Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Defcon 27 JSON Schedule
# the issue is that website.txt is not in chronological or track order!
import os
import re
import json
os.system("lynx -dump https://defcon.org/html/defcon-27/dc-27-speakers.html >\
schedule.txt")
with open('schedule.txt',encoding='cp1252') as f:
content = f.readlines()
Talks = []
Talk = []
for line in content:
if "Back to top" in line:
Talks.append("\n".join(Talk))
Talk = []
elif len(Talk) == 0 and line == "\n":
continue
else:
Talk.append(line)
talks = []
Day = re.compile("(Thurs|Fri|Satur|Sun)day at (\d*:\d*)( - \d*:\d*)? in (.*)\n")
for Talk in Talks:
match = Day.search(Talk)
talk = {
"Title": None,
"Day": None,
"Time": None,
"Location": None,
"Description": Talk
}
if match is None:
continue
else:
talk["Title"] = Talk[:Talk.find("\n")]
talk["Day"] = match.group(1) + "day"
talk["Time"] = match.group(2)
talk["Location"] = match.group(4)
talks.append(talk)
output = json.dumps(talks, indent=4, separators=(',', ': '))
with open('schedule.json', 'w') as f:
f.write(output)
[
{
"Title": "Want Strong Isolation? Just Reset Your Processor",
"Day": "Sunday",
"Time": "13:00",
"Location": "Track 4",
"Description": "Want Strong Isolation? Just Reset Your Processor\n\n\n\n Sunday at 13:00 in Track 4\n\n 45 minutes | Demo, Tool\n\n\n\nAnish Athalye PhD student at MIT\n\n\n\n Today's systems sandbox code through traditional techniques: memory\n\n protection and user-kernel mode. Even high-security devices like\n\n hardware cryptocurrency wallets use such an architecture.\n\n Unfortunately, this arrangement has a history of security bugs due to\n\n misconfigured protection hardware, bugs in kernel code, hardware bugs,\n\n and side channels.\n\n This talk proposes a new approach to isolation for devices like crypto\n\n wallets: separate the user and kernel onto two CPUs and multiplex\n\n processes by completely resetting the user processor between tasks so\n\n that there is no leakage.\n\n Processor reset is more complicated than might be expected. Simply\n\n asserting the reset line isn't enough to clear all CPU-internal state,\n\n but it turns out that software can be used to clear this state.\n\n However, reasoning about the correctness of such code is challenging.\n\n This talk presents a tool that can be used to develop and formally\n\n verify the correctness of reset code for a given CPU implementation.\n\n This talk also walks through a design of a wallet based on this\n\n reset-based isolation technique, discusses known security\n\n vulnerabilities in current designs such as the Ledger and Trezor\n\n wallets (including bugs in MPU misconfiguration, system calls, and\n\n drivers), and explores how a reset-based design could prevent such\n\n vulnerabilities.\n\n\n\n Anish Athalye\n\n Anish is a PhD student at MIT working on systems, security, and formal\n\n verification. He is currently interested in making hardware wallets\n\n more secure. In his free time, he enjoys bending neural networks to his\n\n will: among other exploits, he has mastered the art of transfiguration\n\n (as far as computers are concerned), exemplified by turning a turtle\n\n into a rifle.\n\n Twitter: @anishathalye\n\n Websites: anish.io (academic), anishathalye.com(blog)\n\n\n"
},
{
"Title": "HackPac: Hacking Pointer Authentication in iOS User Space",
"Day": "Friday",
"Time": "13:00",
"Location": "Track 1",
"Description": "HackPac: Hacking Pointer Authentication in iOS User Space\n\n\n\n Friday at 13:00 in Track 1\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nXiaolong Bai\n\n\n\nMin (Spark) Zheng\n\n\n\n Pointer Authentication (in short, PAuth) is the latest security\n\n mechanism in iOS. It is proposed to protect the integrity of pointers\n\n with hardware-assisted encryption, thus eliminating the threats of\n\n code-reuse attacks. In PAuth, a cryptographic signature called PAC is\n\n calculated from a pointer value and inserted into the pointer. When the\n\n pointer is about to be used, the PAC is extracted and verified whether\n\n it is consistent with the original pointer value. In this way, PAuth is\n\n able to ensure that the pointers are not tampered. iOS deployed PAuth\n\n in user-space system services, protecting pointers that may affect the\n\n control flow and preventing code-reuse attacks like ROP and JOP.\n\n However, in our study, we found that a fatal flaw in the implementation\n\n of iOS PAuth makes user-space system services till vulnerable to\n\n code-reuse attacks. The flaw is: iOS uses the same signing key in\n\n different user-space processes. This flaw allows a signed pointer from\n\n a malicious process can be correctly verified in a system service, thus\n\n making it possible to launch JOP. In this talk, we will explain how we\n\n found the flaw and why it is inevitable. In advance, we will\n\n demonstrate how to leverage this flaw and launch JOP attacks in a\n\n PAuth-protected system service. Also, we will propose a new tool,\n\n PAC-gadget, to automatically find JOP gadgets in PAuth-protected\n\n binaries.\n\n\n\n Xiaolong Bai\n\n Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer\n\n in Alibaba Orion Security Lab. Before joining Alibaba, he received his\n\n Ph.D. degree in Tsinghua University. He has published several research\n\n papers on top conferences including IEEE S&P, Usenix Security, CCS,\n\n NDSS, and presented his research in Black Hat, DEF CON, HITB,\n\n CanSecWest, etc. He has been acknowledged by famous vendors, including\n\n Apple, Google, Facebook, Evernote, and Tencent for his contribution in\n\n discovering the vulnerabilities in their systems and improving the\n\n security of their products. He is a member of the OverSky team for\n\n private jailbreaking development.\n\n Twitter: @bxl1989\n\n Website: https://xiaolongbai.weebly.com/\n\n Github: https://github.com/bxl1989/\n\n\n\n Min (Spark) Zheng\n\n Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a\n\n security expert in Alibaba Orion Security Lab. He received his Ph.D.\n\n degree in the CSE department of the CUHK. His research focuses on\n\n malware analysis, smartphone (Android & iOS) security, system design\n\n and implementation. Before receiving Alibaba A-Star offer award in\n\n 2015, he worked in FireEye, Baidu and Tencent. He was the champion of\n\n GeekPwn 2014 and AliCTF 2015. He won the \"best security researcher\"\n\n award in FIT 2016 for detecting the iOS/macOS vulnerabilities,\n\n XcodeGhost virus and WormHole RCE vulnerability. He is a member of the\n\n OverSky team for private jailbreaking development. He presented his\n\n research in DEF CON, HITB, BlackHat, RUXCON, etc.\n\n Twitter: @SparkZheng\n\n\n"
},
{
"Title": "Help Me, Vulnerabilities. You're My Only Hope",
"Day": "Sunday",
"Time": "12:00",
"Location": "Track 4",
"Description": "Help Me, Vulnerabilities. You're My Only Hope\n\n\n\n Sunday at 12:00 in Track 4\n\n 45 minutes | Tool, Exploit\n\n\n\nJacob Baines Research Engineer, Tenable\n\n\n\n MikroTik routers keep getting owned. They've been exploited by advanced\n\n threats like VPNFilter, Slingshot APT, and Trickbot. They've been\n\n compromised by coin miners, botnets, and who knows what else. With each\n\n new campaign the security industry publishes new indicators of\n\n compromise and everyone moves on.\n\n However, MikroTik administrators operate in a sandbox. They have very\n\n limited access to the router's underlying file system and almost no\n\n ability to directly interact with the Linux operating system. Due to\n\n these limitations, file hashes cannot answer the fundamental question\n\n that is asked again and again on the MikroTik forums, \"Have I been\n\n compromised?\"\n\n It's time the users had their question answered. In this talk, I'll\n\n present three vulnerabilities that can help MikroTik administrators\n\n break out of the sandbox. I'll show how to use these vulnerabilities to\n\n help determine if the router has been compromised.\n\n\n\n Jacob Baines\n\n Jacob is the founding member of Tenable's Zero Day Research group. He\n\n focuses much of his research efforts on routers and other IoT devices.\n\n Sometimes he even finds vulnerabilities.\n\n Twitter: @junior_baines\n\n\n"
},
{
"Title": "Hacking WebAssembly Games with Binary Instrumentation",
"Day": "Sunday",
"Time": "10:00",
"Location": "Track 3",
"Description": "Hacking WebAssembly Games with Binary Instrumentation\n\n\n\n Sunday at 10:00 in Track 3\n\n 45 minutes | Demo, Tool\n\n\n\nJack Baker\n\n\n\n WebAssembly is the newest way to play video games in your web browser.\n\n Both Unity3d and Unreal Engine now support WebAssembly, meaning the\n\n amount of WebAssembly games available is growing rapidly. Unfortunately\n\n the WebAssembly specification is missing some features game hackers\n\n might otherwise rely on. In this talk I will demonstrate adapting a\n\n number of game hacking techniques to WebAssembly while dealing with the\n\n limitations of the specification.\n\n For reverse engineers, I will show how to build and inject your own\n\n \"watchpoints\" for debugging WebAssembly binaries and how to insert\n\n symbols into a stripped binary.\n\n For game hackers, I will show how to use binary instrumentation to\n\n implement some old-school game hacking tricks and show off some new\n\n ones.\n\n I will be releasing two tools: a binary instrumentation library built\n\n for modifying WebAssembly binaries in the browser, and a browser\n\n extension that implements common game hacking methods a la Cheat\n\n Engine.\n\n\n\n Jack Baker\n\n Jack Baker is a professional vulnerability researcher and amateur video\n\n game hacker. His primary areas of expertise include web application\n\n security, embedded reverse engineering, and Tony Hawk's Pro Skater 3.\n\n Github: https://github.com/Qwokka\n\n\n"
},
{
"Title": "The ABC of Next-Gen Shellcoding",
"Day": "Sunday",
"Time": "11:00",
"Location": "Track 1",
"Description": "The ABC of Next-Gen Shellcoding\n\n\n\n Sunday at 11:00 in Track 1\n\n 45 minutes | Demo, Tool\n\n\n\nHadrien Barral Hacker\n\n\n\nR\u00e9mi G\u00e9raud-Stewart Hacker\n\n\n\nGeorges-Axel Jaloyan PhD Student at ENS\n\n\n\n Shellcodes are short executable stubs that are used in various attack\n\n scenarios, whenever code execution is possible. After briefly recalling\n\n how they work in general and what interesting things they can do,\n\n besides obviously running a reverse-shell, we'll have to deal with the\n\n reality that shellcodes are usually not particularly stealthy, due in\n\n part to the very suspicious presence of non-printable characters. In a\n\n tutorial-like fashion, we'll address increasingly more complex\n\n constraints. As a reward, we reveal new methods for writing in\n\n particular alphanumeric shellcodes and attacking platforms for which\n\n (to the best of our knowledge) no such shellcode was previously known.\n\n Don't know anything about constrained shellcodes? Do not worry: we'll\n\n start from the ground up. Black-belt in shellcoding? We have you\n\n covered, stay until the end were we'll get our hands dirty!\n\n\n\n Hadrien Barral\n\n Hadrien Barral is an R&D engineer, focusing on Operating Systems,\n\n Security and High-Assurance software. In his spare time, he enjoys\n\n hacking on various and obscure systems.\n\n\n\n R\u00e9mi G\u00e9raud-Stewart\n\n R\u00e9mi G\u00e9raud-Stewart is a cryptologist and security expert with Ecole\n\n normale superieure in Paris, focusing on intrusion and cyberwarfare.\n\n\n\n Georges-Axel Jaloyan\n\n Georges-Axel Jaloyan is a PhD student at Ecole normale sup\u00e9rieure in\n\n Paris focusing on formal methods applied to reverse-engineering, in\n\n collaboration with the French Alternative Energies and Atomic Energy\n\n Commission (CEA).\n\n\n"
},
{
"Title": "Are Quantum Computers Really A Threat To Cryptography? A Practical Overview",
"Day": "Thursday",
"Time": "12:00",
"Location": "DC101, Paris Theatre",
"Description": "Are Quantum Computers Really A Threat To Cryptography? A Practical Overview\n\nOf Current State-Of-The-Art Techniques With Some Interesting Surprises\n\n\n\n Thursday at 12:00 in DC101, Paris Theatre\n\n 45 minutes | Demo\n\n\n\nAndreas Baumhof Vice President Quantum Technologies, QuintessenceLabs Inc.\n\n\n\n Shor's Algorithm for factoring integer numbers is the big threat to\n\n cryptography (RSA/ECC) as it reduces the complexity from exponential to\n\n polynomial, which means a Quantum Computer can reduce the time to crack\n\n RSA-2048 to a mere 10 seconds. However current noisy NISQ type quantum\n\n computers are very limited to something like 16 bit RSA keys. And the\n\n quality of the current qubits is so bad that error-correction comes at\n\n a massive cost of at least 100 times the amount of qubits.\n\n While the world is pre-occupied whether we have universal quantum\n\n computers big enough for Shor's algorithm, Quantum Annealing is\n\n stealing the show with having factored a 20-bit number just in January\n\n this year using 97 qubits. And these qubits are actually good enough to\n\n factor bigger numbers. If we assume a linear scalability, we'd \"only\"\n\n need around 10,000 qubits to factor a 2048bit RSA key. D-Wave announced\n\n a quantum computer with 5,640 qubits, so that puts it within reach\n\n soon.\n\n So, could Quantum Annealing be more of a threat to cryptography than\n\n Shor's algorithm on universal quantum computers? How do these\n\n algorithms work? How do they achieve a polynomial complexity to what\n\n traditional computers need exponential time? What impact will this have\n\n on the competition from NIST for the design of\n\n post-quantum-cryptography algorithms?\n\n\n\n Andreas Baumhof\n\n Andreas Baumhof is Vice President Quantum Technologies at Quintessence\n\n Labs. He is responsible for all developments relating to Quantum\n\n Technologies such as Quantum Random Number Generator, Quantum Key\n\n Distribution or Quantum Computing in general. Before this role, Andreas\n\n was CTO for ThreatMetrix Inc, the global leader in digital identities,\n\n where he was responsible for software engineering. He helped lead the\n\n company to a very successful exit and a 830m USD acquisition by Lexis\n\n Nexis/RELX. Andreas holds a mathematics degree from the University of\n\n Munich. In his spare time he enjoys mountain biking, snowboarding and\n\n spending time with his family.\n\n Twitter: @abaumhof\n\n LinkedIn: https://www.linkedin.com/in/abaumhof/\n\n\n"
},
{
"Title": "Backdooring Hardware Devices By Injecting Malicious Payloads On",
"Day": "Sunday",
"Time": "10:00",
"Location": "Track 1",
"Description": "Backdooring Hardware Devices By Injecting Malicious Payloads On\n\nMicrocontrollers\n\n\n\n Sunday at 10:00 in Track 1\n\n 45 minutes | Demo, Tool\n\n\n\nSheila Ayelen Berta Security Researcher\n\n\n\n Is targeting microcontrollers worth the effort? Nowadays, they are\n\n responsible for controlling a wide range of interesting systems, e.g.,\n\n physical security systems, car's ECUs, semaphores, elevators, sensors,\n\n critical components of industrial systems, some home appliances and\n\n even robots.\n\n In this talk, it will be explained how microcontrollers can be\n\n backdoored too. After a quick review of basic knowledge about uC, we\n\n will dive into three different approaches to achieve payload injection,\n\n from basic to advanced techniques. The first method consists on\n\n locating the entry point of the firmware and inject our payload there,\n\n this is an easy way to execute it at least once. As a second -and more\n\n complex- technique, we will backdoor the EUSART communication injecting\n\n a malicious payload at the code routine of that hardware peripheral; we\n\n will be able to get the right memory address by inspecting the GIE,\n\n PEIE and polling process at the uC interrupt vector. Finally, the third\n\n technique allow us to take control of the microcontroller's program\n\n flow by manipulating the stack writing memory addresses at the TOS;\n\n with this we can execute a payload made with instructions already\n\n written in the original program, performing it just like a ROP-chain\n\n technique.\n\n\n\n Sheila Ayelen Berta\n\n Sheila Ayelen Berta is an Information Security Specialist and\n\n Developer, who started at 12 years-old by herself. At the age of 15,\n\n she wrote her first book about Web Hacking, published by RedUSERS\n\n Editorial in several countries. Over the years, Sheila has discovered\n\n lots of vulnerabilities in popular web applications and softwares. She\n\n also has given courses of Hacking Techniques in universities and\n\n private institutes in Argentina. Sheila currently works as Security\n\n Researcher who specializes in offensive techniques, reverse engineering\n\n and exploit writing. She is also a developer in ASM (microcontrollers\n\n and microprocessors x86/x64), C/C++, Golang and Python. Sheila is an\n\n international speaker who has spoken at important security conferences\n\n such as Black Hat Briefings, DEF CON 26, DEF CON 25 CHV, HITB,\n\n HackInParis, Ekoparty, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and\n\n others.\n\n Twitter: @UnaPibaGeek\n\n\n"
},
{
"Title": "Behind the Scenes: The Industry of Social Media Manipulation Driven by",
"Day": "Friday",
"Time": "10:00",
"Location": "Track 3",
"Description": "Behind the Scenes: The Industry of Social Media Manipulation Driven by\n\nMalware\n\n\n\n Friday at 10:00 in Track 3\n\n 45 minutes\n\n\n\nOlivier Bilodeau Cybersecurity Research Lead at GoSecure\n\n\n\nMasarah Paquet-Clouston Cybersecurity Researcher at GoSecure\n\n\n\n This talk is the grand finale of a four-year long investigation that\n\n started with analyzing an IoT botnet, to discovering the structured\n\n industry that exists behind social media manipulation (SMM). SMM is the\n\n deliberate act of paying for popularity with followers or activity on\n\n social media.\n\n Adopting a bottom-up approach, the thorough methodology undertook to\n\n study the botnet will be presented: from building honeypots, infecting\n\n them with malware and conducting a man-in-the-middle-attack on the\n\n honeypots' traffic to access the decrypted HTTPS content between the\n\n C&Cs and social networks. Then, the various investigative paths taken\n\n to analyze this large data set, leading to the discovery of industry\n\n actors involved in the supply chain of social media manipulation, will\n\n be presented. These investigative paths include traffic analysis,\n\n various OSINT approaches to reveal and understand actors,\n\n reverse-engineering the software that automates the use and creation of\n\n fake accounts, forum investigations, and qualitative profiling. All\n\n actors involved in the industry will be mapped, from malware authors,\n\n to reseller panels, and customers of fake popularity.\n\n The potential profitability of the industry will then be discussed, as\n\n well as the revenue division in the chain, demonstrating that the ones\n\n making the highest revenue per fake follower sold are not the malware\n\n authors, but rather those at the end of the chain.\n\n\n\n Olivier Bilodeau\n\n Olivier Bilodeau is leading the Cybersecurity Research team at\n\n GoSecure. With more than 10 years of infosec experience, he enjoys\n\n attracting malware in honeypots, writing tools for malware research,\n\n reverse-engineering all-the-things and vulnerability research.\n\n Passionate communicator, Olivier has spoken at several conferences like\n\n BlackHat Europe, DefCcon, Botconf, SecTor, Derbycon, HackFest and many\n\n more. Invested in his community, he co-organizes Montr\u00e9Hack, a monthly\n\n workshop focused on applied information security, and NorthSec,\n\n Montreal's community conference and Capture-The-Flag.\n\n Twitter: @obilodeau\n\n Website: https://gosecure.net/blog/\n\n\n\n Masarah Paquet-Clouston\n\n Masarah Paquet-Clouston is a security researcher at GoSecure, a PhD\n\n student at Simon Fraser University in criminology and one of Canada's\n\n decorated 150 scientific innovators. With her background in economics\n\n and criminology, she specializes in the study of markets behind illicit\n\n online activities. She published in several peer-reviewed journals,\n\n such as Social Networks, Global Crime and the International Journal for\n\n the Study of Drug Policy, and presented at various international\n\n conferences including Virus Bulletin, Black Hat Europe, Botconf and the\n\n American Society of Criminology.\n\n Twitter: @masarahclouston\n\n Website: https://gosecure.net/blog/\n\n\n"
},
{
"Title": ".NET Malware Threats: Internals And Reversing",
"Day": "Saturday",
"Time": "15:00",
"Location": "Track 4",
"Description": ".NET Malware Threats: Internals And Reversing\n\n\n\n Saturday at 15:00 in Track 4\n\n 45 minutes\n\n\n\nAlexandre Borges Security Researcher at Blackstorm Security\n\n\n\n .NET malware is well-known by security analysts, but even existing many\n\n tools such as dnSpy,.NET Reflector, de4dot and so on to make the\n\n analysis easier, most professionals have used them as a black box tool,\n\n without concerning to .NET internals, structures, MSIL coding and\n\n details. In critical cases, it is necessary have enough knowledge about\n\n internal mechanisms and to debug these .NET threats using WinDbg.\n\n Unfortunately, .NET malware samples have become very challenger because\n\n it is so complicated to deobfuscated associated resources, as unpacking\n\n and dumping them from memory. Furthermore, most GUI debugging tools\n\n does an inside view of mechanisms such as CRL Loader, Managed Heap,\n\n Synchronization issues and Garbage Collection.\n\n In the other side, .NET malware threats are incredibly interesting when\n\n analyzed from the MSIL instruction code, which allows to see code\n\n injections using .MSIL and attempts to compromise .NET Runtime keep\n\n being a real concern.\n\n The purpose of this presentation is to help professionals to understand\n\n .NET malware threats and techniques by explaining concepts about .NET\n\n internals, mechanisms and few reversing techniques.\n\n\n\n Alexandre Borges\n\n Alexandre Borges is a Security Researcher, who has been daily working\n\n on Reverse Engineering and Digital Forensic Analysis for many years. He\n\n has taught training courses about Malware and Memory Analysis, Digital\n\n Forensics Analysis and Mobile Forensics around the world. Furthermore,\n\n Alexandre is the creator and maintener of Malwoverview triage tool:\n\n https://github.com/alexandreborges/malwoverview.\n\n Alexandre has spoken in several conferences such as DEF CON USA (2018),\n\n DEF CON CHINA (2019), CONFidence Conference 2019, HITB 2019 Amsterdam,\n\n H2HC Conference (2015/2016), BSIDES Sao Paulo (2019/2018/2017/2016) and\n\n BHACK Conference (2018).\n\n Finally, it is a referee of Digital Investigation:The International\n\n Journal of Digital Forensics & Incident Response\n\n (https://www.journals.elsevier.com/digital-investigation/editorial-boar\n\n d)\n\n Twitter: @ale_sp_brazil\n\n LinkedIn: http://www.linkedin.com/in/aleborges\n\n Website: http://www.blackstormsecurity.com/bs/en/en_articles.html,\n\n Tool: https://github.com/alexandreborges/malwoverview\n\n\n"
},
{
"Title": "The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to",
"Day": "Friday",
"Time": "16:00",
"Location": "Track 4",
"Description": "The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to\n\nDo If ROP Is Too Easy\n\n\n\n Friday at 16:00 in Track 4\n\n 20 minutes | Demo, Tool\n\n\n\nDr. Bramwell Brizendine Assistant Professor of Computer and Cyber Sciences,\n\nDakota State University\n\n\n\nDr. Joshua Stroschien Assistant Professor of Cyber Security/Network &\n\nSecurity Administration, Dakota State University\n\n\n\n Return-oriented Programming (ROP) has been the predominate code-reuse\n\n attack for over a decade, but there are other options. Many mitigations\n\n can detect ROP due to heuristics, but these fail to detect\n\n Jump-oriented Programming (JOP). The JOP ROCKET is a reverse\n\n engineering framework dedicated to facilitating JOP exploits. It allows\n\n hackers to discover JOP gadgets. This includes dispatcher gadget's,\n\n which helps to subvert and direct the control flow, and functional\n\n gadgets, our primitives. This tool provides numerous options to give\n\n hackers flexibility on how to find gadgets, to narrow and expand\n\n possibilities. Additionally, the tool uses opcode-splitting to discover\n\n many unintended gadgets. All gadgets are classified based on operation\n\n as well as registers used and affected. Thus, hackers could easily\n\n obtain the desired functional gadgets, such as MOV EBX, [VALUE], using\n\n simple language commands. Because of JOP's much more complex set up,\n\n the tool provides this classification, so time isn't wasted hunting\n\n through results.\n\n JOP is rarely done in the wild. Part of that complexity is in set up,\n\n but another part is the lack of dedicated tools. Having to find JOP\n\n gadgets manually could be time-consuming and require expertise. JOP\n\n ROCKET simplifies that, allowing the JOP gadgets to be found quickly\n\n and easily.\n\n This talk will give brief content on ROP, and then it introduces JOP\n\n and its history. Then we will dive into JOP ROCKET, discussing its\n\n features, how to use it to find JOP gadgets, and how to set up your own\n\n JOP exploit. We will then demo the tool.\n\n\n\n Dr. Bramwell Brizendine\n\n Dr. Bramwell Brizendine graduated with a Ph.D. in Cyber Operations in\n\n May, 2019. He holds master's degrees in Computer Science and\n\n Information Assurance. Bramwell is a professor at Dakota State\n\n University where he teaches topics such as reverse engineering,\n\n software exploitation, and malware analysis. Bramwell is the creator of\n\n the the JOP ROCKET, or the Jump-oriented Programming Reversing Open\n\n Cyber Knowledge Expert Tool. Bramwell has been interested in code-reuse\n\n attacks for several years. Bramwell was overcome by the urge to present\n\n a tool that made JOP more practical and useful for hackers who may wish\n\n to attempt using this more arcane class of code-reuse attacks. The JOP\n\n ROCKET is a by product of his doctoral dissertation.\n\n\n\n Dr. Joshua Stroschien\n\n Dr. Josh Stroschien is a professor at Dakota State University. Dr. Josh\n\n Stroschein teaches undergraduate and graduate courses in cyber security\n\n with a focus on malware analysis, reverse engineering and software\n\n exploitation. His research interests include malware analysis and\n\n software exploitation. Outside of DSU, you can find Josh providing\n\n training at such venues as DerbyCon, Hack-In-The-Box and ToorCon.\n\n Website: https://0xevilc0de.com\n\n\n"
},
{
"Title": "How Deep Learning Is Revolutionizing Side-Channel Cryptanalysis",
"Day": "Friday",
"Time": "14:00",
"Location": "Track 3",
"Description": "How Deep Learning Is Revolutionizing Side-Channel Cryptanalysis\n\n\n\n Friday at 14:00 in Track 3\n\n 45 minutes | Demo, Tool\n\n\n\nElie Bursztein Google\n\n\n\nJean Michel Picod Google\n\n\n\n This talk explores how AI is revolutionizing hardware side-channel\n\n attacks and what this new wave of attacks mean for the future of\n\n hardware cryptography. Based on the lessons learned while successfully\n\n attacking many hardware AES implementations using deep-learning this\n\n talk discuss why those attacks are fundamentally more efficient and\n\n details how to conduct then in practice.\n\n\n\n Elie Bursztein\n\n Elie Bursztein leads Google' security & anti-abuse research team. He\n\n has authored over fifty research papers in the field for which he was\n\n awarded 6 best papers awards and multiple industry distinctions\n\n including the Black Hat pwnie award. Born in Paris, he received a Ph.D\n\n from ENS-cachan in 2008 before working at Stanford University and\n\n ultimately joining Google in 2011.\n\n Twitter @elie\n\n Website: https://elie.net\n\n\n\n Jean Michel Picod\n\n Jean-Michel Picod is currently working at Google Switzerland. He holds\n\n an engineering degree in computer systems, networks and security. He\n\n has contributed on several open source projects (GoodFET, pynids, etc.)\n\n and published several open source tools such as DPAPIck, OWADE,\n\n scapy-radio, forensic scripts,\n\n Twitter: @jmichel_p\n\n Website: https://www.j-michel.org/\n\n\n"
},
{
"Title": "SDR Against Smart TVs: URL and Channel Injection Attacks",
"Day": "Sunday",
"Time": "11:00",
"Location": "Track 2",
