DEF CON 24 Presentations

DIY Nukeproofing: A New Dig at 'Datamining'

3AlarmLampScooter, Hacker

Does the thought of nuclear war wiping out your data keep you up at night? Don't trust third party data centers? Few grand burning a hole in your pocket and looking for a new Sunday project to keep you occupied through the fall? If you answered yes to at least two out of three of these questions, then 3AlarmLampscooter's talk on extreme pervasive communications is for you! You'll learn everything from calculating radiation half layer values to approximating soil stability involved in excavating your personal apocalypse-proof underground data fortress.

3AlarmLampScooter is an enigmatic armored mammal of the genus homo sapiens sapiens sapiens troglodyte found in caves and tunnels across the southeastern United States. As moderator of the subreddit /r/Neutron, 3AlarmLampscooter's enunciation espouses pervasive communication via excavation to protect from radiation and conflagration. When above-ground, 3AlarmLampscooter is a vocal transhumanism advocate developing 3D printed construction materials.



Reddit: /u/3AlarmLampScooter

The Remote Metamorphic Engine: Detecting, Evading, Attacking the AI and Reverse Engineering

Amro Abdelgawad, Founder, Immuneye

As a matter of fact, it is all about time to reverse engineer the most complex piece of code. Code complexity techniques are usually used just to increase the time and effort needed for reverse engineering. The desired effect of code complexity can be magnified using mechanisms that decrease and narrow the allowed time frame for any reverse engineering attempt to a few milliseconds. Such an approach can be applied using a metamorphic engine that is aware of the time dimension.



Beyond metamorphic applications for AV evasion, in this talk, we will present a novel approach to resist and evade reverse engineering using a remote metamorphic engine that generates diversified morphed machine code of a very short expiration lifetime. Our approach is based on a client-server model using challenge-response communication protocol made of morphed machine code rather than data. We will show how any reverse engineering attempt on such model will be forced to execute or emulate the morphed code. Thus the code will always have an upper hand to detect, evade and attack the reverse engineering environment. Our approach is immune to static code analysis as the functionalities and the communication protocol used are dynamically diversified remotely and do not exist in packed executable files. On the other hand, clock synchronized morphed machine code driven by a remote metamorphic engine would trap dynamic RE attempts in the maze of metamorphism. One that is immune to code tampering and reversing by detecting the non-self.



We will present the fundamental difference between metamorphic and polymorphic techniques used to evade AV compared to the ones that can be used to resist RE. We will show how a remote diversified metamorphic self-modifying code with a very short expiration lifetime can detect, evade, and resist any code analysis, reverse engineering, machine learning and tampering attempts.

Amro Abdelgawad is a security researcher and the founder of Immuneye. He has more than 15 years of experience in software security and reverse engineering. He has experienced both sides of software security: vulnerability research, penetration testing, reverse engineering and exploit development, and the defensive side as a chief security officer for software companies running wide infrastructures. Amro is currently working as a security researcher; his main interests are analyzing malware, vulnerability research and developing artificial software immunity.






MR. ROBOT Panel

Kor Adana, Writer & Technical Supervisor, MR. ROBOT

Dark Tangent Founder, DEF CON

Marc Rogers

Ryan Kazanciyan Chief Security Architect, Tanium

Andre McGregor Director of Security, Tanium

Kim Zetter, Senior Staff Reporter, Wired

MR. ROBOT is a rare treat - a network television show whose hacker protagonist is a fully realized character with a realistically attainable set of skills. No hyper-typing, no gibberish masquerading as tech jargon, no McGuffins to magically paper over plot holes with hacker dust. MR. ROBOT takes the tech as seriously as the drama.



One of the main reasons for this verisimilitude is the work of Kor Adana, MR. ROBOT's advisor on all things hackish. His fingerprints are on every terminal window in the show. Another advisor to the show is our very own CJunky - known to the outside world as hacker and raconteur Marc Rogers. Join Dark Tangent for a panel discussion of MR. ROBOT: the phenomenon, the hacks and the crazy ways the show seems to pull its storylines from the future. Bring your questions, and keep an eye out for late-breaking special guests.

Kor Adana’s interest in technology started as a child when he tried to build a red box to get free calls on pay phones. By the time he was in middle school, he was building his own computer systems and getting into trouble. After obtaining a B.S. in IT Network Administration, Kor went on to work in enterprise network security for one of the world’s largest automakers. He performed penetration testing, designed security policies, managed enterprise-wide eDiscovery, and conducted forensics for legal and HR matters. While there, he also worked alongside NASA in a high-profile government investigation. He eventually left the IT world to pursue his true passion, writing for film and television. He’s worked with the producers of THE WALKING DEAD, THE SHIELD, LOST, and DEXTER. He is currently a writer and technical supervisor for USA's Golden Globe Award-winning drama, MR. ROBOT. He also has one of his own projects in development with Universal Cable Productions.

Ryan Kazanciyan is the Chief Security Architect for Tanium and has thirteen years of experience in incident response and forensics, penetration testing, and security architecture. Prior to joining Tanium, Ryan was a technical director and lead investigator at Mandiant, where he worked with dozens of Fortune 500 organizations impacted by targeted attacks. Ryan has presented security research at dozens of events worldwide, including Black Hat, DEFCON, and RSA. He has led training sessions for hundreds of the FBI's cyber squad agents, and was a contributing author for "Incident Response and Computer Forensics, 3rd Edition", published in 2014.

Andre McGregor is at DEFCON 24 celebrating his one-year anniversary as Tanium’s Director of Security responsible for internal cybersecurity. Prior to joining Tanium, Andre was a fresh-faced new agent with the FBI working cases like the NYC Subway bomber and Times Square car bomb while arresting his share of Italian Organized Crime bosses. His computer engineering background led him to help form FBI New York’s first cyber national security squad focused on computer intrusions from China, Russia, and Iran. Having deployed with NSA Blue Team and DHS US-CERT/ICS-CERT as a technically-trained cyber agent, Andre has led numerous large-scale cyber investigations ranging from financial crimes to critical infrastructure protection. In his free time, when he wasn’t sifting through terabytes of Netflow with SiLK and playing around with Autopsy and IDA, Andre was an FBI firearms instructor, dive team medic, and a volunteer firefighter driving fire trucks. After graduating from Brown University, Andre worked as an engineer at Goldman Sachs and later transitioned to IT Director at Cardinal Health/Advogent. Having shed the badge and gun last year, Andre currently serves as the FBI cyber technical consultant for the TV show Mr. Robot.

Kim Zetter is an award-winning, senior staff reporter at Wired covering cybercrime, privacy, and security. She is writing a book about Stuxnet, a digital weapon that was designed to sabotage Iran's nuclear program.

Dark Tangent & Marc Rogers: Bios to come.

So You Think You Want To Be a Penetration Tester

Anch, Hacker

So, you think you want to be a penetration tester, or you already are and don't understand the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, a Penetration Test and a Vulnerability Assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your teammates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? Well, this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process, talk about planning and performing Red Teams, how they are different, and why they can be super effective, and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between, give you the answers to all of the questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.

Anch currently works on a Red Team for an agency with a 3 letter acronym. It's not secret squirrel or hush-hush; he just doesn't like to talk about himself very much. He has 15 years of experience in penetration testing and cyber security with a background in control systems and security architecture.



Twitter: @boneheadsanon


SITCH - Inexpensive, Coordinated GSM Anomaly Detection

ashmastaflash, Hacker

It's recently become easier and less expensive to create malicious GSM Base Transceiver Station (BTS) devices, capable of intercepting and recording phone and SMS traffic. Detection methods haven't evolved to be as fast and easy to implement. Wireless situational awareness has a number of challenges. Categorically, these challenges are usually classified under Time, Money, or a lot of both. Provisioning sensors takes time, and the fast stuff usually isn’t cheap. Iterative improvements compound the problem when you need to get software updates to multiple devices in the field. I’ll present a prototype platform for GSM anomaly detection (called SITCH) which uses cloud-delivered services to elegantly deploy, manage, and coordinate the information from many independent wireless telemetry sensors (IoT FTW). We’ll talk about options and trade-offs when selecting sensor hardware, securing your sensors, using cloud services for orchestrating firmware, and how to collect and make sense of the data you’ve amassed. Source code for the prototype will be released as well. The target audience for this lecture is the hacker/tinkerer type with strong systems and network experience. A very basic understanding of GSM networks is a plus, but not required.

Ashmastaflash is a native of southeast Tennessee and a recent transplant to San Francisco. He entered the security domain through systems and network engineering, spent a number of years in network security tooling and integration, and currently works in R&D for CloudPassage.


