those helps. For example, the players can generate images the way they like (e.g., drawing, photoshopping) to fool the AI-components or write a short python script to control the vehicle. Some challenges, such as incident forensics likely would require players to learn domain knowledge such as sensor information format and how fusion works.

• What do we expect players to learn through the CTF event? Players can (1) gain a deep understanding of real-world autonomous driving systems' design, implementation, and their corresponding security properties and characteristics; and (2) learn the attack and defense practices related to autonomous driving in a well-controlled, repeatable, visible, and engaging environment.

ESV - Friday - 10:00-17:59 PDT

This series of self-guided labs will introduce even the most novice hacker to the world of embedded device firmware and software exploitation. First-come first-served, don't miss a chance try out these labs and get started with embedded device hacking.

ESV - Friday - 10:00-17:59 PDT

If you've never popped open an embedded device and tried to get a simple shell, this is the lab for you. This is a first-come first-served workshop where you can walk through the step by step instructions to finding and connecting to a debug interface on an embedded device.

TCV - Friday - 11:00-13:59 PDT

The "5G Security Infrastructure" workshop at DEFCON begins with an overview of 5G infrastructure security. Module 1 covers 5G security architecture, RAN architecture, deployment models, critical components, and assessment methods. Module 2 examines new 5G protocols and their security impacts, including SBA, HTTP2, JSON API, N32 interface, PFCP, and SEPP. Module 3 explores network access security, SIM card security, 5G AKA, SUPI, and SUCI. Module 4 presents a 5G threat case study, with hands-on activities in UE & PT configuration, RAN security, and API testing

Akib, Founder and Director of Matrix Shell Technologies, has over 12 years of experience in Telecom Security. He has served diverse telecom operators across India, Africa, and the Middle East, specializing in signaling protocols and technologies like GSM, UMTS, LTE, 5G, and VoLTE. He has led numerous penetration testing projects, disclosed a GSM vulnerability in 2012, and worked with various open-source telecom platforms. Akib has also delivered training at Black Hat and DEFCON, contributing significantly to the cybersecurity community. His education includes a Bachelor's in Engineering (CSE) and certifications in ISO 17025:2017 and 5G.

CON - Friday - 10:00-17:59 PDT

AND!XOR creates electronic badges filled with hacker challenges. We love doing this, especially coming up with unique ways for hackers to earn them. Introducing the newest member of our hacker-fam: 5N4CK3Y (Snackey). 5N4CK3Y is a vending machine hardware hacking project from AND!XOR. We retrofitted it into an IoT CTF based badge dispensing machine, bling and all. Find a flag on our web hosted CTF platform, you get a 5N4CK3Y dispense code, punch it in, and a badge is vended to you! There are a variety of challenges to earn a badge as well others to continue working on the badge itself once obtained. These span from hardware hacking, reverse engineering, OSINT, network security, and cryptography to name a few. There's a little bit of everything, so it's a perfect way to learn something at one of the many DEF CON villages and talking with people you meet, then attempt one of the CTF challenges to dispense a badge. Hardware hacking is our passion and we want people to learn on badges, but more importantly that there's a lot to learn at DEF CON so our CTF will hopefully serve a desire to learn something new and meet new friends while trying to earn a badge and hack it further.

QTV - Friday - 12:15-12:59 PDT

This talk is aimed at non-experts and anyone who wants to stay ahead of the curve in a world where encryption rules are about to change dramatically. Whether you believe cryptographically relevant quantum computers are 10 or 100 years away, the first steps towards cryptographic agility that are being mandated within a couple of years. We'll explore the mind-bending math behind lattice-based and other exotic cryptosystems. Then, we'll get our hands dirty, dissecting real-world attacks launched against the finalists in the NIST PQC competition. Pwn the future of cryptography!

Konstantinos is the Director of Quantum Computing Services at Protiviti. He helps companies get ready for quantum opportunities and threats. He has been involved in the quantum computing industry since 2012, and in InfoSec since the 90s. He is a frequent speaker at RSA, Black Hat, Defcon, and dozens of conferences worldwide. He hosts Protiviti’s Post-Quantum World podcast and is our Venerable Village Elder here at Quantum Village.

ICSV - Friday - 12:00-12:59 PDT

Andrew is formally a ships engineer and now spends much of his time pen testing ships. Along the way he's found the weirdest ways that IT/OT segregation has been broken, often through 3rd party technology suppliers. From VDRs to ICMS to safety management systems to fire control to azipods to... you name it he's broken it.

Cruising adds another layer of complexity, bringing together customer entertainment, restaurant and billing systems. The scope for segregation errors is multiplied.

The headline of this talk is tale about a misconfigured golf simulator onboard, that led to compromise of almost the entire vessel.

Andrew leads PTP’s hardware security team. He covers all systems that aren't general purpose computers e.g. ICS, IoT, phones, cars, ships, and planes. He has considerable experience of reverse engineering, researching, and finding vulnerabilities in these systems. He’s a proficient electrical and electronics engineer, giving him great knowledge of underlying hardware and engineering.

He advises companies on building secure products. This ranges from the nitty-gritty of securing devices against physical attack, through to developing complete connected platforms that make use of defence-in-depth. He trains people on how to attack and defend hardware, with customers ranging from medical device manufacturers through to police forensics teams. Andrew has presented at DEF CON, BlackHat, hardwear.io, 44CON, multiple BSides events, and to private audiences such as the GSMA and NCSC.

RFV - Friday - 16:00-16:25 PDT

This presentation is a practical introduction into 802.11ah HaLow WiFi. It starts with a brief description of the IEEE 802.11ah standard, history, and specification and includes a short survey of currently available 802.11ah chipsets and devices. One of these, the TaiXin TXW8301 chipset, is described in detail including hardware, firmware, configuration, and software tools. The radio waveform characteristics are presented as is information in using SDRs to capture and decode the WiFi frames. The presentation concludes with a brief description of the practical uses of 802.11ah devices.

Ronald Broberg is a cyber security engineer formerly with Lockheed Martin and currently with Dark Wolf Solutions where he hacks drones, clones, and cellular phones.

Robert Van Etta has 19 years of experience in hacking embedded systems and firmware analysis. He has previously worked in USAF Cyber Defense Operations and is now a Senior Penetration Tester at Dark Wolf Solutions.

BBV - Friday - 12:15-13:45 PDT

Server-Side Request Forgery is now one of the most widely recognized and significant vulnerabilities that bug hunters should have in their arsenal. This interactive workshop covers basic exploitation of SSRF, as well as tackling more intricate vulnerabilities that involve chaining multiple exploits, a thorough comprehension of the target's infrastructure, and other advanced techniques.

Pre-Prerequisites

• Basic understanding of web application hacking
• Knowledge of Web Proxies
• Working laptop
• Working WiFi (Will not be doable without access to a working WiFi)
• Caido (BurpSuite or similar works too!)

Ben Sadeghipour, also known as NahamSec, is an ethical hacker, content creator, and keynote speaker. With a passion for cybersecurity that began in his teenage years, Ben's professional journey as a bug bounty hunter took off in 2014. He has played a role in helping organizations identify and remediate thousands of security vulnerabilities across a wide range of web and mobile applications in tech giants such as Amazon, Apple, Google, Airbnb, Snapchat, Zoom, and even the US Department of Defense. Ben helps others learn ethical hacking, bug bounty hunting, and reconnaissance techniques. He has also created training materials and content for conferences such as OWASP, DEFCON, and BSides.

ASV - Friday - 10:00-17:59 PDT

A variety of aviation infrastructure has been compromised by hackers. Immerse yourself into challenges where you are tasked as an aviation cyber defense participant to identify attacks/attackers, stop attacks, and restore normal operations. As a participant your first step is to register ahead and read the rules at: https://aisac.cyberskyline.com/events/aisac-defcon and bring your own laptop to the venue. You can participate in the virtual challenges from Friday, but the more critical in-person challenges are only available at certain times during Village open hours!

RTV - Friday - 12:00-12:50 PDT

As more scrutiny is placed on the endpoint, threat actors are turning to DevOps and CI/CD platforms for initial access, escalation, and lateral movement. This workshop will showcase how these platforms can be used to pivot from on-prem to cloud, from cloud to on-prem, and how to push malicious code through pipelines to obtain additional access or establish persistence.

Attendees will get hands-on and perform field-tested, OPSEC-conscious techniques against full CI/CD pipelines. Come add TTPs to your toolkit and see why DevOps is the target-rich environment modern adversaries are looking to exploit.

DC - Friday - 15:00-15:45 PDT

Windows Hello is touted by Microsoft as the modern de facto authentication scheme on Windows platforms, supporting authentication and encryption backed by biometrics. In a world that is quickly accelerating towards a passwordless existence, what new threats do we face in this complex landscape? We will take a deep dive into the inner working of Windows Hello. Via the release of a new tool, it will be demonstrated how an attacker on a fully compromised Windows host can leverage secrets backed by Windows Hello biometrics without needing the biometric data that protects them. We will also show how the hardware protections of Windows Hello and its accompanying Primary Refresh Tokens can be defeated, making it possible to use Windows Hello for identity persistency and PRT stealing, in some cases even without Administrator access on the host.