"Description": "SDR Against Smart TVs: URL and Channel Injection Attacks\n\n\n\n Sunday at 11:00 in Track 2\n\n 45 minutes | Demo, Tool\n\n\n\nPedro Cabrera Camara Founder, Ethon Shield\n\n\n\n Software-defined-radio has revolutionized the state of the art in IoT\n\n security and especially one of the most widespread devices: Smart TV.\n\n This presentation will show in detail the HbbTV platform of Smart TV,\n\n to understand and demonstrate two attacks on these televisions using\n\n low cost SDR devices: TV channel and HbbTV server impersonation\n\n (channel and URL injection). This last attack will allow more\n\n sophisticated remote attacks: social engineering, keylogging,\n\n crypto-mining, and browser vulnerability assessment.\n\n\n\n Pedro Cabrera Camara\n\n Industrial and Electronics Engineer, Pedro is an enthusiast of Software\n\n Defined Radio and UAVs, which has worked for 12 years in the main\n\n Spanish telecommunications operators, conducting security audits and\n\n pentesting in mobile and fixed networks. In addition to working with\n\n telecommunications operators, Pedro leads open source projects such as\n\n intrusion detection systems for GSM, UMTS and LTE networks, which has\n\n led him to study the various fake stations attacks and existing\n\n solutions. In recent years he has participated in security events in\n\n the United States (RSA, CyberSpectrum, DEF CON DemoLabs), Asia\n\n (BlackHat Trainings) and Europe (Rootedcon, Euskalhack, AlligatorCON)\n\n Twitter: @PcabreraCamara\n\n Website: http://www.fakebts.com\n\n\n"
},
{
"Title": "Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming",
"Day": "Saturday",
"Time": "12:00",
"Location": "Track 2",
"Description": "Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming\n\n\n\n Saturday at 12:00 in Track 2\n\n 45 minutes | Demo, Tool\n\n\n\nDamien Cauquil (virtualabs) Senior Security Researcher @ Econocom\n\nDigital.Security\n\n\n\n Bluetooth Low energy version 5 has been published in late 2016, but we\n\n still have no sniffer supporting this specific version (and not that\n\n much compatible devices as well). The problem is this new version\n\n introduces a new channel hopping algorithm that renders previous\n\n sniffing tools useless as devices can no longer be attacked and\n\n connections analyzed. This new algorithm is based on a brand new\n\n pseudo-random number generator (PRNG) to provide better collision\n\n avoidance while kicking out all of our good old sniffing tools.\n\n Unless some random hacker manages to break this not-that-strong PRNG\n\n and upgrades his BLE sniffing tool to support this algorithm ;). In\n\n this talk, we will explain why this PRNG is vulnerable and how it can\n\n be easily defeated to sniff and jam communications between two BLE 5\n\n devices. A new version of BtleJack will be released during this talk,\n\n providing an efficient way to sniff BLE 5 connections to our fellow IoT\n\n hacker family.\n\n\n\n Damien Cauquil (virtualabs)\n\n Damien is a senior security researcher who joined Digital Security in\n\n 2015 as the head of research and development. He discovered how\n\n wireless protocols can be fun to hack and quickly developed BtleJuice,\n\n one of the first Bluetooth Low Energy MitM framework, and BtleJack, a\n\n BLE swiss-army knife released in 2018.\n\n Damien presented at various security conferences including DEF CON,\n\n Hack In Paris, Chaos Communication Camp, Chaos Communication Congress,\n\n BruCon, Hack.lu, anda dozen times at Nuit du Hack, one of the oldest\n\n French hacking conference.\n\n Twitter: @virtualabs\n\n\n"
},
{
"Title": "Malproxying: Leave Your Malware at Home",
"Day": "Sunday",
"Time": "12:00",
"Location": "Track 2",
"Description": "Malproxying: Leave Your Malware at Home\n\n\n\n Sunday at 12:00 in Track 2\n\n 45 minutes | Demo, Tool\n\n\n\nHila Cohen Security Researcher, XM Cyber\n\n\n\nAmit Waisel Senior Technical Leader, XM Cyber\n\n\n\n During a classic cyber attack, one of the major offensive goals is to\n\n execute code remotely on valuable machines. The purpose of that code\n\n varies on the spectrum from information extraction to physical damage.\n\n As defenders, our goal is to detect and eliminate any malicious code\n\n activity, while hackers continuously find ways to bypass the most\n\n advanced detection mechanisms. It's an endless cat-and-mouse game where\n\n new mitigations and features are continuously added to the endpoint\n\n protection solutions and even the OS itself in order to protect the\n\n users against newly discovered attack techniques. In this talk, we\n\n present a new approach for malicious code to bypass most of endpoint\n\n protection measures. Our approach covertly proxies the malicious code\n\n operations over the network, never deploying the actual malicious code\n\n on the victim side. We are going to execute code on an endpoint,\n\n without really storing the code on disk or loading it to memory. This\n\n technique potentially allows attackers to run malicious code on remote\n\n victims, in such a way that the code is undetected by the victim's\n\n security solutions. We denote this technique as \"malproxying\".\n\n\n\n Hila Cohen\n\n Hila Cohen is a passionate Security Researcher at XM Cyber, where she\n\n investigates new attack techniques and develops detection and\n\n mitigation capabilities. Hila has a vast knowledge in the fields of\n\n malware analysis, reverse engineering and incident response.\n\n\n\n Amit Waisel\n\n Amit Waisel is a Senior Technical Leader at XM Cyber. He is a seasoned\n\n data security expert with vast experience in cyber offensive projects.\n\n Prior to XM Cyber, Amit filled multiple data security positions in the\n\n Israeli intelligence community. Amit is well experienced with malware\n\n detection and analysis techniques, operating system internals and\n\n security-oriented software development. He graduated with honors from\n\n Tel Aviv University with a MSc. in Computer Science.\n\n\n"
},
{
"Title": "Contests Awards Ceremony",
"Day": "Sunday",
"Time": "14:00",
"Location": "Track 4",
"Description": "Contests Awards Ceremony\n\n\n\n Sunday at 14:00 in Track 4\n\n 90 minutes\n\n\n\nContests & Events Goons\n\n\n\n You've seen the Contests, you've played in a Contest, you've won a\n\n Contest and may have lost a Contest! Whatever the outcome was, come\n\n join as as we celebrate the winners and contestants of our DEF CON 27\n\n Contests! DEF CON 27 Contests and Events Closing Ceremonies will be\n\n August 11th at 14:00 in Track 4. Black Badge winning Contests will\n\n still be honored at the main DEF CON 27 Closing Ceremonies on August\n\n 11th at 16:00 in the Paris Ballroom!\n\n\n"
},
{
"Title": "Closing Ceremonies",
"Day": "Sunday",
"Time": "16:00",
"Location": "Paris Ballroom",
"Description": "Closing Ceremonies\n\n\n\n Sunday at 16:00 in Paris Ballroom\n\n 120 minutes\n\n\n\nThe Dark Tangent & Goons\n\n\n\n DEF CON 27 draws to a close. Prizes awarded, Black Badge winners\n\n announced, thanks given, future plans revealed.\n\n\n"
},
{
"Title": "How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the",
"Day": "Saturday",
"Time": "12:00",
"Location": "Track 1",
"Description": "How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the\n\nBlack Market\n\n\n\n Saturday at 12:00 in Track 1\n\n 45 minutes\n\n\n\nJoseph Cox Senior Staff Writer, Motherboard\n\n\n\n Major US telecommunications companies AT&T, T-Mobile, and Sprint have\n\n been quietly selling access to their customers' real-time location\n\n data, including cell tower information as well as highly precise GPS\n\n data. Through a complex network of dodgy data aggregators and middlemen\n\n companies, this data access eventually trickled down to a slew of\n\n different industries, used car salesman, landlords, and hundreds of\n\n bounty hunters, likely without your knowledge or informed consent. In\n\n this talk, based on leaked documents, sources, and first hand\n\n experience, Joseph will explain how this data industry works, the\n\n players involved, and also how the data access is available on the\n\n black market, where it can be used in any way an attacker fancies:\n\n Joseph paid a source $300 to successfully locate a phone in New York.\n\n\n\n Joseph Cox\n\n Joseph is an investigative reporter for Motherboard, the science and\n\n technology section of VICE. He covers cybersecurity, the digital\n\n underground, and social media platforms.\n\n Twitter: @josephfcox\n\n\n"
},
{
"Title": "Practical Key Search Attacks Against Modern Symmetric Ciphers",
"Day": "Friday",
"Time": "14:00",
"Location": "Track 4",
"Description": "Practical Key Search Attacks Against Modern Symmetric Ciphers\n\n\n\n Friday at 14:00 in Track 4\n\n 45 minutes | Demo\n\n\n\nDaniel \"ufurnace\" Crowley Research Baron, X-Force Red\n\n\n\nDaniel Pagan Student, Georgia Tech\n\n\n\n In theory, brute force key recovery attacks against modern ciphers like\n\n AES should be impractical with the current state of computer hardware.\n\n It's often said that recovering an AES key should take longer than the\n\n remainder of the life of the sun. However, this assumes that keys are\n\n chosen properly, and that there is no way to determine whether a key is\n\n the correct one after a candidate key is used to decrypt a captured\n\n ciphertext.\n\n In practice, these conditions do not always hold. In much the same way\n\n that hash functions are impossible to reverse but hash cracking is\n\n still a practical attack, in the real world it is often possible to\n\n perform practical key search attacks. In this talk, we will discuss the\n\n common mistakes and common conditions that allow for practical brute\n\n force recovery of keys for modern block ciphers such as AES. We will\n\n also discuss optimizations to speed up key search efforts, and present\n\n our FOSS tool, which implements our approach.\n\n\n\n Daniel \"ufurnace\" Crowley\n\n Daniel Crowley is the head of research and a penetration tester for\n\n X-Force Red. Daniel denies all allegations regarding unicorn smuggling\n\n and questions your character for even suggesting it. Daniel is the\n\n primary author of both the Magical Code Injection Rainbow, a\n\n configurable vulnerability testbed, and FeatherDuster, an automated\n\n cryptanalysis tool. Daniel enjoys climbing large rocks and is TIME\n\n magazine's 2006 person of the year. Daniel has been working in the\n\n information security industry since 2004 and is a frequent speaker at\n\n conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel\n\n does his own charcuterie and brews his own beer. Daniel's work has been\n\n included in books and college courses. Daniel also holds the noble\n\n title of Baron in the micronation of Sealand.\n\n\n\n Daniel Pagan\n\n Daniel Pagan is a student at Georgia Tech, a DEF CON TV goon, and a\n\n Lord in the micronation of Sealand.\n\n\n"
},
{
"Title": "I Know What You Did Last Summer: 3 Years of Wireless Monitoring at DEF CON",
"Day": "Friday",
"Time": "16:00",
"Location": "Track 2",
"Description": "I Know What You Did Last Summer: 3 Years of Wireless Monitoring at DEF CON\n\n\n\n Friday at 16:00 in Track 2\n\n 20 minutes | Demo, Tool\n\n\n\nd4rkm4tter (Mike Spicer) Hacker\n\n\n\n For the past 3 years d4rkm4tter has been obsessed with monitoring the\n\n wireless networks at DEF CON. This talk will take you on a journey\n\n through the successes and failures that lead to the creation of the\n\n WiFiCactus and the over 1 TB of data captured. A history of each\n\n capture project including a summary of the most interesting pieces of\n\n data will be shown.\n\n Many people spread a lot of fear, uncertainty and doubt about the\n\n wireless environments during DEF CON. This presentation aims to bring\n\n some clarity to what is really happening in the airwaves during one of\n\n the largest hacker conferences in the world. This will include\n\n presenting data on the attacks and sensitive information that exists in\n\n the airwaves. This presentation will demonstrate the risks of using\n\n wireless networks and information leaks that can be captured by anyone\n\n who is passively listening. Countermeasures and protection strategies\n\n will be provided to help you avoid having your data captured by those\n\n who might be listening.\n\n With the number of connected devices around us, there has never been a\n\n better time to start wardriving or warwalking. Everyone is capable of\n\n profiling wireless data around them thanks to cheap hardware and open\n\n source tools. As hackers it is important for us to discover issues and\n\n vulnerabilities while validating claims of security by software and\n\n hardware vendors. Monitoring wireless communication is a great way to\n\n start validating those claims. All of the hardware and methods used\n\n will be provided so that anyone can do this type of monitoring on their\n\n own. Hack the Planet!\n\n\n\n d4rkm4tter (Mike Spicer)\n\n d4rkm4tter is a mad scientist hacker who likes to meddle with hardware\n\n and software. He is particularly obsessed with wireless. He has a\n\n degree in computer science from Southern Utah University which he has\n\n put to use building and breaking a wide array of systems. These include\n\n web application pentesting, wireless monitoring and tracking as well as\n\n good old fashioned reverse engineering. He is the creator of the\n\n #WiFiCactus and has been seen presenting Demolabs at DEF CON and DEF\n\n CON China Beta. He is a Kismet cultist and active in the wireless and\n\n wardriving communities.\n\n Twitter: @d4rkm4tter\n\n Website: palshack.org\n\n\n"
},
{
"Title": "D0 N0 H4RM: A Healthcare Security Conversation",
"Day": "Friday",
"Time": "20:00",
"Location": "Firesides Lounge",
"Description": "D0 N0 H4RM: A Healthcare Security Conversation\n\n\n\n Friday at 20:00 in Firesides Lounge\n\n 120 minutes\n\n\n\nChristian \"quaddi\" Dameff Medical Director of Security at The University of\n\nCalifornia San Diego\n\n\n\nJeff \"r3plicant\" Tully MD Anesthesiologist at The University of California\n\nDavis\n\n\n\nSuzanne Schwartz MD Associate Director for Science and Strategic Partnerships\n\nat the US Food and Drug Administration FDA\n\n\n\nMarie Moe PhD Researcher and Hacker\n\n\n\nBilly Rios Founder of Whitescope\n\n\n\nJay Radcliffe Security Researcher at Thermo Fisher Scientific\n\n\n\n Technology's promise flows within medicine like blood through veins.\n\n With every drip of life-saving medicine given to the smallest babies,\n\n with every paced beat of a broken heart, connected tech has changed the\n\n way we treat patients and offers near limitless potential to improve\n\n our health and wellness. But it's taken an army of dedicated protectors\n\n to ensure that such promise isn't outweighed by peril- and hackers are\n\n fighting on the front lines to safeguard medical devices and\n\n infrastructure so they remain worthy of our trust. Join docs quaddi and\n\n r3plicant as they once again curate a selection of medicine's finest\n\n hackers and allies for D0 N0 H4RM- the uniquely DEF CON conversation\n\n between the unsung heroes in the healthcare space- security researchers\n\n and advocates working to protect patients one broken med device at a\n\n time. Spun from an off-con hotel room gathering between friends into\n\n progressively in demand talks at DC 25 and 26, we've returned to bring\n\n you insight and inspiration- divorced from the spin and formality of an\n\n increasingly industry-saturated landscape- from the people whose\n\n primary goal is to kick ass and save lives.\n\n\n\n Christian \"quaddi\" Dameff\n\n Christian (quaddi) Dameff MD is an emergency medicine doctor, former\n\n open capture the flag champion, prior DEF CON/RSA/Blackhat/HIMSS\n\n speaker, and security researcher. He is currently the Medical Director\n\n of Cybersecurity at The University of California San Diego. Published\n\n works include topics such as therapeutic hypothermia after cardiac\n\n arrest, novel drug targets for myocardial infarction patients, and\n\n other Emergency Medicine related works with an emphasis on CPR\n\n optimization. Published security research topics including hacking\n\n critical healthcare infrastructure, medical devices and the effects of\n\n malware on patient care. This is his fifteenth DEF CON.\n\n Twitter: @CdameffMD\n\n\n\n Jeff \"r3plicant\" Tully MD\n\n Jeff (r3plicant) Tully is an anesthesiologist, pediatrician and\n\n security researcher with an interest in understanding the ever-growing\n\n intersections between healthcare and technology.\n\n Twitter: @JeffTullyMD\n\n\n\n Suzanne Schwartz MD\n\n Dr.Suzanne Schwartz's programmatic efforts in medical device\n\n cybersecurity extend beyond incident response to include raising\n\n awareness, educating, outreach, partnering and coalition-building\n\n within the Healthcare and Public Health Sector (HPH) as well as\n\n fostering collaborations across other government agencies and the\n\n private sector. Suzanne has been recognized for Excellence in\n\n Innovation at FDA's Women's History Month on March 1st 2018 for her\n\n work in Medical Device Cybersecurity. Suzanne chairs CDRH's\n\n Cybersecurity Working Group, tasked with formulating FDA's medical\n\n device cybersecurity policy. She also co-chairs the Government\n\n Coordinating Council (GCC) for the HPH Critical Infrastructure Sector,\n\n focusing on the sector's healthcare cybersecurity initiatives.\n\n\n\n Marie Moe PhD\n\n Dr. Marie Moe cares about public safety and securing systems that may\n\n impact human lives, this is why she joined the grassroots organisation\n\n \"I Am The Cavalry\". Marie is a Research Manager at SINTEF, the largest\n\n independent research organisation in Scandinavia, and has a PhD in\n\n information security. She is also an Associate Professor at the\n\n Norwegian University of Science and Technology. She has experience as a\n\n team leader at NorCERT, where she did incident handling of cyberattacks\n\n against Norway's critical infrastructure. She is currently doing\n\n research on the security of her own personal critical infrastructure,\n\n an implanted pacemaker that is generating every single beat of her\n\n heart. Marie loves to break crypto protocols, but gets angry when the\n\n broken crypto is in her own body.\n\n Twitter: @MarieGMoe\n\n\n\n Billy Rios\n\n Billy is the founder of Whitescope LLC, a startup focused on embedded\n\n device security. Billy is recognized as one of the world's most\n\n respected experts on emerging threats related to Industrial Control\n\n Systems (ICS), Critical Infrastructure (CI), and, medical devices. He\n\n discovered thousands of security vulnerabilities in hardware and\n\n software supporting ICS and critical infrastructure. Billy provided the\n\n research that led to the FDA's first cybersecurity safety advisory and\n\n research which helped spur the FDA's pre-market cybersecurity guidance.\n\n Billy is a contributing author to Hacking: The Next Generation, The\n\n Virtual Battlefield, and Inside Cyber Warfare. He currently holds a\n\n Master of Science in Information Systems, an MBA, and a Masters of\n\n Military Operational Arts and Science.\n\n Twitter: @XSSniper\n\n\n\n Jay Radcliffe\n\n Jay Radcliffe (CISSP) has been working in the computer security field\n\n for over 20 years. Coming from the managed security services industry\n\n as well as the security consultation field, Jay has helped\n\n organizations of every size and vertical secure their networks and\n\n data. Jay presented ground-breaking research on security\n\n vulnerabilities in multiple medical devices and was featured on\n\n national television as an expert on medical device cybersecurity. As a\n\n Type I diabetic, Jay brings a lifetime of being a patient to helping\n\n medical facilities secure their critical data without compromising\n\n patient care. Not only is Jay a prolific public speaker, but also works\n\n with legal firms on expert witness consultation related to IoT and\n\n cybersecurity issues. Jay holds a Master's degree in Information\n\n Security Engineering from SANS Technology Institute, as well as a\n\n Bachelor's degree in Criminal Justice/Pre-Law from Wayne State\n\n University. SC Magazine named him one of the Top Influential IT\n\n Security Thinkers in 2013.\n\n Twitter: @JRadcliffe02\n\n\n"
},
{
"Title": "DEF CON 101 Panel",
"Day": "Thursday",
"Time": "15:00",
"Location": "DC101, Paris Theatre",
"Description": "DEF CON 101 Panel\n\n\n\n Thursday at 15:00 in DC101, Paris Theatre\n\n 105 minutes\n\n\n\nHighwiz\n\n\n\nNikita\n\n\n\nWill\n\n\n\nn00bz\n\n\n\nShaggy\n\n\n\nSecBarbie\n\n\n\nTottenkoph\n\n\n\n The DEF CON 101 Panel is the place to go to learn about the many facets\n\n of DEF CON and to begin your DEF CONian Adventure. The idea is to help\n\n attendees get the best experience out of DEF CON (and also tell them\n\n how to survive the weekend!). It is a way for people who have\n\n participated in making DEF CON what it is today to share those\n\n experiences and, hopefully, inspire attendees to expand their horizons.\n\n DEF CON offers so much more than just talks and the DEF CON 101 panel\n\n is the perfect place to learn about all things DEF CON so you, dear\n\n reader, can get the best experience possible. The panel will end with\n\n the time honored tradition of \"Name the n00b\" where lucky attendees\n\n will be brought up on stage to introduce themselves to you and earn the\n\n coveted 101 n00b handle. Don't worry if you don't make it on to the\n\n stage, you can stick around for the n00b party after the panel and get\n\n your handle then!\n\n\n\n Highwiz\n\n HighWiz is born of glitter and moon beams and he has all the right\n\n moves. He is the things that sweet dreams are made of and nightmares\n\n long to be... Years ago, with the help of some very awesome people*, he\n\n set about to create an event that would give the n00bs of DEF CON a\n\n place to feel welcomed and further their own pursuit of knowledge. For\n\n years he has held onto the simple tenet that \"You get out of DEF CON\n\n what you put into it\". HighWiz is the fabled Man on the Mountain whom\n\n people seek to gain a taste of his forbidden knowledge. He is a rare\n\n sighting at DEF CON only to be glimpsed by those lucky few. HighWiz is\n\n a member of the DEF CON CFP Review Board and Security Tribe.\n\n *Some (but not all) of the people HighWiz would like to thank for\n\n helping to make 101 into what it is today : Runnerup, Wiseacre, Nikita,\n\n Roamer, Shaggy, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Sethalump,\n\n AlxRogan, Jenn, Zant, MalwareUnicorn, Clutch, TheDarkTangent, Siviak,\n\n Tuna, Ripshy, Valkyrie, Suggy, Flipper and all the members of Security\n\n Tribe. Shout outs to Security Tribe, GH, QC and The LonelyHackersClub\n\n Twitter: @HighWiz\n\n\n\n Nikita\n\n DEF CON, Director of Content & Coordination. Wife & Mom. Chicken Soup\n\n repairwoman. SecurityTribe. !X!🦄🌈🤓 Into: hacks\n\n 💡 snacks 🌮 shellacs 💅🏻\n\n Twitter: @Niki7a\n\n\n\n Will\n\n Will was summoned to life through the trials of fire, fueled by the\n\n alcohol and excitement of DEF CON 25. He arose from those ashes of his\n\n former life into a malware making, maple syrup drinking n00b with a new\n\n attitude on life and lots of fury to share. On a path of creation and\n\n destruction, Will is on a relentless quest to conquer anyone that\n\n doubts him and maybe one day leave a mark that is just nearly as bright\n\n as the Phoenix itself.\n\n\n\n n00bz\n\n (or his n00bzness or el n00berino if you're not into the whole brevity\n\n thing) pays the bills by working for a Silicon Valley company\n\n protecting the F500 doing Compliance and IT Security Globally by way of\n\n Wall Street and D&T. He grew up tying up phone lines across South\n\n Florida with his Bosun whistle. His love for all things wireless are\n\n due to his love of software defined radio and hatred of getting up to\n\n change the TV channel when the remote was lost. He has spoken at DEF\n\n CON, HackMiami (%27), DerbyCon and when advised of his right to remain\n\n silent, plead the fif!\n\n\n\n Shaggy\n\n Shaggy is a penetration tester by day and a renaissance man at night.\n\n He enjoys mastering new things and breaking anything put in front of\n\n him. When he is not messing around with technology he is making things\n\n with wood, performing card tricks, and seducing the masses with his\n\n warm gently voice.\n\n\n\n SecBarbie\n\n Known on the dark web as \"l'initiateur du parti\" and \"ne stoit\n\n nedoocenivat' ee\", Erin Jacobs (best known as @SecBarbie) has been\n\n attending DEF CON for over 15 years. Erin is a member of the DEF CON\n\n CFP Review Board, has DJed both DEF CON and DEF CON China, is an\n\n organizer of DC 312, and a past DEF CON speaker. Outside of DEF CON,\n\n she's a Founding Partner at Urbane Security, an avid traveler, and a\n\n fan of great Champagne, wine, and dining. You can find more about her\n\n under @SecBarbie, or, if you're up for the challenge, dunes hinder\n\n sniff huddle auburn meeting arsenic wizard dizzy lipstick spying enmity\n\n highway muppet woven woken puffin atlas python iris sprig mouth yellow\n\n hexagon hexagon ;)\n\n\n\n Tottenkoph\n\n Tottenkoph has been going to DEF CON for over 10 years and has spent\n\n the past several cons volunteering as the Workshop department lead as\n\n well as serving on the Workshop Review Board. Tottie has spoken on\n\n things from security flaws in digital billboards to drunken insights on\n\n what random episodes of Babylon 5 *really* meant. She thinks the\n\n perfect date is April 25th, overuses exclamation points in text-based\n\n comms, and is excited to have a chance to meet/speak with more new\n\n attendees!\n\n\n"
},
{
"Title": "Panel: DEF CON Groups",
"Day": "Friday",
"Time": "22:15",
"Location": "Firesides Lounge",
"Description": "Panel: DEF CON Groups\n\n\n\n Friday at 22:15 in Firesides Lounge\n\n 45 minutes\n\n\n\nBrent White / B1TK1LL3R Global Coordinator\n\n\n\nJayson E. Street Ambassador\n\n\n\nDarington Web Master\n\n\n\nApril Wright Welcoming Committee & Liaison\n\n\n\nTim Roberts (byt3boy) Volunteer\n\n\n\nCasey Bourbonnais Volunteer\n\n\n\ns0ups Social media\n\n\n\n Do you love DEF CON? Do you hate having to wait for it all year? Well,\n\n thanks to DEF CON groups, you're able to carry the spirit of DEF CON\n\n with you year round, and with local people, transcending borders,\n\n languages, and anything else that may separate us!In this fireside\n\n chat, your DEF CON groups team who works behind the scenes to make DCG\n\n possible will invite group leaders to share how they started their\n\n groups, how they found meeting space, how they decide what content to\n\n present each meeting, and other topics. Potential new group leaders can\n\n find out how to start and run a local group, and existing group leaders\n\n and members can share and get operational ideas for running the best\n\n group possible. During the Fireside chat, we'll have the ability to\n\n keep it an open forum for questions and ideas, as well as a great\n\n opportunity to meet other groups.\n\n\n\n Brent White / B1TK1LL3R\n\n Twitter: @brentwdesign\n\n\n\n Jayson E. Street\n\n Twitter: @jaysonstreet\n\n\n\n Darington\n\n Twitter: @darington\n\n\n\n April Wright\n\n Twitter: @aprilwright\n\n\n\n Tim Roberts (byt3boy)\n\n Twitter: @ZanshinH4x\n\n\n\n Casey Bourbonnais\n\n Twitter: @Bourbonnais_c\n\n\n\n s0ups\n\n Twitter: @ynots0ups\n\n\n"
},
{
"Title": "Are Your Child's Records at Risk? The Current State of School Infosec",
"Day": "Friday",
"Time": "14:00",
"Location": "Track 2",
