Detecting Blue Team Research Through Targeted Ads Saturday at 13:30 in Track 2

20 minutes | 0x200b, Hacker

When my implant gets discovered, how will I know? Did the implant stop responding for some benign reason, or is the IR team responding? With any luck they'll upload the sample somewhere public so I can find it, but what if I could find out when they start looking for specific bread crumbs in public data sources? At some point, without any internal data, all blue teams turn to OSINT, which puts their searches within view of the advertising industry. In this talk I will detail how I was able to use online advertising to detect when a blue team is hot on my trail.

0x200b

I'm just a security researcher who's always using tools in unintended ways. I'm a defender by trade: I work on understanding the adversary, then designing mitigations based on what I've learned. Currently I work at the intersection of healthcare and the cloud, designing systems that make it harder for the adversary to operate.


Hacking PLCs and Causing Havoc on Critical Infrastructures Saturday at 11:00 in 101 Track, Flamingo

45 minutes | Demo, Exploit

Thiago Alves, Ph.D. Student and Graduate Research Assistant at the University of Alabama in Huntsville

Programmable Logic Controllers (PLCs) are devices used in a variety of industrial plants, from small factories to critical infrastructures like nuclear power plants, dams and wastewater systems. Although PLCs were made robust to withstand tough environments, little care was taken to raise defenses against potential cyber threats. As a consequence, threats started pouring in and causing havoc. During this presentation I will talk about the architecture of a PLC and how it can be p0wned. There will be live demonstrations of attacks against 3 different brands of PLCs (if the demo demons allow it; if not, I will just show a video). Additionally, I will demonstrate two vulnerabilities I recently discovered, affecting the Rockwell MicroLogix 1400 series and the Schneider Modicon M221 controllers.

Thiago Alves

Thiago Alves received his B.S. degree in electrical engineering from the "Pontifícia Universidade Católica" (PUC) in 2013. In 2014 he created OpenPLC, the world's first open source industrial controller. OpenPLC is being used as a valuable tool for control system research and education. The OpenPLC project has contributions from several universities and private companies, such as Johns Hopkins and FreeWave Technologies. In 2017 Thiago won first place in CSAW, the world's largest student-run cybersecurity competition, with his innovative embedded security solution for OpenPLC. Currently Thiago is a Ph.D. student at the University of Alabama in Huntsville. His research interests include cybersecurity for SCADA systems, industrial controllers and embedded systems.


Asura: A huge PCAP file analyzer for anomaly packets detection using massive multithreading Sunday at 13:30 in Track 1

20 minutes | Tool

Ruo Ando, Center for Cybersecurity Research and Development, National Institute of Informatics, Japan

Recently, the inspection of huge traffic logs has imposed a great burden on security analysts. Unfortunately, there have been few research efforts focusing on scalability in analyzing very large PCAP files with reasonable computing resources. Asura is a portable and scalable PCAP file analyzer for detecting anomalous packets using massive multithreading. Asura's parallel packet dump inspection is based on task-based decomposition and can therefore handle massive numbers of threads for large PCAP files without the careful parameter selection that data decomposition requires. Asura is designed to scale out in processing large PCAP files by taking as many threads as possible.



Asura works in two steps. First, Asura extracts a feature vector represented by associative containers keyed on <sourceIP, destIP> pairs. By doing this, the feature vector becomes drastically smaller than the original PCAP files. In other words, Asura reduces the packet dump data to the size of the set of unique <sourceIP, destIP> pairs (for example, in our experiment, the output of Asura's first step was about 2% of the size of the original libpcap files). Second, a parallel clustering algorithm is applied to the feature vector, which is represented as {<sourceIP, destIP>, V[i]}, where V[i] is the aggregated flow vector. In the second step, Asura adopts an enhanced K-means algorithm. Concretely, two functions of K-means, (1) calculating distances and (2) relabeling points, are improved for parallel processing.



In our experiment on public PCAP datasets, Asura identified 750 packets labeled as malicious from among 70 million (about 18GB) normal packets. In a nutshell, Asura successfully found 750 malicious packets in about 18GB of packet dump. For Asura to inspect 70 million packets took a reasonable computing time of around 350-450 minutes with 1000-5000 threads on a commodity workstation. Asura will be released under the MIT license and available on the author's GitHub site on the first day of DEF CON 26.

Ruo Ando

Ruo Ando is an associate professor by special appointment at NII (National Institute of Informatics) in Japan. He holds a Ph.D. in computer science. Before joining NII, he was engaged in a research project supported by the US AFOSR in 2003 (Grant Number AOARD 03-4049). He has presented his research at PacSec2011 (BitTorrent crawler) and GreHack2013 (DNS security). He was a co-presenter at SysCan2009 and FrHack2009 (virtual machine introspection). His current research interest is network security.


One bite and all your dreams will come true: Analyzing and Attacking Apple Kernel Drivers Sunday at 14:00 in Track 3

45 minutes | Demo, Tool, Exploit

Xiaolong Bai, Security Engineer, Alibaba Inc.; Min (Spark) Zheng, Security Expert, Alibaba Inc.

Though many security mechanisms are deployed in Apple's macOS and iOS systems, some old-fashioned or poor-quality kernel code still leaves the door wide open to attackers. In particular, as critical components of the kernel, device drivers are frequently exploited to attack Apple systems. In fact, bug hunting in Apple kernel drivers is not easy, since they are mostly closed-source and rely heavily on object-oriented programming. In this talk, we will share our experience of analyzing and attacking Apple kernel drivers. Specifically, we will introduce a new tool called Ryuk. Ryuk employs static analysis techniques to discover bugs by itself or to assist manual review.



In addition, we further combine static analysis with dynamic fuzzing for bug hunting in Apple drivers. Specifically, we will introduce how we integrate Ryuk with the state-of-the-art Apple driver fuzzer, PassiveFuzzFrameworkOSX, for finding exploitable bugs.



Most importantly, we will illustrate Ryuk's power with several new vulnerabilities recently discovered by Ryuk. Specifically, we will show how we exploit these vulnerabilities for privilege escalation on macOS 10.13.3 and 10.13.2. We will not only explain why these bugs occur and how we found them, but also demonstrate how we exploit them with innovative kernel exploitation techniques.

Xiaolong Bai

Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. degree from Tsinghua University. He has published several research papers at top conferences including IEEE S&P, USENIX Security, CCS and NDSS, and presented his research at Black Hat USA and Hack In The Box. He has been acknowledged by well-known vendors, including Apple, Google, Facebook, Evernote, and Tencent, for his contribution in discovering vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development.



@bxl1989

Min (Spark) Zheng

Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. degree in the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, and system design and implementation. Before receiving the Alibaba A-Star offer award in 2015, he worked at FireEye, Baidu and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the "best security researcher" award at FIT 2016 for detecting iOS/macOS vulnerabilities, the XcodeGhost virus and the WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He has presented his research at DEF CON, HITB, BlackHat, RUXCON, etc.



@SparkZheng


You may have paid more than you imagine—Replay Attacks on Ethereum Smart Contracts Saturday at 10:00 in Track 3

45 minutes | Demo, Exploit

Zhenxuan Bai, Freelance Security Researcher; Yuwei Zheng, Senior Security Researcher, Unicorn Team, 360 Technology; Senhua Wang, Freelance Security Researcher; Kunzhe Chai, Leader of PegasusTeam at 360 Radio Security Research Department, 360 Technology

In this talk, a new replay attack based on Ethereum smart contracts is presented. In token transfers, the risk of a replay attack cannot be completely avoided when the sender's signatures are abused, which can cause losses to users. The reason is that the scope in which the signatures apply is not properly designed in the smart contracts. To test and verify this loophole, we selected two similar smart contracts for our experiment and used our own accounts in these two contracts to carry it out. Because the same signatures were accepted by both contracts, we successfully obtained a double payment from the sender. The experiment verified that the replay attack really exists. Moreover, the replay attack may exist in multiple smart contracts. We counted the number of smart contracts with this loophole, as well as the corresponding transaction activity, and found that some Ethereum smart contracts are at risk from this loophole. Based on the vulnerability of the contract signature, the risk level is calibrated and depicted. Furthermore, the replay attack pattern is extended to within-contract, cross-contract and cross-chain cases, which provides a pertinent reference for protection. Finally, countermeasures are proposed to fix this vulnerability.

Zhenxuan Bai

Zhenxuan Bai is a freelance Security Researcher interested in smart contracts and blockchain, and a consultant of UnicornTeam. He is a co-researcher of the Blackberry decryption project, which managed to decrypt Blackberry BBM, PIN messages and BIS secure mail without keys.

Yuwei Zheng

Yuwei Zheng is a senior security researcher at the Radio Security Department of 360 Technology and a core member of UnicornTeam. He cracked the protocols of Blackberry BBM, PIN messages and BIS secure mail, and successfully decrypted the messages without keys. He is currently focusing on the security research of cellular networks, IoT systems, and mobile basebands. He has presented his research at top-level security conferences like BlackHat, DEF CON, HITB etc.

Senhua Wang

Senhua Wang is a freelance Security Researcher interested in smart contracts and blockchain, and a consultant of UnicornTeam.

Kunzhe Chai

Leader of PegasusTeam at 360 Radio Security Research Department in 360 Technology. He focuses on wireless security, including attack-defense research. He is the person in charge of the attack and defense technology of the Skyscan Wireless Intrusion and Prevention System, and one of the authors of the well-known wireless security tool MDK4. He leads his team in sharing research results at HITB, HITCON, Blackhat, China ISC etc.



twitter@swe3per


What the Fax!? Sunday at 15:00 in Track 2

45 minutes | Demo, Tool, Exploit, Audience Participation

Yaniv Balmas, Security Researcher, Check Point Software Technologies; Eyal Itkin, Security Researcher, Check Point Software Technologies

Unless you've been living under a rock for the past 30 years or so, you probably know what a fax machine is. For decades, fax machines were used worldwide as the main way of electronic document delivery. But this happened in the 1980s. Humanity has since developed far more advanced ways to send digital content, and fax machines are all in the past, right? After all, they should now be nothing more than a glorified museum item. Who on earth is still using fax machines?



