Saturday at 15:00 - 17:00 in Capri Room

Lounge Format

Ever wondered if there was such thing as a “hacker-friendly” member of Congress? We found some and convinced them to come to DEF CON so you can meet them too! In this first-of-its-kind DEF CON session, two of the most hacker-friendly Congress critters will join DEF CON for an engaging and interactive session with the security research community.



Join the Atlantic Council’s Cyber Statecraft Initiative for a candid discussion with Representatives Will Hurd (R-TX) and James Langevin (D-RI). The two Congressmen will share their thoughts on the latest developments in cybersecurity policymaking on the Hill and provide a unique opportunity for the audience to ask questions, exchange ideas, and maybe even answer some of the Congressmen’s questions.

Rep. Will Hurd (R-TX)

Rep. Hurd was born and raised in San Antonio, Texas. He attended John Marshall High School and Texas A&M University, where he majored in Computer Science and served as Student Body President.



After college, Will served as an undercover officer in the CIA in the Middle East and South Asia for nearly a decade, collecting intelligence that influenced the National Security agenda. Upon leaving the CIA, he became a Senior Advisor with a cybersecurity firm, covering a wide range of complex challenges faced by manufacturers, financial institutions, retailers, and critical infrastructure owners. He was also a partner with a strategic advisory firm helping businesses expand into international markets.



In 2015, Will was elected to the 114th Congress and currently serves on the Committee of Oversight and Government Reform and chairs the Information Technology Subcommittee. He also sits on the Committee on Homeland Security and is the Vice Chair of the Border and Maritime Security Subcommittee. In 2017, Will was appointed by Speaker Ryan to serve on the House Permanent Select Intelligence Committee, to replace Representative Mike Pompeo upon his confirmation as Director of the CIA.

Rep. James Langevin (D-RI)

Rep. Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives.



In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government” and took on the challenge of reforming Rhode Island’s outdated election system. Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,” which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.



In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.



Langevin graduated from Rhode Island College and earned a Master's Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island.


DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd

Sunday at 15:00 in 101 Track

Representative James Langevin (D-RI)

Representative Will Hurd (R-TX)

Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center

The past year has seen major disruptions at the intersection of security and society. “Cybersecurity” has been thrust into the public consciousness frighteningly widely and quickly. Issues of public policy impact our colleagues and our community, beyond the technology layer. Some in the public policy community are actively encouraging our community to engage, recognizing the need for a technically literate voice of reason from the security research community. DEF CON is proud to host two members of Congress, who braved their way from DC to DEF CON as ambassadors from their community to ours.



Joshua Corman will engage Rep. Jim Langevin (D-RI) and Rep. Will Hurd (R-TX), in a candid, on-the-record “fireside chat” style conversation. DEF CON attendees will hear their perspectives on the state of cyber policy and what can be done to improve technical literacy in the dialogs. The members will also reflect on their experience at DEF CON, hanging out with hackers, and how they can make their voice known in the public policy conversation.

Rep. Will Hurd (R-TX)

Rep. Hurd was born and raised in San Antonio, Texas. He attended John Marshall High School and Texas A&M University, where he majored in Computer Science and served as Student Body President.



After college, Will served as an undercover officer in the CIA in the Middle East and South Asia for nearly a decade, collecting intelligence that influenced the National Security agenda. Upon leaving the CIA, he became a Senior Advisor with a cybersecurity firm, covering a wide range of complex challenges faced by manufacturers, financial institutions, retailers, and critical infrastructure owners. He was also a partner with a strategic advisory firm helping businesses expand into international markets.



In 2015, Will was elected to the 114th Congress and currently serves on the Committee of Oversight and Government Reform and chairs the Information Technology Subcommittee. He also sits on the Committee on Homeland Security and is the Vice Chair of the Border and Maritime Security Subcommittee. In 2017, Will was appointed by Speaker Ryan to serve on the House Permanent Select Intelligence Committee, to replace Representative Mike Pompeo upon his confirmation as Director of the CIA.

Rep. James Langevin (D-RI)

Rep. Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives.



In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government” and took on the challenge of reforming Rhode Island’s outdated election system. Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,” which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.



In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.



Langevin graduated from Rhode Island College and earned a Master's Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island.

Joshua Corman



Joshua Corman is the director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center and a founder of I am The Cavalry (dot org). Corman previously served as CTO for Sonatype, director of security intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as adjunct faculty for Carnegie Mellon's Heinz College and on the 2016 HHS Cybersecurity Task Force.


The spear to break the security wall of S7CommPlus

Saturday at 10:00 in Track 4

20 minutes | Exploit

Cheng, ICS Security Researcher, NSFOCUS

Zhang Yunhai, Security researcher of NSFOCUS Security Team

In the past few years, attacks against industrial control systems (ICS) have increased year over year. Stuxnet in 2010 exploited the insecurity of the S7Comm protocol, the communication protocol used between Siemens Simatic S7 PLCs, to cause serious damage in nuclear power facilities. After the exposure of Stuxnet, Siemens implemented some security reinforcements in the S7Comm protocol. The current S7CommPlus protocol, which implements encryption, has been used in S7-1200 V4.0 and above, as well as S7-1500, to prevent attackers from controlling and damaging the PLC devices.

Is the current S7CommPlus a real high security protocol? This talk will demonstrate a spear that can break the security wall of the S7CommPlus protocol. First, we use software like Wireshark to analyze the communications between the Siemens TIA Portal and PLC devices. Then, using reverse debugging software like WinDbg and IDA we can break the encryption in the S7CommPlus protocol. Finally, we write a MFC program which can control the start and the stop of the PLC, as well as value changes of PLC's digital and analog inputs & outputs.

Based on the research above, we present two security proposals at both the code level and the protocol level to improve the security of Siemens PLC devices.

Cheng

Cheng Lei is an Industrial Control System Security researcher at NSFOCUS. His interest is mainly in PLC and DCS vulnerability exploitation and security enhancement. Over the years he has released three Siemens CVE vulnerabilities.

Zhang Yunhai

Zhang Yunhai is a security researcher of the NSFOCUS Security Team, working on computer security for more than a decade. He has spoken at security conferences such as Black Hat and BlueHat. He has won the Microsoft Mitigation Bypass Bounty 4 years in a row since 2014.


Uncovering useful and embarrassing info with Maltego

Standby Speakers

45 minutes | Demo

Andrew MacPherson, Ops/Dev - Paterva

The talk has two sections - useful and embarrassing.



In the 'useful' section of this fun-filled talk we show how we combine the power of Maltego and Shodan to hunt for ICS devices on the Internet. We tackle the difficult problem of finding the function, owners and locations of these devices using OSINT and Maltego. The result is a one-click sequence of transforms that makes finding interesting ICS devices child's play. In the 'embarrassing' section we look at how network footprinting (which we've refined to an art in Maltego) becomes useful for identifying and profiling people whose job description involves lots of lies and who probably do not want to be associated with the data that's out there on them.

Andrew MacPherson

Andrew Macpherson is the operations manager at Paterva. With a degree in Information Science and an uncanny knowledge of cat memes he successfully 0day'd at Paterva in 2007. With a decade of graphing, arguing and tea making he has proved to be a valuable asset at the company. Aside from Maltego'ing everything that looks like a nail he also has a keen interest in hardware and security.



@paterva

@andrewmohawk


Controlling IoT devices with crafted radio signals

Friday at 13:00 in 101 Track

45 minutes | Demo, Tool

Caleb Madrigal, Hacker, FireEye/Mandiant

In this talk, we'll be exploring how wireless communication works. We'll capture digital data live (with Software-Defined Radio), and see how the actual bits are transmitted. From here, we'll see how to view, listen to, manipulate, and replay wireless signals. We'll also look at interrupting wireless communication, and finally, we'll even generate new radio waves from scratch (which can be useful for fuzzing and brute force attacks). I'll also be demoing some brand new tools I've written to help in the interception, manipulation, and generation of digital wireless signals with SDR.

Caleb Madrigal

Caleb Madrigal is a programmer who enjoys hacking and mathing. He is currently working as a senior software engineer on Incident Response software at Mandiant/FireEye. Most of his recent work has been in Python, Jupyter, Javascript, and C. Caleb has been into security for a while... in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of "informal pen testing". Recently, Caleb has been playing around with SDR, IoT hacking, packet crafting, and a good bit of math/probability/AI/ML.



@caleb_madrigal, calebmadrigal.com


Real-time RFID Cloning in the Field

Thursday at 15:00 in 101 Track 2

20 minutes | Demo, Tool, Audience Participation

Dennis Maldonado, Adversarial Engineer - LARES Consulting

Ever been on a job that required you to clone live RFID credentials? There are many different solutions to cloning RFID in the field and they all work fine, but the process can be slow, tedious, and error prone. What if there was a new way of cloning badges that solved these problems? In this presentation, we will discuss a smarter way of cloning RFID in the field that is vastly more efficient, useful, and just plain cool. We will go over the current tools and methods for long-range RFID cloning, then discuss and demonstrate a new method that will allow you to clone RFID credentials in the field in just seconds, changing the way you perform red team engagements forever.

