Keep your eyes on this space, we'll be adding new talks frequently!

DEF CON 101 Presentations

DEF CON 101: The Panel. Mike Petruzzi (wiseacre), Senior Cyber Security Penetration Tester Nikita Kronenberg Not a Security Researcher, DEF CON PushPin Plug Russ Rogers Chief of Operations, DEF CON DEF CON has changed for the better since the days at the Alexis Park. It has evolved from a few speaking tracks to an event that still offers the speakers, but also Villages, where you can get hands-on experience and Demo Labs where you can see tools in action. Of course, there is still the entertainment and Contest Area, as well as, Capture The Flag. There is so much more to DEF CON than there was in the past and it is our goal to help you get the best experience possible. In addition to introducing each of the different aspects and areas of DEF CON, we have a panel of speakers that will talk about how they came to be part of DEF CON and their personal experiences over the years. Mike Petruzzi has been hacking managers for over 25 years. Mike is a Senior Cyber Security Penetration Testing Specialist working at various Federal Civil Agencies for the last 15 years. Yup, that's the title he was given. Naturally, he got all his IT experience as the result of selling beer, wine and liquor. He has tricked everyone into believing that he can do anything at all. Twitter: @wiseacre_mike Nikita works full time for DEF CON doing stuff, and things. She is DEF CON’s administrator, director of the CFP review board, speaker liaison, workshop manager, and overall cat herder. Helping out over the past decade she has been involved in some capacity for over a dozen departments, activities, contests, and events. She provides annoyance, planning, and support in many ways, thus dubbed the “administrator of chaos”. If you hate the schedule, or are mad your talk was rejected, you can blame her. Nikita likes to think of herself as approachable, and loves to make people feel welcome at DEF CON, despite having R.B.F. Her hardest job yet was writing a serious third person bio. Twitter: @niki7a PushPin is an uptight, perfectionist, who is very rarely content working with idiots and enjoys his Jell-O Pudding cups. He can neither confirm nor deny working for any of the three letter agencies that oversee WMDs, high energy weapons [LASERS, YO], and play around with other countries. It is literally impossible to see him without his laptop at any given time during the day and has been told frequently to put it away in public; otherwise, you’ll find him at work devoid of any form of social life. I hate you all, seriously.. Twitter: @X72 Plug is a Mexican immigrant that immigrated to the States at age 18. While learning to read English found a 2600 magazine that lead him to his first LA2600 meeting in 1998, from that point forward he has been a computer security enthusiast. Over the years he has worked a System's Administrator with a focus in security, eventually moving full time to work in information security. Plug currently works as a Senior Security Engineer securing the network of a prominent finance and foreign exchange company. He is also working on a volunteer project to teach 5th graders basic computer security skills. In his free time he enjoys playing with synthesizers and modular systems, when possible he volunteers his time to computer security events. This is Russ’ 17th year as a DEF CON goon, and he has over 25 years experience in hacking. Russ first learned to program around the 1982 timeframe, when he received a Timex Sinclair, which used only programs keyed in via BASIC. He’s been involved in a numbers of aspects of DEF CON over the years, including the vendors, contests, DEF CON Groups, security, Hardware Hacking Village, and planning. Russ currently works a the Chief of Operations, where he depends heavily upon the other experienced hackers and goons that help run the world’s largest hacker conference. Return to Top

When the Secretary of State says: “Please Stop Hacking Us…” David An Former U.S. State Department Senior American officials routinely hold dialogues with foreign officials to discuss cyber espionage. However, if a cyber attack can be performed through proxy servers jumping several countries before reaching the U.S., then can anyone ever be sure of who is really behind the attack? Yet we often see newspaper headlines clearly identifying that one country is hacking another country through state-sponsored, cyber criminal, or hacktivist means. Even if government cyber analysts with TS/SCI security clearances have high confidence in the identity of an attacker based on forensics and human intelligence, what are the challenges in effectively addressing the topic in a diplomatic or military dialogue with the attacker country? Two major roadblocks in cyber diplomacy are the "attribution problem," and the related "disclosure dilemma." If there is indeed an attribution problem--when a country cannot be sure which other state is hacking it because a third country could be using it as a proxy--then a country could never accuse another countries of state-sponsored cyber attacks. Yet, countries routinely accuse others of cyber attacks, the public sees this in newspapers almost every day, and it is often an important topic in bilateral dialogues. Furthermore, the disclosure dilemma occurs when a country has both incentives and disincentives to disclose details on how it was hacked. On one hand, evidence will prove its case, but on another hand, evidence will make the attacker more savvy and careful not to repeat the same mistakes next time. Disclosure could create a stronger adversary. These are major concerns in the practice of cyber diplomacy today. My presentation identifies how government-to-government cyber diplomacy works, examines the attribution problem and disclosure dilemma more fully, and shows how the U.S. approaches this topic differently with partners versus potential adversaries. This is not a technical presentation, but rather it is a policy presentation on cyber diplomacy drawing from political science and my diplomatic experience. David was a tenured U.S. diplomat before leaving the U.S. government to consult for the private sector, and to write policy and academic papers. At the State Department, he was the senior political-military affairs officer covering the East Asia region and his responsibilities included coordinating diplomatic dialogues, formulating plans with the Pentagon, notifying Congress of U.S. arms sales, writing the Secretary of State’s talking points, and traveling overseas with the Secretary of State and Secretary of Defense for bilateral dialogues. His other assignments included the U.S. embassies in Beijing, Tokyo, Wellington; U.S. consulates in Sydney and Perth; American Institute in Taiwan; and U.S. Pacific Command. He completed his B.A. at UC Berkeley; M.A. in international affairs and business management, and political science Ph.D. courses at UC San Diego. Obligatory disclaimer: The comments are his own, and do not represent the U.S. government. Since Jeff Moss famously said in 2013: “Feds, we need some time apart,” David emphasizes that he is no longer a fed. Return to Top

Game of Hacks: Play, Hack & Track Amit Ashbel Product Evangelist Checkmarx Maty Siman CTO and Founder Checkmarx Fooling around with some ideas we found ourselves creating a hacker magnet. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive and the leaderboard spices up things when players compete for a seat on the iron throne. Within 24 hours we had 35K players test their hacking skills...we weren't surprised when users started breaking the rules. Join us to: Play GoH against the audience in real time and get your claim for fame

Understand how vulnerabilities were planted within Game of Hacks

See real attack techniques (some caught us off guard) and how we handled them

Learn how to avoid vulnerabilities in your code and how to go about designing a secure application

Hear what to watch out for on the ultra-popular node.js framework. Check it out at www.Gameofhacks.com Amit Ashbel joined Checkmarx From Trusteer (acquired by IBM). He has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities over the years, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats and the hi-tech security industry. Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israel Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center. Maty regularly speaks at IT security conferences and is CISSP certified since 2003. Web: www.Gameofhacks.com Return to Top

Abusing XSLT for Practical Attacks Fernando Arnaboldi Senior Security Consultant at IOActive Over the years, XML has been a rich target for attackers due to flaws in its design as well as implementations. It is a tempting target because it is used by other programming languages to interconnect applications and is supported by web browsers. In this talk, I will demonstrate how to use XSLT to produce documents that are vulnerable to new exploits. XSLT can be leveraged to affect the integrity of arithmetic operations, lead to code logic failure, or cause random values to use the same initialization vector. Error disclosure has always provided valuable information, but thanks to XSLT, it is possible to partially read system files that could disclose service or system's passwords. Finally, XSLT can be used to compromise end-user confidentiality by abusing the same-origin policy concept present in web browsers. This presentation includes proof-of-concept attacks demonstrating XSLT’s potential to affect production systems, along with recommendations for safe development. Fernando Arnaboldi is a senior security researcher and consultant at IOActive, Inc. He has over 10 years of experience in the security research space (Deloitte, Core Security Technologies and IOActive) and holds a Bachelor's degree in Computer Science. Return to Top

RFIDiggity: Pentester Guide to Hacking HF/NFC and UHF RFID Francis Brown Partner - Bishop Fox Shubham Shah Security Analyst at Bishop Fox Have you ever attended an RFID hacking presentation and walked away with more questions than answers? This talk will finally provide practical guidance for penetration testers on hacking High Frequency (HF - 13.56 MHz) and Ultra-High Frequency (UHF – 840-960 MHz). This includes Near Field Communication (NFC), which also operates at 13.56 MHz and can be found in things like mobile payment technologies, e.g., Apple Pay and Google Wallet. We'll also be releasing a slew of new and free RFID hacking tools using Arduino microcontrollers, Raspberry Pis, phone/tablet apps, and even 3D printing. This presentation will NOT weigh you down with theoretical details or discussions of radio frequencies and modulation schemes. It WILL serve as a practical guide for penetration testers to better understand the attack tools and techniques available to them for stealing and using RFID tag information, specifically for HF and UHF systems. We will showcase the best-of-breed in hardware and software that you'll need to build an RFID penetration toolkit. Our goal is to eliminate pervasive myths and accurately illustrate RFID risks via live attack DEMOS: High Frequency / NFC – Attack Demos: HF physical access control systems (e.g., iCLASS and MIFARE DESFire 'contactless smart card' product families) Credit cards, public transit cards, passports (book), mobile payment systems (e.g., Apple Pay, Google Wallet), NFC loyalty cards (e.g., MyCoke Rewards), new hotel room keys, smart home door locks, and more