A Journey Through Exploit Mitigation Techniques in iOS

Max Bazaliy, Staff Engineer, Lookout

Over the past year, Apple has consistently added features to prevent exploitation of the iOS kernel. These features, while largely misunderstood, provide a path to understanding the iOS security model going forward. This talk will examine the history of iOS’s exploit mitigations from iOS 8 to iOS 9.3 in order to teach important features of the architecture. This talk will cover various enhancements that stop attackers from dynamically modifying the functionality of system services, but also resulted in the defeat of all known exploitation through function hooking. Additionally, we will explore how the ability to use PLT interception and the use of direct memory overwrite are no longer options for exploit writers because of recent changes. Finally, we will cover the code-signing mechanism in depth, userland and kernel implementations and possible ways to bypass code-sign enforcement.

Max Bazaliy is a security researcher at Lookout. He has over 9 years of experience in the security research space. Max has experience in native code obfuscation, malware detection and iOS exploitation. Before joining Lookout, Max worked in malware research and software protection, most recently at Bluebox Security. Currently he is focused on mobile security research, XNU and LLVM internals. Max holds a Master's degree in Computer Science.



Twitter: @mbazaliy


Phishing without Failure and Frustration

Jay Beale, CTO, InGuardians Inc.

Larry Pesce, Director of Research, InGuardians

You want to phish your company or your client. You’ve never done this for work before, you’ve got a week to do it, and you figure that’s plenty of time. Then someone objects to the pretext at the last minute. Or spam filters block everything. Or you decide to send slowly, to avoid detection, but the third recipient alerts the entire company. Or you can only find 5 target addresses. We’ve all been there on our first professional phishing exercise. What should be as easy as building a two page web site and writing a clever e-mail turns into a massively frustrating exercise with a centi-scaled corpus of captured credentials. In this talk, we’ll tell you how to win at phishing, from start to finish, particularly in hacking Layer 8, the "Politics" layer of the OSI stack that’s part of any professional phishing engagement. We’ll share stories of many of our experiences, which recently included an investigation opened with the US Securities and Exchange Commission (SEC). Finally, we’ll tell you how we stopped feeling frustrated, learned to handle the politics, and produced successful phishing campaigns that hardened organizations at the human layer, and started to screw things up for the bad actors.

Jay Beale has created several security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which have been used throughout industry and government. He has served as an invited speaker, program chair and trainer at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the ‘Stealing the Network’ series. Jay is a founder and the CTO of the information security consulting company InGuardians, where way too many clients’ staff have enthusiastically given him their passwords.



Twitter: @jaybeale

Jay Beale on Facebook



Larry Pesce, the Director of Research at InGuardians, has a long history with hacking that began with the family TV when he was a kid, rebuilding it after it caught on fire. Both times. Later, as a web developer for a university in the early days of the Internet, he managed some of the first layer 3-switched networks in the world. Larry holds a handful of SANS certs, wrote a book or two and co-founded the multiple international award-winning security podcast, "Paul's Security Weekly". When not pursuing these activities, work-related passions have also involved leveraging OSINT for attack surface development.



Outside of work, Larry enjoys long walks on the beach weighed down by his ham radio (DE KB1TNF) and thinking of ways to survive the pending zombie apocalypse.


(Ab)using Smart Cities: The Dark Age of Modern Mobility

Matteo Beccaro, CTO, Opposing Force

Matteo Collura, Electronic Engineering Student, Politecnico di Torino

Over the last few years our world has been getting smarter and smarter. We may ask ourselves: what does smart mean? It is the possibility of building systems which are nodes of a more complex network, digitally connected to the internet and to the final users. Our cities are becoming one of those networks and over time more and more elements are getting connected to that network: from traffic lights to information signs, from traffic and surveillance cameras to transport systems. This last element, also called Smart Mobility, is the subject of our analysis, divided into three sub-elements, each describing a different method of transport in our city:

Private transport: for this method we analyze the smart alternatives aimed at making parking easy, hassle free and more convenient.
Shared transport: we focus our attention on those systems which share transport vehicles. In particular we deal with bike sharing, which seems to be the most widespread system in European cities.
Public transport: the object of our analysis for this section is the bus, metro and tram network.

The aim of our analysis is understanding the ecosystem which each element belongs to and performing a security evaluation of such a system. In this way the most plausible attack and fraud scenarios are pointed out and the presence of proper security measures is checked. All the details discussed here are collected from a sample city, but the same methodology and concept can be applied to most of the smart cities in the world.

Matteo Beccaro is a security researcher, enrolled in Computer Engineering at Politecnico of Turin. He's co-founder and CTO of Opposing Force s.r.l., the first Italian offensive physical security company. Matteo works and researches on network protocols, NFC and EACS security. He's been selected as a speaker at some of the most prestigious international conferences, such as DEF CON 21, 30th Chaos Communication Congress (30C3), BlackHat USA Arsenal 2014, DEF CON 22 SkyTalks, BlackHat Europe 2014, TetCon 2015, DEF CON 23 and ZeroNights 2015. As Chief Technical Officer of Opposing Force, Matteo works on vulnerability research activities and building physical intrusion.



Twitter: @_bughardy_



Matteo Collura is a student of Electronic Engineering at Politecnico di Torino. He has been studying wireless networks and in the last few years he has focused on NFC and Bluetooth. He presented the results of a progressive work of research at several conferences: DEF CON 21 (Las Vegas, 2013), 30C3 (Hamburg, 2013), DEF CON Skytalks (Las Vegas, 2014), BlackHat USA 2014 Arsenal (Las Vegas), DEF CON 23 (Las Vegas, 2015), ZeroNights 2015 (Moscow). He is going to continue his studies with an MSc in Electronic Engineering, Systems and Controls.



Twitter: @eagle1753


Examining the Internet's pollution

Karyn Benson, Graduate Student

Network telescopes are collections of unused but BGP-announced IP addresses. They collect the pollution of the Internet: scanning, misconfigurations, backscatter from DoS attacks, bugs, etc. For example, several historical studies used network telescopes to examine worm outbreaks. In this talk I will discuss phenomena that have recently induced many sources to send traffic to network telescopes. By examining this pollution we find a wealth of security-related data. Specifically, I'll touch on scanning trends, DoS attacks that leverage open DNS resolvers to overwhelm authoritative name servers, BitTorrent index poisoning attacks (which targeted torrents with China in their name), a byte order bug in Qihoo 360 (while updating, this security software sent acknowledgements to wrong IP addresses... for 5 years), and the consequence of an error in Sality's distributed hash table.

Karyn recently defended her PhD in computer science. Prior to starting graduate school she wrote intrusion detection software for the US Army. When not looking at packets, Karb eats tacos, runs marathons, and collects state quarters.


An Introduction to Pinworm: Man in the Middle for your Metadata

bigezy, Hacker

saci, Hacker

What is the root cause of memory and network traffic bloat? Our current research, using tools we previously released (Badger at Black Hat in 2014 and Kobra at BSidesLV 2015), shows a 40 percent increase in outside unique IP traffic destinations and a 400 percent increase in data transmitted towards these destinations. But through the course of the research we found that currently used IRP monitoring tools were lacking and did not produce enough information to forensically investigate the exfiltration of user metadata. Pinworm is a sniffer that shows all IRPs created in the kernel for I/O devices. The IRPs are correlated with the processes that created them and the called driver stack. With network traffic data we are off to the races. Using Pinworm, which we released this week, we will show forensic case studies from cradle to grave of what happens when you do things online in social media sites. Like all of our previously released tools, Pinworm is a framework including server side code you can use to collect and display user metadata inline in browser frames. Does this metadata collection happen in the browser, in userland, or in the kernel? Come to our talk and find out. We will demonstrate the collection of user metadata and collecting this information in a live browser session. Then we will show you how to intercept your personal data before it leaves your computer, keeping your privacy, well, private. BYOTFH (Bring your own tin foil hat).

bigezy has spent his career defending critical infrastructure, hacking it from the inside to keep things from blowing up. Bigezy got his black badge from DEF CON in 2003. Bigezy currently works as a cyber security researcher at a place where these things are done. During the last 25 years, Bigezy has worked at Fortune 500 companies in the electric sector, financial sector, and telecom. He has spoken at numerous conferences worldwide including BSidesLV and the DEF CON Crypto and Privacy Village last year. Bigezy is also the president of Hackito Ergo Sum in Paris, France.

"When you are a one legged boogeyman slash system internals hacker, every kick is a flying kick." - @bigezy_



Twitter: @bigezy



saci takes pride in his disdain for hypocrisy. We are sure you have seen him around in the usual places, and maybe you think you know who he is. But, you will never quite know who he is until you come to the talk.