Dennis Maldonado

Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, red teaming, and security research. Dennis' focus is encompassing all forms of information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis co-founded Houston Locksport in Houston, Texas, where he shares his love for lock-picking and physical security, as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area. Dennis is also a returning speaker to DEF CON, having spoken at DEF CON 23 and DEF CON 24.



@DennisMald


Twenty Years of MMORPG Hacking: Better Graphics, Same Exploits

Saturday at 13:00 in Track 3

45 minutes | Demo, Exploit

Manfred (@_EBFE), Security Analyst at Independent Security Evaluators

In theme with this year's DEF CON, this presentation goes through a 20 year history of exploiting massively multiplayer online role-playing games (MMORPGs). The presentation technically analyzes some of the virtual economy-devastating, low-hanging-fruit exploits that are common in nearly every MMORPG released to date. The presenter, Manfred (@_EBFE), goes over his adventures in hacking online games starting with 1997's Ultima Online and subsequent games such as Dark Age of Camelot, Anarchy Online, Asheron's Call 2, ShadowBane, Lineage II, Final Fantasy XI/XIV, World of Warcraft, plus some more recent titles such as Guild Wars 2 and Elder Scrolls Online and many more!



The presentation briefly covers the exploit development versus exploit detection/prevention arms race and its current state. Detailed packet analysis and inference on what the code looks like server side in order for some of the exploits to be possible is presented.



This presentation includes a live demonstration of at least one unreleased exploit to create mass amounts of virtual currency in a recent and popular MMORPG.

Manfred (@_EBFE)

Manfred (@_EBFE) has been reverse engineering and exploiting MMORPGs for 20 years. During that time, he ran a successful business based solely on exploiting online games in order to supply virtual goods to retailers. He has reverse engineered communication protocols for over 22 well known and popular MMORPGs and in certain cases circumvented anti tampering and software/hardware fingerprinting countermeasures. Manfred is currently a security researcher and analyst at Independent Security Evaluators (@ISEsecurity).



@_EBFE


Malicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs

Sunday at 13:00 in Track 3

45 minutes | Art of Defense

Thomas Mathew, OpenDNS (Cisco)

Dhia Mahjoub, Head of Security Research, Cisco Umbrella (OpenDNS)

Prior research detailing the relationship between malware, bulletproof hosting, and SSL gave researchers methods to investigate SSL data only if given a set of seed domains. We present a novel statistical technique that allows us to discover botnet and bulletproof hosting IP space by examining SSL distribution patterns from open source data while working with limited or no seed information. This work can be accomplished using open source datasets and data tools.



SSL data obtained from scanning the entire IPv4 namespace can be represented as a series of 4-million-node bipartite graphs in which a common name is connected to an IP, CIDR or ASN via an edge. We use the concept of relative entropy to create a pairwise distance metric between any two common names and any two ASNs. The metric allows us to generalize the concept of regular and anomalous SSL distribution patterns.



Relative entropy is useful in identifying domains that have anomalous network structures. The domains we found in this case were related to the Zbot proxy network. The Zbot proxy network has a structure similar to popular CDNs like Akamai, Google, etc., but instead relies on compromised devices to relay its data. By layering these SSL signals with passive DNS data we create a pipeline that can extract Zbot domains with high accuracy.

Thomas Mathew

Thomas Mathew is a Security Researcher at OpenDNS (now part of Cisco), where he works on implementing pattern recognition algorithms to classify malware and botnets. His main interest lies in using various time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz and the US Naval Postgraduate School, and a Product and Test Engineer at the handsfree streaming video camera company Looxcie, Inc. He has presented at ISOI APT, BruCon, FloCon and Kaspersky SAS.

Dhia Mahjoub

Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a PhD in graph algorithms applied on Wireless Sensor Networks problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, BotConf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC, and Les Assises de la sécurité.


Trojan-tolerant Hardware & Supply Chain Security in Practice

Saturday at 14:00 in Track 2

45 minutes | Art of Defense, Demo, Tool

Vasilios Mavroudis, Doctoral Researcher, University College London

Dan Cvrcek, Co-founder, Enigma Bridge Ltd

The current consensus within the security industry is that high-assurance systems cannot tolerate the presence of compromised hardware components. In this talk, we challenge this perception and demonstrate how trusted, high-assurance hardware can be built from untrusted and potentially malicious components.



The majority of IC vendors outsource the fabrication of their designs to facilities overseas, and rely on post-fabrication tests to weed out deficient chips. However, such tests are not effective against: 1) subtle unintentional errors (e.g., malfunctioning RNGs) and 2) malicious circuitry (e.g., stealthy Hardware Trojans). Such errors are very hard to detect and require constant upgrades of expensive forensics equipment, which contradicts the motives of fabrication outsourcing.



In this session, we introduce a high-level architecture that can tolerate multiple malicious hardware components, and outline a new approach to hardware-compromise risk management. We first demo our backdoor-tolerant Hardware Security Module built from low-cost commercial off-the-shelf components, benchmark its performance, and delve into its internals. We then explain the importance of "component diversification" and "non-overlapping supply chains", and finally discuss how "mutual distrust" can be exploited to further reduce the capabilities of the adversaries.

Vasilios Mavroudis

Vasilios Mavroudis is a doctoral researcher in the Information Security Group at University College London. He studies security and privacy aspects of digital ecosystems, with a focus on emerging technologies and previously unknown attack vectors.



He is currently working on high-assurance cryptographic hardware. In cooperation with industrial partners, he has recently prototyped a high-assurance hardware architecture that maintains its security properties even in the presence of malicious hardware components.



Past works include his recent publication on the ultrasound tracking ecosystem which received wide-spread attention and is considered the seminal work on that ecosystem, and auditing tools for the Public Key Infrastructure of Deutsche Bank. Moreover, he has participated in an international consortium studying large-scale security threats in telecommunication networks, and cooperated with UC Santa Barbara in several projects, including a detection system for evasive web-malware.



Vasilios holds an Information Security MSc from UCL, and a BSc in Computer Science from the University of Macedonia, Greece.

Dan Cvrcek

Dan Cvrcek is a security architect and engineer learning how to run his start-up, Enigma Bridge. He has extensive experience with large banking systems, from operational procedures to system architectures: Swift, card payment processing, UK Faster Payments, large key management systems. His hardware encounters include smart cards, custom and embedded systems, and hardware security modules, from design, testing and defences to attacks. He reverse-engineered a hidden API of Chrysalis-ITS crypto modules (now SafeNet) with Mike Bond, Steven Murdoch and others. Dan got his university degrees (PhD and Associate Prof.) from Brno University of Technology, and had fun as a post-doc at the University of Cambridge (2003-2004, 2007-2008), at Deloitte London (2008-2009), in start-ups, and as a freelance security consultant (2010-2016) - clients include Barclays and Deutsche Bank - before co-founding Enigma Bridge in 2015.



@dancvrcek

Contributor Acknowledgement:

The Speakers would like to acknowledge the following for their contribution to the presentation.



George Danezis, Professor (University College London)

Petr Svenda, Security Researcher (Masaryk University)


Where are the SDN Security Talks?

Thursday at 10:00 in 101 Track 2

45 minutes | Demo, Tool

Jon Medina, Protiviti

Software Defined Networking is no longer a fledgling technology. Google, Amazon, Facebook, and Verizon all rely on the scalability, programmability, flexibility, availability, and yes, security provided by SDN. So why has there only ever been one DEF CON speaker presenting on SDN and security?



This talk will provide a brief introduction to SDN and security, demonstrate ways of compromising and securing a Software Defined Network, and illustrate new ways of using the power of open source SDN coupled with machine learning to maintain self-defending networks.

Jon Medina

Jon Medina (@ackSec) is a security nerd who has worked in networking and security capacities for everything from the Department of Defense, to the Fortune 500, to state and local government. He currently works for Protiviti providing security consulting for a wide variety of clients and industries. His interests outside of work include traveling, hockey, strange beers, and his bulldog. He's spoken at Shmoocon, BSides, and many other security events and conferences.



@ackSec


Exploiting 0ld Mag-stripe information with New technology

Thursday at 15:20 in 101 Track 2

20 minutes | Demo, Tool, Exploit

Salvador Mendoza, Hacker

A massive attack against old magnetic stripe information could be executed with precision by implementing new technology. In the past, a malicious individual could spoof magstripe data, but only in a slow and difficult way. Brute force attacks were also tedious and time-consuming. Today, technology like Bluetooth could be used to mount a persistent attack on multiple magnetic card readers at the same time with audio spoofing.