Ultra-High Frequency – Attack Demos: Ski passes, enhanced driver's licenses, passports (card), U.S. Permanent Resident Card ('green card'), trusted traveler cards

Schematics and Arduino code will be released, and 100 lucky audience members will receive one of a handful of new flavors of our Tastic RFID Thief custom PCB, which they can insert into almost any commercial RFID reader to steal badge info or use as a MITM backdoor device capable of card replay attacks. New versions include extended control capabilities via Arduino add-on modules such as Bluetooth low energy (BLE) and GSM/GPRS (SMS messaging) modules. This DEMO-rich presentation will benefit both newcomers to RFID penetration testing as well as seasoned professionals. Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients. Francis has presented his research at leading conferences such as Black Hat USA, DEF CON, RSA, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications. Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation, C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques. Shubham Shah is a Security Analyst at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. Shubham's primary areas of expertise are application security assessment, source code review, and mobile application security. Shubham is a former bug bounty hunter who has submitted medium-high risk bugs to the bug bounties of large corporations such as PayPal, Facebook, and Microsoft. He regularly conducts web application security research and frequently contributes to the security of open-source projects. He has presented at Ruxcon and is known in Australia for his identification of high-profile vulnerabilities in the infrastructures of major mobile telecommunication companies. Prior to joining Bishop Fox, Shubham worked at EY. At EY, he performed web application security assessments and application penetration tests. Additionally, Shubham has been a contractor for companies such as Atlassian. As a contractor, he conducted external web application security penetration tests. Shubham also develops and maintains open-source projects such as Websec Weekly that assist the web application security industry. Twitter: @bishopfox

Facebook: https://www.facebook.com/BishopFoxConsulting

LinkedIn: https://www.linkedin.com/company/bishop-fox Return to Top

It's The Only Way To Be Sure: Obtaining and Detecting Domain Persistence Grant Bugher Perimeter Grid When a Windows domain is compromised, an attacker has several options to create backdoors, obscure his tracks, and make his access difficult to detect and remove. In this talk, I discuss ways that an attacker who has obtained domain administrator privileges can extend, persist, and maintain control, as well as how a forensic examiner or incident responder could detect these activities and root out an attacker. Grant Bugher has been hacking and coding since the early 90's and working professionally in information security for the last 11 years. He is currently a security consultant and engineer for a cloud service provider, and has previously been an architect, program manager and software engineer on a variety of online services, developer tools and platforms. Grant is a prior speaker at BlackHat and DEF CON and a regular DEF CON attendee since DEF CON 16. Most of his research and work is on cloud computing and storage platforms, application security, and detecting attacks against web-scale applications. Twitter: @fishsupreme

Web: http://perimetergrid.com Return to Top

Introduction to SDR and the Wireless Village DaKahuna satanklawz In many circumstances, we all have to wear different hats when pursuing hobbies, jobs and research. This session will discuss the exploration and use of software defined radio from two perspectives; that of a security researcher and Ham Radio operator. We will cover common uses and abuses of hardware to make them work like transceivers that the Ham crowed is use too, as well as extending the same hardware for other research applications. Additionally we will highlight some of the application of this knowledge for use at The Wireless Village! Come and join this interactive session; audience participation is encouraged. By day DaKahuna works for a small defense contractor as a consultant to large government agencies providing critical reviews of customer organizations compliance with Federal Information Systems information Security Act (FISMA) requirements, effectiveness of their implementation of National Institute for Science and Technology (NIST) Special Publication requirements, cyber security policies, cyber security program plans, and governmental standards and guidance. By night he enjoys roaming the airwaves , be it the amateur radio bands or wireless networks. He is a father of two, grandfather to three, 24 year Navy veteran communicator, holder of an amateur radio Extra Class license and a staunch supporter and exerciser of his 2nd Amendment rights who enjoys shooting targets out to 1200 yards. Satanklawz has been in the information security realm for 15 years. He built and sold a wireless ISP, worked info sec in the financial services industry and now is a public servant of sorts. His hobbies and interests have always involved radio in some sort of fashion. When he has spare time, he is completing his PhD, teaches, create mischief, and is working on his dad jokes. Flowers, red and blue, satanklawz loves *SDR*. This is a haiku. Return to Top

Guests N’ Goblins: Exposing Wi-Fi Exfiltration Risks and Mitigation techniques Peter Desfigies Cyber Security Investigations Unit, TELUS Security Solutions Joshua Brierton Sr. Security Analyst, TELUS Communications Naveed Ul Islam Managing Consultant, TELUS Wi-Fi is a pervasive part of everyone’s everyday life. Whether it be home networks, open hotspots at cafés, corporate networks or corporate guest networks they can be found virtually everywhere. Fortunately, for the security minded, some steps are taken to secure these weak points in one’s infrastructure. Usually this is done through some form of registration page which is common in the case of guest networks. But is this enough? And what new threats could be unleashed from even the most isolated of Wi-Fi networks? In the most paranoid of cases, companies will generally attempt to isolate Wi-Fi networks from their official networks in order to protect their own assets from attacks, while still ensuring that Wi-Fi is convenient for end users. But there is another way to attack a company that could be damaging to the host company and harmful to other targets. This presentation will go over the utilization of various techniques of getting onto and getting out through publicly accessible Wi-Fi networks for nefarious purposes, termed Wi-Fi Exfiltration. Through this technique one is able to obfuscate their identity by using the host of the Wi-Fi’s identity, thus implicating the host in the attack. During the presentation we will cover the findings through our tests along with a list of recommendations for what can be done to mitigate this risk. This is a must attend session to all security professionals and high level management. Peter Desfigies is a Security Consultant at TELUS Communications Inc. where he works with a team of other operations analysts to proactively investigate and analyze customer traffic, while also providing threat intelligence on attacks, campaigns, and zero-days in order to protect customer’s environment and enhance their security posture. During his time at TELUS, he has worked with a variety of teams providing LAN, WAN, Telco, Security and hardware break/fix support, and now Security Analysis for government and corporate customer. Prior to TELUS, he worked for 12 years in IT operation roles to provide backbone network support including DNS, SMTP, POP, dialup, T1 to OC12 , and Ethernet at various companies, with the bulk of his experience at UUNET / MCI. Joshua Brierton is a Sr. Security Analyst at TELUS Communications Inc. where he works with a team of SIEM specialists to provide customers with a cloud SIEM service offering. Primarily working on rule development and user work flows his other interests in the field includes developing tools to help automate and expedite repetitive work to increase user efficiency. During his time at TELUS he has worked with various teams providing security solutions from VPN services to IPS services along with outsourced development for a variety of other well-known SIEM’s. Prior to TELUS he worked for 5 years with Intellitactics Inc. doing development and device support for the content of the SIEM they provided. Collectively Josh has been working with a variety of SIEM’s for 10 years. Naveed Ul Islam (BEE Telecom/DSP, CISSP, SABSA-SCF) is a Managing Consultant at TELUS and Security Intelligence architect within the TELUS Cyber Security Investigation Unit. Naveed’s other interests are in application forensics and enterprise security architecture. Naveed’s prior duties with TELUS include securing of then world’s largest PKI infrastructure known as Secure Channel. In addition, he was responsible for secure implementation of TELUS Health Space infrastructure. He led application security practices within TELUS Health, where he was able to incorporate software security lifecycle into software development practices. Also, he has been a part of security incident response and penetration testing teams. Previous to TELUS, Naveed was a security consultant for Microsoft USA, where he performed security and privacy audits of Microsoft’s core-business related websites. He has secured several key sites such as Microsoft XBOX 360 host web site and Microsoft’s internal auction site known as Micronews. Return to Top

Let's Encrypt - Minting Free Certificates to Encrypt the Entire Web Peter Eckersley Electronic Frontier Foundation James Kasten Electronic Frontier Foundation Yan Zhu Electronic Frontier Foundation Let's Encrypt is a new certificate authority that is being launched by EFF in collaboration with Mozilla, Cisco, Akamai, IdenTrust, and a team at the University of Michigan. It will issue certificates for free, using a new automated protocol called ACME for verification of domain control and issuance. This talk will describe the features of the CA and available clients at launch; explore the security challenges inherent in building such a system; and its effect on the security of the CA marketplace as a whole. We will also update our place on the roadmap to a Web that uses HTTPS by default. Peter Eckersley is Chief Computer Scientist for the Electronic Frontier Foundation. He leads a team of technologists who watch for technologies that, by accident or design, pose a risk to computer users' freedoms—and then look for ways to fix them. They write code to make the Internet more secure, more open, and safer against surveillance and censorship. They explain gadgets to lawyers and policymakers, and law and policy to gadgets. Aside from Let's Encrypt, Peter's other work at EFF has included privacy and security projects such as Panopticlick, HTTPS Everywhere, SSDI, and the SSL Observatory; helping to launch a movement for open wireless networks; fighting to keep modern computing platforms open; and running the first controlled tests to confirm that Comcast was using forged reset packets to interfere with P2P protocols. Peter holds a PhD in computer science and law from the University of Melbourne. James Kasten is a PhD candidate in Computer Science and Engineering at the University of Michgan and a STIET fellow. James is also a contractor at the Electronic Frontier Foundation. His research focuses on practical network security and PKI. James has published on the state of TLS, its certificate ecosystem and its vulnerabilities. Most notably, James has helped design the protocol and launch the technology behind Let's Encrypt. Yan is a security engineer at Yahoo, mostly working on End-to-End email encryption and improving TLS usage. She is also a Technology Fellow at EFF and a core developer of Let's Encrypt, HTTPS Everywhere, Privacy Badger Firefox, and SecureDrop. Yan has held a variety of jobs in the past, ranging from hacking web apps to composing modern orchestra music. She got a B.S. from MIT in 2012 and is a proud PhD dropout from Stanford. Yan has been a speaker at HOPE, DEFCON 22, jQuerySF, Real World Crypto, SXSW, and various other human gatherings. She is @bcrypt on Twitter. Return to Top