The answer, to our great horror, is EVERYONE. State authorities, banks, service providers and many others are still using fax machines, despite their debatable quality and almost non-existent security. In fact, using fax machines is often mandatory and considered a solid and trustworthy method of delivering information.



What the Fax?! We embarked on a journey with the singular goal of disrupting this insane state of affairs. We went to work, determined to show that the common fax machine could be compromised via mere access to its fully exposed and unprotected telephone line -- thus completely bypassing all perimeter security protections and shattering to pieces all modern-day security concepts.



Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line.



This talk is intended to be the canary in the coal mine. The technology community cannot sit idly by while this ongoing madness is allowed to continue. The world must stop using FAX!

Yaniv Balmas

Yaniv Balmas is a software engineer and a seasoned professional in the security field. He wrote his very first piece of code in BASIC on the new Commodore-64 he got for his 8th birthday. As a teenager, he spent his time looking for ways to hack computer games and break BBS software. This soon led to diving into more serious programming, and ultimately, the security field where he has been ever since. Yaniv is currently leading the security research group at Check Point Software Technologies where he deals mainly with analyzing malware and vulnerability research.



@ynvb

Eyal Itkin

Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award from Microsoft for his CFG enhancement white paper. When not breaking PTP or I2P, he loves bouldering, swimming, and thinking about the next target for his research.



@EyalItkin


Rock appround the clock: Tracking malware developers by Android "AAPT" timezone disclosure bug Sunday at 10:00 in Track 1

45 minutes | Demo

Sheila A. Berta, Security Researcher at Eleven Paths; Sergio De Los Santos, Head of Innovation and Lab at Eleven Paths

Are you a malware developer for Android devices? We have very bad news for you: the Android-SDK packager (aapt) is leaking your time zone! We have found a bug inside this Android-SDK component that consists of not properly setting the value of a variable used as an argument to the localtime() function when setting the "Last Modified" field for the Android app's files. Because of this, the time zone of anyone using the Android-SDK packager to generate their APKs is leaked. The curious thing is that, despite this bug inside aapt, the problem goes even beyond aapt itself: its roots go deep into incorrect error handling in the operating system functions localtime() (Windows) and localtime_r() (UNIX).



Because in the world of Threat Intelligence the attacker's geographical location is one of the most valuable pieces of data for attribution techniques, we focused our research on taking advantage of this bug for tracking Android malware developers. In addition to this, we have discovered another very effective way to find out the developer's time zone, based on a calculation of the time difference between the GMT timestamp extracted from the Android app's files and the UTC timestamp of the self-signed, "disposable" certificate added to the application (the most common case among malware developers). This is what we call: Rock appround the clock! Using these two different techniques, we have crunched some numbers with our 10 million app database to determine how these leaked time zones (found with one technique or the other) are related to malware, which countries generate the most Android malicious applications, what the possible relation between time zone and "malware likelihood" is, among other interesting numbers.



But that's not all, we have more bad news for malware developers: no IDE (not even Android Studio) removes metadata from the files added to the Android app. We will show examples from real cases in which, after analyzing the metadata of files inside the .apk, we got to know the country, language, or even more specific geographical location of the developer and, in some cases, the name of the supposed-to-be-anonymous developer! Finally, we will share the scripts we have built to get all this information with just a simple click.

Sheila A. Berta

Sheila Ayelen Berta is an Information Security Specialist and Developer, who started teaching herself at 12 years old. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, she has discovered lots of vulnerabilities in popular web applications and software, and given courses on Hacking Techniques in universities and private institutes. Sheila currently works at Eleven Paths as a Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers, x32/x64), C/C++ and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat EU 2017, DEF CON 25 CHV, HITBSecConf, Ekoparty Security Conference, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.



@UnaPibaGeek

Sergio De Los Santos

Sergio De Los Santos is currently head of innovation and labs at Eleven Paths, responsible for research and for creating new projects, tools and prototypes. In the past (2005-2013), he was a technical consultant at Hispasec (where VirusTotal was developed) for 10 years, responsible for antifraud, vulnerability alerts and other services mostly oriented to the banking industry. Sergio is responsible for the longest-running security newsletter in Spanish. Since 2000 he has worked as an auditor and technical coordinator, and has written three technical security books and one about the history of security. He has an informatics degree and a master's in software engineering and artificial intelligence, and was awarded the Microsoft MVP Consumer Security title in 2013-2017. He is a teacher and director of different courses, master's programs and lectures in universities and private companies.



@ssantosv


Ring 0/-2 Rootkits: bypassing defenses Thursday at 12:00 in 101 Track, Flamingo

45 minutes | Alexandre Borges, Malware and Security Researcher at Blackstorm Security

Advanced malware such as TDL4, Rovnix, Gapz, Omasco, Mebromi and others have exposed in recent years various techniques used to circumvent the usual defenses and have shown how unprepared companies are to deal with these sophisticated threats.



Although the industry has implemented new protections such as Virtualization Based Security, Windows SMM Security Mitigation Table (WSMT), Kernel Code Signing, HVCI, ELAM, Secure Boot, Boot Guard, BIOS Guard, and many others, professionals still do not know the architecture of these protections, which components are attacked by this contemporary malware in the context of BIOS / UEFI, and what tricks it uses. Precisely because of this lack of adequate understanding, most machines (BIOS / UEFI + operating system) remain vulnerable in the same way as a few years ago.



In addition, a growing number of malware families use kernel drivers to circumvent limitations and protections in order to gain full access to the operating system and its data. For exactly these reasons, it is necessary to understand how malware acts as a device driver and what mechanisms these threats use to infect an operating system.



The purpose of this presentation is to show clearly, and without the excessive detail that often hinders understanding, how these threats act, which components are attacked, what techniques this advanced malware uses to subvert the system, and how the existing protections work.

Alexandre Borges

Alexandre has been working as a Malware and Security researcher at Blackstorm Security, where he is daily involved with malware analysis cases, forensic and fraud investigations, reverse engineering and exploit development projects. In the past, Alexandre worked as an instructor at Sun Microsystems for ten years and at Symantec for six years.



Nowadays, he is a reviewer for "The Journal of Digital Forensics, Security and Law", a referee for "Digital Investigation: The International Journal of Digital Forensics & Incident Response" and a member of the Digital Law and Compliance Committee at OAB/SP.



Slides and articles written by Alexandre are available on: http://www.blackstormsecurity.com/bs/en/en_articles.html



@ale_sp_brazil, http://www.linkedin.com/in/aleborges, http://www.blackstormsecurity.com


Trouble in the tubes: How internet routing security breaks down and how you can do it at home Sunday at 13:00 in 101 Track, Flamingo

45 minutes | Demo, Tool

Lane Broadbent, Security Engineer, Vivint

We all protect our home networks, but how safe is your data once it leaves on its journey to the latest cat pictures? How does your traffic make it to its destination and what threats does it face on its way? What is BGP and why should you care?



In this talk, I'll explain the basic structure of the network that is the Internet and the trust relationships on which it is built. We'll explore several types of attacks that you may have seen in the news that exploit this relationship to bring down websites, steal cryptocurrency, and monitor dissidents.



Because talking about bringing down the Internet isn't as much fun as doing it, I'll show how to create a mini Internet using Mininet and demonstrate the attacks without the need for a BGP router or a lawyer. Finally, because nation states shouldn't get to have all the fun, I'll use Scapy and some novel techniques to demonstrate how a compromised router can be used to prevent attribution, frame a friend, or create a covert communication channel.

Lane Broadbent

Lane Broadbent is a Security Engineer performing threat hunting and full stack security engineering for Vivint, a tech company focused on IoT and home security. With over a decade of experience in research, pen testing, and jack of all trades systems administration, Lane now works to secure IoT devices and the systems that interact with them. In his free time, Lane tries to best the corporate NTP pool with parts salvaged from thrift stores.


Last mile authentication problem: Exploiting the missing link in end-to-end secure communication Sunday at 12:00 in Track 1

45 minutes | Demo, Exploit

Thanh Bui, Security Researcher, Aalto University, Finland; Siddharth Rao, Security Researcher, Aalto University, Finland

With a "Trust none over the Internet" mindset, securing all communication between a client and a server with protocols such as TLS has become common practice. However, while communication over the Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected.



This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary means of authentication, the insecurity of this "last mile" renders the security of the rest of the communication chain moot. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.

Thanh Bui

Thanh Bui is a doctoral candidate in the "Secure systems" group of Aalto University, Finland. His research focuses on analyzing and designing secure network protocols and distributed systems. He is a past Erasmus Mundus fellow and holds double master's degrees from Aalto University, Finland and KTH Royal Institute of Technology, Sweden.

Siddharth Rao

Siddharth (Sid) Rao is a doctoral candidate in the "Secure systems" group of Aalto University, Finland. He specializes in the security analysis of communication protocols, and his current interest lies in the pedagogical study of the 'lack of authentication' in different systems. He is a past Erasmus Mundus fellow and holds double master's degrees from Aalto University, Finland and the University of Tartu, Estonia. He has been a Ford-Mozilla Open Web Fellow at European Digital Rights (EDRi), where he helped to define policies related to data protection, surveillance, copyright, and network neutrality. He has previously spoken at security conferences such as Blackhat and Troopers.