"Description": "Are Your Child's Records at Risk? The Current State of School Infosec\n\n\n\n Friday at 14:00 in Track 2\n\n 45 minutes\n\n\n\nBill Demirkapi Independent Security Researcher\n\n\n\n From credit reporting agencies to hotel enterprises, major data\n\n breaches happen daily. However, when was the last time we considered\n\n the data security of children and middle-level education students? The\n\n infosec community spends so much time thinking about enterprise\n\n security and user privacy, but who looks after those who can't defend\n\n themselves? Unknown to most, there are only just a handful of major\n\n educational software providers--and flaws in any of them can lead to\n\n massive holes which expose the confidential information of our rising\n\n generation, this speaker included. Additionally, while many dismiss\n\n educational data as \"just containing grades\", the reality is that these\n\n systems store extremely sensitive information from religious beliefs,\n\n health and vaccine-related data, to even information about parental\n\n abuse and drug use in the family.\n\n This talk will cover never-before-seen research into the handful of\n\n prominent educational software companies, the vulnerabilities that were\n\n found, the thousands of schools and millions of students affected, and\n\n the personal fallout of such research. Vulnerabilities discussed will\n\n range from blind SQL injection to leaked credentials for the entire\n\n kingdom. If a high school student can compromise the data of over 5\n\n million students and teachers, what can APT do?\n\n\n\n Bill Demirkapi\n\n Bill is a 17-year-old high school student with an intense passion for\n\n the information security field. Bill's interests include game hacking,\n\n reverse engineering malware, and breaking things. Next year, Bill will\n\n be attending the Rochester Institute of Technology where he hopes to\n\n grow his career and knowledge in the enormous field of Cybersecurity.\n\n In his pursuit to make the world a better place, Bill constantly looks\n\n for the next big vulnerability following the motto \"break anything and\n\n everything\".\n\n Twitter: https://twitter.com/BillDemirkapi\n\n Blog: https://d4stiny.github.io\n\n\n"
},
{
"Title": "Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime",
"Day": "Friday",
"Time": "11:00",
"Location": "Track 4",
"Description": "Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime\n\n\n\n Friday at 11:00 in Track 4\n\n 45 minutes | Demo, Exploit\n\n\n\nJeff Dileo Research Director, NCC Group\n\n\n\n eBPF (or \"extended\" Berkeley Packet Filter) is a bytecode instruction\n\n set and virtual machine used as a safe computing environment within the\n\n Linux kernel to perform arbitrary programmatic actions. It is a\n\n redesign of Linux's original in-kernel BPF bytecode VM used to power\n\n features like tcpdump filters. eBPF has an entirely different set of\n\n capabilities and instructions, with its primary goal being to serve as\n\n a JIT-able virtual machine instruction set that can be targeted by\n\n compilers of a memory-safe \"restricted C\" language. In the Linux\n\n kernel, it is actively being applied to anything and everything to\n\n provide performant programmatic capabilities to userland that extend\n\n traditionally kernel-based functionality.\n\n In this exploit development focused talk, we will first introduce eBPF\n\n and discuss several nefarious techniques enabled by the technology. As\n\n we do so, we will cover the respective sets of APIs, file descriptor\n\n types, and other eBPF machinery that enable such techniques, building\n\n up from various forms of hidden IPC channels to full-fledged rootkits.\n\n Within this talk, we will walk through the implementations of the\n\n techniques we discuss so that attendees will walk away with the\n\n knowledge of how to implement their own variants. Along the way we will\n\n discuss novel container breakout techniques and interesting\n\n \"dual-purpose\" eBPF features that enable the development of mutative\n\n syscall hooks that work for processes that work for processes already\n\n attached by a debugger. Finally, we will provide insight on how\n\n defenders should begin to attempt to detect and recover from such\n\n abuses, when possible at all.\n\n This presentation significantly extends on work we first presented at\n\n 35C3, which focused more heavily on the underlying aspects of general\n\n eBPF-based kernel tracing. In contrast, this talk will demo new\n\n techniques and include substantially improved versions of techniques\n\n presented previously as proofs-of-concept.\n\n\n\n Jeff Dileo\n\n Jeff Dileo (chaosdata) is a security consultant by day, and sometimes\n\n by night. He hacks on embedded systems, mobile apps and devices, web\n\n apps, and complicated things that don't have names. He likes candy and\n\n arguing about text editors and window managers he doesn't actually use.\n\n Twitter: @chaosdatumz\n\n\n"
},
{
"Title": "The Tor Censorship Arms Race: The Next Chapter",
"Day": "Friday",
"Time": "11:00",
"Location": "Track 2",
"Description": "The Tor Censorship Arms Race: The Next Chapter\n\n\n\n Friday at 11:00 in Track 2\n\n 45 minutes | Tool\n\n\n\nRoger Dingledine The Tor Project\n\n\n\n Tor is a free-software anonymizing network that helps people around the\n\n world use the Internet in safety. But who cares how good Tor's privacy\n\n is, if your government prevents you from reaching the Tor network?\n\n In the beginning, some countries filtered torproject.org by DNS (so we\n\n made website mirrors and an email autoresponder for downloading Tor),\n\n and then some countries blocked Tor relays by IP address (so we\n\n developed bridges, which are essentially unlisted relays), and then\n\n some countries blocked Tor traffic by Deep Packet Inspection (so we\n\n developed pluggable transports to transform Tor flows into\n\n benign-looking traffic).\n\n Then things got weird, with China's nationwide active probing\n\n infrastructure to enumerate bridges, with Amazon rolling over to\n\n Russia's threats when Telegram used \"domain fronting\" to get around\n\n blocking, with Turkey blocking Tor traffic by DPI in more subtle ways,\n\n with Venezuela and Ethiopia and Iran trying new tricks, and more.\n\n In this talk I'll get you up to speed on all the ways governments have\n\n tried to block Tor, walk through our upcoming steps to stay ahead of\n\n the arms race, and give you some new--easier--ways that let you help\n\n censored users reach the internet safely.\n\n\n\n Roger Dingledine\n\n Roger Dingledine is president and co-founder of the Tor Project, a\n\n nonprofit that develops free and open source software to protect people\n\n from tracking, censorship, and surveillance online.\n\n Wearing one hat, Roger works with journalists and activists on many\n\n continents to help them understand and defend against the threats they\n\n face. Wearing another, he is a lead researcher in the online anonymity\n\n field, coordinating and mentoring academic researchers working on\n\n Tor-related topics. Since 2002 he has helped organize the yearly\n\n international Privacy Enhancing Technologies Symposium (PETS).\n\n Among his achievements, Roger was chosen by the MIT Technology Review\n\n as one of its top 35 innovators under 35, he co-authored the Tor design\n\n paper that won the Usenix Security \"Test of Time\" award, and he has\n\n been recognized by Foreign Policy magazine as one of its top 100 global\n\n thinkers.\n\n Twitter: @RogerDingledine\n\n\n"
},
{
"Title": "Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks",
"Day": "Sunday",
"Time": "14:00",
"Location": "Track 2",
"Description": "Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks\n\n\n\n Sunday at 14:00 in Track 2\n\n 45 minutes | Demo, Tool\n\n\n\nBrad Dixon Security Consultant, Carve Systems\n\n\n\n Athletes are competing in virtual cycling by riding real bikes on\n\n stationary trainers which power the in-game athletic performance.\n\n Riders train and compete online against each other. New racing teams\n\n are even competing in Union Cycliste Internationale (UCI) sanctioned\n\n events. Better at hacking than riding? Me, too. I'll expand on the\n\n dubious achievements of prior cycling cheaters by showing how to use\n\n the open source USBQ toolkit to inspect and modify USB communications\n\n between the Zwift application and the wireless sensors that monitor and\n\n control the stationary trainer. USBQ is a Python module and application\n\n that uses standard hardware, such as the Beaglebone Black, to inspect\n\n and modify communications between USB devices and the host. You'll ride\n\n away with a lesson on building your own customized USB\n\n man-in-the-middle hacking tool, too.\n\n\n\n Brad Dixon\n\n Brad once told his parents that if they gave him a Commodore 64 it\n\n would be the last computer he'd ever want. He never got that Commodore\n\n 64. Nevertheless Brad managed to become a computer nerd at a young age.\n\n Brad studied Computer Engineering at Georgia Tech and jumped into\n\n embedded software engineering. He worked for many years helping\n\n developers to design embedded Linux into telecom, network, and mobile\n\n products. Brad also took a turn as a product manager for embedded\n\n development tools and a mobile location analytics product. At Carve he\n\n hacks IoT, embedded, and Linux systems.\n\n Github: https://github.com/rbdixon\n\n\n"
},
{
"Title": "State of DNS Rebinding - Attack & Prevention Techniques and the Singularity",
"Day": "Saturday",
"Time": "15:00",
"Location": "Track 3",
"Description": "State of DNS Rebinding - Attack & Prevention Techniques and the Singularity\n\nof Origin\n\n\n\n Saturday at 15:00 in Track 3\n\n 45 minutes | Demo, Tool\n\n\n\nGerald Doussot Principal Security Consultant, NCC Group\n\n\n\nRoger Meyer Principal Security Consultant, NCC Group\n\n\n\n Do you want to know how you can exploit DNS rebinding 10x faster,\n\n bypass prevention mechanisms, interactively browse the victim's\n\n internal network, and automate the whole process during your next red\n\n team exercise?\n\n This talk will teach you how and give you an easy-to-use tool to do it.\n\n First, we will cover in detail the subtleties that make DNS rebinding\n\n attacks more effective in practice, including techniques and\n\n operational conditions that make it faster and more reliable. We'll\n\n also explain how to bypass commonly recommended security controls,\n\n dispelling attack and defense misconceptions that have been\n\n disseminated in blogs and social media posts.\n\n This talk will include a number of demos using Singularity, our open\n\n source DNS rebinding attack framework that includes all the parts you\n\n need to get started pwning today, including:\n\n * Remote code execution and exfiltration payloads for common dev\n\n tools and software\n\n * Practical scanning and automation techniques to maximize the chance\n\n of controlling targeted services\n\n\n\n We'll also show an interesting post-exploitation technique that allows\n\n you to browse a victim browser network environment via the attacker's\n\n browser without the use of HTTP proxies.\n\n You'll leave this talk with the knowledge and tools to immediately\n\n start finding and exploiting DNS rebinding bugs.\n\n\n\n Gerald Doussot\n\n Gerald Doussot is a Principal Security Consultant at NCC Group, with\n\n over 20 years experience in information technology. Gerald has\n\n undertaken defensive and offensive security roles, including the\n\n design, implementation and management of security solutions, software\n\n development, integration and security Testing.\n\n\n\n Roger Meyer\n\n Roger Meyer is a Principal Security Engineer at NCC Group with\n\n extensive experience in managing and leading complex engagements. Roger\n\n specializes in web application security, network penetration testing,\n\n configuration reviews, and secure software development and architecture\n\n design.\n\n\n"
},
{
"Title": "Go NULL Yourself or: How I Learned to Start Worrying While Getting Fined for",
"Day": "Saturday",
"Time": "16:30",
"Location": "Track 3",
"Description": "Go NULL Yourself or: How I Learned to Start Worrying While Getting Fined for\n\nOther's Auto Infractions\n\n\n\n Saturday at 16:30 in Track 3\n\n 20 minutes\n\n\n\ndroogie Security Consultant at IOActive\n\n\n\n Input sanitization issues will always exist, although it's surprising\n\n at how we're still seeing amateur mistakes being made on everyday\n\n applications and systems used by millions. After making some\n\n observations against automatic license plate recognition (ALPR) data\n\n requested via the freedom of information act (FOIA) while having\n\n reminiscent conversations about old hacker tales, it turned on the evil\n\n bit, leading to some interesting ideas. We'll go over this adventure of\n\n poking at systems using totally valid user-controlled data that causes\n\n unexpected behavior in the real world. It's always a strange thing when\n\n you can \"exploit\" unexpected attack surface, due to poor specification,\n\n especially in government systems.\n\n\n\n droogie\n\n droogie is a security researcher, interested in offensive security and\n\n hacking of retro and modern video games alike. He makes a living as a\n\n security consultant at IOActive, which helps fund his degenerate\n\n passion for hardware hacking on old video game console hardware. He's\n\n spoken at conferences like CCC and Ruxcon and helped bring Metal Gear\n\n Online back to life, he enjoys international travel to security\n\n conferences to kick it with awesome hackers.\n\n\n"
},
{
"Title": "Meet the EFF - Meetup Panel",
"Day": "Saturday",
"Time": "20:00",
"Location": "Firesides Lounge",
"Description": "Meet the EFF - Meetup Panel\n\n\n\n Saturday at 20:00 in Firesides Lounge\n\n 120 minutes\n\n\n\nKurt Opsahl Deputy Executive Director And General Counsel, EFF\n\n\n\nCamille Fischer Frank Stanton Fellow, EFF\n\n\n\nBennett Cyphers Staff Technologist, EFF\n\n\n\nNathan 'nash' Sheard Grassroots Advocacy Organizer, EFF\n\n\n\nShahid Buttar Panel Host and Director of Grassroots Advocacy, EFF\n\n\n\n Join staffers at the Electronic Frontier Foundation--the nation's\n\n premier digital civil liberties group fighting for freedom and privacy\n\n in the computer age--for a candid chat about how the law is racing to\n\n catch up with technological change.\n\n Then meet representatives from Electronic Frontier Alliance allied\n\n community and campus organizations from across the country. These\n\n technologists and advocates are working within their communities to\n\n educate and empower their neighbors in the fight for data privacy and\n\n digital rights.\n\n This discussion will include updates on current EFF issues such as the\n\n government's effort to undermine encryption (and add backdoors), the\n\n fight for network neutrality, discussion of our technology projects to\n\n spread encryption across the Web and emails, updates on cases and\n\n legislation affecting security research, and much more.\n\n Half the session will be given over to question-and-answer, so it's\n\n your chance to ask EFF questions about the law, surveillance and\n\n technology issues that are important to you.\n\n\n\n Kurt Opsahl\n\n Kurt Opsahl is the Deputy Executive Director and General Counsel of the\n\n Electronic Frontier Foundation. In addition to representing clients on\n\n civil liberties, free speech and privacy law, Opsahl counsels on EFF\n\n projects and initiatives. Opsahl is the lead attorney on the Coders'\n\n Rights Project, and is representing several companies who are\n\n challenging National Security Letters. Before joining EFF, Opsahl\n\n worked at Perkins Coie, where he represented technology clients with\n\n respect to intellectual property, privacy, defamation, and other online\n\n liability matters, including working on Kelly v. Arribasoft, MGM v.\n\n Groksterand CoStar v. LoopNet. For his work responding to government\n\n subpoenas, Opsahl is proud to have been called a \"rabid dog\" by the\n\n Department of Justice. Prior to Perkins, Opsahl was a research fellow\n\n to Professor Pamela Samuelson at the U.C. Berkeley School of\n\n Information Management & Systems. Opsahl received his law degree from\n\n Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl\n\n co-authored \"Electronic Media and Privacy Law Handbook.\" In 2007,\n\n Opsahl was named as one of the \"Attorneys of the Year\" by California\n\n Lawyer magazine for his work on the O'Grady v. Superior Courtappeal. In\n\n 2014, Opsahl was elected to the USENIX Board of Directors.\n\n\n\n Camille Fischer\n\n Camille Fischer is a Frank Stanton Fellow working on EFF's free speech\n\n and government transparency projects. Camille came to EFF from D.C.\n\n where she worked in the Obama White House and in the Department of\n\n Commerce advocating for civil, human rights, and due process\n\n protections in national security and law enforcement policies. She also\n\n ran projects to increase consumer security and privacy, like the move\n\n to chip cards (sorry not sorry), and has war stories about ECPA Reform,\n\n MLATs, and encryption. Camille graduated from Georgetown University Law\n\n Center and the University of Georgia (Go Dawgs). She takes pics and\n\n bakes pies.\n\n\n\n Bennett Cyphers\n\n Bennett is an engineer on the Tech Projects team, where he works on\n\n Privacy Badger and HTTPS Everywhere.\n\n Before EFF, Bennett was at Access Now and MIT, and he has a Master's of\n\n Engineering for work on privacy-preserving machine learning. He cares\n\n about privacy, transparency, data ownership, and digital equity. He\n\n wishes ad companies would kindly stop tracking everyone. Outside of\n\n work he has hobbies and likes fun.\n\n\n\n Nathan 'nash' Sheard\n\n As EFF's Grassroots Advocacy Organizer, nash works directly with\n\n community members and organizations to take advantage of the full range\n\n of tools provided by access to tech, while engaging in empowering\n\n action toward the maintenance of digital privacy and information\n\n security.\n\n\n\n Shahid Buttar\n\n Shahid leads EFF's grassroots, student, and community outreach efforts.\n\n He's a constitutional lawyer focused on the intersection of community\n\n organizing and policy reform as a lever to shift legal norms, with\n\n roots in communities across the country resisting mass surveillance.\n\n From 2009 to 2015, he led the Bill of Rights Defense Committee as\n\n Executive Director.\n\n Outside of his work at EFF, Shahid also DJs and produces electronic\n\n music, writes poetry & prose, kicks rhymes, organizes guerilla poetry\n\n insurgencies, plays capoeira, speaks truth to power on Truthout,\n\n occasionally elucidates legal scholarship, and documents\n\n counter-cultural activism for the Burning Man Journal. He also serves\n\n on the Boards of Directors of Defending Rights and Dissent, the Center\n\n for Media Justice, and the Fund for Constitutional Government.\n\n\n"
},
{
"Title": "Rise of the Hypebots: Scripting Streetwear",
"Day": "Saturday",
"Time": "10:00",
"Location": "Track 2",
"Description": "Rise of the Hypebots: Scripting Streetwear\n\n\n\n Saturday at 10:00 in Track 2\n\n 45 minutes | Demo\n\n\n\nfinalphoenix Engineer & Hypebae\n\n\n\n Buying Supreme is even harder when most of your competitors are AI. The\n\n era of bot purchasing has arrived and more often than not, purchasing\n\n shoes, shirts, and swag, requires shell scripting. We will look at how\n\n simplistic (and how complicated) purchasing bots have become, how to\n\n write them, and what companies are trying to do to fight them, and why\n\n they're failing at conquering the machines.\n\n\n\n finalphoenix\n\n finalphoenix is a full-stack engineer who has been working on the web\n\n since man invented fire gifs. She likes React, Node, and the Unix\n\n fortune command. She specializes in web security and optimization, and\n\n in the process, discovered the dangerous world of automation to help\n\n her shop.\n\n Twitter: @finalphoenix\n\n\n"
},
{
"Title": "Reverse-Engineering 4g Hotspots for Fun, Bugs and Net Financial Loss",
"Day": "Saturday",
"Time": "15:00",
"Location": "Track 2",
"Description": "Reverse-Engineering 4g Hotspots for Fun, Bugs and Net Financial Loss\n\n\n\n Saturday at 15:00 in Track 2\n\n 45 minutes | Demo, Tool\n\n\n\ng richter Senior Researcher, Pen Test Partners LLP\n\n\n\n \"5G is coming\" (apparently). That probably means, over the next few\n\n years, more and more people are going to be using more and more\n\n cellular-connected devices for their day-to-day TCP/IP activities.\n\n The problem is, a lot of existing 4G modems and routers are pretty\n\n insecure. We found critical remotely-exploitable flaws in a selection\n\n of devices from variety of vendors, without having to do too much work.\n\n Plus, there's only a small pool of OEMs working seriously with cellular\n\n technologies, and their hardware (& software dependencies) can be found\n\n running in all sorts of places. Their old 4G, 3G and even 2G-era code\n\n is going to be running in these 5G-capable devices.\n\n With a small sample of consumer 4G routers as examples, we're going to\n\n talk about how malleable, frustrating, and insecure these devices are.\n\n We'll run through a few examples of existing 4G routers, from low-end\n\n bargain-basement end-of-life-never-to-be-fixed to higher-end devices.\n\n root is a means to an end, rather than the goal.\n\n\n\n g richter\n\n g richter is the single-use pseudonym of a security researcher with a\n\n particular interest in embedded devices and cellular. He has done this\n\n kind of thing for money and fun for quite a while now, but before that,\n\n he also did other things that didn't involved as many computers. At the\n\n moment he's doing this for money at Pen Test Partners.\n\n\n"
},
{
"Title": "We Hacked Twitter... And the World Lost Their Sh*t Over It!",
"Day": "Saturday",
"Time": "22:15",
"Location": "Firesides Lounge",
"Description": "We Hacked Twitter... And the World Lost Their Sh*t Over It!\n\n\n\n Saturday at 22:15 in Firesides Lounge\n\n 45 minutes\n\n\n\nMike Godfrey Penetration Tester, INSINIA Security\n\n\n\nMatthew Carr Penetration Tester, INSINIA Security\n\n\n\n In December 2018 INSINIA Security was involved in one of the biggest\n\n hacking stories of the year. A number of \"celebrities\", including Louis\n\n Theroux, Eamon Holmes and more, logged into their Twitter accounts just\n\n after Christmas to find a Tweet, from their account, saying:\n\n \"This account has been temporarily hijacked by INSINIA SECURITY\".\n\n The tweet immediately directed people to our blog post, and the\n\n compromised accounts retweeted INSINIA's Tweet, saying:\n\n \"This account is now under the control of @InsiniaSRT. Luckily, this\n\n has been H4CK3D to highlight an important vulnerability. The user of\n\n this account has NOT lost access to it, no data compromised and is NOT\n\n under attack. See how it was done...\".\n\n What we did was simple. We used spoof texts to Tweet from these\n\n accounts. We NEVER had access to these accounts. We could never read\n\n DM's. We simply passively controlled these accounts with no opportunity\n\n of getting confidential data in return.\n\n So what did the hacking community, journalists and commentators do?!\n\n They LOST THEIR SH*T OVER IT!\n\n \"It's unethical\" \"It's a crime\" \"Computer Misuse Act counts for\n\n security researchers too!\" \"You guys are total f*cking idiots!\n\n These are the types of things we'd heard from our peers. But why was\n\n the backlash so bad? In this talk, INSINIA explains why it was done,\n\n how it was done, how people reacted and how research can be released\n\n quickly and responsibly... Without always getting the warm reception\n\n you might expect!\n\n\n\n Mike Godfrey\n\n Mike Godfrey, Director of INSINIA Security, started life as a \"hacker\"\n\n before he had hit his teens. With a professional background in\n\n Electro-technical / Electro-mechanical Engineering and almost 20 years'\n\n experience in building and breaking computers.\n\n Mike offers a unique perspective when it comes to varied and\n\n multi-vector attacks and is regarded as one of the UK's most capable\n\n multi-skilled Cyber Security Specialists, gaining notoriety in the\n\n Cyber Security industry for using elements of different skills, both on\n\n hard and soft surfaces, to carry out highly technical and often highly\n\n intricate electronic attacks. One of these attacks includes hacking\n\n Costco's high security Sentry display safe with nothing more than a\n\n magnet and a sock! This research was utilised and referenced by @Plor\n\n in his talk at DEF CON 25 - \"Popping a Smart Gun\". Mike has also been\n\n lucky enough to become a DEF CON speaker in 2018, one of the proudest\n\n moments of his life!\n\n Mike works as a Cyber Security contributor for the BBC, LBC, Channel 4\n\n and was the Ethical Hacker who discovered the TalkTalk and O2 data\n\n breach stories.\n\n Twitter: @MikeGHacks\n\n\n\n Matthew Carr\n\n Matthew's previous roles including Senior Penetration Tester and\n\n Researcher at SecureLink, Europe's largest managed security services\n\n provider and Operational Security Specialist at Ikea overseeing\n\n worldwide Operational Security as part of a Specialist Team.\n\n Matthew regularly speaks at industry events and lectures offensive\n\n security at Malm\u00f6's Technology University in Sweden.\n\n Matthew spent over 3 years as part of an R&D team building intrusion\n\n detection software, a secure cloud platform, SIEM tools and other\n\n security software, Matthew is not only a competent red teamer but also\n\n a valuable asset to any blue team.\n\n Matthew works as a Cyber Security contributor for the Telegraph, Talk\n\n Radio and SVT.\n\n Twitter: @sekuryti\n\n\n"
},
{
"Title": "Exploiting Qualcomm WLAN and Modem Over The Air",
"Day": "Sunday",
"Time": "11:00",
"Location": "Track 3",
"Description": "Exploiting Qualcomm WLAN and Modem Over The Air\n\n\n\n Sunday at 11:00 in Track 3\n\n 45 minutes | Demo, Exploit\n\n\n\nXiling Gong Consultant, NCC Group\n\n\n\nPeter Pi Senior Security Researcher of Tencent Blade Team\n\n\n\n In this talk, we will share our research in which we successfully\n\n exploit Qualcomm WLAN in FIRMWARE layer, break down the isolation\n\n between WLAN and Modem and then fully control the Modem over the air.\n\n Setup the real-time debugger is the key. Without the debugger, it's\n\n difficult to inspect the program flow and runtime status. On Qualcomm\n\n platform, subsystems are protected by the Secure Boot and unable to be\n\n touched externally. We'll introduce the vulnerability we found in Modem\n\n to defeat the Secure Boot and elevate privilege into Modem locally so\n\n that we can setup the live debugger for baseband.\n\n The Modem and WLAN firmware is quite complex and reverse engineering is\n\n a tough work. Thanks to the debugger, we finally figure out the system\n\n architecture, the components, the program flow, the data flow, and the\n\n attack surfaces of WLAN firmware. We'll share these techniques in\n\n detail, along with the zero-days we found on the attack surfaces.\n\n There are multiple mitigations on Qualcomm baseband, including DEP,\n\n stack protection, heap cookie, system call constraint, etc. All the\n\n details of the exploitation and mitigation bypassing techniques will be\n\n given during the presentation.\n\n Starting from Snapdragon 835, WLAN firmware is integrated into the\n\n Modem subsystem as an isolated userspace process. We'll discuss these\n\n constraints, and then leverage the weakness we found to fully exploit\n\n into Modem.\n\n\n\n Xiling Gong\n\n Xiling Gong is a Senior Security Researcher of Tencent Blade Team. He\n\n has discovered many vulnerabilities of vendors like Google and\n\n Qualcomm. He is the speaker of CanSecWest 2018.\n\n Twitter: @Gxiling\n\n\n\n Peter Pi\n\n Peter Pi is a Senior Security Researcher of Tencent Blade Team. He has\n\n discovered many vulnerabilities of vendors like Google, Microsoft,\n\n Apple, Qualcomm, Adobe and Tesla. He was the #1 researcher of Google\n\n Android VRP in year 2016. He has spoken at many famous security\n\n conferences such as BlackHat, CanSecWest, HITB GSEC and Hitcon.\n\n Twitter: @tencent_blade\n\n\n"
},
{
"Title": "MOSE: Using Configuration Management for Evil",
"Day": "Friday",
"Time": "15:00",
"Location": "Track 1",