Ubiquity Forensics - Your iCloud and You Sarah Edwards Test Engineer, Parsons Corporation & Author/Instructor, SANS Institute Ubiquity or "Everything, Everywhere” - Apple uses this term describe iCloud related items and its availability across all devices. iCloud enables us to have our data synced with every Mac, iPhone, iPad, PC as well as accessible with your handy web browser. You can access your email, documents, contacts, browsing history, notes, keychains, photos, and more all with just a click of the mouse or a tap of the finger - on any device, all synced within seconds. Much of this data gets cached on your devices, this presentation will explore the forensic artifacts related to this cached data. Where is the data stored; how to look at it; how is it synced; and what other sensitive information can be found that you may not have known existed! Sarah is an digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter intelligence, counter-narcotic, and counter terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling, and malware reverse engineering. Sarah has presented at many industry conferences including; Shmoocon, CEIC, various Bsides, DEF CON, and the SANS DFIR Summit. Sarah is author and instructor of the SANS Mac Forensic Analysis Course - FOR518. Return to Top

Crypto for Hackers Eijah Founder, Demonsaw Hacking is hard. It takes passion, dedication, and an unwavering attention to detail. Hacking requires a breadth of knowledge spread across many domains. We need to have experience with different platforms, operating systems, software packages, tools, programming languages, and technology trends. Being overly deficient in any one of these areas can add hours to our hack, or even worse, bring us total failure. And while all of these things are important for a well-rounded hacker, one of the key areas that is often overlooked is cryptography. In an era dominated by security breaches, an understanding of encryption and hashing algorithms provides a tremendous advantage. We can better hone our attack vectors, especially when looking for security holes. A few years ago I released the first Blu-Ray device key, AA856A1BA814AB99FFDEBA6AEFBE1C04, by exploiting a vulnerability in an implementation of the AACS protocol. As hacks go, it was a simple one. But it was the knowledge of crypto that made it all possible. This presentation is an overview of the most common crypto routines helpful to hackers. We'll review the strengths and weaknesses of each algorithm, which ones to embrace, and which ones to avoid. You'll get C++ code examples, high-level wrapper classes, and an open-source library that implements all the algorithms. We'll even talk about creative ways to merge algorithms to further increase entropy and key strength. If you've ever wanted to learn how crypto can give you an advantage as a hacker, then this talk is for you. With this information you'll be able to maximize your hacks and better protect your personal data. Eijah is the founder of demonsaw, a secure and anonymous content sharing platform, and a Senior Programmer at a world-renowned game development studio. He has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom. Twitter: @demon_saw

Web: https://www.demonsaw.com

Facebook: https://www.facebook.com/Demonsaw

Github: https://github.com/eijah/demonsaw

Email: eijah at demonsaw dot com Return to Top

Extending Fuzzing Grammars to Exploit Unexplored Code Paths in Modern Web Browsers Saif El-Sherei Analyst, SensePost Etienne Stalmans Analyst, SensePost Fuzzing is a well-established technique for finding bugs, hopefully exploitable ones, by brute forcing inputs to explore code paths in an application. In recent years, fuzzing has become a near mandatory part of any major application's security team efforts. Our work focused on fuzzing web browsers, a particularly difficult challenge given the size and quality of some of their security teams, the existing high-quality fuzzers available for this, and, of late, bug bounty programs. Despite this, our improved fuzzing approach was able to find four confirmed bugs within Google Chrome and two within Microsoft Internet Explorer 11. The bugs had varying potential exploitability. Interestingly, some had been independently discovered indicating others are active in this field. The work is on going, and we hope to have more before the presentation. As browsers continue to grow as the new universal interface for devices and applications, they have become high value targets for exploitation. Additionally, with the growth of browser fuzzing since 2004, this is a complex field to get started in. Something we hope to help address. Our research and presentation will consist of two parts: The first part is an introduction to fuzzing for the security practitioner. Here we combine the approaches, tool sets and integrations between tools we found to be most effective into a recipe for fuzzing various browsers and various platforms. The second part is a description of our work and approach used to create, and extend, browser fuzzing grammars based on w3c specifications to discover new and unexplored code paths, and find new browser security bugs. In particular, example of real bugs found in the Chrome and IE browser will be demonstrated. Saif is the body double for Borat, but couldn't pull off a mankini and ended up in information security. His focus is on fuzzing and vulnerability research. Etienne hopes he will outlive his beard, but in the meantime, this hacking schtick pays for beard oil. His other interests lie in mobile applications and no-sql databases. Both are analysts within SensePost's London office. Return to Top

Secure Messaging for Normal People Justin Engler Senior Security Engineer, iSEC Partners "Secure" messaging programs and protocols continue to proliferate, and crypto experts can debate their minutiae, but there is very little information available to help the rest of the world differentiate between the different programs and their features. This talk will discuss the types of attacks various secure messaging features can defend against so those who are tech-savvy but not crypto-experts can make informed decisions on which crypto applications to use. This talk is intended for people with no preexisting cryptography knowledge. There will be no math or programming knowledge required. The goal is to explain secure messaging concepts such as PKI, PFS, and key validation without diving into heavier crypto, math, or programming content. Justin Engler is a Principal Security Engineer with NCC Group. Justin has been involved in application security assessments of many open and closed source messaging applications and other related technologies. He has spoken previously at DEF CON, BlackHat, Toorcon, and other regional events. Justin has 5 years of security consulting experience and has been involved in security, software development, and IT professionally for over 10 years. Return to Top

Seeing through the Fog Zack Fasel Urbane Security Yes. "The Cloud" (drink). Even though many of us would much like to see use of public clouds decline, they're not going away any time soon. And with such, a plethora of companies now have revolutionary new solutions to solve your "cloud problems". From crypto to single sign on with two step auth, proxies to monitoring and DLP, every vendor has a solution, even cloud based for the cloud! What we haven't seen is much of an open source or community lead solution to these problems. So let's change that. Zack will review the laundry list of security problems with various cloud providers (and their pluthera of APIs), provide some easy fixes to the common issues seen, and introduce a few new open source tools to help monitor and defend the data and access in the wild. Zack Fasel is a Founding Partner at Urbane Security, a solutions-focused vendor-agnostic information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services. Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on him can be found at zfasel.com and on Urbane Security at UrbaneSecurity.com. Twitter: @zfasel Return to Top

Linux Containers: Future or Fantasy? Aaron Grattafiori Principal Security Consultant, iSEC Partners/NCC Group Containers, a pinnacle of fast and secure deployment or a panacea of false security? In recent years Linux containers have developed from an insecure and loose collection of Linux kernel namespaces to a production-ready OS virtualization stack. In this talk, the audience will first learn the basics of how containers function, understanding namespaces, capabilities and cgroups in order to see how Linux containers and the supporting kernel features can offer an effective application and system sandboxing solution yet to be widely deployed or adopted. Understanding LXC or Docker use, weaknesses and security for PaaS and application sandboxing is only the beginning. Leveraging container technologies is rapidly becoming popular within the modern PaaS and devops world but little has been publicly discussed in terms of actual security risks or guarantees. Understanding prior container vulnerabilities or escapes, and current risks or pitfalls in major public platforms will be explored in this talk. I'll cover methods to harden containers against future attacks and common mistakes to avoid when using systems such as LXC and Docker. This will also include an analysis and discussion of techniques such as Linux kernel hardening, reduced capabilities, Mandatory Access Controls (MAC), the User kernel namespace and seccomp-bpf (syscall filtering); all of which help actually contain containers. The talk will end on some methods for creating minimal, highly-secure containers and end on where containers are going and why they might show up where you least expect them. Aaron Grattafiori (@dyn___) is a Principal Security Consultant and Research Lead with iSEC Partners/NCC Group. A jack-of-all-security, Aaron leads projects dealing with complex system analysis, mobile and web application security to network, protocol, and design reviews to red teams and other hybrid testing. With over nine years of security experience, Aaron utilizes a wide array of technology skills, historical research and security knowledge to consistently discover critical vulnerabilities. Aaron has spoke on a wide range of topics at security conferences such as Blackhat, DEF CON Kids, Toorcon:Seattle+SanDiego, ToorCamp, Source Seattle, EELive! and SecureWorld in addition to being a guest speaker at Stanford University. Prior to working at iSEC Partners, Aaron worked as a Security Consultant for Security Innovation and is a retired long time member of the Neg9 CTF team. This will be Aaron's 12th DEF CON, w00t! Twitter: @dyn___ Return to Top