Markku Antikainen received M.Sc. degrees in security and mobile computing from Aalto University, Espoo, Finland, and the Royal Institute of Technology, Stockholm, Sweden, in 2011. In 2017, he received a Ph.D. degree from Aalto University, Espoo, Finland. His doctoral thesis was on the security of the Internet of Things and software-defined networking. He currently works as a post-doctoral researcher at the Helsinki Institute for Information Technology, Finland.

Tuomas Aura received the M.Sc. and Ph.D. degrees from Helsinki University of Technology, Espoo, Finland, in 1996 and 2000, respectively. His doctoral thesis was on authorization and availability in distributed systems. He is a Professor of computer science and engineering with Aalto University, Espoo, Finland. Before joining Aalto University, he worked with Microsoft Research, Cambridge, U.K. He is interested in network and computer security and the security analysis of new technologies.


Reverse Engineering Windows Defender's Emulator Saturday at 15:00 in Track 2

45 minutes | Demo, Tool

Alexei Bulazel, Hacker

Windows Defender Antivirus's mpengine.dll implements the core of Defender's functionality in an enormous ~11 MB, 30,000+ function DLL.



In this presentation, we'll look at Defender's emulator for analysis of potentially malicious Windows binaries on the endpoint. To the best of my knowledge, there has never been a conference talk or publication on reverse engineering any antivirus binary emulator before.



We'll cover a range of topics including emulator internals—machine code to intermediate language translation and execution; memory management; Windows API emulation; NT kernel emulation; file system and registry emulation; integration with Defender's antivirus features; the virtual environment; etc.—building custom tooling for instrumenting the emulator; tricks that binaries can use to evade or subvert analysis; and attack surface within the emulator.



Attendees will leave with an understanding of how modern antivirus software conducts emulation-based dynamic analysis on the endpoint, and how attackers might go about subverting or attacking these systems. I'll publish code for a binary for exploring the emulator from within, patches that I developed for instrumenting Defender built on top of Tavis Ormandy's loadlibrary project, and IDA scripts to help with analyzing mpengine.dll and Defender's "VDLLs".

Alexei Bulazel

Alexei Bulazel (@0xAlexei) is a security researcher at ForAllSecure. He also provides expertise on reverse engineering and cyber policy at River Loop Security. Alexei has previously presented his research at venues such as Black Hat, REcon, and ShmooCon, among many others, and has published scholarly work at USENIX WOOT and ROOTS. Alexei is a proud alumnus of RPISEC.



@0xAlexei


A Journey Into Hexagon: Dissecting a Qualcomm Baseband Thursday at 13:00 in 101 Track, Flamingo

45 minutes | Seamus Burke, Hacker

Mobile phones are quite complicated and feature multiple embedded processors handling WiFi, cellular connectivity, Bluetooth, and other signal processing in addition to the application processor. Have you ever been curious about how your phone actually makes calls and texts at a low level? Or maybe you want to learn more about the internals of the baseband but have no clue where to start. We will dive into the internals of a Qualcomm baseband, tracing its evolution over the years until its current state. We will discuss the custom, in-house DSP architecture they now run on, and the proprietary RTOS running on it. We will also cover the architecture of the cellular stack, likely places vulnerabilities lie, and the exploit mitigations in place. Finally we will cover debugging possibilities, and how to get started analyzing the baseband firmware: how to differentiate between RTOS and cellular functions, how to find C standard library functions, and more.

Seamus Burke

Seamus Burke is an undergraduate student at UMBC pursuing a degree in CS. He has been working in the security field since he was 16 and has held a variety of positions, from SOC analyst to malware analyst to vulnerability researcher. Currently his research focus is on cellular basebands and kernel rootkits. When he's not staring at IDA, he likes to spend his time wrenching on cars and racing.



@AlternateAdmin


Relocation Bonus: Attacking the Windows Loader Makes Analysts Switch Careers Saturday at 17:00 in Track 2

45 minutes | Demo, Tool

Nick Cano, Senior Security Architect @ Cylance

The arbiters of defense wield many static analysis tools; disassemblers, PE viewers, and anti-viruses are among them. When you peer into their minds, these tools reveal their perilous implementations of PE file parsing. They assume PE files come as-is, but the Windows Loader actually applies many mutations (some at the command of the PE itself) before execution ever begins. This talk is about bending that loader to one's whim with the Relocations Table as a command spell. It will demonstrate how the loader can be instrumented into a mutation engine capable of transforming an utterly mangled PE file into a valid executable. This method starts with multiple ASLR Preselection attacks that force binary mapping at a predictable address. It then mangles the PE file, garbling any byte not required prior to relocation. Finally, it embeds a new Relocations Table which, when paired with a preselected base address, causes the loader to reconstruct the PE and execute it with ease. This isn't a packer or a POC, it is a PE rebuilder which generates completely valid, stable, and vastly tool-breaking executables. This talk will show you how this attack twists the protocols of a machine against the controls meant to protect it. It flexes on tools with various look-what-I-can-break demonstrations and, if you write similar tools, it'll make you rethink how you do it.

Nick Cano

Nick is a self-taught software engineer, hacker, and an avid CTFer. He started coding when he was 11 and planted his roots in video game hacking by 14. His game hacking endeavors led to a profitable business which became the foothold for his career. Nick is the author of "Game Hacking: Developing Autonomous Bots for Online Games," and has spoken about topics such as malware analysis, Windows internals, game hacking, and memory forensics at DEF CON, DerbyCon, HOPE, and other prestigious conferences. Previously a Senior Engineer at Bromium and currently a Senior Architect at Cylance, he's using his Windows internals experience to help make advances in endpoint protection, detection, and response.



https://twitter.com/nickcano93, https://nickcano.com/, https://github.com/nickcano


Project Interceptor: avoiding counter-drone systems with nanodrones
Saturday at 15:00 in 101 Track, Flamingo

45 minutes | Demo, Tool, Audience Participation
David Melendez Cano, R&D Embedded Systems Engineer, Albalá Ingenieros S.A.

Anti-drone system industries have arisen. Due to several, and even classic, vulnerabilities in the communication systems now used by drones, anti-drone systems are able to take down those drones by means of well documented attacks.



Drone/anti-drone competition has already been set into the scene. This talk provides a new vision of drone protection against anti-drone systems, presenting "The Interceptor Project", a hand-sized nano drone based on the tiny single-core Linux board Vocore2.



This Linux board manages a bidirectional WiFi (side/hidden) communication channel that cannot be deauthenticated and is replay-resistant, while keeping all the 802.11 hacking capabilities and standard utilities of any other WiFi hacker drone, using only the built-in adapter of the tiny Vocore2. A "just in case" fallback control channel over SDR is also implemented, taking advantage of everything SDR radio offers. All of this is embedded into a hand-sized aircraft to make detection and mitigation a real and new pain, on a very low budget: about $70.

David Melendez Cano

David Melendez Cano, Spain, works as an R&D software engineer for Albalá Ingenieros S.A., a TV studio manufacturing company in Madrid. He has won several prizes in robotics contests and has been a speaker at Nuit Du Hack, RootedCON, NoConName, Codemotion, HKOSCON, etc. He is the author of the book "Hacking con Drones" and a robot builder.



@taiksontexas


You'd better secure your BLE devices or we'll kick your butts!
Saturday at 12:00 in Track 2

45 minutes | Demo, Tool, Exploit
Damien "virtualabs" Cauquil, Head of Research & Development, Digital Security

Sniffing and attacking Bluetooth Low Energy devices has always been a real pain. Proprietary tools do the job but cannot be tuned to fit our offensive needs, while open-source tools sometimes work but are neither reliable nor efficient. Even the recently released Man-in-the-Middle BLE attack tools have their limits, such as their complexity and their lack of features for analyzing encrypted or short connections.



Furthermore, as vendors do not seem inclined to improve the security of their devices by following best practices, we decided to create a tool to lower the price of entry: BtleJack. BtleJack not only provides an affordable and reliable way to sniff and analyze Bluetooth Low Energy devices and their protocol stacks, but also implements a brand new attack dubbed "BtleJacking" that provides a way to take control of any already connected BLE device.



We will demonstrate how this attack works on various devices, how to protect them and avoid hijacking, and of course release the source code of the tool.



Vendors, be warned: BLE hijacking is real and should be considered in your threat model.

Damien "virtualabs" Cauquil

Damien is a senior security researcher who joined Digital Security in 2015 as the head of research and development. He discovered how wireless protocols can be fun to hack and quickly developed BtleJuice, one of the first Bluetooth Low Energy MitM frameworks.

Damien has presented at various security conferences including DEF CON, Hack In Paris, Chaos Communication Camp, Chaos Communication Congress, and a dozen times at Nuit du Hack, one of the oldest security conferences.


Building the Hacker Tracker
Thursday at 15:00 in 101 Track, Flamingo

20 minutes |
Whitney Champion, Senior Systems Engineer
Seth Law, Application Security Consultant, Redpoint Security

In 2012, back when DEF CON still fit in the Riviera (RIP), I recognized a gap to fill. I wanted to create a mobile version of the paper DEF CON booklet that everyone could use at the con.



I was unable to attend the conference that year. I was 8 months pregnant with my first child, and because I couldn't be there in person, I spent a lot of time wishing I was.



So I built it. I spent countless hours pouring my heart into what became the Hacker Tracker, shiny graphics and all, and was committing code up until the minute I went into labor.



Fast forward a few years: Seth was frustrated with the lack of a mobile app for iOS while attending DEF CON. Subsequently, he found the Android version of Hacker Tracker and reached out to me about creating an iOS version. I was thrilled that someone wanted to join me and help grow the project. Not long after that, I recruited Chris to work on the app as well.