Private companies, banks, trains, subways, hotels, schools and many other services are still using magstripe information, even to make monetary transactions, authorize access or generate "new" protocols like MST (Magnetic Secure Transmission). For decades the exploitation of magstripe information was an acceptable risk for many companies, because achieving massive simultaneous attacks was not feasible. But today it is different.



Transmitting magstripe information in audio files is the fastest and easiest way to make a cross-platform magstripe spoofer. But how could an attacker transmit the audio spoof information to many magnetic card readers at the same time? In this talk, we will discuss how an attacker could send specific data to, or jam, credit card terminals, PoS or any card reader. We will also discuss, as examples, how this could be used to generate brute force attacks against hotel door locks or tokenization processes.

Salvador Mendoza

Salvador Mendoza is a security researcher focusing on tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON, DerbyCon, Ekoparty, BugCON and Troopers. Salvador designed different tools to pentest mag-stripe and tokenization processes. His toolset includes MagSpoofPI, JamSpay, TokenGet and lately SamyKam.



@Netxing

Blog: salmg.net


"Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC

Friday at 16:00 in Track 4

45 minutes

Whitney Merrill, Privacy, eCommerce & Consumer Protection Counsel, Electronic Arts

Terrell McSweeny, Commissioner, Federal Trade Commission

The Federal Trade Commission is a law enforcement agency tasked with protecting consumers from unfair and deceptive practices. Protecting consumers on the Internet and from bad tech is nothing new for the FTC. We will take a look back at what the FTC was doing when DEF CON first began in 1993, and what we've been doing since. We will discuss enforcement actions involving modem hijacking, FUD advertising, identity theft, and even introduce you to Dewie the e-Turtle. Looking forward, we will talk about the FTC's future protecting consumers' privacy and data security and what you can do to help.

Whitney Merrill

Whitney Merrill is a hacker, ex-fed, and lawyer. She's currently a privacy attorney at Electronic Arts (EA), and in her spare time, she runs the Crypto & Privacy Village (come say hi!). Recently, she served her country as an attorney at the Federal Trade Commission where she worked on a variety of consumer protection matters including data security, privacy, and deceptive marketing and advertising. Whitney received her J.D. and master's degree in Computer Science from the University of Illinois at Urbana-Champaign.



@wbm312

Terrell McSweeny

Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. This year marks her fourth time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play in protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking, and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design - but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.



@TMcSweenyFTC


Friday the 13th: JSON attacks!

Sunday at 14:00 in Track 4

45 minutes | Demo, Exploit

Alvaro Muñoz, Principal Security Researcher, Hewlett Packard Enterprise

Oleksandr Mirosh, Senior Security QA Engineer, Hewlett Packard Enterprise

2016 was the year of the Java deserialization apocalypse. Although Java deserialization attacks had been known for years, the publication of the Apache Commons Collections Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues.



One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors.



We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable.



In addition to focusing on JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012 but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well and conclude presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption — just simple process invocation.



Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.

Alvaro Muñoz

Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with HPE Security Fortify, Software Security Research (SSR). His research focuses on different programming languages and web application frameworks, searching for vulnerabilities or unsafe uses of APIs. Before joining the research team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many security conferences including DEF CON, RSA, AppSecEU, Protect, DISCCON, etc., holds several infosec certifications, including OSCP, GWAPT and CISSP, and is a proud member of the int3pids CTF team. He blogs at http://www.pwntester.com.



@pwntester

Oleksandr Mirosh

Oleksandr Mirosh has over 9 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He works for the HPE Software Security Research team, investigating and analyzing new threats, vulnerabilities, security weaknesses and new techniques for exploiting security issues, and developing vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modelling, testing and fuzzing, in order to identify and remove any existing or potentially emerging security defects in the software of various customers.


CableTap: Wirelessly Tapping Your Home Network

Saturday at 16:00 in Track 3

45 minutes | Demo, Tool, Exploit

Marc Newlin, Security Researcher at Bastille Networks

Logan Lamb, Security Researcher at Bastille Networks

Chris Grayson, Founder and Principal Engineer at Web Sight.IO

We discovered a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. Our research shows that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through the affected gateways, impacting millions of ISP customers.



Imagine for a moment that you want a root shell on an ISP-provided wireless gateway, but you're tired of the same old web vulns. You want choice. Maybe you want to generate the passphrase for the hidden Wi-Fi network, or log into the web UI remotely using hard-coded credentials.



Don't have an Internet connection? Not to worry! You can just impersonate a legitimate ISP customer and hop on the nearest public hotspot running on another customer's wireless gateway. Once online, you can head on over to GitHub and look at the vulnerability fixes that haven't yet been pushed to customer equipment.



In this talk, we will take you through the research process that led to these discoveries, including technical specifics of each exploit. After showcasing some of the more entertaining attack chains, we will discuss the remediation actions taken by the affected vendors.

Marc Newlin

Marc is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.

Logan Lamb

Logan joined Bastille Networks in 2014 as a security researcher focusing on applications of SDR to IoT. Prior to joining Bastille Networks, he was a member of CSIR at Oak Ridge National Lab where his focus was on symbolic analysis of binaries and red-teaming critical infrastructure.

Chris Grayson

Christopher Grayson (OSCE) is the founder and principal engineer at Web Sight.IO. In this role he handles all operations, development, and research efforts. Christopher is an avid computing enthusiast hailing from Atlanta, Georgia. Having made a habit of pulling things apart in childhood, Chris has found his professional home in information security. Prior to founding Web Sight.IO, Chris was a senior penetration tester at the security consultancy Bishop Fox, and a research scientist at the Georgia Institute of Technology. During his tenure at these organizations, Chris became a specialist in network penetration testing and in the application of academic tactics to the information security industry, both of which contributed to his current research focus of architecting and implementing high-security N-tier systems. Chris attended the Georgia Institute of Technology where he received a bachelor's degree in computational media, a master's degree in computer science, and where he organized and led the Grey H@t student hacking organization.


DNS - Devious Name Services - Destroying Privacy & Anonymity Without Your Consent

Saturday at 12:00 in Track 3

45 minutes | Art of Defense

Jim Nitterauer, Senior Security Specialist, AppRiver, LLC

You've planned this engagement for weeks. Everything's mapped out. You have tested all your proxy and VPN connections. You are confident your anonymity will be protected. You fire off the first round and begin attacking your target. Suddenly something goes south. Your access to the target site is completely blocked no matter what proxy or VPN you use. Soon, your ISP contacts you reminding you of their TOS while referencing complaints from the target of your engagement. You quickly switch MAC addresses and retry only to find that you are quickly blocked again!



What happened? How were you betrayed? The culprit? Your dastardly DNS resolvers and more specifically, the use of certain EDNS0 options by those resolvers.



This presentation will cover the ways in which EDNS OPT code data can divulge details about your online activity, look at methods for discovering implementation by upstream DNS providers and discuss ways in which malicious actors can abuse these features. We will also examine steps you can take to protect yourself from these invasive disclosures.



The details covered will be only moderately technical. Having a basic understanding of RFC 6891 and general DNS processes will help in understanding. We will discuss the use of basic tools including Wireshark, Packetbeat, Graylog and Dig.

Jim Nitterauer

Jim is currently a Senior Security Specialist at AppRiver, LLC, where his team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global spam & virus filtering infrastructure as well as all internal applications. They also manage security operations for the entire company. He holds a CISSP certification. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology since the late 1980s when punch cards were still a thing.



Jim has presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, CircleCityCon and several smaller conferences. He regularly attends national security conferences and is passionate about conveying the importance of developing, implementing and maintaining security policies for organizations. His talks convey unique and practical techniques that help attendees harden their security in practical and easy-to-deploy ways.



Jim is a senior staff member with BSides Las Vegas, a member of the ITEN WIRED Planning Committee and the president of the Florida Panhandle (ISC)2 Chapter. When not at the computer, Jim can be found working out, playing guitar, traveling or just relaxing with an adult beverage.