"Description": "MOSE: Using Configuration Management for Evil\n\n\n\n Friday at 15:00 in Track 1\n\n 45 minutes | Demo, Tool\n\n\n\nJayson Grace Penetration Tester, Splunk\n\n\n\n Configuration Management (CM) tools are used to provision systems in a\n\n uniform manner. CM servers are prime targets for exploitation because\n\n they are connected with key machines. The tools themselves are powerful\n\n from a security standpoint: they allow an attacker to run commands on\n\n any and every connected system. Unfortunately, many security\n\n professionals do not have CM experience, which prevents them from using\n\n these tools effectively. MOSE empowers the user to weaponize an\n\n organization's CM tools without having to worry about\n\n implementation-specific details.\n\n MOSE first creates a binary based on user input. Once transferred to\n\n the CM server and run, this binary dynamically generates code that\n\n carries out the desired malicious behavior on specified systems. This\n\n behavior can include running arbitrary system commands, creating or\n\n deleting files, and introducing backdoors. MOSE puts the generated code\n\n in the proper place so that all targeted systems will run it on their\n\n next check-in with the server, removing the need for the user to\n\n integrate it manually.\n\n CM tools are a powerful resource, but they have a barrier to entry.\n\n MOSE aims to remove this barrier and make post exploitation more\n\n approachable by providing a tool to translate the attacker's desired\n\n task into commands executable by the CM infrastructure.\n\n\n\n Jayson Grace\n\n Jayson Grace is a Penetration Tester on the Product Security Team at\n\n Splunk. Previously he founded and led the Corporate Red Team at Sandia\n\n National Laboratories. He holds a BS in Computer Science from the\n\n University of New Mexico, which gave him some great knowledge and also\n\n made him fatter and added a bunch of grey hairs. He has also previously\n\n worked as a tool developer, system administrator, and DevOps engineer.\n\n Jayson is passionate about empowering engineers to create secure\n\n applications, as well as coming up with novel automation methods to\n\n break things.\n\n Twitter: @Jayson_Grace\n\n Website: https://techvomit.net\n\n\n"
},
{
"Title": "Behind the Scenes of the DEF CON 27 Badge",
"Day": "Friday",
"Time": "10:00",
"Location": "Track 1",
"Description": "Behind the Scenes of the DEF CON 27 Badge\n\n\n\n Friday at 10:00 in Track 1\n\n 45 minutes | Tool\n\n\n\nJoe Grand (Kingpin)\n\n\n\n Incorporating natural elements, complex fabrication techniques, and\n\n components rarely seen by the outside world, the DEF CON 27 Badge\n\n brings our community together through Technology's Promise. Join DEF\n\n CON's original electronic badge designer Joe Grand on a\n\n behind-the-scenes journey of this year's development process and the\n\n challenges, risks, and adventures he faced along the way.\n\n\n\n Joe Grand (Kingpin)\n\n Joe Grand, also known as Kingpin, is a computer engineer, hardware\n\n hacker, DEF CON badge designer (14, 15, 16, 17, 18, China 1, 27),\n\n teacher, advisor, runner, daddy, honorary doctor, TV host, member of\n\n legendary hacker group L0pht Heavy Industries, and the proprietor of\n\n Grand Idea Studio (grandideastudio.com).\n\n Twitter: @joegrand\n\n Website: http://www.grandideastudio.com\n\n\n"
},
{
"Title": "Unpacking Pkgs: A Look Inside Macos Installer Packages And Common Security",
"Day": "Saturday",
"Time": "16:30",
"Location": "Track 1",
"Description": "Unpacking Pkgs: A Look Inside Macos Installer Packages And Common Security\n\nFlaws\n\n\n\n Saturday at 16:30 in Track 1\n\n 20 minutes | Demo\n\n\n\nAndy Grant Technical Vice President, NCC Group\n\n\n\n We are hackers, we won't do as you expect or play by your rules, and we\n\n certainly don't trust you. JAR files are really ZIPs...unzip them! So\n\n are Microsoft's DOCX, XLSX, PPTX, etc. Let's open them up! macOS\n\n applications (.app \"files\") are really directories you can browse?!\n\n Sweet, let's do that.\n\n Less well known but similarly prevalent are Flat Package Mac OS X\n\n Installer (.pkg) files. These are actually XAR archives that, among\n\n other things, contain many plaintext files (including shell, Perl, and\n\n Python scripts) as cpio files compressed using gzip.\n\n In this presentation I'll walk you through extracting the contents of\n\n these installer packages, understanding their structure, and seeing how\n\n they work while highlighting where security issues can come up. To\n\n drive the point home of what can go wrong, I'll include examples of\n\n serious security issues I've seen in the wild and show you how they can\n\n be exploited to elevate privileges and gain code/command execution.\n\n After this talk, .pkg files will no longer be opaque blobs to you.\n\n You'll walk away knowing tools and techniques to tear them open,\n\n understand how to evaluate what they're really doing on your computer,\n\n and a methodology for finding bugs in them. As a final bonus, I'll\n\n include a subtle trick or two that can be used on red teams.\n\n\n\n Andy Grant\n\n Andy Grant is a Technical Vice President for NCC Group. While at NCC\n\n Group, Andy has worked on a wide-variety of security assessment and\n\n advisory projects. He has performed numerous application assessments on\n\n mobile (Android, iOS, WP7), desktop (OS X/macOS, Windows, Linux), and\n\n web platforms. He has also performed many internal and external network\n\n penetration tests and widget/third-party platform reviews. Andy has\n\n worked with small tech start-ups, small and large software development\n\n groups, and large financial institutions. Andy has a BS in Computer\n\n Science and an Advanced Computer Security Certificate from Stanford\n\n University.\n\n Twitter: @andywgrant\n\n\n"
},
{
"Title": "Duplicating Restricted Mechanical Keys",
"Day": "Friday",
"Time": "10:00",
"Location": "Track 4",
"Description": "Duplicating Restricted Mechanical Keys\n\n\n\n Friday at 10:00 in Track 4\n\n 45 minutes | Exploit\n\n\n\nBill Graydon President and Principal, Physical Security Analytics\n\n\n\nRobert Graydon Principal, GGR Security\n\n\n\n Secure facilities in North America use lock systems like Medeco, Abloy,\n\n Assa and Mul-T-Lock partly to resist lock picking, but also to prevent\n\n the duplication and creation of unauthorised keys. Places such as the\n\n White House and the Canadian Parliament buildings go so far as to use a\n\n key profile exclusive to that facility to ensure that no-one is able to\n\n obtain key blanks on which to make a copy. However, there are tens of\n\n thousands of unrestricted key blank profiles in existence - many match\n\n very closely to these restricted key blanks, and can be used instead of\n\n the real blanks to cut keys on. Moreover, keys are just pieces of metal\n\n - we will present numerous practical techniques to create restricted\n\n keys without authorisation - including new attacks on Medeco,\n\n Mul-T-Lock and Abloy key control systems. We will touch on all aspects\n\n of key control, including patents and interactive elements, and discuss\n\n how to defeat them and how facility managers can fight back against\n\n these attacks.\n\n\n\n Bill Graydon\n\n Bill Graydon is a principal at GGR Security Consultants, and is active\n\n in research in electronic surveillance and alarm systems, human\n\n psychology in a secure environment and locking systems analysis. He\n\n received a Masters in computer engineering and a certificate in\n\n forensic engineering from the University of Toronto, applying this at\n\n GGR to develop rigorous computational frameworks to model and improve\n\n security in the physical world.\n\n Website: https://ggrsecurity.com/DEFCON\n\n\n\n Robert Graydon\n\n Robert is a principal at GGR security. With a strong interest driving\n\n him forward, he is researching lock manipulation, picking, bypass, and\n\n other vulnerabilities, to discover and evaluate possible flaws or\n\n methods of attack. He has well-honed skills such as lock picking,\n\n decoding, locksmithing, as well as a thorough understanding of the\n\n mechanics and function of many types of high security locks, and\n\n electronic security systems and components, allowing him to effectively\n\n search for and test methods of cracking high security systems.\n\n\n"
},
{
"Title": "SELECT code_execution FROM * USING SQLite;--Gaining code execution using a",
"Day": "Saturday",
"Time": "14:00",
"Location": "Track 1",
"Description": "SELECT code_execution FROM * USING SQLite;--Gaining code execution using a\n\nmalicious SQLite database\n\n\n\n Saturday at 14:00 in Track 1\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nOmer Gull Security Researcher at Check Point Software Technologies\n\n\n\n Everyone knows that databases are the crown jewels from a hacker's\n\n point of view, but what if you could use a database as the hacking tool\n\n itself? We discovered that simply querying a malicious SQLite database\n\n - can lead to Remote Code Execution. We used undocumented SQLite3\n\n behavior and memory corruption vulnerabilities to take advantage of the\n\n assumption that querying a database is safe.\n\n How? We created a rogue SQLite database that exploits the software used\n\n to open it.Exploring only a few of the possibilities this presents\n\n we'll pwn password stealer backends while they parse credentials files\n\n and achieve iOS persistency by replacing its Contacts database...\n\n The landscape is endless (Hint: Did someone say Windows 10 0-day?).\n\n This is extremely terrifying since SQLite3 is now practically built-in\n\n to any modern system.\n\n In our talk we also discuss the SQLite internals and our novel approach\n\n for abusing them. We had to invent our own ROP chain technique using\n\n nothing but SQL CREATE statements. We used JOIN statements for Heap\n\n Spray and SELECT subqueries for x64 pointer unpacking and arithmetics.\n\n It's a new world of using the familiar Structured Query Language for\n\n exploitation primitives,laying the foundations for a generic leverage\n\n of memory corruption issues in database engines.\n\n\n\n Omer Gull\n\n Omer Gull is a vulnerability researcher in the Malware and\n\n Vulnerability Research group at Check Point Software Technologies.\n\n Omer has a diverse background in security research, that includes web\n\n application penetration testing, RE and exploitation.\n\n He loves Rum, Old School Hip-Hop and Memory Corruptions.\n\n Twitter: @GullOmer\n\n\n"
},
{
"Title": "Next Generation Process Emulation with Binee",
"Day": "Saturday",
"Time": "14:00",
"Location": "Track 4",
"Description": "Next Generation Process Emulation with Binee\n\n\n\n Saturday at 14:00 in Track 4\n\n 45 minutes | Demo, Tool\n\n\n\nKyle Gwinnup Senior Threat Researcher, Carbon Black\n\n\n\nJohn Holowczak Threat Researcher\n\n\n\n The capability to emulate x86 and other architectures has been around\n\n for some time. Malware analysts have several tools readily available in\n\n the public domain. However, most of the tools stop short of full\n\n emulation, halting or doing strange things when emulating library\n\n functions or system calls not implemented in the emulator. In this talk\n\n we introduce a new tool into the public domain, Binee, a Windows\n\n Process emulator. Binee creates a nearly identical Windows process\n\n memory model inside the emulator, including all dynamically loaded\n\n libraries and other Windows process structures. Binee mimics much of\n\n the OS kernel and outputs a detailed description of all function calls\n\n with human readable parameters through the duration of the process.\n\n We've designed Binee with two primary use cases in mind; data\n\n extraction at scale with a cost and speed similar to common static\n\n analysis tools, and second, for malware analysts that need a custom\n\n operating system and framework without the overhead of spinning up\n\n various configurations of virtual machines. Currently Binee can run on\n\n Windows, OS X, and Linux.\n\n\n\n Kyle Gwinnup\n\n Kyle is a Senior Threat Researcher in Carbon Black's TAU team. He has\n\n over 10 years of experience in many areas of computer science and IT.\n\n Prior to Carbon Black, Kyle worked in finance and with the DoD in\n\n various roles ranging from network/systems administrator, software\n\n engineer, reverse engineer, penetration tester and offensive tool\n\n developer. At Carbon Black, Kyle's focus is on large scale program\n\n analysis, primarily static but moving asymptotically toward dynamic\n\n analysis.\n\n Twitter: @switchp0rt\n\n\n\n John Holowczak\n\n John is a Threat Researcher on Carbon Black's Threat Analysis Unit,\n\n focusing on automation of threat detection and building out\n\n infrastructure for large scale malware analysis. Within the field of\n\n threat detection and analysis, John specializes his research in binary\n\n classification, dynamic analysis and reverse engineering.\n\n Twitter: @skipwich\n\n\n"
},
{
"Title": "Hacking Congress: The Enemy Of My Enemy Is My Friend",
"Day": "Friday",
"Time": "10:00",
"Location": "Track 2",
"Description": "Hacking Congress: The Enemy Of My Enemy Is My Friend\n\n\n\n Friday at 10:00 in Track 2\n\n 45 minutes\n\n\n\nFormer Rep. Jane Harman President, The Wilson Center, Former Rep. (D-CA), aka\n\nSurfer Jane\n\n\n\nRep. James Langevin (D-RI)\n\n\n\nJen Ellis Director of Public Affairs, Rapid 7\n\n\n\nCris Thomas Director, X-Force Red Team, IBM, aka Space Rogue\n\n\n\nRep. Ted Lieu (D-CA)\n\n\n\n A SIMULATED crisis is unfolding on a national scale, based loosely on\n\n the NotPetya attack of 2017. Triggered by a yet-unknown adversary, what\n\n started as a an isolated technical issue has quickly escalated into a\n\n society-wide event affecting millions of citizens, several industries,\n\n and spanning government jurisdictions. Who is in charge, how do they\n\n cooperate with others, and how do they make decisions? The Wilson\n\n Center, Hewlett Foundation and I Am The Calvary are teaming up to bring\n\n public policymakers together with security researchers and others to\n\n discover how our nation might respond to a wide-scale \"cyber crisis\".\n\n Work in tandem with sitting Members of Congress to understand what\n\n levers of power Congress yields and how Members can address policy gaps\n\n in the future.\n\n\n\n Former Rep. Jane Harman\n\n The Hon. Jane Harman is President of the Wilson Center, a think tank in\n\n Washington, DC. She is a former nine-term Member of Congress who served\n\n on all the major security committees and represented an aerospace and\n\n technology hub in Southern California.\n\n Twitter: @thewilsoncenter\n\n Website: https://www.wilsoncenter.org/person/jane-harman\n\n\n\n Rep. James Langevin\n\n The Hon. Jim Langevin represents Rhode Island's 2nd Congressional\n\n district. He is Ranking Member of the Emerging Threats and Capabilities\n\n Subcommittee and a senior member of the Cybersecurity and\n\n Infrastructure Protection Subcommittee. Rep. Langevin is a member of\n\n the House Minority Whip Steny Hoyer's Senior Whip Team, and is\n\n responsible for educating other Democratic Members on key issues.\n\n Twitter: @jimlangevin\n\n Website: https://langevin.house.gov/about-me/full-biography\n\n\n\n Jen Ellis\n\n Jen Ellis is the Vice Preident of Community and Public Affairs at\n\n Rapid7. She works directly with security researchers, technology\n\n providers and operators, and government entities to help them\n\n understand and address cybersecurity challenges together.\n\n Twitter: @infosecjen\n\n Website: https://blog.rapid7.com/author/jen-ellis/\n\n\n\n Cris Thomas\n\n Cris Thomas works for IBM X-Force Red, and before that worked at\n\n Guardent, Trustwave, Tenable and others. Cris created the first\n\n security research think tank L0pht Heavy Industries and the video news\n\n show The Hacker News Network.\n\n Twitter: @spacerog\n\n Website: https://securityintelligence.com/author/cris-thomas/\n\n\n\n Rep. Ted Lieu\n\n The Hon. Ted Lieu represents California's 33rd Congressional district.\n\n Now in his third term in Congress, Rep. Lieu currently sits on the\n\n House Judiciary Committee and House Foreign Affairs Committee. He also\n\n serves as Co-Chair of the Democratic Policy and Communications\n\n Committee and has emerged as a leader in cybersecurity in Congress.\n\n Twitter: @RepTedLieu\n\n Website: https://lieu.house.gov/about/full-biography\n\n\n"
},
{
"Title": "Don't Red-Team AI Like a Chump",
"Day": "Friday",
"Time": "11:00",
"Location": "Track 1",
"Description": "Don't Red-Team AI Like a Chump\n\n\n\n Friday at 11:00 in Track 1\n\n 45 minutes | Demo, Tool\n\n\n\nAriel Herbert-Voss PhD student, Harvard University\n\n\n\n AI needs no introduction as one of the most overhyped technical fields\n\n in the last decade. The subsequent hysteria around building AI-based\n\n systems has also made them a tasty target for folks looking to cause\n\n major mischief. However, most of the popular proposed attacks\n\n specifically targeting AI systems focus on the algorithm rather than\n\n the system in which the algorithm is deployed. We'll begin by talking\n\n about why this threat model doesn't hold up in realistic scenarios,\n\n using facial detection and self-driving cars as primary examples. We\n\n will also learn how to more effectively red-team AI systems by\n\n considering the data processing pipeline as the primary target.\n\n\n\n Ariel Herbert-Voss\n\n Ariel Herbert-Voss is a PhD student at Harvard University, where she\n\n specializes in adversarial machine learning, cybersecurity,\n\n mathematical optimization, and dumb internet memes. She is an affiliate\n\n researcher at the MIT Media Lab and at the Vector Institute for\n\n Artificial Intelligence. She is a co-founder and co-organizer of the\n\n DEF CON AI Village, and loves all things to do with malicious uses and\n\n abuses of AI.\n\n Twitter: @adversariel\n\n\n"
},
{
"Title": "I'm on your phone, listening - Attacking VoIP Configuration Interfaces",
"Day": "Saturday",
"Time": "14:00",
"Location": "Track 2",
"Description": "I'm on your phone, listening - Attacking VoIP Configuration Interfaces\n\n\n\n Saturday at 14:00 in Track 2\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nStephan Huber Fraunhofer SIT\n\n\n\nPhilipp Roskosch\n\n\n\n If toasters talking to fridges is no joke to you, then you are aware of\n\n the big Internet of Things hype these days. While all kind of devices\n\n get connected and hacked, one of the oldest class of IoT devices seems\n\n to be forgotten even though it is literally everywhere - VoIP phones.\n\n For configuration and management purposes, VoIP phones run a web\n\n application locally on the device. We found several critical bugs\n\n (reported CVEs) in the web application as well as in the webserver\n\n which enabled us to hijack the phones. Starting with simple XSS and\n\n CSRF issues, via command injections and memory corruptions right\n\n through to remote code executions, all popular vulnerability classes\n\n can be found on those devices.\n\n We will present our findings together with the tools and strategies we\n\n used, and will enable you to do the same with your own phones and other\n\n IoT devices.\n\n Further, we will provide helpful ARM shell code patterns, scripts and\n\n tricks which hackers can use to find bugs. We will conclude our talk by\n\n showing that automatic tools fail to discover such vulnerabilities.\n\n Therefore, manual IoT pentesting is still required.\n\n If you think these management interfaces are not exposed to the\n\n internet, you are wrong. In a scan, we found thousands of reachable\n\n phones vulnerable to our exploits.\n\n\n\n Stephan Huber\n\n Stephan is a security researcher at the Testlab mobile security group\n\n at the Fraunhofer Institute for Secure Information Technology (SIT).\n\n His main focus is Android application security testing and IoT devices.\n\n He develops new static and dynamic analysis techniques for app security\n\n evaluation. He has found different vulnerabilities in well-known\n\n Android applications and the AOSP. He has delivered talks at\n\n conferences including DEF CON, HITB, AppSec and Virus Bulletin. In his\n\n spare time he enjoys teaching students Android hacking techniques.\n\n Twitter: @teamsik\n\n Website: www.team-sik.org\n\n\n\n Philipp Roskosch\n\n Philipp is a security researcher of the department Secure Software\n\n Engineering at Fraunhofer SIT (Germany). His research interests center\n\n on static and dynamic security analysis in the area of mobile apps and\n\n IoT devices. Besides research, he is a penetration tester in the same\n\n field. In his spare time, he enjoys hacking as a member of TeamSIK.\n\n\n"
},
{
"Title": "Weaponizing Hypervisors to Fight and Beat Car and Medical Devices Attacks",
"Day": "Saturday",
"Time": "10:00",
"Location": "Track 1",
"Description": "Weaponizing Hypervisors to Fight and Beat Car and Medical Devices Attacks\n\n\n\n Saturday at 10:00 in Track 1\n\n 45 minutes | Demo, Tool\n\n\n\nAli Islam CEO, Numen Inc.\n\n\n\nDan Regalado (DanuX) CTO, Numen Inc\n\n\n\n Historically, hypervisors have existed in the cloud for efficient\n\n utilization of resources, space, and money. The isolation feature is\n\n one of the reasons hypervisors are heavily moving to other ecosystems,\n\n like Automobiles, so that for example, if an Infotainment crashes, it\n\n does not affect other sensitive ECUs like ADAS. Blackberry QNX and AGL\n\n announced the use of hypervisors in their deployments on Cars.\n\n The trending is real, but there is a big challenge! Most of the systems\n\n in Cars and Medical devices run on ARM, plus, protection at the\n\n hypervisor level is still limited. So, is it possible to have a\n\n framework that runs at the hypervisor level, able to monitor at the OS\n\n level and most important, capable to identify and kill threats coming\n\n into the monitored devices?\n\n During this talk we will walk you through the steps needed to setup a\n\n framework running on Xilinx ZCU102 board able to monitor ARM-based\n\n devices and to kill malicious threats identified. Also will discuss\n\n challenges on syscall monitoring, single-stepping limitations,\n\n techniques to stay stealthy, techniques to detect and kill traditional\n\n malware seen in enterprise like Ransomware, Heap Exploits and\n\n capabilities on VM Escape attacks and feasibilty to detect Spectre-like\n\n exploits.\n\n\n\n Ali Islam\n\n Ali Islam Khan is the Chief Executive Officer (CEO) and Co-Founder of\n\n Numen Inc. He is also an avid C programmer and has developed the core\n\n set of Numen's Virtual Machine Introspection (VMI) capabilities. Before\n\n quitting his job to work full time on Numen, Ali was Director R&D at\n\n FireEye where he was leading the R&D efforts for FireEye's flagship\n\n email and network products. He is the founding member of FireEye Labs\n\n where he invented & developed some of the key detection technologies\n\n used in FireEye products today. Ali has multiple patents to his name\n\n and has over 13 years' experience in a wide range of cyber security\n\n disciplines, including cryptography, malware analysis, cyber-espionage\n\n and product development. He has successfully created and led global\n\n teams from scratch. Ali has spoken at conferences such as RSA and\n\n worked with various government agencies such as DHS, KISA on\n\n intelligence sharing efforts to counter nation-state level threats.\n\n Khan holds an MBA from UC Berkeley and a Master's degree in network\n\n security from Monash University, Australia. He is an AUSAID scholar and\n\n the recipient of the prestigious Golden Key Award.\n\n Twitter: @Ali_Islam_Khan\n\n LinkedIn: https://www.linkedin.com/in/aliislam/\n\n\n\n Dan Regalado (DanuX)\n\n Daniel Regalado aka DanuX is the CTO and Co-Founder of Numen Inc. He is\n\n a Mexican security researcher with more than 17 years in the scene. He\n\n has worked reversing malware and exploits at Symantec Security Response\n\n Team and FireEye Labs and lately focused on IoT threats at Zingbox. He\n\n is credited with the discovery of most of the ATM malware worldwide. He\n\n is the co-author of famous book Gray Hat Hacking and he likes to\n\n present his discoveries in major security conferences like RECon, RSA,\n\n DEF CON IoT/Car Hacking villages, BSIDES.\n\n Twitter: @danuxx\n\n LinkedIn: https://www.linkedin.com/in/daniel-regalado-200aa414/\n\n\n"
},
{
"Title": "Say Cheese - How I Ransomwared Your DSLR Camera",
"Day": "Sunday",
"Time": "11:00",
"Location": "Track 4",
"Description": "Say Cheese - How I Ransomwared Your DSLR Camera\n\n\n\n Sunday at 11:00 in Track 4\n\n 45 minutes | Demo, Exploit\n\n\n\nEyal Itkin Vulnerability Researcher at Check Point Software Technologies\n\n\n\n It's a nice sunny day on your vacation, the views are stunning, and\n\n like on any other day you take out your DSLR camera and start taking\n\n pictures. Sounds magical right? But when you get back to your hotel the\n\n real shock hits you: someone infected your camera with ransomware! All\n\n your images are encrypted, and the camera is locked. How could that\n\n happen?In this talk, we show a live demo of this exact scenario. Join\n\n us as we take a deep dive into the world of the Picture Transfer\n\n Protocol (PTP). The same protocol that allows you to control your\n\n camera from your phone or computer, can also enable any attacker to do\n\n that and more. We will describe in detail how we found multiple\n\n vulnerabilities in the protocol and how we exploited them remotely(!)\n\n to take over this embedded device.But it doesn't end here. While\n\n digging into our camera, we found a reliable way to take over most of\n\n the DSLR cameras without exploiting any vulnerability at all. We simply\n\n had to ask our camera to do that for us, and it worked.\n\n This is the first vulnerability research on the Picture Transfer\n\n Protocol, a vendor agnostic logical layer that is common to all\n\n modern-day cameras. As DSLR cameras are used by consumers and\n\n journalists alike, this opens up the door for future research on these\n\n sensitive embedded devices.\n\n\n\n Eyal Itkin\n\n Eyal Itkin is a vulnerability researcher in the Malware and\n\n Vulnerability Research group at Check Point Software Technologies. Eyal\n\n has an extensive background in security research, that includes years\n\n of experience in embedded network devices and protocols, bug bounties\n\n from all popular interpreter languages, and an award by Microsoft for\n\n his CFG enhancement white paper. When not breaking I2P or FAX, he loves\n\n bouldering, swimming, and thinking about the next target for his\n\n research.\n\n Twitter: @EyalItkin\n\n\n"
},
{
"Title": "Meticulously Modern Mobile Manipulations",
"Day": "Saturday",
"Time": "11:00",
"Location": "Track 4",
"Description": "Meticulously Modern Mobile Manipulations\n\n\n\n Saturday at 11:00 in Track 4\n\n 45 minutes | Demo\n\n\n\nLeon Jacobs Researcher - SensePost\n\n\n\n Mobile app hacking peaked in 2015 with tools like keychain-dumper &\n\n ssl-kill-switch released but requiring jailbroken/rooted devices. Back\n\n then, wresting the power to understand & modify apps on our devices\n\n from dystopian looking mega corps was our cause. As jailbreaks became\n\n infrequent, the hackers' arsenal was left behind. While this is\n\n progress against dark uses of hacking, done to protect our freedom\n\n fighters, how can hackers still hold power to account? Can we still\n\n find flaws in apps/devices & live up to the protections the technology\n\n promises?\n\n Enter runtime binary instrumentation with Frida. It's possible to\n\n analyze apps in their final state when executed on real hardware\n\n running the latest iOS/Android with no jailbreaks. This fills a gap\n\n between source analysis & debuggers. But, simply enumerating app\n\n classes requires studying multiple blogs & a deep read of the docs. We\n\n created Objection to simplify this & hide the boilerplate so hackers\n\n could focus on unravelling apps. But, many people still rely on simple\n\n hacks & automation & rarely use new advanced techniques such as\n\n reflectively inspecting live heap objects, canary execution tracing,\n\n runtime memory edits and filesystem exploration.\n\n We'll show hackers, malware researchers & security engineers how to use\n\n these advanced mobile hacking techniques.\n\n\n\n Leon Jacobs\n\n Leon has been hacking for over a decade. He's plied his trade at\n\n SensePost for the last three having previously worked for a bank and\n\n ISP in South Africa. Leon spends most of his daytime hours hacking\n\n large networks or web and mobile applications. Leon spends most of his\n\n nighttime hours building hacking tools and techniques to contribute\n\n back to the community.\n\n Twitter: @leonjza\n\n\n"
},
{
"Title": "Vacuum Cleaning Security--Pinky and the Brain Edition",
"Day": "Saturday",
"Time": "16:00",
"Location": "Track 4",