Now, 6 years since its inception, a small team supports the app development across iOS and Android and the apps are being used by half a dozen different conferences, representing several thousand users.



From nothing to something, we've experienced quite a bit in 6 years. Join us as we share our moments of joy, fear, and panic, "things not to do", and more.

Whitney Champion

Whitney is a systems architect in South Carolina. She has held several roles throughout her career: security engineer, systems engineer, mobile developer, cloud architect, consulting architect, to name a few. In the last 15 years, she has worked on operations teams, support teams, development teams, and consulting teams, in both the private and public sector, supporting anywhere from a handful of users to hundreds of thousands. No matter the role, security has always been an area of passion and focus.



@shortxstack

Seth Law

Seth is an independent security consultant with Redpoint Security in Salt Lake City, where he performs security research and consulting for various clients. He spends the majority of his time thinking up ways to exploit and secure applications, but has been known to pull out an IDE as the need arises. Over the course of his career, Seth has honed application security skills using offensive and defensive techniques, including tool development and research. He has an (un)healthy obsession with all things security related and regularly heads down the rabbit hole to research the latest vulnerability or possible exposures. Seth can regularly be found at developer meetups and security get-togethers, whether speaking or learning.



@sethlaw


DEF CON Closing Ceremonies
Sunday at 16:00 in Track 1

105 minutes | Audience Participation
The Dark Tangent

DEF CON Closing Ceremonies

The Dark Tangent




Outsmarting the Smart City
Saturday at 16:00 in 101 Track, Flamingo

45 minutes | Demo, Exploit
Daniel "unicornFurnace" Crowley, Research Baron, IBM X-Force Red
Mauro Paredes, Hacker
Jen "savagejen" Savage, Hacker

The term "smart city" evokes imagery of flying cars, shop windows that double as informational touchscreens, and other retro-futuristic fantasies of what the future may hold. Stepping away from the smart city fantasy, the reality is actually much more mundane. Many of these technologies have already quietly been deployed in cities across the world. In this talk, we examine the security of a cross-section of smart city devices currently in use today to reveal how deeply flawed they are and how the implications of these vulnerabilities could have serious consequences.



In addition to discussing newly discovered pre-auth attacks against multiple smart city devices from different categories of smart city technology, this presentation will discuss methods for how to figure out what smart city tech a given city is using, the privacy implications of smart cities, the implications of successful attacks on smart city tech, and what the future of smart city tech may hold.

Daniel "unicornFurnace" Crowley

Daniel has been working in infosec since 2004, is TIME's 2006 Person of the Year, and brews his own beer. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool.



@dan_crowley

Mauro Paredes

Mauro has many years of experience performing penetration testing and security assessments for clients in Canada, USA, Germany, Mexico and Venezuela. Mauro has experience across several industries, including finance, telecommunication, e-commerce, technology providers, retail, energy, healthcare, logistics and transportation, government, and education.

Jen "savagejen" Savage

Jennifer Savage has over a decade of experience in tech including penetration testing, vulnerability assessment, vulnerability management, software development, technical management, and consulting services for companies ranging from startups to the Fortune 100.



@savagejen


DEF CON 101 Panel
Thursday at 15:30 in 101 Track, Flamingo

105 minutes | Audience Participation
HighWiz Founder, DC 101 Nikita Director of Content & Coordination, DEF CON Roamer CFP Vocal Antagonizer Chris "Suggy" Sumner Co-Founder, Online Privacy Foundation Jericho "Squirrel" Wiseacre Former Doer Of Things Shaggy The Mountain

Ten years ago, DEF CON 101 was founded by HighWiz as a way to introduce n00bs to DEF CON. The idea was to help attendees get the best experience out of DEF CON (and also tell them how to survive the weekend!). The DEF CON 101 panel has been a way for people who have participated in making DEF CON what it is today to share those experiences and, hopefully, inspire attendees to expand their horizons. DEF CON offers so much more than just talks and the DEF CON 101 panel is the perfect place to learn about all things DEF CON so you, dear reader, can get the best experience possible. The panel will end with the time honored tradition of "Name the n00b" where lucky attendees will be brought up on stage to introduce themselves to you and earn the coveted 101 n00b handle. Don't worry if you don't make it on to the stage, there will be plenty of other prizes for you to enjoy!

HighWiz

HighWiz is born of glitter and moon beams and he has all the right moves. He is the things that sweet dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people*, he set about to create an event that would give the n00bs of DEF CON a place to feel welcomed and further their own pursuit of knowledge. For years he has held onto the simple tenet that "You get out of DEF CON what you put into it". HighWiz is the fabled Man on the Mountain whom people seek to gain a taste of his forbidden knowledge. He is a rare sighting at DEF CON only to be glimpsed by those lucky few. HighWiz is a member of the DEF CON CFP Review Board and Security Tribe.



*Some (but not all) of the people HighWiz would like to thank for helping to make 101 into what it is today : Runnerup, Wiseacre, Nikita, Roamer, Shaggy, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Sethalump, AlxRogan, Jenn, Zant, MalwareUnicorn, Clutch, TheDarkTangent, Siviak, Ripshy, Valkyrie, Xodia, Flipper and all the members of Security Tribe.



@highwiz

Nikita

For over 15 years, Nikita has worked to ensure DEF CON runs as smoothly as one can expect from a hacker conference. In addition to planning a vast array of details prior to DEF CON and thwarting issues while onsite, she also serves as the Director of Content for the CFP Review Board.



@niki7a

Roamer

Appearing in a cloud of (cigarette) smoke, Roamer is a man full of whiskey and ideas. He has appeared at DEF CON since before (almost) the beginning. He is a renowned author, speaker, pontificator and is famous for giving the most entertaining Worldwide Wardrive talk. He is also the Grand Vizier of All Things Vendor—you are welcome. When Roamer speaks, people listen. And often fall in love.

Chris "Suggy" Sumner

Chris "Suggy" Sumner is the polite one. He is a co-founder of the not-for-profit Online Privacy Foundation, who contribute to the field of online behavioural research. Suggy is also the CFP review board's undisputed fence sitting champion.



@5uggy

Jericho

Since 1992, Jericho has been poking about the hacker/security scene. His experience has allowed him to develop (and deliver—often in the form of rants) a great perspective on many topics, mostly security related. He has been a speaker at security conferences worldwide, primarily for the free travel to exotic locales. A founding member of Attrition.org, he was also the content manager for the Open Source Vulnerability Database (OSVDB) and an officer in the Open Security Foundation (OSF). He is a champion of security industry integrity and small misunderstood creatures. He epitomizes the saying, "Why be a pessimist? It won't work, anyway."



@attritionorg

Wiseacre

Wiseacre was introduced to DEF CON by Roamer. Though he appeared at his first DEF CON because of the Capture the Flag contest, Roamer and HighWiz showed him how to make DEF CON so much more than simply attending the talks. From then on he made a point to participate in as much as he could. Of course, this was all within the limits of social anxiety so, if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all.



wiseacre_mike

Shaggy

Shaggy has the voice of Barry White, the brains of Albert Einstein and the soul of Bea Arthur. He has a few philosophies on life: He believes that while the righteous keep moving forward, those with clean hands become stronger and stronger. That the field of battle between God and Satan is the human soul. It is in the soul that the battle rages every moment of life. He also believes that one should start by doing what's necessary; then do what's possible; and suddenly you are doing the impossible. Because you learn to speak by speaking, to study by studying, to run by running, to work by working, and just so, you learn to love by loving. All those who think to learn in any other way deceive themselves.


D0 N0 H4RM: A Healthcare Security Conversation
Friday at 20:00 in Octavius 9

Fireside Hax
Christian "quaddi" Dameff MD, Emergency physician, Clinical Informatics fellow at The University of California San Diego
Jeff "r3plicant" Tully MD, Pediatrician, Anesthesiologist, University of California Davis
Kirill Levchenko PhD, Associate Professor of Computer Science, University of California San Diego
Beau Woods, Hacker
Roberto Suarez, Hacker
Jay Radcliffe, Hacker
Joshua Corman, Hacker
David Nathans, Hacker

Healthcare cybersecurity is in critical condition. That's not FUD, that's the bottom line from the Congressionally mandated Health Care Industry Cybersecurity Task Force report released just last year, a year which also saw the twin specters of WannaCry and NotPetya take down entire hospital systems while over half a million implanted pacemakers were recalled in the fallout of one of the most (ir?)responsible disclosures in recent memory. It's enough to make any concerned white hat reach for a stiff drink. And that's where we come in. After an incredibly successful, near-fire-code-violating jam packed session at DC25 as an Evening Lounge, 'D0 N0 H4rm' is diving deeper and going longer as it transforms into a Fireside Hax, assembling an even larger and more distinguished panel of expert hackers, policymakers, wonks, and health care providers to continue discussing, dissecting, and most importantly, debating the ways to keep patients safe in an increasingly perilous space. Featuring continuous audience interaction and with the same loose and informal flow that characterized the initial, libation rich hotel room gatherings, moderators quaddi and r3plicant invite you to add your voice to this incredibly important conversation. Pin this one down quickly, pre-registration is going to go fast.

Christian "quaddi" Dameff MD

Christian (quaddi) Dameff MD is an emergency medicine doctor, former open capture the flag champion, prior DEF CON speaker, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. His security research topics include hacking critical healthcare infrastructure, medical devices and the effects of malware on patient care. This is his fourteenth DEF CON.