• link
• link
• link
• link
• link

After a 20 year career within the software development space, Ceri was looking for a new challenge and moved into pen testing back in 2019. During that time he has created and contributed to several open source offensive tools such as Rubeus, BOFNET and SweetPotato and on the odd occasion contributed to projects on the defensive side too. After speaking at DEF CON 31 for the first-time last year, he is now back for more. He currently works as a red team operator and offensive security dev at Pen Test Partners.

Dirk-jan Mollema is a hacker and researcher of Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft's Most Valuable Researchers multiple times.

PSV - Friday - 16:00-16:30 PDT

Are you looking to install or upgrade a physical access control system? Having installed, repaired and upgraded dozens of large and small access control system installations, I have found that many vendors install a minimum viable product that can leave your new system unreliable and trivial to bypass.

This session will give you the tools and knowledge you need to work with your installer to implement your system using best practices in the following areas:

• Wiring, supervision, encryption and tamper-resistance
• Choosing clone-resistant badges and securely programming badge readers
• Securing controller equipment and managing issued badges
• Maintaining the system for maximum security and uptime

As a low voltage hardware junkie, Tim has had the opportunity to design, expand, upgrade and repair numerous physical access control, alarm and video systems, including a stint at a security vendor where he was certified in Lenel access and video. Tim works today at SailPoint as a Cybersecurity Network Engineer.

APV - Friday - 13:00-14:59 PDT

Join us for an exhilarating container security CTF where you can go head-to-head with your peers. In this session, we will explore the world of container security, including image analysis, enumeration, and the most up-to-date container escape techniques. Put your skills to the test and compete for the top spot! Participants will gain valuable knowledge in container security and have the chance to win some exciting prizes. Don't miss out on this thrilling opportunity to showcase your expertise!

APV - Friday - 15:00-16:59 PDT

Join us for a revealing exploration of open-source trust and its vulnerabilities. In this captivating activity, we will delve into the fascinating world of developer credibility and the unsettling phenomenon of faking GitHub contributions. With open source becoming an integral part of software development, we find ourselves relying on strangers to provide us with code. Trust is often based on factors like the number of stars on a package or the credibility of the package’s maintainer on GitHub. However, what if I told you that all of this could be convincingly spoofed?

Tal brings over 7 years of experience to her role as a supply chain security research team lead within Checkmarx Supply Chain Security group. She is in charge of detecting tracking and stopping Opensource attacks.

Ori Ron, an experienced Application Security Researcher at Checkmarx, joined the company in 2016. With over eight years of expertise in the field, Ori specializes in identifying and mitigating security vulnerabilities in software systems. His research spans the application security aspects of many programming languages, technologies, and environments.

"Vulnerability" is part of my daily vocabulary at Checkmarx, and I never get sick of it. I dub myself a 'self-certified idiot' because I love learning and hatching ideas. So much, that I've made brainstorming a hobby and kickstarted a team initiative to keep us on the pulse of InfoSec. As a result, we have learned about CVSSv4 before it was cool.

Well, CVSSv4 isn't cool yet since it's yet to be fully adopted, but in the meantime, I've researched and come up with this talk. I wasn't given the opportunity to win a 'Best Speaker' award yet. However, I published a few blog posts for Checkmarx and am brewing many other initiatives. I'm also currently studying to pass the CEH certification. Contributing to the AppSec Village at RSAC in San Francisco last year. Check.

Beyond the keyboard, you catch me reading, writing, or practicing martial arts. As in cybersecurity, I seek constant learning.

APV - Friday - 11:00-12:59 PDT

Find the reachable one! You’ve got 18x18 inch game board, 5 cards, 5 code weaknesses, and a 5-minute sand timer, ready, set, go! You'll have 5 minutes to place the cards in the correct order and find the true positive(s). The winner? Whoever finds the solution in the shortest amount of time!

APV - Friday - 11:00-12:59 PDT

Before you can deal with secrets sprawl, you first need to understand how deep the issue of plaintext secrets can be. Improperly stored and shared secrets are a problem beyond just the top layer of code you put in production. It affects feature branches, old commits, logs, and communication and collaboration tools.

In this exercise, you will be challenged to find all the secrets and then use a special tool to quickly validate the secrets and your work. Walk away from this exercise ready to apply the lessons learned to make your organization safer in no time.

Dwayne has been working as a Developer Relations professional since 2015 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. Dwayne currently lives in Chicago. Outside of tech, he loves karaoke, live music, and performing improv.

APV - Friday - 15:00-16:59 PDT

Before you can deal with secrets sprawl, you first need to understand how deep the issue of plaintext secrets can be. Improperly stored and shared secrets are a problem beyond just the top layer of code you put in production. It affects feature branches, old commits, logs, and communication and collaboration tools.

In this exercise, you will be challenged to find all the secrets and then use a special tool to quickly validate the secrets and your work. Walk away from this exercise ready to apply the lessons learned to make your organization safer in no time.

Dwayne has been working as a Developer Relations professional since 2015 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. Dwayne currently lives in Chicago. Outside of tech, he loves karaoke, live music, and performing improv.

APV - Friday - 13:00-14:59 PDT

It's in the Cards! Pick 5 cards with random levels of difficulty. Answer questions ranging from true/false to multiple choice to spot the vulnerable code. Test your knowledge on risky deployment scenarios, rack up the points, and get to the top of the leaderboard to win!

APV - Friday - 11:00-12:59 PDT

Put your skills to the test in this challenge and try to find all the vulnerabilities in the code. We have a wide range of challenges, from easy to advanced in various languages. Can you find them all?

"Vulnerability" is part of my daily vocabulary at Checkmarx, and I never get sick of it. I dub myself a 'self-certified idiot' because I love learning and hatching ideas. So much, that I've made brainstorming a hobby and kickstarted a team initiative to keep us on the pulse of InfoSec. As a result, we have learned about CVSSv4 before it was cool.

Well, CVSSv4 isn't cool yet since it's yet to be fully adopted, but in the meantime, I've researched and come up with this talk. I wasn't given the opportunity to win a 'Best Speaker' award yet. However, I published a few blog posts for Checkmarx and am brewing many other initiatives. I'm also currently studying to pass the CEH certification. Contributing to the AppSec Village at RSAC in San Francisco last year. Check.

Beyond the keyboard, you catch me reading, writing, or practicing martial arts. As in cybersecurity, I seek constant learning.

BTV - Friday - 11:45-13:30 PDT

Are you curious about accessing and collecting triage data from Android devices? I was. This workshop is designed for the defender that doesn't know much about Android or how to access it to collect forensic triage data, but would like to understand the subject better. This workshop gives a solid foundation for accessing Android devices and collecting data from them. It will cover:

• Installing and using an Android emulator
• How does an Android emulator differ from an actual Android device
• Using the Android Debug Bridge (ADB) to send commands to Android
• Collecting triage data using ADB or natively on the Android device
• Side loading and running a Linux executable on an Android device
• Remote access to the Android native AChoirX collector over TCP
• Collecting triage data both locally and remotely
• Transferring the collected data using ADB, SFTP, and S3
• Things to look out for. Android is very different from Windows, MacOS, and Linux
• Limitations and caveats

This workshop requires Windows 10 or 11. We will install and play with Android Studio, install and play with ADB, and run AChoirX collections both remotely and locally. It is highly recommended that the student come to the workshop with Android Studio, ADB, and AChoirX already installed on their machine. We will make a small amount of time to install the software, but will not be able to troubleshoot any installation issues.

After discovering that the Android Operating System commands nearly 44% of the total Operating Systems market (Windows is about 27%). I set about to see if the AChoirX triage collection program could run on it. Since Android is a Linux variant, and AChoirX already ran on Windows, MacOS, and Linux, it seemed very likely that I could make it work.

In a short time I went from knowing nearly nothing about Android to creating both a remote and local triage collector for Android. This workshop will walk the student through how I created both remote and local triage collection systems for Android. It does not cover analysis of the artifacts, but will cover how to collect data from an Android device (and the limitations) using Free and Open Source tools.

RTV - Friday - 13:00-13:50 PDT

In this session, we'll translate PCAPs, STIX objects, or detection repositories into attack scenarios and send test data to a data lake/SIEM to test detection logic and organizational context. We'll write scenarios in descriptive language, and give public access to a bunch of scenario content for participants to use and contribute to, as well as leave with the data to test your environment with at home if you want, and public access to the free tools to use scenarios.

ADV - Friday - 10:00-17:59 PDT

Adversary Simulator booth is a volunteer assisted activity, which has hands-on adversary emulation plans and exercises specific to a wide variety of threat-actors; these are meant to provide the participants with a better understanding of adversarial attack emulation. The booth will be hosting a simulated environment meant to recreate enterprise infrastructure, operational technology environment, which serves targets for various attack simulations.The hands-on simulator booth also hosts an activity, which would need the participants to generate their own adversary emulation plans to assess the efficacy of the defense systems based on publicly available cyber threat intelligence.

ADV - Friday - 10:00-10:59 PDT

Abhijith B R, also known by the pseudonym Abx, has more than a decade of experience in the offensive cyber security industry. Currently he is involved with multiple organizations as a consulting specialist, to help them build offensive security operations programs, improve their current security posture, assess cyber defense systems, and bridge the gap between business leadership and cyber security professionals. Abhijith’s professional exposure is stretched across multiple industries and various other sectors.