How to Shot Web: Web and mobile hacking in 2015 Jason Haddix Director of Technical Operations, Bugcrowd 2014 was a year of unprecedented participation in crowdsourced and static bug bounty programs, and 2015 looks like a trendmaker. Join Jason as he explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools, and tips make you better at hacking websites and mobile apps to claim those bounties. Convert edge-case vulnerabilities to practical pwnage even on presumably heavily tested sites. These are tips and tricks that the every-tester can take home and use. Jason will focus on philosophy, discovery, mapping, tactical fuzzing (XSS, SQLi, LFI, ++), CSRF, web services, and mobile vulnerabilities. In many cases we will explore these attacks down to the parameter, teaching the tester common places to look when searching for certain bugs. In addition he will cover common evasions to filters and as many time saving techniques he can fit in. Jasonis the Director of Technical Operations at Bugcrowd. Jason trains and works with internal application security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industries relations with the researchers. Jason’s interests and areas of expertise include, mobile penetration testing, black box web application auditing, network/infrastructural security assessments, binary reverse engineering, and static analysis. Return to Top

Alice and Bob are Really Confused David Huerta Cryptoparty Organizer There have been over 20 cryptoparties in New York City, in which people are introduced to open source cryptography software. This doesn't always go smoothly. Usability experts have only recently being included in the design process for encryption tools, but by and large what we have to work with were designed by cryptography experts in the 90s. I'll be going over some pain points between real-world users and their real-life encounters with open source cryptography tools. David Huerta ships critical art in suspicious packages and helps organize cryptoparties, which bring technologists and everyone else in New York together to learn how to protect their online privacy. Before arriving in New York, he dropped out of Arizona State University and was one of the founding members for HeatSync Labs, an Arizona hackerspace which brings makers, hackers, and the occasional futurist together to build things and teach others how to do the same. Return to Top

LTE Recon and Tracking with RTLSDR Ian Kline Wolf Den Associates Since RTLSDR became a consumer grade RX device, numerous talks and open source tools enabled the community to monitor airplanes, ships, and cars... but come on, what we really want to track are cell phones. If you know how to run cmake and have $50 to pick up an RTLSDR-E4000, I'll make sure you walk out of here with the power to monitor LTE devices around you on a slick Kibana4 dashboard. You'll also get a primer on geolocating the devices if you've got a second E4000 and some basic soldering skills. Ian has 10 years of experience studying the global RF emissions environment. Professionally, he uses this knowledge to rapidly hack up communication platforms and conduct RF surveys for pentesting and red teaming activities. Personnally, he can be found listening to satellites and building databses of all the cars that park on his block with TPMS. He currently supports Wolf Den Associates as Red Team leader and Digital Signature Specialist. Return to Top

Forensic Artifacts From a Pass the Hash Attack Gerard Laygui Security Researcher A pass the hash (PtH) attack is one of the most devastating attacks to execute on the systems in a Windows domain. Many system admins are unaware about this type of attack and the amount of damage it can do. This presentation is for the system admins that don't have a full time forensics person working with them. This presentation will help identify key windows events and explain why these events are important. The presentation will also show various free tools that can assist in examining some of the common evidence left behind. The presentation will explain and demonstrate a pass the hash attack against common windows systems in an example domain. In the end, the presentation may offer some insight into what an attacker wants and needs to use PtH to pivot in a network. Gerard has been in the IT industry for almost 20 years. He has held various network admin, system admin, web admin and security related positions throughout his career. He currently works for a Fortune 50 company doing compromise forensics and malware reverse engineering. Return to Top

I’m A Newbie Yet I Can Hack ZigBee – Take Unauthorized Control Over ZigBee Devices LI Jun Graduate student from CUIT(Chengdu University of Information Technology , Chengdu ,China),Intern at Qihoo 360 Technology Co. Ltd. YANG Qing Team Leader of Unicorn Team, Qihoo 360 Technology Co. Ltd. With the advent of the Internet of Things，more and more objects are connected via various communication protocols like Bluetooth，Z-wave，WiFi , ZigBee etc. Among those protocols ZigBee accounts for the largest market share，it has been adapted to various applications like WSN（Wireless Sensor Network），Smart Home . Over the last few years, large amount of research has been conducted on the security of ZigBee. In this presentation we will introduce a new technique to beat the security of ZigBee, we found the “signature” of the location of the security key . We will go through a specific example and share the thinking process along the way. The techniques used throughout this example can be generalized and used by other hardware reverse engineers. LI Jun is currently a hardware security intern in Unicorn Team of Qihoo 360 ,China. He is also a second year graduate student at Chengdu University of Information Technology. He received his bachelor’s degree from University of Electronic Science and Technology of China in 2013.During his college life, he switched between different majors, 2 years in Automobile Electronics,2 years in Electronic and Electric Engineering. He is interested in the security of the Internet of Things and the security of automobile electronics. Linkedin: LI Jun

Weibo: GoRushing

Twitter：@bravo_fighter YANG Qing is the team leader of Unicorn Team in Qihoo 360 Technology Co. Ltd. He has rich experiences in wireless and hardware security area, including WiFi penetration testing, cellular network interception, IC card cracking etc. His interests also cover embedded system hacking, firmware reversing, automotive security, and software radio .He is the first one who reported the vulnerabilities of WiFi system and RF IC card system used in Beijing subway. Return to Top

Are We Really Safe? - Bypassing Access Control Systems Dennis Maldonado Security Consultant - KLC Consulting Access control systems are everywhere. They are used to protect everything from residential communities to commercial offices. People depend on these to work properly, but what if I had complete control over your access control solution just by using my phone? Or perhaps I input a secret keypad combination that unlocks your front door? You may not be as secure as you think. The world relies on access control systems to ensure that secured areas are only accessible to authorized users. Usually, a keypad is the only thing stopping an unauthorized person from accessing the private space behind it. There are many types of access control systems from stand-alone keypads to telephony access control. In this talk, Dennis will be going over how and where access control systems are used. Dennis will walk through and demonstrate the tips and tricks used in bypassing common access control systems. This presentation will include attack methods of all nature including physical attacks, RFID, wireless, telephony, network, and more. Dennis Maldonado is a Security Consultant at KLC Consulting. His current work includes vulnerability management, penetration testing, infrastructure risk assessment and security research. Dennis’ focus is encompassing all forms information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis has presented at numerous workshops and meetups in the Houston area. Dennis co-founded Houston Locksport in Houston, Texas where he shares his love for lock-picking physical security. Twitter: @DennisMald Return to Top

Sorry, Wrong Number: Mysteries Of The Phone System - Past and Present "Unregistered436" Patrick McNeil Security Architect "Snide" Owen Security Researcher Exploring the phone system was once the new and exciting realm of “phone phreaks,” an ancestor of today’s computer “hackers.” The first phreaks “owned” and explored the vague mysteries of the telephone network for a time until their activities drew too much attention from the phone companies and law enforcement. The phone system evolved, somewhat, in an attempt to shut them out, and phreaking became both difficult and legally dangerous. Such events paralleled a new personal computer “revolution” wherein phone phreaks made the transition from the secret subtleties of telephony to the new and mystical frontier of personal computing. Private BBS(s) and, eventually, the Internet was not only the next logical step forward, but also provided “safer” alternatives that still allowed for the thrill of exploring the mysteries of a new modern age. Telephony, and voice security in general, became, as the years passed, something of a lost art to all but those who remember... In this presentation we begin our adventure with a journey back in time, starting in the post-war Film Noir era of the 40’s and 50’s, when users required an operator at the switchboard to make a call, investigating some of the early roots of phreaking that many have forgotten. We will briefly take a look at the weaknesses of early telephone systems and the emergence of the original phreaks in the 50’s and 60’s who found and exploited them. Our journey will also allow us to demonstrate how some of the same basic phreaking approaches are still applicable to today’s "advanced" VoIP systems. Certainly the initial creation and emergence of VoIP opened a variety of attack vectors that were covered at security conferences at the time. Commercial VoIP adoption, however, remained stagnant until standards and carriers caught up. Some VoIP hacking tools were left unmaintained, and VoIP wasn’t the sexy and mysterious attack vector it once was with the exception of tricksters who found old or insecure systems to be easy targets. Due to increased VoIP adoption over the last few years, however, telephony attacks are provocative once again. As hardboiled VoIP detectives, we’ll unravel the mysteries of the curious, shadowy, and secretive world of phreaks, tricksters, and VoIP hackers. We’ll compare and contrast old school phreaking with new advances in VoIP hacking. We’ll explain how voice systems are targeted, how they are attacked using old and new methods, and how to secure them - with demonstrations along with practical and actionable tips along the way. We may even drop a new VoIP telephony phishing tool to fuse the past and the present.. Patrick spoke about telephony fraud last year at DEF CON Skytalks (“How To Make Money Fast Using A Pwned PBX”), and is a #telephreak at heart. He has over twenty years of experience, mostly with telecom manufacturers, and spent time in charge of product security for the communications security business of a fortune 100 company. When not working you can find him practicing Kung Fu, brewing beer, or picking locks with Oak City Locksport. Twitter: @unregistered436 Owen used to be a professional developer code monkey. He’s worked in various IT fields including Server Administration, DevOps, Application Security and most recently as a penetration tester. He enjoys tinkering with various technologies, and has experimented for prolonged periods with PBXs and the obscure side of VoIP. Twitter: @linuxblog Return to Top