Twitter: @jnitterauer

LinkedIn: https://www.linkedin.com/in/jnitterauer/


Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles

Saturday at 14:00 in Track 3

45 minutes | Demo, Tool

p3n3troot0r (Duncan Woodbury), Hacker
ginsback (Nicholas Haltmeyer), Hacker

Vehicle-to-vehicle (V2V) and, more generally, vehicle-to-everything (V2X) wireless communications enable semi-autonomous driving via the exchange of state information between a network of connected vehicles and infrastructure units. Following 10+ years of standards development, particularly of IEEE 802.11p and the IEEE 1609 family, a lack of available implementations has prevented the involvement of the security community in development and testing of these standards. Analysis of the WAVE/DSRC protocols in their existing form reveals the presence of vulnerabilities which have the potential to render the protocol unfit for use in safety-critical systems. We present a complete Linux-stack based implementation of IEEE 802.11p and IEEE 1609.3/4 which provides a means for hackers and academics to participate in the engineering of secure standards for intelligent transportation systems.

p3n3troot0r (Duncan Woodbury)

Car hacker by trade, embedded systems security engineer by day. Entered the field of cyberauto security in 2012 through the Battelle CAVE red team and had the opportunity to improve the world by hacking transportation systems. Co-founded multiple security companies focused on building tools for automated exploitation of automotive systems (http://www.silent-cyber.com/), open-source frameworks for V2X, secure digital asset management, and 3D printing electric cars (https://hackaday.com/tag/lost-pla/) out of your garage (http://fosscar.faikvm.com/trac/). DEF CON lurker since the age of 17, recently having joined forces with friends and mentors to organize and host the DEF CON Car Hacking Village.



p3n3troot0r began working V2X with ginsback two years ago and realized the opportunity, in lieu of any open-source or full-stack V2X implementation, to bring the security community into the driver's seat in the development of next-gen cyberauto standards. Together they have engaged the thought leaders in this space, and via the long-awaited integration of this stack into the mainline Linux kernel, the global development community is given the opportunity to participate in the development of automated and connected transportation systems.

ginsback (Nicholas Haltmeyer)

AI researcher and security professional. Began work in automotive security through the DEF CON Car Hacking Village and have since developed V2X software and routing schemes. Extensive experience in signal processing and RF hacking, including vital sign monitoring, activity recognition, and biometric identification through RF.



Given the (abyssal) state of automotive cybersecurity, ginsback aims to develop and field tools for V2X that open collaboration with the hacker community. As intelligent transit reaches critical mass, attacks on V2X infrastructure have the potential to cause incredible damage. ginsback partnered with p3n3troot0r to develop a free as in freedom V2X interface and extend an invitation for the community to discover and fix flaws in the design of what will soon be a massive network of connected vehicles.


Weaponizing Machine Learning: Humanity Was Overrated Anyway

Sunday at 14:00 in Track 2

45 minutes | Demo, Tool

Dan "AltF4" Petro, Senior Security Associate, Bishop Fox
Ben Morris, Security Analyst, Bishop Fox

At risk of appearing like mad scientists, reveling in our latest unholy creation, we proudly introduce you to DeepHack: the open-source hacking AI. This bot learns how to break into web applications using a neural network, trial-and-error, and a frightening disregard for humankind.



DeepHack can ruin your day without any prior knowledge of apps, databases - or really anything else. Using just one algorithm, it learns how to exploit multiple kinds of vulnerabilities, opening the door for a host of hacking artificial intelligence systems in the future.



This is only the beginning of the end, though. AI-based hacking tools are emerging as a class of technology that pentesters have yet to fully explore. We guarantee that you'll be either writing machine learning hacking tools next year, or desperately attempting to defend against them.



No longer relegated just to the domain of evil geniuses, the inevitable AI dystopia is accessible to you today! So join us and we'll demonstrate how you too can help usher in the destruction of humanity by building weaponized machine learning systems of your own - unless time travelers from the future don't stop us first.

Dan "AltF4" Petro

Dan Petro is a Senior Security Associate at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and network penetration testing.



Dan likes to hear himself talk, often resulting in conference presentations including several consecutive talks at Black Hat USA and DEF CON in addition to appearances at HOPE, BSides, and ToorCon. He is widely known for the tools he creates: the Rickmote Controller (a Chromecast-hacking device), Untwister (a tool used for breaking pseudorandom number generators) and SmashBot (a merciless Smash Bros noob-pwning machine). He also organizes Root the Box, a capture the flag security competition.



Dan holds a Master of Science in Computer Science from Arizona State University and still doesn't regret it.



@BishopFox

@2600altf4

Ben Morris

Ben Morris is a Security Analyst at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing, network penetration testing, and red-teaming.



Ben also enjoys performing drive-by pull requests on security tools and bumbling his way into vulnerabilities in widely used PHP and .NET frameworks and plugins. Ben has also contributed to Root the Box, a capture the flag security competition.


Teaching Old Shellcode New Tricks

Friday at 13:00 in Track 2

45 minutes | Demo

Josh Pitts, Hacker

Metasploit x86 shellcode has been defeated by EMET and other techniques not only in exploit payloads but through using those payloads in non-exploit situations (e.g. binary payload generation, PowerShell deployment, etc.). This talk describes taking Metasploit payloads (minus Stephen Fewer's hash API), incorporating techniques to bypass Caller/EAF[+] checks (post ASLR/DEP bypass) and merging those techniques together with automation to make something better.

Josh Pitts

Josh Pitts has over 15 years' experience conducting physical and IT security assessments, IT security operations support, penetration testing, malware analysis, reverse engineering and forensics. Josh has worked in US Government contracting, commercial consulting, and Silicon Valley startups. He likes to write code that patches code with other code via The Backdoor Factory (BDF), has co-authored an open-source environmental keying framework (EBOWLA), and once served in the US Marines.



@midnite_runr


Popping a Smart Gun

Saturday at 17:00 in Track 4

45 minutes | Demo, Exploit

Plore, Hacker

Smart guns are sold with a promise: they can be fired only by authorized parties. That works in the movies, but what about in real life? In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

Plore

Plore is an electrical engineer and embedded software developer based in the United States. At DEF CON 24, he spoke about cracking high-security electronic safe locks.



@_plore


Digital Vengeance: Exploiting the Most Notorious C&C Toolkits

Saturday at 15:00 in Track 4

45 minutes | Demo, Tool, Exploit

Professor Plum, Hacker

Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe.



If one looks at the many APT reports that have been released over the years some clear patterns start to emerge. A small number of Remote Administration Tools are preferred by actors and reused across multiple campaigns. Frequently cited tools include Gh0st RAT, Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted.



The presentation will disclose several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones.

Professor Plum

Professor Plum is an experienced reverse engineer, developer, and digital forensics examiner. He holds a graduate degree in Information Security from Johns Hopkins University, and has worked numerous computer incident investigations spanning the globe. He currently works as a Senior Threat Researcher for a Fortune 500 cybersecurity company and previously worked for the Department of Defense performing vulnerability research, software development, and Computer Network Operations.



@professor__plum


The Internet Already Knows I'm Pregnant

Friday at 17:00 in Track 4

45 minutes | Exploit

Cooper Quintin, Staff Technologist - EFF
Kashmir Hill, Journalist - Gizmodo Media

Women's health is big business. There are a staggering number of applications for Android to help people keep track of their monthly cycle, know when they may be fertile, or track the status of their pregnancy. These apps entice the user to input the most intimate details of their lives, such as their mood, sexual activity, physical activity, physical symptoms, height, weight, and more. But how private are these apps, and how secure are they really? After all, if an app has such intimate details about our private lives it would make sense to ensure that it is not sharing those details with anyone such as another company or an abusive partner/parent. To this end EFF and journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications, as well as some notable security flaws and a couple of interesting security features.

Cooper Quintin

Cooperq is a security researcher and programmer at EFF. He has worked on projects such as Privacy Badger, Canary Watch, Ethersheet, and analysis of state sponsored malware. He has also performed security trainings for activists, non profit workers and ordinary folks around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. He also was a co-founder of the Hackbloc hacktivist collective. In his spare time he enjoys playing music and participating in street protests.



@cooperq

Kashmir Hill

Kashmir Hill is a journalist who writes about privacy and security. She is a senior reporter at Gizmodo Media and has previously written for Fusion, Forbes Magazine and Above The Law.



@kashhill


From "One Country - One Floppy" to "Startup Nation" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene

Saturday at 16:00 in Track 2

45 minutes | Hacker History

Inbar Raz, Principal Researcher, PerimeterX Inc.
Eden Shochat, Equal Partner, Aleph

The late '80s and early '90s played a pivotal role in the forming of the Israeli tech scene as we know it today, producing companies like Checkpoint, Waze, Wix, Mobileye, Viber and billions of dollars in fundraising and exits. The people who would later build that industry were in anywhere from elementary school to high school, and their paths included some of the best hacking stories of the time (certainly in the eyes of the locals). The combination of extremely expensive Internet and international dial system, non-existent legal enforcement and a lagging national phone company could not prevent dozens of hungry-for-knowledge kids from teaching themselves the dark arts of reversing, hacking, cracking, phreaking and even carding. The world looked completely different back then and we have some great stories for you. We will cover the evolution of the many-years-later-to-be-named-Cyber community, including personal stories from nearly all categories. Come listen to how the Israeli Cyber "empire" was born, 25 years ago, from the perspectives of 2:401/100 and 2:401/100.1.

Inbar Raz

Inbar has been reverse engineering for nearly as long as he has been living. It started with a screwdriver, pliers, wire cutters, and his grandfather's ECG machine, and gradually transitioned into less destructive research. In 1984, aged 9, he started programming on his Dragon 64. At 13 he got his first PC - Amstrad PC1512 - and within a year was already into reverse engineering. It wasn't long before he discovered how to access the X.25 network, Bitnet and Fidonet, and through high-school he was a key figure in the Israeli BBS scene.