As the founder of Adversary Village, Abhijith spearheads a community driven initiative exclusively focused on adversary simulation, adversary tactics, purple teaming, threat-actor/ransomware research-emulation, and offensive security-adversary tradecraft.

Breaking up bureaucracy since 2008, Ken Kato is a leader in large-scale digital transformation for highly regulated industries. It’s his belief that success comes from changing how teams work with each other toward a common goal. Whether it’s an austere data center with bare-metal servers, global-scale cloud deployments, or terrestrial networking in the far reaches of space, it always comes back to the people.

Ken’s recent accomplishments include: being a founding member of USAF Kessel Run, the first federal software factory; building Black Pearl, the Navy’s premiere DevSecOeps platform; and working with the White House to secure and scale critical cyber-infrastructure. But technology alone can’t solve complex problems. With this in mind, Ken balances his years of experience with industry data to develop sustainable strategies for organizational growth and predict how decisions made today will be survivable in the years ahead.

Vivek Ramachandran is a security researcher, book author, speaker-trainer, and serial entrepreneur with over two decades of experience in offensive cybersecurity. He is currently the founder of SquareX, building a browser-native security product focused on detecting, mitigating, and threat-hunting web attacks against enterprise users and consumers. Prior to that, he was the founder of Pentester Academy (acquired in 2021), which has trained thousands of customers from government agencies, Fortune 500 companies, and enterprises from over 140+ countries. Before that, Vivek’s company built an 802.11ac monitoring product sold exclusively to defense agencies. Vivek discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, and created Chellam (Wi-Fi Firewall), WiMonitor Enterprise (802.11ac monitoring), Chigula (Wi-Fi traffic analysis via SQL), Deceptacon (IoT Honeypots), among others. He is the author of multiple five-star-rated books in offensive cybersecurity, which have sold thousands of copies worldwide and have been translated into multiple languages. He has been a speaker/trainer at top security conferences such as Blackhat USA, Europe and Abu Dhabi, DEFCON, Nullcon, Brucon, HITB, Hacktivity, and others. Vivek’s work in cybersecurity has been covered in Forbes, TechCrunch, and other popular media outlets. In a past life, he was one of the programmers of the 802.1x protocol and Port Security in Cisco’s 6500 Catalyst series of switches. He was also one of the winners of the Microsoft Security Shootout contest held in India among a reported 65,000 participants. He has also published multiple research papers in the field of DDoS, ARP Spoofing Detection, and Anomaly-based Intrusion Detection Systems. In 2021, he was awarded an honorary title of Regional Director of Cybersecurity by Microsoft for a period of three years, and in 2024 he joined the BlackHat Arsenal Review Board.

CON - Friday - 10:00-17:59 PDT

Adversary Village proudly presents "Adversary Wars CTF", an official contest at DEF CON, where the participants will have to pose as adversaries and replicate adversarial actions against each element of a “target” organization. Adversary Wars would have real world simulation of CTF scenarios and challenges, where the participants can perform various attacks and learn new attack vectors, TTPs, techniques, etc. To visualize the CTF environment, the contest area will feature a miniature model of the city made using interlocking-plastic-bricks. The breached components OR organization buildings will be physically marked in the city model as the CTF progresses.

We are excited to be back at DEF CON as an official contest this year. Adversary Wars CTF will be located in the contest area for DEF CON 32.​

ADV - Friday - 10:00-17:59 PDT

Adversary Adventure is a Choose-Your-Own-Adventure model interactive table-top exercise game, where everyone can participate and choose various tasks. The participants can choose to play as an attacker who performs adversarial activities against a target, a defender who deals with a potential breach, as a CISO who is managing a ransomware attack, or even as management executives going through a table-top exercise.

PLV - Friday - 14:00-14:45 PDT

Cyber-financial crimes devastate marginalized communities, robbing them of economic opportunity and hard earned civil rights. This panel issues an urgent call to action to cyber advocates: join forces in pioneering policy solutions that enhance community resilience against these persistent threats to our global community. Our experts go beyond critiquing existing laws to envision groundbreaking models prioritizing the voices of impacted groups. We'll explore how to effectively amplify grassroots initiatives fostering digital awareness and empowerment from the ground up. This is a roadmap for multi-stakeholder collaboration - uniting policy leaders, corporate innovators, government officials, hackers, and advocates. Together we can build robust frameworks that embed civil rights into the core of cybersecurity strategy and implementation.

Nicole Tisdale is a fifteen-year national security expert and former Director at The White House - National Security Council and the U.S. Congress' House Committee on Homeland Security. Nicole’s policy expertise encompasses cybersecurity, counterintelligence, and election security. Nicole founded Advocacy Blueprints, a policy consulting and advocacy training firm. Her creation and commitment cyber-impact policy is evidenced by her writing The Hidden Injustice of Cyberattacks for WIRED Magazine and her commitment to civic engagement for advocates highlighted in her book “Right to Petition.” She serves in several advisor and fellowship positions, including Aspen Digital, POPVOX Foundation, and Omidyar Networks.

Kemba Walden is President of the Paladin Global Institute and former Acting National Cyber Director at the White House Office of the National Cyber Director (ONCD). Kemba also served a decade at the Department of Homeland Security (DHS) and three years at Microsoft. Since 2019, Kemba has been an adjunct professor of information security law and regulatory compliance at Georgetown University’s School of Continuing Studies, which she balances with her duties as a member of the Council on Foreign Relations and Atlantic Council Board of Directors, as well as co-chair of the Aspen Digital U.S. Cybersecurity Group.

Jake Braun served in the White House as Acting Principal Deputy National Cyber Director from May 2023 to July 2024. Prior to joining the White House Office of the National Cyber Director, he was appointed by President Joseph Biden as Senior Counselor to the Secretary of Homeland Security. Braun is also a lecturer at the University of Chicago’s Harris School of Public Policy Studies and Chairman of the Cyber Policy Initiative there.

From 2009 to 2011, Braun served as White House Liaison to the U.S. Department of Homeland Security. Braun is also co-founder of the DEF CON Voting Machine Hacking Village (Voting Village) hacker conference."

Elizabeth Eigner is a Security Policy Strategist in Microsoft's Global Cybersecurity Policy, where she oversees its marginalized user protection initiatives, tailoring Microsoft’s cybersecurity approach to the needs of marginalized communities. Elizabeth also leads Microsoft’s High-risk User and Human Rights Defender Protection initiative. Prior to joining Microsoft, Elizabeth worked at the Washington Technology Industry Association (WTIA), where she provided policy and strategic guidance on expanding digital access to underserved Washington communities, and MIT Solve, Massachusetts Institute of Technology’s social impact accelerator, where she collaborated with tech-based social entrepreneurs around the world solving challenges related to digital inclusion and equity.

CON - Friday - 13:00-14:59 PDT

Welcome to the “AI Art Battle" Generative AI Art Contest!

This unique competition invites creative minds to dive into the world of artificial intelligence and art. The challenge is to craft the most imaginative prompts that will be used by generative AI models to create artwork.

Contestants will not be creating the art themselves; instead, they will focus on designing prompts for well-known topics that push the boundaries of creativity and innovation.

How It Works:

Select a Topic: Contestants will choose from a list of random topics.

These could range from historical events, famous literary works, mythical creatures, futuristic landscapes, to iconic pop culture references.

Craft a Prompt:

Using their creativity, contestants will write a detailed prompt designed to guide AI models in generating original artwork. The prompts should be clear, imaginative, and offer enough detail to spark the AI's artistic capabilities.

Submission: Each contestant will submit their prompt and the intended outcome.

AI Generation: The submitted prompts will be fed into a generative AI art model, which will create corresponding artworks based on the prompts.

A random panel will determine who the winners are.

Schedule: - 13:00 - 13:30 setup - 13:30 - 14:00 qualifiers - 14:00 - 15:00 contest

AIV - Friday - 16:00-16:59 PDT

Christina will speak to the latest MITRE ATLAS community efforts focused on capturing and sharing cross community data on real world AI incidents, expanding the community’s data on vulnerabilities that can arise when using open-source AI models or data, especially for vulnerabilities that fall outside of the scope of CVE/CWE, and developing mitigations to defend against these AI security threats and vulnerabilities.

MITRE ATLAS () is a public knowledge base of adversary tactics and techniques based on real-world attack observations and realistic demonstrations from artificial intelligence (AI) red teams and security groups. There are a growing number of vulnerabilities in AI-enabled systems as the incorporation of AI increases the attack surfaces of existing systems beyond those of traditional cyberattacks. We developed ATLAS to raise community awareness and readiness for these unique threats, vulnerabilities, and risks in the broader AI assurance landscape.

AIV - Friday - 10:00-17:59 PDT

Join us at the AI Village for interactive demonstrations at the intersection of AI and security. Attempt to hijack and manipulate autonomous robots using large language models and generative AI. Fool your friends by creating deep fakes with a state-of-the-art setup from Bishop Fox, complete with DSLR camera, green screen, and props. Finally, put your social engineering awareness to the test with DARPA’s deep fake analysis system, designed to identify and attribute manipulated and synthetic media. Don’t miss this opportunity to engage with adversarial AI technologies and learn about their implications on the future, at DEF CON 32!