@cdameffmd

Jeff "r3plicant" Tully MD

Jeff (r3plicant) Tully MD is an anesthesiologist, pediatrician, and researcher with an interest in understanding the ever-growing intersections between healthcare and technology. Prior to medical school he worked on "hacking" the genetic code of Salmonella bacteria to create anti-cancer tools, and throughout medical training has remained involved in the conversations and projects that will secure healthcare and protect our patients as we face a brave new world of remote care, implantable medical devices, and biohacking.



@jefftullymd

Kirill Levchenko PhD

Beau Woods

Beau Woods is a leader with the I Am The Cavalry grassroots initiative, an Entrepreneur in Residence at the US Food and Drug Administration, a Cyber Safety Innovation Fellow with the Atlantic Council, and Founder/CEO of Stratigos Security. Beau has consulted with Global 100 corporations, the White House, members of Congress, foreign governments, and NGOs on some of the most critical cybersecurity issues of our time. Beau's focus is on Internet of Things (IoT) technologies where cybersecurity intersects public safety and human life issues, including healthcare, automotive, energy, oil and gas, aviation, transportation, and other sectors. Beau is a published author, frequent public speaker, often quoted in media, and is often engaged for public or private speaking venues.

Roberto Suarez

Roberto Suarez is a product security and privacy professional in the medical device and healthcare IT industry. At BD, Roberto is responsible for developing a Product Security Center of Excellence that drives process, capability and maturity to build products that are secure by design with transparency and control in mind. Giving product teams exposure to cyber security training and events, building their in-house expertise and promoting a company-wide community for product security is what Roberto is passionate about.

Jay Radcliffe

Jay Radcliffe is a Senior Security Consultant and Researcher. He is an offensive penetration tester with a knack for hardware hacking and embedded device security. He has given dozens of presentations at conferences around the world including DEF CON and Blackhat, including several on the security of insulin pumps.

Joshua Corman

Joshua Corman is a Founder of I am The Cavalry (dot org) and CSO for PTC. Corman previously served as Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded RuggedSoftware and IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations and social impact has helped position him as one of the most trusted names in security. He also serves as an adjunct faculty for Carnegie Mellon's Heinz College and on the 2016 HHS Cybersecurity Task Force.

David Nathans

David Nathans currently serves as a Product Security Manager for Siemens Healthcare, where he specializes in building cybersecurity programs and Security Operation Centers. Having previously held prominent positions in the defense, retail, managed security and healthcare industries, Nathans has a wealth of cybersecurity knowledge which he shares to help protect companies from this growing threat. His experiences and lessons learned also stem from his time building security programs at one of the largest breached retail companies in history as well as working all over the world as a cyber-operations officer for the U.S. Air Force.


Your Bank's Digital Side Door
Friday at 17:00 in 101 Track, Flamingo

45 minutes | Demo, Tool
Steven Danneman, Security Engineer, Security Innovation

Why does my bank's website require my MFA token but Quicken sync does not? How is using Quicken or any personal financial software different from using my bank's website? How are they communicating with my bank? These questions ran through my head when balancing the family checkbook every month.



Answering these questions led me to deeply explore the 20-year-old Open Financial Exchange (OFX) protocol and the over 3000 North American banks that support it. They led me to the over 30 different implementations running in the wild and to a broad and inviting attack surface presented by these banks' digital side doors.



Now I'd like to guide you through how your Quicken, QuickBooks, Mint.com, or even GnuCash applications are gathering your checking account transactions, credit card purchases, stock portfolio, and tax documents. We'll watch them flow over the wire and learn about the jumble of software your bank's IT department deploys to provide them. We'll discuss how secure these systems that keep track of your money are, and we'll send a few simple packets at several banks and count the number of security WTFs along the way.



Lastly, I'll demo and release a tool that fingerprints an OFX service, describes its capabilities, and assesses its security.

Steven Danneman

Steven Danneman is a Security Engineer at Security Innovation in Seattle, WA, making software more secure through targeted penetration testing. Previously, he led the development team responsible for all authentication and identity management within the OneFS operating system. Steven is also a finance geek, who opens bank accounts as a hobby and loves a debate about the efficient-market hypothesis.



@sdanndev, https://www.linkedin.com/in/sdanneman/, sdann-dev.blogspot.com


PANEL: DEF CON GROUPS
Sunday at 15:00 in Track 1

45 minutes | Audience Participation
Brent White (B1TK1LL3R), DEF CON Groups Global Coordinator
Jeff Moss (The Dark Tangent), Founder, DEF CON
Jayson E. Street, DEF CON Groups Global Ambassador
S0ups
Tim Roberts (byt3boy)
Casey Bourbonnais
April Wright

Do you love DEF CON? Do you hate having to wait for it all year? Well, thanks to DEF CON groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us!



In this special event, your DEF CON groups team who works behind the scenes to make DCG possible will introduce themselves and provide status updates. After we're done talking, the remainder of time will be an informal open floor right there in the room to mingle and talk all things DCG.



There will be a:

- Designated area in the room for those wanting to start/join a group
- Designated area in the room for those wanting to share project ideas

Brent White (B1TK1LL3R)

Bio Coming Soon

Jeff Moss (The Dark Tangent)

Bio Coming Soon

Jayson E. Street

Bio Coming Soon

S0ups

Bio Coming Soon

Tim Roberts (byt3boy)

Bio Coming Soon

Casey Bourbonnais

Bio Coming Soon

April Wright

Bio Coming Soon


Your Voice is My Passport
Friday at 16:00 in Track 3

45 minutes | Demo, Exploit
_delta_zero, Senior Data Scientist, Salesforce
Azeem Aqil, Senior Security Software Engineer, Salesforce

Financial institutions, home automation products, and offices near universal cryptographic decoders have increasingly used voice fingerprinting as a method for authentication. Recent advances in machine learning and text-to-speech have shown that synthetic, high-quality audio of subjects can be generated using transcribed speech from the target. Are current techniques for audio generation enough to spoof voice authentication algorithms? We demonstrate, using freely available machine learning models and a limited budget, that standard speaker recognition and voice authentication systems are indeed fooled by targeted text-to-speech attacks. We further show a method which reduces the data required to perform such an attack, demonstrating that more people are at risk for voice impersonation than previously thought.

_delta_zero

_delta_zero performs machine learning on log data by day, and writes his dissertation on malware datasets by night. He was voted "most likely to create Skynet" by @alexcpsec, and he toys with offensive uses for machine learning in his free time. He has spoken at BlackHat USA, DEF CON, SecTor, BSidesLV/Charm, and the NIPS workshop on Machine Deception.



@_delta_zero

Azeem Aqil

Azeem Aqil is a security engineer at Salesforce. He works on building and maintaining the detection and response infrastructure that powers Salesforce security. Azeem is an academic turned hacker who has published and spoken at various academic security conferences.


The ring 0 façade: awakening the processor's inner demons
Saturday at 13:30 in Track 1

20 minutes | Demo, Tool
Christopher Domas

Your computer is not yours. You may have shelled out thousands of dollars for it. It may be sitting right there on your desk. You may have carved your name deep into its side with a blowtorch and chisel. But it's still not yours. Some vendors are building secret processor registers into your system's hardware, only accessible by shadowy third parties with trusted keys. We as the end users are being intentionally locked out and left in the dark, unable to access the heart of our own processors, while select organizations are granted full control of the internals of our CPUs. In this talk, we'll demonstrate our work on how to probe for and unlock these previously invisible secret registers, to break into all-powerful features buried deep within the processor core, to finally take back our own computers.

Christopher Domas

Christopher Domas is a security researcher and embedded systems engineer, currently investigating scalable IoT security. He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), showing that all programs can be reduced to the same instruction stream (reductio), and the branchless DOOM meltdown mitigations. His more relevant work includes the sandsifter processor fuzzer, the binary visualization tool ..cantor.dust.., and the memory sinkhole x86 privilege escalation exploit.



@xoreaxeaxeax


GOD MODE UNLOCKED: Hardware Backdoors in [redacted] x86 CPUs
Friday at 14:00 in Track 1

45 minutes | Demo, Tool, Exploit
Christopher Domas

Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.

Christopher Domas

Christopher Domas is a security researcher and embedded systems engineer, currently investigating scalable IoT security. He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), showing that all programs can be reduced to the same instruction stream (reductio), and the branchless DOOM meltdown mitigations. His more relevant work includes the sandsifter processor fuzzer, the binary visualization tool ..cantor.dust.., and the memory sinkhole x86 privilege escalation exploit.



@xoreaxeaxeax


One-liners to Rule Them All
Friday at 11:00 in Track 2

45 minutes | Demo
egypt, Security Analyst, Black Hills Information Security
William Vu, Security Researcher, Rapid7

It began with the forging of the command line. And some things that should not have been forgotten, were lost. History became legend, legend became myth.



Sometimes you just need to pull out the third column of a CSV file. Sometimes you just need to sort IP addresses. Sometimes you have to pull out IP addresses from the third column and sort them, but only if the first column is a particular string and for some reason the case is random.



In this DEF CON 101 talk, we'll cover a ton of bash one-liners that we use to speed up our hacking. Along the way, we'll talk about the concepts behind each of them and how we apply various strategies to accomplish whatever weird data processing task comes up while testing exploits and attacking a network.

egypt

egypt is a penetration tester for Black Hills Information Security and a contributor to the Metasploit Project. He is not a country.



@egyp7

William Vu

William Vu is a security researcher at Rapid7 who works on the Metasploit Project.


Lost and Found Certificates: dealing with residual certificates for pre-owned domains
Sunday at 13:30 in Track 2

20 minutes | Demo, Tool
Ian Foster, Hacker
Dylan Ayrey, Hacker

When purchasing a new domain name you would expect that you are the only one who can obtain a valid SSL certificate for it; however, that is not always the case. When the domain had one or more prior owners, even several years prior, they may still possess a valid SSL certificate for it, and there is very little you can do about it.