Inbar spent most of his career in the Internet and Data Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an early age. In fact, nowadays he commonly lectures about Ethical Hacking and Coordinated Vulnerability Disclosure.



Inbar specializes in outside-the-box approach to analyzing security and finding vulnerabilities, and is currently the Principal Researcher at PerimeterX, researching and educating the public on Automated Attacks on Websites.



@inbarraz

https://www.linkedin.com/in/inbar-raz-90a7913/

Eden Shochat

Eden Shochat builds stuff, most recently Aleph, +$330MM venture capital fund; The Junction, voted #1 startup program in Israel; face.com, a massive face recognition API acquired by Facebook; Aternity, the leading user-centric enterprise IT platform, acquired by Riverbed; and GeekCon, Europe's biggest makers conference. Eden grew up in Nigeria, where he was bored into assembly programming for the Z80 chip, graduated into the demo and cracking scenes while being thrown out of high-school but ended up being a (somewhat) productive member of society.



@eden

https://www.linkedin.com/in/edens/


PEIMA (Probability Engine to Identify Malicious Activity): Using Power Laws to address Denial of Service Attacks

Sunday at 10:20 in Track 2

20 minutes | Art of Defense, Demo, Tool

Redezem, Hacker

Denial of service. It requires a low level of resources and knowledge, it is very easy to deploy, it is very common and it is remarkable how effective it is overall. PEIMA is a brand new method of client side malicious activity detection based on mathematical laws, usually used in finance, text retrieval and social media analysis, that is fast, accurate, and capable of determining when denial of service attacks start and stop without flagging legitimate heavy interest in your server erroneously. However, denial of service attacks aren't the only type of anomalous activity you can look at with PEIMA. Learn what kinds of unusual identifying metrics you can get out of your network and users to help detect intrusions and, ultimately, defend your assets.

Redezem

Redezem hails from the southern hemisphere, specifically Perth, Australia, the most isolated capital city on the planet. He's been an avid computer tinkerer in this desolate, sunny, beach-ridden wasteland from a young age, and has been a "hacker" since he stole his dad's passwords to get at the internet as a kid. Having worked part time as a web application developer during his undergraduate degree in computer science, he specialised into intrusion detection in his honours year, and is currently performing his PhD into new and fantastic network anomaly detection mechanisms at Curtin University. He currently also lectures, and works part-time as a security consultant.


An ACE Up the Sleeve: Designing Active Directory DACL Backdoors

Friday at 16:00 in Track 3

45 minutes | Demo

Andy Robbins, Red Team Lead
Will Schroeder, Offensive Engineer

Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.



While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.



This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy", and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described.

Andy Robbins

As a Red Team lead, Andy Robbins has performed penetration tests and red team assessments for a number of Fortune 100 commercial clients, as well as federal and state agencies. Andy presented his research on a critical flaw in the ACH payment processing standard in 2014 at DerbyCon and the ISC2 World Congress, and has spoken at other conferences including DEF CON, BSidesLV, ekoparty, ISSA International, and Paranoia Conf in Oslo. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the "Adaptive Red Team Tactics" course at BlackHat USA.



@_wald0

Will Schroeder

Will Schroeder is an offensive engineer and red teamer. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON, DerbyCon, Troopers, BlueHat Israel, and various Security BSides.



@harmj0y


Using GPS Spoofing to control time

Friday at 14:00 in 101 Track

45 minutes | Tool

David "Karit" Robinson, Security Consultant, ZX Security

GPS is central to a lot of the systems we deal with on a day-to-day basis. Be it Uber, Tinder, or aviation systems, all of them rely on GPS signals to receive their location and/or time.



GPS Spoofing is now a valid attack vector and can be done with minimal effort and cost. This raises some concerns when GPS is depended upon by safety of life applications. This presentation will look at the process for GPS and NMEA (the serial format that GPS receivers output) spoofing, how to detect the spoofing attacks and ways to manipulate the time on GPS synced NTP servers. We will also explore the implications when the accuracy of the time on your server can no longer be guaranteed.

David "Karit" Robinson

Dave/Karit has worked in the IT industry for over 10 years. In this time he has developed a skillset that encompasses various disciplines in the information security domain. Dave is currently part of the team at ZX Security in Wellington and works as a penetration tester. Since joining ZX Security Dave has presented at Kiwicon, BSides Canberra and Unrestcon and also at numerous local meetups, along with running training at Kiwicon and Syscan. He has a keen interest in lock-picking and all things wireless.



@nzkarit


Wiping out CSRF

Thursday at 13:00 in 101 Track 2

45 minutes | Art of Defense, Demo

Joe Rozner, Senior Software Security Engineer, Prevoty

CSRF remains an elusive problem due to legacy code, legacy frameworks, and developers not understanding the problem or how to protect against it. Wiping out CSRF introduces primitives and strategies for building solutions to CSRF that can be bolted on to any HTTP application where HTTP requests and responses can be intercepted, inspected, and modified. Modern frameworks have done a great job at providing solutions to the CSRF problem that automatically integrate into the application and solve most of the conditions. However, many existing apps and new apps that don't take advantage of these frameworks or use them incorrectly are still plagued with this problem. Wiping out CSRF will provide an in-depth overview of the various reasons that CSRF occurs and provide payload examples to target those specific issues and variations. We'll see live demos of these attacks and the protections against them. Next we'll look at how to compose these primitives into a complete solution capable of solving most cases of CSRF, explaining the limits and how to layer them to address potential shortcomings. Finally we'll finish by looking at SameSite cookies, a new extension to cookies that could be the final nail in the coffin, and see how to use the prior solution as a graceful degradation for user agents that don't support it yet.

Joe Rozner

Joe (@jrozner) is a software engineer at Prevoty where he has built semantic analysis tools, language runtimes, generalized solutions to common vulnerability classes, and designed novel integration technology leveraging runtime memory patching. He has a passion for reverse engineering, exploitation, teaching, and sharing research with others. He is the undisputed champion of the Brawndo and Booze competition from DEF CONs past with his Irish Car Mutilator winning in both the drink and dip categories.



@jrozner


The Black Art of Wireless Post Exploitation

Sunday at 12:00 in 101 Track

45 minutes | Demo, Tool

Gabriel "solstice" Ryan, Gotham Digital Science

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility. The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In this presentation, we will present a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel "solstice" Ryan

Gabriel is a pentester, CTF player, and Offsec R&D. He currently works for Gotham Digital Science, where he provides full scope red team penetration testing capabilities for a diverse range of clients. Previously he has worked at OGSystems and Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. Things that make him excited include obscure wireless attacks, evading antivirus, and playing with fire. In his spare time, he enjoys live music and riding motorcycles.



@s0lst1c3

github.com/s0lst1c3

solstice.me

blog.gdssecurity.com


Taking Windows 10 Kernel Exploitation to the next level - Leveraging write-what-where vulnerabilities in Creators Update

Saturday at 17:00 in Track 2

45 minutes | Demo, Exploit

Morten Schenk, Security Advisor, Improsec

Since the release of Windows 10 and especially in the Anniversary and Creators Updates, Microsoft has continued to introduce exploit mitigations to the Windows kernel. These include full scale KASLR and blocking kernel pointer leaks.



This presentation picks up the mantle and reviews the powerful read and write kernel primitives that can still be leveraged despite the most recent hardening mitigations. The presented techniques include abusing the kernel-mode Window and Bitmap objects, which Microsoft has attempted to lock down several times. Doing so will present a generic approach to leveraging write-what-where vulnerabilities.



A stable and precise kernel exploit must be able to overcome KASLR, most often using kernel driver leaks. I will disclose several previously unknown KASLR bypasses in Windows 10 Creators Update. Obtaining kernel-mode code execution on Windows has become more difficult with the randomization of Page Table entries. I will show how a generic de-randomization of the Page Table entries can be performed through dynamic reverse engineering. Additionally, I will present an entirely different method which makes the usage of Page Table entries obsolete. This method allocates an arbitrary size piece of executable kernel pool memory and transfers code execution to it through hijacked system calls.

Morten Schenk

Morten Schenk (@blomster81) is a security advisor and researcher at Improsec ApS, with a background in penetration testing, red teaming and exploit development. Having a high craving for learning and torture based on taking certifications like OSCP, OSCE and OSEE, Morten's research is specifically focused on binary exploitation and mitigation bypasses on Windows. He blogs about his research at https://improsec.com/blog/



@Blomster81


Social Engineering The News

Standby Speaker

45 minutes

Michael Schrenk

It might be called "fake news" but at its heart, it's the latest wave of social engineering. This apolitical talk explores the similarities between traditional social engineering and today's "fake news". During this talk, Michael Schrenk will show how social engineers use OPSEC (Operations Security) to plan a successful social attack. Additionally, you'll also learn about the economics of "fake news", who's making the money, and how much, and how information is weaponized. This talk will also reveal that the news has been socialized for a long time, and that socially engineered news led to the start of the Spanish American War. We'll also explore techniques to guard against social engineering in general, and specifically in the media.