AIV - Friday - 13:30-14:30 PDT

AI’ll be watching you will cover attacking an embedded AI on a family of popular security cameras with over 100,000 combined reviews on Amazon. The camera’s embedded AI system is used for on-device person detection, a system that filters notifications based on whether a person is detected. Traditionally the camera would alert the owner if any motion was detected, meaning that an attacker would have to have no motion be detected, but now with the embedded AI making decisions, an attacker needs to only appear not to be human. While this may seem a simple task, dressing up as a giant bush would be noticeable by the people around the attacker, meaning that a successful attack against this system requires the on-camera AI to be tricked while not alerting nearby people to any suspicious disguises.

In this talk we will cover the steps we took to research and gain access to the device in order to perform greybox attacks against its embedded AI. We will demonstrate how we rooted an older version of the device to gain access to how the models were brought to the camera. We will show how the knowledge we gained while reverse engineering let us download the models for any arbitrary device or firmware and, eventually, how we were able to exploit and gain root on the newer, more secure device. We will show the audience our process in which we discovered and reverse-engineered a proprietary model format that we had never seen before. Finally, we will show how, once we understood the model, we were able to perform attacks against both it and the camera.

The purpose of this talk is to raise awareness about the insecurity of embedded AI as well as to demonstrate how known attack techniques can be used on never-before-seen models, showcasing that AI/ML research has truly passed the infant stage and has reached a point where developed methods can be broadly applied.

Kasimir Schulz, Principal Security Researcher at HiddenLayer, is a leading expert in uncovering zero-day exploits and supply chain vulnerabilities in AI. His work has been featured in BleepingComputer and Dark Reading, and he has spoken at conferences such as FS-ISAC and Black Hat. Kasimir leads the development of advanced tools for automating vulnerability detection and implementing large-scale patches, fortifying systems against supply chain attacks. His dedication to proactive defense measures sets a new standard in cybersecurity resilience.

MISC - Friday - 10:00-17:59 PDT

MISC - Friday - 14:00-14:59 PDT

Esta conferencia se centrará en el actor amenaza UXHIL, responsable de la distribución del malware URSA, ofreciendo una visión profunda basada en ciberinteligencia. Exploraremos cómo este actor ha estado distribuyendo el malware, las tácticas, técnicas y procedimientos (TTPs) que utiliza y cómo es su cadena de infección. Los asistentes aprenderán a identificar y analizar estos patrones para desarrollar estrategias efectivas de mitigación.

Jesika Juarez es una analista con casi cinco años de experiencia en el campo de inteligencia de amenazas en el equipo de Cyber Threat Intelligence en Deloitte México. Especializada en análisis de malware, investigación forense y técnicas de OSINT (Open Source Intelligence), ha desempeñado un papel crucial en la identificación, análisis y mitigación de amenazas cibernéticas avanzadas. Jesika es egresada de la Facultad de Estudios Superiores Aragón de la carrera de Ingeniería en Computación, la cual cuenta con una certificación de Malware Analysis y Digital Forensics impartidas por Elearnsecurity

Armando Aguilar es un analista de inteligencia de ciberamenazas con más de 6 años de experiencia en la identificación, análisis y mitigación de amenazas que se encuentran afectado a México y Latinoamérica. Actualmente, es miembro del equipo de Threat Intelligence en una de las instituciones financieraa más grandes de México.

ASV - Friday - 11:00-11:30 PDT

Richard Branson is oft quoted with the quip that the quickest way to become a millionaire in the Airline Industry is to start as a billionaire. An Industry constrained by high fixed capital costs, bi-lateral capacity treaties, airport slots and curfews, labour etc; Airlines use the practice of revenue management to fill planes, maximise earnings and keep competitors at bay. But you’re not interested in an economics talk – this is a hacker con. I’m here to provide a birds-eye view and introduction into how fares and ticketing work, debunking some myths while outlining system constraints and limitations that introduce vulnerabilities. As an outcome, attendees should gain an introductory understanding of airline industry pricing, published fares and terminology. With most blogged 'deals' patched quicker than RCEs, the deeper understanding of not what but how, facilitates a progression for those interested to interact on more specialised discussion forums.

ASV - Friday - 16:00-16:30 PDT

Automatic Dependent Surveillance – Contract (ADS-C) is a satellite-based aviation datalink application used to monitor aircraft in remote regions. It is a crucial method for air traffic control to track aircraft where other protocols such as ADS-B lack connectivity. Even though it has been conceived more than 30 years ago, and other legacy communication protocols in aviation have shown to be vulnerable, ADS-C’s security has not been investigated so far in the literature. We conduct a first investigation to close this gap. First, we compile a comprehensive overview of the history, impact, and technical details of ADS-C and its lower layers. Second, we build two software-defined radio receivers in order to analyze over 120’000 real-world ADS-C messages. We further illustrate ADS-C’s lack of authentication by implementing an ADS-C transmitter, which is capable of generating and sending arbitrary ADS-C messages. Finally, we use the channel control offered through a software-defined ADS-C receiver and transmitter as a basis for an in-depth analysis of the protocol weaknesses of the ADS-C system. The found vulnerabilities range from passively tracking aircraft to actively altering the position of actual aircraft through attacks on the downlink and the uplink. We assess the difficulty and impact of these attacks and discuss potential countermeasures.

We will further look at satellite-based ADS-B receivers and discuss their security and how they relate to ADS-C.

Martin Strohmeier is a Senior Scientist at the Swiss Cyber Defence Campus, where he is responsible for vulnerability research programmes into aircraft, satellites and cars. His work was published in all major systems security conferences, totalling more than 100 publications to date. He has also spoken previously at the DEFCON Aerospace Village and co-organized CTFs there.

DC - Friday - 15:00-15:45 PDT

Do you consider the list of mobile apps you use and the frequency at which you use them private information? What about the GPS coordinates of the cell towers to which your smartphone connects? The Android framework restricts third-party apps from freely obtaining this information – unless the user explicitly grants the app access. Android is a diverse ecosystem that comes with many benefits, but device vendors can still unintentionally expose app usage and device location in a variety of ways. We uncover privacy leaks of both types of data, where pre-loaded vendor software exposes app usage and location to co-located software. We also explore various local exposures of this data, where it is leaked to resources that do not require any special permissions or privileges to access.

We discovered these leakages across several major vendors, including Samsung, Nokia, Transsion brands (i.e., Tecno, Infinix, and Itel), and additional vendors that utilize a pre-installed Qualcomm app for performance monitoring. We cover each of these exposures in detail. App usage reveals the subset of the apps that the user actually interacts with, which can be collected, combined with location data, and analyzed for advertising, profiling, and establishing user pattern-of-life.

1. link
2. link
3. link
4. link
5. link
6. link
7. link
8. link
9. link
10. link
11. link
12. link
13. link
14. link
15. link
16. link
17. link
18. link
19. link
20. link
21. link
22. link
23. link
24. link
25. link

Dr. Ryan Johnson is a Senior Director, R&D at Quokka (formerly Kryptowire). His research interests are static and dynamic analysis of Android apps and reverse engineering. He is a co-founder of Quokka and has presented at DEF CON, Black Hat (USA, Asia, & MEA), IT-Defense, and @Hack. His research in Android security has been assigned dozens of CVEs and is responsible for discovering the Adups spyware that affected millions of Android smartphones.

SOC - Friday - 21:00-01:59 PDT

The Arcade Party is back! Come play your favorite classic arcade games while jamming out to Keith Myers DJing. Your favorite custom built 16 player LED foosball table will be ready for some competitive games. This epic party, free for DEF CON 32 attendees to enjoy and play, is hosted by the Military Cyber Professionals Association (a tech ed charity) and friends.

BTV - Friday - 14:00-15:59 PDT

Join BTV and the Aerospace Village for a large-scale interactive tabletop exercise with a game show panel format. Participants will walk through a security incident within input from security pros, tabletop experts, and aerospace insiders. The host will invite answers and prizes may fly through the air as our subject matter experts weigh in on the response effort with snark but no judgment.

Join BTV and the Aerospace Village for a large-scale interactive tabletop exercise with a game show panel format. Participants will walk through a security incident within input from security pros, tabletop experts, and aerospace insiders. The host will invite answers and prizes may fly through the air as our subject matter experts weigh in on the response effort with snark but no judgment.

ASV - Friday - 10:00-17:59 PDT

ARINC 664 is an extension to IP networking that adds deterministic QoS for Aircraft Systems over Ethernet. Sit down and learn about how the extensions to 802.3 is used on aircraft, how that flight critical data is transferred in a timely matter, and how to manipulate the data on these networks. This progressive difficulty CTF provides a fun and informative way of approaching ARINC 664 networking.

APV - Friday - 11:00-12:59 PDT

AI Goat is a deliberately vulnerable AI infrastructure designed to help security enthusiasts and pen-testers understand and exploit AI-specific vulnerabilities based on the OWASP AI Top 10. This arsenal session will demonstrate how to deploy AI Goat, explore various vulnerabilities, and guide participants in exploiting these weaknesses. Attendees will engage hands-on with the tool, gaining practical experience in AI security. Deployment scripts will be open-source and available after the session.

Ofir Yakobi is a Security Researcher at Orca Security. With almost a decade of experience in detecting cybercriminals, malware research, and unveiling numerous security issues for high-profile companies, she brings her expertise in breaking and strengthening cloud vendors. She's as passionate at uncovering vulnerabilities as she is at picking her next travel destination.