Backdooring Git John Menerick Security @ NetSuite Join us for a fun-filled tour of source control management and services to talk about how to backdoor software. We will focus on one of the most popular, trendy SCM tools and related services out there – Git. Nothing is sacred. Along the way, we will expose the risks and liabilities one is exposed to by faulty usage and deployments. When we are finished, you will be able to use the same tools and techniques to protect or backdoor popular open source projects or your hobby project. John Menerick works on Security @ NetSuite. John’s interests include cracking clouds, modeling complex systems, developing massive software-defined infrastructures, and is the outlier in your risk model. Return to Top

Hacking SQL Injection for Remote Code Execution on a LAMP stack Nemus Software Engineer Remember that web application you wrote when you where first learning PHP? Ever wonder how vulnerable that code base is? Through the perspective of an attacker you will see how SQL injection can lead to data loss and system compromise. This presentation will take you through the techniques and tools used to take control of a PHP web application starting from an injection point moving to PHP web shells, and ending with a Linux wildcard attack. Nemus works as a software engineer in the payment industry developing software that transfers money between banking systems. He is a founding member of 801 Labs, a hackerspace located in Salt Lake City, and is an active member of his local DEF CON group DC801. Nemus has a BS in Computer Science and is a certified GIAC Web Application Penetration Tester (GWAPT). Twitter: @Nemus801 Return to Top

Abusing native Shims for Post Exploitation Sean Pierce Technical Intelligence Analyst for iSIGHT Partners Shims offer a powerful rootkit-like framework that is natively implemented in most all modern Windows Operating Systems. This talk will focus on the wide array of post-exploitation options that a novice attacker could utilize to subvert the integrity of virtually any Windows application. I will demonstrate how Shim Database Files (sdb files / shims) are simple to create, easy to install, flexible, and stealthy. I will also show that there are other far more advanced applications such as in-memory patching, malware obfuscation, evasion, and system integrity subversion. For defenders, I am releasing 6 open source tools to prevent, detect, and block malicious shims. Sean Pierce is a Technical Intelligence Analyst for iSIGHT Partners. Sean currently specializes in reverse engineering malware & threat emulation and in the past has worked on incident response, botnet tracking, security research, automation, and quality control. Prior working at iSIGHT Partners, he was an academic researcher and part time lecturer at the University of Texas at Arlington where he earned a Bachelors of Computer Engineering with a minor in Math. Sean also does freelance consulting, penetration testing, forensics, and computer security education. He is an Eagle Scout and enjoys learning how things work. Twitter: @secure_sean Return to Top

Hacker in the Wires Dr. Phil Polstra Professor, Bloomsburg University This talk will show attendees how to use a small ARM-based computer that is connected inline to a wired network for penetration testing. The computer is running a full-featured penetration testing Linux distro. Data may be exfiltrated using the network or via a ZigBee mesh network or GSM modem. The device discussed in this talk is easily integrated into a powerful penetration test that is performed with an army of ARM-based small computer systems connected by XBee or ZigBee mesh networking. Some familiarity with Linux and penetration testing would be helpful, but not required. Phil was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since. Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2015). Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes. Twitter: @ppolstra

http://facebook.com/ppolstra Return to Top

A Hacker’s Guide to Risk Bruce Potter The Shmoo Group When the latest and greatest vulnerability is announced, the media and PR frenzy can be dizzying. However, when the dust settles, how do we actually measure the risk represented by a given vulnerability. When pen testers find holes in an organization, is it really “ZOMG, you’re SO 0WNED!” or is it something more manageable and controlled? When you’re attempting to convince the boss of the necessity of the latest security technology, how do really rank the importance of the technology against the threats facing the organization. Understanding risk can be tricky, especially in an industry that often works on gut feelings and values quantity over quality. But risk and risk management doesn’t need to be complicated. With a few basic formulas and access to some simple models, understanding risk can be a straightforward process. This talk will discuss risk, why its important, and the poor job the hacker community has done when it comes to properly assessing risk. It will also touch on some existing risk assessment and management systems, as well as provide worked examples of real world vulnerabilities and systems and the risks they pose. Finally, this talk will examine some practical guidance on how you, as hackers, security researchers, and security practitioners can better measure risk in your day to day life Bruce Potter is the founder of The Shmoo Group, one of the organizers of ShmooCon, and a director at KEYW Corporation. Bruce's lack of degrees and certifications hasn't stopped him from discussing infosec in numerous articles, books, and presentations. Bruce has been in the computer security field for nearly 2 decades which means he is getting old and increasingly jaded. His primary focus areas are trusted computing, cyber security risk management (yikes!), and large scale vulnerability analysis. Bruce believes that while attackers have the upper hand, we can still do better with the tools we have than most people realize. Bruce also believes in using fake names when ordering coffee but occasionally uses his real name to throw people off his scent. Twitter: @gdead Return to Top

Chellam – a Wi-Fi IDS/Firewall for Windows Vivek Ramachandran Founder, SecurityTube.net and Pentester Academy This talk will introduce techniques to detect Wi-Fi attacks such as Honeypots, Evil Twins, Mis-association , Hosted Network based backdoors etc. on a Windows client without the need for custom hardware or drivers. Our attack detection techniques will work for both Encrypted (WPA/WPA2 PSK and Enterprise) and Unencrypted networks. We will also release a proof of concept tool implementing our detection techniques. Even though the focus of this talk is Windows, the same principles can be used to protect other Operating Systems, both workstation and mobile. Vivek Ramachandran discovered the Caffe Latte attack, broke WEP Cloaking and publicly demonstrated enterprise Wi-Fi backdoors. He is the author of "Backtrack 5: Wireless Penetration Testing" which has sold over 13,000+ copies worldwide. He is the founder of SecurityTube.net and runs SecurityTube Training & Pentester Academy which has trained professionals from 90 countries. He has spoken/trained at DEF CON, Blackhat USA/Europe/Abu Dhabi, Brucon, Hacktivity etc. conferences. Twitter: @securitytube

Facebook: https://www.facebook.com/pagesectube Return to Top

Hardware and Trust Security: Explain it like I’m 5 Teddy Reed Security Engineer Facebook Nick Anderson Research Scientist There are a lot of presentations and suggestions that indicate HSMs, TrustZone, AMT, TrEE, SecureBoot, Attestation, TPMs, IOMMU, DRTM, etc. are silver bullets. What does it all mean, should we be afraid, excited, hopeful? Hardware-based security features are not the end of the world, nor its savior, but they can be fun and useful. Although these technologies are vulnerability research targets, their trust concepts can be used to build secure software and devices. This primer covers practical defensive uses of existing and upcoming hardware security and mobile trust technologies. We will overview the strengths, pitfalls, gotchas of these esoteric acronyms; and explain the capabilities of related features built into consumer and enterprise laptops, mobile, and embedded devices. Let’s take a tour around the wild world of hardware and trust security! Teddy is a Security Engineer at Facebook developing production security tools. He is very passionate about trustworthy, safe, and secure code development. He loves open source and collaborative engineering when scale, resiliency, and performance enable defensive and protective software design. Teddy has published at security conferences on trusted computing, hardware trusted systems, UAVs, botnet development, human performance engineering, competition game theory, biometric vulnerabilities, and PaaS API vulnerabilities. Nick Anderson is a research scientist at a US super serious secret laboratory. When Nick is not fighting cyber warriors in the cyber threatscape in his cyber career, he is actively engaged in malware research and enjoys failing at web development. Nick received his masters degree from NYU Polytechnic School of Engineering after completing his bachelors degree in Mathematics from the University of Wyoming. Return to Top

Bruce Schneier Q&A Bruce Schneier CTO, Resilient Systems Bruce Schneier Talks Security. Come hear about what's new, what's hot, and what's hype in security. NSA surveillance, airports, voting machines, ID cards, cryptography -- he'll talk about what's in the news and what matters. Always a lively and interesting talk. Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of 12 booksincluding the New York Times best-seller Data and Goliath: The Hidden Values to Collect Your Data and Control Your Worldas well as hundreds of articles, essays, and academic papers. His influential newsletter Crypto-Gram and his blog Schneier on Security are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundations Open Technology Institute, a board member of the Electronic Frontier Foundation, and an advisory board member of the Electronic Privacy Information Center. He is the CTO of Resilient Systems. Twitter: @schneierblog Return to Top

Applied Intelligence: Using Information That's Not There Michael Schrenk Security Researcher Organizations continue to unknowingly leak trade secrets on the Internet. To those in the know, these leaks are a valuable source of competitive intelligence. This talk describes how the speaker collects competitive intelligence for his own online retail business. Specifically, you learn how he combines, trends, and analyzes information within specific contexts to manufacture useful data that is real, but technically doesn't exist on it's own. For example, you will learn about the trade secrets that are hidden within sequential numbers, how he uses collected intelligence to procure inventory, and how and why he gauges the ongoing health of his industry and that of his competitors. And on a related note, you'll also learn how the federal government nearly exposed an entire generation to identity fraud. Michael Schrenk has presented six DEF CON talks on intelligence and organizational privacy, including last year's talk "You're Leaking Trade Secrets". He has developed Internet-based intelligence campaigns since 1995 for organizations as diverse as: Fortune 500 Companies, Private Investigators, Asian Art Dealers, and Investigative Journalists. His adventures in intelligence have taken him around the world, with speaking opportunities in The Middle East, Eastern Europe, The UK, Silicon Valley, and most places in between. Mike is also the author of "Webbots, Spiders, and Screen Scrapers (2007 & 2012, No Starch Press, San Francisco)". He is again teaming with No Starch Press to write a non-technical Intelligence and Counterintelligence book scheduled for publication in Q1 2016. Twitter: @mgschrenk