"Description": "Vacuum Cleaning Security--Pinky and the Brain Edition\n\n\n\n Saturday at 16:00 in Track 4\n\n 20 minutes | Exploit\n\n\n\njiska TU Darmstadt, Secure Mobile Networking Lab\n\n\n\nclou (Fabian Ullrich)\n\n\n\n Data collected by vacuum cleaning robot sensors is highly\n\n privacy-sensitive, as it includes details and metadata about consumers'\n\n habits, how they live, when they work or invite friends, and more.\n\n Connected vacuum robots are not as low-budget as other IoT devices and\n\n vendors indeed invest into their security. This makes vacuum cleaning\n\n robot ecosystems interesting for further analysis to understand their\n\n security mechanisms and derive takeaways.\n\n In this talk we discuss the security of the well-protected Neato and\n\n Vorwerk ecosystems. Their robots run the proprietary QNX operating\n\n system, are locally protected with secure boot, and use various\n\n mechanisms that ensure authentication and encryption in the cloud\n\n communication. Nonetheless, we were able to bypass substantial security\n\n components and even gain unauthenticated privileged remote execution on\n\n arbitrary robots. We present how we dissected ecosystem components\n\n including a selection of vacuum robot firmwares and their cloud\n\n interactions.\n\n\n\n jiska\n\n Jiska has a M.Sc. in IT-Security. She is a PhD student at the Secure\n\n Mobile Networking Lab (TU Darmstadt) since May 2014. Her main research\n\n interest are wireless physical layer security and reverse engineering.\n\n You might also know her embroidery projects or game shows from past CCC\n\n events.\n\n Twitter: @seemoolab\n\n\n\n clou (Fabian Ullrich)\n\n Fabian has a M.Sc. in IT-Security. He is working as a researcher and\n\n analyst at ERNW. His main research interests are full stack IoT and web\n\n application security. In his free time, Fabian likes to capture some\n\n flags.\n\n\n"
},
{
"Title": "Your Car is My Car",
"Day": "Saturday",
"Time": "11:00",
"Location": "Track 1",
"Description": "Your Car is My Car\n\n\n\n Saturday at 11:00 in Track 1\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nJmaxxz\n\n\n\n For many of us, our cars are one of the largest purchases we will ever\n\n make. In an always connected world it is natural that we would want to\n\n have the convenience of being able to remotely monitor our vehicles: to\n\n do everything from remind ourselves exactly where exactly we parked,\n\n verify we locked our vehicle, or even remote start it so it will be\n\n warmed up (or cooled down) when we get in. There are a variety of\n\n vendors offering aftermarket alarm systems that provide these\n\n conveniences and offer a peace of mind. But how much can we trust the\n\n vendors of these systems are protecting access to our cars in the\n\n digital domain? In this talk, Jmaxxz will tell the story of what he\n\n found when he looked into one such system.\n\n\n\n Jmaxxz\n\n Jmaxxz works as a software engineer, but is a hacker by passion. He is\n\n best known for his work on the August Smart Lock (DEF CON 24\n\n \"Backdooring the Frontdoor\"). In recent years IoT devices have been the\n\n focus of his work. He participated in the IoT village zero day track at\n\n DEF CON 24 and DEF CON 25. After enduring several polar vortexes, he\n\n decided it was probably time to investigate an IoT remote car starter.\n\n twitter: @jmaxxz Website: jmaxxz.com\n\n\n"
},
{
"Title": "Surveillance Detection Scout - Your Lookout on Autopilot",
"Day": "Friday",
"Time": "16:00",
"Location": "Track 3",
"Description": "Surveillance Detection Scout - Your Lookout on Autopilot\n\n\n\n Friday at 16:00 in Track 3\n\n 20 minutes | Demo, Tool\n\n\n\nTruman Kain Sr. Information Security Analyst at Tevora\n\n\n\n Surveillance detection routes are a daily occurrence for clandestine\n\n operatives and agents all over the world. These mentally taxing\n\n counter-surveillance measures often mean the difference between life\n\n and death. Surveillance Detection Scout hopes to ease that burden.\n\n Scout currently supports Tesla Models S, 3 and X, running license plate\n\n recognition on 3 camera feeds to alert you in real time if you're being\n\n followed. When you park, Scout remains vigilant, implementing familiar\n\n face detection as well. By combining timestamped vehicle location data\n\n & video, computer vision and an intuitive web interface, it becomes\n\n apparent that Scout has just as many offensive as defensive\n\n applications. Over time, SDS captures and reports on observed patterns\n\n of life, allowing you to quickly gain an overview of your surroundings\n\n (or your target) with minimal effort. Whether you're conducting or\n\n evading surveillance, Scout has got your 6.\n\n\n\n Truman Kain\n\n Truman Kain has a background in design and marketing, which he utilized\n\n to develop Dragnet, an intuitive, AI-powered social engineering\n\n framework released at DEF CON 26. This year, he has combined his\n\n machine learning and design experience to make Surveillance Detection\n\n Scout look and feel as OEM as possible.\n\n Twitter: @trumankain\n\n\n"
},
{
"Title": "100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream",
"Day": "Friday",
"Time": "15:00",
"Location": "Track 3",
"Description": "100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream\n\nShenanigans\n\n\n\n Friday at 15:00 in Track 3\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nJatin Kataria Principal Scientist, Red Balloon Security\n\n\n\nRick Housley Research Scientist, Red Balloon Security\n\n\n\nAng Cui Chief Scientist, Red Balloon Security\n\n\n\n First commercially introduced in 2013, Cisco Trust Anchor module(TAm)\n\n is a proprietary hardware security module that is used in a wide range\n\n of Cisco products, including enterprise routers, switches and\n\n firewalls. TAm is the foundational root of trust that underpins all\n\n other Cisco security and trustworthy computing mechanisms in such\n\n devices. We disclose two 0-day vulnerabilities and show a remotely\n\n exploitable attack chain that reliably bypasses Cisco Trust Anchor. We\n\n present an in-depth analysis of the TAm, from both theoretical and\n\n applied perspectives. We present a series of architectural and\n\n practical flaws of TAm, describe theoretical methods of attack against\n\n such flaws. Next, we enumerate limitations in current state-of-the-art\n\n offensive capabilities that made the design of TAm seem secure.\n\n Using Cisco 1001-X series of Trust Anchor enabled routers as a\n\n demonstrative platform, we present a detailed analysis of a current\n\n implementation of TAm, including results obtained through hardware\n\n reverse engineering, Trust Anchor FPGA bitstream analysis, and the\n\n reverse engineering of numerous Cisco trustworthy computing mechanisms\n\n that depend on TAm. Finally, we present two 0-day vulnerabilities\n\n within Cisco IOS and TAm and demonstrate a remotely exploitable attack\n\n chain that results in persistent compromise of an up-to-date Cisco\n\n router. We discuss the implementation of our TAm bypass, which involves\n\n novel methods of reliably manipulating FPGA functionality through\n\n bitstream analysis and modification while circumventing the need to\n\n perform RTL reconstruction. The use of our methods of manipulation\n\n creates numerous possibilities in the exploitation of embedded systems\n\n that use FPGAs. While this presentation focuses on the use of our FPGA\n\n manipulation techniques in the context of Cisco Trust Anchor, we\n\n briefly discuss other uses of our bitstream modification techniques.\n\n\n\n Jatin Kataria\n\n Jatin Kataria is the Principal Research Scientist at Red Balloon\n\n Security where he architects defensive technologies for embedded\n\n systems. Playing both the role of cat and of mouse at Red Balloon has\n\n many suggesting that he may be the first real source of perpetual\n\n energy. He tires of n-days easily and is always looking for new and\n\n exciting ELF shenanigans, caching complications, and the Fedex guy who\n\n lost his engagement ring. Prior to his time at Red Balloon Security,\n\n Jatin worked at a number of firms as a systems software developer and\n\n earned his Master of Engineering at Columbia University.\n\n Twitter: @jatinkataria\n\n\n\n Rick Housley\n\n Rick Housley is a Research Scientist at Red Balloon Security and leads\n\n their advanced hardware reverse engineering efforts. He often finds\n\n himself at the end of a soldering iron hoping he has not bricked\n\n another expensive COTs product. His focus at Red Balloon includes the\n\n discovery of previously unknown vulnerabilities, novel firmware\n\n extraction techniques, and advanced physical reverse engineering using\n\n custom tooling. When not designing secure-boot defeating EMPs and\n\n interposers, he is building axe handles and baby rattles in his\n\n woodshop.\n\n Twitter: @rickyhousley\n\n\n\n Ang Cui\n\n Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security.\n\n Dr. Cui received his PhD from Columbia University in 2015. His doctoral\n\n dissertation, titled \"Embedded System Security: A Software-based\n\n Approach\", focused exclusively on scientific inquiries concerning the\n\n exploitation and defense embedded systems. Ang has focused on\n\n developing new technologies to defend embedded systems against\n\n exploitation. During the course of his research, he has uncovered a\n\n number of serious vulnerabilities within ubiquitous embedded devices\n\n like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also\n\n the author of FRAK and the inventor of Software Symbiote technology.\n\n Ang has received various awards on his work on reverse engineering\n\n commercial devices and is also the recipient of the Symantec Graduate\n\n Fellowship and was selected as a DARPA Riser in 2015.\n\n\n"
},
{
"Title": "Confessions of an Nespresso Money Mule: Free Stuff & Triangulation Fraud",
"Day": "Saturday",
"Time": "16:00",
"Location": "Track 3",
"Description": "Confessions of an Nespresso Money Mule: Free Stuff & Triangulation Fraud\n\n\n\n Saturday at 16:00 in Track 3\n\n 20 minutes\n\n\n\nNina Kollars Associate Professor Naval War College Strategic and Operational\n\nResearch Department\n\n\n\nKitty Hegemon\n\n\n\n In 2018 I somewhat innocently bought very expensive coffee (Nespresso\n\n capsules) online from Ebay. What followed was a series of unexpected\n\n additional packages from the manufacturer Nespresso and a lurking\n\n suspicion that something had gone terribly--if not criminally--wrong as\n\n a result of my purchase. This talk chronicles the obnoxious amounts of\n\n obsessive research and tracking that became my new hobby--stalking\n\n Nespresso fraudsters and my decidedly non-technical attempts at\n\n developing a generic search profile and reporting the fraudsters to\n\n anyone who would listen, to include : the persons whose identities had\n\n been stolen, Nespresso, Ebay, and the FBI. Ultimately I just ended up\n\n with a LOT of coffee; a lingering sense that I had committed several\n\n crimes; and no faith left in humanity.\n\n\n\n Nina Kollars\n\n Nina Kollars is writing a book about the ways in which hackers\n\n contribute to national security. She is a political scientist whose\n\n main research is in technological adaptation by users. Kollars is\n\n Associate Professor for the Naval War College in the Strategic and\n\n Operational Research Department. She conducts research on military\n\n weapons and the humans who use them. Largely unsatisfied with sitting\n\n still, Kollars has also worked for the Library of Congress' Federal\n\n Research Division, the Department of Afro-American Studies at Harvard\n\n University, the World Bank, an anti-glare coating factory on the third\n\n shift, and volunteers for BSides. She is the former viceroy of the DC\n\n strategy group Cigars, Scotch, and Strategy. She is also a certified\n\n bourbon steward.\n\n Twitter: @nianasavage\n\n\n"
},
{
"Title": "Process Injection Techniques - Gotta Catch Them All",
"Day": "Friday",
"Time": "12:00",
"Location": "Track 1",
"Description": "Process Injection Techniques - Gotta Catch Them All\n\n\n\n Friday at 12:00 in Track 1\n\n 45 minutes | Tool\n\n\n\nItzik Kotler Co-Founder & CTO at SafeBreach\n\n\n\nAmit Klein VP Security Research at SafeBreach\n\n\n\n When it comes to process injection in Windows, there are only 6-7\n\n fundamental techniques, right? Wrong. In this talk, we provide the most\n\n comprehensive to-date \"Windows process injection\" collection of\n\n techniques. We focus on Windows 10 x64, and on injections from running\n\n 64-bit medium integrity process to another running 64-bit medium\n\n integrity process, without privilege elevation. We pay special\n\n attention to the new Windows protection technologies, e.g. CFG and CIG.\n\n We differentiate between memory write primitives and execution\n\n techniques, and discuss memory allocation strategies. Our collection is\n\n curated, analyzed, tabulated, with straight-forward, research-grade\n\n PoCs. We tested each technique against Windows 10 x64 with and without\n\n protections, and we report on the requirements, limitations, and quirks\n\n of each technique. And of course - no decent DEF CON presentation is\n\n complete without new attacks. We describe a new memory writing\n\n primitive which is CFG-agnostic. We describe a new \"stack bombing\"\n\n execution method (based on the memory write primitive above) that is\n\n inherently safe (even though overwriting the stack is a-priori a\n\n dangerous and destabilizing action). Finally, we release a library of\n\n all write primitives and execution methods, so users can generate\n\n \"tailor-made\" process injections.\n\n\n\n Itzik Kotler\n\n Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a\n\n decade of experience researching and working in the computer security\n\n space. He is a recognized industry speaker, having spoken at DEF CON,\n\n Black Hat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding\n\n SafeBreach, Itzik served as CTO at Security-Art, an information\n\n security consulting firm, and before that he was SOC Team Leader at\n\n Radware. (NASDQ: RDWR).\n\n Website: http://www.ikotler.org\n\n Twitter: @itzikkotler\n\n\n\n Amit Klein\n\n Amit Klein is a world renowned information security expert, with 28\n\n years in information security and over 30 published technical and\n\n academic papers on this topic. Amit is the VP Security Research at\n\n SafeBreach, responsible for researching various infiltration,\n\n exfiltration and lateral movement attacks. Before SafeBreach, Amit was\n\n the CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to\n\n Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2\n\n years, and prior to that, director of Security and Research for Sanctum\n\n (acquired by Watchfire, now part of IBM security division) for 7 years.\n\n Amit has a B.Sc. from the Hebrew University in Mathematics and Physics\n\n (magna cum laude, Talpiot program), recognized by InfoWorld as a CTO of\n\n the year 2010 , and has presented at BlackHat USA, DEF CON, NDSS, OWASP\n\n Global (keynote), InfoCom, DSN, HITB, RSA, OWASP EU, CertConf, BlueHat,\n\n CyberTech, APWG and AusCERT (keynote).\n\n Website: http://www.securitygalore.com/\n\n\n"
},
{
"Title": "Intro to Embedded Hacking--How you too can find a decade old bug in widely",
"Day": "Thursday",
"Time": "13:00",
"Location": "DC101, Paris Theatre",
"Description": "Intro to Embedded Hacking--How you too can find a decade old bug in widely\n\ndeployed devices. [REDACTED] Deskphones, a case study.\n\n\n\n Thursday at 13:00 in DC101, Paris Theatre\n\n 45 minutes | Demo, Exploit\n\n\n\nPhilippe Laulheret Senior Security Researcher @ McAfee Advanced Threat\n\nResearch\n\n\n\n From small business to large enterprise, VOIP phones can be found on\n\n nearly every desk. But how secure are they? What if your phone was\n\n spying on every conversation you have?\n\n This talk is an introduction to hardware hacking and as a case study\n\n I'll use the [REDACTED] Deskphone, a device frequently deployed in\n\n corporate environments. I'll use it to introduce the tools and\n\n methodology needed to answer these questions.\n\n During this talk, attendees will get a close up look at the operations\n\n of a hardware hacker, including ARM disassembly, firmware extraction\n\n using binwalk, micro-soldering to patch an EEPROM and get a root shell\n\n over UART, and ultimately uncover an already known decade-old bug that\n\n somehow remained unnoticed in the device's firmware.\n\n Beyond the case study I will also address alternative tactics; some did\n\n not work, others may have but were not the lowest-hanging fruit. When\n\n it comes to hardware hacking, the process is as important as the\n\n result; knowing that there are multiple ways to reach the end goal\n\n helps researchers remain confident when hurdles arise. After the talk,\n\n attendees will have an increased distrust towards always-on devices;\n\n however, they will have the background knowledge to investigate the\n\n products and systems they encounter daily.\n\n\n\n Philippe Laulheret\n\n Philippe Laulheret is a Senior Security Researcher on the McAfee\n\n Advanced Threat Research team. With a focus on Reverse Engineering and\n\n Vulnerability Research, Philippe uses his background in Embedded\n\n Security and Software Engineering to poke at complex system and get\n\n them to behave in interesting ways. He previously talked about Reverse\n\n Engineering PSX game at Bsides PDX, created & contributed to some\n\n Hardware Hacking CTF when working at Red Balloon Security and shared\n\n the love of tearing apart VOIP phones during ad-hoc workshops at\n\n multiple conferences (Summer Con, Hardware Hacking Village, etc.)\n\n Twitter: @phLaul\n\n\n"
},
{
"Title": "EDR Is Coming; Hide Yo Sh!t",
"Day": "Saturday",
"Time": "10:00",
"Location": "Track 4",
"Description": "EDR Is Coming; Hide Yo Sh!t\n\n\n\n Saturday at 10:00 in Track 4\n\n 45 minutes | Demo, Tool\n\n\n\nMichael Leibowitz Principal Troublemaker\n\n\n\nTopher Timzen (@TTimzen), Principal Vulnerability Enthusiast\n\n\n\n There's a new, largely unaddressed threat in the security industry\n\n today, Endpoint Detection and Response (EDR), which aims to stop threat\n\n actors in their tracks. The scenario plays out like this... At first\n\n your campaign is going well and your attacker objectives are being met.\n\n Then, your lovingly crafted payloads become analyst samples, you're\n\n evicted from the environment and you lose your persistence. You and the\n\n analyst are now having a bad time. You may feel this is just fear\n\n mongering, but we assure you, the risk is real.Fortunately, we have a\n\n few new tricks up our sleeves to keep this nightmare scenario at bay.\n\n While many would have you believe that we live in a measured and signed\n\n boot Utopia on modern systems, we will show you the seedy underbelly of\n\n this Brave New World. By abusing early boot mechanisms and UEFI\n\n platform firmware, we are able to evade common detection. By showing up\n\n early to the fight, we sucker punch EDR, leaving it in a daze unable to\n\n see our malicious activities. We put a new twist on old code injection\n\n techniques and maintain persistence in UEFI firmware, making an\n\n effective invisibility cloak. By leveraging these two techniques, you\n\n and the analyst can have a happy and relaxing evening. From that point\n\n on - the good ol' days are back again! Plunder away!\n\n\n\n Michael Leibowitz\n\n Michael (@r00tkillah) has done hard-time in real-time. An old-school\n\n computer engineer by education, he spends his days hacking the\n\n mothership for a fortune 100 company. Previously, he developed and\n\n tested embedded hardware and software, fooled around with strap-on boot\n\n roms, mobile apps, office suites, and written some secure software. On\n\n nights and weekends he hacks on electronics, writes CFPs, and\n\n contributes to the NSA Playset.\n\n Twitter: @r00tkillah\n\n\n\n Topher Timzen\n\n Topher Timzen (@TTimzen) is currently a Principal Vulnerability\n\n Enthusiast and enjoys causing constructive mischief. Topher has spoken\n\n at conferences such as DEF CON, SecTor and BSidesPDX on offensive\n\n security research. Enjoying teaching, particularly about exploitation,\n\n he has been running the CTF at BSidesPDX for the past few years. Topher\n\n is located in the woods hiking or mountain biking when not computing.\n\n Collectively they have pretended to be bears, slayed a dragon or two,\n\n and have managed to not bring down a production server (for long). In\n\n reality, they just want to write malware.\n\n Twitter: @Ttimzen\n\n\n"
},
{
"Title": "API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web",
"Day": "Friday",
"Time": "12:00",
"Location": "Track 4",
"Description": "API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web\n\n\n\n Friday at 12:00 in Track 4\n\n 45 minutes | Demo, Exploit\n\n\n\nJoshua Maddux Security Researcher / Software Engineer, PKC Security\n\n\n\n The 2016 WWDC saw the dawn of Apple Pay Web, an API that lets websites\n\n embed an Apple Pay button within their web-facing stores. Supporting it\n\n required a complex request flow, complete with client certificates and\n\n a custom session server. This proved detrimental, since Apple failed to\n\n caution against important side effects of taking in untrusted URLs. As\n\n a result, many new SSRF vulnerabilities entered the world. Worse yet,\n\n while they were exploitable and discoverable in similar ways, they were\n\n spread across distinct codebases in several programming languages, so\n\n could not be patched in any generic way.\n\n Apple is not alone - in the process of gluing the web together, Twilio,\n\n Salesforce, and others have all created similarly broad attack\n\n surfaces. When companies fail to take an honest, empathetic look at how\n\n clients will use a product, they shove along hidden security burdens.\n\n Those who integrate with an API have less context than those who create\n\n it, so are in a worse position to recognize these risks.\n\n Engineers have been talking about defensive programming for decades,\n\n but top companies still have trouble practicing it. In this talk we\n\n explore these mistakes with demos of affected software, and introduce a\n\n powerful model for finding broad classes of bugs.\n\n\n\n Joshua Maddux\n\n Joshua Maddux started out as a software engineer. After a few years,\n\n having introduced his share of problems to the world, he turned his\n\n life around and started hunting for vulnerabilities. Now at PKC\n\n Security he does a mix of software development and white-box\n\n penetration testing, with a focus on helping startups move fast without\n\n breaking too many things.\n\n Aside from pentesting for clients, Joshua is also active in the bug\n\n bounty world. His past research has led to security updates in Java,\n\n Gitlab, United Airlines, Zapier, and others.\n\n Twitter: @joshmdx\n\n\n"
},
{
"Title": "HVACking: Understand the Difference Between Security and Reality!",
"Day": "Friday",
"Time": "13:00",
"Location": "Track 2",
"Description": "HVACking: Understand the Difference Between Security and Reality!\n\n\n\n Friday at 13:00 in Track 2\n\n 45 minutes | Demo\n\n\n\nDouglas McKee Senior Security Researcher, McAfee Advanced Threat Research\n\n\n\nMark Bereza Security Researcher, McAfee Advanced Threat Research\n\n\n\n Like most modern devices, building controllers have increasingly become\n\n network connected, exposing them to a wider range of threats. If\n\n malicious actors could manipulate access control systems, boiler rooms,\n\n or temperature control for critical industrial systems, the potential\n\n for catastrophic damage is extreme.\n\n McAfee's ATR team has discovered a 0-day vulnerability in a major\n\n building controller. This controller is a fully programmable native\n\n BACnet(TM) device designed to manage a wide range of building systems.\n\n By modifying BACnet broadcast traffic, a buffer overflow can be\n\n leveraged into a write-what-where (WWW) condition. This WWW leads to\n\n execution control, providing the attacker with a root shell and\n\n complete control over the device remotely. Because this attack vector\n\n is through BACnet broadcast traffic, there is no authentication\n\n mechanism for the target device, allowing anyone on the same network to\n\n communicate with it directly and exploit the vulnerability without\n\n authentication. Currently, there are over 500 of these devices\n\n connected to the internet running in BACnet/IP Broadcast Management\n\n Device (BBMD) mode. Utilizing this mode, broadcast traffic can travel\n\n over the internet, increasing the potentially devastating impact of\n\n this vulnerability.\n\n This presentation will include a deep technical analysis of the\n\n vulnerability discovery process and demos illustrating an attack in a\n\n critical scenario. Finally, we will discuss the steps taken by the\n\n vendor to patch this vulnerability and demonstrate its effectiveness.\n\n\n\n Douglas McKee\n\n Douglas McKee is a senior security researcher for the McAfee Advanced\n\n Threat Research team, focused on finding new vulnerabilities in both\n\n software and hardware. Douglas has an extensive background in\n\n penetration testing, reverse engineering, malware analysis and\n\n forensics and throughout his career has provided software exploitation\n\n training to many audiences, including law enforcement. Douglas recently\n\n presented his research focused on hacking medical devices at DEF CON\n\n 26.\n\n Twitter: @fulmetalpackets\n\n\n\n Mark Bereza\n\n Mark Bereza is a security researcher and new addition to McAfee's\n\n Advanced Threat Research team. A recent alumnus of Oregon State's CS\n\n systems program, Mark's work has focused primarily on vulnerability\n\n discovery and exploit development for embedded systems.\n\n\n"
},
{
"Title": "Change the World, cDc Style: Cow tips from the first 35 years",
"Day": "Friday",
"Time": "15:00",
"Location": "Track 2",
"Description": "Change the World, cDc Style: Cow tips from the first 35 years\n\n\n\n Friday at 15:00 in Track 2\n\n 45 minutes\n\n\n\nJoseph Menn Author, Cult of the Dead Cow: How the Original Hacking Supergroup\n\nMight Just Save the World (PublicAffairs, June 2019)\n\n\n\nPeiter Mudge Zatko\n\n\n\nChris Dildog Rioux\n\n\n\nDeth Vegetable\n\n\n\nOmega\n\n\n\n The Cult of the Dead Cow changed the culture of the entire security\n\n industry, the attitude of companies who had ignored risks, and even how\n\n the feds dealt with hackers. In this session, four key figures from the\n\n group's first 35 years will cover their greatest hits and screw-ups,\n\n highlighting the lessons for other hackers out to make a difference.\n\n They will be questioned by Joseph Menn, whose new book on the group\n\n shows how it evolved from a network of bulletin board operators to the\n\n standard-bearers of hacker culture. cDc Minister of Propaganda Deth\n\n Vegetable and long serving text-file editor Omega will appear for the\n\n first time under their real names, covering the group's formative years\n\n and how it handled such recent controversies as WikiLeaks, neo-Nazis,\n\n and the presidential candidacy of cDc alum Beto O'Rourke.\n\n cDc tech luminaries Zatko and Rioux will discuss the release of Back\n\n Orifice at Def Con in 1998, which allowed non-hackers to hijack Windows\n\n machines, drawing worldwide attention to the insecurity of Microsoft's\n\n operating system, and Rioux's pathbreaking sequel, Back Orifice 2K,\n\n which prompted Microsoft to hire hackers as security consultants,\n\n including those from Zatko and Rioux's @stake. Zatko will share\n\n insights from leading inside the government, where he ran cybersecurity\n\n grantmaking at DARPA, the people who brought you the internet. And\n\n Rioux will explain what's possible in the private sector, where he\n\n co-founded unicorn Veracode, which dramatically improved code review by\n\n major software buyers.\n\n\n\n Joseph Menn\n\n Joseph Menn has just published Cult of the Dead Cow: How the Original\n\n Hacking Supergroup Might Just Save the World. He is an investigative\n\n reporter on security, and has covered the issue since 1999 at the Los\n\n Angeles Times, Financial Times and most recently Reuters. His previous\n\n books include Fatal System Error: The Hunt for the New Crime Lords who\n\n are Bringing Down the Internet and All the Rave: The Rise and Fall of\n\n Shawn Fanning's Napster.\n\n Twitter: @josephmenn Website:\n\n https://www.facebook.com/Joseph-Menn-author-of-Cult-of-the-Dead-Cow-and\n\n -Fatal-System-Error-178879563940/\n\n\n\n Peiter Mudge Zatko\n\n Mudge fronted the pioneer hacker space the L0pht and turned it into a\n\n venture-backed security business @Stake. He led sensitive government\n\n work at BBN and cybersecurity at DARPA before joining Google to work on\n\n special projects. He also led security at Stripe and founded Cyber-ITL,\n\n an independent testing lab for software security.\n\n Twitter: @dotMudge\n\n\n\n Chris Dildog Rioux\n\n Rioux was the first employee of the L0pht, updated password cracker\n\n L0phtcrack, stayed with @stake through its acquisition by Symantec and\n\n founded Veracode.\n\n Twitter: @dildog\n\n\n\n Deth Vegetable\n\n Veggie took a break to go to graduate school in archaeology. He's back\n\n now.\n\n Twitter: @dethveggie\n\n\n\n Omega\n\n Omega has been very quietly working in security for a long time.\n\n\n"