Shir is a Cloud Security security and martial arts enthusiast! With a background in endpoints and servers cyber security, Shir once led research ventures to enhance departmental security. Now, Shir blends cybersecurity expertise with martial arts finesse, creating a formidable combination in the digital and physical realms

APV - Friday - 11:00-12:59 PDT

Imagine GCHQ's CyberChef integrated in BurpSuite with live modification of requests at your fingertips. That's exactly what we had in mind when we built the Cyber Security Transformation Chef (CSTC) a few years ago. The CSTC is an extension to the popular BurpSuite Proxy built for experts working with web applications. It enables users to define recipes that are applied to outgoing or incoming HTTP requests/ responses automatically. Whatever quirks and specialties an application might challenge you with during an assessment, the CSTC has you covered. Furthermore, it allows to quickly apply custom formatting to a chosen message, if a more detailed analysis is needed

Matthias Göhring is security consultant and penetration tester at usd AG, an information security company based in Germany with the mission #moresecurity. He is Head of usd HeroLab, the division of usd specialized in technical security assessments. In addition, he holds lectures at Technical University Darmstadt and University of Applied Sciences Darmstadt on ethical hacking and penetration testing. In previous scientific work, he focused on network and communication security as well as software security.

Florian Haag is a managing security consultant at usd AG with experience in penetration testing, software security assessments as well as code reviews. He is specialized in penetration tests of thick client applications, leveraging his background in software development to reverse engineer proprietary client applications and network protocols. In addition, he maintains several open source tools for web application pentesting presented at international conferences like BlackHat and DEF CON.

APV - Friday - 13:00-13:59 PDT

With our open-source tool GraphQL Armor we want to take GraphQL security to the next level. GraphQL Armor is a dead-simple yet highly customizable security middleware for various GraphQL server engines. It offers advanced protection against common vulnerabilities like query depth, complexity, and rate limiting.

In this session, we’ll dive into the technical details, demonstrating how to identify GraphQL-specific vulnerabilities, integrate GraphQL Armor into your current setup, and customize it to your needs.

Former pentester for the French Intelligence Services. Former Machine Learning Research @ Apple.

Tristan Kalos, co-founder and CEO at Escape, draws from a background as a software engineer and Machine Learning Researcher at UC Berkeley. Motivated by firsthand experience witnessing a client's database stolen through an API in 2018, he has since become an expert in API security, helping security engineers and developers worldwide building secure applications. He is an experienced keynote and conference speaker, presenting at Forum InCyber, bSides, APIdays, GraphQL conf, and other international software development and cyber security conferences.

APV - Friday - 15:00-15:59 PDT

HunterBounter is an open-source tool designed to automate the scanning processes of tools like OpenVAS and ZAP Proxy using multiple Docker containers. Each container establishes a VPN connection to bypass security measures like IP bans during automated scans. The tool simplifies automated scanning for bug bounty hunters and penetration testers. Development is ongoing to integrate more open-source products for mobile, web application, and network scanning.

More information about the tool: https://hunterbounter.com Source code: https://github.com/hunterbounter

Demo Platform: https://panel.hunterbounter.com Username: AppSecVillage Password: gX8Q.Ja7!RMHD.kzSp!Zyu?AWGV

Utku Yildirim is an experienced cybersecurity professional with a strong background in penetration testing and security evaluation. Currently working as a Senior Penetration Tester at Hoffmann Cybersecurity in the Netherlands. He also continues his role as a penetration tester at Cobalt.io. Utku has a diverse skill set encompassing network, web, API, and mobile application security testing.

His certifications include OSCE, OSCP, OSWP, and CRTO, among others. He has discovered multiple CVEs and has been recognized in international competitions such as NATO Locked Shields.

Utku is also a seasoned speaker, having presented at notable conferences like DEF CON 30 (Aerospace Village) , DEF CON 31(Telecom Village) and BSides Oslo, where he shared his insights on UAV security and SS7 hacking.

APV - Friday - 15:00-15:59 PDT

As the adoption of CI/CD practices continues to grow, securing these pipelines has become increasingly important. However, identifying vulnerabilities in CI/CD pipelines can be daunting, especially at scale. In this talk, we present our tooling, which we intend to release as open-source software to the public that helped us uncover hundreds of vulnerabilities in popular open-source projects' CI/CD pipelines.

RAVEN (Risk Analysis and Vulnerability Enumeration for CI/CD) is a powerful security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database. With RAVEN, we were able to identify and address potential security vulnerabilities in some of the most popular repositories hosted on GitHub, including FreeCodeCamp, Fluent UI by Microsoft, and much more. This tool provides a reliable and scalable solution for security analysis, enabling users to query the database and gain insights about their codebase's security posture

Elad is a passionate security researcher with a focus on software supply chain and web application security. He dedicates his time to writing security research tools and finding vulnerabilities across a broad spectrum, from open-source projects and web applications to IoT devices and pretty much anything with an IP address.

Oreen Livni is a passionate security researcher specializing in application and supply chain security, Domain, and networking. With a focus on software supply chain vulnerabilities. Alongside his professional commitments, he immerses himself in art, gardening, and the world of surfing, always seeking new experiences. With an unwavering commitment to staying updated on the latest security trends, he embraces new challenges and strives to make a difference in the cybersecurity landscape.

RCV - Friday - 12:00-12:59 PDT

This is an AMA/Podcast that will be recorded on-site.

MISC - Friday - 17:30-21:30 PDT

Electronic Frontier Foundation (EFF) is excited to be back at DEF CON. Our expert panelists will offer brief updates on EFF's work defending your digital rights, before opening the floor for attendees to ask their questions. This dynamic conversation centers challenges DEF CON attendees actually face, and is an opportunity to connect on common causes.

DC - Friday - 11:30-11:59 PDT

Meet an attacking MySQL honepot which can “Attack the attackers”. In 2023 we have found a CVE (CVE-2023-21980) in MySQL that allows a rogue MySQL “server” to attack a client connecting to it; attack meaning RCE on the client side. Since then we were thinking on how to use it for good. One obvious application is to create a honeypot which will attack the attackers. In 2024 we have found another RCE in mysqldump utility (CVE-2024-21096), so we have created a rogue MySQL server and weaponized it with a chain of 3 vulnerabilities: 1/ arbitrary file read 2/ RCE from 2023 (CVE-2023- 21980) 3/ the new RCE (CVE-2024-21096). With this atomic honeypot we were able to discover 2 new attacks against MySQL server. Using arbitrary file read vulnerability in MySQL we were able to download and analyze the attackers' code and then execute an “attack against attackers” using a chain of exploits.

CVE-2023-21980 CVE-2024-21096

Alexander is a Principal Security Engineer at Amazon Web Services (AWS), leading RDS Red Team. Alexander was working as MySQL principal consultant/architect for over 15 years, started with MySQL AB in 2006 (company behind MySQL database), Sun Microsystems, Oracle and then Percona. His security pentest/red teaming interest started with playing CTFs and performing opensource security research. Alexander is managing RDS (relational database as a service) Red Team at Amazon Web Services.

Martin is a Senior Security Engineer at Amazon Web Services (AWS) RDS Red Team. Prior to that, Martin spent 17 years doing security research of databases and other targets, including servers, desktop applications and hardware. Martin found more than 30 CVEs across various databases and other products.

ICSV - Friday - 10:30-10:59 PDT

In this talk we will present the ICS firing range we built and hacked to simulate an actual attack against a hydroelectric power plant and create a DFIR training from the evidence left behind. The talk aims to emphasize the importance of attack simulation in the context of critical infrastructure and the potential benefit that firing ranges can provide to such assessments.

First we will examine the motivation behind the construction and usage of a firing range, covering various aspects including: - the threats operators of critical infrastructure face, - how security assessments are conducted in an OT context and - how an ICS firing range can be utilized to support them.

Next we will discuss the intended use cases of the firing range and the scenario it was made to display, the flooding of a hydroelectric power plant. As a result, the relevant components and production processes of the plant will be outlined. Then we will present and go into detail about the design & architecture of the firing range: - individual physical and virtual networks and components, - separate Active Directory environments, - implemented security measures - specific vulnerabilities intentionally left behind.

Picking up this last bullet-point, we continue with how we hacked the firing range and performed a Red Team assessment against it, simulating an actual attack. Starting with the C2 infrastructure we set up for the attack, we will guide the audience through the kill chain in chronological order and highlight the most important and relevant steps of the attack.

Once the offensive part of the talk concludes, a shift of perspective takes place and the attack is evaluated from the defence's point-of-view: we'll show how we identified, secured and analyzed indicators of compromise left behind by the attack. This includes the analysis of network captures, Windows event logs, memory dumps and more.

This talk will be presented by not only people from NVISO as the IT security service provider who built the firing range and performed to attack against it, but also by people from VERBUND's IT security team who actively use the firing range for training. This way we can involve both the attacker's and the defence's point-of-view.

Julia Dewitz-Würzelberger is a project manager in the area of OT cyber security at VERBUND, Austria's largest energy supplier. Since 2023, she has been Head of the OT Cyber Security Lab, where she designs and implements concepts for innovative OT projects.

Her projects cover a broad spectrum, ranging from creating deception technology systems and the emulation of OT components to the operation of a quantum cryptography test setup.

As she can be interested in almost anything, she also completed a degree in anthropology and educational science before moving into IT/OT security.