Facebook: facebook.com/webbots Return to Top

I Am Packer And So Can You Mike Sconzo Security Researcher Automating packer and compiler/toolchain detection can be tricky and best and downright frustrating at worst. The majority of existing solutions are old, closed source or aren’t cross platform. Originally, a method of packer identification that leveraged some text analysis algorithms was presented. The goal is to create a method to identify compilers and packers based on the structural changes they leave behind in PE files. This iteration builds upon previous work of using assembly mnemonics for packer detection and grouping. New features and analysis are covered for identification and clustering of PE files. Mike Sconzo has been around the Security Industry for quite some time, and is interested in creating and implementing new methods of detecting unknown and suspicious network activity as well as different approaches for file/malware analysis. This includes looking for protocol anomalies, patterns of network traffic, and various forms of static and dynamic file analysis. He works on reversing malware, tool creation for analysis, and threat intelligence. Currently a lot of his time is spent doing data exploration and tinkering with statistical analysis and machine learning. Return to Top

NSM 101 for ICS Chris Sistrunk Sr. ICS Security Consultant, FireEye Is your ICS breached? Are you sure? How do you know? The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith. Chris Sistrunk is a Senior Consultant at Mandiant, focusing on cyber security for industrial control systems (ICS) and critical infrastructure. Prior to joining Mandiant, Chris was a Senior Engineer at Entergy (over 11 years) where he was the Subject Matter Expert (SME) for SCADA systems. He has 10 years of experience in SCADA systems with tasks such as standards development, system design, database configuration, testing, commissioning, troubleshooting, and training. He was the co-overseer of the SCADA, relay, and cyber security labs at Entergy for 6 years. Chris has been working with Adam Crain of Automatak on Project Robus, an ICS protocol fuzzing project that has found and helped fix many implementation vulnerabilities in DNP3, Modbus, and Telegyr 8979. Chris helped organize the first ICS Village, which debuted at DEF CON 22. He is a Senior Member of IEEE, Mississippi Infragard President, member of the DNP Users Group, and also is a registered PE in Louisiana. He holds a BS in Electrical Engineering and MS in Engineering and Technology Management from Louisiana Tech University. Chris also founded and organizes BSidesJackson, Mississippi's only cyber security conference. Twitter: @chrissistrunk

https://www.facebook.com/chrissistrunk Return to Top

Beyond the Scan: The Value Proposition of Vulnerability Assessment Damon Small Security Researcher Vulnerability Assessment is, by some, regarded as one of the least “sexy” capabilities in information security. However, it is the presenter’s view that it is also a key component of any successful infosec program, and one that is often overlooked. Doing so serves an injustice to the organization and results in many missed opportunities to help ensure success in protecting critical information assets. The presenter will explore how Vulnerability Assessment can be leveraged “Beyond the Scan” and provide tangible value to not only the security team, but the entire business that it supports. Damon Small began his career studying music at Louisiana State University. Pursuing his desire to actually make money, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 15 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. Twitter: @damonsmall Return to Top

The Bieber Project: Ad Tech 101, Fake Fans and Adventures in Buying Internet Traffic Mark Ryan Talabis Chief Security Scientist, zVelo In the past year, I found myself immersed in the multi-billion dollar digital advertising industry. This gave me the opportunity to investigate the unique security challenges and issues facing the industry. It was a shock to me at first how complex the advertising ecosystem was particularly in the advent of programmatic advertising. But I dove in head first and learned a lot which I would like to share with my fellow security professionals. During this time, I got involved with unscrupulous publishers, apathetic ad networks, angry advertisers and activist malware researchers. I encountered self proclaimed experts with fantastic claims, vendors using scare tactics, and a glaring disconnect between the security and ad tech worlds. In this presentation, I would like to be able to provide the audience with my experience plus a number of things. Among which are: Provide security professionals a 101 type of introduction to the world of digital advertising ecosystem. Among the things we will tackle is what is programmatic advertising, what the roles are of the different players like ad networks are and how money is made off all this interplay.

Provide the audience a perspective on what security challenges the advertising industry is facing and opportunities for us security professionals to be involved. We all know about malvertising and its a big deal to us security guys but there are bigger, and in an advertisers perspective, more relevant issues that needs to be taken care of first. All of this will be discussed in this talk.

An introduction about the different and creative ways unscrupulous publishers can pad their earnings. We will be talking about hidden ads, ad stacking, intrusive ads, auto-refreshes, popups, popunders, blackhat SEO techniques and dirty inventory.

An in depth discussion on the problems caused by non-human traffic (NHT). We will talk about what it is, why is it a problem, how it is generated, and more importantly, how do we catch it? In fact, this presentation is named the “Bieber Project” which is the experiment which I leveraged to understand non-human traffic and determine how we can identify it. Mark Ryan Talabis is the Chief Security Scientist for zVelo Inc where he conducts research on advertising fraud and non-human traffic. He is also formerly the Director of the Cloud Business Unit of FireEye. He is an alumni member of the Honeynet Project and a member of the anti-malware working group of the Interactive Advertising Bureau (IAB) where he is contributing in the promotion of threat intel sharing across the advertising industry. His current work focuses on helping the advertisers and ad networks in finding ways to identify non-human traffic through various browser impression and behavioral based anomaly detection techniques. This also includes work on detecting various impression and click padding techniques by unscrupulous publishers. He is a graduate of Harvard University and is a co-author of two books from Elsevier Syngress: "Information Security Analytics: Finding Security Insights, Patterns, and Anomalies in Big Data" (2014) and "Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis" (2012). Techniqies He has presented in various security and academic conferences and organizations around the world including Blackhat, DEF CON, Shakacon, INFORMS, INFRAGARD, ISSA, and ISACA. Return to Top

Hijacking Arbitrary .NET Application Control Flow Topher Timzen Security Researcher - Intel This speech will demonstrate attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly level attacks that alter the control flow of any .NET application. New attack techniques and tools will be released to allow penetration testers and attackers to carry out advanced post exploitation attacks. This presentation gives an overview of how to use these tools in a real attack sequence and gives a view into the .NET hacker space. Topher Timzen has had a research emphasis on reverse engineering malware, incident response and exploit development. He has instructed college courses in malware analysis and memory forensics while managing a cybersecurity research lab. Focusing on .NET memory hijacking, he has produced tools that allow for new post exploitation attack sequences. Topher is currently a Security Researcher at Intel. Twitter: @TTimzen Return to Top

Hackers Hiring Hackers - How to Do Things Better Tottenkoph Security Consultant, Rapid7 IrishMASMS Hacker There are a lot of talks about how to be a better pen tester and workshops that show you how to use all of the cool new tools that are available to make our jobs easier, but there are only a few talks that address what some of us consider to be the hardest part of getting a job in security: the hiring process. The information security field is in desperate need of people with the technical skills hackers have to fill a myriad of roles within organizations across the world. However, both sides of the table are doing horribly when it comes to hiring and interviewing for work. Organizations are doing poorly trying to communicate expectations for a job, there are people going to interviews without knowing how to showcase their (limited or vast) experience, and some people posture themselves so poorly that the hiring managers don’t think the candidates are really interested in the job. This talk takes the experiences of the speakers as both interviewers and interviewees as well as from others within the scene in order to help better prepare hackers to enter (or move within) “the industry” as well as let the people making hiring decisions know what they can do to get the people and experience they need for their teams. Tottenkoph has been hacking for the past 10 years and is currently a security consultant for Rapid7. Tottie has spoken at several hacker cons and is currently pursuing her Master’s degree in Industrial and Organizational Psychology, planning to apply its practices to the hacker and infosec communities. Twitter: @Tottenkoph IrishMASMS is an old school hacker, fighting the good fight in Computer Network Defence (CND)/blue team efforts for over 16 years. Been lurking about since DEF CON 10, DJing the B&W ball at DEF CON 18 (with quite a few AP pool shindigs and private parties along the way). Panel member at HOPE 5, presenter at a couple of Notacon’s, and some other conferences that are hard to remember what really happened. Having progressed through the ranks to hiring manager and director level, he has experienced the pain from both sides of the hiring process and desires to improve the situation for the InfoSec community. Is this where we mention cyberderp? Twitter: @IrishMASMS Return to Top