Twitter: @itsasstime


Jittery MacGyver: Lessons Learned from Building a Bionic Hand out of a Coffee Maker

Evan Booth, Engineer

In May of 2015, it was estimated that a pod-based coffee maker could be found in nearly one in three American homes. Despite the continued popularity of these single-cup coffee conjurers at home as well as in the workplace, it has become clear that these devices are not impervious to mechanical and/or electrical failure. It was this intersection of extremely prevalent hardware and relatively short lifespan that prompted me to begin exploring the upper limits of what could be created by repurposing one of the most popular pod-based machines: the Keurig. In this session, we will walk through some real-world examples of ‘MacGyver’-style creative problem-solving, we'll go hands on (yes, pun intended) with stuff made from repurposed Keurigs, and finally, I'll reflect on lessons learned from looking for potential in things most people deem common and unremarkable.

Evan Booth loves to build stuff out of other stuff; he tends to break things for curiosity's sake. Throughout 2013 and into 2014, in an effort to highlight hypocrisy and "security theater" brought about by the TSA, through a research project called "Terminal Cornucopia," Evan created an arsenal ranging from simple melee weapons to reloadable firearms to remotely-triggered incendiary suitcases—all solely comprised of items that anyone can purchase inside most airport terminals *after* the security checkpoint. Given the right ingredients, a big cardboard box can be a time machine, spaceship, minecart, or a telephone booth that only calls people named "Steve" who live in the future.



Twitter: @evanbooth


Exploiting and Attacking Seismological Networks... Remotely

Bertin Bervis Bonilla, Founder, NETDB.IO

James Jara, Founder & CTO, NETDB.IO

In this presentation we are going to explain and demonstrate, step by step in a real attack scenario, how a remote attacker could elevate privileges in order to remotely take control of a production seismological network located 183 m under the sea. We found several seismographs in production connected to the public internet, providing graphs and data to anyone who connects to the embedded web server running on port 80. The seismographs provide real-time data based on perturbations from the earth and surroundings; we consider this critical infrastructure, and the lack of protection and implementation by the technicians in charge is clear.

We are going to present 3 ways to exploit the seismograph, which is segmented into 3 parts:

Modem (GSM, Wi-Fi, Satellite, GPS, serial COM) {web server running on port 80, ssh daemon}
Sensor (device collecting the data from the ground or ocean bottom)
Battery (1 year lifetime)
Apollo server (MAIN acquisition core server)

These vulnerabilities affect the Modem, which is directly connected to the sensor; a remote connection to the modem is all that you need to compromise the whole seismograph network. After getting the root shell, our goal is to execute a post-exploitation attack. This specific attack corrupts/modifies the whole seismological research data of a country/area in real time. We are going to propose recommendations and best practices on how to deploy a seismological network in order to avoid these nasty attacks.

Bertin Bervis Bonilla is a security researcher focused on offensive security, reverse engineering, and network attacks and defense. Bertin has been a speaker at several security conferences in his country and Latin America, such as OWASP Latin Tour, DragonJAR conference and EKOPARTY. He is the founder of NetDB - The Network Database project, a computer fingerprint/certificate driven search engine. He was formerly a network engineer working for a five-letter US networking company in San Jose, Costa Rica.



Twitter: @bertinjoseb



James Jara is the founder and CTO of NETDB.IO, a search engine for the Internet of Things focused on info-security research. He likes the Bitcoin industry, open source and framework development, and has given various presentations at security conferences like EkoParty. He is interested in machine learning for mobile, Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks. Sport-coder!


All Your Solar Panels are Belong to Me

Fred Bret-Mounet, Hacker

I got myself a new toy: A solar array... With it, a little device by a top tier manufacturer that manages its performance and reports SLAs to the cloud. After spending a little time describing why it tickled me pink, I'll walk you through my research and yes, root is involved! Armed with the results of this pen test, we will cover the vendor's reaction to the bee sting: ostrich strategy, denial, panic, shooting the messenger and more. Finally, not because I know you get it, but because the rest of the world doesn't, we'll cover the actual threats associated with something bound to become part of our critical infrastructure. Yes, in this Shodan world, one could turn off a 1.3 MW solar array, but is that as valuable as using that device to infiltrate a celebrity's home network?

Fred Bret-Mounet's descent into the underworld of security began as a pen tester at @stake. Now, he leads a dual life--info sec leader by day, rogue hacker by night. His life in the shadows and endless curiosity have led to surprising home automation hacks, playing with Particle Photons and trying to emulate Charlie & Chris' car hacking on his I3.



Twitter: @fbret


Introduction to the Witchcraft Compiler Collection: Towards Universal Code Theft

Jonathan Brossard (endrazine), Master of Darkness, MOABI.com

With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former being that it does work. Once we have achieved universal code ‘reuse’ by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.

The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Witchcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24.

Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAfee Endpoint and a fair number of BIOS firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, which the MIT Technology Review labeled "incurable and undetectable".

This year will be his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating in the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade, including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.



Twitter: @endrazine

Facebook: toucansystem

https://moabi.com


Bypassing Captive Portals and Limited Networks

Grant Bugher, Perimeter Grid

Common hotspot software like ChilliSpot and Sputnik allow anyone to set up a restricted WiFi router or Ethernet network with a captive portal, asking for money, advertising, or personal information in exchange for access to the Internet. In this talk I take a look at how these and similar restrictive networks work, how they identify and restrict users, and how with a little preparation we can reach the Internet regardless of what barriers they throw up.

Grant Bugher has been hacking and coding since the early '90s and working professionally in information security for the last 12 years. He is currently a security engineer for a cloud service provider, and has previously been an architect, program manager and software engineer on a variety of online services, developer tools and platforms. Grant is a prior speaker at BlackHat and DEF CON and a regular DEF CON attendee since DEF CON 16. Most of his research and work is on cloud computing and storage platforms, application security, and detecting & investigating attacks against web-scale applications.



Twitter: @fishsupreme

perimetergrid.com


VLAN hopping, ARP Poisoning and Man-In-The-Middle Attacks in Virtualized Environments

Ronny Bull, Assistant Professor of Computer Science, Utica College & Ph.D. Candidate, Clarkson University

Dr. Jeanna N. Matthews, Associate Professor of Computer Science, Clarkson University

Ms. Kaitlin A. Trumbull, Undergraduate CS Research Assistant, Utica College

Cloud service providers offer their customers the ability to deploy virtual machines in a multi-tenant environment. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. At DEF CON 23, we presented how attacks known to be successful on physical switches apply to their virtualized counterparts. Here, we present new results demonstrating successful attacks on more complicated virtual switch configurations such as VLANs. In particular, we demonstrate VLAN hopping, ARP poisoning and Man-in-the-Middle attacks across every major hypervisor platform. We have added more hypervisor environments and virtual switch configurations since our last disclosure, and have included results of attacks originating from the physical network as well as attacks originating in the virtual network.

Mr. Bull is an Assistant Professor of Computer Science at Utica College with a focus in computer networking and cybersecurity. He is also a Computer Science Ph.D. candidate at Clarkson University focusing on Layer 2 network security in virtualized environments. Ronny earned an A.A.S. degree in Computer Networking at Herkimer College in 2006 and completed both a B.S. and M.S. in Computer Science at SUNYIT in 2011. He also co-founded and is one of the primary organizers of the Central New York Intercollegiate Hackathon event, which brings together cybersecurity students from regional colleges to compete against each other in offensive and defensive cybersecurity activities.



Dr. Matthews is an Associate Professor of Computer Science at Clarkson University. Her research interests include virtualization, cloud computing, computer security, computer networks and operating systems. Jeanna received her Ph.D. in Computer Science from the University of California at Berkeley in 1999. She is currently the co-editor of ACM Operating System Review and a member of the Executive Committee of US-ACM, the U.S. Public Policy Committee of ACM. She is a former chair of the ACM Special Interest Group on Operating Systems (SIGOPS). She has written several popular books including Running Xen: A Hands-On Guide to the Art of Virtualization and Computer Networking: Internet Protocols In Action.



Miss Trumbull is an undergraduate student at Utica College working on her bachelor's degree in Computer Science with a concentration in computer and network security. She is also an officer of the Utica College Computer Science club (a.k.a. The UC Compilers). Kaitlin is currently working as an undergraduate research assistant to Professor Bull.

Back to top

Crypto: State of the Law Nate Cardozo Senior Staff Attorney, Electronic Frontier Foundation Strong end-to-end encryption is legal in the United States today, thanks to our victory in what’s come to be known as the Crypto Wars of the 1990s. But in the wake of Paris and San Bernardino, there is increasing pressure from law enforcement and policy makers, both here and abroad, to mandate so-called backdoors in encryption products. In this presentation, I will discuss in brief the history of the first Crypto Wars, and the state of the law coming into 2016. I will then discuss what happened in the fight between Apple and the FBI in San Bernardino and the current proposals to weaken or ban encryption, covering proposed and recently enacted laws in New York, California, Australia, India, and the UK. Finally, I will discuss possible realistic outcomes to the Second Crypto Wars, and give my predictions on what the State of the Law will be at the end of 2016.