Bernhard Sedlmayer is a Security Engineer and Lego enthusiast. He is responsible for the OT security of the ICS/SCADA Systems at Austria's largest electricity provider with around 130 hydropower plants. He has 20 years of experience in the energy supply industry and supports many innovative and fundamental projects in operational technology as an OT security specialist. Red Teaming and pentesting on Windows and Linux Systems is also one part of his daily to-do's.

Sarah is a Senior Consultant at NVISO, with a focus on Red Team Assessments. Complementing her cybersecurity experience, she has developed proficiency in Operational Technology (OT) assessments and continues to specialize further in this area.

She possesses a Master's degree in Applied IT Security, which has been enriched by her diverse experiences in cybersecurity roles across various companies.

In addition to her professional work, Sarah is dedicated to contributing to the community by leading workshops and delivering presentations at industry conferences.

QTV - Friday - 16:00-16:59 PDT

This talk explores security issues in quantum computing, identifying attack vectors on major platforms like IBM and IonQ. We examine vulnerabilities in popular quantum software development kits (SDKs) and workflows, highlighting flaws in authentication token management and supply chain attacks that inject malicious circuits.

We also review existing literature on vulnerabilities in Quantum Processing Units (QPUs) and present new attacks that exploit qubit reset quality to infer results from prior computations and tamper with subsequent ones. Additionally, we demonstrate how crosstalk can inject faults into circuits run by other tenants on the same QPU.

Quantum computing holds immense potential, but so does the responsibility to secure it. By understanding and addressing these vulnerabilities today, we can build a more secure quantum ecosystem.

Sorin Boloș is a software engineer turned to quantum computing. After earning his stripes in the tech world and diving deep into computer science, he had a fling with quantum computing, thanks to a flirty course by MIT, and it turned into a full-blown love affair. As a proud Qiskit Advocate, he has been spreading the quantum love through talks, courses, and hosting some cool minds. Now, he is on a mission to crack the code on quantum security.

Adrian Coleșa is an Associate Professor of Computer Science at the Technical University of Cluj-Napoca (TUCN) in Romania, where he has dedicated 26 years of service. He earned his PhD from TUCN and specializes in teaching courses such as Operating Systems (OS), Secure Coding, and Virtualization-Based Security. His primary research focus since 2013 has been in the field of cybersecurity. Additionally, he has been leading a cybersecurity master's program at TUCN since 2015. Since 2019, he has held the position of Senior Security Researcher at Bitdefender, concentrating on virtualization and operating system security. Adrian obtained the OSCP certification in 2014. He has coauthored around 40 scientific papers and six US patents, primarily in cybersecurity.

PYV - Friday - 13:00-13:59 PDT

In this workshop we present two perspectives on card present attacks - attacker's and defender's. What typical banks and card processors think of modern card present attacks? How easy is it to mitigate those without compromising on user experience?

CLV - Friday - 14:30-15:10 PDT

This talk will explore how default configurations in reference architectures of our most commonly used software supply chain services can lead to a handful of unsavory outcomes including secrets exfiltration, lateral movement, and privilege escalation within production cloud and SaaS environments. We'll take a close look at how many of the interactions between people and CI|CD services are not as safe as we think. Some examples we’ll look at:

- Abusing PRs against Github repositories allows for execution of code prior to code review & merge, for all downstream services (GH Actions, Buildkite, & Terraform)
- Multi-tenant infrastructures in CI like Buildkite lead to over-authorization & access to production cloud secrets
- Lacking Pipeline Based Access Control (PBAC) in CI services like Buildkite leads to code execution in production cloud environments

After we identify the pitfalls in our by-default configurations, we’ll demonstrate how best to modify them using available tools, services, & best practices.

Mike is a Senior Staff Security Engineer at Rippling, where he works on securing the world’s best All-In-One HR & IT Platform. Previously the technical lead for Infrastructure Security at companies such as Brex & Cruise, Mike has over thirteen years of experience securing, designing, and deploying cloud infrastructure & SaaS services.

DL - Friday - 14:00-15:45 PDT

Tommyknocker is an open source project designed to facilitate automation of continuous security control validation, bringing some of the processes developers have been using for years for regressing testing, to the security world. It allows users to easily create test scenarios using docker images and standard scripts to perform one or more test actions, followed by the ability to easily check common tooling (SIEM, IDS, Log aggregators) for any expected alerts or log entries. Using Tommyknocker, security organizations can add test cases each time a new security control is created, so that any time a change is made in the environment, the continued functioning of existing controls can be validated. Many times, security organizations will only test controls when they are first implemented, and potentially a few times a year for audit purposes. With Tommyknocker, controls can be tested multiple times per day, ensuring that alerts are raised as soon as possible when a control ceases to function correctly, or is compromised by a threat actor.

Jeremy is an accomplished software developer and lifelong hacker with a combined 10 years of experience in software development and cybersecurity. After working his way up from customer support, and earning a Master's degree in Information Security, Jeremy helped found the Security Product Engineering, Automation and Research group at VMware. Having spoken at both Blackhat Arsenal and Def Con Demolabs on his open source projects, he continues to be passionate about sharing new tools and technologies with the community. In his spare time, Jeremy enjoys gardening, camping, and tinkering with all manner of technology.

ASV - Friday - 11:30-11:59 PDT

This is going to be a lightning talk covering three short aviation cybersecurity topics. 1) What is the attack surface of an airport 2) How plane hacking is represented in the movies 3) What it takes to resolve a 3 year disclosure process for an EFB.

Ken Munro is Partner and Founder of Pen Test Partners, a firm of ethical hackers. He and colleagues hold private pilot’s licenses and have been interested in aviation security for many years. They also publish and blog about their research into aviation cyber security, covering topics from airborne connectivity, the potential risks of publicly available avionics component information, and even the entire attack surface of the modern airport. Ken and Pen Test Partners have also been invited to speak at various aviation industry events, and on aviation at specialist security events such as DEF CON’s Aerospace Village, the Global Connected Aircraft Summit, and the Aviation ISAC Summit among others.

CON - Friday - 12:00-12:59 PDT

How well do you know your man pages? Find out by teaming up with up to 3 other people (or come solo and get matched up with some new friends) and play "Aw, man...pages!". Across several rounds, your knowledge of man pages will be tested to the limit. Can you remember what command line flag is being described by its help text? Can you identify a tool just from a man page snippet? Can you provide the long-form flag when only given the short? Will you prove yourself worthy to be crowned the man page champion?

RTV - Friday - 13:00-14:50 PDT

In this workshop, we distill key tactics from the comprehensive Practical Physical Exploitation course, tailored specifically for penetration testers looking to attack Physical Access Controls (PACS).

Participants will embark on a journey through the ins and outs of cloning badges during physical penetration tests. Explore the intricacies of long-range, short-range, and Stealth cloning tactics, gaining hands-on experience in the art of badge duplication. Delve into the realm of implantable devices, understanding their role in modern access control exploitation.

Join us as we uncover the nuances of downgrade/upgrade attacks and the protocols that make them possible. Learn to navigate the landscape of access control systems with expert guidance, equipping yourself with the knowledge to identify and exploit vulnerabilities.

By the end of this session, you'll wield an arsenal of cutting-edge techniques, ready to transform your facility into a bastion of high-security readiness. Don't miss this opportunity to elevate your skills and refine your physical security penetration testing skills.

Ralph is a security analyst and penetration tester at Black Hills Information Security. Ralph is also a co-developer and instructor of the Practical Physical Exploitation course. Before joining BHIS, Ralph spent five years performing offensive operations on a wide range of security assessments. These assessments include physical, wireless, network, social engineering, and full simulation red teams. Before focusing on security, Ralph worked as a system administrator and network engineer for civilian and government employers. Ralph is a US Army veteran who previously worked with the United States Special Operations Command (USSOCOM) on information security challenges and threat actor simulations.

CPV - Friday - 15:00-15:30 PDT

Curious about mobile phone privacy? Come on over for this workshop with lots of direct Q&A!

Grey Fox, the callsign assigned to him by a DHS colleague, recently retired from the U.S. military after 20 years of service as an intelligence analyst, language analyst, digital network intelligence targeter, cyberspace mission leader, and digital defense education program leader. Having deployed eight times supporting front line combat teams, his experience ranges from offensive cyberspace operations planning and execution to military information support operations. Along the way, Grey Fox acquired multiple creds, including GCTI, GASF, GAWN, and CWNA. He currently instructs Digital OPSEC at the U.S. Army Security Cooperation Officer course and the U.S. Air Force Research Lab, as well as SDR foundations and Wi-Fi hacking at the U.S. Army Signal School.