QARK: Android App Exploit and SCA Tool Tony Trummer Staff Information Security Engineer/LinkedIn Tushar Dalvi Sr. Security Engineer/LinkedIn Ever wonder why there isn't a metasploit-style framework for Android apps? We did! Whether you're a developer trying to protect your insecure app from winding up on devices, an Android n00b or a pentester trying to pwn all the things, QARK is just what you've been looking for! This tool combines SCA, teaching and automated exploitation into one, simple to use application! Tony Trummer (@SecBro1) - has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently an in-house penetration tester for LinkedIn, running point on their mobile security initiatives and has been recognized in the Android Security Acknowledgements. When he's not hacking, he enjoys thinking about astrophysics, playing devil's advocate and has been known to dust his skateboard off from time-to-time. Twitter: @SecBro1

LinkedIn: www.linkedin.com/in/tonytrummer Tushar Dalvi (@tushardalvi) - Loves breaking web applications and ceramic bowls. Tushar Dalvi is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide. Twitter: @tushardalvi

LinkedIn: www.linkedin.com/in/tdalvi Return to Top

Hacking Web Apps Brent White Security Consultant, Solutionary, Inc. Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, I'll go over the different stages of a web application pen test, from start to finish. We'll start with the discovery phase to utilize OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of targets "footprint", all the way to fuzzing parameters to find potential SQL injection vulnerabilities. I'll also discuss several of the tools and some techniques that I use to conduct a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps. Brent is an Offensive Security Consultant at Solutionary‹An NTT Group Security Company and has spoken at numerous security conferences, including DEF CON 22‹SE Village. He has held the role of Web/Project Manager and IT Security Director at the headquarters of a global franchise company. His experience includes Internal and External Penetration Assessments, Social Engineering and Physical Security Assessments, Wireless and Application Vulnerability Assessments and more. Twitter: @BrentWDesign Return to Top

And That's How I Lost My Other Eye: Further Explorations In Data Destruction Zoz Robotics Engineer and Security Researcher How much more paranoid are you now than you were four years ago? Warrantless surveillance and large-scale data confiscation have brought fear of the feds filching your files from black helicopter territory into the mainstream. Recent government snatch-and-grabs have run the gamut from remotely imaging foreign servers to straight up domestic coffeeshop muggings, so if you think you might need to discard a lot of data in hurry you're probably right. In their legendary DEF CON 19 presentation Shane Lawson, Bruce Potter and Deviant Ollam kicked off the discussion, and now it's time for another installment. While purging incriminating material residing on spinning disks remains the focus, the research has been expanded to encompass solid state storage and mobile solutions to your terabyte trashing needs. With best efforts to comply with the original constraints, the 2015 update features more analysis of the efficacy of kinetic projectiles, energetic materials and high voltages for saving your freedom at the potential cost of only a redundant body part... or two. Zoz is a robotics engineer, rapid prototyping specialist and lifelong enthusiast of the pyrotechnic arts. Once he learned you could use a flamethrower and a coffee creamer bomb to fake a crop circle for TV he realized there are really no limits to creative destruction. Return to Top

Presentations

Malware in the Gaming Micro-economy Zack Allen Lead Research Engineer, ZeroFOX Rusty Bower Information Security Engineer Microeconomics focuses on how patterns of supply and demand determine price and output in individual markets [1]. Within recent years, micro-economies have flourished within the video game industry. Companies like Valve rely heavily on a business model that depends on gamers making purchases for in-game items. Players can trade these items in bulk for a rare item, make bets on a competitive gaming match or gift the item for a charity event. While originally well-intentioned, creating these micro-economies also created an incentive for criminals to scam and even steal from unsuspecting victims. Traditional scams date as far back to games like Diablo or Runescape where players were duped in trade windows and in game messaging systems were used to steal items. These low-tech strategies are effective, but recently a new, high-tech scam strategy has emerged relying upon malware specifically targeting the Steam micro-economy. Over the last year, we have collected and reversed dozens of samples of malware that target Steam users. Pieces of malware can be sophisticated RAM scrapers that pilfer an item in memory and send trade requests through the Steam trading API, or as simple as a remote login service. The end result is the same - the hacker loots the victim’s backpack of in game items to sell them on the market for profit. This talk focuses on the techniques we have found in these samples, surveys of victims of these scams and the distribution of money lost from them (up to the $1000s of dollars for users in some cases) and the defenses Steam has put in place to combat this hacker underground. Zack Allen is an RIT graduate, majoring in Information Security. He is also an alum of the Advanced Course for Engineering (ACE) held at AFRL every summer. After working for a government contractor, he joined the exciting startup world and is currently a Research team lead at ZeroFOX. His security specialties include research and development, threat intelligence, tool creation and red teaming. Rusty Bower graduated from the Rochester Institute of Technology with a degree in Information Security. He has been employed at Lockheed Martin and Palantir Technologies tackling a variety of security challenges. His experience is mainly focused in security operations, incident response, tool development, and infrastructure management. He is currently an Information Security Engineer in the Los Angeles area, tackling security challenges at scale. Return to Top

How to secure the keyboard chain Paul Amicelli Student from IT Engineering School - ESIEA in Laval, France Baptiste David Engineer from IT Engineer School - ESIEA in Laval, France Keyloggers are hardware or software tools that record keystrokes. They are an overlooked threat to the computer security and user’s privacy. As they are able to retrieve all sensitive information typed on a keyboard in an almost invisibly way , they need to be seriously considered both for companies and individuals. Almost all the security measures against keyloggers are post-active and static. *So what if the solution were to be proactive, and use the same technology as keyloggers do, in order to fool them ? This is all about this presentation, a way of fooling all known and unknown keyloggers (physicals, kernel-mode and user-mode) through a kernel mode driver developed under Windows. The technical details will be presented during the presentation, as well as the results and propositions. Basically, the idea is to use a kernel mode driver which encrypts each keyboard key hit, at a very low level in the system (near the driver port). The encryption is made according to a common key, exchanged with a client application which needs to ensure that the entered text is secured and not recorded. After the driver has encrypted a key, it spreads it to the entire system. Thus, only the client application, holding the encryption key, can decrypt the keyboard key. In this way, the whole system is fooled. Paul Amicelli is a French engineering student at ESIEA, an IT Engineering School in Laval, France. Fascinated by the world of computer security, he is currently involved as a student researcher in the Operational Cryptology and Virology research lab of its school, where some projects like the encryption solution Gostcrypt, in which he is taking part of, are developed. Prior to that, he has done a two-year preparatory class for the Grandes Ecoles in mathematics and physics (CPGE). Baptiste David is a computer science engineer who has been working for the CVO laboratory for many years. His research areas are based on operational and offensive computer security for protection of critical systems. He is specialized n reverse engineering, kernel development and malware analysis. He has especially worked on GostCrypt and many antivirus project for many years. He made numerous conferences all over the world about security and offensive techniques. Return to Top

How to hack your way out of home detention AmmonRa Security Researcher Home detention and criminal tracking systems are used in hostile environments, and because of this, the designers of these trackers incorporate a range of anti-removal and tamper detection features. Software security, however, is an area on which less focus is placed. This talk will cover practical attacks against home detention tracking systems, with a focus on software security. Intercepting and modifying tracking information sent from the device in order to spoof the tracker’s location will be demonstrated. General information about how home detention tracking systems operate will be discussed, including the differences between older proximity based systems which used landlines, and newer models which use GPS and cellular networks. Topics will include how to (legally) get hold of and test a real world device, and how to use cheap software defined radios to spoof GSM cell towers. Focus will be on the details of how one particular device is constructed, how it operates and the vulnerabilities it was found to contain. How these vulnerabilities can be exploited and the challenges of doing so in the wild will also be covered. AmmonRa is a former dev who now works in infosec as a pentester. Both at work and in his spare time AmmonRa hacks things. As well as hacking computers, AmmonRa is a DIY cyborg, designing and implanting in himself a range of devices, including NFC/RFID chips, biometric sensors and subdermal lights. Twitter: @amm0nra Return to Top

Fun with Symboliks atlas dude at Grimm Asking the hard questions... and getting answer! Oh binary, where art thine vulns? Symbolic analysis has been a "thing" for 20 years, and yet it's still left largely to the obscure and the academic researchers (and NASA). several years ago, Invisigoth incorporated the Symboliks subsystem into the Vivisect binary analysis framework. due to that inclusion, the very nature of binary analysis has been broken down, rethought, and arisen out of the ashes. this talk will give an introduction into Symboliks, Graph Theory, and the path forward for reverse engineering and vulnerability research, all from an interactive Python session or scripts. A four time winner of DEF CON capture the flag and retired captain of the team "1@stplace", over the past decade atlas has proved expertise in programmatic reverse-engineering, automated vulnerability discovery and exploitation, and braking into or out of nearly every type of computer system/subsystem. areas of specialty include exmpedded/IoT exploitation, power systems and industrial control systems exploitation, automotive exploitation, and client/server/application exploitation. Twitter: @at1as Return to Top

Quantum Computers vs. Computers Security Jean-Philippe Aumasson Principal Cryptographer, Kudelski Security, Switzerland We've heard about hypothetical quantum computers breaking most of the public-key crypto in use—RSA, elliptic curves, etc.—and we've heard about "post-quantum" systems that resist quantum computers. We also heard about quantum computers' potential to solve other problems considerably faster than classical computers, such as discrete optimization, machine learning, or code verification problems. And we heard about a commercial quantum computer, and we heard vendors of quantum key distribution or quantum random number generators promise us security as solid as the laws of physics. Still, most of us are clueless regarding: How quantum computers work and why they could solve certain problems faster than classical computers?

