HTTP Desync Attacks: Smashing into the Cell Next Door Sunday at 12:00 in Track 3

45 minutes | Demo, Tool
albinowax, Head of Research, PortSwigger

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.



Using these targets as case studies, I’ll show you how to delicately amend victims' requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I’ll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page.



Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice.

albinowax

James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU.



Twitter: @albinowax

Website: https://skeletonscribe.net/
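The request-splicing the abstract describes, as an added illustration (not code from the talk or from PortSwigger): a front end that frames requests by Content-Length and a back end that honours Transfer-Encoding: chunked read the same bytes, and the bytes the back end leaves over become the prefix of the next request on the shared connection, here a victim's. The mechanism assumed is the classic Content-Length versus chunked disagreement; the byte stream, the "/internal" path and the "X-Ignore" header are constructed for this example.

```python
"""Simulate an HTTP request-splitting desync: a front end that frames messages by
Content-Length and a back end that frames the same bytes by Transfer-Encoding: chunked.
The byte stream, paths and header names below are constructed for this example."""
from typing import Dict, List


def parse_head(buf: bytes, start: int):
    """Parse one request line plus headers starting at `start`. Returns
    (request_line, headers, body_start) or None if the head is incomplete."""
    end = buf.find(b"\r\n\r\n", start)
    if end < 0:
        return None
    lines = buf[start:end].split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def chunked_body_end(buf: bytes, pos: int) -> int:
    """Return the offset just past a chunked body that starts at `pos`
    (no trailer section is assumed)."""
    while True:
        line_end = buf.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(buf[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return pos + 2          # skip the CRLF that ends the (empty) trailer section
        pos += size + 2             # chunk data plus its trailing CRLF


def split_stream(buf: bytes, policy: str) -> List[dict]:
    """Frame every request in `buf`. policy="cl": always trust Content-Length
    (the front end); policy="te": honour Transfer-Encoding: chunked when present
    (the back end). Both read the same bytes but may disagree on where requests end."""
    requests, pos = [], 0
    while pos < len(buf):
        head = parse_head(buf, pos)
        if head is None:
            break
        request_line, headers, body_start = head
        chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        if policy == "te" and chunked:
            body_end = chunked_body_end(buf, body_start)
        else:
            body_end = body_start + int(headers.get(b"content-length", b"0"))
        requests.append({"request_line": request_line, "headers": headers,
                         "body": buf[body_start:body_end]})
        pos = body_end
    return requests


# Constructed attacker request: Content-Length covers the whole body, so the front end
# forwards it as one message; the chunked terminator "0\r\n\r\n" makes the back end stop
# early and treat the rest as the start of the *next* request. "/internal" and
# "X-Ignore" are hypothetical names for this example.
SMUGGLED_PREFIX = b"GET /internal HTTP/1.1\r\nX-Ignore: "
ATTACK_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACK = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: " + str(len(ATTACK_BODY)).encode() + b"\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" + ATTACK_BODY)
# A later, unrelated request from a victim sharing the same front-end/back-end connection.
VICTIM = b"GET /victim HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = ATTACK + VICTIM


def front_end_view() -> List[bytes]:
    """Request lines as the Content-Length-based front end frames them."""
    return [r["request_line"] for r in split_stream(STREAM, "cl")]


def back_end_view() -> List[dict]:
    """Requests as the chunked-aware back end frames the very same bytes."""
    return split_stream(STREAM, "te")


if __name__ == "__main__":
    print("front end sees:", front_end_view())
    for r in back_end_view():
        print("back end sees:", r["request_line"], dict(r["headers"]))
```

The front end forwards two well-formed requests; the back end also sees two, but the second one is the attacker's smuggled request line, and the victim's own request line has been swallowed into the X-Ignore header. Any trust the back end places on what the front end forwarded (source IP, authentication headers added by the proxy) now applies to the attacker's request.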


Want Strong Isolation? Just Reset Your Processor Sunday at 13:00 in Track 4

45 minutes | Demo, Tool
Anish Athalye, PhD student at MIT

Today's systems sandbox code through traditional techniques: memory protection and user-kernel mode. Even high-security devices like hardware cryptocurrency wallets use such an architecture. Unfortunately, this arrangement has a history of security bugs due to misconfigured protection hardware, bugs in kernel code, hardware bugs, and side channels.



This talk proposes a new approach to isolation for devices like crypto wallets: separate the user and kernel onto two CPUs and multiplex processes by completely resetting the user processor between tasks so that there is no leakage.



Processor reset is more complicated than might be expected. Simply asserting the reset line isn't enough to clear all CPU-internal state, but it turns out that software can be used to clear this state. However, reasoning about the correctness of such code is challenging. This talk presents a tool that can be used to develop and formally verify the correctness of reset code for a given CPU implementation.



This talk also walks through a design of a wallet based on this reset-based isolation technique, discusses known security vulnerabilities in current designs such as the Ledger and Trezor wallets (including bugs in MPU misconfiguration, system calls, and drivers), and explores how a reset-based design could prevent such vulnerabilities.

Anish Athalye

Anish is a PhD student at MIT working on systems, security, and formal verification. He is currently interested in making hardware wallets more secure. In his free time, he enjoys bending neural networks to his will: among other exploits, he has mastered the art of transfiguration (as far as computers are concerned), exemplified by turning a turtle into a rifle.



Twitter: @anishathalye

Websites: anish.io (academic), anishathalye.com (blog)


HackPac: Hacking Pointer Authentication in iOS User Space Friday at 13:00 in Track 1

45 minutes | Demo, Tool, Exploit
Xiaolong Bai, Min (Spark) Zheng

Pointer Authentication (PAuth for short) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted encryption, thus eliminating the threats of code-reuse attacks. In PAuth, a cryptographic signature called a PAC is calculated from a pointer value and inserted into the pointer. When the pointer is about to be used, the PAC is extracted and verified to check whether it is consistent with the original pointer value. In this way, PAuth is able to ensure that pointers are not tampered with. iOS deployed PAuth in user-space system services, protecting pointers that may affect the control flow and preventing code-reuse attacks like ROP and JOP.



However, in our study, we found that a fatal flaw in the implementation of iOS PAuth makes user-space system services still vulnerable to code-reuse attacks. The flaw is: iOS uses the same signing key in different user-space processes. This flaw allows a signed pointer from a malicious process to be correctly verified in a system service, thus making it possible to launch JOP. In this talk, we will explain how we found the flaw and why it is inevitable. Furthermore, we will demonstrate how to leverage this flaw and launch JOP attacks in a PAuth-protected system service. Also, we will propose a new tool, PAC-gadget, to automatically find JOP gadgets in PAuth-protected binaries.

Xiaolong Bai

Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. degree from Tsinghua University. He has published several research papers at top conferences including IEEE S&P, Usenix Security, CCS, NDSS, and presented his research at Black Hat, DEF CON, HITB, CanSecWest, etc. He has been acknowledged by famous vendors, including Apple, Google, Facebook, Evernote, and Tencent for his contribution in discovering vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development.



Twitter: @bxl1989

Website: https://xiaolongbai.weebly.com/

Github: https://github.com/bxl1989/

Min (Spark) Zheng

Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. degree from the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, system design and implementation. Before receiving the Alibaba A-Star offer award in 2015, he worked at FireEye, Baidu and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the “best security researcher” award at FIT 2016 for detecting the iOS/macOS vulnerabilities, XcodeGhost virus and WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He has presented his research at DEF CON, HITB, BlackHat, RUXCON, etc.



Twitter: @SparkZheng
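An added model of the flaw the abstract states, written for this page (not the speakers' code and not Apple's implementation): when two user-space processes share one signing key, a pointer signed in the attacker's process authenticates in the system service, while PAC still catches a pointer whose address bits were changed after signing. The hardware's block cipher is replaced by a truncated HMAC, and the 48-bit address width, the key material, the gadget address and the modifier value are all assumptions of the example; per-process keys are shown as the contrast case.

```python
"""Model of pointer authentication (PAC) with per-process versus shared signing keys.
This is an illustration for this page, not Apple's implementation: the real PAC is
computed by a hardware block cipher from the pointer, a 64-bit modifier and a key
register; here an HMAC truncated to the unused upper pointer bits stands in for it."""
import hashlib
import hmac
from typing import Optional

VA_BITS = 48                            # assumed: 48-bit virtual addresses, PAC in bits 63..48
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << (64 - VA_BITS)) - 1


def compute_pac(ptr: int, modifier: int, key: bytes) -> int:
    """Keyed MAC over (pointer, modifier), truncated to the PAC field width."""
    msg = ptr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & PAC_MASK


def pac_sign(ptr: int, modifier: int, key: bytes) -> int:
    """PACxx-style sign: store the PAC in the upper bits of a canonical pointer."""
    ptr &= VA_MASK
    return ptr | (compute_pac(ptr, modifier, key) << VA_BITS)


def pac_auth(signed: int, modifier: int, key: bytes) -> Optional[int]:
    """AUTxx-style authenticate: return the stripped pointer, or None on a bad PAC
    (real hardware instead poisons the pointer so that its next use faults)."""
    ptr = signed & VA_MASK
    if (signed >> VA_BITS) & PAC_MASK != compute_pac(ptr, modifier, key):
        return None
    return ptr


# Hypothetical key material, address and modifier, constructed for the example.
ATTACKER_KEY = hashlib.sha256(b"attacker process key (constructed)").digest()
SERVICE_KEY = hashlib.sha256(b"service process key (constructed)").digest()
GADGET_ADDR = 0x0000_0001_8000_4F20     # address of a JOP gadget inside the service
MODIFIER = 0x1234                       # discriminator used by both signer and verifier


def forged_pointer_verifies(shared_key: bool) -> bool:
    """The attacker signs a gadget address in its own process and plants it where the
    service will authenticate it. With a shared key the forgery verifies."""
    service_key = ATTACKER_KEY if shared_key else SERVICE_KEY
    signed_by_attacker = pac_sign(GADGET_ADDR, MODIFIER, ATTACKER_KEY)
    return pac_auth(signed_by_attacker, MODIFIER, service_key) == GADGET_ADDR


def tampered_pointer_verifies() -> bool:
    """Even with a shared key, changing address bits after signing is still caught:
    that is the attack PAuth was designed against."""
    signed = pac_sign(GADGET_ADDR, MODIFIER, ATTACKER_KEY)
    return pac_auth(signed ^ 0x10, MODIFIER, ATTACKER_KEY) is not None


if __name__ == "__main__":
    print("forgery verifies with shared key:   ", forged_pointer_verifies(shared_key=True))
    print("forgery verifies with per-process key:", forged_pointer_verifies(shared_key=False))
    print("tampered pointer verifies:          ", tampered_pointer_verifies())
```

The point the model makes is that PAC proves a pointer was signed by someone holding the key, not by whom; once every process holds the same key, any process can mint pointers the service will accept, and what remains is the gadget search the PAC-gadget tool automates.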


Help Me, Vulnerabilities. You're My Only Hope Sunday at 12:00 in Track 4

45 minutes | Tool, Exploit
Jacob Baines, Research Engineer, Tenable

MikroTik routers keep getting owned. They’ve been exploited by advanced threats like VPNFilter, Slingshot APT, and Trickbot. They’ve been compromised by coin miners, botnets, and who knows what else. With each new campaign the security industry publishes new indicators of compromise and everyone moves on.



However, MikroTik administrators operate in a sandbox. They have very limited access to the router’s underlying file system and almost no ability to directly interact with the Linux operating system. Due to these limitations, file hashes cannot answer the fundamental question that is asked again and again on the MikroTik forums, “Have I been compromised?”



It’s time the users had their question answered. In this talk, I’ll present three vulnerabilities that can help MikroTik administrators break out of the sandbox. I’ll show how to use these vulnerabilities to help determine if the router has been compromised.

Jacob Baines

Jacob is the founding member of Tenable's Zero Day Research group. He focuses much of his research efforts on routers and other IoT devices. Sometimes he even finds vulnerabilities.



Twitter: @junior_baines


Hacking WebAssembly Games with Binary Instrumentation Sunday at 10:00 in Track 3

45 minutes | Demo, Tool
Jack Baker

WebAssembly is the newest way to play video games in your web browser. Both Unity3d and Unreal Engine now support WebAssembly, meaning the amount of WebAssembly games available is growing rapidly. Unfortunately the WebAssembly specification is missing some features game hackers might otherwise rely on. In this talk I will demonstrate adapting a number of game hacking techniques to WebAssembly while dealing with the limitations of the specification.



For reverse engineers, I will show how to build and inject your own "watchpoints" for debugging WebAssembly binaries and how to insert symbols into a stripped binary.



For game hackers, I will show how to use binary instrumentation to implement some old-school game hacking tricks and show off some new ones.



I will be releasing two tools: a binary instrumentation library built for modifying WebAssembly binaries in the browser, and a browser extension that implements common game hacking methods a la Cheat Engine.

Jack Baker

Jack Baker is a professional vulnerability researcher and amateur video game hacker. His primary areas of expertise include web application security, embedded reverse engineering, and Tony Hawk's Pro Skater 3.



Github: https://github.com/Qwokka


The ABC of Next-Gen Shellcoding Sunday at 11:00 in Track 1

45 minutes | Demo, Tool
Hadrien Barral, Hacker; Rémi Géraud-Stewart, Hacker; Georges-Axel Jaloyan, PhD Student at ENS

Shellcodes are short executable stubs that are used in various attack scenarios, whenever code execution is possible. After briefly recalling how they work in general and what interesting things they can do, besides obviously running a reverse shell, we'll have to deal with the reality that shellcodes are usually not particularly stealthy, due in part to the very suspicious presence of non-printable characters. In a tutorial-like fashion, we'll address increasingly complex constraints. As a reward, we reveal new methods for writing, in particular, alphanumeric shellcodes, and for attacking platforms for which (to the best of our knowledge) no such shellcode was previously known.



Don't know anything about constrained shellcodes? Do not worry: we'll start from the ground up. Black belt in shellcoding? We have you covered; stay until the end, where we'll get our hands dirty!

Hadrien Barral

Hadrien Barral is an R&D engineer, focusing on Operating Systems, Security and High-Assurance software. In his spare time, he enjoys hacking on various and obscure systems.

Rémi Géraud-Stewart

Rémi Géraud-Stewart is a cryptologist and security expert with École normale supérieure in Paris, focusing on intrusion and cyberwarfare.

Georges-Axel Jaloyan

Georges-Axel Jaloyan is a PhD student at Ecole normale supérieure in Paris focusing on formal methods applied to reverse-engineering, in collaboration with the French Alternative Energies and Atomic Energy Commission (CEA).


Are Quantum Computers Really A Threat To Cryptography? A Practical Overview Of Current State-Of-The-Art Techniques With Some Interesting Surprises Thursday at 12:00 in DC101, Paris Theatre

45 minutes | Demo
Andreas Baumhof, Vice President Quantum Technologies, QuintessenceLabs Inc.

Shor's Algorithm for factoring integer numbers is the big threat to cryptography (RSA/ECC) as it reduces the complexity from exponential to polynomial, which means a Quantum Computer can reduce the time to crack RSA-2048 to a mere 10 seconds. However, current noisy NISQ-type quantum computers are very limited, to something like 16-bit RSA keys. And the quality of the current qubits is so bad that error correction comes at a massive cost of at least 100 times the amount of qubits.



While the world is preoccupied with whether we have universal quantum computers big enough for Shor's algorithm, Quantum Annealing is stealing the show, having factored a 20-bit number just in January this year using 97 qubits. And these qubits are actually good enough to factor bigger numbers. If we assume linear scalability, we'd "only" need around 10,000 qubits to factor a 2048-bit RSA key. D-Wave announced a quantum computer with 5,640 qubits, so that puts it within reach soon.



So, could Quantum Annealing be more of a threat to cryptography than Shor's algorithm on universal quantum computers? How do these algorithms work? How do they achieve a polynomial complexity for what traditional computers need exponential time? What impact will this have on the competition from NIST for the design of post-quantum-cryptography algorithms?

Andreas Baumhof

Andreas Baumhof is Vice President Quantum Technologies at Quintessence Labs. He is responsible for all developments relating to Quantum Technologies such as Quantum Random Number Generator, Quantum Key Distribution or Quantum Computing in general. Before this role, Andreas was CTO for ThreatMetrix Inc, the global leader in digital identities, where he was responsible for software engineering. He helped lead the company to a very successful exit and a 830m USD acquisition by Lexis Nexis/RELX. Andreas holds a mathematics degree from the University of Munich. In his spare time he enjoys mountain biking, snowboarding and spending time with his family.



Twitter: @abaumhof

LinkedIn: https://www.linkedin.com/in/abaumhof/


Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers Sunday at 10:00 in Track 1

45 minutes | Demo, Tool
Sheila Ayelen Berta, Security Researcher

Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, cars' ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots.



In this talk, it will be explained how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieve payload injection, from basic to advanced techniques. The first method consists of locating the entry point of the firmware and injecting our payload there; this is an easy way to execute it at least once. As a second, and more complex, technique, we will backdoor the EUSART communication by injecting a malicious payload at the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allows us to take control of the microcontroller’s program flow by manipulating the stack, writing memory addresses at the TOS; with this we can execute a payload made with instructions already written in the original program, performing it just like a ROP-chain technique.

Sheila Ayelen Berta

Sheila Ayelen Berta is an Information Security Specialist and Developer, who started on her own at 12 years old. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and software. She has also given courses on hacking techniques at universities and private institutes in Argentina. Sheila currently works as a Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers and microprocessors x86/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat Briefings, DEF CON 26, DEF CON 25 CHV, HITB, HackInParis, Ekoparty, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.



Twitter: @UnaPibaGeek


Behind the Scenes: The Industry of Social Media Manipulation Driven by Malware Friday at 10:00 in Track 3

45 minutes
Olivier Bilodeau, Cybersecurity Research Lead at GoSecure; Masarah Paquet-Clouston, Cybersecurity Researcher at GoSecure

This talk is the grand finale of a four-year long investigation that started with analyzing an IoT botnet, to discovering the structured industry that exists behind social media manipulation (SMM). SMM is the deliberate act of paying for popularity with followers or activity on social media.



Adopting a bottom-up approach, the thorough methodology undertaken to study the botnet will be presented: from building honeypots, infecting them with malware and conducting a man-in-the-middle attack on the honeypots’ traffic to access the decrypted HTTPS content between the C&Cs and social networks. Then, the various investigative paths taken to analyze this large data set, leading to the discovery of industry actors involved in the supply chain of social media manipulation, will be presented. These investigative paths include traffic analysis, various OSINT approaches to reveal and understand actors, reverse-engineering the software that automates the use and creation of fake accounts, forum investigations, and qualitative profiling. All actors involved in the industry will be mapped, from malware authors, to reseller panels, and customers of fake popularity.



The potential profitability of the industry will then be discussed, as well as the revenue division in the chain, demonstrating that the ones making the highest revenue per fake follower sold are not the malware authors, but rather those at the end of the chain.

Olivier Bilodeau

Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, he enjoys attracting malware in honeypots, writing tools for malware research, reverse-engineering all-the-things and vulnerability research. A passionate communicator, Olivier has spoken at several conferences like BlackHat Europe, DEF CON, Botconf, SecTor, Derbycon, HackFest and many more. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on applied information security, and NorthSec, Montreal's community conference and Capture-The-Flag.



Twitter: @obilodeau

Website: https://gosecure.net/blog/

Masarah Paquet-Clouston

Masarah Paquet-Clouston is a security researcher at GoSecure, a PhD student at Simon Fraser University in criminology and one of Canada’s decorated 150 scientific innovators. With her background in economics and criminology, she specializes in the study of markets behind illicit online activities. She has published in several peer-reviewed journals, such as Social Networks, Global Crime and the International Journal for the Study of Drug Policy, and presented at various international conferences including Virus Bulletin, Black Hat Europe, Botconf and the American Society of Criminology.



Twitter: @masarahclouston

Website: https://gosecure.net/blog/


.NET Malware Threats: Internals And Reversing Saturday at 15:00 in Track 4

45 minutes
Alexandre Borges, Security Researcher at Blackstorm Security

.NET malware is well known to security analysts, but even though many tools exist to make the analysis easier, such as dnSpy, .NET Reflector, de4dot and so on, most professionals have used them as black-box tools, without concerning themselves with .NET internals, structures, MSIL coding and details. In critical cases, it is necessary to have enough knowledge about the internal mechanisms and to debug these .NET threats using WinDbg.



Unfortunately, .NET malware samples have become very challenging because it is so complicated to deobfuscate the associated resources, as well as to unpack and dump them from memory. Furthermore, most GUI debugging tools do not offer an inside view of mechanisms such as the CLR Loader, Managed Heap, synchronization issues and Garbage Collection.



On the other hand, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows one to see code injections using MSIL, and attempts to compromise the .NET Runtime keep being a real concern.



The purpose of this presentation is to help professionals understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and a few reversing techniques.

Alexandre Borges

Alexandre Borges is a Security Researcher who has been working daily on Reverse Engineering and Digital Forensic Analysis for many years. He has taught training courses about Malware and Memory Analysis, Digital Forensics Analysis and Mobile Forensics around the world. Furthermore, Alexandre is the creator and maintainer of the Malwoverview triage tool: https://github.com/alexandreborges/malwoverview.



Alexandre has spoken in several conferences such as DEF CON USA (2018), DEF CON CHINA (2019), CONFidence Conference 2019, HITB 2019 Amsterdam, H2HC Conference (2015/2016), BSIDES Sao Paulo (2019/2018/2017/2016) and BHACK Conference (2018).



Finally, he is a referee of Digital Investigation: The International Journal of Digital Forensics & Incident Response (https://www.journals.elsevier.com/digital-investigation/editorial-board)



Twitter: @ale_sp_brazil

LinkedIn: http://www.linkedin.com/in/aleborges

Website: http://www.blackstormsecurity.com/bs/en/en_articles.html, Tool: https://github.com/alexandreborges/malwoverview


The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to Do If ROP Is Too Easy Friday at 16:00 in Track 4

20 minutes | Demo, Tool
Dr. Bramwell Brizendine, Assistant Professor of Computer and Cyber Sciences, Dakota State University; Dr. Joshua Stroschein, Assistant Professor of Cyber Security/Network & Security Administration, Dakota State University

Return-oriented Programming (ROP) has been the predominant code-reuse attack for over a decade, but there are other options. Many mitigations can detect ROP due to heuristics, but these fail to detect Jump-oriented Programming (JOP). The JOP ROCKET is a reverse engineering framework dedicated to facilitating JOP exploits. It allows hackers to discover JOP gadgets. This includes dispatcher gadgets, which help to subvert and direct the control flow, and functional gadgets, our primitives. This tool provides numerous options to give hackers flexibility in how to find gadgets, to narrow and expand possibilities. Additionally, the tool uses opcode-splitting to discover many unintended gadgets. All gadgets are classified based on operation as well as registers used and affected. Thus, hackers can easily obtain the desired functional gadgets, such as MOV EBX, [VALUE], using simple language commands. Because of JOP's much more complex setup, the tool provides this classification, so time isn’t wasted hunting through results.



JOP is rarely done in the wild. Part of that complexity is in the setup, but another part is the lack of dedicated tools. Having to find JOP gadgets manually can be time-consuming and require expertise. JOP ROCKET simplifies that, allowing JOP gadgets to be found quickly and easily.



This talk will give brief content on ROP, and then it introduces JOP and its history. Then we will dive into JOP ROCKET, discussing its features, how to use it to find JOP gadgets, and how to set up your own JOP exploit. We will then demo the tool.

Dr. Bramwell Brizendine

Dr. Bramwell Brizendine graduated with a Ph.D. in Cyber Operations in May 2019. He holds master's degrees in Computer Science and Information Assurance. Bramwell is a professor at Dakota State University where he teaches topics such as reverse engineering, software exploitation, and malware analysis. Bramwell is the creator of the JOP ROCKET, or the Jump-oriented Programming Reversing Open Cyber Knowledge Expert Tool. Bramwell has been interested in code-reuse attacks for several years. Bramwell was overcome by the urge to present a tool that made JOP more practical and useful for hackers who may wish to attempt using this more arcane class of code-reuse attacks. The JOP ROCKET is a by-product of his doctoral dissertation.

Dr. Joshua Stroschein

Dr. Josh Stroschein is a professor at Dakota State University. He teaches undergraduate and graduate courses in cyber security with a focus on malware analysis, reverse engineering and software exploitation. His research interests include malware analysis and software exploitation. Outside of DSU, you can find Josh providing training at such venues as DerbyCon, Hack-In-The-Box and ToorCon.



Website: https://0xevilc0de.com
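The gadget search the abstract describes, as an added toy implementation written for this page (not the JOP ROCKET's own code): locate every indirect jmp/call at every byte offset, then walk backwards from each terminator and keep each start offset that decodes cleanly into it, so that gadgets hidden inside immediates (opcode splitting) turn up alongside the intended ones. The decoder covers only a small subset of 32-bit x86, and the sample bytes are constructed so that one `mov eax, imm32` conceals an unintended `inc ecx; jmp eax`.

```python
"""Toy JOP gadget finder for 32-bit x86 with opcode splitting. An illustration written for
this page, not the JOP ROCKET's code: it decodes only a small instruction subset, but the
search strategy (find every indirect jmp/call at every byte offset, then walk backwards
and keep each start offset that decodes cleanly into the terminator) is the same idea."""
from typing import List, Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
Gadget = Tuple[int, List[str]]


def decode_one(buf: bytes, pos: int) -> Optional[Tuple[str, int]]:
    """Decode one instruction from a subset of x86-32; returns (text, length) or None
    when the bytes at `pos` are outside the subset."""
    if pos >= len(buf):
        return None
    op = buf[pos]
    if op == 0x90:
        return ("nop", 1)
    if 0x40 <= op <= 0x47:
        return (f"inc {REGS[op - 0x40]}", 1)
    if 0x48 <= op <= 0x4F:
        return (f"dec {REGS[op - 0x48]}", 1)
    if 0x50 <= op <= 0x57:
        return (f"push {REGS[op - 0x50]}", 1)
    if 0x58 <= op <= 0x5F:
        return (f"pop {REGS[op - 0x58]}", 1)
    if 0xB8 <= op <= 0xBF and pos + 5 <= len(buf):           # mov r32, imm32
        imm = int.from_bytes(buf[pos + 1:pos + 5], "little")
        return (f"mov {REGS[op - 0xB8]}, 0x{imm:x}", 5)
    if pos + 2 > len(buf):
        return None
    modrm = buf[pos + 1]
    if modrm >> 6 != 3:                                       # register-direct forms only
        return None
    reg, rm = (modrm >> 3) & 7, modrm & 7
    alu = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x89: "mov"}
    if op in alu:                                             # op r/m32, r32
        return (f"{alu[op]} {REGS[rm]}, {REGS[reg]}", 2)
    if op == 0x8B:                                            # mov r32, r/m32
        return (f"mov {REGS[reg]}, {REGS[rm]}", 2)
    if op == 0xFF and reg in (2, 4):                          # FF /2 call r32, FF /4 jmp r32
        return (f"{'call' if reg == 2 else 'jmp'} {REGS[rm]}", 2)
    return None


def is_indirect_branch(text: str) -> bool:
    return text.startswith(("jmp ", "call "))


def find_jop_gadgets(buf: bytes, max_insns: int = 5) -> List[Gadget]:
    """Return (start_offset, instructions) for every straight-line sequence in the
    subset that ends in an indirect jmp/call. Candidate starts are tried at every byte,
    so gadgets hidden inside immediates (opcode splitting) are found as well."""
    gadgets: List[Gadget] = []
    for end in range(len(buf)):
        term = decode_one(buf, end)
        if term is None or not is_indirect_branch(term[0]):
            continue
        for start in range(max(0, end - 5 * max_insns), end):
            insns, pos, ok = [], start, True
            while pos < end and len(insns) < max_insns:
                decoded = decode_one(buf, pos)
                if decoded is None or is_indirect_branch(decoded[0]):
                    ok = False        # undecodable byte, or a branch before the terminator
                    break
                insns.append(decoded[0])
                pos += decoded[1]
            if ok and pos == end and insns:
                gadgets.append((start, insns + [term[0]]))
    return gadgets


def gadgets_ending_in(gadgets: List[Gadget], register: str) -> List[Gadget]:
    """Simple classification: keep gadgets whose terminator dispatches through `register`."""
    return [g for g in gadgets if g[1][-1].endswith(" " + register)]


# Constructed code bytes. The first instruction is `mov eax, 0x90e0ff41`; its immediate
# contains FF E0 (`jmp eax`), so splitting it yields the unintended gadget `inc ecx; jmp eax`.
SAMPLE = bytes([
    0xB8, 0x41, 0xFF, 0xE0, 0x90,   # mov eax, 0x90e0ff41
    0x89, 0xC8,                     # mov eax, ecx
    0x5A,                           # pop edx
    0xFF, 0xD1,                     # call ecx
    0x31, 0xC0,                     # xor eax, eax
    0xFF, 0xE7,                     # jmp edi
])

if __name__ == "__main__":
    for start, insns in find_jop_gadgets(SAMPLE):
        print(f"0x{start:04x}: " + "; ".join(insns))
```

The `call ecx` at offset 8 yields four gadgets of different lengths starting at offsets 0, 4, 5 and 7, which is the usual situation in a real binary and the reason classification by terminator register and operation matters more for JOP than for ROP: a dispatcher gadget needs a terminator through one specific register, and every functional gadget must hand control back to it.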


A Hacker Guide To Deep-Learning Based Side Channel Attacks Friday at 14:00 in Track 3

45 minutes | Demo, Tool
Elie Bursztein, Google; Jean Michel Picod, Google

This talk explores how AI is revolutionizing hardware side-channel attacks and what this new wave of attacks means for the future of hardware cryptography. Based on the lessons learned while successfully attacking many hardware AES implementations using deep learning, this talk discusses why those attacks are fundamentally more efficient and details how to conduct them in practice.

Elie Bursztein

Elie Bursztein leads Google's security & anti-abuse research team. He has authored over fifty research papers in the field, for which he was awarded 6 best paper awards and multiple industry distinctions including the Black Hat Pwnie award. Born in Paris, he received a Ph.D. from ENS Cachan in 2008 before working at Stanford University and ultimately joining Google in 2011.



Twitter: @elie

Website: https://elie.net

Jean Michel Picod

Jean-Michel Picod is currently working at Google Switzerland. He holds an engineering degree in computer systems, networks and security. He has contributed to several open source projects (GoodFET, pynids, etc.) and published several open source tools such as DPAPIck, OWADE, scapy-radio and forensic scripts.



Twitter: @jmichel_p

Website: https://www.j-michel.org/


SDR Against Smart TVs: URL and Channel Injection Attacks Sunday at 11:00 in Track 2

45 minutes | Demo, Tool
Pedro Cabrera Camara, Founder, Ethon Shield

Software-defined radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: the Smart TV. This presentation will show in detail the HbbTV platform of Smart TVs, to understand and demonstrate two attacks on these televisions using low-cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

Pedro Cabrera Camara

An Industrial and Electronics Engineer, Pedro is an enthusiast of Software Defined Radio and UAVs who has worked for 12 years in the main Spanish telecommunications operators, conducting security audits and pentesting in mobile and fixed networks. In addition to working with telecommunications operators, Pedro leads open source projects such as intrusion detection systems for GSM, UMTS and LTE networks, which has led him to study the various fake station attacks and existing solutions. In recent years he has participated in security events in the United States (RSA, CyberSpectrum, DEF CON DemoLabs), Asia (BlackHat Trainings) and Europe (Rootedcon, Euskalhack, AlligatorCON).



Twitter: @PcabreraCamara

Website: http://www.fakebts.com


Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming Saturday at 12:00 in Track 2

45 minutes | Demo, Tool
Damien Cauquil (virtualabs), Senior Security Researcher @ Econocom Digital.Security

Bluetooth Low Energy version 5 was published in late 2016, but we still have no sniffer supporting this specific version (and not that many compatible devices either). The problem is that this new version introduces a new channel hopping algorithm that renders previous sniffing tools useless, as devices can no longer be attacked and connections analyzed. This new algorithm is based on a brand new pseudo-random number generator (PRNG) to provide better collision avoidance while kicking out all of our good old sniffing tools.



Unless some random hacker manages to break this not-that-strong PRNG and upgrades his BLE sniffing tool to support this algorithm ;). In this talk, we will explain why this PRNG is vulnerable and how it can be easily defeated to sniff and jam communications between two BLE 5 devices. A new version of BtleJack will be released during this talk, providing an efficient way to sniff BLE 5 connections to our fellow IoT hacker family.

Damien Cauquil (virtualabs)

Damien is a senior security researcher who joined Digital Security in 2015 as the head of research and development. He discovered how wireless protocols can be fun to hack and quickly developed BtleJuice, one of the first Bluetooth Low Energy MitM frameworks, and BtleJack, a BLE swiss-army knife released in 2018.



Damien has presented at various security conferences including DEF CON, Hack In Paris, Chaos Communication Camp, Chaos Communication Congress, BruCon, Hack.lu, and a dozen times at Nuit du Hack, one of the oldest French hacking conferences.



Twitter: @virtualabs


Malproxying: Leave Your Malware at Home Sunday at 12:00 in Track 2

45 minutes | Demo, Tool
Hila Cohen, Security Researcher, XM Cyber; Amit Waisel, Senior Technical Leader, XM Cyber

During a classic cyber attack, one of the major offensive goals is to execute code remotely on valuable machines. The purpose of that code varies on the spectrum from information extraction to physical damage. As defenders, our goal is to detect and eliminate any malicious code activity, while hackers continuously find ways to bypass the most advanced detection mechanisms. It’s an endless cat-and-mouse game where new mitigations and features are continuously added to the endpoint protection solutions and even the OS itself in order to protect the users against newly discovered attack techniques. In this talk, we present a new approach for malicious code to bypass most endpoint protection measures. Our approach covertly proxies the malicious code operations over the network, never deploying the actual malicious code on the victim side. We are going to execute code on an endpoint, without really storing the code on disk or loading it to memory. This technique potentially allows attackers to run malicious code on remote victims, in such a way that the code is undetected by the victim’s security solutions. We denote this technique as “malproxying”.

Hila Cohen

Hila Cohen is a passionate Security Researcher at XM Cyber, where she investigates new attack techniques and develops detection and mitigation capabilities. Hila has a vast knowledge in the fields of malware analysis, reverse engineering and incident response. Amit Waisel

Amit Waisel is a Senior Technical Leader at XM Cyber. He is a seasoned data security expert with vast experience in cyber offensive projects. Prior to XM Cyber, Amit filled multiple data security positions in the Israeli intelligence community. Amit is well experienced with malware detection and analysis techniques, operating system internals and security-oriented software development. He graduated with honors from Tel Aviv University with an MSc in Computer Science.


Contests Awards Ceremony Sunday at 14:00 in Track 4

90 minutes
Contests & Events Goons

You've seen the Contests, you've played in a Contest, you've won a Contest and may have lost a Contest! Whatever the outcome was, come join us as we celebrate the winners and contestants of our DEF CON 27 Contests! DEF CON 27 Contests and Events Closing Ceremonies will be August 11th at 14:00 in Track 4. Black Badge winning Contests will still be honored at the main DEF CON 27 Closing Ceremonies on August 11th at 16:00 in the Paris Ballroom!


Closing Ceremonies Sunday at 16:00 in Paris Ballroom

120 minutes The Dark Tangent & Goons DEF CON 27 draws to a close. Prizes awarded, Black Badge winners announced, thanks given, future plans revealed.


How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the Black Market Saturday at 12:00 in Track 1

45 minutes

Joseph Cox, Senior Staff Writer, Motherboard

Major US telecommunications companies AT&T, T-Mobile, and Sprint have been quietly selling access to their customers’ real-time location data, including cell tower information as well as highly precise GPS data. Through a complex network of dodgy data aggregators and middlemen companies, this data access eventually trickled down to a slew of different industries, used car salesmen, landlords, and hundreds of bounty hunters, likely without your knowledge or informed consent. In this talk, based on leaked documents, sources, and first-hand experience, Joseph will explain how this data industry works, the players involved, and also how the data access is available on the black market, where it can be used in any way an attacker fancies: Joseph paid a source $300 to successfully locate a phone in New York.

Joseph Cox

Joseph is an investigative reporter for Motherboard, the science and technology section of VICE. He covers cybersecurity, the digital underground, and social media platforms.



Twitter: @josephfcox


Practical Key Search Attacks Against Modern Symmetric Ciphers Friday at 14:00 in Track 4

45 minutes | Demo

Daniel "ufurnace" Crowley, Research Baron, X-Force Red
Daniel Pagan, Student, Georgia Tech

In theory, brute force key recovery attacks against modern ciphers like AES should be impractical with the current state of computer hardware. It's often said that recovering an AES key should take longer than the remainder of the life of the sun. However, this assumes that keys are chosen properly, and that there is no way to determine whether a key is the correct one after a candidate key is used to decrypt a captured ciphertext.



In practice, these conditions do not always hold. In much the same way that hash functions are impossible to reverse but hash cracking is still a practical attack, in the real world it is often possible to perform practical key search attacks. In this talk, we will discuss the common mistakes and common conditions that allow for practical brute force recovery of keys for modern block ciphers such as AES. We will also discuss optimizations to speed up key search efforts, and present our FOSS tool, which implements our approach.

Daniel "ufurnace" Crowley

Daniel Crowley is the head of research and a penetration tester for X-Force Red. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. Daniel enjoys climbing large rocks and is TIME magazine's 2006 person of the year. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie and brews his own beer. Daniel's work has been included in books and college courses. Daniel also holds the noble title of Baron in the micronation of Sealand.

Daniel Pagan

Daniel Pagan is a student at Georgia Tech, a DEF CON TV goon, and a Lord in the micronation of Sealand.


I Know What You Did Last Summer: 3 Years of Wireless Monitoring at DEF CON Friday at 16:00 in Track 2

20 minutes | Demo, Tool

d4rkm4tter (Mike Spicer), Hacker

For the past 3 years d4rkm4tter has been obsessed with monitoring the wireless networks at DEF CON. This talk will take you on a journey through the successes and failures that led to the creation of the WiFiCactus and the over 1 TB of data captured. A history of each capture project including a summary of the most interesting pieces of data will be shown.



Many people spread a lot of fear, uncertainty and doubt about the wireless environments during DEF CON. This presentation aims to bring some clarity to what is really happening in the airwaves during one of the largest hacker conferences in the world. This will include presenting data on the attacks and sensitive information that exists in the airwaves. This presentation will demonstrate the risks of using wireless networks and information leaks that can be captured by anyone who is passively listening. Countermeasures and protection strategies will be provided to help you avoid having your data captured by those who might be listening.



With the number of connected devices around us, there has never been a better time to start wardriving or warwalking. Everyone is capable of profiling wireless data around them thanks to cheap hardware and open source tools. As hackers it is important for us to discover issues and vulnerabilities while validating claims of security by software and hardware vendors. Monitoring wireless communication is a great way to start validating those claims. All of the hardware and methods used will be provided so that anyone can do this type of monitoring on their own. Hack the Planet!

d4rkm4tter (Mike Spicer)

d4rkm4tter is a mad scientist hacker who likes to meddle with hardware and software. He is particularly obsessed with wireless. He has a degree in computer science from Southern Utah University which he has put to use building and breaking a wide array of systems. These include web application pentesting, wireless monitoring and tracking as well as good old fashioned reverse engineering. He is the creator of the #WiFiCactus and has been seen presenting Demolabs at DEF CON and DEF CON China Beta. He is a Kismet cultist and active in the wireless and wardriving communities.



Twitter: @d4rkm4tter

Website: palshack.org


D0 N0 H4RM: A Healthcare Security Conversation Friday at 20:00 in Firesides Lounge

120 minutes

Christian “quaddi” Dameff, Medical Director of Security at The University of California San Diego
Jeff “r3plicant” Tully MD, Anesthesiologist at The University of California Davis
Suzanne Schwartz MD, Associate Director for Science and Strategic Partnerships at the US Food and Drug Administration (FDA)
Marie Moe PhD, Researcher and Hacker
Billy Rios, Founder of Whitescope
Jay Radcliffe, Security Researcher at Thermo Fisher Scientific

Technology’s promise flows within medicine like blood through veins. With every drip of life-saving medicine given to the smallest babies, with every paced beat of a broken heart, connected tech has changed the way we treat patients and offers near limitless potential to improve our health and wellness. But it’s taken an army of dedicated protectors to ensure that such promise isn’t outweighed by peril, and hackers are fighting on the front lines to safeguard medical devices and infrastructure so they remain worthy of our trust. Join docs quaddi and r3plicant as they once again curate a selection of medicine’s finest hackers and allies for D0 N0 H4RM, the uniquely DEF CON conversation between the unsung heroes in the healthcare space: security researchers and advocates working to protect patients one broken med device at a time. Spun from an off-con hotel room gathering between friends into progressively in-demand talks at DC 25 and 26, we’ve returned to bring you insight and inspiration, divorced from the spin and formality of an increasingly industry-saturated landscape, from the people whose primary goal is to kick ass and save lives.

Christian “quaddi” Dameff

Christian (quaddi) Dameff MD is an emergency medicine doctor, former open capture the flag champion, prior DEF CON/RSA/Blackhat/HIMSS speaker, and security researcher. He is currently the Medical Director of Cybersecurity at The University of California San Diego. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Published security research topics include hacking critical healthcare infrastructure, medical devices and the effects of malware on patient care. This is his fifteenth DEF CON.



Twitter: @CdameffMD

Jeff “r3plicant” Tully MD

Jeff (r3plicant) Tully is an anesthesiologist, pediatrician and security researcher with an interest in understanding the ever-growing intersections between healthcare and technology.



Twitter: @JeffTullyMD

Suzanne Schwartz MD

Dr. Suzanne Schwartz’s programmatic efforts in medical device cybersecurity extend beyond incident response to include raising awareness, educating, outreach, partnering and coalition-building within the Healthcare and Public Health Sector (HPH) as well as fostering collaborations across other government agencies and the private sector. Suzanne has been recognized for Excellence in Innovation at FDA’s Women’s History Month on March 1st 2018 for her work in Medical Device Cybersecurity. Suzanne chairs CDRH’s Cybersecurity Working Group, tasked with formulating FDA’s medical device cybersecurity policy. She also co-chairs the Government Coordinating Council (GCC) for the HPH Critical Infrastructure Sector, focusing on the sector’s healthcare cybersecurity initiatives.

Marie Moe PhD

Dr. Marie Moe cares about public safety and securing systems that may impact human lives; this is why she joined the grassroots organisation “I Am The Cavalry”. Marie is a Research Manager at SINTEF, the largest independent research organisation in Scandinavia, and has a PhD in information security. She is also an Associate Professor at the Norwegian University of Science and Technology. She has experience as a team leader at NorCERT, where she did incident handling of cyberattacks against Norway’s critical infrastructure. She is currently doing research on the security of her own personal critical infrastructure, an implanted pacemaker that is generating every single beat of her heart. Marie loves to break crypto protocols, but gets angry when the broken crypto is in her own body.



Twitter: @MarieGMoe

Billy Rios

Billy is the founder of Whitescope LLC, a startup focused on embedded device security. Billy is recognized as one of the world’s most respected experts on emerging threats related to Industrial Control Systems (ICS), Critical Infrastructure (CI), and medical devices. He discovered thousands of security vulnerabilities in hardware and software supporting ICS and critical infrastructure. Billy provided the research that led to the FDA’s first cybersecurity safety advisory and research which helped spur the FDA’s pre-market cybersecurity guidance. Billy is a contributing author to Hacking: The Next Generation, The Virtual Battlefield, and Inside Cyber Warfare. He currently holds a Master of Science in Information Systems, an MBA, and a Masters of Military Operational Arts and Science.

Jay Radcliffe



Twitter: @XSSniper

Jay Radcliffe

Jay Radcliffe (CISSP) has been working in the computer security field for over 20 years. Coming from the managed security services industry as well as the security consultation field, Jay has helped organizations of every size and vertical secure their networks and data. Jay presented ground-breaking research on security vulnerabilities in multiple medical devices and was featured on national television as an expert on medical device cybersecurity. As a Type I diabetic, Jay brings a lifetime of being a patient to helping medical facilities secure their critical data without compromising patient care. Not only is Jay a prolific public speaker, but he also works with legal firms on expert witness consultation related to IoT and cybersecurity issues. Jay holds a Master's degree in Information Security Engineering from SANS Technology Institute, as well as a Bachelor's degree in Criminal Justice/Pre-Law from Wayne State University. SC Magazine named him one of the Top Influential IT Security Thinkers in 2013.



Twitter: @JRadcliffe02


DEF CON 101 Panel Thursday at 15:00 in DC101, Paris Theatre

105 minutes

Highwiz, Nikita, Will, n00bz, Shaggy, SecBarbie, Tottenkoph

The DEF CON 101 Panel is the place to go to learn about the many facets of DEF CON and to begin your DEF CONian Adventure. The idea is to help attendees get the best experience out of DEF CON (and also tell them how to survive the weekend!). It is a way for people who have participated in making DEF CON what it is today to share those experiences and, hopefully, inspire attendees to expand their horizons. DEF CON offers so much more than just talks and the DEF CON 101 panel is the perfect place to learn about all things DEF CON so you, dear reader, can get the best experience possible. The panel will end with the time honored tradition of "Name the n00b" where lucky attendees will be brought up on stage to introduce themselves to you and earn the coveted 101 n00b handle. Don't worry if you don't make it on to the stage, you can stick around for the n00b party after the panel and get your handle then!

Highwiz

HighWiz is born of glitter and moon beams and he has all the right moves. He is the things that sweet dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people*, he set about to create an event that would give the n00bs of DEF CON a place to feel welcomed and further their own pursuit of knowledge. For years he has held onto the simple tenet that "You get out of DEF CON what you put into it". HighWiz is the fabled Man on the Mountain whom people seek to gain a taste of his forbidden knowledge. He is a rare sighting at DEF CON only to be glimpsed by those lucky few. HighWiz is a member of the DEF CON CFP Review Board and Security Tribe.



*Some (but not all) of the people HighWiz would like to thank for helping to make 101 into what it is today: Runnerup, Wiseacre, Nikita, Roamer, Shaggy, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Sethalump, AlxRogan, Jenn, Zant, MalwareUnicorn, Clutch, TheDarkTangent, Siviak, Tuna, Ripshy, Valkyrie, Suggy, Flipper and all the members of Security Tribe. Shout outs to Security Tribe, GH, QC and The LonelyHackersClub



Twitter: @HighWiz

Nikita

DEF CON, Director of Content & Coordination. Wife & Mom. Chicken Soup repairwoman. SecurityTribe. ☠🦄🌈🤓 Into: hacks 💡 snacks 🌮 shellacs 💅🏻



Twitter: @Niki7a

Will

Will was summoned to life through the trials of fire, fueled by the alcohol and excitement of DEF CON 25. He arose from those ashes of his former life into a malware making, maple syrup drinking n00b with a new attitude on life and lots of fury to share. On a path of creation and destruction, Will is on a relentless quest to conquer anyone that doubts him and maybe one day leave a mark that is just nearly as bright as the Phoenix itself.

n00bz

(or his n00bzness or el n00berino if you’re not into the whole brevity thing) pays the bills by working for a Silicon Valley company protecting the F500 doing Compliance and IT Security Globally by way of Wall Street and D&T. He grew up tying up phone lines across South Florida with his Bosun whistle. His love for all things wireless are due to his love of software defined radio and hatred of getting up to change the TV channel when the remote was lost. He has spoken at DEF CON, HackMiami (%27), DerbyCon and when advised of his right to remain silent, plead the fif!

Shaggy

Shaggy is a penetration tester by day and a renaissance man at night. He enjoys mastering new things and breaking anything put in front of him. When he is not messing around with technology he is making things with wood, performing card tricks, and seducing the masses with his warm gentle voice.

SecBarbie

Known on the dark web as “l'initiateur du parti” and “не стоит недооценивать ее”, Erin Jacobs (best known as @SecBarbie) has been attending DEF CON for over 15 years. Erin is a member of the DEF CON CFP Review Board, has DJed both DEF CON and DEF CON China, is an organizer of DC 312, and a past DEF CON speaker. Outside of DEF CON, she’s a Founding Partner at Urbane Security, an avid traveler, and a fan of great Champagne, wine, and dining. You can find more about her under @SecBarbie, or, if you’re up for the challenge, dunes hinder sniff huddle auburn meeting arsenic wizard dizzy lipstick spying enmity highway muppet woven woken puffin atlas python iris sprig mouth yellow hexagon hexagon ;)

Tottenkoph

Tottenkoph has been going to DEF CON for over 10 years and has spent the past several cons volunteering as the Workshop department lead as well as serving on the Workshop Review Board. Tottie has spoken on things from security flaws in digital billboards to drunken insights on what random episodes of Babylon 5 *really* meant. She thinks the perfect date is April 25th, overuses exclamation points in text-based comms, and is excited to have a chance to meet/speak with more new attendees!


Panel: DEF CON Groups Friday at 22:15 in Firesides Lounge

45 minutes

Brent White / B1TK1LL3R, Global Coordinator
Jayson E. Street, Ambassador
Darington, Web Master
April Wright, Welcoming Committee & Liaison
Tim Roberts (byt3boy), Volunteer
Casey Bourbonnais, Volunteer
s0ups, Social media

Do you love DEF CON? Do you hate having to wait for it all year? Well, thanks to DEF CON groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us! In this fireside chat, your DEF CON groups team who works behind the scenes to make DCG possible will invite group leaders to share how they started their groups, how they found meeting space, how they decide what content to present each meeting, and other topics. Potential new group leaders can find out how to start and run a local group, and existing group leaders and members can share and get operational ideas for running the best group possible. During the Fireside chat, we'll have the ability to keep it an open forum for questions and ideas, as well as a great opportunity to meet other groups.

Brent White / B1TK1LL3R





Twitter: @brentwdesign

Jayson E. Street





Twitter: @jaysonstreet

Darington





Twitter: @darington

April Wright





Twitter: @aprilwright

Tim Roberts (byt3boy)





Twitter: @ZanshinH4x

Casey Bourbonnais





Twitter: @Bourbonnais_c

s0ups





Twitter: @ynots0ups


Are Your Child's Records at Risk? The Current State of School Infosec Friday at 14:00 in Track 2

45 minutes

Bill Demirkapi, Independent Security Researcher

From credit reporting agencies to hotel enterprises, major data breaches happen daily. However, when was the last time we considered the data security of children and middle-level education students? The infosec community spends so much time thinking about enterprise security and user privacy, but who looks after those who can't defend themselves? Unknown to most, there are only a handful of major educational software providers, and flaws in any of them can lead to massive holes which expose the confidential information of our rising generation, this speaker included. Additionally, while many dismiss educational data as “just containing grades”, the reality is that these systems store extremely sensitive information from religious beliefs, health and vaccine-related data, to even information about parental abuse and drug use in the family.



This talk will cover never-before-seen research into the handful of prominent educational software companies, the vulnerabilities that were found, the thousands of schools and millions of students affected, and the personal fallout of such research. Vulnerabilities discussed will range from blind SQL injection to leaked credentials for the entire kingdom. If a high school student can compromise the data of over 5 million students and teachers, what can an APT do?

Bill Demirkapi

Bill is a 17-year-old high school student with an intense passion for the information security field. Bill's interests include game hacking, reverse engineering malware, and breaking things. Next year, Bill will be attending the Rochester Institute of Technology where he hopes to grow his career and knowledge in the enormous field of Cybersecurity. In his pursuit to make the world a better place, Bill constantly looks for the next big vulnerability following the motto "break anything and everything".



Twitter: https://twitter.com/BillDemirkapi

Blog: https://d4stiny.github.io


Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime Friday at 11:00 in Track 4

45 minutes | Demo, Exploit

Jeff Dileo, Research Director, NCC Group

eBPF (or "extended" Berkeley Packet Filter) is a bytecode instruction set and virtual machine used as a safe computing environment within the Linux kernel to perform arbitrary programmatic actions. It is a redesign of Linux's original in-kernel BPF bytecode VM used to power features like tcpdump filters. eBPF has an entirely different set of capabilities and instructions, with its primary goal being to serve as a JIT-able virtual machine instruction set that can be targeted by compilers of a memory-safe "restricted C" language. In the Linux kernel, it is actively being applied to anything and everything to provide performant programmatic capabilities to userland that extend traditionally kernel-based functionality.



In this exploit development focused talk, we will first introduce eBPF and discuss several nefarious techniques enabled by the technology. As we do so, we will cover the respective sets of APIs, file descriptor types, and other eBPF machinery that enable such techniques, building up from various forms of hidden IPC channels to full-fledged rootkits. Within this talk, we will walk through the implementations of the techniques we discuss so that attendees will walk away with the knowledge of how to implement their own variants. Along the way we will discuss novel container breakout techniques and interesting "dual-purpose" eBPF features that enable the development of mutative syscall hooks that work for processes already attached by a debugger. Finally, we will provide insight on how defenders should begin to attempt to detect and recover from such abuses, when possible at all.



This presentation significantly extends on work we first presented at 35C3, which focused more heavily on the underlying aspects of general eBPF-based kernel tracing. In contrast, this talk will demo new techniques and include substantially improved versions of techniques presented previously as proofs-of-concept.

Jeff Dileo

Jeff Dileo (chaosdata) is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He likes candy and arguing about text editors and window managers he doesn't actually use.



Twitter: @chaosdatumz


The Tor Censorship Arms Race: The Next Chapter Friday at 11:00 in Track 2

45 minutes | Tool

Roger Dingledine, The Tor Project

Tor is a free-software anonymizing network that helps people around the world use the Internet in safety. But who cares how good Tor's privacy is, if your government prevents you from reaching the Tor network?



In the beginning, some countries filtered torproject.org by DNS (so we made website mirrors and an email autoresponder for downloading Tor), and then some countries blocked Tor relays by IP address (so we developed bridges, which are essentially unlisted relays), and then some countries blocked Tor traffic by Deep Packet Inspection (so we developed pluggable transports to transform Tor flows into benign-looking traffic).



Then things got weird, with China's nationwide active probing infrastructure to enumerate bridges, with Amazon rolling over to Russia's threats when Telegram used "domain fronting" to get around blocking, with Turkey blocking Tor traffic by DPI in more subtle ways, with Venezuela and Ethiopia and Iran trying new tricks, and more.



In this talk I'll get you up to speed on all the ways governments have tried to block Tor, walk through our upcoming steps to stay ahead of the arms race, and give you some new—easier—ways that let you help censored users reach the internet safely.

Roger Dingledine

Roger Dingledine is president and co-founder of the Tor Project, a nonprofit that develops free and open source software to protect people from tracking, censorship, and surveillance online.



Wearing one hat, Roger works with journalists and activists on many continents to help them understand and defend against the threats they face. Wearing another, he is a lead researcher in the online anonymity field, coordinating and mentoring academic researchers working on Tor-related topics. Since 2002 he has helped organize the yearly international Privacy Enhancing Technologies Symposium (PETS).



Among his achievements, Roger was chosen by the MIT Technology Review as one of its top 35 innovators under 35, he co-authored the Tor design paper that won the Usenix Security "Test of Time" award, and he has been recognized by Foreign Policy magazine as one of its top 100 global thinkers.



Twitter: @RogerDingledine


Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks Sunday at 14:00 in Track 2

45 minutes | Demo, Tool

Brad Dixon, Security Consultant, Carve Systems

Athletes are competing in virtual cycling by riding real bikes on stationary trainers which power the in-game athletic performance. Riders train and compete online against each other. New racing teams are even competing in Union Cycliste Internationale (UCI) sanctioned events. Better at hacking than riding? Me, too. I’ll expand on the dubious achievements of prior cycling cheaters by showing how to use the open source USBQ toolkit to inspect and modify USB communications between the Zwift application and the wireless sensors that monitor and control the stationary trainer. USBQ is a Python module and application that uses standard hardware, such as the Beaglebone Black, to inspect and modify communications between USB devices and the host. You’ll ride away with a lesson on building your own customized USB man-in-the-middle hacking tool, too.

Brad Dixon

Brad once told his parents that if they gave him a Commodore 64 it would be the last computer he’d ever want. He never got that Commodore 64. Nevertheless Brad managed to become a computer nerd at a young age. Brad studied Computer Engineering at Georgia Tech and jumped into embedded software engineering. He worked for many years helping developers to design embedded Linux into telecom, network, and mobile products. Brad also took a turn as a product manager for embedded development tools and a mobile location analytics product. At Carve he hacks IoT, embedded, and Linux systems.



Github: https://github.com/rbdixon


State of DNS Rebinding - Attack & Prevention Techniques and the Singularity of Origin Saturday at 15:00 in Track 3

45 minutes | Demo, Tool

Gerald Doussot, Principal Security Consultant, NCC Group
Roger Meyer, Principal Security Consultant, NCC Group

Do you want to know how you can exploit DNS rebinding 10x faster, bypass prevention mechanisms, interactively browse the victim's internal network, and automate the whole process during your next red team exercise?



This talk will teach you how and give you an easy-to-use tool to do it.



First, we will cover in detail the subtleties that make DNS rebinding attacks more effective in practice, including techniques and operational conditions that make it faster and more reliable. We'll also explain how to bypass commonly recommended security controls, dispelling attack and defense misconceptions that have been disseminated in blogs and social media posts.



This talk will include a number of demos using Singularity, our open source DNS rebinding attack framework that includes all the parts you need to get started pwning today, including:

- Remote code execution and exfiltration payloads for common dev tools and software
- Practical scanning and automation techniques to maximize the chance of controlling targeted services

We'll also show an interesting post-exploitation technique that allows you to browse a victim browser's network environment via the attacker's browser without the use of HTTP proxies.



You'll leave this talk with the knowledge and tools to immediately start finding and exploiting DNS rebinding bugs.

Gerald Doussot

Gerald Doussot is a Principal Security Consultant at NCC Group, with over 20 years' experience in information technology. Gerald has undertaken defensive and offensive security roles, including the design, implementation and management of security solutions, software development, integration and security testing.

Roger Meyer

Roger Meyer is a Principal Security Engineer at NCC Group with extensive experience in managing and leading complex engagements. Roger specializes in web application security, network penetration testing, configuration reviews, and secure software development and architecture design.


Go NULL Yourself or: How I Learned to Start Worrying While Getting Fined for Other’s Auto Infractions Saturday at 16:30 in Track 3

20 minutes

droogie, Security Consultant at IOActive

Input sanitization issues will always exist, although it’s surprising how we’re still seeing amateur mistakes being made on everyday applications and systems used by millions. After making some observations against automatic license plate recognition (ALPR) data requested via the freedom of information act (FOIA) while having reminiscent conversations about old hacker tales, it turned on the evil bit, leading to some interesting ideas. We’ll go over this adventure of poking at systems using totally valid user-controlled data that causes unexpected behavior in the real world. It’s always a strange thing when you can “exploit” unexpected attack surface, due to poor specification, especially in government systems.

droogie

droogie is a security researcher, interested in offensive security and hacking of retro and modern video games alike. He makes a living as a security consultant at IOActive, which helps fund his degenerate passion for hardware hacking on old video game console hardware. He’s spoken at conferences like CCC and Ruxcon and helped bring Metal Gear Online back to life; he enjoys international travel to security conferences to kick it with awesome hackers.


Meet the EFF - Meetup Panel Saturday at 20:00 in Firesides Lounge

120 minutes

Kurt Opsahl, Deputy Executive Director and General Counsel, EFF
Camille Fischer, Frank Stanton Fellow, EFF
Bennett Cyphers, Staff Technologist, EFF
Nathan 'nash' Sheard, Grassroots Advocacy Organizer, EFF
Shahid Buttar, Panel Host and Director of Grassroots Advocacy, EFF

Join staffers at the Electronic Frontier Foundation—the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age—for a candid chat about how the law is racing to catch up with technological change.



Then meet representatives from Electronic Frontier Alliance allied community and campus organizations from across the country. These technologists and advocates are working within their communities to educate and empower their neighbors in the fight for data privacy and digital rights.



This discussion will include updates on current EFF issues such as the government's effort to undermine encryption (and add backdoors), the fight for network neutrality, discussion of our technology projects to spread encryption across the Web and emails, updates on cases and legislation affecting security research, and much more.



Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law, surveillance and technology issues that are important to you.

Kurt Opsahl

Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project, and is representing several companies who are challenging National Security Letters. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

Camille Fischer

Camille Fischer is a Frank Stanton Fellow working on EFF’s free speech and government transparency projects. Camille came to EFF from D.C. where she worked in the Obama White House and in the Department of Commerce advocating for civil, human rights, and due process protections in national security and law enforcement policies. She also ran projects to increase consumer security and privacy, like the move to chip cards (sorry not sorry), and has war stories about ECPA Reform, MLATs, and encryption. Camille graduated from Georgetown University Law Center and the University of Georgia (Go Dawgs). She takes pics and bakes pies.

Bennett Cyphers

Bennett is an engineer on the Tech Projects team, where he works on Privacy Badger and HTTPS Everywhere.



Before EFF, Bennett was at Access Now and MIT, and he has a Master of Engineering for work on privacy-preserving machine learning. He cares about privacy, transparency, data ownership, and digital equity. He wishes ad companies would kindly stop tracking everyone. Outside of work he has hobbies and likes fun.

Nathan 'nash' Sheard

As EFF's Grassroots Advocacy Organizer, nash works directly with community members and organizations to take advantage of the full range of tools provided by access to tech, while engaging in empowering action toward the maintenance of digital privacy and information security.

Shahid Buttar

Shahid leads EFF's grassroots, student, and community outreach efforts. He's a constitutional lawyer focused on the intersection of community organizing and policy reform as a lever to shift legal norms, with roots in communities across the country resisting mass surveillance. From 2009 to 2015, he led the Bill of Rights Defense Committee as Executive Director.



Outside of his work at EFF, Shahid also DJs and produces electronic music, writes poetry & prose, kicks rhymes, organizes guerilla poetry insurgencies, plays capoeira, speaks truth to power on Truthout, occasionally elucidates legal scholarship, and documents counter-cultural activism for the Burning Man Journal. He also serves on the Boards of Directors of Defending Rights and Dissent, the Center for Media Justice, and the Fund for Constitutional Government.

Rise of the Hypebots: Scripting Streetwear Saturday at 10:00 in Track 2

45 minutes | Demo
finalphoenix, Engineer & Hypebae

Buying Supreme is even harder when most of your competitors are AI. The era of bot purchasing has arrived and, more often than not, purchasing shoes, shirts, and swag requires shell scripting. We will look at how simplistic (and how complicated) purchasing bots have become, how to write them, what companies are trying to do to fight them, and why they’re failing at conquering the machines.

finalphoenix

finalphoenix is a full-stack engineer who has been working on the web since man invented fire gifs. She likes React, Node, and the Unix fortune command. She specializes in web security and optimization, and in the process, discovered the dangerous world of automation to help her shop.



Twitter: @finalphoenix

Reverse-Engineering 4G Hotspots for Fun, Bugs and Net Financial Loss Saturday at 15:00 in Track 2

45 minutes | Demo, Tool
g richter, Senior Researcher, Pen Test Partners LLP

“5G is coming” (apparently). That probably means, over the next few years, more and more people are going to be using more and more cellular-connected devices for their day-to-day TCP/IP activities.



The problem is, a lot of existing 4G modems and routers are pretty insecure. We found critical remotely-exploitable flaws in a selection of devices from a variety of vendors, without having to do too much work. Plus, there’s only a small pool of OEMs working seriously with cellular technologies, and their hardware (& software dependencies) can be found running in all sorts of places. Their old 4G, 3G and even 2G-era code is going to be running in these 5G-capable devices.



With a small sample of consumer 4G routers as examples, we’re going to talk about how malleable, frustrating, and insecure these devices are. We’ll run through a few examples of existing 4G routers, from low-end bargain-basement end-of-life-never-to-be-fixed to higher-end devices. root is a means to an end, rather than the goal.

g richter

g richter is the single-use pseudonym of a security researcher with a particular interest in embedded devices and cellular. He has done this kind of thing for money and fun for quite a while now, but before that, he also did other things that didn’t involve as many computers. At the moment he's doing this for money at Pen Test Partners.

We Hacked Twitter… And the World Lost Their Sh*t Over It! Saturday at 22:15 in Firesides Lounge

45 minutes
Mike Godfrey, Penetration Tester, INSINIA Security
Matthew Carr, Penetration Tester, INSINIA Security

In December 2018 INSINIA Security was involved in one of the biggest hacking stories of the year. A number of “celebrities”, including Louis Theroux, Eamon Holmes and more, logged into their Twitter accounts just after Christmas to find a Tweet, from their account, saying:



“This account has been temporarily hijacked by INSINIA SECURITY”.



The tweet immediately directed people to our blog post, and the compromised accounts retweeted INSINIA’s Tweet, saying:



“This account is now under the control of @InsiniaSRT. Luckily, this has been H4CK3D to highlight an important vulnerability. The user of this account has NOT lost access to it, no data compromised and is NOT under attack. See how it was done…”.



What we did was simple. We used spoof texts to Tweet from these accounts. We NEVER had access to these accounts. We could never read DMs. We simply passively controlled these accounts with no opportunity of getting confidential data in return.



So what did the hacking community, journalists and commentators do?! They LOST THEIR SH*T OVER IT!



“It’s unethical” “It’s a crime” “Computer Misuse Act counts for security researchers too!” “You guys are total f*cking idiots!”



These are the types of things we’d heard from our peers. But why was the backlash so bad? In this talk, INSINIA explains why it was done, how it was done, how people reacted and how research can be released quickly and responsibly… Without always getting the warm reception you might expect!

Mike Godfrey

Mike Godfrey, Director of INSINIA Security, started life as a “hacker” before he had hit his teens. He has a professional background in Electro-technical / Electro-mechanical Engineering and almost 20 years’ experience in building and breaking computers.



Mike offers a unique perspective when it comes to varied and multi-vector attacks and is regarded as one of the UK’s most capable multi-skilled Cyber Security Specialists, gaining notoriety in the Cyber Security industry for using elements of different skills, both on hard and soft surfaces, to carry out highly technical and often highly intricate electronic attacks. One of these attacks includes hacking Costco’s high security Sentry display safe with nothing more than a magnet and a sock! This research was utilised and referenced by @Plor in his talk at DEF CON 25 – “Popping a Smart Gun”. Mike has also been lucky enough to become a DEF CON speaker in 2018, one of the proudest moments of his life!



Mike works as a Cyber Security contributor for the BBC, LBC, Channel 4 and was the Ethical Hacker who discovered the TalkTalk and O2 data breach stories.



Twitter: @MikeGHacks

Matthew Carr

Matthew's previous roles include Senior Penetration Tester and Researcher at SecureLink, Europe's largest managed security services provider, and Operational Security Specialist at Ikea, overseeing worldwide Operational Security as part of a Specialist Team.



Matthew regularly speaks at industry events and lectures on offensive security at Malmö's Technology University in Sweden.



Matthew spent over 3 years as part of an R&D team building intrusion detection software, a secure cloud platform, SIEM tools and other security software. Matthew is not only a competent red teamer but also a valuable asset to any blue team.



Matthew works as a Cyber Security contributor for the Telegraph, Talk Radio and SVT.



Twitter: @sekuryti

Exploiting Qualcomm WLAN and Modem Over The Air Sunday at 11:00 in Track 3

45 minutes | Demo, Exploit
Xiling Gong, Consultant, NCC Group
Peter Pi, Senior Security Researcher of Tencent Blade Team

In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in the firmware layer, break down the isolation between WLAN and Modem and then fully control the Modem over the air.



Setting up the real-time debugger is the key. Without the debugger, it's difficult to inspect the program flow and runtime status. On the Qualcomm platform, subsystems are protected by Secure Boot and cannot be touched externally. We'll introduce the vulnerability we found in the Modem to defeat Secure Boot and elevate privilege into the Modem locally so that we can set up the live debugger for the baseband.



The Modem and WLAN firmware is quite complex and reverse engineering it is tough work. Thanks to the debugger, we finally figured out the system architecture, the components, the program flow, the data flow, and the attack surfaces of the WLAN firmware. We'll share these techniques in detail, along with the zero-days we found on the attack surfaces.



There are multiple mitigations on Qualcomm baseband, including DEP, stack protection, heap cookie, system call constraint, etc. All the details of the exploitation and mitigation bypassing techniques will be given during the presentation.



Starting from Snapdragon 835, WLAN firmware is integrated into the Modem subsystem as an isolated userspace process. We'll discuss these constraints, and then leverage the weakness we found to fully exploit into Modem.

Xiling Gong

Xiling Gong is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities in products from vendors like Google and Qualcomm. He spoke at CanSecWest 2018.



Twitter: @Gxiling

Peter Pi

Peter Pi is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities in products from vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla. He was the #1 researcher of the Google Android VRP in 2016. He has spoken at many famous security conferences such as BlackHat, CanSecWest, HITB GSEC and Hitcon.



Twitter: @tencent_blade

MOSE: Using Configuration Management for Evil Friday at 15:00 in Track 1

45 minutes | Demo, Tool
Jayson Grace, Penetration Tester, Splunk

Configuration Management (CM) tools are used to provision systems in a uniform manner. CM servers are prime targets for exploitation because they are connected with key machines. The tools themselves are powerful from a security standpoint: they allow an attacker to run commands on any and every connected system. Unfortunately, many security professionals do not have CM experience, which prevents them from using these tools effectively. MOSE empowers the user to weaponize an organization’s CM tools without having to worry about implementation-specific details.



MOSE first creates a binary based on user input. Once transferred to the CM server and run, this binary dynamically generates code that carries out the desired malicious behavior on specified systems. This behavior can include running arbitrary system commands, creating or deleting files, and introducing backdoors. MOSE puts the generated code in the proper place so that all targeted systems will run it on their next check-in with the server, removing the need for the user to integrate it manually.



CM tools are a powerful resource, but they have a barrier to entry. MOSE aims to remove this barrier and make post-exploitation more approachable by providing a tool to translate the attacker's desired task into commands executable by the CM infrastructure.

Jayson Grace

Jayson Grace is a Penetration Tester on the Product Security Team at Splunk. Previously he founded and led the Corporate Red Team at Sandia National Laboratories. He holds a BS in Computer Science from the University of New Mexico, which gave him some great knowledge and also made him fatter and added a bunch of grey hairs. He has also previously worked as a tool developer, system administrator, and DevOps engineer. Jayson is passionate about empowering engineers to create secure applications, as well as coming up with novel automation methods to break things.



Twitter: @Jayson_Grace

Website: https://techvomit.net

Behind the Scenes of the DEF CON 27 Badge Friday at 10:00 in Track 1

45 minutes | Tool
Joe Grand (Kingpin)

Incorporating natural elements, complex fabrication techniques, and components rarely seen by the outside world, the DEF CON 27 Badge brings our community together through Technology's Promise. Join DEF CON's original electronic badge designer Joe Grand on a behind-the-scenes journey of this year's development process and the challenges, risks, and adventures he faced along the way.

Joe Grand (Kingpin)

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, DEF CON badge designer (14, 15, 16, 17, 18, China 1, 27), teacher, advisor, runner, daddy, honorary doctor, TV host, member of legendary hacker group L0pht Heavy Industries, and the proprietor of Grand Idea Studio (grandideastudio.com).



Twitter: @joegrand

Website: http://www.grandideastudio.com

Unpacking Pkgs: A Look Inside macOS Installer Packages And Common Security Flaws Saturday at 16:30 in Track 1

20 minutes | Demo
Andy Grant, Technical Vice President, NCC Group

We are hackers, we won't do as you expect or play by your rules, and we certainly don't trust you. JAR files are really ZIPs...unzip them! So are Microsoft's DOCX, XLSX, PPTX, etc. Let's open them up! macOS applications (.app "files") are really directories you can browse?! Sweet, let's do that.



Less well known but similarly prevalent are Flat Package Mac OS X Installer (.pkg) files. These are actually XAR archives that, among other things, contain many plaintext files (including shell, Perl, and Python scripts) as cpio files compressed using gzip.



In this presentation I'll walk you through extracting the contents of these installer packages, understanding their structure, and seeing how they work while highlighting where security issues can come up. To drive the point home of what can go wrong, I'll include examples of serious security issues I've seen in the wild and show you how they can be exploited to elevate privileges and gain code/command execution.



After this talk, .pkg files will no longer be opaque blobs to you. You'll walk away knowing tools and techniques to tear them open, understand how to evaluate what they're really doing on your computer, and a methodology for finding bugs in them. As a final bonus, I'll include a subtle trick or two that can be used on red teams.

Andy Grant

Andy Grant is a Technical Vice President for NCC Group. While at NCC Group, Andy has worked on a wide variety of security assessment and advisory projects. He has performed numerous application assessments on mobile (Android, iOS, WP7), desktop (OS X/macOS, Windows, Linux), and web platforms. He has also performed many internal and external network penetration tests and widget/third-party platform reviews. Andy has worked with small tech start-ups, small and large software development groups, and large financial institutions. Andy has a BS in Computer Science and an Advanced Computer Security Certificate from Stanford University.



Twitter: @andywgrant

Duplicating Restricted Mechanical Keys Friday at 10:00 in Track 4

45 minutes | Exploit
Bill Graydon, President and Principal, Physical Security Analytics
Robert Graydon, Principal, GGR Security

Secure facilities in North America use lock systems like Medeco, Abloy, Assa and Mul-T-Lock partly to resist lock picking, but also to prevent the duplication and creation of unauthorised keys. Places such as the White House and the Canadian Parliament buildings go so far as to use a key profile exclusive to that facility to ensure that no-one is able to obtain key blanks on which to make a copy. However, there are tens of thousands of unrestricted key blank profiles in existence - many match very closely to these restricted key blanks, and can be used instead of the real blanks to cut keys on. Moreover, keys are just pieces of metal - we will present numerous practical techniques to create restricted keys without authorisation - including new attacks on Medeco, Mul-T-Lock and Abloy key control systems. We will touch on all aspects of key control, including patents and interactive elements, and discuss how to defeat them and how facility managers can fight back against these attacks.

Bill Graydon

Bill Graydon is a principal at GGR Security Consultants, and is active in research in electronic surveillance and alarm systems, human psychology in a secure environment and locking systems analysis. He received a Masters in computer engineering and a certificate in forensic engineering from the University of Toronto, applying this at GGR to develop rigorous computational frameworks to model and improve security in the physical world.



Website: https://ggrsecurity.com/DEFCON

Robert Graydon

Robert is a principal at GGR Security. With a strong interest driving him forward, he is researching lock manipulation, picking, bypass, and other vulnerabilities, to discover and evaluate possible flaws or methods of attack. He has well-honed skills such as lock picking, decoding, locksmithing, as well as a thorough understanding of the mechanics and function of many types of high security locks, and electronic security systems and components, allowing him to effectively search for and test methods of cracking high security systems.

SELECT code_execution FROM * USING SQLite;—Gaining code execution using a malicious SQLite database Saturday at 14:00 in Track 1

45 minutes | Demo, Tool, Exploit
Omer Gull, Security Researcher at Check Point Software Technologies

Everyone knows that databases are the crown jewels from a hacker's point of view, but what if you could use a database as the hacking tool itself? We discovered that simply querying a malicious SQLite database can lead to Remote Code Execution. We used undocumented SQLite3 behavior and memory corruption vulnerabilities to take advantage of the assumption that querying a database is safe.



How? We created a rogue SQLite database that exploits the software used to open it. Exploring only a few of the possibilities this presents, we’ll pwn password stealer backends while they parse credentials files and achieve iOS persistency by replacing its Contacts database…



The landscape is endless (Hint: Did someone say Windows 10 0-day?). This is extremely terrifying since SQLite3 is now practically built-in to any modern system.



In our talk we also discuss the SQLite internals and our novel approach for abusing them. We had to invent our own ROP chain technique using nothing but SQL CREATE statements. We used JOIN statements for Heap Spray and SELECT subqueries for x64 pointer unpacking and arithmetic. It's a new world of using the familiar Structured Query Language for exploitation primitives, laying the foundations for a generic leverage of memory corruption issues in database engines.

Omer Gull

Omer Gull is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies.



Omer has a diverse background in security research that includes web application penetration testing, RE and exploitation.



He loves Rum, Old School Hip-Hop and Memory Corruptions.



Twitter: @GullOmer

Next Generation Process Emulation with Binee Saturday at 14:00 in Track 4

45 minutes | Demo, Tool
Kyle Gwinnup, Senior Threat Researcher, Carbon Black
John Holowczak, Threat Researcher

The capability to emulate x86 and other architectures has been around for some time. Malware analysts have several tools readily available in the public domain. However, most of the tools stop short of full emulation, halting or doing strange things when emulating library functions or system calls not implemented in the emulator. In this talk we introduce a new tool into the public domain, Binee, a Windows Process emulator. Binee creates a nearly identical Windows process memory model inside the emulator, including all dynamically loaded libraries and other Windows process structures. Binee mimics much of the OS kernel and outputs a detailed description of all function calls with human readable parameters through the duration of the process. We've designed Binee with two primary use cases in mind: first, data extraction at scale with a cost and speed similar to common static analysis tools, and second, for malware analysts that need a custom operating system and framework without the overhead of spinning up various configurations of virtual machines. Currently Binee can run on Windows, OS X, and Linux.

Kyle Gwinnup

Kyle is a Senior Threat Researcher in Carbon Black's TAU team. He has over 10 years of experience in many areas of computer science and IT. Prior to Carbon Black, Kyle worked in finance and with the DoD in various roles ranging from network/systems administrator, software engineer, reverse engineer, penetration tester and offensive tool developer. At Carbon Black, Kyle's focus is on large scale program analysis, primarily static but moving asymptotically toward dynamic analysis.



Twitter: @switchp0rt

John Holowczak

John is a Threat Researcher on Carbon Black's Threat Analysis Unit, focusing on automation of threat detection and building out infrastructure for large scale malware analysis. Within the field of threat detection and analysis, John specializes his research in binary classification, dynamic analysis and reverse engineering.



Twitter: @skipwich

Hacking Congress: The Enemy Of My Enemy Is My Friend Friday at 10:00 in Track 2

45 minutes
Former Rep. Jane Harman, President, The Wilson Center, Former Rep. (D-CA), aka Surfer Jane
Rep. James Langevin (D-RI)
Jen Ellis, Director of Public Affairs, Rapid 7
Cris Thomas, Director, X-Force Red Team, IBM, aka Space Rogue
Rep. Ted Lieu (D-CA)

A SIMULATED crisis is unfolding on a national scale, based loosely on the NotPetya attack of 2017. Triggered by a yet-unknown adversary, what started as an isolated technical issue has quickly escalated into a society-wide event affecting millions of citizens, several industries, and spanning government jurisdictions. Who is in charge, how do they cooperate with others, and how do they make decisions? The Wilson Center, Hewlett Foundation and I Am The Cavalry are teaming up to bring public policymakers together with security researchers and others to discover how our nation might respond to a wide-scale “cyber crisis”. Work in tandem with sitting Members of Congress to understand what levers of power Congress wields and how Members can address policy gaps in the future.

Former Rep. Jane Harman

The Hon. Jane Harman is President of the Wilson Center, a think tank in Washington, DC. She is a former nine-term Member of Congress who served on all the major security committees and represented an aerospace and technology hub in Southern California.



Twitter: @thewilsoncenter

Website: https://www.wilsoncenter.org/person/jane-harman

Rep. James Langevin

The Hon. Jim Langevin represents Rhode Island's 2nd Congressional district. He is Chairman of the Emerging Threats and Capabilities Subcommittee and a senior member of the Cybersecurity and Infrastructure Protection Subcommittee. Rep. Langevin is a member of the House Majority Whip Steny Hoyer's Senior Whip Team, and is responsible for educating other Democratic Members on key issues.



Twitter: @jimlangevin

Website: https://langevin.house.gov/about-me/full-biography

Jen Ellis

Jen Ellis is the Vice President of Community and Public Affairs at Rapid7. She works directly with security researchers, technology providers and operators, and government entities to help them understand and address cybersecurity challenges together.



Twitter: @infosecjen

Website: https://blog.rapid7.com/author/jen-ellis/

Cris Thomas

Cris Thomas works for IBM X-Force Red, and before that worked at Guardent, Trustwave, Tenable and others. Cris created the first security research think tank L0pht Heavy Industries and the video news show The Hacker News Network.



Twitter: @spacerog

Website: https://securityintelligence.com/author/cris-thomas/

Rep. Ted Lieu

The Hon. Ted Lieu represents California’s 33rd Congressional district. Now in his third term in Congress, Rep. Lieu currently sits on the House Judiciary Committee and House Foreign Affairs Committee. He also serves as Co-Chair of the Democratic Policy and Communications Committee and has emerged as a leader in cybersecurity in Congress.



Twitter: @RepTedLieu

Website: https://lieu.house.gov/about/full-biography

Don't Red-Team AI Like a Chump Friday at 11:00 in Track 1

45 minutes | Demo, Tool
Ariel Herbert-Voss, PhD student, Harvard University

AI needs no introduction as one of the most overhyped technical fields in the last decade. The subsequent hysteria around building AI-based systems has also made them a tasty target for folks looking to cause major mischief. However, most of the popular proposed attacks specifically targeting AI systems focus on the algorithm rather than the system in which the algorithm is deployed. We’ll begin by talking about why this threat model doesn’t hold up in realistic scenarios, using facial detection and self-driving cars as primary examples. We will also learn how to more effectively red-team AI systems by considering the data processing pipeline as the primary target.

Ariel Herbert-Voss

Ariel Herbert-Voss is a PhD student at Harvard University, where she specializes in adversarial machine learning, cybersecurity, mathematical optimization, and dumb internet memes. She is an affiliate researcher at the MIT Media Lab and at the Vector Institute for Artificial Intelligence. She is a co-founder and co-organizer of the DEF CON AI Village, and loves all things to do with malicious uses and abuses of AI.



Twitter: @adversariel

I'm on your phone, listening - Attacking VoIP Configuration Interfaces Saturday at 14:00 in Track 2

45 minutes | Demo, Tool, Exploit
Stephan Huber, Fraunhofer SIT
Philipp Roskosch

If toasters talking to fridges is no joke to you, then you are aware of the big Internet of Things hype these days. While all kinds of devices get connected and hacked, one of the oldest classes of IoT devices seems to be forgotten even though it is literally everywhere - VoIP phones.



For configuration and management purposes, VoIP phones run a web application locally on the device. We found several critical bugs (reported CVEs) in the web application as well as in the webserver which enabled us to hijack the phones. Starting with simple XSS and CSRF issues, via command injections and memory corruptions right through to remote code executions, all popular vulnerability classes can be found on those devices.



We will present our findings together with the tools and strategies we used, and will enable you to do the same with your own phones and other IoT devices.



Further, we will provide helpful ARM shell code patterns, scripts and tricks which hackers can use to find bugs. We will conclude our talk by showing that automatic tools fail to discover such vulnerabilities. Therefore, manual IoT pentesting is still required.



If you think these management interfaces are not exposed to the internet, you are wrong. In a scan, we found thousands of reachable phones vulnerable to our exploits.

Stephan Huber

Stephan is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and IoT devices. He develops new static and dynamic analysis techniques for app security evaluation. He has found different vulnerabilities in well-known Android applications and the AOSP. He has delivered talks at conferences including DEF CON, HITB, AppSec and Virus Bulletin. In his spare time he enjoys teaching students Android hacking techniques.



Twitter: @teamsik

Website: www.team-sik.org

Philipp Roskosch

Philipp is a security researcher of the department Secure Software Engineering at Fraunhofer SIT (Germany). His research interests center on static and dynamic security analysis in the area of mobile apps and IoT devices. Besides research, he is a penetration tester in the same field. In his spare time, he enjoys hacking as a member of TeamSIK.

Weaponizing Hypervisors to Fight and Beat Car and Medical Device Attacks Saturday at 10:00 in Track 1

45 minutes | Demo, Tool
Ali Islam, CEO, Numen Inc.
Dan Regalado (DanuX), CTO, Numen Inc

Historically, hypervisors have existed in the cloud for efficient utilization of resources, space, and money. The isolation feature is one of the reasons hypervisors are heavily moving to other ecosystems, like Automobiles, so that for example, if an Infotainment crashes, it does not affect other sensitive ECUs like ADAS. Blackberry QNX and AGL announced the use of hypervisors in their deployments on Cars.



The trend is real, but there is a big challenge! Most of the systems in Cars and Medical devices run on ARM, plus, protection at the hypervisor level is still limited. So, is it possible to have a framework that runs at the hypervisor level, is able to monitor at the OS level and, most importantly, is capable of identifying and killing threats coming into the monitored devices?



During this talk we will walk you through the steps needed to set up a framework running on a Xilinx ZCU102 board, able to monitor ARM-based devices and to kill the malicious threats identified. We will also discuss challenges in syscall monitoring, single-stepping limitations, techniques to stay stealthy, techniques to detect and kill traditional malware seen in the enterprise like Ransomware and Heap Exploits, capabilities against VM Escape attacks, and the feasibility of detecting Spectre-like exploits.

Ali Islam

Ali Islam Khan is the Chief Executive Officer (CEO) and Co-Founder of Numen Inc. He is also an avid C programmer and has developed the core set of Numen’s Virtual Machine Introspection (VMI) capabilities. Before quitting his job to work full time on Numen, Ali was Director R&D at FireEye where he was leading the R&D efforts for FireEye’s flagship email and network products. He is the founding member of FireEye Labs where he invented & developed some of the key detection technologies used in FireEye products today. Ali has multiple patents to his name and has over 13 years’ experience in a wide range of cyber security disciplines, including cryptography, malware analysis, cyber-espionage and product development. He has successfully created and led global teams from scratch. Ali has spoken at conferences such as RSA and worked with various government agencies such as DHS, KISA on intelligence sharing efforts to counter nation-state level threats.



Khan holds an MBA from UC Berkeley and a Master’s degree in network security from Monash University, Australia. He is an AUSAID scholar and the recipient of the prestigious Golden Key Award.



Twitter: @Ali_Islam_Khan

LinkedIn: https://www.linkedin.com/in/aliislam/

Dan Regalado (DanuX)

Daniel Regalado, aka DanuX, is the CTO and Co-Founder of Numen Inc. He is a Mexican security researcher with more than 17 years in the scene. He has worked reversing malware and exploits at the Symantec Security Response Team and FireEye Labs, and lately has focused on IoT threats at Zingbox. He is credited with the discovery of most of the ATM malware worldwide. He is a co-author of the well-known book Gray Hat Hacking, and he likes to present his discoveries at major security conferences such as RECon, RSA, the DEF CON IoT and Car Hacking villages, and BSides.



Twitter: @danuxx

LinkedIn: https://www.linkedin.com/in/daniel-regalado-200aa414/


Say Cheese - How I Ransomwared Your DSLR Camera Sunday at 11:00 in Track 4

45 minutes | Demo, Exploit
Eyal Itkin, Vulnerability Researcher at Check Point Software Technologies

It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical, right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are encrypted, and the camera is locked. How could that happen?

In this talk, we show a live demo of this exact scenario. Join us as we take a deep dive into the world of the Picture Transfer Protocol (PTP). The same protocol that allows you to control your camera from your phone or computer can also enable any attacker to do that and more. We will describe in detail how we found multiple vulnerabilities in the protocol and how we exploited them remotely(!) to take over this embedded device.

But it doesn't end here. While digging into our camera, we found a reliable way to take over most DSLR cameras without exploiting any vulnerability at all. We simply had to ask our camera to do that for us, and it worked.



This is the first vulnerability research on the Picture Transfer Protocol, a vendor-agnostic logical layer that is common to all modern-day cameras. As DSLR cameras are used by consumers and journalists alike, this opens the door for future research on these sensitive embedded devices.

Eyal Itkin

Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research that includes years of experience with embedded network devices and protocols, bug bounties from all popular interpreted languages, and an award from Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.



Twitter: @EyalItkin


Meticulously Modern Mobile Manipulations Saturday at 11:00 in Track 4

45 minutes | Demo
Leon Jacobs, Researcher, SensePost

Mobile app hacking peaked in 2015 with tools like keychain