RCV - Friday - 10:00-10:45 PDT

Since 2020, I have (as a BikeIndex.org cofounder) been chasing and hunting the single largest black market bike fence in modern history. This OSINT-heavy, cross-border investigation eventually blossomed into a federal court case in early 2024, so I've only able to partially share that story in public until now. By the time DEFCON happens, I'll be able to give this talk in its fullest and most unredacted form, which I haven't been able to do yet. (This talk was presented at Seattle BSIDES 2023, but even then I couldn't give 'the whole talk' because one of the key players was still being prosecuted in CA court)

In December 2021, BikeIndex.org published an article that laid out how our OSINT detective work showed residential burglars in Colorado were exporting stolen bikes to Juarez Mexico and selling them on grey-market sites there for excellent profit. This quantified a long suspected 'urban legend' in the cycling community - that high end stolen bikes went to Mexico - but also the economics of the problem, as we tracked over 1000 sales of stolen bikes and were able to capture sales data and study the black market in very great detail. (That write up is here, if you are curious:https://bikeindex.org/news/closing-the-loop-a-deep-dive-on-a-facebook-reseller-of-bikes-stolen-in )

What we did not disclose at that time was that we were infiltrating and tracking an even larger, more impressive criminal actor in the same space - one whose sales and profits reach into the millions. Through years of surveillance, OSINT work, and a lot of persistence, we eventually identified one of his US side suppliers and got them raided by law enforcement, which then snowballed into a federal prosecution in 2024.

In this talk, I'll talk about how the motivation to seek justice drives normal people to do extraordinary things with OSINT and other crafty methods to chase down bad guys and recover their stolen goods and seek justice. I'll cover some of the crazier edge cases we've run into in this space, and I'll talk about the secret shadow army of hunters and cyclists who are hunt these kinds of bad guys down online, every day.

The talk will be audience engaging, with back-and-forth and audience 'spot-the-OSINT-FAIL-here' type participation as we walk through the major breakthroughs that took this project from 'hey, that's an interesting' to names going down into a federal indictment. Specifically, I'll give an overview of how we engage with theft victims to surveil, track, identify, and take down transnational black market bike fences - who often turn out to be even crazier individuals than anybody ever expected.

MISC - Friday - 10:00-10:59 PDT

En este panel se abordará las oportunidades y desafíos que enfrentan los profesionales latinos en el campo de la ciberseguridad fuera de América Latina. Adicionalmente estudiaremos las estrategias para destacar en mercados internacionales, las habilidades clave necesarias y las redes de apoyo que pueden ayudar a los latinos a prosperar en esta industria en constante evolución. Además, se discutirán experiencias personales y consejos prácticos para navegar en entornos multiculturales y globales. Únete a nosotros para aprender cómo los latinos pueden hacer una diferencia significativa en el panorama global de la ciberseguridad.

Lenin Alevski is a Full Stack Engineer and generalist with a lot of passion for Information Security. Currently working as a Security Engineer at Google. Lenin specializes in building and maintaining Distributed Systems, Application Security and Cloud Security in general. Lenin loves to play CTFs, contributing to open-source and writing about security and privacy on his personal blog

XRV - Friday - 17:00-17:59 PDT

Using AI to pre-generate gamifie CTFs so hard even the admins won't know the answers. Exploring the visionary concept of using gamified, AI-generated barrier mazes for futuristic authentication and encryption inspired by manga. But in the great words of your Mom and mine, if we aren't breaking into something, then what is David Maynor even doing there?

David “Icer” Maynor, Secret Keeper at ThreatHunter.ai, has over 20 years of experience in information security with deep technical expertise in threat intelligence, reverse engineering, exploit development, and offensive security testing. Results-driven research, analysis, and solutions leveraging partnerships and cross-disciplinary teams, to strengthen customer and business security posture and capabilities. Served as founder, executive, and advisor within the information security startup space. Author of and contributor to several popular open-source tools, presenter and instructor, and subject matter expert contributor for print, television, and online media.

DC - Friday - 10:00-10:45 PDT

Delve into the clandestine world of the LockBit ransomware gang! In this revealing presentation, I will recount my two-year journey spent infiltrating the inner ranks of the LockBit crime syndicate. Learn about the strategies employed to earn the trust of key individuals within the syndicate, including the gang's leader, LockBitSupp.

You will see firsthand accounts of these exchanges, and I will detail the intricacies of my relationship with LockBit's leadership and its network of affiliate hackers. You will also gain insight into the unintended consequences of my actions, including how my perceived breach of their infrastructure impacted the syndicate's operations. More importantly, I will share how I assisted in unmasking the real-world person behind the mask of LockBitSupp.

Join me as I illustrate the pivotal role of human intelligence in tandem with cyber threat intelligence to combat ransomware threats. This talk offers a compelling narrative of real-world efforts to thwart ransomware activities and safeguard organizations from LockBit ransomware attacks.

• 60 min (full episode): 4/14/2024: Scattered Spider; Knife; Tasmanian Tiger - CBS News
• 60 Min Overtime (additional footage from my interview about LockBit): Infiltrating ransomware gangs on the dark web - CBS News
• Ransomware Diaries
• Ransomware Diaries: Volume 1 | Analyst1
• Ransomware Diaries V. 2: A Ransomware Hacker Origin Story (analyst1.com)
• Ransomware Diaries V. 3: LockBit's Secrets (analyst1.com)
• Ransomware Diaries Volume 5: Unmasking LockBit (analyst1.com)

Jon DiMaggio is the chief security strategist at Analyst1 and has over 16 years of experience hunting, researching, and writing about advanced cyber threats. In 2022, Jon's authored his first book, "The Art of Cyberwarfare," which earned him the prestigious SANS Difference Makers Award, solidifying his status as a thought leader in the industry. The following year, SANs recognized his work once again, awarding his most notable research, "The Ransomware Diaries," detailing his operation to infiltrate the real-world humans behind the LockBit criminal operation. Jon’s other notable achievements include his appearance on 60 Minutes, where he discussed his undercover operations infiltrating some of the world top ransomware gangs. Jon’s research has been featured in The New York Times, Wired, Bloomberg, Fox, CNN, Reuters, and other news organizations.

CON - Friday - 11:00-11:59 PDT

We’re going all in on internet freedom. Take a break from hacking the Gibson to face off with your competition at the tables—and benefit EFF! Your buy-in is paired with a donation to support EFF’s mission to protect online privacy and free expression for all. Play for glory. Play for money. Play for the future of the web. Seating is limited, so reserve your spot today.

CON - Friday - 10:00-15:59 PDT

The Beverage Chilling Contraption Contest has been un-canceled! After a fantastic afternoon of day drinking celebrating the start of the 20th BCCC we've run out of beer. It's a disaster, a catastrophe! Fortunately, we had the wherewithal to scramble a crack beverage acquisition team to the streets of Las Vegas and found more! Don't ask where. Unfortunately, like the streets of Las Vegas, it's HOT and kinda sticky. We need you to help us fix this and get that beer as cold as the barren wasteland that is our generation's dreams of home ownership!

IOTV - Friday - 17:00-17:30 PDT

This talk reveals stunning vulnerability findings in leading solar manufacturers that, when exploited, the stake is the grid. We'll explore three massive vulns in the management platform and discuss how they can be weaponized to become chilling nation security risks.

Alexandru Lazar is a Security Researcher at Bitdefender. He has red team and penetration testing experience and specializes in IoT and embedded systems with a focus on reverse engineering vulnerability assessment and exploitation. He has disclosed vulnerabilities to vendors such as Amazon Bosch LG with his research being covered by several media publications.

Dan manages the Bitdefender IoT vulnerability research program. He previously lead the design and product experience at Bitdefender. His team designed and built Bitdefender BOX, a revolutionary device that protects connected devices in smart homes.

BICV - Friday - 09:00-09:30 PDT

Meet BIC @ UK! The U.K. Chapter of Blacks In Cybersecurity is dedicated to empowering Black professionals in the United Kingdom. This session will introduce you to the regional leaders and their vision for their local chapter and members.

BICV - Friday - 10:00-10:59 PDT

Cybersecurity threats are increasingly sophisticated and pervasive. This talk provides a overview of the current threat landscape, highlighting key trends like ransomware, state-sponsored attacks, and supply chain threats. We will explore how law enforcement combats cybercrime through innovative investigation techniques, international collaboration and evolving legal frameworks. Gain actionable insights to strengthen your cybersecurity posture and understand the critical role of law enforcement in maintaining digital security.

Kevin Parker is the principal at Blacksuit Consulting and a retired FBI Special Agent. He served as the lead agent for state sponsored computer intrusion investigations and pursued foreign threat actors. Kevin investigated criminal computer intrusions, collected evidence and arrested numerous subjects while providing actionable intelligence to investigations across the FBI.

Kevin served several years as a liaison to private sector and the Defense Industrial Base (DIB) in the roles of FBI Infragard and Strategic Partnership Coordinator. In these roles he brought security awareness and security best practices to critical infrastructure organizations.

BICV - Friday - 09:30-09:59 PDT

In this Q&A session featuring a malware engineer, the BIC community will engage with insights and inquiries!

Michaela is the founder of Blacks In Cybersecurity (BIC). She is a Penetration Tester and Researcher in the fields of BioCybersecurity & Maritime Cybersecurity. Michaela initially ventured into greater service of the Cybersecurity community through the founding and continued leadership of Blacks In Cybersecurity.

Marcus Hutchins is best known for stopping one of the largest cyberattacks in history, the 2017 WannaCry ransomware attack. At the age of 13, Marcus was given his first computer, enabling him to begin teaching himself programming. Throughout his teen years he alternated between different programming languages, learning VB, PHP, C, C++, and Assembly. Due to almost exclusively hanging around hacking communities, he eventually found himself making money writing and selling illegal hacking tools. In 2013 Marcus started MalwareTech, an anonymous blog focused on detailing the deep and technical inner workings of malware. The blog became popular among both security professionals and criminal hackers alike. As time went on, he became increasingly uncomfortable with working for cybercriminals and focused on leaving that life behind. Through his blog, Marcus had received several high paying job offers from international security companies, and gained some understanding of the cybersecurity industry. In 2016, he made the decision to transition into cybersecurity, taking a job as a research and development lead at a Los Angeles based firm. On May 2017, Marcus gained worldwide media attention after being outed as the person who stopped WannaCry, an extremely destructive ransomware virus. Reporters were able to track his MalwareTech alias back to his real identity, thrusting him into the spotlight. Three months later, he was arrested by the FBI while attending DEF CON, the world’s largest hacking convention.