Using Certificate Transparency, we examined millions of domains and certificates and found thousands of examples where the previous owner for a domain still possessed a valid SSL certificate for the domain long after it changed ownership. We will review the results from our ongoing large scale quantitative analysis over past and current domains and certificates. We'll explore the massive scale of the problem, what we can do about it, how you can protect yourself, and a proposed process change to make this less of a problem going forwards.



We end by introducing BygoneSSL, a new tool and dashboard that shows an up to date view of affected domains and certificates using publicly available DNS data and Certificate Transparency logs. BygoneSSL will demonstrate how widespread the issue is, let domain owners determine if they could be affected, and can be used to track the number of affected domains over time.

Ian Foster

Ian enjoys researching systems and networking problems and solutions in an effort to make the world more secure. He has published research papers analyzing the new gTLD land rush and crawling and parsing most WHOIS records. His work ranges from demonstrating how insecure aftermarket OBD "dongles" can be used to compromise and take over automobiles, to measuring the paths an email traverses online with encryption in an effort to increase integrity, authenticity, and confidentiality, and more. During the day Ian is a Security Engineer fighting for the users.

Dylan Ayrey

Dylan is a security engineer, who in his free time authors lots of open source projects, such as truffleHog. He graduated college in 2015 and has been working in security ever since.


Defending the 2018 Midterm Elections from Foreign Adversaries
Sunday at 10:00 in Track 2

45 minutes | Demo, Tool
Joshua M Franklin, Hacker
Kevin Franklin, Hacker

Election Buster is an open source tool created in 2014 to identify malicious domains masquerading as candidate webpages and voter registration systems. During 2016, fake domains were used to compromise credentials of a Democratic National Committee (DNC) IT services company, and foreign adversaries probed voter registration systems. The tool now cross-checks domain information against open source threat intelligence feeds, and uses a semi-autonomous scheme for identifying phundraising and false flag sites via ensembled data mining and deep learning techniques. We identified Russian nationals registering fake campaign sites, candidates deploying defensive—and offensive—measures against their opponents, and candidates unintentionally exposing sensitive PII to the public. This talk provides an analysis of our 2016 Presidential Election data, and all data recently collected during the 2018 midterm elections. The talk also details technological and procedural measures that government offices and campaigns can use to defend themselves.

Joshua M Franklin

Joshua Franklin has over a decade of experience working with election technology, and is a security engineer at the National Institute of Standards and Technology (NIST) focusing on cellular and electronic voting security. Prior to NIST, Joshua worked at the U.S. Election Assistance Commission gathering hands-on experience with a variety of voting technologies. Joshua managed federal certification efforts and alongside election officials, labs, and manufacturers across the United States. Joshua recently co-chaired the Election Cybersecurity Working Group, and was the principal author for the security portions of the next generation of federal voting system standards. Kevin Franklin

Kevin Franklin has several decades of technology experience in big data. He possesses an undergraduate degree in Engineering from Mississippi State University and a masters degree in Computer Science from Southern Polytechnic University.


For the Love of Money: Finding and exploiting vulnerabilities in mobile point of sales systems Sunday at 10:00 in Track 3

45 minutes | Demo, Tool
Leigh-Anne Galloway, Cyber Security Resilience Lead, Positive Technologies
Tim Yunusov, Hacker

These days it's hard to find a business that doesn't accept faster payments. Mobile Point of Sales (mPOS) terminals have propelled this growth, lowering the barriers for small and micro-sized businesses to accept non-cash payments. Older payment technologies like mag-stripe still account for the majority of all in-person transactions. This is complicated further by the introduction of new payment standards such as NFC. As with each new iteration in payment technology, weaknesses are inevitably introduced into this increasingly complex payment ecosystem.



In this talk, we ask, what are the security and fraud implications of removing the economic barriers to accepting card payments; and what are the risks associated with continued reliance on old card standards like mag-stripe? In the past, testing for payment attack vectors has been limited to the scope of individual projects and to those that have permanent access to POS and payment infrastructure. Not anymore!



In what we believe to be the most comprehensive research conducted in this area, we consider four of the major mPOS providers spread across the US and Europe: Square, SumUp, iZettle and PayPal. We provide live demonstrations of new vulnerabilities that allow you to MitM transactions, send arbitrary code via Bluetooth and mobile application, modify payment values for mag-stripe transactions, and a vulnerability in firmware (DoS to RCE). Using this sampled geographic approach, we are able to show the current attack surface of mPOS and to predict how this will evolve over the coming years.



For audience members that are interested in integrating testing practices into their organization or research practices, we will show you how to use mPOS to identify weaknesses in payment technologies, and how to remain undetected in spite of anti-fraud and security mechanisms.

Leigh-Anne Galloway

Leigh-Anne Galloway is a Security Researcher who specializes in the areas of application and payment security. Leigh-Anne started her career in incident response, leading investigations into payment card data breaches. This is where she discovered her passion for security advisory and payment technologies. She has presented and authored research on ATM security, application security and payment technology vulnerabilities, and has previously spoken at DevSecCon, BSides, Hacktivity, 8dot8, OWASP, and Troopers.

@L_AGalloway

Tim Yunusov

Tim Yunusov is a Senior Expert in the areas of banking security and application security. He has authored multiple pieces of research in these areas, including "Apple Pay replay attacks" (Black Hat USA 2017), "7 sins of ATM protection against logical attacks" (PacSec, POC), "Bruteforce of PHPSESSID", "XML Out-Of-Band" (Black Hat EU), and is rated in the Top Ten Web Hacking Techniques by WhiteHat Security. He regularly speaks at conferences and has previously spoken at CanSecWest, Black Hat USA, Black Hat EU, HackInTheBox, Nullcon, NoSuchCon, Hack In Paris, ZeroNights and Positive Hack Days.



@a66at


It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded devices for fun and profit Friday at 12:00 in 101 Track, Flamingo

45 minutes | Demo
Morgan "indrora" Gangwere, Hacker

With the proliferation of Linux-based SoCs -- you've likely got one or two in your house, on your person or in your pocket -- it is often useful to look "under the hood" at what is running. Additionally, in-situ debugging may be unavailable due to read-only filesystems, memory is often limited, and other factors keep us from attacking a live device. This talk looks at attacking binaries outside their native environment using QEMU, the Quick Emulator, as well as techniques for extracting relevant content from devices and exploring them.

Morgan "indrora" Gangwere

Morgan is a student at the University of New Mexico where he studies an unrelated topic entirely, but does network security because it's interesting. Previously, he's spoken on subjects such as web proxies, community engagement, and typesetting. He started working with computers when he was a young child and hasn't given them up since, even if his wrists seem to disagree.


Playback: a TLS 1.3 story Friday at 15:00 in Track 2

45 minutes | Demo
Alfonso García Alguacil, Senior Penetration Tester, Cisco
Alejo Murillo Moya, Red Team Lead EMEAR, Cisco

TLS 1.3 is the new secure communication protocol that should already be with us. One of its new features is 0-RTT (Zero Round Trip Time Resumption), which could potentially allow replay attacks. This is a known issue acknowledged by the TLS 1.3 specification: the protocol does not provide replay protection for 0-RTT data, but proposes countermeasures that would need to be implemented at other layers, not at the protocol level. Therefore, applications deployed with TLS 1.3 support could end up exposed to replay attacks depending on the implementation of those protections.



This talk will describe the technical details regarding the TLS 1.3 0-RTT feature and its associated risks. It will include Proof of Concepts (PoC) showing real-world replay attacks against TLS 1.3 libraries and browsers. Finally, potential solutions or mitigation controls will be discussed that will help prevent those attacks when deploying software using a library with TLS 1.3 support.

Alfonso García Alguacil

Alfonso Garcia Alguacil is a penetration tester and security consultant with 7 years of experience. Words like exploit, code or binary would quickly catch his attention. He currently works at Cisco as a senior security consultant.

Alejo Murillo Moya

Alejo Murillo Moya has always been passionate about security, with 10+ years of experience as a penetration tester and security consultant, earning important technical certifications like CREST and GIAC GSE along the way. He is currently working at Cisco as a red teaming lead and managing security consultant.


Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices Saturday at 14:00 in 101 Track, Flamingo

45 minutes | Demo, Tool, Exploit
Dennis Giese, Hacker

While most IoT accessory manufacturers have a narrow area of focus, Xiaomi, an Asia-based vendor, controls a vast IoT ecosystem, including smart lightbulbs, sensors, cameras, vacuum cleaners, network speakers, electric scooters and even washing machines. In addition, Xiaomi also manufactures smartphones. Their products are sold not only in Asia, but also in Europe and North America. The company claims to have the biggest IoT platform worldwide.



In my talk, I will give a brief overview of the most common Wi-Fi based Xiaomi IoT devices. Their devices may be deeply integrated into daily life (like vacuum cleaners, smart toilet seats, cameras, sensors, lights).



I will focus on the features, computational power, sensors, security and ability to root the devices. Let’s explore how you can have fun with the devices or use them for something useful, like mapping Wi-Fi signal strength while vacuuming your house. I will also cover some interesting things I discovered while reverse engineering Xiaomi's devices and discuss which protections were deployed by the developers (and which were not).



Be prepared to see the guts of many of these devices. We will exploit them and use them to exploit other devices.

Dennis Giese

Dennis is a grad student at TU Darmstadt and a researcher at Northeastern University. He was a member of a European ISP's CERT for several years.

While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices.