Nate Cardozo is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF’s cryptography policy and the Coders’ Rights Project. Nate has projects involving export controls on software, state-sponsored malware, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings.



Twitter: @ncardozo

Back to top

Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers Allan Cecil (dwangoAC) President, North Bay Linux User's Group TASBot is an augmented Nintendo R.O.B. robot that can play video games without any of the button mashing limitations we humans have. By pretending to be a controller connected to a game console, TASBot triggers glitches and exploits weaknesses to execute arbitrary opcodes and rewrite games. This talk will cover how these exploits were found and will explore the idea that breaking video games using Tool-Assisted emulators can be a fun way to learn the basics of discovering security vulnerabilities. After a brief overview of video game emulators and the tools they offer, I'll show a live demo of how the high accuracy of these emulators makes it possible to create a frame-by-frame sequence of button presses accurate enough to produce the same results even on real hardware. After demonstrating beating a game quickly I'll show how the same tools can be used to find exploitable weaknesses in a game's code that can be used to trigger an Arbitrary Code Execution, ultimately treating the combination of buttons being pressed as opcodes. Using this ability, I'll execute a payload that will connect a console directly to the internet and will allow the audience to interact with it. An overview of some of the details that will be described in the talk can be found in an article I coauthored for the PoC||GTFO journal (Pokemon Plays Twitch, page 6).

Allan Cecil (dwangoAC) is the President of the North Bay Linux User's Group. He acts as an ambassador for Tasvideos.org, a website devoted to using emulators to complete video games as quickly as the hardware allows. He participates in Games Done Quick charity speedrunning marathons using TASBot to entertain viewers with never-before-seen glitches in games.
By day, he is a senior engineer at Ciena Corporation working on OpenStack Network Functions Virtualization orchestration and Linux packet performance optimization testing.



Twitter: @MrTASBot

Twitch.TV: dwangoac

YouTube: dwangoac

Back to top

Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity Alex Chapman Principal Researcher, Context Information Security

Paul Stone Principal Researcher, Context Information Security Rogue access points provide attackers with powerful capabilities, but in 2016 modern privacy protections such as HTTPS Everywhere, free TLS certificates and HSTS are de facto standards. Surely our encrypted traffic is now safe on the local coffee shop network? If not, my VPN will definitely protect me... right? In this talk we'll reveal how recent improvements in online security and privacy can be undermined by decades-old design flaws in obscure specifications. These design weaknesses can be exploited to intercept HTTPS URLs and proxy VPN tunneled traffic. We will demonstrate how a rogue access point or local network attacker can use these new techniques to bypass encryption, monitor your search history and take over your online accounts. No logos, no acronyms; this is not a theoretical crypto attack. We will show our techniques working on $30 hardware in under a minute. Online identity? Compromised. OAuth? Forget about it. Cloud file storage? Now we're talking.

Alex Chapman is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability discovery, exploit development, bespoke protocol analysis and reverse engineering. He has been credited in security advisories for a number of major software products for vendors such as Citrix, Google, Mozilla and VMware, and has presented his research at security conferences around the world. He has spent the past several months making things (for a change), poking holes in old technologies, and pointing out security flaws which have no place in modern day software.



Twitter: @noxrnet



Paul Stone is a Principal Security Researcher at Context Information Security in the UK where he performs vulnerability research, reverse engineering, and tool development. He has a focus on browser security and has reported a number of vulnerabilities in the major web browsers including Chrome, Internet Explorer, Firefox, and Safari. He has spoken at a number of Black Hat conferences, presenting the well-received 'Pixel-Perfect Timing Attacks' and 'Next Generation Clickjacking' talks. Paul's recent obsession has been Bluetooth LE and has helped create the RaMBLE Android app for collecting and analyzing BLE data.



Twitter: @pdjstone

Back to top

NG9-1-1: The Next Generation of Emergency Ph0nage CINCVolFLT (Trey Forgety) Director of Government Affairs & IT Ninja, NENA: The 9-1-1 Association

AK3R303 (Alex Kreilein) CTO & Co-Founder, SecureSet For 48 years, 9-1-1 has been /the/ emergency telephone number in the United States. It's also been mired in 48-year-old technology. So let's just put that on the internet, right? What could possibly go wrong? Without the radical segmentation of the PSTN, the move to IP networks (even the private, managed kind) will bring new 9-1-1 capabilities AND new vulnerabilities. This talk builds on the work of quaddi, r3plicant, and Peter Hefley (see "Hacking 911: Adventures in Destruction, Disruption, and Death," DEF CON 22, http://ow.ly/10AvZh). It provides an overview of NG9-1-1 architecture and security concerns, and identifies critical attack surfaces that Public Safety Answering Points need to monitor and secure. Familiarity with NENA's i3 and NG-SEC standards may be helpful, but is not required.

CINCVolFLT (Trey Forgety) is Director of Government Affairs for NENA: The 9-1-1 Association. He previously served as a Presidential Management Fellow in the U.S. Department of Homeland Security's Office of Emergency Communications, with rotations in the Federal Communications Commission's Public Safety and Homeland Security Bureau, and the U.S. Department of Commerce's National Telecommunications and Information Administration. A sometimes-piratical sailor and inveterate tinkerer, CINCVolFLT's recent activities have included work on establishing a backup timing source for telecom networks to ensure service during GPS outages or jamming, and serving as pro bono counsel to QueerCon. He holds a B.S. in Applied Physics and a J.D., both from the University of Tennessee (GO VOLS!).



Twitter: @cincvolflt



AK3R303 (Alex Kreilein) is Managing Partner and CTO of SecureSet, which is a cybersecurity services provider specializing in education and startup acceleration. Previously, AK3R303 was a Technology Strategist with the U.S. Department of Homeland Security and a Guest Researcher at the National Institute of Standards and Technology focusing on public safety and mobile communications network security. He holds a B.A. from Fordham University where he studied nuclear game theory through the political science department in Beijing, China. He holds an M.A. in National Security & Strategic Studies from the US Naval War College, and is an M.S. / Ph.D. candidate at the CU Boulder College of Engineering & Applied Sciences in Telecom Engineering.



Twitter: @ak3r303

Back to top

Machine Duping 101: Pwning Deep Learning Systems Clarence Chio ML Hacker Deep learning and neural networks have gained incredible popularity in recent years. The technology has grown to be the most talked-about and least well-understood branch of machine learning. Aside from its highly publicized victories in playing Go, numerous successful applications of deep learning in image and speech recognition have kickstarted movements to integrate it into critical fields like medical imaging and self-driving cars. In the security field, deep learning has shown good experimental results in malware/anomaly detection, APT protection, spam/phishing detection, and traffic identification. This DEF CON 101 session will guide the audience through the theory and motivations behind deep learning systems. We look at the simplest form of neural networks, then explore how variations such as convolutional neural networks and recurrent neural networks can be used to solve real problems with an unreasonable effectiveness. Then, we demonstrate that most deep learning systems are not designed with security and resiliency in mind, and can be duped by any patient attacker with a good understanding of the system. The efficacy of applications using machine learning should not only be measured with precision and recall, but also by their malleability in an adversarial setting. After diving into popular deep learning software, we show how it can be tampered with to do what you want it to do, while avoiding detection by system administrators.



Besides giving a technical demonstration of deep learning and its inherent shortcomings in an adversarial setting, we will focus on tampering with real systems to show weaknesses in critical systems built with it. In particular, this demo-driven session will be focused on manipulating an image recognition system built with deep learning at the core, and exploring the difficulties in attacking systems in the wild. We will introduce a tool that helps deep learning hackers generate adversarial content for arbitrary machine learning systems, which can help make models more robust. By discussing defensive measures that should be put in place to prevent the class of attacks demonstrated, we hope to address the hype behind deep learning from the context of security, and look towards a more resilient future of the technology where developers can use it safely in critical deployments.

Clarence Chio graduated with a B.S. and M.S. in Computer Science from Stanford, specializing in data mining and artificial intelligence. He currently works as a Security Research Engineer at Shape Security, building a product that protects high-value web assets from automated attacks. At Shape, he works on the data analysis systems used to tackle this problem. Clarence spoke on Machine Learning and Security at PHDays, BSides Las Vegas and NYC, Code Blue, SecTor, and Hack in Paris. He has been a community speaker with Intel, and is also the founder and organizer of the ‘Data Mining for Cyber Security’ meetup group, the largest gathering of security data scientists in the San Francisco Bay Area.



Twitter: @cchio

Back to top

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors Ang Cui PHD, CEO & Chief Scientist, Red Balloon Security

Jatin Kataria Principal Research Scientist, Red Balloon Security

Francois Charbonneau Research Scientist, Red Balloon Security There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implications of this novel attack vector.



We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitor exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna.



Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.

Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled "Embedded System Security: A Software-based Approach", focused exclusively on scientific inquiries concerning the exploitation and defense of embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received various awards for his work on reverse engineering commercial devices and is also the recipient of the Symantec Graduate Fellowship and was selected as a DARPA Riser in 2015.



Jatin Kataria is a Principal Research Scientist at Red Balloon Security. His research focus is on the defense and exploitation of embedded devices. Jatin earned his master’s degree from Columbia University and a bachelor’s degree from Delhi College of Engineering. Previously, he has worked as a System Software Developer at NVIDIA and as an Associate Software Engineer at McAfee.



Francois Charbonneau is an embedded security researcher who spent the better part of his career working for the Canadian government until he got lost and wandered into New York City. He now works as a research scientist for Red Balloon Security where he lives a happy life, trying to make the world a more secure place, one embedded device at a time.

Back to top

Universal Serial aBUSe: Remote Physical Access Attacks Rogan Dawes Researcher, SensePost

Dominic White CTO, SensePost In this talk, we’ll cover some novel USB-level attacks that can provide remote command and control of even air-gapped machines, with a minimal forensic footprint, and release an open-source toolset using freely available hardware. In 2000, Microsoft published its 10 Immutable Laws of Security [1]. One of which was "if a bad guy has unrestricted access to your computer, it's not your computer anymore." This has been robustly demonstrated over the years. Examples include numerous DMA-access attacks against interfaces such as FireWire [2], PCMCIA and Thunderbolt [3] as well as USB-based attacks including simple in-line keyloggers, "evil maid" attacks [4] and malicious firmware [5]. Despite these warnings, groups such as the NSA were still able to use physical access to bypass software controls with toolsets such as COTTONMOUTH [6]. Likewise, criminals have been able to defraud banks with a handful of simple hardware tricks [7]. While some progress has been made to secure some devices against some threats, such as the use of full disk encryption, or the impact of Apple's secure enclave in the physical security of the iPhone [8], most laptops and desktops remain vulnerable to attacks via physical interfaces. In our experience, organisations merely view USB devices as a channel for malware or unsanctioned communications, and rely on protections placed elsewhere in their defensive stack to deal with them, but few deal with the risk the USB interface presents directly. There are many scenarios where gaining physical access to hosts is plausible [9], and having done so can provide access to "chewy" internal networks [10] ripe for lateral movement. While most people are familiar with USB devices, many don't realise the extent to which the USB standard allows seemingly innocuous devices to have multiple personalities.
There has been an extensive amount of research into malicious USB devices, such as TURNIPSCHOOL [15], GoodFET/Facedancer [16], Shikra [17], Rubber Ducky [11], USBdriveby [12] and BadUSB [5]. However, none of these implement an end-to-end attack, either because that was not their intention, they only focus on a part of the attack or the project was never completed. Additionally, existing attacks are predominantly "send only" with no built-in bidirectional communications. They usually rely on the executed payload and the host’s networks for any advanced remote access. Thus, these payloads can leave a significant forensic footprint in the form of network communications and on-host behaviours, and leave them vulnerable to anti-malware controls. Numerous companies are improving toolsets to detect such attacks [13][14]. Lastly, these attacks are often "spray and pray", unable to account for variations in the user's behaviour or computer setup. Our approach is to create a stealthy bi-directional channel between the host and device, with remote connectivity via 3G/Wi-Fi/Bluetooth and offload the complexity to our hardware, leaving a small simple stub to run on the host. This talk will discuss the process of creating a set of malicious USB devices using low cost hardware. The design and toolkit will be released during the talk. Our toolkit provides three significant improvements over existing work. The first is the ability to gain a stealthy bi-directional channel with the host via the device. No traffic is generated on the target network (i.e. it would work against air-gapped hosts). This is done via the use of either a raw HID device or standard USB class printer driver linked to our device, with the stub merely wrapping commands and their output to our device.
The second is the ability to communicate with the device remotely via Wi-Fi/3G/Bluetooth, allowing for updates to the payloads, exfiltration of data, real-time interaction with the host and an ability to debug problems. This also has the advantage that any network controls are bypassed. Finally, the stub running on the host will leave a minimal forensic trail, making detection of the attack, or analysis of it later, difficult. For completeness' sake, a new transport for Metasploit was developed to allow Metasploit payloads to be used instead. Our hope is that the tools will provide a method of demonstrating the risk of physical bypasses of software security without an NSA budget, and encourage defences to be built in this area.

[1] "10 Immutable Laws of Security" https://technet.microsoft.com/library/cc722487.aspx

[2] "Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation" https://web.archive.org/web/20160304055745/http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation

[3] "Thunderstrike 2" https://trmm.net/Thunderstrike_2

[4] "Evil Maid goes after TrueCrypt!" http://theinvisiblethings.blogspot.co.za/2009/10/evil-maid-goes-after-truecrypt.html

[5] "Turning USB peripherals into BadUSB" https://srlabs.de/badusb/

[6] "Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic" http://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/

[7] "How bank hackers stole £1.25 million with a simple piece of computer hardware" https://www.grahamcluley.com/2014/04/bank-hackers-hardware/

[8] "Apple vs FBI" https://www.apple.com/customer-letter/

[9] "Users Really Do Plug in USB Drives They Find" https://zakird.com/papers/usb.pdf

[10] "The Design of a Secure Internet Gateway" http://www.cheswick.com/ches/papers/gateway.pdf

[11] "USB Rubber Ducky Wiki" http://usbrubberducky.com/

[12] "USBDriveBy" http://samy.pl/usbdriveby/

[13] "Cylance, Math vs Malware" https://cdn2.hubspot.net/hubfs/270968/All_Web_Assets/White_Papers/MathvsMalware.pdf

[14] "Carbon Black, Next Generation Endpoint Security" https://www.carbonblack.com/wp-content/uploads/2016/03/2016_cb_wp_next_gen_endpoint_security_small.pdf

[15] "NSA Playset, TURNIPSCHOOL" http://www.nsaplayset.org/turnipschool

[16] "Facedancer2" http://goodfet.sourceforge.net/hardware/facedancer21/

[17] "The Shikra" http://int3.cc/products/the-shikra

Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague’s frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking, and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.



Dominic White is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 12 years. He tweets as @singe.

Back to top

CANSPY: a Framework for Auditing CAN Devices Jonathan-Christofer Demay Airbus Defence and Space

Arnaud Lebrun Airbus Defence and Space In the past few years, several tools have been released allowing hobbyists to connect to CAN buses found in cars. This is welcomed as the CAN protocol is becoming the backbone for embedded computers found in smart cars. Its use is now even spreading outside the car through the OBD-II connector: usage-based policies from insurance companies, air-pollution control from law enforcement or engine diagnostics from smartphones, for instance. Nonetheless, these tools will do no more than what professional tools from automobile manufacturers can do. In fact, they will do less as they do not have knowledge of upper-layer protocols. Security auditors are used to dealing with this kind of situation: they reverse-engineer protocols before implementing them on top of their tool of choice. However, to be efficient at this, they need more than just being able to listen to or interact with what they are auditing. Precisely, they need to be able to intercept communications and block them, forward them or modify them on the fly. This is why, for example, a framework such as Burp Suite is popular when it comes to auditing web applications. In this paper, we present CANSPY, a framework giving security auditors such capabilities when auditing CAN devices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of rules or interactively using Ethernet and a packet manipulation framework such as Scapy.



It is also worth noting that it was designed to be cheap and easy to build as it is mostly made of inexpensive COTS components. Last but not least, we demonstrate its versatility by turning around a security issue usually considered when it comes to cars: instead of auditing an electronic control unit (ECU) through the OBD-II connector, we are going to partially emulate ECUs in order to audit a device that connects to this very connector.

Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering.



Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.

Back to top

Auditing 6LoWPAN Networks using Standard Penetration Testing Tools Jonathan-Christofer Demay Airbus Defence and Space

Adam Reziouk

Arnaud Lebrun The Internet of Things is expected to be involved in the near future in all major aspects of our modern society. On that front, we argue that 6LoWPAN is a protocol that will be a dominant player as it is the only IoT-capable protocol that brings a full IP stack to the smallest devices. As evidence of this, we can highlight the fact that even the latest ZigBee Smart Energy standard is based on ZigBee IP which itself relies on 6LoWPAN, a competitor of the initial ZigBee protocol. Efficient IP-based penetration testing tools have been available to security auditors for years now. However, it is not that easy to use them in the context of a 6LoWPAN network since you need to be able to join it first. In fact, the difficult part is to associate with the underlying IEEE 802.15.4 infrastructure.



Indeed, this standard has already had two iterations since its release in 2003 and it provides several possibilities regarding network topology, data transfer model and security suite. Unfortunately, there is no off-the-shelf component that provides such a wide range of capabilities out of the box. Worse still, some of them deviate from the standard and can only communicate with components from the same manufacturer. In this paper, we present the ARSEN project: Advanced Routing for 6LoWPAN and Ethernet Networks. It provides security auditors with two new tools.



First, a radio scanner capable of identifying IEEE 802.15.4 infrastructures and for each one of them their specificities, including several deviations from the standard that we encountered in actual security audits.



Secondly, a border router capable of routing IPv6 datagrams between Ethernet and 6LoWPAN networks while adapting to the specificities identified by the scanner. As a result, the combination of both effectively allows security auditors to use available IP-based penetration testing tools on different 6LoWPAN networks.

Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering.



Adam Reziouk is an electronics and automation engineer currently working on wireless communications and industrial network security at AIRBUS Defence and Space. He holds a master's degree in electrical and electronic engineering and has been conducting vulnerability research activities on programmable logic controllers, connected devices and smart grids.



Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.

Back to top

DEF CON 101 Panel Mike Petruzzi (wiseacre)

Ryan Clark (LosT)

CrYpT

HighWiz

Jay

Nikita Kronenberg DEF CON has changed for the better since the days at the Alexis Park. It has evolved from a few speaking tracks to an event that still offers the speakers, but also Villages, where you can get hands-on experience, and Demo Labs, where you can see tools in action. Of course, there is still the Entertainment and Contest Area, as well as Capture The Flag. There is so much more to DEF CON than there was in the past and it is our goal to help you get the best experience possible. In addition to introducing each of the different aspects and areas of DEF CON, we have a panel of speakers that will talk about how they came to be part of DEF CON and their personal experiences over the years. Oh yeah, there is the time honored "Name the Noob", lots of laughs and maybe even some prizes. Plus, stay for the after party. Seriously, there is an after party. How awesome is that?

Mike Petruzzi (wiseacre) started at DEF CON participating in the Capture the Flag contest. Determined to do better the next year, he participated again. This time the format was 36 hours straight. He realized he was missing out on everything else that was happening at DEF CON. From then on he made a point to participate in as much as he could. Of course, within the limits of social anxiety, so if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all. Mike would like to thank Highwiz for everything.

Ryan "LosT" Clarke has been involved with DEF CON for 16 years. In addition to his role on the CFP board, LosT serves as DEF CON's official Cryptographer and Puzzle Master. He is best known for his early LosT @ CON Mystery Challenges designed to force creative thinking, and also introduced him to his amazing wife! Now he is responsible for designing the badges and lanyards for DEF CON, in addition to torturing a subculture of enthusiastic crypto fans with his ever-so-subtle clues and red herring rabbit holes in his yearly Badge challenge. LosT enjoys learning as much as he can about as much as he can. He can usually be found around CON in the 1o57 room, mostly encouraging and sometimes distracting a ragged band of sleep-deprived attendees who are racing to complete the challenge.

CrYpT first attended DEF CON at DC10 as CrAzE, where he made the common mistake of staying on the sidelines and not actively participating in all DEF CON had to offer. The experience was tough for him and he did not return for many years. He tried again at DC17, but this time he made the decision to start putting himself out there. After a marked improvement in the quality of his experience, he was determined to make each year better than the last. At DC20 he received the handle CrYpT from Y3t1 and met some people who would remain his closest friends to this day (looking at you Clutch). Now he leads the awesome, hard-working Inhuman Registration team in their quest to badge all the people. He's a member of the CFP Review Board and Security Tribe. In an effort to help welcome all the new faces at DEF CON, he is returning for his second year to the DC 101 panel. He encourages people to reach out and ask questions so they can get the most bang for their badge.

Born of glitter and moon beams, HighWiz is the things that dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people* he set about to create an event that would give the n00bs of Def Con a place to feel welcomed and further their own pursuit of knowledge. For years he has held onto the simple tenet that "You get out of Def Con what you put into it". Sometimes HighWiz can be a bit much to swallow and hard to take. HighWiz is a member of the CFP Review Board and Security Tribe.

*Some (but not all) of the people HighWiz would like to thank for helping to make 101 into what it is today: Runnerup, Wiseacre, Nikita, Roamer, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Beaker, AlxRogan, Jenn, Zant, GM1, Clutch, TheDarkTangent, Siviak, Ripshy, Valkyrie, Xodia, Flipper and all the members of Security Tribe.

After taking a year off from the 101 Panel, HighWiz is honored to once again be participating in it, as it marks its eighth year.

Jay Korpi is not of the traditional hacker world; CrYpT invited him to DEF CON 6 years ago, and as a surgical first assist, he decided it was not of any interest to him. CrYpT insisted every year until finally three years ago CrYpT told him "there are people there smarter than you..." Jay couldn't believe it and had to see it for himself. His first year, it was obvious there were MANY people smarter than he was. Once he met some amazing people who were both inviting and generous, Jay vowed to get involved with DEF CON somehow so he could provide the same experience to others. He found his opportunity last year when he joined the Inhuman Registration team and was invited to share his experiences on the DC 101 panel. He attributes these opportunities to his willingness to put himself out there and meet as many people as possible from his very first CON.

Nikita Kronenberg

Nikita works to ensure DEF CON runs as smoothly as one can expect from a hacker conference. In addition to planning a vast array of details prior to DEF CON and thwarting issues while onsite, she also serves as the Director of Call For Papers and Workshops. In this role she systematically processes hundreds of submissions, organizes the CFP Board, and manages the entire CFP process from beginning to end. While no one relishes the job of rejecting submissions, Nikita strives to make the experience more positive with personal feedback and alternative speaking opportunities. Once talks have been selected, she weaves the final list into a comprehensive four day schedule over multiple speaking tracks. She serves as a primary point-of-contact for speakers leading up to DEF CON and acts as a liaison between speakers, press, and social media content organizers. Beyond the CFP, Nikita also works full-time on various behind-the-scenes administration and project management for DEF CON. As a DEF CON goon for the past 13 years, her superpowers involve putting out fires before they spark and juggling a multitude of tasks while balancing on an over-inflated ball.

- rkut nefr ldbj gtjd bjws oayh qtmf york uykr fqwx awtr kumf giwk nxtw -

Twitter: @Niki7a


pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle

Brad Dixon, Hacker

Security assessments of embedded and IoT devices often begin with testing how an attacker could recover firmware from the device. When developers have done their job well you'll find JTAG locked-up, non-responsive serial ports, locked-down uboot, and perhaps even a home-brewed secure-boot solution. In this session you'll learn details of a useful hardware/software penetration technique to attempt when you've run out of easier options. We've used this technique on two commercial device security assessments successfully and have refined the technique on a series of test devices in the lab. This session will cover the prerequisites for successful application of the technique and give you helpful hints to help your hack! Best of all this technique, while a bit risky to the hardware, is easy to try and doesn't require specialized equipment or hardware modification. We are going to take pieces of metal and stab them at the heart of the hardware and see what happens. For the hardware/firmware developer you'll get a checklist that you can use to reduce your vulnerability to this sort of attack.

Brad Dixon once told his parents that if they gave him a Commodore 64 it would be the last computer he'd ever want. He never got that Commodore 64. Nevertheless Brad managed to become a computer nerd at a young age. Brad studied Computer Engineering at Georgia Tech and jumped into embedded software engineering. He worked for many years helping developers to design embedded Linux into telecom, network, and mobile products. Brad also took a turn as a product manager for embedded development tools and a mobile location analytics product. At Carve Systems he hacks IoT, embedded, and Linux systems.


Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter Delta Zero (John Seymour) Data Scientist, ZeroFOX

KingPhish3r (Philip Tully) Senior Data Scientist, ZeroFOX

Historically, machine learning for information security has prioritized defense: think intrusion detection systems, malware classification and botnet traffic identification. Offense can benefit from data just as well. Social networks, especially Twitter with its access to extensive personal data, bot-friendly API, colloquial syntax and prevalence of shortened links, are the perfect venues for spreading machine-generated malicious content. We present a recurrent neural network that learns to tweet phishing posts targeting specific users. The model is trained using spear phishing pen-testing data, and in order to make a click-through more likely, it is dynamically seeded with topics extracted from timeline posts of both the target and the users they retweet or follow. We augment the model with clustering to identify high value targets based on their level of social engagement such as their number of followers and retweets, and measure success using click-rates of IP-tracked links. Taken together, these techniques enable the world's first automated end-to-end spear phishing campaign generator for Twitter.

John Seymour is a Data Scientist at ZeroFOX, Inc. by day, and Ph.D. student at University of Maryland, Baltimore County by night. He researches the intersection of machine learning and InfoSec in both roles. He's mostly interested in avoiding and helping others avoid some of the major pitfalls in machine learning, especially in dataset preparation (seriously, do people still use malware datasets from 1998?). He has spoken at both DEF CON and BSides, and aims to add BlackHat USA and SecTor to the list in the near future.



Twitter: @_delta_zero



Philip Tully is a Senior Data Scientist at ZeroFOX, a social media security company based in Baltimore. He employs natural language processing and computer vision techniques in order to develop predictive models for combating threats emanating from social media. His pivot into the realm of infosec is recent, but his experience in machine learning and artificial neural networks is not. Rather than learning patterns within text and image data, his previous work focused on learning patterns of spikes in large-scale recurrently connected neural circuit models. He is an all-but-defended computer science PhD student, in the final stages of completing a joint degree at the Royal Institute of Technology (KTH) and the University of Edinburgh.



Twitter: @phtully


Stumping the Mobile Chipset

Adam Donenfeld Senior Security Researcher, Check Point

Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape. However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80% of the chipsets in the Android ecosystem, has almost as much effect on Android’s security as Google. With this in mind, we decided to examine Qualcomm’s code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple different subsystems that Qualcomm introduces into all its Android devices. In this presentation we will review not only the privilege escalation vulnerabilities we found, but also demonstrate and present a detailed exploitation, overcoming all the existing mitigations in Android’s Linux kernel to run kernel-code, elevating privileges and thus gaining root privileges and completely bypassing SELinux.

Adam Donenfeld is a lead mobile security researcher at Check Point with vast experience in the mobile research field. From a young age he has been hacking and reverse engineering for fun and profit. Prior to Check Point Adam served in an Israeli elite intelligence unit, as a security researcher. In his free time, Adam studies German.


Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game Joshua Drake VP of Platform Research and Exploitation, Zimperium

Steve Christey Coley Principal INFOSEC Engineer, MITRE

If you’re interested in vulnerability research for fun or profit, or if you’re a beginner and you’re not sure how to progress, it can be difficult to sift through the firehose of technical information that’s out there. Plus there are all sorts of non-technical things that established researchers seem to just know. There are many different things to learn, but nobody really talks about the different paths you can take on your journey. We will provide an overview of key concepts in vulnerability research, then cover where you can go to learn more - and what to look for. We’ll suggest ways for you to choose what you analyze and provide tools and techniques you might want to use. We’ll discuss different disclosure models (only briefly, we promise!), talk about the different kinds of responses to expect from vendors, and give some advice on how to write useful advisories and how to go about publishing them. Then, we’ll finish up by covering some of the ‘mindset’ of vulnerability research, including skills and personality traits that contribute to success, the different stages of growth that many researchers follow, and the different feelings (yes, FEELINGS) that researchers can face along the way. Our end goal is to help you improve your chances of career success, so you can get a sense of where you are, where you want to go, and what you might want to do to get there. We will not dig too deeply into technical details, and we’d go so far as to say that some kinds of vulnerability research do not require deep knowledge anyway. Vulnerability research isn’t for everyone, but after this talk, maybe you’ll have a better sense of whether it’s right for you, and what to expect going forward.

Joshua J. Drake is the VP of Platform Research and Exploitation at Zimperium Enterprise Mobile Security and lead author of the Android Hacker's Handbook. Joshua focuses on original research such as reverse engineering and the analysis, discovery, and exploitation of security vulnerabilities. He has over 10 years of experience researching and exploiting a wide range of application and operating system software with a focus on Android since early 2012. In prior roles, he served at Accuvant Labs, Rapid7's Metasploit, and VeriSign's iDefense Labs. Joshua previously spoke at Black Hat, DEF CON, RSA, CanSecWest, REcon, Ruxcon/Breakpoint, Toorcon, and DerbyCon. Other notable accomplishments include: helping spur mobile ecosystem change in 2015, exploiting Oracle's JVM at Pwn2Own 2013, exploiting the Android browser via NFC with Georg Wicherski at Black Hat USA 2012, and winning DEF CON 18 CTF with ACME Pharm in 2010.



Twitter: @jduck



Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting FDA CDRH on medical device cyber security. Steve was co-creator and Editor of the CVE list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for CWE, the Common Weakness Scoring System (CWSS), and the CWE/SANS Top 25 Most Dangerous Software Errors. He was a co-author of the influential ‘Responsible Vulnerability Disclosure Process’ IETF draft with Chris Wysopal in 2002. He was an active contributor to other community-oriented efforts such as CVSS, CVRF, and NIST's Static Analysis Tool Exposition (SATE). His interests include adapting traditional IT security methodologies to new areas, software assurance, improving vulnerability information exchange, and making the cybersecurity profession more inclusive for anybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.



Twitter: @sushidude


Sk3wlDbg: Emulating All (well many) of the Things with Ida

Chris Eagle sk3wl 0f fucking r00t

It is not uncommon that a software reverse engineer finds themselves desiring to execute a bit of code they are studying in order to better understand that code or alternatively to have that code perform some bit of useful work related to the reverse engineering task at hand. This generally requires access to an execution environment capable of supporting the machine code being studied, both at an architectural level (CPU type) and a packaging level (file container type). Unfortunately, this is not always a simple matter. The majority of analysts do not have a full complement of hosts available to support a wide variety of architectures, and virtualization opportunities for non-Intel platforms are limited. In this talk we will discuss a lightweight emulator framework for the IDA Pro disassembler that is based on the Unicorn emulation engine. The goal of the project is to provide an embedded multi-architectural emulation capability to complement IDA Pro's multi-architectural disassembly capability to enhance the versatility of one of the most common reverse engineering tools in use today.

Chris Eagle is a registered hex offender. He has been taking software apart since he first learned to put it together over 35 years ago. His research interests include computer network operations, malware analysis and reverse/anti-reverse engineering techniques. He is the author of The IDA Pro Book and has published a number of well-known IDA plug-ins. He is also a co-author of Gray Hat Hacking. He has spoken at numerous conferences including Black Hat, DEF CON, Shmoocon, and ToorCon. Chris also organized and led the Sk3wl of r00t to two DEF CON Capture the Flag championships and produced that competition for four years as part of the DDTEK organization.



Twitter: @sk3wl


Eavesdropping on the Machines Tim ‘t0rch’ Estell Solution Architect, BAE Systems

Katea Murray Cyber Researcher, Leidos

After the Rise of the Machines they'll need to communicate. And we'll need to listen in. The problem is that proprietary protocols are hard to break. If Wireshark barfs then we're done. Or can we listen in, break their Robot Overlord messages and spill it all to the meat-space rebels? Attend this talk to learn techniques for taking network data, identifying unknown protocols, and breaking them down to something you can exploit. Rebels unite!

Tim Estell has been a hacker since learning how to mod a TRS-80 game in the ‘80s. Since then he’s reversed protocols, leveraged hardware, and managed teams for many concepts of operation. He remains convinced machines will never exceed meat space innovation and so welcomes our new Robot Overlords, if only because their cause is lost. Rebels unite!



Katea Murray is a programmer who turned to hacking in the early 00’s. She’s reversed and co-opted many tools and toys consumers touch, from old-school boat anchors to the latest mobile devices. Along the way she’s pulled recruits to the rebel cause through internships, outreach, and high energy. When she’s not watching sports she’s hacking as a sport. Game on!


I Fight For The Users, Episode I - Attacks Against Top Consumer Products Zack Fasel Managing Partner, Urbane

Erin Jacobs Managing Partner, Urbane

This is not just another "I found a problem in a single IOT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.

Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused vendor-neutral information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services.



Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at UrbaneSecurity.com.



Leading the charge of Urbane’s Compliance and Enterprise Risk Management divisions, Erin brings her years of executive level experience coupled with deep and diverse technical knowledge to help organizations accurately prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OSX reversing, diversity in tech, and IOT. More information on Erin can be found by following @SecBarbie on twitter.



Twitter: @UrbaneSec @zfasel @SecBarbie


101 Ways to Brick your Hardware Joe FitzPatrick SecuringHardware.com

Joe Grand (Kingpin) Grand Idea Studio

Spend some time hacking hardware and you'll eventually render a piece of equipment unusable either by accident or intentionally. Between us, we've got decades of bricking experience that we'd like to share. We'll document the most common ways of temporarily or permanently damaging your hardware and ways to recover, if possible. We'll also talk about tips on how to avoid bricking your projects in the first place. If you're getting into hardware hacking and worried about messing something up, our stories will hopefully prevent you from experiencing the same horrors we did. If you're worried about an uprising of intelligent machines, the techniques discussed will help you disable their functionality and keep them down.

Joe FitzPatrick is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, hardware penetration testing, and hardware security training. In between training and bricking hardware, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects.



Twitter: @securelyfitz



Joe Grand also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio.



Twitter: @joegrand


Breaking the Internet of Vibrating Things : What We Learned Reverse Engineering Bluetooth- and Internet-Enabled Adult Toys follower Hacker

goldfisk Hacker

The Internet of Things is filled with vulnerabilities, would you expect the Internet of Vibrating Things to be any different? As teledildonics come into the mainstream, human sexual pleasure has become connected with the concerns of privacy and security already familiar to those who previously only wanted to turn on their lights, rather than their lover. Do you care if someone else knows if you or your lover is wearing a remote control vibrator? Do you care if the manufacturer is tracking your activity, sexual health and to whom you give control? How do you really know who is making you squirm with pleasure? And what happens when your government decides your sex toy is an aid to political dissidents? Because there’s nothing more sexy than reverse engineering we looked into one product (the We-Vibe 4 Plus from the innocuously named "Standard Innovation Corporation") to get answers for you.



Attend our talk to learn the unexpected political and legal implications of internet connected sex toys and, perhaps more importantly, how you can explore and gain more control over the intimate devices in your life. Learn the reverse engineering approach we took--suitable for both first timers and the more experienced--to analyze a product that integrates a Bluetooth LE/Smart wireless hardware device, mobile app and server-side functionality. More parts means more attack surfaces! Alongside the talk, we are releasing the "Weevil" suite of tools to enable you to simulate and control We-Vibe compatible vibrators. We invite you to bring your knowledge of mobile app exploits, wireless communication hijacking (you already hacked your electronic skateboard last year, right?) and back-end server vulnerabilities to the party. It’s time for you to get to play with your toys more privately and creatively than before.



Please note: This talk contains content related to human sexuality but does not contain sexually explicit material. The presenters endorse the DEF CON Code of Conduct and human decency in relation to matters of consent--attendees are welcome in the audience if they do the same. Keep the good vibes. :)

follower talks with computers and humans. Six years after first speaking at DEF CON about vulnerabilities in the Internet of Things, the fad hasn’t blown over, so follower is back doing it again. An interest in code and hardware has led to Arduino networking and USB projects and teaching others how to get started with Arduino. Tim O'Reilly once called follower a ‘troublemaker’ for his Google Maps reverse engineering.



Twitter: @rancidbacon



goldfisk spins fire by night and catches up with computer science lectures, also by night. And wishes headphone cables would stop getting caught on stuff. An interest in reverse engineering can be blamed on a childhood playing with electronics and re-implementing browser games in Scratch.



Twitter: @g0ldfisk


Direct Memory Attack the Kernel

Ulf Frisk Penetration Tester

Inexpensive universal DMA attacking is the new reality of today! In this talk I will explore and demonstrate how it is possible to take total control of operating system kernels by DMA code injection. Once control of the kernel has been gained I will execute code and dump gigabytes of memory in seconds. Full disk encryption will be defeated, authentication will be bypassed and shells will be spawned. This will all be made possible using a $100 piece of hardware together with the easy to use modular PCILeech toolkit - which will be published as open source after this talk.

Ulf Frisk is a penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security solutions, penetration testing and IT security audits during daytime and low-level coding during nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer.



Twitter: @UlfFrisk



GitHub: github.com/ufrisk


Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities Brian Gorenc Senior Manager, Trend Micro Zero Day Initiative

Fritz Sands Security Researcher, Trend Micro Zero Day Initiative

Over the last year, synchronized and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware, like BlackEnergy, is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation. This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors along with a comparison of the SCADA industry to the rest of the software industry. Finally, using the data presented, additional guidance will be provided to SCADA researchers along with a prediction on what we expect next in attacks that leverage SCADA HMI vulnerabilities.

Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.



Twitter: @thezdi, @maliciousinput



Fritz Sands is a security researcher with Trend Micro's Zero Day Initiative. In this role, he analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. Fritz also focuses on writing tools to perform static and dynamic analysis for discovering vulnerabilities. Prior to joining the ZDI in 2014, Sands was in Microsoft's Trustworthy Computing and Secure Windows Initiative operations where he audited Windows code and developed dynamic analysis tools, and before that he was a system developer for multiple iterations of Microsoft Windows.



Twitter: @FritzSands

www.zerodayinitiative.com


BSODomizer HD: A Mischievous FPGA and HDMI Platform for the (M)asses Joe Grand (Kingpin) Grand Idea Studio

Zoz Hacker

At DEF CON 16 in 2008, we released the original BSODomizer (www.bsodomizer.com), an open source VGA pranking tool and introductory hacking platform for the multicore Propeller micro-controller. Hours of productivity were replaced with rage and frustration as unwitting computer users were confronted with fake Blue Screens of Death and revolting ASCII art. But, the world has changed. The machines have risen in capability. HDMI is the graphical transmission protocol of choice and hacking with micro-controllers is standard issue. The as-seen-on-HDTV duo of Joe Grand and Zoz return with the next generation of mischievous hardware, a device that supplants or captures any inline HDMI signal in a discreet, pentest-worthy package. BSODomizer HD is an FPGA-based system that not only improves on the graphics interception and triggering features of its predecessor, but can now capture screenshots of a target system and also provides a fully open design that you can use for your own experiments into the mystical world of massive, customizable arrays of digital logic. We'll guide you through the process of going from lamer zero to hacker hero with FPGAs, while savagely fucking with a few unfortunate friends along the way!

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio.

Twitter: @joegrand

Zoz is a robotics engineer, prankster, and renaissance hacker. Other than BSODs, things he enjoys faking include meteorite impacts, crop circles, and alien crash landings.


Slouching Towards Utopia: The State of the Internet Dream

Jennifer S. Granick Director of Civil Liberties, Stanford Center for Internet and Society

Is the Internet going to live up to its promise as the greatest force for individual freedom that the world has ever known? Or is the hope for a global community of creative intellectual interaction lost…for now?



In last year’s Black Hat keynote—entitled "Lifecycle of a Revolution"—noted privacy and civil liberties advocate Jennifer Granick told the story of the Internet utopians, people who believed that Internet technology could greatly enhance creative and intellectual freedom. Granick argued that this Dream of Internet Freedom was dying, choked off by market and government forces of centralization, regulation, and globalization. The speech was extremely popular. Almost 8000 people watched it at Black Hat. It was retweeted, watched and read by tens of thousands of people. Boing Boing called it "the speech that won Black Hat (and DEF CON )."



This year, Granick revisits the state of the Internet Dream. This year’s crypto war developments in the U.S. and U.K. show governments’ efforts to control the design of technologies to ensure surveillance. The developments also show that governments see app stores as a choke point for regulation and control, something that couldn’t easily happen with general purpose computers and laptops but which could be quite effective in a world where most people access the network with mobile devices.



Also in the past year, the European Court of Justice embraced blocking orders and ISP liability in the name of stopping copyright infringement, privacy violations, and unflattering comments from ever being published online. The effect of these developments is to force Internet companies to be global censors on the side of online civility against the free flow of information and opinion. If we want to realize some of the promise of the Internet utopian vision, we are going to have to make some hard political choices and redesign communications technology accordingly. The future could look a lot like TV, or we could work to ensure our technology enshrines individual liberties. This talk will help attendees join that effort.

In 1995, Jennifer Granick attended her first DEF CON at the Tropicana Hotel. Since then, she has defended hackers and coders in computer crime, copyright, DMCA and other cases. Jennifer left her criminal law practice in 2001 to help start the Stanford Center for Internet and Society (CIS). From 2001 to 2007, Jennifer was Executive Director of CIS and taught Cyberlaw, Computer Crime Law, Internet intermediary liability, and Internet law and policy. From 2008 to 2010, Jennifer worked with the boutique firm of Zwillgen PLLC and as Civil Liberties Director at the Electronic Frontier Foundation. Today, Jennifer has returned to CIS as Director of Civil Liberties. She teaches, practices, speaks, and writes about computer crime and security, electronic surveillance, technology, privacy, and civil liberties. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of Florida.



Twitter: @granick

Medium

Center for Internet and Society

Just Security


Escaping The Sandbox By Not Breaking It Marco Grassi KEENLAB of Tencent

Qidan He KEENLAB of Tencent

The main topic of this technical talk will be "sandboxes" and how to escape them. One of the main components of modern operating system security is the sandbox implementation. Android, for example, in recent versions added SELinux to its existing sandbox mechanism, to add an additional layer of security. OS X also recently added System Integrity Protection as a ‘system level’ sandbox, in addition to the regular sandbox, which is ‘per-process’.



All modern OSes focus on defense in depth, so both attackers and defenders must know these mechanisms, whether to bypass them or to make them more secure. We will focus on Android and iOS/OSX to show the audience the implementations of the sandbox in these operating systems and the attack surface from within interesting sandboxes, like the browser or application sandbox.



Then we will discuss how to attack them and escape from our restricted context to further compromise the system, showcasing vulnerabilities. We 