CON - Friday - 10:00-17:59 PDT

A scenario-driven Capture the Flag contest, pits teams of participants against adversaries and a clock, to protect human life and public safety. Participants compete against each other on both real and simulated medical devices, integrated into the fully immersive Biohacking Village: Device Lab, laid out as a working hospital.

Challenges will be tailored for all skill levels and draw from expertise areas including forensics, RF hacking, network exploitation techniques, web security, protocol reverse engineering, hardware hacking, and others. You will hack actual medical devices and play with protocols like DICOM, HL7 and FHIR.

2024 Capture the Flag Challenge

Welcome, elite hackers and cyber sleuths, to a CTF experience like no other - the "Code D.A.R.K. : Biohacking Village CTF Challenge".

Merge the worlds of biology and cybersecurity in an adrenaline-pumping contest that tests your skills in ways you've never imagined. Thrilling and challenging cybersecurity adventure centered around a hospital setting as a scenario where participants engage in a race against time to secure or retrieve critical medical data, navigating through various cybersecurity puzzles and challenges, where participants act as guardians of critical biological data.

Unravel Biological Mysteries: Dive into a narrative where biotechnology meets cyber-warfare. Decode genetic puzzles, breach virtual lab networks, and outsmart bioinformatics security systems.

Elevate Your Hacking Game: Challenge yourself with unique biocybersecurity scenarios. This isn't your typical CTF - it's a fusion of biotech intrigue and hardcore hacking.

Compete and Collaborate: Team up with fellow biohackers and cyber warriors. Share knowledge, strategize, and show off your skills in a community where biology and bits intersect.

Gear Up for a Cyber-Biotech Showdown

Immersive Scenarios: Each challenge is a step into a world where safeguarding biological data is as critical as securing digital assets.

Skill Diversity: Whether you're a veteran hacker or a biotech enthusiast, Code D.A.R.K. offers a range of puzzles that cater to a wide array of skills and interests.

• OT/IT
• Medical devices
• Hospital infrastructure
• Regulatory and international affairs
• Robotics
• Data
• Mark your calendars and set your alarms because the action kicks off on Friday, August 9th at 1000 PDT.
• Play from anywhere in the world! CTF open hours are as follows:
  • Friday, August 9th from 10am PST - 6pm PDT
  • Saturday, August 10th from 10am PST - 6pm PDT
  • Sunday, August 11th from 10am PST - 12pm PDT

RULES

REGISTRATION

Participants may only register once for this challenge. If participants register for this challenge more than once, the whole teams with a participant that registered multiple times will be disqualified.

By registering, participants agree that their accounts may be rejected or terminated and all submissions by them and/or their Team may be disqualified if any of the information in their account is incorrect.

Participants must agree to and abide by the Code of Conduct while participating in the Biohacking Village Capture the Flag. Anyone who will conduct themselves against the CoC will be eliminated from competition and banned forever.

TEAMS

After participants register individually, they may work alone (team of one) or on one team with other challenge participants. To work on a team, they may either create a new team or join one that is pre-existing ( if a participant wishes to join a team or offer others to join, they can do so in the #ctf-st-elvis-teambuilding Discord Channel)

The maximum number of team members is five (5).

All teams must designate a Team Captain. A Team Captain serves as the official contact person for a team: this person should provide accurate and complete contact information to ensure that CTF organizers can reach their team if needed.

Each member of the team must be a registered participant in the CTF.

If participants choose to join a team, then they may not simultaneously participate as an individual or another team.

CHALLENGE SUBMISSIONS

All submissions must be received during the Challenge period. Submissions posted after the posted time frame will be disqualified.

Participants may get an answer but it will forfeit their points for that challenge. Even if the flag they tried before was similar. The decision to get the answer is final for zero points.

CHALLENGE SCORING

Each submission has set value known beforehand in the challenge description

The winning teams will be decided based on the number of the accumulated points during the CTF timeframe. In case two teams accumulate the same amount of points, the team that reached the amount of points in question faster will be the winner.

CHALLENGE DISQUALIFICATION

Whole team gets disqualified if any of the following applies:

• One or multiple team members have registered more than once
• One or multiple team members will not follow Code of Conduct (applies to any of the Biohacking village platforms or social media)
• Any offensive behaviour such as attacking the Biohacking Village infrastructure, denial of service, or escaping the boundaries set by the CTF or Device Lab environment

PRIVACY

Unless stated otherwise on the mainsite, we do not share any information about participants with anyone. Some events or conferences might have/require other rules, in that case it will be noted on the CTFd site.

BHV - Friday - 10:00-17:59 PDT

The Device Lab is highly-collaborative environment where security researchers test medical instruments, applications, and devices in real-time from participating Medical Device Manufacturers. Any potential issues are reported directly to the manufacturer, and coordinated vulnerability disclosures are produced.

As part of their product security programs, their proactive initiatives to test their products, and to enhance the cybersecurity of their medical technologies, select medical device makers are teaming up with the Biohacking Village.

These manufacturers are inviting security researchers to learn and to test their products in dedicated spaces set aside for them. Their staff will answer questions, educate researchers, and triage any potential security issues. Researchers who perform testing should expect to follow the manufacturers’ published coordinated vulnerability disclosure policy and report any potential issues found so they can be addressed. Security researchers must sign the Hippocratic Oath for Hackers and agree to the framework of boundaries and rules of engagement during and post conference engagement.

We have 10 manufacturers with 21 devices. You can find more information about the devices and each manufacturer's Vulnerability Disclosure Policy here.

CON - Friday - 12:00-16:59 PDT

Hybrid Contest Contest available online Friday 12:00 to Saturday 17:00

The BIC Village Capture The Flag is a jeopardy style event designed to practice solving challenges in multiple categories. This event seeks to not only be a series of puzzles and challenges to solve, but a gamified way to learn concepts of social justice and Black history. This event will highlight previous, current and up & coming Black individuals and their contributions to technology. This year we are excited to bring back our physical challenge room with a variety of interactive components for players to interface with.

This event also aims to bring to the forefront a range of technologies that we will expose to the community that operate in our day-to-day lives and examine their capabilities; contributing to the discussion of privacy, social justice and civil rights. Our event will allow the DEF CON community to fully engage in “Reading all the stories, learning all the technologies, and hacking all the things.”

CON - Friday - 12:00-17:59 PDT

Hybrid Contest Contest available online Friday 12:00 to Saturday 17:00

The BIC Village Capture The Flag is a jeopardy style event designed to practice solving challenges in multiple categories. This event seeks to not only be a series of puzzles and challenges to solve, but a gamified way to learn concepts of social justice and Black history. This event will highlight previous, current and up & coming Black individuals and their contributions to technology. This year we are excited to bring back our physical challenge room with a variety of interactive components for players to interface with.

This event also aims to bring to the forefront a range of technologies that we will expose to the community that operate in our day-to-day lives and examine their capabilities; contributing to the discussion of privacy, social justice and civil rights. Our event will allow the DEF CON community to fully engage in “Reading all the stories, learning all the technologies, and hacking all the things.”

CON - Friday - 12:00-17:59 PDT

The BIC Village Capture The Flag is a jeopardy style event designed to practice solving challenges in multiple categories. This event seeks to not only be a series of puzzles and challenges to solve, but a gamified way to learn concepts of social justice and Black history. This event will highlight previous, current and up & coming Black individuals and their contributions to technology. This year we are excited to bring back our physical challenge room with a variety of interactive components for players to interface with.

This event also aims to bring to the forefront a range of technologies that we will expose to the community that operate in our day-to-day lives and examine their capabilities; contributing to the discussion of privacy, social justice and civil rights. Our event will allow the DEF CON community to fully engage in “Reading all the stories, learning all the technologies, and hacking all the things.”

CON - Friday - 12:00-16:59 PDT

The BIC Village Capture The Flag is a jeopardy style event designed to practice solving challenges in multiple categories. This event seeks to not only be a series of puzzles and challenges to solve, but a gamified way to learn concepts of social justice and Black history. This event will highlight previous, current and up & coming Black individuals and their contributions to technology. This year we are excited to bring back our physical challenge room with a variety of interactive components for players to interface with.

This event also aims to bring to the forefront a range of technologies that we will expose to the community that operate in our day-to-day lives and examine their capabilities; contributing to the discussion of privacy, social justice and civil rights. Our event will allow the DEF CON community to fully engage in “Reading all the stories, learning all the technologies, and hacking all the things.”

SOC - Friday - 19:00-01:59 PDT

21:00 - 02:00 BIC Village Party with DJ Roma As the sun sets, gather around for a celebration of Reggae, Soca, Dancehall, Hiphop, Pop, R&B, Regional Hits and Caribbean Dance Style! All Flags Welcome! Rep Your Flag!