His latest victim is the Xiaomi IoT cloud. He has presented at the Chaos Communication Congress and REcon BRX.


Beyond the Lulz: Black-Hat Trolling, White-Hat Trolling, Attacking and Defending Our Attention Landscape Saturday at 20:00 in Octavius 9

Fireside Hax |
Matt Goerzen, Researcher, Data & Society
Dr. Jeanna Matthews, Fellow at Data & Society, Associate Professor of Computer Science at Clarkson University
Joan Donovan, Media Manipulation/Platform Accountability Research Lead, Data and Society in Manhattan

White hat or critical grey hat trolling? Trolling as art? Trolling as hybrid warfare? Trolling as propaganda? In this Fireside Hax, we will challenge your assumptions about trolling. Trolls are attention hackers, using social and technical means to bait journalists, set agendas, game media gatekeepers, and direct audiences. Sometimes they also have fun. We will discuss a range of trolling techniques like sockpuppeting, dogpiling, doxing, attention honeypots, and cognitive denial of service attacks that we have not seen concisely catalogued elsewhere. We will also discuss high-profile examples of trolling such as "training" the Microsoft Tay chatbot, fake Antifa accounts, Russian sockpuppet accounts, and Phineas Fisher's use of Hacking Team's Twitter account--and ask attendees to consider each as black hat attacks or grey hat attempts to point out critical societal vulnerabilities that should be "patched." We will also talk about "troll the troll" accounts like ImposterBuster and YesYoureRacist and the role "white hat trolls" might play in auditing platforms or proposing platform-based controls. Time permitting, we will discuss art projects that trollishly critiqued the European Commission, Google AdSense, and the NSA. This will not be a lecture and it will not shy away from controversy. Join two members of the Media Manipulation Team at Data & Society to collectively consider the role trolling can play in pointing out the flaws in our attention/media landscape.

Matt Goerzen

Matt Goerzen studies trolling techniques and cultures as part of the Media Manipulation team at Data & Society. He's also applied many of the techniques in the art world, for example by once developing an absurdist AdSense campaign ostensibly designed to sell a hideous sculpture to art collector Shaquille O'Neal, but more accurately designed to piggyback off of free clickbait media attention to inform readers about psychometric ad tech practices. He has written an academic study of contemporary artists who function as what he calls "critical trolls," arguing that trolling can be seen as an extension of the politicized attentional strategies used by the 20th-century avant-garde. His current work at Data & Society focuses on mapping the way white supremacists and state actors have appropriated trolling techniques for use in influence operations as a form of "bottom-up agenda setting."

Dr. Jeanna Matthews

Jeanna Matthews is an associate professor of Computer Science at Clarkson University and a 2017-18 fellow at Data and Society where she has been collaborating with the Media Manipulation team. She was a speaker at DEF CON 23 and 24, both times on the topic of vulnerabilities in virtual networks. Her broader research interests include virtualization, cloud computing, computer security, computer networks, operating systems and algorithmic accountability and transparency. Jeanna received her Ph.D. in Computer Science from the University of California at Berkeley and is an ACM Distinguished Speaker.



@jeanna_matthews

Joan Donovan

Joan Donovan is the Media Manipulation/Platform Accountability Research Lead at Data and Society in Manhattan. After completing her PhD in Sociology and Science Studies at the University of California San Diego, she was a postdoctoral fellow at the UCLA Institute for Society and Genetics, where she researched white supremacists' use of DNA ancestry tests, social movements, and technology. For several years, Joan has conducted action research with different networked social movements in order to map and improve the communication infrastructures built by protesters. In her role as a participant, she identifies information bottlenecks, decodes algorithmic behavior, and connects organizations with other like-minded networks.


Pwning "the toughest target": the exploit chain of winning the largest bug bounty in the history of ASR program Thursday at 11:00 in 101 Track, Flamingo

45 minutes |
Guang Gong, Alpha Team at Qihoo 360
Wenlin Yang, Alpha Team at Qihoo 360
Jianjun Dai, Security researcher of Qihoo360 Alpha Team

In recent years, Google has made many great efforts in exploit mitigation and attack surface reduction to strengthen the security of the Android system. It is becoming more and more difficult to remotely compromise Android phones, especially Google’s Pixel phone.



The Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But our team discovered a remote exploit chain, the first of its kind since the Android Security Rewards (ASR) program expansion, which could compromise the Pixel phone remotely. The exploit chain was reported to the Android security team directly. They took it seriously and patched it quickly. Because of the severity and our detailed report, we were awarded the highest reward ($112,500) in the history of the ASR program.



In this talk we will detail how we used the exploit chain to inject arbitrary code into the system_server process and get system user permissions. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug related to WebAssembly and SharedArrayBuffer. It is used to get remote code execution in the sandboxed Chrome renderer process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from the sandbox. The method we used for sandbox escaping is very interesting and rarely talked about before. All details of the vulnerabilities and mitigation bypassing techniques will be given in this talk.

Guang Gong

Guang Gong (@oldfresher) is a senior security researcher at Qihoo360 and the team leader of 360 Alpha Team. His research interests included Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, SyScan360, MOSEC, PacSec and so on. He is the winner of Mobile Pwn2Own 2015 (the target: Nexus 6), Pwn0Rama 2016 (the category of mobile devices), Pwn2Own 2016 (the target: Chrome), PwnFest 2016 (the target: Pixel XL), and Mobile Pwn2Own 2017 (the target: Galaxy S8).

@oldfresher

Wenlin Yang

Wenlin Yang is a junior researcher at Qihoo 360 and a member of 360 Alpha Team. He currently focuses on Android vulnerabilities. He has submitted multiple bugs to Google and several other vendors in China and received some acknowledgments.

Jianjun Dai

Jianjun Dai (@Jioun_dai) is a security researcher on the Qihoo360 Alpha Team. He focuses on Android system security research, vulnerability hunting and exploit development. Previously, he was a security developer whose major work included network protocol analysis, vulnerability detection, botnet and backdoor detection, and sandbox technology research and development. He has been in Android vulnerability research for more than two years, has found lots of vulnerabilities in AOSP, and has won bug bounties. He is a speaker at the CanSecWest conference.


De-anonymizing Programmers from Source Code and Binaries Friday at 10:00 in Track 2

45 minutes |
Rachel Greenstadt, Associate Professor, Drexel University
Dr. Aylin Caliskan, Assistant Professor of Computer Science, George Washington University

Many hackers like to contribute code, binaries, and exploits under pseudonyms, but how anonymous are these contributions really? In this talk, we will discuss our work on programmer de-anonymization from the standpoint of machine learning. We will show how abstract syntax trees contain stylistic fingerprints and how these can be used to potentially identify programmers from code and binaries. We perform programmer de-anonymization using both obfuscated binaries and real-world code found in single-author GitHub repositories and the leaked Nulled.IO hacker forum.

Rachel Greenstadt

Dr. Rachel Greenstadt (PI) is an Associate Professor of Computer Science at Drexel University where she teaches graduate-level courses in computer security, privacy, and machine learning. She founded the Privacy, Security, and Automation Laboratory at Drexel University in 2008. Dr. Greenstadt was among the first to explore the effect of adversarial attacks on stylometric methods, and the first to demonstrate empirically how stylometric methods can fail in adversarial settings while succeeding in non-adversarial settings.



She has a history of speaking at hacker conferences including DEF CON 14, ShmooCon 2009, 31C3, and 32C3.



Dr. Greenstadt's scholarship has been recognized by the privacy research community. She is an alum of the DARPA Computer Science Study Group and a recipient of the NSF CAREER Award. Her work has received the PET Award for Outstanding Research in Privacy Enhancing Technologies and the Andreas Pfitzmann Best Student Paper Award. She currently serves as co-editor-in-chief of the journal Proceedings on Privacy Enhancing Technologies (PoPETs). Her research has been featured in the New York Times, the New Republic, Der Spiegel, and other local and international media outlets.



@ragreens

Dr. Aylin Caliskan

Aylin Caliskan is an assistant professor of computer science at George Washington University. Her research interests include the emerging science of bias in machine learning, fairness in artificial intelligence, data privacy, and security. Her work aims to characterize and quantify aspects of natural and artificial intelligence using a multitude of machine learning and language processing techniques. In her recent publication in Science, she demonstrated how semantics derived from language corpora contain human-like biases. In addition, she developed novel privacy attacks to de-anonymize programmers using code stylometry. Her presentations on both de-anonymization and bias in machine learning are the recipients of best talk awards. Her work on semi-automated anonymization of writing style furthermore received the Privacy Enhancing Technologies Symposium Best Paper Award. Her research has received extensive press coverage across the globe. Aylin holds a PhD in Computer Science from Drexel University and a Master of Science in Robotics from the University of Pennsylvania. She has previously spoken at 29C3, 31C3, 32C3, and 33C3.



@aylin_cim


Automated Discovery of Deserialization Gadget Chains Friday at 16:00 in 101 Track, Flamingo

45 minutes | Tool
Ian Haken, Senior Security Software Engineer, Netflix

Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library, and as recently as last year's Black Hat, Muñoz and Mirosh presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk, I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability and allowing penetration testers to quickly develop working exploits. At the conclusion we will also be releasing a FOSS toolkit which utilizes this methodology and has been used to successfully develop many deserialization exploits in both internal applications and open source projects.

Ian Haken

Ian Haken is a senior security software engineer at Netflix where he works on the platform security team to develop tools and services that defend the Netflix platform. Before working at Netflix, he spent two years as a security researcher at Coverity where he developed defensive application security tools and helped to develop automated discovery of security vulnerabilities through static software analysis. He received his Ph.D. in mathematics from the University of California, Berkeley in 2014 with a focus in computability theory and algorithmic information theory.