},
{
"Title": "Get off the Kernel if you can't Drive",
"Day": "Saturday",
"Time": "15:00",
"Location": "Track 1",
"Description": "Get off the Kernel if you can't Drive\n\n\n\n Saturday at 15:00 in Track 1\n\n 45 minutes | Demo. Tool, Exploit\n\n\n\nJesse Michael\n\n\n\nMickey Shkatov\n\n\n\n For software to communicate with hardware, it needs to talk to a\n\n kernel-mode driver that serves as a middle-man between the two, helping\n\n to make sure everything operates as it should. In Windows that is done\n\n using the Kernel-Mode Driver Framework (KMDF).\n\n These drivers are used to control everything in your computer, from\n\n small things like CPU fan speed, color of your motherboard LED lights,\n\n up to flashing a new BIOS.\n\n However, as the code in these drivers runs with the same privileges as\n\n the rest of the kernel, malicious drivers can be used to compromise the\n\n security of the platform. To that end, Microsoft relies on WHQL, code\n\n signing, and EV Signing to prevent drivers which have not been approved\n\n by Microsoft from being loaded into the kernel.\n\n Unfortunately, security vulnerabilities in signed drivers can be used\n\n to as a proxy to read and write hardware resources such as kernel\n\n memory, internal CPU configuration registers, PCI devices, and more.\n\n These helpful driver capabilities can even be misused to bypass and\n\n disable Windows protection mechanisms.\n\n Let us teach you how these drivers work, show you the unbelievable risk\n\n they pose, and enjoy our walk of shame as we parade all the silly and\n\n irresponsible things we discovered in our research.\n\n\n\n Jesse Michael\n\n Jesse Michael is an experienced security researcher focused on\n\n vulnerability detection and mitigation who has worked at all layers of\n\n modern computing environments from exploiting worldwide corporate\n\n network infrastructure down to hunting vulnerabilities inside\n\n processors at the hardware design level. His primary areas of expertise\n\n include reverse engineering embedded firmware and exploit development.\n\n He has also presented research at DEF CON, Black Hat, PacSec, Hackito\n\n Ergo Sum, Ekoparty, and BSides Portland.\n\n Twitter: @JesseMichael\n\n\n\n Mickey Shkatov\n\n Mickey Shkatov, a principal researcher at Eclypsium, has been\n\n performing security research and product security validation since\n\n 2010, He has also presented multiple times at DEF CON, Black Hat,\n\n PacSec, CanSecWest, BruCon, Hackito Ergo Sum, and BSides Portland.\n\n Twitter: @HackingThings\n\n\n"
},
{
"Title": "RACE - Minimal Rights and ACE for Active Directory Dominance",
"Day": "Saturday",
"Time": "13:00",
"Location": "Track 1",
"Description": "RACE - Minimal Rights and ACE for Active Directory Dominance\n\n\n\n Saturday at 13:00 in Track 1\n\n 45 minutes | Demo, Tool\n\n\n\nNikhil Mittal PentesterAcademy\n\n\n\n User rights and privileges are a part of the access control model in\n\n Active Directory. Applicable only at the local computer level, a user\n\n generally has different rights (through access tokens) on different\n\n machines in a domain. Another part of the access control model is\n\n security descriptors (ACLs) that protects a securable object. At the\n\n domain level, ACL abuse is well known and adversaries have used it for\n\n persistence. For user rights, the abuse is mostly with the help of\n\n groups (memberships, SID History etc.) or misconfigured delegated\n\n rights.\n\n A lesser-known area of abuse and offensive research is a combination of\n\n minimal Rights and ACE (hence the term RACE). Often overlooked in\n\n audits and assessments, using minimal rights along with favourable ACEs\n\n provides a very interesting technique of persistence and on-demand\n\n privilege escalation on a Windows machine with much desired stealth.\n\n This talk covers interesting domain privilege escalation, persistence\n\n and backdoor techniques with the help of ACLs, minimal user rights and\n\n combinations of both. We will discuss how these techniques can be\n\n applied using open source tools and scripts. The talk also covers how\n\n to detect and mitigate such attacks. The talk will be full of live\n\n demonstrations.\n\n\n\n Nikhil Mittal\n\n Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast.\n\n His area of interest includes red teaming, active directory security,\n\n attack research, defense strategies and post exploitation research. He\n\n has 10+ years of experience in red teaming. He specializes in assessing\n\n security risks at secure environments that require novel attack vectors\n\n and \"out of the box\" approach. He has worked extensively on Active\n\n Directory attacks, defense and bypassing detection mechanisms and\n\n Offensive PowerShell for red teaming. He is creator of multiple tools\n\n like Nishang, a post exploitation framework in PowerShell and\n\n Deploy-Deception a framework for deploying Active Directory deception.\n\n In his spare time, Nikhil researches on new attack methodologies and\n\n updates his tools and frameworks.\n\n Nikhil has held trainings and boot camps for various corporate clients\n\n (in US, Europe and SE Asia), and at the world's top information\n\n security conferences. He has spoken/trained at conferences like DEF\n\n CON, BlackHat, CanSecWest, BruCON, 44CON and more. He blogs at\n\n https://www.labofapenetrationtester.com/\n\n Twitter: @nikhil_mitt\n\n Blog: https://labofapenetrationtester.com/\n\n\n"
},
{
"Title": "I'm In Your Cloud... Pwning Your Azure Environement",
"Day": "Sunday",
"Time": "12:00",
"Location": "Track 1",
"Description": "I'm In Your Cloud... Pwning Your Azure Environement\n\n\n\n Sunday at 12:00 in Track 1\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nDirk-jan Mollema Security Expert - Fox-IT\n\n\n\n After having compromised on-premise for many years, there is now also\n\n the cloud! Now your configuration mistakes can be accessed by anyone on\n\n the internet, without that fancy next-gen firewall saving you. With\n\n this talk I'll share my current research on Azure privileges,\n\n vulnerabilities and what attackers can do once they gain access to your\n\n cloud, or how they can abuse your on-premise cloud components. We start\n\n with becoming Domain Admin by compromising Azure AD Sync, sync\n\n vulnerabilities that allow for Azure admin account takeover and\n\n insecure Single Sign On configurations. Up next is cloud roles and\n\n privileges, backdooring Azure AD with service accounts, escalating\n\n privileges as limited admin and getting past MFA without touching\n\n someone's phone. Then we finish with cloud integrations, also known as\n\n \"how a developer can destroy your whole infrastructure with a single\n\n commit\": Exploring Azure DevOps, backdooring build pipelines, dumping\n\n credentials and compromising Azure Resource Manager through connected\n\n services. Besides all the fun we'll also look into how this translates\n\n into the questions you should ask yourself before moving things to the\n\n cloud and how this differs from on-premise.\n\n\n\n Dirk-jan Mollema\n\n Dirk-jan is one of the core researchers of Active Directory and Azure\n\n AD at Fox-IT. Amongst the open source tools published to advance the\n\n state of AD research are aclpwn, krbrelayx, mitm6, ldapdomaindump and a\n\n Python port of BloodHound. He blogs at dirkjanm.io, where he publishes\n\n about new Active Directory attack chains, which included the discovery\n\n of the PrivExchange vulnerability. He is also co-author of ntlmrelayx\n\n and contributor to several other open source tools and libraries. After\n\n discovering that breaking stuff is a lot of fun he never looked back at\n\n his freelance web developer days, but is still thankful for the\n\n knowledge and experience that those days provided him.\n\n Twitter: @_dirkjan\n\n Website: dirkjanm.io\n\n\n"
},
{
"Title": "More Keys Than A Piano: Finding Secrets In Publicly Exposed Ebs Volumes",
"Day": "Friday",
"Time": "13:00",
"Location": "Track 4",
"Description": "More Keys Than A Piano: Finding Secrets In Publicly Exposed Ebs Volumes\n\n\n\n Friday at 13:00 in Track 4\n\n 45 minutes | Demo, Tool\n\n\n\nxBen \"benmap\" Morris Security Associate, Bishop Fox\n\n\n\n Did you know that Elastic Block Storage (Amazon EBS) has a \"public\"\n\n mode that makes your virtual hard disk available to anyone on the\n\n internet? Apparently hundreds of thousands of others didn't either,\n\n because they're out there exposing secrets for everyone to see.\n\n I tore apart the petabytes of data for you and have some dirty laundry\n\n to air: encryption keys, passwords, authentication tokens, PII, you\n\n name it and it's here. Whole (virtual) hard drives to live sites and\n\n apps, just sitting there for anyone to read. So much data in fact that\n\n I had to invent a custom system to process it all.\n\n There's a massive Wall of Sheep out there on the internet, and you\n\n might not have even noticed that you're on it. Actually, you should\n\n stop reading and go check that out right now.\n\n\n\n xBen \"benmap\" Morris\n\n Ben Morris is a Security Associate at Bishop Fox, a consulting firm\n\n providing cybersecurity services to the Fortune 500, global financial\n\n institutions, and high-tech startups. In this role, he focuses on\n\n application penetration testing, network penetration testing, and\n\n red-teaming.\n\n Ben also enjoys performing drive-by pull requests on security tools and\n\n bumbling his way into vulnerabilities in widely used PHP and .NET\n\n frameworks and plugins. Ben has also contributed to Root the Box, a\n\n capture the flag security competition.\n\n\n"
},
{
"Title": "The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum",
"Day": "Sunday",
"Time": "14:00",
"Location": "Track 3",
"Description": "The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum\n\n\n\n Sunday at 14:00 in Track 3\n\n 45 minutes | Demo, Tool\n\n\n\nBernhard Mueller ConsenSys Diligence\n\n\n\nDaniel Luca\n\n\n\n Ethereum smart contracts are Turing-complete programs that mediate\n\n transfers of money. It doesn't come as a surprise that all hell is\n\n breaking loose on the Ethereum blockchain.\n\n In this talk, we'll introduce Karl, an Ethereum blockchain monitor, and\n\n Scrooge McEtherface, an auto-exploitation bot that extracts Ether from\n\n vulnerable smart contracts. Scrooge uses symbolic execution to detect\n\n vulnerable states that live up to three transactions deep and\n\n constructs exploit payloads using the Z3 constraint solver.\n\n We'll also examine the game-theoretic consequences of Scrooge's\n\n existence. What if multiple bots compete for exploiting the same\n\n contracts? How about honeypots that counter-exploit bots? Is it\n\n possible to cheat those honeypots? When all is said and done, who is\n\n going to end up stealing money from whom?\n\n During the talk, we'll show many examples for vulnerable contracts,\n\n honeypots, and counter-honeypots, explain the role of transaction\n\n ordering and frontrunning, and launch a little challenge for the\n\n audience.\n\n\n\n Bernhard Mueller\n\n Bernhard Mueller is an OG security engineer and researcher with\n\n experience in a variety of fields including Internet protocols, web\n\n apps, operating systems, server software and blockchain technology. His\n\n work in mobile and blockchain security has earned him two \"Best\n\n Research\" Pwnie Award nominations (and one win). In the Ethereum\n\n community he is known for creating the Mythril symbolic analyzer.\n\n Twitter: @muellerberndt\n\n LinkedIn: https://www.linkedin.com/in/bernhardm/\n\n\n\n Daniel Luca\n\n Daniel is a self-taught developer with experience in multiple\n\n programming languages. Having a hacker mindset he always tests the\n\n limits of software or hardware he interacts with. He likes to\n\n experiment with new technologies, always trying to develop his\n\n available toolchain. When he isn't glued to a computer screen, he likes\n\n to snowboard, read and meditate. He currently does security audits and\n\n builds tools for ConsenSys Diligence and the Ethereum ecosystem.\n\n Twitter: @cleanunicorn\n\n LinkedIn: https://www.linkedin.com/in/luca-daniel-5227267/\n\n\n"
},
{
"Title": "SSO Wars: The Token Menace",
"Day": "Saturday",
"Time": "13:00",
"Location": "Track 4",
"Description": "SSO Wars: The Token Menace\n\n\n\n Saturday at 13:00 in Track 4\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nAlvaro Mu\u00f1oz Software Security Researcher @ Fortify (Micro Focus)\n\n\n\nOleksandr Mirosh Software Security Researcher @ Fortify (Micro Focus)\n\n\n\n It is the year 2019. Humanity has almost won its long-standing war\n\n against Single-Sign On (SSO) bugs. The last of them were discovered and\n\n eradicated some time ago and the world is now living in an era of\n\n prosperity while the Auth Federation enjoys peaceful CVE-free times.\n\n However, while things seem to be running smoothly, new bugs are brewing\n\n at the core of major implementation libraries. This is probably the\n\n last chance for the evil empire to launch a world scale attack against\n\n the Auth Federation.\n\n In this talk, we will present two new techniques:\n\n * 1) A new breed of SAML implementation flaws that break XML\n\n signature validation and enable arbitrary modification of the SAML\n\n assertion, which enables attackers to authenticate as arbitrary\n\n users or grant themselves arbitrary authorization claims. Although\n\n any implementation may be affected by this flaw, we will show how\n\n it affects Microsoft Windows Identity Framework (WIF) applications,\n\n Windows Communication Foundation (WCF) web services, and flagship\n\n products such as SharePoint and Exchange Servers.\n\n * 2) A bug in the .NET crypto library, which may allow attackers to\n\n gain Remote Code Execution (RCE) or Denial of Service (DoS)\n\n depending on the availability of code gadgets in the target server.\n\n\n\n A new tool to detect this type of vulnerability will also be discussed\n\n and released.\n\n\n\n Alvaro Mu\u00f1oz\n\n Alvaro Mu\u00f1oz (@pwntester) is Principal Security Researcher at Micro\n\n Focus Fortify where he researches new software vulnerabilities and\n\n implement systems to detect them. His research focuses on web\n\n application frameworks where he looks for vulnerabilities or unsafe\n\n uses of APIs. Before joining the research team, he worked as an\n\n Application Security Consultant helping enterprises to deploy\n\n application security programs. Mu\u00f1oz has presented at many Security\n\n conferences including BlackHat, DEF CON, RSA, OWASP AppSec US & EU,\n\n JavaOne, etc and holds several infosec certifications, including OSCP,\n\n GWAPT and CISSP. He plays CTFs with Spanish int3pids team and blogs at\n\n http://www.pwntester.com.\n\n Twitter: @pwntester\n\n Website: http://www.pwntester.com\n\n\n\n Oleksandr Mirosh\n\n Oleksandr Mirosh has over 11 years of computer security experience,\n\n including vulnerability research, penetration testing, reverse\n\n engineering, fuzzing, developing exploits and consulting. He is working\n\n for Fortify Software Security Research team in Micro Focus\n\n investigating and analyzing new threats, vulnerabilities, security\n\n weaknesses, new techniques of exploiting security issues and\n\n development vulnerability detection, protection and remediation rules.\n\n In the past, he has performed a wide variety of security assessments,\n\n including design and code reviews, threat modelling, testing and\n\n fuzzing in order to identify and remove any existing or potentially\n\n emerging security defects in the software of various customers.\n\n Twitter: @olekmirosh\n\n\n"
},
{
"Title": "Re: What's up Johnny? - Covert Content Attacks on Email End-to-End Encryption",
"Day": "Friday",
"Time": "16:30",
"Location": "Track 4",
"Description": "Re: What's up Johnny? - Covert Content Attacks on Email End-to-End Encryption\n\n\n\n Friday at 16:30 in Track 4\n\n 20 minutes | Demo, Exploit\n\n\n\nJens M\u00fcller Ruhr University Bochum\n\n\n\n We show practical attacks against OpenPGP and S/MIME encryption and\n\n digital signatures in the context of email. Instead of targeting the\n\n underlying cryptographic primitives, our attacks abuse legitimate\n\n features of the MIME standard and HTML, as supported by email clients,\n\n to deceive the user regarding the actual message content. We\n\n demonstrate how the attacker can unknowingly abuse the user as a\n\n decryption oracle by replying to an unsuspicious looking email. Using\n\n this technique, the plaintext of hundreds of encrypted emails can be\n\n leaked at once. Furthermore, we show how users could be tricked into\n\n signing arbitrary text by replying to emails containing CSS conditional\n\n rules. An evaluation shows that 17 out of 19 OpenPGP-capable email\n\n clients, as well as 21 out of 22 clients supporting S/MIME, are\n\n vulnerable to at least one attack. We provide different countermeasures\n\n and discuss their advantages and disadvantages\n\n\n\n Jens M\u00fcller\n\n Jens M\u00fcller is a PhD student at the Chair for Network and Data\n\n Security, Ruhr University Bochum, Germany. His research interests are\n\n legacy protocols and data formats, for which he loves to investigate\n\n what could possibly go wrong in a modern world. He has experience as a\n\n speaker on international security conferences (BlackHat, IEEE S&P,\n\n OWASP) and as a freelancer in network penetration testing and security\n\n auditing. Besides breaking thinks, he develops free open source\n\n software, for example, tools related to network printer\n\n exploit^H^H^H^H^H^H^H, um, \"debugging\".\n\n Twitter: @jensvoid\n\n Websites: https://www.nds.ruhr-uni-bochum.de/chair/people/jmueller/\n\n https://hacking-printers.net/\n\n\n"
},
{
"Title": "GSM: We Can Hear Everyone Now!",
"Day": "Saturday",
"Time": "13:00",
"Location": "Track 2",
"Description": "GSM: We Can Hear Everyone Now!\n\n\n\n Saturday at 13:00 in Track 2\n\n 45 minutes | Demo, Exploit\n\n\n\nCampbell Murray Global Head Cybersecurity Delivery, BlackBerry\n\n\n\nEoin Buckley Senior Cybersecurity Consultant\n\n\n\nJames Kulikowski Senior Cybersecurity Consultant\n\n\n\n The presentation demonstrates that the security of the A5/1 and A5/3\n\n ciphers used to protect cellular calls are vulnerable to compromise\n\n leading to full decryption of GSM communications, using freely\n\n available open source solutions along with our tools we developed for\n\n this task.\n\n The flaw being exploited lies in the heart of the design of GSM. In all\n\n implementations the standard requires GSM messages to first be error\n\n control encoded using a convolutional code and then encrypted. In the\n\n vast majority of implementations used today, encryption is performed\n\n using the A5/1 or A5/3 cipher. The convolutional code adds redundancy\n\n to the transmitted message, which can act like a fingerprint to\n\n identify the key used to encrypt the GSM message.\n\n To exploit the vulnerability an attacker simply needs to capture a\n\n transmission and identify the GSM channel used. The standard defines\n\n the convolutional code and therefore how the redundancy may be\n\n interpreted to recover the encryption key.\n\n This presentation considers passively capturing GSM traffic using A5/3\n\n encryption and demonstrates a novel solution to cracking the key used\n\n without interacting with the mobile or network.\n\n\n\n Campbell Murray\n\n Campbell Murray is the global head of BlackBerry Cybersecurity Delivery\n\n and joined the organization through the acquisition of Encription Ltd,\n\n of which he was a founder and director. He has over 20 years'\n\n cybersecurity experience with an emphasis on offensive security\n\n techniques and security engineering in the IoT, industrial and\n\n transport arenas. Campbell is a founding director of both the\n\n TigerScheme and the CyberScheme.\n\n Twitter: @zyx2k\n\n\n\n Eoin Buckley\n\n Michael Eoin Buckley is a senior cybersecurity consultant at BlackBerry\n\n with over 20 years' experience spanning cybersecurity consultancy,\n\n product security and both security and physical layer aspects of 3GPP\n\n cellular, Zigbee and IETF standards. In his role he leads the\n\n cybersecurity engineering effort and specializes in product security\n\n assessments of several areas such as automotive, healthcare and\n\n aerospace. Eoin holds a Ph.D. from Cornell University with a thesis\n\n focus on error control coding.\n\n\n\n James Kulikowski\n\n James Kulikowski is a senior cybersecurity consultant at Blackberry and\n\n an active member at Unallocated Space in Baltimore Maryland. In his 15\n\n years, James has worked with clients from the DoD and Intel community\n\n to companies in finance, healthcare and transportation. James\n\n previously specialized in risk management and policy development before\n\n transitioning to hardware and software security assessments.\n\n\n"
},
{
"Title": "NOC NOC. Who's there? All. All who? All the things you wanted to know about",
"Day": "Saturday",
"Time": "16:00",
"Location": "Track 2",
"Description": "NOC NOC. Who's there? All. All who? All the things you wanted to know about\n\nthe DEF CON NOC and we won't tell you about\n\n\n\n Saturday at 16:00 in Track 2\n\n 105 minutes\n\n\n\nThe DEF CON NOC\n\n\n\n It's been a while, something like DEF CON 19, since we had the chance\n\n to have more than a few minutes at closing ceremonies to talk to\n\n everyone about the DEF CON NOC. It is not uncommon for people during\n\n the show or throughout the year to come to us asking things here and\n\n there about the DEF CON network. Come see all the DEF CON NOC team on\n\n stage, yes, those you usually don't see anywhere during the show,\n\n because, well, we're making sure packets are flowing and people are\n\n interneting. Come learn what we do, how we do it and possibly answer\n\n any questions that you might have about the \"most hostile network in\n\n the planet\".\n\n\n\n The DEF CON NOC\n\n @DEFCON_NOC, @effffn, @macmceniry, @Mike_Moore, @mansimusa, @c7five,\n\n @_CRV, @jaredbird, all the other NOC members who refuse to share their\n\n twitter handles and our very special guest Lord Raytheon\n\n\n"
},
{
"Title": "Poking the S in SD cards",
"Day": "Friday",
"Time": "16:30",
"Location": "Track 1",
"Description": "Poking the S in SD cards\n\n\n\n Friday at 16:30 in Track 1\n\n 20 minutes | Demo, Tool, Exploit\n\n\n\nNicolas Oberli Cybersecurity Expert, Kudelski security\n\n\n\n Ever wonder why the S in SD cards stands for Secure? Well, it turns out\n\n that it is possible to read and/or write protect these cards by\n\n software using specific commands. As you might expect, this process\n\n isn't as \"secure\" as the name implies leading to multiple issues. This\n\n talk will present some of these features and the vulnerabilities\n\n discovered while poking at cards from various manufacturers. The\n\n equipment used in this talk is quite easily attainable allowing for\n\n easy replication and learning about these attacks.\n\n\n\n Nicolas Oberli\n\n Nicolas works as a security researcher for Kudelski Security in\n\n Switzerland. His research focuses on embedded devices and communication\n\n protocols. In his spare time, he now spends more time designing CTF\n\n challenges than solving them. He is also one of the main developers of\n\n the Hydrabus hardware hacking tool and part of the BlackAlps security\n\n conference committee.\n\n Twitter: @Baldanos\n\n\n"
},
{
"Title": "No Mas - How One Side-Channel Flaw Opens Atm, Pharmacies and Government",
"Day": "Friday",
"Time": "13:00",
"Location": "Track 3",
"Description": "No Mas - How One Side-Channel Flaw Opens Atm, Pharmacies and Government\n\nSecrets Up to Attack\n\n\n\n Friday at 13:00 in Track 3\n\n 45 minutes | Demo, Exploit\n\n\n\nphar ioactive\n\n\n\n Hacking `high security' electronic locks has become a bit of a hobby,\n\n but what if you identify an unpatchable design pattern that unlocks\n\n buckets of cash and government secrets? How long do wait before telling\n\n `people'? let's talk about how these locks are designed, where they\n\n fail and we can rip this band-aid off together.\n\n\n\n phar\n\n Mike Davis is a hardware security researcher and consultant with\n\n IOActive, and for some reason still responds to `phar'.\n\n\n"
},
{
"Title": "Breaking The Back End! It Is Not Always A Bug. Sometimes, It Is Just Bad",
"Day": "Friday",
"Time": "16:30",
"Location": "Track 3",
"Description": "Breaking The Back End! It Is Not Always A Bug. Sometimes, It Is Just Bad\n\nDesign!\n\n\n\n Friday at 16:30 in Track 3\n\n 20 minutes | Demo, Exploit\n\n\n\nGregory Pickett Cybersecurity Operations, Hellfire Security\n\n\n\n Reverse engineering is critical to exploitation. However, going through\n\n the process of reverse engineering can often lead to a great deal more\n\n than just uncovering a bug. So much so that you might find what you\n\n need for exploitation even if you don't find a bug.\n\n That's right. If you go through object data, object representation,\n\n object states, and state changes enough you can find out quite a lot.\n\n Yes. Poor application logic is a bitch. Just ask any application\n\n penetration tester. This time it is not the magstripe. It's appsec and\n\n you will get to see how application attacks can be used against a\n\n hardware platform.\n\n In this talk, I will go through the journey that I took in reverse\n\n engineering the public transportation system of an east asian\n\n mega-city, the questions that I asked as I wondered \"How does this\n\n work?\", the experiments that I ran to answers those questions, what I\n\n learned that lead me to an exploit capable of generating millions of\n\n dollars in fake tickets for that very same system, and how other\n\n designers can avoid the same fate. Not without risk, this research was\n\n done under a junta so I will also be telling you how I kept myself out\n\n of jail while doing it. Please join me. You won't want to miss it.\n\n\n\n Gregory Pickett\n\n Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion\n\n analysis for Fortune 100 companies but now heads up Hellfire Security's\n\n Managed Security Services efforts and participates in their assessment\n\n practice as a network security subject matter expert. As a security\n\n professional, his primary area of focus and occasional research is\n\n networks with an interest in using network traffic to better\n\n understand, to better defend, and sometimes to better exploit the hosts\n\n that live on them. He holds a B.S. in Psychology which is completely\n\n unrelated but interesting to know. While it does nothing to contribute\n\n to how he makes a living, it does demonstrate how screwed up he\n\n actually is.\n\n Twitter: @shogun7273\n\n Website: https://sourceforge.net/u/shogun7273/profile/\n\n\n"
},
{
"Title": "Hacking Your Thoughts - Batman Forever meets Black Mirror",
"Day": "Saturday",
"Time": "11:00",
"Location": "Track 3",