What are the actual facts and what is FUD, hype, or journalistic exaggeration?

Could quantum computers help in defending classical computers and networks against intrusions?

Is it worth spending money in post-quantum systems, quantum key distribution, or in purchasing or developing of a quantum computer?

Will usable quantum computers be built in the foreseeable future? This talk gives honest answers to those questions, based on the latest research, on analyses of the researchers' and vendors' claims, and on a cost-benefit-risk analyses. We'll expose the fundamental principles of quantum computing in a way comprehensible by anyone, and we'll skip the technical details that require math and physics knowledge. Yet after this talk you'll best be able to assess the risk of quantum computers, to debunk misleading claims, and to ask the right questions. Jean-Philippe (JP) Aumasson is Principal Cryptographer at Kudelski Security, in Switzerland. He is known for designing the cryptographic functions BLAKE, BLAKE2, SipHash, and NORX. He has spoken at conferences such as Black Hat, RSA, and CCC, and initiated the Crypto Coding Standard and the Password Hashing Competition projects. He co-wrote the 2015 book "The Hash Function BLAKE". He is member of the technical advisory board of the Open Crypto Audit Project and of the Underhanded Crypto Contest. JP tweets as @veorq. Twitter: @veorq Return to Top

Key-Logger, Video, Mouse — How To Turn Your KVM Into a Raging Key-logging Monster Yaniv Balmas Security Researcher, Check Point Software Technologies Lior Oppenheim Security Researcher, Check Point Software Technologies Key-Loggers are cool, really cool. It seems, however, that every conceivable aspect of key-logging has already been covered: from physical devices to hooking techniques. What possible innovation could be left in this field? Well, that's what we used to think too. That is until we noticed that little grey box sitting there underneath a monitor, next to yesterday's dirty coffee cup. The little grey box that is most commonly known as 'KVM'. The talk will tell the tale of our long journey to transform an innocent KVM into a raging key-logging monster. We will safely guide you through the embedded wastelands, past unknown IC's, to explore uncharted serial protocols and unravel monstrous obfuscation techniques. Walking along the misty firmware woods of 8051 assembly we will challenge ambiguous functions and confront undebuggable environments. Finally, we will present a live demo of our POC code and show you that air-gapped networks might not be as segregated as you imagined. You will witness that malware code could actually reside outside your computer, persisting through reboots, wipes, formats, and even hardware replacements. You might laugh, you might cry, but one thing is certain - you will never look at your KVM the same as before. Yaniv is a software engineer and a seasoned professional in the security field. He wrote his very first piece of code in BASIC on the new Commodore-64 he got for his 8th birthday. As a teenager, he spent his time looking for ways to hack computer games and break BBS software. This soon led to diving into more serious programming, and ultimately, the security field where he has been ever since. Yaniv is currently working as a security researcher and deals mainly with analyzing malware and vulnerability research Twitter: @ynvb Lior Oppenheim is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Oppenheim was trained and served in an elite technological unit performing security research in the IDF. In his spare time, he loves tap dancing, reversing, playing his guitar and pwning embedded devices. Twitter: @oppenheim1 Return to Top

Canary: Keeping Your Dick Pics Safe(r) Rob Bathurst (evilrob) Security Engineer and Penetration Tester Jeff Thomas (xaphan) Senior Cyber Security Penetration Testing Specialist The security of SSL/TLS is built on a rickety scaffolding of trust. At the core of this system is an ever growing number of Certificate Authorities that most people (and software) take for granted. Recent attacks have exploited this inherent trust to covertly intercept, monitor and manipulate supposedly secure communications. These types of attack endanger everyone, especially when they remain undetected. Unfortunately, there are few tools that non-technical humans can use to verify that their HTTPS traffic is actually secure. We will present our research into the technical and political problems underlying SSL/TLS. We will also demonstrate a tool, currently called “Canary”, that will allow all types users to validate the digital certificates presented by services on the Internet. Evilrob is a Security Engineer and Penetration Tester with over 14 years of experience with large network architecture and engineering. His current focus is on network security architecture, tool development, and high-assurance encryption devices. He currently spends his days contemplating new and exciting ways to do terrible things to all manner of healthcare related systems in the name of safety. Twitter: @knomes xaphan is a "Senior Cyber Security Penetration Testing Specialist" for a happy, non-threatening US government agency. He has been a penetration tester for 17 years, but maintains his sanity with a variety of distractions. He is the author of several ancient and obsolete security tools and the creator of DEFCOIN. Twitter: @slugbait Return to Top

Extracting the Painful (blue)tooth Matteo Beccaro Matteo Collura Do you know how many Bluetooth-enabled devices are currently present in the world? With the beginning of the IoT (Internet of Things) and Smart Bluetooth (Low energy) we find in our hands almost a zillion of them. Are they secure? What if I tell you I can unlock your Smartphone? What if I tell you I'm able to open the new shiny SmartLock you are using to secure your house's door? In this talk we will explain briefly how the Bluetooth (BDR/EDR/LE) protocols work, focusing on security aspects. We will show then some known vulnerabilities and finally we will consider deeply undisclosed ones, even with live demonstrations. Matteo Beccaro is a young security researcher. His interest focus on WiFi networks, networking and NFC implementations. He finished high school studies in July 2013 and actually he is a student at Politecnico di Torino in Computer Engineering course. He has been selected as speaker at DEF CON 21, 30C3, BlackHat US Arsenal, DEF CON 22's Skytalks and BlackHat EU 2014 and Tetcon, for his research in vulnerabilities of NFC transport systems. Since 2013 he is also pentester and security engineer at Secure Network s.r.l. Since 2015 he is also technical leader of the Security Research Team of OPFOR, the physical security division of Secure Network s.r.l. Twitter: @_bughardy_ Matteo Collura is a student of Electronics Engineering at Politecnico di Torino. He has been studying Wireless networks and in the last few years he focused on NFC. He presented the results of a progressive work of research at several conferences: DEF CON 21 (Las Vegas, 2013), 30C3 (Hamburg 2013), DEF CON Skytalks (Las Vegas, 2014), BlackHat USA 2014 Arsenal (Las Vegas). Currently he is studying Bluetooth protocols and their implementations. Twitter: @eagle1753 Return to Top

802.11 Massive Monitoring Andres Blanco Sr Researcher, Core Security Andres Gazzoli Sr Developer, Core Security Wireless traffic analysis has been commonplace for quite a while now, frequently used in penetration testing and various areas of research. But what happens when channel hopping just doesn't cut it anymore -- can we monitor all 802.11 channels? In this presentation we describe the analysis, different approaches and the development of a system to monitor and inject frames using routers running OpenWRT as wireless workers. At the end of this presentation we will release the tool we used to solve this problem. Andrés Blanco is a researcher at CoreLabs, the research arm of Core Security. His research is mainly focused on wireless, network security and privacy. He has presented at Black Hat USA Arsenal, Hacklu and Ekoparty, and has published several security advisories. Twitter: @6e726d Andrés Gazzoli works at Core Security and is part of the Core Impact Pro developer team. He is a C++ developer with extensive experience in UI development. He enjoys everything related to wireless technologies and privacy. Return to Top

Exploring Layer 2 Network Security in Virtualized Environments Ronny L. Bull Ph.D. Graduate Student, Clarkson University Jeanna N. Matthews Associate Professor, Clarkson University Cloud service providers offer their customers the ability to deploy virtual machines in a multi-tenant environment. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. In this paper, we explore whether Layer 2 network attacks that work on physical switches apply to their virtualized counterparts by performing a systematic study across four major hypervisor environments - Open vSwitch, Citrix XenServer, Microsoft Hyper-V Server and VMware vSphere - in seven different virtual networking configurations. First, we use a malicious virtual machine to run a MAC flooding attack and evaluate the impact on co-resident VMs. We find that network performance is degraded on all platforms and that it is possible to eavesdrop on other client traffic passing over the same virtual network for Open vSwitch and Citrix XenServer. Second, we use a malicious virtual machine to run a rogue DHCP server and then run multiple DHCP attack scenarios. On all four platforms, co-resident VMs can be manipulated by providing them with incorrect or malicious network information. Mr. Bull is a Computer Science Ph.D. graduate student at Clarkson University focusing on Layer 2 network security in virtualized environments. He presented his preliminary research involving MAC flooding attacks against virtualized networks at the DerbyCon 4.0 computer security conference held in Louisville, KY in September 2014. Mr. Bull earned an A.A.S. degree in Computer Networking at Herkimer College in 2006 and completed both a B.S. and M.S. in Computer Science at the State University of New York Institute of Technology in 2011. He was a founding faculty member of the School of Engineering at SUNY Polytechnic Institute in Utica, NY teaching undergraduate and graduate courses in both the Network and Computer Security and Telecommunications programs, and also served as an advisor to the SUNY Poly Network and Computer Security club. Mr. Bull recently made a transition to Utica College as an Assistant Professor of Computer Science with a focus in networking and cybersecurity. He also co-founded and is one of the primary organizers of the Central New York Intercollegiate Hackathon event which brings together local cybersecurity students from colleges in Central New York to compete against each other in offensive and defensive cybersecurity activities. Dr. Matthews is an Associate Professor of Computer Science at Clarkson University. Her research interests include virtualization, cl