4G—Who is paying your cellular phone bill? Friday at 14:00 in Track 2

45 minutes | Demo, Exploit
Dr. Silke Holtmanns, Distinguished Member of Technical Staff, Security Expert, Nokia Bell Labs
Isha Singh, Master's student, Aalto University in Helsinki (Finland)

Cellular networks are connected with each other through a worldwide private, but not inaccessible, network called the IPX network. Through this network, user-related information is exchanged for roaming purposes or for cross-network communication. This private network has been breached by criminals and nation states. Cellular networks are extremely complex and many attacks have already been found, e.g. DoS, location tracking, SMS interception, data interception. Many attacks have been seen in practice, but not all attacks are understood and not all attack avenues using the IPX network have been explored. This presentation shows how the S9 interface in 4G networks, which is used for exchanging charging-related user information between operators, can be exploited to perform fraud attacks. A demonstration with technical details will be given, along with guidance on practical countermeasures.

Dr. Silke Holtmanns

Silke is a security expert at Nokia Bell Labs (the research branch of Nokia). She holds a PhD in Mathematics and has 18 years of experience in mobile security research and standardization. In her current research she investigates new and existing mobile network security attacks using SS7, Diameter and GTP protocols via the interconnection network and how to counter those attacks in 4G/5G networks. She has found many 4G-related IPX attacks and countermeasures, e.g. Location Tracking (NATO CyCon), DoS (Black Hat EU 2016), cellular data interception (34C3 Chaos Computer Congress). She drives cellular network security in the operator association GSMA, where she is responsible for the Diameter Signaling Security Specification. She served as a subject matter expert on cellular security to the US Federal Communications Commission and to the European Union Agency for Network and Information Security. She is rapporteur of ten 3GPP security specifications and has a long track record of security publications.

Currently, she is actively supporting the 5G Roaming security developments. For her the interesting part is fixing problems in a worldwide network without breaking it, not finding an issue.

@SHoltmanns

Isha Singh

Isha is a master's student at Aalto University in Helsinki (Finland) and is doing her thesis research work at Nokia Bell Labs under the supervision of Professor Raimo Kantola. She is completing her Master's in Wireless Communication as her major subject and Machine Learning as her minor. Her research covers smart city environmental perception from ambient cellular signals and 5G ubiquitous sensing. She is passionate about IoT devices and their security in 5G scenarios. She has experience with embedded devices (Arduino, Raspberry Pi) from multiple projects, like an analog-to-digital converter used in optical communication. Presently she is exploring cybersecurity, starting from mobile communication core network security, testing for vulnerabilities and loopholes and providing solutions using Machine Learning.


Breaking Smart Speakers: We are Listening to You. Sunday at 12:00 in 101 Track, Flamingo

45 minutes | Demo, Exploit
Wu HuiYu, Security Researcher at Tencent Blade Team
Qian Wenxiang, Security Researcher at Tencent Blade Team

In the past two years, smart speakers have become the most popular IoT device; Amazon, Google and Apple have introduced their own smart speaker products. Most of these smart speakers offer natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to give smart speakers human-like capabilities in chat conversations. However, as smart speakers come into more and more homes and their functions become more powerful, their security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.



In this talk, we will present how to use multiple vulnerabilities to achieve remote attacks on some of the most popular smart speakers. Our final attack effects include silent listening, controlling what the speaker says, and other demonstrations. We're also going to talk about how to extract firmware from BGA-packaged flash chips such as eMMC, eMCP, NAND flash, etc. In addition, we cover how to turn on debug interfaces and get root privileges by modifying firmware content and re-soldering flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely obtain root permissions on some smart speakers and use them for eavesdropping and playing voice.

Wu HuiYu

Wu HuiYu is a security researcher at the Tencent Blade Team of Tencent Security Platform Department. His job now mainly focuses on IoT security research and mobile security research. He is also a bug hunter, winner of GeekPwn 2015, and a speaker at HITB 2018 AMS & POC2017.

Qian Wenxiang

Qian Wenxiang is a security researcher at the Tencent Blade Team of Tencent Security Platform Department. He is focusing on security research of IoT devices. He has also performed security audits for web browsers. He was in the top 100 of the annual MSRC list (2016 & 2017). He published a book called "Whitehat Talk About Web Browser Security".


Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking Sunday at 13:30 in Track 3

20 minutes | Demo
ldionmarcil, Pentester at GoSecure

When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks.



The ESI language consists of a small set of instructions represented by XML tags, served by the backend application server, which are processed on the Edge servers (load balancers, reverse proxies). Due to the upstream-trusting nature of Edge servers, ESI engines are not able to distinguish between ESI instructions legitimately provided by the application server and malicious instructions injected by a malicious party. We identified that ESI can be used to perform SSRF, bypass reflected XSS filters (Chrome), and perform JavaScript-less cookie theft, including HttpOnly cookies.



Identified affected vendors include Akamai, Varnish, Squid, Fastly, WebSphere, WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by introducing ESI and visiting typical infrastructures leveraging it. We will then delve into identification, exploitation of popular ESI engines, and mitigation.

ldionmarcil

Louis is a Security Analyst working at GoSecure in Montreal where he specializes in offensive appsec and pentest on medium to large scale organizations. Seasoned CTF participant and sometimes finalist with the DCIETS team, he has also written challenges for various competitions. Having recently obtained his Software Engineering degree, he dabbles in various research engagements between pentests.



@ldionmarcil


Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from huge to little ones) Saturday at 14:00 in Track 2

20 minutes |
Eduardo Izycki, Hacker
Rodrigo Colli, Hacker

In his notorious book Leviathan, the 17th-century English philosopher Thomas Hobbes stated that we should give our obedience to an unaccountable sovereign, otherwise what awaits us is a state of nature that closely resembles civil war—a situation of universal insecurity. It looks like a lot of current political leaders have read and found the teachings of Hobbes applicable to modern day online life.



We witness the rise of the Digital Leviathan. The same apps and applications that people use to connect, express opinions and dissatisfaction are used by governments (even democratic ones) to perform surveillance and censorship.



This talk will focus on evidence of Nation-State spying, performing surveillance, and censorship. The aim is to present a systematic approach to data regarding cyber attacks against political targets (NGO/political groups/media outlets/opposition), acquisition and/or use of spyware from private vendors, requests for content/metadata from social media/content providers, and blocking of websites/censorship reported by multiple sources.



The findings of the research imply that:

- 25 nations have already used cyber offensive capabilities against political targets.

- 60 nations acquired/developed spyware.

- 117 nations requested content/metadata from social media/content providers.

- 21 countries perform some level of censorship of online content.

Eduardo Izycki

Eduardo Izycki and Rodrigo Colli are both independent researchers with experience in information security and incident response. They worked in a public-private task force for threat and risk assessment for major events in Brazil during the Confederations Cup 2013, World Cup 2014 and Olympic Games 2016.

Rodrigo Colli




Vulnerable Out of the Box: An Evaluation of Android Carrier Devices Friday at 12:00 in Track 1

45 minutes | Audience Participation, Exploit
Ryan Johnson, Director of Research at Kryptowire
Angelos Stavrou, CEO at Kryptowire

Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase. This means that the vulnerabilities are present even before the user enables wireless communications and starts installing third-party apps. To quantify the exposure of the Android end-users to vulnerabilities residing within pre-installed apps and firmware, we analyzed a wide range of Android vendors and carriers using devices spanning from low-end to flagship. Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide. We will provide details of vulnerabilities in devices from all four major US carriers, as well as two smaller US carriers, among others. The vulnerabilities we discovered on devices offered by the major US carriers are the following: arbitrary command execution as the system user, obtaining the modem logs and logcat logs, wiping all user data from a device (i.e., factory reset), obtaining and modifying a user’s text messages, sending arbitrary text messages, getting the phone numbers of the user’s contacts, and more. All of the aforementioned capabilities are obtained outside of the normal Android permission model. Including both locked and unlocked devices, we provide details for 37 unique vulnerabilities affecting 25 Android devices with 11 of them being sold by US carriers. In this talk, we will present our framework, which is capable of discovering 0-day vulnerabilities from binary firmware images and applications at scale, allowing us to continuously monitor devices across different manufacturers and firmware versions. During the talk, we plan to perform a live demo of how our system works.

Ryan Johnson

Ryan Johnson is a PhD student at George Mason University in Fairfax, VA. His research interests are static and dynamic analysis of Android apps and reverse engineering. He is a co-founder of Kryptowire LLC.

Angelos Stavrou

Dr. Angelos Stavrou founded Kryptowire LLC, and he is an Associate Professor at George Mason University (GMU) and the Director of the Center for Assurance Research and Engineering (CARE) at GMU.


NSA Talks Cybersecurity Friday at 11:00 in Track 1

45 minutes |
Rob Joyce

The National Security Agency (NSA) has authorities for both foreign intelligence and cyber security. This unique position gives NSA insights into the ways networks are exploited and the methods that are effective in defending against threats. Over time, NSA has adapted the focus of its security efforts and continues to evolve with technologies and the adversaries we face. The talk will look back at some of the inflection points that have influenced NSA and US Government cybersecurity efforts and look at what is necessary to stay safe in the new environment.

Rob Joyce

Rob Joyce (@RGB_Lights) has been with the National Security Agency (NSA) for 29 years and has led organizations doing both foreign intelligence and cybersecurity work. He is the Senior Advisor for Cybersecurity, having recently returned from the White House as the Cybersecurity Coordinator where he worked national policy, synchronizing activity across the government and partners. His previous assignment was leading Tailored Access Operations (TAO), the organization developing tools, techniques and capabilities to exploit computers for