"Description": "Hacking Your Thoughts - Batman Forever meets Black Mirror\n\n\n\n Saturday at 11:00 in Track 3\n\n 45 minutes\n\n\n\nKatherine Pratt/GattaKat NSF Graduate Research Fellow, University of\n\nWashington - Seattle\n\n\n\n Companies are coming for your brains. The electricity in your brains,\n\n to be more precise. Valve, Facebook, Elon Musk and more are funding\n\n research into technologies that will translate neural signals into\n\n controls for devices like computers, smartphones, and VR/AR\n\n environments. While this would be super exciting, it represents some\n\n serious data privacy issues. First: what kind of private information\n\n can be elicited from your neural signals? It's possible to use a\n\n specific kind of neural response to visual and audio stimuli to deduce\n\n information about the user... like where you bank, who you know, your\n\n real identity, etc (Edward Nygma in Batman Forever, anyone?)\n\n More broadly, there is also the issue of what happens when you provide\n\n your neural signals to a company. If you're worried about what Facebook\n\n is doing with your information now, imagine what they can do when they\n\n have hours of information straight from your brain. If neural data is\n\n treated the same as your DNA, commercial companies become the owners of\n\n your thoughts (as electrical signals). Will they readily share it with\n\n the FBI without probable cause? These kinds of questions, and many\n\n more, are starting to surface with neurally-controlled devices and\n\n other emerging technologies. This talk will cover all of this and more.\n\n\n\n Katherine Pratt/GattaKat\n\n Dr Katherine Pratt received her B.S. in aerospace engineering from MIT\n\n in 2008, and her PhD in Electrical and Computer Engineering (ECE) from\n\n the University of Washington (UW) in 2019. During undergrad she\n\n completed several internships with the private space venture Blue\n\n Origin, working in systems and propulsion engineering. She has served\n\n four years in the United States Air Force, working primarily as an\n\n operational flight test engineer on the F-35 Joint Strike Fighter. Her\n\n doctoral dissertation focused on the privacy, ethics, and policy of\n\n information derived from elicited neural signals. She was the recipient\n\n of a National Science Foundation Graduate Research Fellowship and the\n\n 2018-19 UW ECE Irene Peden Endowed Fellowship. During graduate school\n\n she interned with the ACLU of Washington through the Speech, Privacy,\n\n and Technology Project. She also completed a six month fellowship as\n\n the first Congressional Innovation Scholar through Tech Congress where\n\n she crafted technology policy and legislation in the office of a member\n\n of the House of Representatives.\n\n Twitter: @GattaKat\n\n Website: https://kaipratt.site/web\n\n\n"
},
{
"Title": "Breaking Google Home: Exploit It with SQLite(Magellan)",
"Day": "Thursday",
"Time": "11:00",
"Location": "DC101, Paris Theatre",
"Description": "Breaking Google Home: Exploit It with SQLite(Magellan)\n\n\n\n Thursday at 11:00 in DC101, Paris Theatre\n\n 45 minutes | Demo, Exploit\n\n\n\nWenxiang Qian Senior security researcher at Tencent Blade Team\n\n\n\nYuXiang Li Senior security researcher at Tencent Blade Team\n\n\n\nHuiYu Wu Senior security researcher at Tencent Blade Team\n\n\n\n Over the past years, our team has used several new approaches to\n\n identify multiple critical vulnerabilities in SQLite and Curl, two of\n\n the most widely used basic software libraries. These two sets of\n\n vulnerabilities, which we named \"Magellan\" and \"Dias\" respectively,\n\n affect many devices and software. We exploited these vulnerabilities to\n\n break into some of the most popular Internet of things devices, such as\n\n Google Home with Chrome. We also exploited them on one of the most\n\n widely used Web server (Apache+PHP) and one of the most commonly used\n\n developer tool (Git).\n\n In this presentation, we will share how we try to crack the Google Home\n\n from both hardware and software aspects, get and analyze the newest\n\n firmware, solve the problem, and introduce new methods to discover\n\n vulnerabilities in SQLite and Curl through Fuzz and manual auditing.\n\n Through these methods, we found \"Magellan\", a set of three heap buffer\n\n overflow and heap data disclosure vulnerabilities in SQLite (\n\n CVE-2018-20346, CVE-2018-20505 CVE-2018-20506 ) We also found \"Dias\",\n\n two remote memory leak and stack buffer overflow vulnerabilities in\n\n Curl ( CVE-2018-16890 and CVE-2019-3822 ). Considering the fact that\n\n these vulnerabilities affect many systems and software, we have issued\n\n a vulnerability alert to notify the vulnerable vendor to fix it.\n\n We will disclose the details of \"Magellan\" and \"Dias\" for the first\n\n time and highlight some of our new vulnerability exploitation\n\n techniques. In the first part, we will introduce the results of our\n\n analysis on hardware, how to get the newest firmware from simulating an\n\n update request, and attack surface of Google Home. We will show how to\n\n use Magellan to complete the remote exploit of Google Home, we will\n\n also give a brefing talk about how to use Dias to complete the remote\n\n attack on Apache+PHP and Git. Finally, we will summarize our research\n\n and provide some security development advice to the basic software\n\n library developers.\n\n\n\n Wenxiang Qian\n\n Wenxiang Qian is a senior security researcher at the Tencent Blade\n\n Team. He is focusing on security research of IoT devices. He also do\n\n security audits for web browsers. He was on the top 100 of annual MSRC\n\n list (2016 & 2017 ). He published a book called \"Whitehat Talk About\n\n Web Browser Security \".\n\n Twitter: @leonwxqian\n\n\n\n YuXiang Li\n\n YuXiang Li is a senior security researcher at Tencent Blade Team,\n\n specialized in the study of Mobile Security and IoT Security. He has\n\n reported multiple vulnerabilities of Android and received\n\n acknowledgments from vendors(Google/Huawei). He was a speaker of HITB\n\n AMS 2018 and XCON 2018.\n\n Twitter: @Xbalien29\n\n\n\n HuiYu Wu\n\n HuiYu Wu is a senior security researcher at Tencent Blade Team. Now his\n\n job is mainly focus on IoT security research and mobile security\n\n research. He was also a bug hunter, winner of GeekPwn 2015, and speaker\n\n of DEF CON 26 , HITB 2018 AMS and POC 2017.\n\n Twitter: @DroidSec_cn\n\n\n"
},
{
"Title": "Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in",
"Day": "Sunday",
"Time": "14:00",
"Location": "Track 1",
"Description": "Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in\n\nFirmware\n\n\n\n Sunday at 14:00 in Track 1\n\n 45 minutes | Demo, Tool\n\n\n\nChristopher Roberts\n\n\n\n DARPA's Grand Cyber Challenge foretold an ominous future stricken with\n\n machines exploiting our code and automatically compromising our\n\n systems. Today, we have the chance to steel ourselves by creating new\n\n hope through stronger tools and techniques to find our bugs before our\n\n big-brother nation-states can take advantage. The firmware holding our\n\n phones, our routers, and our cars is our weakest link and it demands\n\n new methods of finding exploitable vulnerabilities. This talk will\n\n present Firmware Slap, the culmination of concolic analysis and\n\n semi-supervised firmware function learning. Each binary or library in a\n\n given firmware provides slices of information to accelerate and enable\n\n fault-resistant concolic analysis. These techniques provide a method of\n\n knowing where our vulnerabilities are and how we can trigger them.\n\n\n\n Christopher Roberts\n\n Christopher Roberts is a security researcher at REDLattice Inc. He has\n\n extensive vulnerability research experience in embedded systems and\n\n program analysis frameworks. He competes and speaks in George Mason's\n\n competitive cyber club. He's known for building several tools which\n\n automatically solve and produce flags from pwnable and reversing CTF\n\n problems. (Zeratool) (PinCTF)\n\n Github: https://github.com/ChrisTheCoolHut\n\n\n"
},
{
"Title": "Why You Should Fear Your \"mundane\" Office Equipment",
"Day": "Saturday",
"Time": "12:00",
"Location": "Track 3",
"Description": "Why You Should Fear Your \"mundane\" Office Equipment\n\n\n\n Saturday at 12:00 in Track 3\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nDaniel Romero Managing Security Consultant, NCC Group\n\n\n\nMario Rivas Senior Security Consultant, NCC Group\n\n\n\n The security of common enterprise infrastructure devices such as\n\n desktops and laptops has advanced over the years through incremental\n\n improvements in operating system and endpoint security. However,\n\n security controls for network devices such as enterprise printers are\n\n often ignored and thus present a greater potential for exploitation and\n\n compromise by threat actors seeking to gain a persistent foothold on\n\n target organisations.\n\n In order to assess the current state of mainstream enterprise printer\n\n product security and to challenge common assumptions made about the\n\n security of these devices, which sit on key parts of enterprise\n\n networks and process sensitive data, we set out on a vulnerability and\n\n exploitation research project of six known vendors. We were able to\n\n find remote vulnerabilities in all printers tested through various\n\n attack vectors, revealing a large number of 0-day vulnerabilities in\n\n the process.\n\n In this talk we walk through the entire research engagement, from\n\n initial phases such as threat modelling to understand printer attack\n\n surfaces to the development of attack methodologies and fuzzing tools\n\n used to target printer-specific protocols and functions. Besides of\n\n remarking important vulnerabilities found and their respective CVE's,\n\n proof of concept exploits showing how it is possible to gain full\n\n control of printers and all of the data they manage will be presented.\n\n This will show how to use enterprise printers as a method of\n\n persistence on a network, perhaps to exfiltrate sensitive data or\n\n support C2 persistence on Red Team engagements.\n\n We also address a number of challenges that researchers can face when\n\n performing vulnerability research on devices such as printers and how\n\n we used different techniques to overcome these challenges, working with\n\n limited to no debugging and triage capabilities. We also present\n\n mitigations that printer manufacturers can implement in order to reduce\n\n printer attack surfaces and render exploitation more difficult.\n\n\n\n Daniel Romero\n\n Daniel is currently a security consultant and researcher at NCC Group.\n\n During his career he has worked in interesting security projects,\n\n always trying to \"break\" as much as possible. In the last years Daniel\n\n has mostly been focused on embedded devices / IoT and all what\n\n surrounds it such as hardware, code review, reverse engineering,\n\n fuzzing or exploiting.\n\n Twitter: @daniel_rome\n\n\n\n Mario Rivas\n\n Mario is a penetration tester and security consultant at NCC Group in\n\n Madrid. His interests revolve around all areas of computer security,\n\n always trying to learn new things, and specially enjoying writing tools\n\n during the process to make his life a bit easier.\n\n Twitter: @Grifo\n\n\n"
},
{
"Title": "Owning The Clout Through Server-Side Request Forgery",
"Day": "Sunday",
"Time": "13:00",
"Location": "Track 3",
"Description": "Owning The Clout Through Server-Side Request Forgery\n\n\n\n Sunday at 13:00 in Track 3\n\n 45 minutes | Demo, Tool\n\n\n\nBen Sadeghipour Nahamsec\n\n\n\nCody Brocious (Daeken)\n\n\n\n With how many apps are running in the cloud, hacking these instances\n\n becomes easier with a simple vulnerability due to an unsanitized user\n\n input. In this talk, we'll discuss a number of different methods that\n\n helped us exfil data from different applications using Server-Side\n\n Request Forgery (SSRF). Using these methods, we were able to hack some\n\n of the major transportation, hospitality, and social media companies\n\n and make $50,000 in rewards in 3 months.\n\n\n\n Ben Sadeghipour\n\n Ben is the Hacker Operations Lead at HackerOne by day, and a hacker by\n\n night. He has helped identify and exploit over 500 security\n\n vulnerabilities across 100s of web and mobile applications for\n\n companies such as Yahoo, Airbnb, Snapchat, The US Department of\n\n Defense, Yelp, and more. He also invested time in the security\n\n community, by creating a community of 200+ active hackers who share\n\n ideas and their experiences. He has also held free workshops and\n\n trainings to teach others about security and web application hacking.\n\n Twitter: @nahamsec\n\n Website: nahamsec.com\n\n\n\n Cody Brocious (Daeken)\n\n Cody is the Head of Hacker Education at HackerOne where he dedicates\n\n his time to teaching hackers to be more effective and empowered. A\n\n reverse engineer and software developer with well over a decade of\n\n experience. Cody is also the lead instructor for Hacker101, a free\n\n course for web security.\n\n Twitter: @daeken\n\n Website: daeken.svbtle.com\n\n\n"
},
{
"Title": "Information Security in the Public Interest",
"Day": "Saturday",
"Time": "10:00",
"Location": "Track 3",
"Description": "Information Security in the Public Interest\n\n\n\n Saturday at 10:00 in Track 3\n\n 45 minutes\n\n\n\nBruce Schneier\n\n\n\n Computer security is now a public policy issue. Election security,\n\n blockchain, \"going dark,\" the vulnerabilities equities debate, IoT\n\n safety , data privacy, algorithmic security and fairness, critical\n\n infrastructure: these are all important public policy issues with a\n\n strong Internet security component. But while an understanding of the\n\n technology involved is fundamental to crafting good policy, there is\n\n little involvement of technologists in policy discussions. This is not\n\n sustainable. We need public-interest technologists: people from our\n\n fields helping craft policy, and working to provide security to\n\n agencies and groups working in the broader public interest. We need\n\n these people in government, at NGOs, teaching at universities, as part\n\n of the press, and inside private companies. This is increasingly\n\n critical to both public safety and overall social welfare. This talk\n\n both describes the current state of public-interest technology, and\n\n offers a way forward for us individually and collectively for our\n\n field. The defining policy question of the Internet age is this: How\n\n much of our lives should be governed by technology, and under what\n\n terms? We need to be involved in that debate.\n\n\n\n Bruce Schneier\n\n Bruce Schneier is an internationally renowned security technologist,\n\n called a \"security guru\" by the Economist. He is the author of 14\n\n books--including the New York Times best-seller \"Click Here to Kill\n\n Everybody\"--as well as hundreds of articles, essays, and academic\n\n papers. His influential newsletter \"Crypto-Gram\" and blog \"Schneier on\n\n Security\" are read by over 250,000 people. Schneier is a fellow at the\n\n Berkman Klein Center for Internet and Society at Harvard University; a\n\n Lecturer in Public Policy at the Harvard Kennedy School; a board member\n\n of the Electronic Frontier Foundation, AccessNow, and the Tor Project;\n\n and an advisory board member of EPIC and VerifiedVoting.org. He is also\n\n a special advisor to IBM Security.\n\n Twitter: @schneierblog\n\n Website: https://www.schneier.com\n\n\n"
},
{
"Title": "Zero bugs found? Hold my Beer AFL! How To Improve Coverage-Guided Fuzzing and",
"Day": "Saturday",
"Time": "14:00",
"Location": "Track 3",
"Description": "Zero bugs found? Hold my Beer AFL! How To Improve Coverage-Guided Fuzzing and\n\nFind New 0days in Tough Targets\n\n\n\n Saturday at 14:00 in Track 3\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nMaksim Shudrak Security Researcher\n\n\n\n Fuzzing remains to be the most effective technique for bugs hunting in\n\n memory-unsafe programs. Last year, hundreds of security papers and\n\n talks on fuzzing have been published and dozens of them were focused on\n\n adapting or improving American Fuzzy Lop in some way. Attracting with\n\n its simplicity and efficiency, AFL is the number one choice for the\n\n vast majority of security researchers. This high popularity means that\n\n hunting for bugs with AFL or a similar tool is becoming less and less\n\n fruitful since many projects are already covered by other researchers.\n\n It is especially hard when we talk about a project participating in\n\n Google OSS-Fuzz program which utilizes AFL to generate a half-trillion\n\n test cases per day.\n\n In practice, this means that we can not blindly rely on AFL anymore and\n\n should search for better fuzzing techniques. In order to overcome this\n\n challenge, we need to understand how AFL and similar fuzzers work and\n\n be able to use their weaknesses to find new 0days. This talk is aimed\n\n to discuss these weaknesses on real examples, explain how we can do\n\n fuzzing better and release a new open-source fuzzer called Manul.\n\n Manul is a high-scalable coverage-guided parallel fuzzer with the\n\n ability to search for bugs in open source and black box binaries on\n\n Windows and Linux. Manul was able to find 10 0-days in 4 widely-used\n\n projects that have been extensively tested by AFL. These\n\n vulnerabilities were not found by chance, but by analyzing and\n\n addressing issues exist in AFL. Authors will show several of the most\n\n critical vulnerabilities and explain why AFL overlooked them.\n\n This talk will be interested for experienced hackers, who are willing\n\n to improve their bug hunting capabilities, as well as for new\n\n researchers, who are making their first steps on the thorny trail of\n\n bug hunting.\n\n\n\n Maksim Shudrak\n\n Maksim is a security researcher and vulnerability hunter in open-source\n\n and blackbox applications. In the past, he had experience working on\n\n dynamic binary instrumentation framework DynamoRIO, developing\n\n extremely abstract Windows OS emulator for malware analysis at IBM\n\n Research as well as writing sophisticated fuzzer to search for\n\n vulnerabilities in machine code. The latter was so exciting that he\n\n defended PhD on this topic. Today, he works on Red Team side at large\n\n cloud-based software company.\n\n Maksim has spoken at various security conferences around the world such\n\n as DEF CON, Positive Hack Days, Virus Bulletin and BSides SF.\n\n Twitter: @Mshudrak\n\n LinkedIn: https://www.linkedin.com/in/mshudrak\n\n\n"
},
{
"Title": "Relaying Credentials Has Never Been Easier: How to Easily Bypass the Latest",
"Day": "Friday",
"Time": "15:00",
"Location": "Track 4",
"Description": "Relaying Credentials Has Never Been Easier: How to Easily Bypass the Latest\n\nNTLM Relay Mitigations\n\n\n\n Friday at 15:00 in Track 4\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nMarina Simakov Senior Security Researcher @Preempt\n\n\n\nYaron Zinar Senior Security Researcher Lead @Preempt\n\n\n\n Active Directory has always been a popular target for attackers, with a\n\n constant rise in attack tools attempting to compromise and abuse the\n\n main secrets storage of the organization. One of the weakest spots in\n\n Active Directory environments lies in the design of one of the oldest\n\n authentication protocols - NTLM, which is a constant source of newly\n\n discovered vulnerabilities. From CVE-2015-0005, to the recent LDAPS\n\n Relay vulnerability, it is clear why this protocol is one of the\n\n attackers' favorites.\n\n Although there are offered mitigations such as server signing,\n\n protecting the entire domain from NTLM relay is virtually impossible.\n\n If it weren't bad enough already, we will present several new ways to\n\n abuse this infamous authentication protocol, including a new critical\n\n zero-day vulnerability we have discovered which enables to perform NTLM\n\n Relay and take over any machine in the domain, even with the strictest\n\n security configuration, while bypassing all of today's offered\n\n mitigations. Furthermore, we will present why the risks of this\n\n protocol are not limited to the boundaries of the on-premises\n\n environment and show another vulnerability which allows to bypass\n\n various AD-FS restrictions in order to take over cloud resources as\n\n well.\n\n\n\n Marina Simakov\n\n Marina Simakov is a security researcher at Preempt, with a special\n\n interest in network security and authentication protocols. Prior to\n\n Preempt, Marina served as a Security Researcher at Microsoft for\n\n several years. She holds an M.Sc. in computer science, with several\n\n published articles, with a main area of expertise in graph theory.\n\n Marina previously spoke at various security conferences such as Black\n\n Hat, BlueHat IL and DEF CON.\n\n\n\n Yaron Zinar\n\n Yaron Zinar is a Lead Security Researcher at Preempt, delivering the\n\n industry's first Identity and Access Threat Prevention. Previously,\n\n Yaron spent over 12 years at leading companies such as Google and\n\n Microsoft where he held various positions researching and leading big\n\n data, machine learning and cyber security projects. Yaron is an expert\n\n on Windows Authentication protocols, among his team latest finding are\n\n CVE-2017-8563 and CVE-2018-0886, which he presented in Black Hat last\n\n year. Yaron holds an M.Sc. in Computer Science with focus on\n\n statistical analysis.\n\n\n"
},
{
"Title": "Adventures In Smart Buttplug Penetration (testing)",
"Day": "Sunday",
"Time": "10:00",
"Location": "Track 2",
"Description": "Adventures In Smart Buttplug Penetration (testing)\n\n\n\n Sunday at 10:00 in Track 2\n\n 45 minutes | Demo, Tool\n\n\n\nsmea\n\n\n\n Analysts believe there are currently on the order of 10 billions\n\n Internet of Things (IoT) devices out in the wild. Sometimes, these\n\n devices find their way up people's butts: as it turns out, cheap and\n\n low-power radio-connected chips aren't just great for home automation -\n\n they're also changing the way we interact with sex toys. In this talk,\n\n we'll dive into the world of teledildonics and see how connected\n\n buttplugs' security holds up against a vaguely motivated attacker,\n\n finding and exploiting vulnerabilities at every level of the stack,\n\n ultimately allowing us to compromise these toys and the devices they\n\n connect to.\n\n\n\n smea\n\n smea got his start making video games for closed consoles like the\n\n Nintendo DS using whatever hacks were available at the time. At some\n\n point consoles started getting actual security features and he\n\n transitioned from just making homebrew software to actually making the\n\n jailbreaks that let people run it. He's best known for his work on the\n\n Nintendo 3DS and Wii U but has also done exploitation work against high\n\n profile web browsers and virtualization stacks. Now he hacks buttplugs,\n\n apparently.\n\n Twitter: @smealum\n\n Github: https://github.com/smealum\n\n\n"
},
{
"Title": "Zombie Ant Farm: Practical Tips for Playing Hide and Seek with Linux EDRs",
"Day": "Saturday",
"Time": "12:00",
"Location": "Track 4",
"Description": "Zombie Ant Farm: Practical Tips for Playing Hide and Seek with Linux EDRs\n\n\n\n Saturday at 12:00 in Track 4\n\n 45 minutes | Demo, Tool\n\n\n\nDimitry Snezhkov Sr. Security Consultant, X-Force Red\n\n\n\n EDR solutions have landed in Linux. With the ever increasing footprint\n\n of Linux machines deployed in data centers, offensive operators have to\n\n answer the call.\n\n In the first part of the talk we will share practical tips and\n\n techniques hackers can use to slide under the EDR radar, and expand\n\n post-exploitation capabilities.\n\n We will see how approved executables could be used as decoys to execute\n\n foreign functionality. We will walk through the process of using well\n\n known capabilities of the dynamic loader. We will take lessons from\n\n user-land root-kits in evasion choices.\n\n Part two will focus on weaponizing the capabilities. We will show how\n\n to create custom preloaders, and use mimicry to hide modular malware in\n\n memory. We will create a \"Preloader-as-a-Service\" capability of sorts\n\n by abstracting storage of modular malware from its executing cradles.\n\n This PaaS is free to you though!\n\n We fully believe the ability to retool in the field matters, so we have\n\n packaged the techniques into reusable code patterns in a toolkit you\n\n will be able to use (or base your own code on) after it is released.\n\n This talk is for hackers, offensive operators, malware analysts and\n\n system defenders. We sincerely hope defensive hackers can attend and\n\n also have fun.\n\n\n\n Dimitry Snezhkov\n\n Dimitry Snezhkov is a Sr. Security Consultant for X-Force Red. In this\n\n role he hacks code, tools, networks, apps and sometimes subverts human\n\n behavior too. Dimitry has spoken at DEF CON, THOTCON, DerbyCon,\n\n CircleCityCon, NorthSec, and presented tools at BlackHat Arsenal.\n\n Twitter: @Op_Nomad\n\n\n"
},
{
"Title": "Apache Solr Injection",
"Day": "Saturday",
"Time": "16:30",
"Location": "Track 4",
"Description": "Apache Solr Injection\n\n\n\n Saturday at 16:30 in Track 4\n\n 20 minutes | Demo, Exploit\n\n\n\nMichael Stepankin Security Researcher at Veracode\n\n\n\n Apache Solr is a search platform used by many enterprise companies to\n\n add a full text search functionality to their websites. Often hidden\n\n behind firewalls, it provides a rich API to search across large\n\n datasets. If this API is used by web applications in a wrong way, it\n\n may open a possibility for injection attacks to completely modify the\n\n query logic.\n\n In this talk we'll shed some light on the new type of vulnerabilities\n\n for web applications - Solr parameter injection, and provide some\n\n useful ways how to achieve remote code execution through it. We also\n\n provide exploits for almost all known vulnerabilities for Apache Solr,\n\n including the two new RCEs we reported this year.\n\n\n\n Michael Stepankin\n\n Michael Stepankin is a Security Researcher at Veracode. He works on\n\n bringing new detection features to Veracode's dynamic and static\n\n scanner engines. As a passionate hacker, he loves to hack enterprise\n\n java applications by day and write beautiful JavaScript code by night.\n\n Listed in Halls of Fame of various bug bounty programs, Michael has\n\n also worked as a penetration tester for many years.\n\n Twitter: @artsploit\n\n\n"
},
{
"Title": "Reverse Engineering 17+ Cars in Less Than 10 Minutes",
"Day": "Saturday",
"Time": "16:00",
"Location": "Track 1",
"Description": "Reverse Engineering 17+ Cars in Less Than 10 Minutes\n\n\n\n Saturday at 16:00 in Track 1\n\n 20 minutes | Demo, Tool\n\n\n\nBrent Stone\n\n\n\n Brent provides a live demonstration reversing engineering 17 or more\n\n unknown passenger vehicle CAN networks in under 10 minutes using new\n\n automated techniques. These unsupervised techniques are over 90%\n\n accurate and consistent when tested using production CAN networks and\n\n different driving conditions. He then introduces the Python and R code\n\n used for the demo and posted to his public GitHub repository at\n\n https://github.com/brent-stone/CAN_Reverse_Engineering. The\n\n Dissertation explaining how the code works is also posted.\n\n\n\n Brent Stone\n\n Dr. Brent Stone is a Cyber officer with the U.S. Military. His\n\n professional experience includes 10 years of IT and cyber work in North\n\n America, the Middle East, and Asia. The focus of his PhD research was\n\n developing AI methods to help security researchers overcome the\n\n 'security through obscurity' used in the automotive industry. He\n\n presented initial findings at the 2018 IEEE Connected and Automated\n\n Vehicles Symposium and is an active member of the Open Garage's car\n\n hacking group. He holds a B.S. in Computer Science from West Point,\n\n M.S. in IT security from Carnegie-Mellon, and PhD in Computer Science\n\n from the Air Force Institute of Technology.\n\n Github: https://github.com/brent-stone\n\n\n"
},
{
"Title": "HAKC THE POLICE",
"Day": "Saturday",
"Time": "11:00",
"Location": "Track 2",
"Description": "HAKC THE POLICE\n\n\n\n Saturday at 11:00 in Track 2\n\n 45 minutes | Demo, Tool\n\n\n\nBill Swearingen World's #23 Best Hacker\n\n\n\n PULL OVER!\n\n No, it is a cardigan, but thanks for noticing! After getting a nasty\n\n speeding ticket, OG SecKC HA/KC/ER hevnsnt decided enough was enough,\n\n and set out to fully understand police speed measurement devices, and\n\n develop homebrew countermeasures that are legal in some states (and\n\n some that are not). Come learn how police RF (X, K, KA) and Laser speed\n\n detection systems work and how to implement your own homebrew jamming\n\n countermeasures on the cheap, essentially making your vehicle invisible\n\n to law enforcement. HOP IN and BUCKLE UP, this talk is going to FUEL\n\n your hardware hacking desires! You better be able to think fast to keep\n\n up with this talk and prepare to get home in record time.\n\n\n\n Bill Swearingen\n\n Bill Swearingen (hevnsnt) has been in the hacking scene for decades,\n\n which is odd because his twitter profile says he is only 23 years old.\n\n Having spent his life dedicated to understanding how how things work,\n\n he is has focused this curiosity and knowledge to take advantage of our\n\n world in any way possible. His interests have always been focused on\n\n hardware hacking and loves releasing easy to replicate projects using\n\n cheap computing platforms such as Arduino and RaspberryPi.\n\n Twitter: @hevnsnt\n\n\n"
},
{