Michael Schrenk

While best known in The USA for his work with botnets and webbots, Michael Schrenk is known across Europe for teaching Investigative Journalists privacy and hacking techniques. In addition, he has developed multiple weekend workshops for The Centre for Investigative Journalism at City College in London England. Along with his teaching, Michael has also gathered data for some of the biggest news agencies in Europe. Today, Mike is based right here in Las Vegas, Nevada.



@mgschrenk

www.schrenk.com


Total Recall: Implanting Passwords in Cognitive Memory

Sunday at 11:00 in 101 Track

45 minutes

Tess Schrodinger

What is cognitive memory? How can you "implant" a password into it? Is this truly secure? Curiosity around these questions prompted exploration of the research and concepts surrounding the idea of making the authentication process more secure by implanting passwords into an individual's memory. The result? The idea is that you are not able to reveal your credentials under duress but you are still able to authenticate to a system. We will begin with an understanding of cognitive memory. Implicit versus explicit memory will be defined. The concepts of the subconscious, unconscious, and consciousness will be addressed. The stages of memory pertaining to encoding, storage and retrieval, as well as the limitations of human memory along with serial interception sequence learning training, will round out our build up to the current research and experimentation being done with the proposal to implant passwords into an individual's cognitive memory.

Tess Schrodinger

Tess is a security engineer and researcher with over twenty years of experience in security and counterintelligence. Her areas of interest are Insider Threat, Quantum Computing, Security Awareness, Cryptography, and Triathlons.



@TessSchrodinger


Open Source Safe Cracking Robots - Combinations Under 1 Hour! (Is it bait? Damn straight it is.)

Friday at 12:00 in Track 2

45 minutes | Demo, Tool, Exploit

Nathan Seidle, Founder, SparkFun Electronics

We've built a $200 open source robot that cracks combination safes using a mixture of measuring techniques and set testing to reduce crack times to under an hour. By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, 'set testing' is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe. Come check out the live cracking demo during the talk!

Nathan Seidle

Nathan Seidle is the founder of SparkFun Electronics in Boulder, Colo. Nathan founded SparkFun in 2003 while an undergraduate student studying electrical engineering. After building the company across 14 years to over 130 employees he now heads the SparkX Lab within SparkFun, tinkering, hacking and building new products.



Nathan has built a large catalog of off the beaten path projects including a 12' GPS clock, a wall sized Tetris interface, an autonomous miniature electric bat-mobile, a safe cracking robot, and a hacked bathroom scale to measure the weight of his beehive. He believes strongly in the need to teach the next generation of technical citizens.



Nathan is a founding member of the Open Source Hardware Association. He has served on the board of OSHWA and continues to promote and serve the organization. Nathan has been invited to the White House to participate in discussions around intellectual property policy and patent reform and attended multiple White House Maker Faires. Nathan has spoken in front of Congress on copyright and trademark policy. He has presented on the many facets of manufacturing and open hardware at the National Science Foundation, Google, and Sketching in Hardware. Nathan has guest lectured at numerous institutions including MIT, Stanford and West Point Academy.



In their off time, Nathan and his wife Alicia can be found making rather silly electronics projects together for their local Public Library, their nieces and nephews, and Burning Man. Nathan and Alicia live in Boulder, Colorado with their pet tree Alfonso.



@chipaddict, @sparkfun, www.sparkfun.com


Man in the NFC

Sunday at 14:00 in Track 3

45 minutes | Demo, Tool

Haoqi Shan, Wireless security researcher

Jian Yuan, Wireless security researcher

NFC (Near Field Communication) technology is now widely used in security, banking, payment and personal information exchange, and is highly developed. Correspondingly, attack methods against NFC have also emerged endlessly. To address this problem, we built a hardware tool which we call "UniProxy". This tool contains two self-modified high frequency card readers and two radio transmitters, arranged in a master-slave configuration. The master part can easily and successfully read almost all ISO 14443A type cards (no matter what kind of card it is: bank card, ID card, passport, access card, or whatever, and no matter what security protocol the card uses, as long as it meets the ISO 14443A standard), while the slave part replays this card to the corresponding legitimate card reader to achieve our "evil" goals. The master and slave communicate via the radio transmitters and can be 50 - 200 meters apart.

Haoqi Shan

Haoqi Shan is currently a wireless/hardware security researcher in UnicornTeam of 360 Radio Security Research Dept. He focuses on Wi-Fi penetration, GSM systems, embedded device hacking, building hacking tools, etc. He has given a series of presentations on femtocell hacking, RFID hacking and LTE device hacking at DEF CON, CanSecWest, Syscan360 and HITB, among others.

Jian Yuan

Yuan Jian is a security researcher in UnicornTeam of 360 Radio Security Research Dept. He is mainly focused on the security of Internet of things, NFC, GPS, etc. He was a speaker at the DEF CON Car Hacking Village.

Contributor Acknowledgement:

The Speakers would like to acknowledge Yuan Jian for his contribution to the presentation.


Driving down the rabbit hole

Saturday at 12:00 in 101 Track

45 minutes | Demo

Mickey Shkatov, Security Researcher, McAfee

Jesse Michael, Security Researcher, McAfee

Oleksandr Bazhaniuk, Security Researcher

Over the past few years, cars and automotive systems have gained increasing attention as cyber-attack targets. Cars are expensive. Breaking cars can cost a lot. So how can we find vulnerabilities in a car with no budget? We’ll take you with us on a journey from zero car security validation experience through the discovery and disclosure of multiple remotely-exploitable automotive vulnerabilities. Along the way, we’ll visit a wrecking yard, reassemble (most of) a 2015 Nissan Leaf in our lab, and discuss how we picked our battles, fought them, and won. During our talk, we’ll examine the details of three different classes of vulnerabilities we found in this vehicle, how they can be exploited, and the potential ramifications to the owner of their real-world exploitation. We’ll also discuss the broader scope of the vulnerabilities discovered, how they extend beyond just this specific vehicle, and what the industry can do better to prevent these types of problems in the future.

Mickey Shkatov

Mickey Shkatov is a security researcher and a member of the McAfee Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security.



@HackingThings

Jesse Michael

Jesse Michael has been working in security for over a decade and is currently a member of the McAfee Advanced Threat Research team, where he spends his time causing trouble and finding low-level hardware security vulnerabilities in modern computing platforms.



@jessemichael

Oleksandr Bazhaniuk

Oleksandr Bazhaniuk is a security researcher and reverse engineer with background in automation of binary vulnerability analysis. He is also a co-founder of DCUA, the first DEF CON group in Ukraine.



@ABazhaniuk


Here to stay: Gaining persistency by abusing advanced authentication mechanisms

Saturday at 17:00 in 101 Track

45 minutes | Demo

Marina Simakov, Security researcher, Microsoft

Igal Gofman, Security researcher, Microsoft

Credentials have always served as a favorite target for advanced attackers, since they allow an attacker to efficiently traverse a network without using any exploits.



Moreover, compromising the network might not be sufficient, as attackers strive to obtain persistency, which requires the use of advanced techniques to evade the security mechanisms installed along the way.



One of the challenges adversaries must face is: How to create threats that will continuously evade security mechanisms, and even if detected, ensure that control of the environment can be easily regained?



In this talk, we briefly discuss some of the past techniques for gaining persistency in a network (using local accounts, GPOs, skeleton key, etc.) and why they are insufficient nowadays.



This is followed by a comprehensive analysis of lesser known mechanisms to achieve persistency, using non-mainstream methods (such as object manipulation, Kerberos delegation, etc.).



Finally, we show how defenders can secure their environment against such threats.

Marina Simakov

Marina Simakov is a security researcher at Microsoft, with a specific interest in network based attacks.



She holds an M.Sc. in computer science, with several published articles. She gave a talk at BlueHat IL 2016 regarding attacks on local accounts.



@simakov_marina

Igal Gofman

Igal Gofman is a security researcher at Microsoft. Igal has a proven track record in network security, research oriented development and threat intelligence.



His research interests include network security, intrusion detection and operating systems.



Before Microsoft, Igal was a Threat Response Team Lead at Check Point Software Technologies leading the development of the intrusion detection system.



@IgalGofman


Abusing Webhooks for Command and Control

Saturday at 11:20 in 101 Track

20 minutes | Demo, Tool

Dimitry Snezhkov, Security Consultant, X-Force Red, IBM

You are on the inside of the perimeter. And maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). Problem is - the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You've implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business related websites on the outside.



We have all been there, seeing frustrating proxy denies or triggering security alarms making our presence known.

Having more choices when it comes to outbound network connectivity helps. In this talk we'll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are and how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish almost realtime asynchronous command execution, and even create command-and-control communication over them, bypassing strict defensive proxies, and even avoiding attribution.



Finally, we'll release the tool that will use the concept of a broker website to work with the external C2 using webhooks.

Dimitry Snezhkov

Dimitry Snezhkov does not like to refer to himself in the third person ;) but when he does he is a Sr. Security Consultant for X-Force Red at IBM, currently focusing on offensive security testing, code hacking and tool building.



@Op_Nomad


Phone system testing and other fun tricks

Friday at 15:00 in Track 2

45 minutes | Demo, Tool

"Snide" Owen, Hacker

Phone systems have long been forgotten in favor of more modern technology. The phreakers of the past left us a wealth of information; however, while moving forward, the environments as a whole have become more complex. As a result they are often forgotten, side tracked or not thoroughly tested. We’ll cover the VoIP landscape and how to test the various components, focusing on PBX and IVR testing. The security issues that may be encountered are mapped to the relevant OWASP category for familiarity. Moving on, I’ll demonstrate other fun ways that you can utilize a PBX within your future offensive endeavours.

"Snide" Owen

"Snide" Owen has worked in various IT fields from tech support to development. Combining that knowledge he moved into the security field by way of Application Security and is now on an offensive security research team. He enjoys both making and breaking, tinkering with various technologies, and has experimented for prolonged periods with PBX's and the obscure side of VoIP.


Hacking travel routers like it's 1999

Friday at 10:20 in Track 2

20 minutes | Demo, Exploit

Mikhail Sosonkin, Security Researcher, Synack Inc.

Digital nomads are a growing community and they need internet safety just like anyone else. Trusted security researchers have warned about the dangers of traveling through AirBnB’s. Heeding their advice, I purchased a HooToo TM06 travel router to create my own little enclave while I bounce the globe. Being a researcher myself, I did some double checking.



So, I started fuzzing and reverse engineering. While the TM06 is a cute and versatile little device - protection against network threats, it is not. In this talk, I will take you on my journey, revealing my methodology for discovering and exploiting two memory corruption vulnerabilities. The vulnerabilities are severe and while they’ve been reported to the vendor, they are very revealing data points about the security state of such devices. While the device employs some exploitation mitigations, many are missing. I will be showing how I was able to bypass them and what mitigations should’ve been employed, such as NX-Stack/Heap, canaries, etc., to prevent me from gaining arbitrary shellcode execution.



If you’re interested in security of embedded/IoT systems, travel routers or just good old fashioned MIPS hacking, then this talk is for you!

Mikhail Sosonkin

Mikhail Sosonkin is a Security Researcher at Synack where he digs into the security aspects of low level systems. He enjoys automating aspects of reverse engineering and fuzzing in order to better understand application internals. Mikhail has a CS degree from NYU, where he has also taught Application Security, and a Software Engineering masters from Oxford University. Being a builder and a hacker at heart, his interests are in vulnerability analysis, automation, malware and reverse engineering. Mikhail much enjoys speaking at such conferences as ZeroNights in Moscow and DEF CON in Las Vegas!



@hexlogic, Blog http://debugtrap.com/


Genetic Diseases to Guide Digital Hacks of the Human Genome: How the Cancer Moonshot Program will Enable Almost Anyone to Crash the Operating System that Runs You or to End Civilization...

Sunday at 12:00 in Track 4

45 minutes

John Sotos, Chief Medical Officer, Intel Corporation

The human genome is, fundamentally, a complex open-source digital operating system (and set of application programs) built on the digital molecules DNA and RNA.



The genome has thousands of publicly documented, unpatchable security vulnerabilities, previously called "genetic diseases." Because emerging DNA/RNA technologies, including CRISPR-Cas9 and especially those arising from the Cancer Moonshot program, will create straightforward methods to digitally reprogram the genome in free-living humans, malicious exploitation of genomic vulnerabilities will soon be possible on a wide scale.



This presentation shows the breathtaking potential for such hacks, most notably the exquisite targeting precision that the genome supports — in effect, population, and time — spanning annoyance to organized crime to civilization-ending pandemics far worse than Ebola.



Because humans are poor at responding to less-than-immediate threats, and because there is no marketplace demand for defensive technologies on the DNA/RNA platform, the hacker community has an important role to play in devising thought-experiments to convince policy makers to initiate defensive works, before offensive hacks can be deployed in the wild. Hackers can literally save the world... from ourselves.

John Sotos

John Sotos is Chief Medical Officer at Intel Corporation. He has been programming computers continuously since 1970, excepting four years of medical school at Johns Hopkins, where he also trained as a transplantation cardiologist. His professional interests include hacking the medical diagnostic process, first with a book on edge cases, called "Zebra Cards: An Aid to Obscure Diagnosis," followed by six years as a medical technical consultant on the popular television series "House, MD." His masters degree in artificial intelligence is from Stanford, and he is a co-founder of Expertscape.com. He is a long-time air rescue flight surgeon for the National Guard; however, the opinions presented here are his own, and do not necessarily represent those of the Department of Defense or Intel.



www.intel.com

www.sotos.com


Exploiting Continuous Integration (CI) and Automated Build systems

Sunday at 11:00 in Track 3

45 minutes | Demo, Tool, Exploit

spaceB0x, Sr. Security Engineer at LeanKit Inc.

Continuous Integration (CI) systems and similar architectures have taken a new direction, especially in the last few years. Automating code builds, tests, and deployments is helping hordes of developers release code, and is saving companies a great amount of time and resources. But at what cost? The sudden and strong demand for these systems has created some widely adopted practices that have large security implications, especially if these systems are hosted internally. I have developed a tool that will help automate some offensive testing against certain popular CI build systems. There has been a large adoption of initiating these builds through web hooks of various kinds, especially changes to public facing code repositories. I will start with a brief overview of some of the more popular CI tools and how they are being used in many organizations. This is good information for understanding, at a high level, the purpose of these systems as well as some security benefits that they can provide. From there we will dive into specific examples of how these different CI implementations have created vulnerabilities (in one case for a CI vendor themselves). Last we will explore the tool, its purpose, and a demonstration of its use. This tool takes advantage of the configurations of various components of the build chain to look for vulnerabilities. It then has the capability to exploit, persist access to, and command and control vulnerable build containers. Most of the demonstration will revolve around specific CI products and repositories; however, the concepts are applicable across most build systems. The goal here is to encourage further exploration of these exploitation concepts. The tool is built "modularly" to facilitate this.

If you are new to CI and automated build systems, or if you have been doing it for years, this talk and tool will help you to better secure your architecture.

spaceB0x

spaceB0x is extremely dedicated to his work in information security. He is the Sr. Security Engineer at a software company called LeanKit. He likes, and occasionally succeeds at, security dev-opsing, web application and network penetration testing, and some other security things. He has written tools for secure key management within automation infrastructures, capturing netflow data, and pwning automated build systems. He loves the hacker community, learning new things, and exploring new ideas.



@spaceB0xx

Website: www.untamedtheory.com


Breaking Wind: Adventures in Hacking Wind Farm Control Networks

Saturday at 10:20 in 101 Track

20 minutes

Jason Staggs, Security Researcher at the University of Tulsa

Wind farms are becoming a leading source for renewable energy. The increased reliance on wind energy makes wind farm control systems attractive targets for attackers. This talk explains how wind farm control networks work and how they can be attacked in order to negatively influence wind farm operations (e.g., wind turbine hijacking). Specifically, implementations of the IEC 61400-25 family of communications protocols are investigated (i.e., OPC XML-DA). This research is based on an empirical study of a variety of U.S. based wind farms conducted over a two year period. We explain how these security assessments reveal that wind farm vendor design and implementation flaws have left wind turbine programmable automation controllers and OPC servers vulnerable to attack. Additionally, proof-of-concept attack tools are developed in order to exploit wind farm control network design and implementation vulnerabilities.

Jason Staggs

Dr. Jason Staggs is an independent information security researcher with strong interests in critical infrastructure protection, telecommunications, penetration testing, network security and digital forensics. Jason has spoken at national and international conferences, authored various peer-reviewed publications and lectured undergraduate and graduate level courses on a variety of cyber security topics. His expertise in digital forensics has enabled him to provide invaluable assistance to law enforcement agencies at the local, state and federal levels in order to solve high-profile cybercrimes. In his spare time, Jason enjoys reverse engineering proprietary network stacks in embedded devices and diving through ancient RFCs to demystify obscure network protocols. Jason attended graduate school at The University of Tulsa where he earned his M.S. and Ph.D. degrees in Computer Science.


Hacking the Cloud

Thursday at 14:00 in 101 Track

45 minutes | Demo

Gerald Steere, Cloud Wrecker, Microsoft

Sean Metcalf, CTO, Trimarc

You know the ins and outs of pivoting through your target's domains. You've had the KRBTGT hash for months and laid everything bare. Or have you?



More targets today have some or all of their infrastructure in the cloud. Do you know how to follow once the path leads there? Red teams and penetration testers need to think beyond the traditional network boundaries and follow the data and services they are after. This talk will focus on how to take domain access and leverage internal access as a ticket to your target's cloud deployments.



We will also discuss round trip flights from cloud to on-premises targets and what authorizations are required to access your target's cloud deployments. While this talk is largely focused on Microsoft Azure implementations, the concepts can be applied to most cloud providers.

Gerald Steere

Gerald Steere has been a member of the C+E Red Team since joining Microsoft in June 2014. He regularly dives into the deepest corners of Azure looking for vulnerabilities unique to the cloud scale environment and collecting all the creds. Prior to that, he was a security auditor and penetration tester for three civilian Federal agencies, where he acquired a love for obtaining and cracking as many passwords as possible. He has spoken on cloud security topics at multiple BlueHat events and most recently at BSides Seattle.



@darkpawh

Sean Metcalf

Sean Metcalf is founder and principal consultant at Trimarc Security, LLC (www.TrimarcSecurity.com), which focuses on mitigating, detecting, and when possible, preventing modern attack techniques. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences.



Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.



@pyrotek3


Rage Against the Weaponized AI Propaganda Machine

Friday at 11:00 in 101 Track

45 minutes | 0025

Suggy (AKA Chris Sumner), Researcher, The Online Privacy Foundation

Psychographic targeting and the so called "Weaponized AI Propaganda Machine" have been blamed for swaying public opinion in recent political campaigns. But how effective are they? Why are people so divided on certain topics? And what influences their views? This talk presents the results of five studies exploring each of these questions. The studies examined authoritarianism, threat perception, personality-targeted advertising and biases in relation to support for communication surveillance as a counter-terrorism strategy. We found that people with an authoritarian disposition were more likely to be supportive of surveillance, but that those who are less authoritarian became increasingly supportive of such surveillance the greater they perceived the threat of terrorism. Using psychographic targeting we reached Facebook audiences with significantly different views on surveillance and demonstrated how tailoring pro and anti-surveillance ads based on authoritarianism affected return on marketing investment. Finally, we show how debunking propaganda faces big challenges as biases severely limit a person's ability to interpret evidence which runs contrary to their beliefs. The results illustrate the effectiveness of psychographic targeting and the ease with which individuals' inherent differences and biases can be exploited.

Suggy (AKA Chris Sumner)

Suggy is the lead researcher and co-founder of the not-for-profit Online Privacy Foundation, who contribute to the field of psychological research in online contexts. He has authored papers and spoken on this topic at DEF CON and other noteworthy security, psychology, artificial intelligence and machine learning conferences. For the past 4 years, Suggy has served as a member of the DEF CON CFP review board. By day, he works in security strategy at Hewlett Packard Enterprise.



@thesuggmeister, https://www.onlineprivacyfoundation.org/


Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode

Thursday at 12:00 in 101 Track

45 minutes | Demo, Tool

Matt Suiche, Founder, Comae Technologies

Ethereum is gaining significant popularity in the blockchain community, mainly due to the fact that it is designed in a way that enables developers to write decentralized applications (Dapps) and smart contracts using blockchain technology.



The Ethereum blockchain is a consensus-based, globally executed virtual machine, also referred to as the Ethereum Virtual Machine (EVM), which implements its own micro-kernel supporting a handful of instructions, with its own stack, memory and storage. This enables the radical new concept of distributed applications.



Contracts live on the blockchain in an Ethereum-specific binary format (EVM bytecode). However, contracts are typically written in some high-level language such as Solidity and then compiled into bytecode to be uploaded on the blockchain. Solidity is a contract-oriented, high-level language whose syntax is similar to that of JavaScript.

This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred to as secure by design, but now that blockchains can embed applications, this raises multiple questions regarding architecture, design, attack vectors and patch deployments.



As we reverse engineers know, having access to source code is often a luxury. Hence the need for an open-source tool like Porosity: a decompiler that turns EVM bytecode into readable Solidity-syntax contracts, enabling static and dynamic analysis of compiled contracts.

Matt Suiche

Matt Suiche is recognized as one of the world's leading authorities on memory forensics and application virtualization.



He is the founder of the United Arab Emirates based cyber-security start-up Comae Technologies. Prior to founding Comae, he was the co-founder & Chief Scientist of the application virtualization start-up CloudVolumes which was acquired by VMware in 2014. He also worked as a researcher for the Netherlands Forensic Institute.



His most notable research contributions enabled the community to perform memory-based forensics for Mac OS X memory snapshots but also Windows hibernation files.

Since 2009, Matt has been recognized as a Microsoft Most Valuable Professional in Enterprise Security due to his various contributions to the community.



@msuiche


Game of Chromes: Owning the Web with Zombie Chrome Extensions

Sunday at 13:00 in 101 Track

45 minutes | Demo

Tomer Cohen, R&D Security Team Leader, Wix.com

On April 16 2016, an army of bots stormed upon Wix servers, creating new accounts and publishing shady websites en masse. The attack was carried out by a malicious Chrome extension, installed on tens of thousands of devices, sending HTTP requests simultaneously. This "Extension Bot" used the Wix websites platform and Facebook messaging service to distribute itself among users. Two months later, the same attackers struck again. This time they used infectious notifications, popping up on Facebook and leading to a malicious Windows-runnable JSE file. Upon clicking, the file ran and installed a Chrome extension on the victim's browser. Then the extension used Facebook messaging once again to pass itself on to more victims.



Analyzing these attacks, we were amazed by the highly elusive nature of these bots, especially when it comes to bypassing web-based bot-detection systems. This shouldn't be surprising, since legit browser extensions are supposed to send Facebook messages, create Wix websites, or in fact perform any action on behalf of the user.



On the other hand, smuggling a malicious extension into Google Web Store and distributing it among victims efficiently, like these attackers did, is let's say - not a stroll in the park. But don't worry, there are other options.



Recently, several popular Chrome extensions were found to be vulnerable to XSS. Yep, the same old XSS every rookie finds in so many web applications. So browser extensions suffer from it too, and sadly, in their case it can be much deadlier than in regular websites. One noticeable example is the Adobe Acrobat Chrome extension, which was silently installed on January 10 by Adobe on an insane number of 30 million devices. A DOM-based XSS vulnerability in the extension (found by Google Project Zero) allowed an attacker to craft content that would run JavaScript as the extension.



In this talk I will show how such a flaw leads to full and permanent control over the victim's browser, turning the extension into a zombie. Additionally, shedding more light on the 2016 attacks on Wix and Facebook described in the beginning, I will demonstrate how an attacker can use similar techniques to distribute her malicious payload efficiently on to new victims through popular social platforms, creating the web's most powerful botnet ever.

Tomer Cohen

Tomer Cohen leads the team at Wix.com responsible for all R&D and production systems security. Prior to that, Tomer worked as an application security expert at several firms. Tomer was also one of the founders of the "Magshimim" cyber training program, which teaches development and cyber security to high-school students in the periphery of Israel.


When Privacy Goes Poof! Why It's Gone and Never Coming Back

Saturday at 12:00 in Track 2

45 minutes | 0025

Richard Thieme a.k.a. neuralcowboy

"Get over it!" as Scott McNealy said, unhelpfully. Only if we understand why it is gone and not coming back do we have a shot at rethinking what privacy means in a new context. Thieme goes deep and wide as he rethinks the place of privacy in the new social/cultural context and challenges contemporary discussions to stop using 20th century frames. Pictures don't fit those frames, including pictures of "ourselves."



We have always known we were cells in a body, but we emphasized "cell-ness". Now we have to emphasize "body-ness" and see ourselves differently. What we see depends on the level of abstraction at which we look. The boundaries we imagine around "identities, psyches, private internal spaces" are violated in both directions, going in and going out, by data that, when aggregated, constitutes "us". We are known by others more deeply in recombination from metadata than we know ourselves. We are not who we think we are.



To understand privacy - even what we mean by "individuals" who want it - requires a contrary opinion. Privacy is honored in lip service, but not in the marketplace, where it is violated every day. To confront the challenges of technological change, we have to know what is happening to "us" so we can re-imagine what we mean by privacy, security, and identity. We can't say what we can't think. We need new language to grasp our own new "human nature" that has been reconstituted from elements like orange juice.



The weakest link in discussions of privacy is the definition of privacy, and the definition of privacy is not what we think. Buddhists call enlightenment a "nightmare in daylight", yet it is enlightenment still, and that kind of clarity is the goal of this presentation.

Richard Thieme a.k.a. neuralcowboy

Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. His column, "Islands in the Clickstream," was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the National Security Agency said after they worked together on ethics and intelligence issues, "The only way you can tell the truth is through fiction," he returned to writing short stories, 19 of which are collected in "Mind G