"Title": "[ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1",
"Day": "Sunday",
"Time": "13:00",
"Location": "Track 1",
"Description": "[ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1\n\n\n\n Sunday at 13:00 in Track 1\n\n 45 minutes | Demo, Tool\n\n\n\nElliott Thompson Senior Security Consultant, SureCloud Ltd\n\n\n\n Your browser thinks my 192.168.1.1 is the same as your 192.168.1.1.\n\n Using a novel combination of redirects, Karma, JavaScript and caching\n\n we demonstrate that it's viable to attack internal management\n\n interfaces without ever connecting to your network. Using the\n\n MICASA-SUCASA tool it's possible to automate the exploitation of\n\n hundreds of interfaces at once. This presentation will introduce the\n\n attack vector and demonstration, but also the public release of the\n\n MICASA-SUCASA tool.\n\n\n\n Elliott Thompson\n\n The alphabet soup: OSCP, CTL/CCT-APP Senior pentester and researcher\n\n for the last 3 years, with hundreds of successful engagements behind\n\n me. Passionate about security and involved in various article pieces\n\n for infosec magazine, the BBC and the UK consumer watchdog Which?. Last\n\n year I discovered and disclosed an exploit on some Android tablets that\n\n allowed RCE through the [canary.png] tag. [ CVE-2018-16618 ]\n\n\n"
},
{
"Title": "Infiltrating Corporate Intranet Like NSA \u00b6Pre-auth RCE on Leading SSL VPNs",
"Day": "Friday",
"Time": "12:00",
"Location": "Track 3",
"Description": "Infiltrating Corporate Intranet Like NSA \u00b6Pre-auth RCE on Leading SSL VPNs\n\n\n\n Friday at 12:00 in Track 3\n\n 45 minutes | Demo, Exploit\n\n\n\nOrange Tsai\n\nPrincipal Security Researcher from DEVCORE\n\nMember of HITCON(Hacks in Taiwan Conference)\n\nMember of CHROOT Security Group\n\nCaptain of HITCON CTF team\n\n\n\nMeh Chang Security Researcher from DEVCORE Member of HITCON CTF team\n\n\n\n Computer security is now a public policy issue. Election security,\n\n blockchain, \"going dark,\" the vulnerabilities equities debate, IoT\n\n safety , data privacy, algorithmic security and fairness, critical\n\n infrastructure: these are all important public policy issues with a\n\n strong Internet security component. But while an understanding of the\n\n technology involved is fundamental to crafting good policy, there is\n\n little involvement of technologists in policy discussions. This is not\n\n sustainable. We need public-interest technologists: people from our\n\n fields helping craft policy, and working to provide security to\n\n agencies and groups working in the broader public interest. We need\n\n these people in government, at NGOs, teaching at universities, as part\n\n of the press, and inside private companies. This is increasingly\n\n critical to both public safety and overall social welfare. This talk\n\n both describes the current state of public-interest technology, and\n\n offers a way forward for us individually and collectively for our\n\n field. The defining policy question of the Internet age is this: How\n\n much of our lives should be governed by technology, and under what\n\n terms? We need to be involved in that debate.SSL VPNs protect corporate\n\n assets from Internet exposure, but what if SSL VPNs themselves are\n\n vulnerable? They're exposed to the Internet, trusted to reliably guard\n\n the only way to intranet. However, we found pre-auth RCEs on multiple\n\n leading SSL VPNs, used by nearly half of the Fortune 500 companies and\n\n many government organizations. To make things worse, a \"magic\" backdoor\n\n was found to allow changing any user's password with no credentials\n\n required! To show how bad things can go, we will demonstrate gaining\n\n root shell from the only exposed HTTPS port, covertly weaponizing the\n\n server against their owner, and abusing a hidden feature to take over\n\n all VPN clients!\n\n In such complicated closed-source systems, gaining root shell from\n\n outside the box certainly ain't easy. It takes advanced web and binary\n\n exploitation techniques to struggle for a way to root shell, which\n\n involves abusing defects in web architectures, hard-core Apache\n\n jemalloc exploitation and more. We will cover every detail of all the\n\n dirty tricks, crazy bug chains, and the built-in backdoor. After\n\n gaining root shell into the box, we then elaborate on post exploitation\n\n and how we hack back the clients. In addition, we will share the attack\n\n vectors against SSL VPNs to kick start researches on similar targets.\n\n On the other hand, from our previous experience, we derive general\n\n hardening actions that mitigate not only all the above attacks, but any\n\n other potential 0days.\n\n In summary, we disclose practical attacks capable of compromising\n\n millions of targets, including tech giants and many industry leaders.\n\n These techniques and methodologies are published in the hope that it\n\n can inspire more security researchers to think out-of-the-box;\n\n enterprises can apply immediate mitigation, and realize that SSL VPN is\n\n not merely Virtual Private Network, but also a \"Vulnerable Point of\n\n your Network\".\n\n\n\n Orange Tsai\n\n Cheng-Da Tsai, also as known as Orange Tsai, is the principal security\n\n research of DEVCORE and the member of CHROOT security group from\n\n Taiwan. He has spoken at conferences such as Black Hat USA/ASIA, DEF\n\n CON, HITCON, HITB, Hack.lu and CODEBLUE. He participates in numerous\n\n Capture-the-Flags (CTF), and also the team captain of HITCON, which won\n\n 2nd place in DEF CON 22/25. Currently, he is focusing on application\n\n security and 0day research. Orange enjoys finding vulnerabilities and\n\n participating in Bug Bounty Programs. He is enthusiastic about Remote\n\n Code Execution (RCE), and uncovered RCEs in several vendors, such as\n\n Facebook, Uber, Apple, GitHub, Amazon, Yahoo, Netflix and Imgur.\n\n Twitter: @orange_8361\n\n Website: http://blog.orange.tw/\n\n\n\n Meh Chang\n\n Tingyi Chang, also known as Meh Chang, is a security researcher at\n\n DEVCORE. She focuses on binary program analysis and exploitation. She\n\n is a member of HITCON and 217 CTF team and has won the second place of\n\n DEF CON 25.\n\n Twitter: @mehqq_\n\n\n"
},
{
"Title": "Tag-side attacks against NFC",
"Day": "Saturday",
"Time": "13:00",
"Location": "Track 3",
"Description": "Tag-side attacks against NFC\n\n\n\n Saturday at 13:00 in Track 3\n\n 45 minutes | Demo, Tool\n\n\n\nChristopher Wade\n\n\n\n This talk covers tag-side attacks against NFC communication protocols,\n\n including cracking of Mifare encryption keys and performing targeted\n\n attacks against NFC readers. In addition, it will cover the design and\n\n creation of devices capable of emulating NFC tags down to the raw\n\n protocol using standard components and tools, with no abstraction to\n\n dedicated hardware, covering and expanding on the capabilities of\n\n available products. This talk will contain how 13.56MHz NFC works at a\n\n raw level, how tools can be built for analysing it, how the protocol\n\n can be implemented in full on standard Microcontrollers, and the\n\n security weaknesses present in its design.\n\n\n\n Christopher Wade\n\n Chris is a seasoned security researcher and testing consultant. His\n\n main focuses are in reverse engineering hardware, fingerprinting USB\n\n vulnerabilities and playing with Software Defined Radios, with his key\n\n strength lying in firmware analysis, which he utilises as part of the\n\n hardware testing team at Pen Test Partners.\n\n Twitter: @Iskuri1\n\n Github: https://github.com/Iskuri\n\n\n"
},
{
"Title": "Harnessing Weapons of Mac Destruction",
"Day": "Friday",
"Time": "14:00",
"Location": "Track 1",
"Description": "Harnessing Weapons of Mac Destruction\n\n\n\n Friday at 14:00 in Track 1\n\n 45 minutes | Demo, Exploit\n\n\n\nPatrick Wardle Chief Research Officer, Digita Security\n\n\n\n Whenever a new Mac malware specimen is uncovered, it provides a unique\n\n insight into the offensive Mac capabilities of hackers or nation-state\n\n adversaries. Better yet, such discoveries provide fully-functional\n\n capabilities that may be weaponized for our own surreptitious purposes!\n\n I mean, life is short, why write your own?\n\n We'll begin this talk by discussing the methodology of subverting\n\n existing malware for \"personal use\", highlighting both the challenges\n\n and benefits of such an approach.\n\n Next, we'll walk-thru the weaponization of various Mac malware\n\n specimens, including an interactive backdoor, a file-exfiltration\n\n implant, ransomware, and yes, even adware. Customizations include\n\n various runtime binary modifications that will coerce such malware to\n\n accept tasking from our own C&C servers, and/or automatically perform\n\n actions on our behalf.\n\n Of course, in their pristine state, such samples are currently detected\n\n by AV products. As such we'll also walk-thru subtle modifications that\n\n will ensure our modified tools remains undetected by traditional\n\n detection approaches.\n\n In conclusion, we'll highlight novel heuristic methods that can\n\n generically detect such threats to ensure Mac users remain protected\n\n even from such weaponized threats.\n\n\n\n Patrick Wardle\n\n Patrick Wardle is the Chief Research Officer at Digita Security and\n\n founder of Objective-See. Having worked at NASA and the NSA, as well as\n\n presented at countless security conferences, he is intimately familiar\n\n with aliens, spies, and talking nerdy. Patrick is passionate about all\n\n things related to macOS security and thus spends his days finding Apple\n\n 0days, analyzing macOS malware and writing free open-source security\n\n tools to protect Mac users.\n\n http://twitch.com/patrickwardle\n\n\n"
},
{
"Title": "Please Inject Me, a x64 Code Injection",
"Day": "Friday",
"Time": "16:00",
"Location": "Track 1",
"Description": "Please Inject Me, a x64 Code Injection\n\n\n\n Friday at 16:00 in Track 1\n\n 20 minutes | Demo\n\n\n\nAlon Weinberg Security Researcher, Deep Instinct\n\n\n\n Malware authors are always looking for new ways to achieve code\n\n injection, thereby allowing them to run their code in remote processes.\n\n Code Injection allows hackers to better hide their presence, gain\n\n persistence and leverage other processes' data and privileges.\n\n Finding and implementing new, stable methods for code injection is\n\n becoming more and more challenging as traditional techniques are now\n\n widely detected by various security solutions or limited by native OS\n\n protections.\n\n Inject-Me is a new method to inject code to a remote process in x64.\n\n Inject-Me is in fact \"injection-less\" - the remote (target) process is\n\n manipulated to read data from the injecting process, copy and execute\n\n it. The manipulation is mainly based on abusing ReadProcessMemory and\n\n calling conventions in X64. In addition to presenting Inject-Me, the\n\n talk will mention a generalized approach to copying data in remote\n\n processes to recreate shellcode from the injecting process.\n\n\n\n Alon Weinberg\n\n Alon Weinberg is a security researcher at Deep Instinct. Prior to\n\n joining Deep Instinct two years ago, Alon served in the IDF for 4.5\n\n years in an elite cyber unit as a security researcher.\n\n As part of his role in Deep Instinct, Alon is in charge of finding new\n\n ways to enhance and develop protection and defense mechanisms. Alon\n\n leverages his experience in offensive operations, OS internals and\n\n programming to explore attack surfaces in Windows and macOS, analyze\n\n malware and research attack vectors and evasion techniques. Alon is a\n\n cross-fit junky and enjoys riding his motorcycle whenever his training\n\n routine allows it.\n\n LinkedIn: https://www.linkedin.com/in/alon-weinberg-2a7742142/\n\n\n"
},
{
"Title": "Phreaking Elevators",
"Day": "Friday",
"Time": "12:00",
"Location": "Track 2",
"Description": "Phreaking Elevators\n\n\n\n Friday at 12:00 in Track 2\n\n 45 minutes | Demo\n\n\n\nWillC\n\n\n\n This is a comprehensive dive into the current emergency phones with an\n\n in-depth look at the phones used in elevators. This talk will provide\n\n unique insight into a topic that hasn't been covered before: Elevator\n\n Phones. During this talk, I will discuss the commonality between\n\n elevator phone brands. I will cover a new, never before released, set\n\n of default passwords these system use. I will show a tool kit and how\n\n to use it to access elevator phones locally, as well as remotely. In\n\n addition, I will show how to reprogram a phone , how to make the\n\n elevator state its location, and how to alert the passenger that help\n\n is on the way. Finally, I will demonstrate some attacks, including how\n\n you can use elevator phones as listening devices to silently listen to\n\n conversations of people inside an elevator. I'm WillC, your elevator\n\n operator, let's go for a ride!\n\n\n\n WillC\n\n Will has grown up with a passion for making things. He has done a\n\n number of high voltage projects and recently been taking in interest in\n\n information security competing in a number of different CTFs across the\n\n country. Will also helps run the Car Hacking Village. He works bringing\n\n in the infosec and maker community to Macchina.\n\n Twitter: @Willcaruana\n\n\n"
},
{
"Title": "Sound Effects: Exploring Acoustic Cyber-weapons",
"Day": "Sunday",
"Time": "13:00",
"Location": "Track 2",
"Description": "Sound Effects: Exploring Acoustic Cyber-weapons\n\n\n\n Sunday at 13:00 in Track 2\n\n 45 minutes | Tool\n\n\n\nMatt Wixey Cyber Security Research Lead, PwC UK\n\n\n\n While recent research has explored the capability of attacks to cause\n\n harm by targeting devices - e.g., SCADA systems, vehicles, medical\n\n implant devices - little consideration has been given to the concept of\n\n attacks affecting psychological and physiological health by targeting\n\n humans themselves.\n\n In a first-of-its-kind study, we assessed the capability of several\n\n consumer devices to produce sound at high and low frequencies which may\n\n be imperceptible to many people, as a result of remote and local\n\n attacks, and compared the resulting sound levels to maximum recommended\n\n levels. In doing so, we tested their viability as localised acoustic\n\n weapons which could cause temporary/permanent hearing damage and/or\n\n adverse psychological effects. We examined a number of countermeasures,\n\n including a tool to detect specified frequencies above specified\n\n thresholds.\n\n In this talk, I will cover the background of malware which has,\n\n intentionally or not, caused physical or psychological harm. I will\n\n explore previous research on the harmful effects of sound, focusing\n\n particularly on high and low frequencies, and some of the guidance\n\n which has been proposed to limit exposure to such sound. I will examine\n\n the use of imperceptible sound as applied to security research (covert\n\n channels, ultrasonic tracking beacons, etc), and will present our\n\n experiments and findings, including threat models, methodology, the\n\n attacks we developed, and the implications of our results. Finally, I\n\n will suggest a number of countermeasures and outline some possible\n\n areas for future research.\n\n\n\n Matt Wixey\n\n Matt is a PhD candidate at the Dawes Centre for Future Crimes,\n\n University College London, and leads technical research for the PwC\n\n Cyber Security practice in the UK. Prior to joining PwC, Matt led a\n\n technical R&D team for a law enforcement agency in the UK. His research\n\n interests include antivirus and sandboxing technologies, unconventional\n\n attack vectors, side-channels, and radio security.\n\n Twitter: @darkartlab\n\n\n"
},
{
"Title": "Can You Track Me Now? Why The Phone Companies Are Such A Privacy Disaster",
"Day": "Friday",
"Time": "16:30",
"Location": "Track 2",
"Description": "Can You Track Me Now? Why The Phone Companies Are Such A Privacy Disaster\n\n\n\n Friday at 16:30 in Track 2\n\n 20 minutes\n\n\n\nU.S. Senator Ron Wyden U.S. Senator from Oregon. Senate Finance Ranking\n\nMember\n\n\n\n Amidst the current public outcry about privacy abuses by corporate\n\n america, one sector has received far less scrutiny than it deserves:\n\n phone companies. America's phone companies have a hideous track record\n\n on privacy. During the past two decades, these descendants of \"Ma Bell\"\n\n have been caught, repeatedly, selling (or giving away) their customers'\n\n sensitive data to the government, bounty hunters, private\n\n investigators, data brokers, and stalkers.\n\n The DEFCON community is familiar with the phone companies' role in the\n\n Bush-era \"warrantless wiretapping\" program and the NSA's surveillance\n\n of telephone metadata, revealed by Edward Snowden. Far fewer people\n\n know that the carriers were also willing participants in a massive Drug\n\n Enforcement Administration (DEA) spying program, which the government\n\n quietly shut down after two decades in 2013.\n\n Even less well-understood is how these corporations reap profits by\n\n selling our information to the private sector. As just one example, the\n\n carriers for years used shady middlemen to provide nearly unlimited\n\n access to Americans' location data to anyone with a credit card.\n\n Join Oregon Senator Ron Wyden to learn why the phone companies have\n\n gotten one free pass after another, and what he's doing to hold them\n\n accountable.\n\n\n\n U.S. Senator Ron Wyden\n\n Sen. Ron Wyden is the foremost defender of Americans' civil liberties\n\n in the U.S. Senate, and a tireless advocate for smart tech policies.\n\n Years before Edward Snowden blew the whistle on the dragnet\n\n surveillance of Americans, Wyden warned that the Patriot Act was being\n\n used in ways that would leave Americans shocked and angry, and his\n\n questioning of NSA Director James Clapper in 2013 served as a turning\n\n point in the secret surveillance of Americans' communications.\n\n Since then, Wyden has fought to protect Americans' privacy and security\n\n against unwanted intrusion from the government, criminals and foreign\n\n hackers alike. He has opposed the government's efforts to undermine\n\n strong encryption, proposed legislation to hold companies accountable\n\n for protecting their users' data, and authored legislation with Rand\n\n Paul to protect Americans' Fourth Amendment rights at the border.\n\n Wyden is a senior member of the Senate Select Committee on Intelligence\n\n and the top Democrat on the Senate Finance Committee. He lives in\n\n Portland, Oregon.\n\n Twitter: @RonWyden\n\n Website: https://www.wyden.senate.gov/meet-ron\n\n\n"
},
{
"Title": "All the 4G modules Could be Hacked",
"Day": "Friday",
"Time": "11:00",
"Location": "Track 3",
"Description": "All the 4G modules Could be Hacked\n\n\n\n Friday at 11:00 in Track 3\n\n 45 minutes | Exploit\n\n\n\nXiaoHuiHui Senior Security Researcher, Baidu\n\n\n\nYe Zhang Security Researcher, Baidu\n\n\n\nZhengHuang Leader of Baidu Security Lab X-Team, Baidu\n\n\n\n Nowadays more and more 4G modules are built into IoT devices around the\n\n world, such as vending machines, car entertainment systems, laptops,\n\n advertising screens, and urban cameras etc. But no one has conducted a\n\n comprehensive security research on the 4G modules. We carried out this\n\n initiative and tested all the major brand 4G modules in the market\n\n (more than 15 different types). The results show all of them have\n\n similar vulnerabilities, including remote access with weak passwords,\n\n command injection of AT Command/listening services, OTA upgrade\n\n spoofing, command injection by SMS, and web vulnerability. Through\n\n these vulnerabilities we were able to get to the shell of these\n\n devices. In addition to using wifi to exploit these vulnerabilities, we\n\n created a new way to attack through fake base station system, triggered\n\n by accessing the intranet of cellular network, and successfully run\n\n remote command execution without any requisites. In this talk, we will\n\n first give an overview on the hardware structure of these modules. Then\n\n we will present the specific methods we use in vulnerability probe. In\n\n the final section we will demonstrate how to use these vulnerabilities\n\n to attack car entertainment systems of various brands and get remote\n\n control of cars.\n\n\n\n XiaoHuiHui\n\n Shupeng (xiaohuihui) is a member of Baidu Security Lab. He is an expert\n\n on IoT security, AI security, penetration testing, etc. He was invited\n\n to talk on multiple security conferences, and successfully pwned IOT\n\n equipments on XPwn 2016/2017/2018, GeekPwn May/October 2017,the biggest\n\n pwn competitions in China.\n\n Twitter: @xi4ohuihui\n\n\n\n Ye Zhang\n\n Ye Zhang is a security researcher of Baidu Security Lab X-Team. He's\n\n good at reverse engineering and malware analysis, now he focuses on\n\n finding IoT vulnerabilities.\n\n\n\n ZhengHuang\n\n Zheng Huang is the head of Baidu Security Lab X-Team. He is a prolific\n\n finder of vulnerabilities in the browser security area, has contributed\n\n a lot of vulnerabilities in Microsoft browsers, Chrome, and Safari.\n\n Previously, he mainly focused on malicious URL detection and defense of\n\n APT attacks, he is now responsible for the research of autonomous\n\n driving security.\n\n\n"
},
{
"Title": "Exploiting Windows Exploit Mitigation for ROP Exploits",
"Day": "Thursday",
"Time": "10:00",
"Location": "DC101, Paris Theatre",
"Description": "Exploiting Windows Exploit Mitigation for ROP Exploits\n\n\n\n Thursday at 10:00 in DC101, Paris Theatre\n\n 45 minutes | Demo\n\n\n\nOmer Yair Endpoint Team Lead at Symantec\n\n\n\n \"A concept is a brick. It can be used to build a courthouse of reason.\n\n Or it can be thrown through the window.\" - Gilles Deleuze\n\n Ever since Smashing the Stack For Fun And Profit was published by Aleph\n\n One almost a quarter century ago the security world has completely\n\n changed the way it defends exploitation. Canary stack, DEP, ASLR, CFI\n\n and various other mitigation techniques were developed to address\n\n various exploit techniques. Yet, ROP remains a prominent practice\n\n employed by many exploits even today.\n\n ROP is the most common exploitation method for attackers to mutate\n\n memory bugs on target process into malicious executable code. \"Next\n\n Gen\" endpoint security products try to address ROP and other\n\n exploitation methods. Windows embraces many mitigation techniques as\n\n well. However, these mitigation features such as CFG can in fact be\n\n leveraged and increase ROP's attack surface and allow it to even bypass\n\n exploit protections!\n\n If you are intrigued by ROP, want to learn about methods in Windows\n\n that protect against ROP and how to bypass them - this talk is for you!\n\n On top of that a novel method of bypassing ROP mitigation of most\n\n products will also be revealed.\n\n\n\n Omer Yair\n\n Omer is End-Point team lead at Symantec (formerly Javelin Networks).\n\n His team focuses on methods to covertly manipulate OS internals. Before\n\n Symantec he was a malware researcher at IBM Trusteer for two years\n\n focusing on financial malware families. In the past he has worked at\n\n Algotec for six years developing medical imaging software and at IDF's\n\n technology unit for three years as dev team lead. Omer lectured on\n\n DerbyCon 8, Virus Bulletin and Zero Nights conferences. In his free\n\n time he revives historical photographic processes.\n\n Twitter: @yair_omer\n\n\n"
},
{
"Title": "Your Secret Files Are Mine: Bug Finding And Exploit Techniques On File",
"Day": "Sunday",
"Time": "10:00",
"Location": "Track 4",
"Description": "Your Secret Files Are Mine: Bug Finding And Exploit Techniques On File\n\nTransfer App Of All Top Android Vendors\n\n\n\n Sunday at 10:00 in Track 4\n\n 45 minutes | Demo, Tool, Exploit\n\n\n\nXiangqian Zhang\n\n\n\nHuiming Liu\n\n\n\n Nearby sharing apps are very convenient and fast when you want to\n\n transfer files and have been pre-installed on billions of devices.\n\n However, we found that most of them will also open a door for attackers\n\n to steal your files and even more.\n\n First, we did a comprehensive research about all top mobile vendors'\n\n pre-installed nearby sharing apps by reverse engineering. Many serious\n\n vulnerabilities are found on most of them and reported to vendors.\n\n Algorithm and design flaws in these apps can lead to file leaking and\n\n tampering, privacy leaks, arbitrary file downloads and even remote code\n\n execution. We will present all the related vulnerabilities' details and\n\n exploit techniques. Next, we conducted the same research on lots of\n\n third-party file sharing apps and found that they are even worse about\n\n security and are used by surprising more than 1 billion users. Files\n\n transferred between them are nearly naked when our MITM attack devices\n\n are nearby. Finally, we will summarize all the attack vectors and two\n\n common attack models. We will also present the attack demos and related\n\n tools.\n\n Besides, we will present our practical mitigations. Currently, we are\n\n working with most of the top vendors to mitigate these vulnerabilities.\n\n Through this talk, we want to notify users and mobile vendors to pay\n\n more attention to this serious situation and fix it better and sooner.\n\n\n\n Xiangqian Zhang\n\n Xiangqian Zhang is a security researcher at Tencent Security Xuanwu Lab\n\n and his research focuses on Mobile Security and IOT Security. Xiangqian\n\n found multiple Android kernel and system security vulnerabilities.\n\n Twitter: @h3rb0x\n\n\n\n Huiming Liu\n\n Huiming Liu is a security researcher at Tencent Security Xuanwu Lab and\n\n his research focuses on Mobile Security and IOT Security. Huiming has\n\n spoken at several security conferences including CanSecWest and\n\n BlackHat Asia.\n\n Twitter: @liuhm09\n\n\n"
},
{
"Title": "Web2Own: Attacking Desktop Apps From Web Security's Perspective",
"Day": "Thursday",
"Time": "14:00",
"Location": "DC101, Paris Theatre",
"Description": "Web2Own: Attacking Desktop Apps From Web Security's Perspective\n\n\n\n Thursday at 14:00 in DC101, Paris Theatre\n\n 45 minutes\n\n\n\nJunyu Zhou Security Researcher in Tencent Security Xuanwu Lab\n\n\n\nCe Qin Security Researcher in Tencent Security Xuanwu Lab\n\n\n\nJianing Wang Security Researcher in Tencent Security Xuanwu Lab\n\n\n\n People are always talking about binary vulnerabilities when attacking\n\n desktop applications. Memory corruptions are always costly to find.\n\n Meanwhile, mitigations introduced by operating systems make them harder\n\n to be exploited. More and more applications are using hybrid\n\n technologies, so we can try web security tricks to pwn them reliably\n\n with less effort.\n\n Our presentation will summarize attack surfaces and methods to find\n\n security issues in desktop applications. In particular, we will\n\n explicate some real-world cases, such as chaining multiple\n\n vulnerabilities (information leaking, CSP bypass, opened debugging\n\n port) to achieve RCE in a specialized IDE, sensitive file leaking in\n\n famous editors, privileged APIs abusing in many IM applications and so\n\n on. During our research, we find some issues actually reside in popular\n\n libraries. These flaws may affect more applications than we will\n\n demonstrate in this talk.\n\n Web security knowledge is usually unfamiliar to desktop application\n\n developers. Attacking desktop apps using web security tricks is a\n\n non-competitive \"blue ocean\". Our presentation will focus on many\n\n design misconceptions and implementation mistakes in desktop\n\n applications. By sharing these representative lessons, we hope to help\n\n desktop application developers improve the security of their products.\n\n\n\n Junyu Zhou\n\n Junyu Zhou, Security Researcher in Tencent Security Xuanwu Lab, CTF\n\n player from 0ops/A*0*E, is focusing on vulnerability research and web\n\n application security. Speaker of HITB2018Dubai and ZeroNights2018.\n\n\n\n Ce Qin\n\n Ce Qin, Security Researcher in Tencent Security Xuanwu Lab for 3 years,\n\n focus on software security, mainly on browser and Desktop software.\n\n\n\n Jianing Wang\n\n Jianing Wang, Security Researcher in Tencent Security Xuanwu Lab,\n\n member of Syclover, is focusing on vulnerability research and web\n\n application security.\n\n\n"
}
]
Based On:
ttps://gist.github.com/azeemba/a27689e1252711159d602abac6237366
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment