DEF CON 18 Speakers

Speaker Index

FOCA2: The FOCA Strikes Back

FOCA is a tool to extract information in the footprinting and fingerprinting phases of a penetration test. It helps auditors extract and analyze information from metadata, hidden info and lost data in published files. This new release of FOCA, version 2, adds tools to scan internal domains using PTR scanning, software recognition through installation paths, etc. The idea of FOCA is to give as much info as can be discovered automatically, starting from a public domain name.

Chema Alonso is a Computer Engineer from Rey Juan Carlos University and a System Engineer from the Politecnica University of Madrid. He has been working as a security consultant for the last six years and has been awarded Microsoft Most Valuable Professional from 2005 to the present. He is a frequent Microsoft speaker at security conferences. He writes monthly in several Spanish technical magazines. He is currently working on his PhD thesis about Blind Techniques. He recently spoke at BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks, at DEF CON 16 about Time-Based Blind SQL Injection using heavy queries, at Toorcon X about RFD (Remote File Downloading) and at DeepSec 2k8 in Austria. He has recently been selected to present at HackCon #4 and HackCon #5 in Norway and at ShmooCon 2k9 in Washington DC, Black Hat Europe 2k9, DEF CON 17 and Ekoparty in Argentina.

José Palazón "Palako" is globally responsible for mobile security at Yahoo!. With more than 9 years' experience in security auditing, consulting and training for the public, private and academic sectors, his areas of expertise include mobile, web security, Unix systems security and digital forensics. A frequent international speaker, he has presented, among others, at DEFCON (Las Vegas), Shmoocon (Washington) and FOWA (London), as well as published vulnerabilities in key sites such as

Connection String Parameter Attacks

This session is about the Connection String Parameter Pollution attack. Today, a lot of tools and web applications allow users to dynamically configure a connection to a database server. This session will demonstrate the high risk of doing this insecurely. This session will show how to steal the user account credential in Microsoft Internet Information Services, how to get access to these web applications by impersonating the connection and taking advantage of the web server credentials, and how to connect to internal database servers in the DMZ without credentials. The impact of these techniques is especially dangerous in hosting companies which allow customers to connect to control panels to configure databases.

Chema Alonso is a Computer Engineer from Rey Juan Carlos University and a System Engineer from the Politecnica University of Madrid. He has been working as a security consultant for the last six years and has been awarded Microsoft Most Valuable Professional from 2005 to the present. He is a frequent Microsoft speaker at security conferences. He writes monthly in several Spanish technical magazines. He is currently working on his PhD thesis about Blind Techniques. He recently spoke at BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks, at DEF CON 16 about Time-Based Blind SQL Injection using heavy queries, at Toorcon X about RFD (Remote File Downloading) and at DeepSec 2k8 in Austria. He has recently been selected to present at HackCon #4 and HackCon #5 in Norway and at ShmooCon 2k9 in Washington DC, Black Hat Europe 2k9, DEF CON 17 and Ekoparty in Argentina.

José Palazón "Palako" is globally responsible for mobile security at Yahoo!. With more than 9 years' experience in security auditing, consulting and training for the public, private and academic sectors, his areas of expertise include mobile, web security, Unix systems security and digital forensics. A frequent international speaker, he has presented, among others, at DEFCON (Las Vegas), Shmoocon (Washington) and FOWA (London), as well as published vulnerabilities in key sites such as

WPA Too!

WPA2 is the most robust security configuration available today for WiFi networks. It is widely used to secure enterprise WLANs. Interestingly, it is also being used to secure guest, municipal and public WiFi networks. In this paper, we present a new vulnerability found in WPA2 protocol which can be exploited by a malicious user to attack and compromise legitimate users. We also present a few attack mitigation techniques which can be used to protect genuine WiFi users.

Md Sohail Ahmad is a wireless security researcher and currently works as a Manager, Technology at AirTight Networks. He has over six years of experience in research and development in various wireless technologies such as WiFi, Bluetooth, GSM, GPRS etc. He possesses a strong background in secure driver development, protocol development, wireless network security and vulnerability assessment. He has discovered many security flaws and implementation vulnerabilities which have been presented at several international security events such as Defcon, Toorcon, Comsware etc.

He holds an MTech in Computer Science from Indian Institute of Technology Roorkee, India.

Evilgrade, "You Still Have Pending Upgrades?"

Vulnerabilities are disclosed daily and, in the best case, new patches are released. It is nothing new that many applications' update processes have security weaknesses allowing fake update injection. The new version of the framework will show how many update systems are still vulnerable to this trivial attack.

Francisco Amato is a researcher and computer security consultant who works in the areas of vulnerability development, black-box testing and reverse engineering. He runs his own company, [ISR] Infobyte Security Research, from where he publishes his developments in audit tools and vulnerabilities in products from companies like Novell, IBM, Sun Microsystems, Apple and Microsoft. He is a founding organizer of the ekoparty South America security conference.

Federico Kirschabum is currently the CTO of Infobyte Security Research, a company based in Buenos Aires, Argentina. With almost 10 years of experience researching and pentesting networks, he has developed a deep knowledge of the computer security & telecommunications field.

He is one of the founders of the ekoparty security conference, one of the biggest cons in Latin America, which is held yearly in BA. Besides computing, Federico studied filmmaking and worked in several productions. In his free time he loves to play competitive paintball and make asados for his friends.

Cyber[Crime | War] Charting Dangerous Waters

CyberWar has been a controversial topic in the past few years. Some say the mere term is an error. CyberCrime, on the other hand, has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organized crime's best sources of income.

In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, while mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organizations when carrying out attacks on the opposition.

We will discuss the connections between standard (kinetic) warfare and how modern campaigns use cybersecurity to their advantage and as an integral part of it.

With more than 10 years of experience in the information security industry, Iftach Ian Amit brings a mixture of software development, OS, network and Web security expertise as a Managing Partner of the top-tier security consulting and research firm Security & Innovation. Prior to Security & Innovation, Ian was the Director of Security Research for the Content Security Business Unit at Aladdin Knowledge Systems, where he created the AIRC (Attack Intelligence Research Center). Prior to joining Aladdin, Amit was Director of Security Research at a global Internet security company, leading its security research while positioning it as a leader in the Web security market. Amit has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, developing new techniques for attack interception, and as director at Datavantage, responsible for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application and UNIX worldwide. Amit holds a Bachelor's degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzliya.

SCADA and ICS for Security Experts: How to avoid Cyberdouchery

The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories. Suddenly, every consultant is an expert and every product fixes SCADA. And because they don't know what the hell they're talking about -- 'fake it till ya make it' doesn't work -- they're making all of us look stupid.

Attendees will gain a practical level of knowledge sufficient to keep them from appearing foolish should they choose to opine on any of the various real issues stemming from Industrial Control or SCADA systems. Attendees will also feel embarrassed for something they've said, empowered to call out charlatans, and much less worried about cyberhackers unleashing cyberattacks which cybercause cyberpipelines and cybermanufacturing plants to cybergonuts and cybertakeovertheplanet using cybercookiesofdeath.

James Arlen, CISA, sometimes known as Myrcurial, is a security consultant usually found in tall buildings wearing a suit, founder of the Think|Haus hackerspace, columnist at Liquidmatrix Security Digest, Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent. He's been at this security game for more than 15 years and loves blinky lights and shiny things. Cyber.

Exploitation on ARM - Technique and Bypassing Defense Mechanisms

This presentation will cover, from scratch, a quick overview of the security mechanisms on X86 and how to bypass them, how exploits are used on X86 and why they won't work as-is on ARM, how to approach ARM assembly from a hacker's point of view and how to write exploits the proper way for a remote and local attacker on ARM, what the options are for an ARM hacker, etc.

This presentation starts from the very basics of ARM assembly (since there are not a lot of experts on this subject) and advances to an expert level of ARM. After this talk you'll think the ARM way. Today, ARM is running on almost everything (mobile phones, TVs, and tons of other devices). Until now, we used to think that ARM means no protection mechanisms, which is not the case with the next generation of mobile phones.

In the recent/upcoming mobile phones you can start seeing security mechanisms implied. How can you run your shellcode if your stack is not executable? What else do you need to know?

There's almost nothing known on how to exploit weaknesses over ARM at the assembly level when there are security mechanisms present which are very common on X86.

This presentation also presents a technique to create a shellcode which will be able to bypass security mechanisms over ARM. For example, this technique can be used to exploit a stack overflow on ARM when the stack is not executable.

Itzhak Avraham (zuk) is a Computer & Network Security Expert who has done a wide variety of vulnerability assessments. Itzhak worked at the IDF as a Security Researcher and later as a Security Researcher Training Specialist. Itzhak has worked at top penetration testing companies in Israel. He is a Senior Engineer at Samsung R&D (Israel) and he's a proud partner of where he consults for special pentesting/hacking/RE projects. He's interested in any hacking-related topics such as regular (network/web) hacking, reverse engineering and exploitation of security weaknesses. As a hobby he volunteers for malware analysis at MalwareInt. He tweets as @ihackbanme and holds a personal hacking-related blog at

Web Services We Just Don't Need

A barbecue with a built in webserver. Remote command execution via Twitter. Great geek projects, but do we really need them? On the serious side of things, do we really need web-based management interfaces on firewalls, printers, and phone systems? Maybe it's time to take a look at the sometimes-humorous, often-dangerous downsides.

mckt (pronounced "mckt") is a three time consecutive winner of the Bill Bilano 'Heeey Dude!' award, and a volunteer with the Mitnick's Children Foundation.

He often finds himself in harrowing situations involving the stormtroopers of a popular software vendor, but always manages to escape using a rusty backslash and a pack of chewing gum. His mother is disappointed in him, but hopes he'll one day live up to his true potential.

Mobile Privacy: Tor on the iPhone and Other Unusual Devices

Mobile phones are still a proving ground for keeping users' privacy safe. This presentation will describe the problems which are arising around the use of these technologies and how they can affect mobile users. It will propose Tor as a possible solution for some of these problems, describing its own strengths and weaknesses and the efforts developers have put into implementing a working port of the program on different devices, from the Chumby One to my own port for the iPhone platform. Finally, it will also describe where development is going to protect mobile phone users' privacy and let them survive their own devices.

Marco Bonetti is a Computer Science engineer with a lot of passion for free and open source operating systems. Interested in privacy and security themes, he's following the emerging platforms for the protection of privacy in hostile environments. As he didn't find any suitable distribution for his PowerBook, he created Slackintosh: the unofficial PowerPC port of the famous Slackware Linux distribution. He's currently working as a security consultant for CutAway.

Who Cares About IPv6?

What is IPv6? Why should you care? If we ignore it, will it just go away?

The current Internet Protocol numbering scheme, IPv4, is nearing its end-of-life. Within two years, all the IPv4 numbers will be allocated, so that new devices will not be able to connect directly to the Internet. We all will be forced to adapt to the new IPv6 system soon. But how can we get started?

This talk explains why IPv6 is necessary, how it works, and how everyone can quickly and easily start using it now. I will explain and demonstrate how to set up a free tunnel to access the Internet via IPv6.

I will also explain the Hurricane Electric IPv6 certifications. The certifications are great because they guide a novice through the stages of IPv6 knowledge: connecting as a client, setting up an IPv6-enabled Web server, email server, DNS server, and glue records.

There are large security implications to IPv6 too. I will explain several important IPv6 vulnerabilities and countermeasures, including auto-configuration privacy risks, torrents over IPv6, bypassing VPNs with IPv6, Routing Header Zero packet amplification attacks, and the ping-pong IPv6 DoS vulnerability.

My goal is to convince the audience to pay attention to IPv6 and to guide them to an easy way to start learning about it and using it now. All my students at City College San Francisco will have IPv6 homework from now on. You need to get on board now or be left behind!

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON and Toorcon on Ethical Hacking, and taught classes and seminars at many other schools and teaching conferences. Sam is a Hurricane Electric Certified IPv6 Sage. He also has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. His Industry Certifications are: Certified Ethical Hacker, Microsoft: MCP, MCDST, MCTS: Vista; Network+, Security+, Certified Fiber Optic Technician.

Seccubus – Analyzing vulnerability assessment data the easy way...

As part of his job as Security Engineer at Schuberg Philis, Frank Breedijk performs regular security scans. The repetitive nature of scanning the same customer infrastructure over and over again made him decide to look for a more automated approach. After building his first scanning scheduler he realized that it actually does not make sense to look at all findings every time they are reported. It would be much better to only investigate the deltas between the scans. The philosophy behind Seccubus was born.

In his presentation Frank will demonstrate Seccubus by performing scans of a live demo environment and explain its inner workings and the philosophy behind it.

Frank Breedijk (@Seccubus) has been employed as a Security Engineer at Schuberg Philis since 2006. He is responsible for the technical information security of Schuberg Philis Mission Critical outsourcing services. This includes, but is not limited to:

* Security Awareness
* Vulnerability management
* Internal security consultancy
* Internal technical audits
* Seccubus development

Frank Breedijk has been active in IT Security for over 10 years. Before joining Schuberg Philis he worked as a Security Consultant for INS/BT and Security Officer for Interxion. He managed the European Security Operations Center (SOC) for Unisys' managed security services. During this period Gartner labeled Unisys a leader in the Magic Quadrant for Managed Security Services in Europe.

Besides his day job Frank Breedijk develops Seccubus, is active on Twitter and writes blog entries for He has also written magazine articles about Seccubus and security awareness.

My Twitter: @Seccubus


This talk covers the use of chaining vulnerabilities in order to bypass layered security systems. This talk will also cover ways of obtaining wormable remote code execution on a modern LAMP platform. These attacks were developed by me, and they are very new. These attacks are as real as it gets, and the results are making the headlines.

"Apocalyptic infection"
-- The Register

Michael Brooks: This will be my 3rd year in a row that I have spoken at Defcon. According to the Department of Homeland Security I have found a vulnerability with a severity metric of 13.5, which makes it into the top 1,000 most dangerous of all time. I am the top answerer of security questions on (The Rook). I actively hunt for vulnerabilities on a variety of platforms. I write exploit code and make it public. Hack to live, live to hack.

Resilient Botnet Command and Control with Tor

There's nothing worse than toiling away at building a large, powerful botnet after months of effort, only to see it get taken down by an ISP or hosting provider, or due to law enforcement intervention. Fortunately, a tool exists that will help us hide the command and control channels of botnets to allow us to control our botnets anonymously. This tool is Tor.

This presentation discusses several ways to operate a botnet anonymously via Tor, discusses the strengths and weaknesses of each method, and demonstrates some of these techniques live. Mitigation techniques will also be discussed for all the white hats in attendance.

Dennis Brown is a research engineer for Tenable Network Security. He specializes in malware analysis with a penchant for botnet research. Dennis has appeared previously at Toorcon and on the PaulDotCom security podcast, and is a frequent presenter for DC401 in Rhode Island.

How Hackers Won the Zombie Apocalypse

In April 2010, a zombie outbreak occurred in Providence, Rhode Island. These were not traditional zombies, however: they were controlled by an electronic device that allowed for wireless attacks against the living around them. Fortunately, the living had their own devices, and were able to fight off the zombies... but more threatening enemies entered the fray.

This is the story about the QuahogCon 2010 badge and the embedded Zombie Invasion game. For about 48 hours, hackers attacked not only other players, but the badges themselves, trying to unlock the secrets within. This presentation will explore the various hacks, both hardware and software, that people tried against a system they had little-to-no prior knowledge about, and both the failures and successes that resulted. It will also discuss the decisions made to make the firmware hackable in a way that was accessible to as many people as possible, but not entirely trivial. Further discussion points will cover the hardware used in the badge, some of the more hilarious issues that came up, and will discuss plans for future designs.

Dennis Brown is an organizer for QuahogCon, a regional hacker conference in Rhode Island run by DC401. He was one of two people who developed the Zombie Invasion firmware for the conference badges. Dennis has presented previously about topics related to his day job, such as botnets, underground economies, and social media trending. He has presented at Toorcon 10 and 11, and is a frequent presenter at DC401 meetings.

Exploiting SCADA Systems

SCADA systems are just as vulnerable to attack today as they were ten years ago. The lack of security awareness by SCADA software vendors, combined with the rush of hacking these systems, makes them very attractive to hackers today. The focus of this presentation will be showing the disconnect between SCADA software and secure programming. There will be a live demonstration of Sploitware, a framework dedicated to vulnerability analysis of SCADA systems. This framework could be thought of as a proof of concept, although you will see it is more than mature enough to prove the point.

Jeremy Brown is a computer security researcher employed at Tenable Network Security as a Vulnerability Research Engineer. Jeremy enjoys vulnerability research and analysis, exploit development, programming, fuzzing, and reverse engineering.

Twitter: @jeremybrownn

Cloud Computing, a Weapon of Mass Destruction?

Using cloud computing to attack systems allows for the testing of a company's incident response and recovery program. We have been using the cloud computing environment to test real world scenarios for different types of attacks, such as Distributed Denial of Service, Flooding, and Packet Fragmentation. The presentation will review some of the common attack types, what they are, and how they can be used to disrupt service. I will also review the steps that led us to choose the cloud computing environment, why these environments are good for most, but also why they may not meet your regulatory requirements. And lastly, I will review mitigation strategies and response programs that can reduce the operational risks when responding to these events.

David has over 9 years of computer security experience and is a self-taught expert. With that comes a CISSP and experience working on security engineering, design, administration and, more recently, consulting. He has performed security assessment projects for the health care, nuclear, retail, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. He is also an active participant in the local Minneapolis security groups, both as a board member of OWASP MSP and co-manager of DC612. His roots and experience come from working for large enterprise banks, designing and managing enterprise security systems. In more recent years he has been working as an Information Security Consultant reviewing the security and architecture of information computing environments.

Mike Anderson currently works as a security consultant for NetSPI, in Minneapolis, MN. He studied computer sciences and Japanese at the University of Minnesota, and worked as a systems operator and technician, supporting 2,000 concurrent users.

The Keys to Running a Successful DEF CON Group, by DC612

The local DC612 group has been around, and has had a fairly successful attendance for several years now. If you've got a group, or are thinking about running a group we have some pointers for capturing people, and how to keep them coming back for more!

Jared Bird and David M. N. Bryan have been working to keep the lights and utilities paid with the DC612 Group.

Google Toolbar: The NARC Within

You downloaded Google Toolbar because it came with Adobe, or you are a Google fanboy. You started using it to store your bookmarks because you're too lame to rsync them like a real man. Little do you know that Google is selling you out to your corporate security staff. They now know about the midget porn... the porn you bookmarked at home, but never view at work. Yes, *that* porn.

Jeff Bryner has 20 years of experience integrating systems, fixing security issues, performing incident response and forensics. He writes for the SANS forensic blog, has spoken at RSA on SCADA security issues and runs just for fun

Open Public Sensors and Trend Monitoring

Our world is instrumented with countless sensors. While many of these are outside of our control (at least without significant effort...) there is an incredible amount of publicly available information being generated and gathered all the time. While much of this data goes by unnoticed or ignored it contains fascinating insight into the behavior and trends that we see throughout society. The trick is being able to identify and isolate the useful patterns in this data and separate it from all the noise. Sites such as craigslist provide a wealth of wonderfully categorized trend information. What job categories are trending upward? What cities show the most (or the least) promise for technology careers? What relationship is there between the number of bikes for sale and the number of prostitution ads? All of this and more can be explored through data available from this single source - and it is just one of hundreds out there. This exploration was inspired by a past DefCon talk (Meme Mining for Fun and Profit) and seeks to inspire others to explore the exploitation of such publicly available sensor systems.

Daniel Burroughs first became interested in computer security shortly after getting a 300 baud modem to connect his C64 to the outside world. Since that time he has moved on to bigger and (somewhat) better things. These have included work in virtual reality systems at the Institute for Simulation and Training at the University of Central Florida, high speed hardware motion control software for laser engraving systems, parallel and distributed simulation research at Dartmouth College, distributed intrusion detection and analysis at the Institute for Security Technology Studies, and most recently development of a state-wide data sharing system for law enforcement agencies in Florida (FINDER). He currently works as research faculty at the University of Central Florida and is the Associate Technology Director for the Center for Law Enforcement Technology, Training, & Research.

He is also the proud owner of two DefCon leather jackets won at Hacker Jeopardy at DefCon 8 & 9 (as well as a few hangovers from trying to win more).

Bad Memories

No matter which kind of cryptography you are using to defend your network, sooner or later, to make it work, you will have to store a password, a key or a certificate somewhere. If the attacker is able to tamper with its storage mechanism, then even the strongest encryption mechanism becomes irrelevant.

In this talk we will present Tapjacking attacks, which abuse smartphone features to create more efficient clickjacking attacks. We also show how to attack storage mechanisms to tamper with SSL sessions and break into WiFi networks that use WPA encryption.

For SSL we will show how to exploit warning inconsistency and caching mechanisms to trick the user into accepting a bad cert and getting his credentials stolen.

For WiFi networks we will demonstrate how to use clickjacking, CSRF, and XSS to steal from routers the two pieces of information that an attacker needs to geo-localize and break into them, namely the WPA key and the MAC address. Finally we will discuss what frame busting defenses are used by the Alexa top 100 websites and how we were able to break them using standard and not so standard tricks. We also demonstrate how to use Paul Stone's scrolling attack in novel ways.

This is joint work with Dan Boneh and Collin Jackson.

Elie Bursztein is a researcher at the Stanford Computer Security Lab. He holds a PhD in computer science and an Engineering degree in computer systems, networks and security. His research focus is offensive technologies, mobile and web security. He enjoys applying game theory, machine learning and data mining techniques to security.

Baptiste Gourdin is a student at the Stanford Computer Security Lab focusing on web and mobile device security. He holds an Engineering degree in computer systems, networks and security.

Gustav Rydstedt is a student at the Stanford Computer Security Lab focusing on web and mobile device security.

Kartograph: Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Cheat at Video Games

While we were slaving away hacking an awesome memory analysis tool, Kartograph, our lazy graduate student friends next door were busy honing their skills in CIV 4, Age of Empire III, Anno, C&C, and WarCraft III. They did not anticipate that we could use Kartograph to own them in these games. This talk shows how we turned the tables on them by using Kartograph to build 0-day cheats. Kartograph is a tool designed to reverse-engineer the memory structure of games, applying analysis and visualization techniques to find small chunks of valuable information within large process footprints (like a needle in a haystack). As a proof of concept, we used Kartograph to extract the relevant 256KB chunks from 1+GB processes and built what is considered the most difficult cheat to build: a map-hack. We will show a live demo of how Kartograph works and some cool cheats we built with it for CIV4, AoE3, Anno, and WarIII. If you want to learn about memory forensic techniques, or if you want to cheat at these popular games, you don't want to miss this talk.

Elie Bursztein is a researcher at the Stanford Computer Security Lab. He holds a PhD in computer science and an Engineering degree in computer systems, networks and security. His research focus is offensive technologies, mobile and web security. He enjoys applying game theory, machine learning and data mining techniques to security.

Jocelyn Lagarenne is a student at the Stanford Computer Security Lab. He holds an Engineering degree in computer systems, networks and security. His research focuses on system and network security.

Dan Boneh heads the applied crypto group at the Computer Science department at Stanford University. Dr. Boneh's research focuses on applications of cryptography to computer security. He is a recipient of the Packard Award, the Alfred P. Sloan Award, and the RSA Award.

Token Kidnapping's Revenge

On April 14, 2009 Microsoft released a patch ( to fix the issues detailed in my previous Token Kidnapping presentation ( The patch properly fixed the issues but...

This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7. These new attacks allow bypassing new Windows service protections such as per-service SID, write-restricted token, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to the Local System account and completely compromise Windows OSs. While the issues are not critical in nature, since impersonation rights are required, they allow exploiting services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploit code for those services will be released. The presentation will be given in a very practical way, showing how the new issues were found, with what tools, techniques, etc., allowing the participants to learn how to easily find these kinds of security issues in Windows operating systems.

Cesar Cerrudo is the founder and CEO of Argeniss, a security consultancy firm based in Argentina. He is a security researcher and consultant specializing in application security. Regarded as a leading application security researcher, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database, application security, attacks and exploitation techniques and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, FRHACK, EkoParty, etc. Cesar collaborates with and is regularly quoted in print and online publications including eWeek, ComputerWorld, and other leading journals.

WRT54-TM, Media Center and Network Sniffer

Q: Can you build a low budget media center and packet sniffer using a Linksys WRT54G-TM in 20 minutes or less?

A: Yes!

Outside the hardware hacks, I'll show you what firmware and packages are needed and get everything operational in less than 20 minutes. It starts with laying the framework by flashing a stock WRT54G-TM and then loading OpenWRT. To finish, I then install and configure the correct packages to auto-mount a 16 Gig SDHC memory chip. We will also get that SDHC card shared on the network for remote access, so we can map a drive to the WRT file system. For even more storage, we will auto mount a network share on the WRT. The final addition will be darkstat installation and configuration for packet sniffing, logging and graphing the network traffic from all the interfaces on the WRT, yes even wireless!

John A. Colley's bio: I have spent 25 years in the computer field. I started out working on DEC PDPs, VAXes, and Xerox Mainframes in the early 80's as a field engineer. My principal job was maintaining and repairing all processors and associated peripheral devices, to include multivendor networking gear, tape drives, disk drives, line printers, and a wide variety of terminal devices around the Washington, DC area.

That was an era when we could actually replace the R/W heads on the disk drives, and the tape drives were the size of refrigerators. An oscilloscope was part of my field engineer's tool kit, along with alignment packs and master skew tapes. The computer rooms were the size of football fields and I never had to worry about the hot humid days on the east coast.

Over the past 25 years I've had the privilege of working at NIST, NRL, NASA, DTNSRDC, NSWC, NADC, all while supporting our country in ways I never dreamed of as a young HAM operator in the 70's. Amateur radio then was the Internet of today and communications is my true passion no matter what the medium happens to be.

As business and government become increasingly reliant on the Internet, data and network security is becoming a major concern. To meet that demand for qualified security experts, I am currently enrolled in the Information Security program at the College of Southern Maryland. My projected graduation date is Fall of 2010. When I complete my formal education, I want to combine my solid experience with my new skills to meet the challenges of the 21st Century Information Society.

Hacking Facebook Privacy

Facebook's privacy issues are numerous and well-documented, from software "glitches" to decisions that take control away from users. Despite that, it is a still-growing force in the modern Internet and is currently trying to position itself as the gateway to the "social Web" for its 500 million users.

What can we, as hackers, do to protect the privacy of those millions?

This panel walks through a few existing projects that apply software skills to the privacy challenges that Facebook presents, from working within the system using Facebook's Platform API to adding a layer to the system with browser extensions to presenting a robust open-source alternative to the whole Facebook platform. We'll discuss how these different tools fit into various strategies to alter or replace Facebook's existing privacy regime and what other approaches might be successful in protecting privacy on Facebook and other user networks.

Chris Conley is the Technology & Civil Liberties Fellow at the ACLU of Northern California where he focuses on launching the organization's new online privacy campaign, Demand Your dotRights. A former computer scientist turned lawyer, Chris still uses his tech skills to explore the ramifications of new technologies and to create educational tools that expose the privacy consequences of technical design, ranging from short videos to Facebook applications. He works with users, developers, businesses, and lawmakers to promote transparency, protect individual rights from government intrusion, and give users of new technologies greater control of their own information.

Our Instrumented Lives: Sensors, Sensors, Everywhere...

Make no mistake, your analog life is under siege. Virtually every facet of your day to day existence is being sampled, digitized, aggregated, collated, shared, and reality mined. Whether the reason is to support your friendly neighborhood targeted advertiser or to help win a war on terror, a thickening web of sensors tracks our day to day existence in the physical world. Sensors are everywhere: our sneakers, cell phones, appliances, game consoles, power meters, automobiles, highways, bridges, airports, shopping malls and night clubs, among many others. At the same time, technologies that uniquely identify us from a sea of others are on the rise. Financial and other incentives motivate many to start sampling our lives and the law does little to protect us. Convergence of the resultant islands of data is occurring now. More important however is the next step. Because sampling is occurring on a scale never before imaginable, our uniqueness and individuality are giving way to previously impossible models of collective and individual human behavior. How these models will be used is up for debate, but you can be certain they will be abused by some. This talk examines the problem of our impending instrumented existence, studies where it is all going, and provides you with ways to defend yourself, your family, and friends.

Greg Conti is an Academy Professor and Director of West Point's Cyber Security Research Center. His research includes online privacy, cyber warfare, security data visualization, and usable security. He is the author of Security Data Visualization (No Starch Press) and Googling Security (Addison-Wesley). His hobbies include woodturning and helping humanity avoid a dystopian future. His work can be found at and

Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device

The Programmable HID USB Keystroke Dongle (PHUKD) is a small device based around the Teensy microcontroller development board. It allows users to program in keystrokes and mouse macros that can execute when the device is plugged in, after a set time, or when certain environmental conditions are met (light, noise, temperature, etc.). This device can be used as a replacement for a U3 hacksaw, as a device left behind to execute commands when someone with elevated privileges is likely to be logged in, or given as a Trojan device to unsuspecting targets. Much pwnage should ensue.

Adrian Crenshaw has worked in the IT industry for the last twelve years. He runs the information security website, which specializes in videos and articles that illustrate how to use various pen-testing and security tools.

IPv6: No Longer Optional

The available pool of IPv4 address space has reached a critical level. With about 7% of the IPv4 free pool remaining, organizations should already be taking steps to prepare for IPv6. There is only about a year before IPv4 is fully depleted, so it is vital that all companies adopt IPv6, the next-generation Internet Protocol, now to avoid growth and scaling issues down the road.

While IPv6 will help lead the development and deployment of next-generation, IP-based networks and services, many companies have been slow to adopt IPv6 for various reasons, such as the cost in time and money to move to an IPv6 system, and the need for bridging technology to make IPv4 and IPv6 systems compatible.

In this session, John Curran, CEO of the American Registry for Internet Numbers (ARIN), will describe the key considerations for and benefits of IPv6 adoption and the steps all network operators and engineers should be taking to prepare for IPv4 depletion challenges.

John will also review regional and global IPv4 depletion and IPv6 adoption statistics, address allocation trends, and the IPv6 educational resources available to help operators and engineers prepare.

ARIN is the nonprofit corporation that manages the distribution of Internet number resources, including IPv4 and IPv6 addresses and Autonomous System Numbers (ASNs), to Canada, many Caribbean and North Atlantic islands, and the United States.

John Curran is the President and CEO of the American Registry for Internet Numbers (ARIN), responsible for leading the organization in its mission of managing the distribution of Internet number resources in its geographic region. He was also a founder of ARIN and served as its Chairman from inception through early 2009.

John's experience in the Internet industry includes serving as CTO and COO for ServerVault, which provides highly secure, fully managed infrastructure solutions for sensitive federal government and commercial applications. Prior to this, he was CTO for XO Communications, and was integral in leading the organization's technical initiatives, network architecture, and design of leading-edge capabilities built into the company's nationwide network. Mr. Curran also served as CTO for BBN/GTE Internetworking, where he was responsible for the organization's strategic technology direction. He led BBN's technical evolution from one of the earliest Internet Service Providers through its growth and eventual acquisition by GTE.

He has also been an active participant in the Internet Engineering Task Force (IETF), having both co-chaired the IETF Operations and Network Management Area and served as a member of the IPng (IPv6) Directorate.

Function Hooking for Mac OSX and Linux

This talk will cover three different methods of function hooking for Mac OSX and Linux. The talk will begin by describing useful bits of Intel64 assembly followed up with 3 different binary rewriting techniques to hook a range of different functions, including some inlined functions, too. We'll finish up with a demo of two nice things that these techniques make possible (a memory profiler and a function call tracer), and one slightly more evil thing.

Joe Damato is a systems programmer who spends his days hacking on the Ruby VM and tools for analyzing the performance characteristics of complex software systems. He maintains a blog where he releases code, patches to the Ruby VM, and his thoughts on low level systems programming. He maintains memprof, a Ruby level memory profiler and added support for libdl to trace.

Exploiting Internet Surveillance Systems

For many years people have been debating whether or not surveillance capabilities should be built into the Internet. Cypherpunks see a future of perfect end to end encryption while telecom companies are hard at work building surveillance interfaces into their networks. Do these lawful intercept interfaces create unnecessary security risks?

This talk will review published architectures for lawful intercept and explain how a number of different technical weaknesses in their design and implementation could be exploited to gain unauthorized access and spy on communications without leaving a trace. The talk will explain how these systems are deployed in practice and how unauthorized access is likely to be obtained in real world scenarios. The talk will also introduce several architectural changes that would improve their resilience to attack if adopted. Finally, we'll consider what all this means for the future of surveillance in the Internet - what are the possible scenarios and what is actually likely to happen over time.

Decius works in the computer security industry. His job consists mostly of having meetings with people and filling out forms. He used to do a lot of patch reversing but he doesn't have time any more. He has spoken at Blackhat Federal, Electronic Frontier Forums, H.O.P.E., Summercon, Phreaknic, Interz0ne, and Outerz0ne. He likes beer, particularly if it is from Bavaria.

Physical Security : You're Doing It Wrong!

Follow in the footsteps of a seasoned geek as he recalls his adventures in the design, buildout, and operation of a physical security system. Learn how to plan ahead for the issues that will fall on your head, how to get vendors to take you to lunch, and how to achieve the impossible: a physical security system that keeps users, management, your budget, and you happy while actually keeping out the bad guys.

A.P. Delchi started out with a TRS-80 and a dream: to escape farm country. Since then he has derailed his professional career by associating with the hacker community. This includes rocking the house as a DJ for the Cult of the Dead Cow, covert operations for the Ninja Strike Force, professional power drinking with 303, and giving spiritual guidance to Attack Research & Offensive Computing. Taking a break from these stressful activities he has presented at Pumpcon, Defcon, HOPE, and professional engagements discussing information and physical security, automated reverse engineering, network analysis and incident response. In-between bouts of employment, he has also authored the someday-to-be-published graphic novel CHOWN. Utilizing this unique background and a list of accomplishments that cannot be discussed in polite company, he has achieved the holy grail of network defense: being able to prevent Valsmith from breaking into a secured computer network.

The Search for Perfect Handcuffs... and the Perfect Handcuff Key

The few handcuff talks which have appeared at conferences in the past have focused mostly on how these restraints function and how to open them without a key. While this talk is no exception (going into great detail about the specialized anti-pick protections used by many brands) we will also reveal the product of ongoing, precision research that TOOOL members have conducted.

Did you know that although there is a "standard" size and shape for basic handcuff keys, every manufacturer has variations, special features, and sizing issues that make creating a single, universal key quite difficult? In our talk, we will explain how to create this type of "ultimate" key that opens all major brands of handcuff, both in the United States and elsewhere around the world. The über key is verified as working with...

Smith & Wesson (USA)
Peerless (USA)
Chicago (USA)
Winchester (USA)
Hiatt-Thompson (UK)
Kyoung Chang (Korea)
Yuil (Korea)
Republic Arms (South Africa)
... and more!

We have the math, we have the means, and will demonstrate to everyone how to obtain the best handcuff key you might ever own!

The Open Organization of Lockpickers is a non-profit sportpicking group dedicated to the advancement of the general public knowledge about locks and lockpicking. By examining locks, safes, and other such hardware and by publicly discussing our findings we hope to strip away the mystery with which so many of these products are imbued.

The more that people know about lock technology, the better they are capable of understanding how and where certain weaknesses are present. This makes them well-equipped to participate in sportpicking endeavors and also helps them simply be better consumers in the marketplace, making decisions based on sound fact and research.

Deviant Ollam: While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organization of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions at Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Katana: Portable Multi-Boot Security Suite

Tired of keeping up with dozens of CDs and flash drives loaded with various live operating systems and applications? I will be introducing Katana: Portable Multi-Boot Security Suite, which brings many of the best live operating systems and portable applications together onto a single flash drive. Katana includes live distros like BackTrack, the Ultimate Boot CD, UBCD4Win, Ophcrack, and Trinity Rescue Kit as well as hundreds of portable applications like Wireshark, Angry IP, The Sleuth Kit, ClamAV, and OllyDbg. I will cover how Katana was made, what tools are included, how to add additional distributions and applications, and how to use Katana for everyday needs.

JP Dunning is currently a graduate student in Computer Science at Virginia Tech, working as a researcher in the Virginia Tech IT Security Lab. His research interests include the fields of wireless and portable security.

Breaking Bluetooth By Being Bored

Bluetooth has come leaps and bounds in its past decade of use, finding its way into billions of devices worldwide. This talk introduces several new Bluetooth attack tools and projects focusing on automated pen-testing, obfuscation, Bluetooth profile cloning, war-nibbling, denial of service, and mapping Bluetooth device information. We will discuss what information your Bluetooth devices give out about you and what you can do about it, a method for more accurate discovery of Bluetooth devices in non-discoverable mode, how to automate your Bluetooth pen-testing, as well as a few exploits over Bluetooth file transfer.

JP Dunning is currently a graduate student in Computer Science at Virginia Tech, working as a researcher in the Virginia Tech IT Security Lab. His research interests include the fields of wireless and portable security.

An Observatory for the SSLiverse

This talk reports a comprehensive study of the set of certificates currently in use on public HTTPS servers. We investigate who signed the certs, what properties they have, and whether there is any evidence of malicious certificates signed, directly or indirectly, by trusted CAs.

Peter Eckersley is a Senior Staff Technologist at the Electronic Frontier Foundation. His research interests include digital copyright and alternatives to digital copyright, network neutrality and network testing, censorship circumvention and privacy enhancing technologies.

Jesse Burns is a founding partner at iSEC Partners, where he performs penetration tests and manages research. Prior to founding iSEC Partners in 2004, Jesse worked in a variety of software security roles, including as a managing security architect for @Stake, and as a developer of security and directory management tools on Windows and Unix systems. He has previously spoken on topics like Android security, fuzzing Windows IPC mechanisms, Windows Vista security, and the weaknesses of NTLM.

How Unique Is Your Browser?

This talk reports the results of the Panopticlick browser fingerprinting experiment. We show how innocent-looking version and configuration information can be used to uniquely identify almost all desktop browsers, without the use of cookies or IP addresses. We discuss how this comes about, how serious a problem it is, and just how hard it will be to fix...

Peter Eckersley is a Senior Staff Technologist at the Electronic Frontier Foundation. His research interests include digital copyright and alternatives to digital copyright, network neutrality and network testing, censorship circumvention and privacy enhancing technologies.

Your Boss is a Douchebag... How About You?

These days, all hackers have jobs and make some type of money. No matter if you are an independent researcher, consultant, 1337 hacker, or entrepreneur, sometimes you have to deal with the corporate crap, one way or another. Now, how about those who really have to deal with it on a daily basis in the corporate world? Well, this is an updated version of my DEF CON 15 talk, shorter in time, yet heavier on rants. Years go by, and most companies still don't understand their employees, and/or keep the old-style management. On the flip side, the new generation of hackers are getting into good companies, making good money, and some think they have reached the peak of their career.
What's up?
We like to blame the companies and bosses, but, how about our own faults and mistakes? You might be part of the problem, not the solution. And those stupid rules you have to follow, might exist because of your actions.

It's easy and common to say your boss is a douchebag, but what happens when YOU become the boss and have to manage the newer (and old) generation? Is it that easy? In addition to just covering the corporate bullshit, I am gonna touch on some of the cultural differences around the world and try to help the hacker community and the companies better understand each other.

Luiz "effffn" Eduardo is a security consultant, researcher and hacker who's been around the corporate world around the globe for almost 20 years.

He's somewhat known in the hacker community for helping with the wireless networks at your favorite security cons and is the founder and one of the organizers of the YSTS security conference in Brazil.

Throughout his career Luiz has worked with possibly all types of networking technologies in the enterprise and service provider sectors, as well as the security around these technologies, and has been a speaker at security events around the globe including DefCon, ShmooCon, LayerOne, Toorcon, H2HC, HitB Malaysia and others. You can follow Luiz on Twitter as well.

Hacking with Hardware: Introducing the Universal RF USB Keyboard Emulation Device - URFUKED

"If do right, no can defence" -Miyagi

Do you check every USB plug on your computer before you log in? Didn't think so... URFUKED is used to take over the user's keyboard input and quickly execute preprogrammed attacks with the user's privileges.

Plug the USB receiver into the victim's computer. Then attack immediately or, if necessary, wait for the user to log in, then trigger the attack remotely with an RF transmitter.

Walk by and talk to the victim, and while he's turned away from the display, press the button on the transmitter to trigger the attack; it'll be done by the time he turns back around. Or trigger it from across the room. It happens too fast to stop even if the user is watching when it happens.

Learn how to build the device cheaply and program it using the open-source Arduino development environment. Learn how to use it and modify it for specific attacks.

Monta Elkins: Bio coming soon.

Be A Mentor!

Breaking into the Information Security field isn't easy. The web of certifications, skills, and credibility is hard to climb through without the help of someone who's been there. Many of us would not be here today without the guidance of a mentor. The Information Security Mentor Match-up program is here at DEF CON to help those people new to the field meet with seasoned pros who know the value of mentoring. Whether you're a researcher, pen tester, network admin, number jockey, hardware hacker, or beer connoisseur, there's someone else at DEF CON that shares your passion. To participate in this session, sign up at

Marisa Fagan is Errata Security's Security Project Manager, responsible for managing the custom development lifecycles required for the tools in the Hacker Eye View suite, as well as managing the research and consulting engagements. She specializes in rapid development of network security tools and is recognized for her research in threat modeling and identity theft. Ms. Fagan has a BBA degree from Georgia State University focused on IT Project Management and Information Security. Ms. Fagan has presented her work at SummerCon 2009 in Atlanta, GA and at Security B-Sides, 2009 in Las Vegas, NV & 2010 in San Francisco, CA.

Hacking and Protecting Oracle Database Vault

Oracle Database Vault was launched a few years ago to put a limit on DBAs' unlimited power, especially over highly confidential data where it is required by regulations. This presentation will show how this add-on product for Oracle Database performs on this difficult task, first giving an introduction to DB Vault and the protections it brings, then showing with many examples how it is possible to bypass the protections provided. The attacks demonstrated include getting operating system access to disable DB Vault, SQL injection and impersonation techniques to bypass DB Vault protections, and how it is possible to circumvent DB Vault using simple exploits. These attack examples are accompanied by recommendations on how to protect against them. The presentation also shows some issues with native database auditing and has a section with additional recommendations to secure DB Vault, followed by conclusions.

Esteban Martínez Fayó is a security researcher; he has discovered and helped to fix multiple security vulnerabilities in major vendor software products. He specializes in application security and is recognized as the discoverer of most of the vulnerabilities in Oracle server software. Esteban has developed and presented novel database attack techniques at international conferences such as Black Hat, WebSec, NcN and ekoparty. Esteban currently works for Argeniss doing information security research and developing security related software solutions.

Trolling Reverse-Engineers with Math: Ness... It hurts...

y = mx+b? f(x) = sin(x/freq)*amp?! SIN X = (A+BX+CX^2)/(P+QX+RX^2)?! None of these formulas as they stand alone really mean much of anything-- except maybe a headache for some. Isolating the variables, however, will eventually open the door for us to manipulate our code in creative and exciting ways. This isn't necessarily a ground-breaking technique in obfuscation, but who cares if it's fun? Given an arbitrary formula, we can place our code anywhere we like. It doesn't even need to be a traditional f(x) formula like a sine wave, either-- all we need is a number and some constants. Draw your code in circles? Sure! Sexually harass a reverse-engineer by the shape and girth of your code in memory? Hell yes! This talk will attempt to teach a functional method that allows for the random placement, concatenation and manipulation of assembly instructions in an attempt to fill up a reverser's swear jar. You don't need to write any assembly-- but you better come knowing its mechanics.

frank^2 has made a concerted effort to recursively generate arbitrary factory-factories of abstract static class pointers for the sake of synergising synthesized request-for-comment identifier palindromes as a means of deterministically reducing the Big-O notation of the algorithm which generates arbitrary bi-lateral paths to the 12 Galaxies. As the big endian of his peers he held the responsibility of keeping the order, assuring every bitty piece was kept in line. This allowed for the iterative arbitration of worldwide frankenstein living death slavery, to explore and control the entire universe. The gangster computer god also planned degeneration through markov-chain algorithms applied with a weighted percentage determined by the frequency of the word in an average set of words fed to it from the channel of communication. A second dimension could be added for greater accuracy.

The Anatomy of Drug Testing

This talk will cover most of the basics and some of the advanced principles and procedures of how drug screening works. Areas of the subject that will be covered include the legality of drugs, the legality of drug testing, methods of drug testing, sample types, and reliability.

Jimi Fiekert's bio: I am a graduate of Cincinnati Technical College with a degree in Medical Laboratory Technician (MLT), and certified by the American Society of Clinical Pathologists (ASCP). I am also certified by the Department of Transportation (DOT) in the collection of legal drug screens and the administration of Breath Alcohol Testing. On top of that, I have personally done more research into the field of drug testing and how drugs interact with our bodies beyond what I have needed career-wise.

Exploitable Assumptions Workshop

The mental disconnect that occurs in a "limiting assumption" is an excellent opportunity for exploitation. This cognitive security hole makes it possible to identify opportunities for injecting "rootkits" into human-scale systems that won't be found by conventional thinking. Con-men and marketing professionals have already realized the importance of these techniques and use them to great effect. In this workshop, we'll work through a methodology called Axiomatic Design that exposes these assumptions. We will apply this and other techniques to design problems and develop an "assumption-hacker" toolkit that will let you spot and make use of these opportunities.

Joe "Crazy" Foley is currently a researcher at iRobot's Government and Industrial Research Department. In addition to designing sneaky killer robots, he develops software for destroying expensive things. He got his Master's at MIT's AutoID Center developing the Object Name System for improving RFID visibility/tracing. He then spent the rest of his MIT graduate career trying to put the genie back in the bottle by improving RFID security and privacy culminating in the Tinfoil system.

Eric "Unlocked" Schmiedl majored in physical security at the playground of his elementary school, where he taught his friends to pick a freshly-bought Master padlock while they were hiding from the teachers during recess. He sits on the board of The Open Organization of Lockpickers (US Division), a group dedicated to promoting locksport and critical thinking about security, and helped found the Boston chapter while he was at MIT. Schmiedl has spoken on securing the physical world at many conferences over the years, including DEFCON, Black Hat, SecureWorld, and LockCon.

Zoz, PhD is a co-founder of Cannytrophic Design. He is famous for a variety of Discovery Channel shows and faking a UFO crash-landing.

Mastering the Nmap Scripting Engine

Most hackers can use Nmap for simple port scanning and OS detection, but the Nmap Scripting Engine (NSE) takes scanning to a whole new level. Nmap's high-speed networking engine can now spider web sites for SQL injection vulnerabilities, brute-force crack and query MSRPC services, find open proxies, and more. Nmap includes more than 125 NSE scripts for network discovery, vulnerability detection, exploitation, and authentication cracking.

Rather than give a dry overview of NSE, Fyodor and Nmap co-maintainer David Fifield demonstrate practical solutions to common problems. They have scanned millions of hosts with NSE and will discuss vulnerabilities found on enterprise networks and how Nmap can be used to quickly detect those problems on your own systems. Then they demonstrate how easy it is to write custom NSE scripts to meet the needs of your network. Finally they take a quick look at recent Nmap developments and provide a preview of what is soon to come. This presentation does not require any NSE experience, but it wouldn't hurt to read

Fyodor authored the open source Nmap Security Scanner in 1997 and continues to coordinate its development. He also maintains the Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org security resource sites and has authored seminal papers on remote operating system detection and stealth port scanning. He is a founding member of the Honeynet project, former president of Computer Professionals for Social Responsibility (CPSR), and author or co-author of the books "Nmap Network Scanning", "Know Your Enemy: Honeynets" and "Stealing the Network: How to Own a Continent".

David Fifield is the co-maintainer of Nmap and author of the Ndiff scan comparison utility. He has also been active in the maintenance and enhancement of the Ncat network tool, the Zenmap GUI, and the Nmap Scripting Engine. Much of his time has been spent improving Nmap's performance and accuracy. He has previously presented about Nmap at the FOSDEM and LinuxTag conferences.

Live Fire Exercise: Baltic Cyber Shield 2010

In May 2010, the Cooperative Cyber Defence Centre of Excellence in Estonia and the Swedish National Defence College hosted the Baltic Cyber Shield (BCS) international cyber defense exercise (CDX). For two days, six Blue Teams from northern European government, military and academic institutions defended simulated power generation companies against a Red Team of twenty hostile computer hackers. The scenario described a volatile geopolitical environment in which newly hired network security personnel were immediately forced to defend Critical Information Infrastructure (CII) from cyber attacks sponsored by a non-state, terrorist group. This presentation covers the origin and evolution of CDXs and describes the design, goals, and lessons learned from BCS 2010.

Kenneth Geers works for the Naval Criminal Investigative Service (NCIS), and is the U.S. Representative to the Cooperative Cyber Defence Centre of Excellence (CCD CoE) in Tallinn, Estonia. He has served as an intelligence analyst, a French and Russian linguist, and computer programmer in support of arms control initiatives. Kenneth has published strategic and technical papers on the growing connection between computer security and national security. He is a PhD student at the Tallinn University of Technology, and is a Certified Information Systems Security Professional (CISSP).

Making the DEF CON 18 Badge

For the fifth year in a row, the DEFCON Badge makes its appearance as a full-fledged, active electronic system. Pushing fabrication techniques to the limit and using some components that are so new they barely exist, the design of this year's badge took some serious risks. Did they pay off? If you're in this talk and not standing in a long line to get your badge, then the answer is "Yes!"

Join Kingpin as he guides you through the entire process of the badge, from initial concept to prototype electronics to firmware design to manufacturing, and all of the problems and challenges he faced along the way.

Joe Grand, also known as Kingpin, is an electrical engineer and hardware hacker. He has had the honor of designing the DEFCON badge for the past five years. Back in the day, he was a member of L0pht Heavy Industries and was a co-host of Discovery Channel's Prototype This.

Legal Developments in Hardware Hacking

Hardware hacking raises some novel legal issues. This presentation will discuss recent updates in the law that hardware hackers need to know. Topics will include updates on phone unlocking and jailbreaking following the Digital Millennium Copyright Act rulemaking, and reverse engineering law. We will also discuss a case in California that will decide whether it is legal for a company to automate a user's access to her own Facebook data without using Facebook's APIs.

Jennifer Granick is the Civil Liberties Director at the Electronic Frontier Foundation. Before EFF, Granick was a Lecturer in Law and Executive Director of the Center for Internet and Society at Stanford Law School where she taught Cyberlaw and Computer Crime Law. She practices in the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally. Before teaching at Stanford, Jennifer spent almost a decade practicing criminal defense law in California. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Matt Zimmerman is a Senior Staff Attorney with the Electronic Frontier Foundation, focusing on civil liberties, free speech, and privacy law. His practice further includes ongoing work in intellectual property law as well as government transparency issues. For the 2004 and 2006 elections, he coordinated a team of nationwide legal volunteers who responded to election-day problems with e-voting technology for the non-partisan Election Protection Coalition. He currently heads EFF's efforts to coordinate nationwide e-voting litigation and amicus support and evaluate emerging voting technology. Prior to joining EFF, Matt was a Privacy Fellow at the public interest law firm The First Amendment Project where he specialized in privacy and open government issues. Previously, Matt worked at the international law firm Morrison & Foerster LLP, where he focused on technology and commercial litigation matters, and the nonprofit advocacy organization The First Amendment Project, where he specialized in privacy and free speech issues. He earned his law degree from Columbia University and his undergraduate degree from the University of Nebraska-Lincoln.

The Law of Laptop Search and Seizure

This talk will teach attendees about their legal rights in information stored on their laptops, including when crossing the United States border. We will answer questions such as: What do the police need to do to seize your laptop? Can the U.S. government force you to turn over your password during a border search? Do you have constitutional rights in email and other data stored in the cloud? What happens when the government attempts to force disclosure of passwords? Finally, we will give attendees practical advice on what to do when the police want to take their computers and how to secure device-accessible information, whether on the hard drive or stored remotely.

Jennifer Granick is the Civil Liberties Director at the Electronic Frontier Foundation. Before EFF, Granick was a Lecturer in Law and Executive Director of the Center for Internet and Society at Stanford Law School where she taught Cyberlaw and Computer Crime Law. She practices in the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally. Before teaching at Stanford, Jennifer spent almost a decade practicing criminal defense law in California. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Kevin Bankston, a senior staff attorney specializing in free speech and privacy law, was the Electronic Frontier Foundation's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.

Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she focuses on electronic privacy, computer crime, and other civil liberties issues. Documents made public through her Freedom of Information Act work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. Prior to joining EFF, Marcia was Staff Counsel and Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she worked on a broad range of privacy issues and spearheaded EPIC's efforts to learn about emerging government policies in the post-9/11 era. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.

Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and his undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook". In 2007, Opsahl was named one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal.

Advanced Format String Attacks

Format string attacks remain difficult in both software and hackademic exercises as the techniques have not improved since their discovery. This session demonstrates advanced format string attack techniques designed to automate the process from creation to compromise as well as incorporate those techniques into the Metasploit framework. The audience is encouraged to bring a basic understanding of format string attacks in order to leave the presentation with the tools necessary to never write one again.

Paul Haas is the lead web application security engineer at Redspin, Inc., where he has worked on a variety of research and penetration testing projects over the past four years, with experience in more than 100 infrastructure and security assessment projects. He holds a B.S. in Computer Science from the University of California Santa Barbara, and is a former member of the Reliable Software Group, where he performed a variety of research into tracing the function calls of Linux binaries, cellular phone worms, the creation of an open source VMware framework for OWASP vulnerabilities, and ViSe, a virtual security testbed used to efficiently study computer attacks and suspect tools as part of computer crime reconstruction. He is a former winner of the DEF CON Capture the Flag contest and enjoys playing Mario Kart in his free time.

Tales from the Crypto

Learn how to crack crypto contests like a pro. The speaker has awarded half a dozen free round-trip plane tickets to previous contest winners. Maybe you'll be next. From the daily newspaper puzzle to badge contests to codes that keep the National Security Agency awake at night, it all comes down to intuition, perspiration, and math skillz.

G. Mark Hardy has been providing information security expertise to government, military, and commercial clients for over 25 years. His professional background includes information security planning and policy development, managing security assessment and penetration teams, data encryption and authentication (including "breaking" commercial cryptographic algorithms), software development and strategic planning for e-commerce, and writing commercial risk assessment software. He has developed information security plans for four U.S. Military commands, and wrote the communications security encryption requirements for an experimental military satellite program. He just retired from the Navy reserves, so you can no longer spot him as a Fed.

Constricting the Web: Offensive Python for Web Hackers

It seems that everything is a web application nowadays. Whether the application is cloud-based, mobile, or even a fat client, they all seem to use web protocols to communicate. Adding to the traditional landscape, there is a rise in the use of application programming interfaces, integration hooks, and next generation web technologies. What this means for someone testing web applications is that flexibility is the key to success. The Python programming language is just as flexible as today's web application platforms. The language is appealing to security professionals because it is easy to read and write, has a wide variety of modules, and has plenty of resources for help. This additional flexibility affords the tester greater depth than many of the canned tests that come with the common tools they use on a daily basis. Greater familiarity plus a flexible language equals tester win!

In this presentation we introduce methods with which to create your own clients, tools, and test cases using the Python programming language. We want to put testers closer to the conditions they are testing for and arm them with the resources necessary to be successful. We also discuss interfacing with the tools that people commonly use for web application testing. This allows for pinpoint identification of specific vulnerabilities and conditions that are difficult for other tools to identify.

Nathan Hamiel is a Principal Consultant for FishNet Security's Application Security Practice. He is also an Associate Professor of Software Engineering at the University of Advancing Technology. Nathan is an Information Assurance faculty member who is part of the university's Center of Academic Excellence sponsored by the NSA and DHS. He spends most of his time focusing on the areas of application, Web 2.0, and enterprise security. Throughout his career Nathan has provided security guidance to everyone from Fortune 100 companies to government agencies. Nathan has been a speaker at security events around the world including Black Hat, DEF CON, ShmooCon, ToorCon, SecTor, and many others. Recently his talks have covered attacking everything from user-generated content to application programming interfaces.

Marcin Wielgoszewski is a security engineer and consultant at Gotham Digital Science. He is a committee member for the OWASP NYNJMetro chapter and has previously spoken at ShmooCon and other OWASP events. His research primarily focuses on software security and assurance.

How to Hack Millions of Routers

This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc., and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.

A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials. A live demonstration will show how to pop a remote root shell on Verizon FIOS routers (ActionTec MI424-WR).

Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.

Craig Heffner's experience in IT security includes system and network analysis, wireless and networking security and vulnerability discovery, and he is currently employed as a Senior Security Engineer for Seismic LLC. He frequently publishes various tools, papers and vulnerability reports, and has a special fondness for embedded devices, particularly any whose descriptions include the words "wireless" or "Web based administrative interface".

FOE: The Release of Feed Over Email, a Solution to Feed Controversial News to Censored Countries

Many repressive countries have created Internet censorship systems to prevent Internet users from accessing websites that are deemed inappropriate by their officials. In many cases, these websites are news, political, or religious websites, and the main purpose of the ban is to protect the interests of the country's political parties.

FOE is a new censorship circumvention tool developed in-house by the Broadcasting Board of Governors (the Federal Government agency that oversees and supports the operations of Voice of America, Radio Free Asia, Radio Free Europe, Radio Farda, etc.). FOE allows Internet users to get RSS feeds and/or download small files without needing proxy servers. The main goals of the FOE project are to create a multi-platform architecture that allows Internet users to receive unbiased news and to give developers a tool to create new censorship circumvention programs.

Sho Ho has been a freelance software developer for about 10 years and recently joined the Broadcasting Board of Governors, the Federal Government agency that oversees and supports broadcasters such as Voice of America, Radio Free Asia, Radio Free Europe, etc. Sho is a member of the Internet anti-censorship team at BBG, whose duties include developing and managing anti-censorship technologies to help Internet users in censored countries bypass government censorship.

How To Get Your FBI File (and Other Information You Want From the Federal Government)

Want to know the story behind the latest government scandal, or see what a three-letter agency knows about you? In this workshop, the Electronic Frontier Foundation will show you how to use two open government laws, the Freedom of Information Act and the Privacy Act, to ask for records from the federal government. We'll discuss what you can (and can't) get under these laws, how to write an effective open government request, how to appeal an agency's decision to withhold information, and how to figure out next steps.

Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she focuses on electronic privacy, computer crime, and other civil liberties issues. Documents made public through her Freedom of Information Act work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. Prior to joining EFF, Marcia was Staff Counsel and Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she worked on a broad range of privacy issues and spearheaded EPIC's efforts to learn about emerging government policies in the post-9/11 era. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.

Ripping Media Off Of the Wire

MySpace's implementations of the "Real Time Messaging Protocol" (RTMP), the proprietary protocol developed by Adobe Systems for streaming audio, video and data over the Internet, and of the "Encrypted Real Time Messaging Protocol" (RTMPE), the proprietary protocol created by Macromedia for streaming video and DRM, rely on security through obscurity and actually provide zero security.

This talk will describe methods and demonstrate how to download media from MySpace directly and convert the media into MP3s, breaking the DRM by manipulating the RTMP/RTMPE protocol implementation.

Additionally, the talk will describe methods and demonstrate how to download media from YouTube directly and convert the media into MP3s, without using online third parties for conversions, by manipulating parameters in URLs.

Honey works three jobs: she has been a Network Administrator for the past four years, she is a Research Assistant on a ballistics research grant from NIST, and she has just completed teaching a networking class as an Adjunct Professor at John Jay College of Criminal Justice in NYC. Honey will be returning to her graduate studies in the Fall 2010 semester to earn her Master's degree in Forensic Computing. Honey has worked in the IT industry for the past 9 years. She is self-taught and also holds a B.S. in Computer Information Systems and dual A.A.S. degrees in Industrial Electronic Engineering and Computer Networking; she holds a General class Amateur Radio Operator license, and the A+, N+ and Security+ certifications. She is currently preparing to take her CISSP.

Physical Computing, Virtual Security: Adding the Arduino Microcontroller Development Environment to Your Security Toolbox

The Arduino microcontroller platform entered the world under the guise of "physical computing" aimed at designers and artists, but just as you can use a paint brush to jimmy open a door, you can use the Arduino in your security toolkit too. Attend this talk to learn how the Arduino makes microcontrollers and embedded hardware accessible to hax0rs too. After a quick tour through the Arduino ecosystem we'll move on to offensive uses. You'll learn about the potential for use in re-implementing classic attacks, potential vulnerabilities in the "internet of things" infrastructure, USB driver fuzzing, physical control and perhaps some social engineering as well.

Leigh Honeywell is a jane of many trades. By day she works as a security consultant while finishing up a degree at the University of Toronto. By night (and sometimes over lunch) she is a co-founder and director of HackLab.TO, Toronto's hacker space. She also serves on the board of advisors of the SECtor security conference, has been a Google Summer of Code mentor, and is an avid cyclist, science fiction nerd, and traveller.

Follower admits some responsibility for integrating certain networking and USB technologies into the Arduino ecosystem. He has a particular interest in the intersection of software, hardware, craft and art. He is currently visiting the country to teach an introductory Arduino workshop at a large US tech conference. Occasionally he can be heard mumbling how Tim O'Reilly once called him a "troublemaker" for his Google Maps reverse engineering. He is also co-founder of Spacecraft, a New Zealand hackerspace, and gets the blame for kicking off the events that led to its establishment.

Decoding reCAPTCHA

Due to the prevalence of spammers on the internet CAPTCHAs have become a necessary security measure. Without a CAPTCHA in place a system is incapable of knowing whether a human or an automated computer is executing a request. Currently one of the most widely implemented versions of this system is Google's reCAPTCHA due to its robustness thus far. This paper illustrates techniques to defeat this system which has been trusted to secure websites such as Twitter, Facebook, Craigslist, and many others, as well as methods to secure it further. The efficacy of the techniques outlined herein is at a very conservative figure of ten percent, which is more than enough for an applicable exploitation of the system.

Chad Houck graduated in 2010 from Oakland University in Rochester, MI with a bachelor's in computer science and engineering. He has over a decade of programming, networking, and security experience and quite a bit of experience working with electrical circuits and micro-controllers. He also is a registered ham radio operator having obtained his extra class license in 2010 with the call sign of 'AC8FM'. He and his business partner run a company dealing with online marketing and freelance security. For further details please visit or for his own personal site please visit the dilapidated

Jason Lee is a programmer, researcher, and consultant who works in the area of security and marketing. He and Chad Houck run their own company (Ziggee) which develops autonomous systems for niche market analysis, web development, advertising, search engine optimization, security and statistical analysis. He is currently completing an information technology for homeland security associates degree at Oakland Community College. He also is a registered ham radio operator having obtained his general class license in 2010 with the call sign of 'KD8MWZ'. For more information please visit

NoSQL == No SQL injections?

This is a short talk on NoSQL technologies and their impact on traditional injection threats such as SQL injection. This talk surveys existing NoSQL technologies, and then demos proof-of-concept threats found with CouchDB. We then discuss the impact of NoSQL technologies on existing security technologies such as blackbox scanning, static analysis, and web application firewalls.

Wayne Huang has extensive experience in the security industry and is a frequent speaker at security conferences including RSA (07, 10), SyScan (08, 09), OWASP (08, 09), Hacks in Taiwan (06, 07), WWW (03, 04), PHP (07) and DSN (04). He is the first author to achieve consecutive best paper nominations at the prestigious World Wide Web (WWW) Conferences (2003, 2004), and has co-authored the Web Application Security chapter of "Computer Security in the 21st Century" (Springer US, 2005). Wayne is a PhD candidate at the EE, NTU, and has received his BS and MS in CS from NCTU.

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection

This year saw the biggest news in Web security ever: Operation Aurora, which aimed at stealing source code and other intellectual property and succeeded against more than 30 companies, including Google. Incident response showed that the operation involved an IE 0-day drive-by download, resulting in Google's compromise and the leak of source code to jump points in Taiwan. The US Government is so concerned that it issued a demarche to the Chinese government.

Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.

If drive-bys are so easy to inject into high-traffic websites, then the question becomes: how easy is it to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and give an overview of commonly used techniques.

We will reveal for the first time, at this conference, some very advanced techniques that have been almost impossible for automated analysis to overcome in the past, are now, and will remain so in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit: a) JavaScript obfuscation based on behavior-based fingerprinting, and b) JavaScript timelock puzzles. We will have live demos to show how these techniques easily defeat both automated AND manual detection.

At the very beginning of our talk, we will be giving out a page which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual JavaScript drive-by code contains a secret phrase. We will give an iPad to whoever in the audience is able to correctly deobfuscate the JavaScript and give out the secret phrase.

Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incident response efforts with organizations hit by Web malware injections, such as Google's Aurora incident. Based in Taiwan, co-speaker Wayne has been personally involved in such incident response efforts since the late 90's.

All source code related to the POC exploits against FaceBook, Google, Digg, LinkedIn, etc., as well as the source code of Drivesploit, will be released as open source at the conference.

Attendees will gain the following:

1. Understanding of drive-by downloads and associated terminology.

2. Information about various drive-by download infection vectors.

3. Appreciation of tools helpful for drive-by analysis, including Malzilla, SpiderMonkey, Rhino, Burp and Wepawet.

4. Understanding of why drive-by downloads are hard to analyze and detect: why antivirus fails, why behavior-based approaches fail, and why even manual efforts are difficult.

5. Familiarity with the Drivesploit framework and how it can be used to develop PoC drive-bys.

6. Knowledge of two new deadly techniques: behavior-based browser fingerprinting and JavaScript timelock puzzles.

7. Knowledge of how to implement the above two using Drivesploit to defeat both automated and manual drive-by analysis.

8. Knowledge of the available countermeasures to this threat.

Wayne Huang has extensive experience in the security industry and is a frequent speaker at security conferences including RSA (07, 10), SyScan (08, 09), OWASP (08, 09), Hacks in Taiwan (06, 07), WWW (03, 04), PHP (07) and DSN (04). He is the first author to achieve consecutive best paper nominations at the prestigious World Wide Web (WWW) Conferences (2003, 2004), and has co-authored the Web Application Security chapter of "Computer Security in the 21st Century" (Springer US, 2005). Wayne is a PhD candidate at the EE, NTU, and has received his BS and MS in CS from NCTU.

0box Analyzer: AfterDark Runtime Forensics for Automated Malware Analysis and Clustering

For antivirus vendors and malware researchers today, the challenge lies not in "obtaining" malware samples; they have too many already. What is needed is automated tools to speed up the analysis process. Many sandboxes exist for behavior profiling, but it still remains a challenge to handle anti-analysis techniques and to generate useful reports.

The problem with current tools is the monitoring mechanism: there is always a "sandbox" or some other type of monitoring mechanism that must be loaded BEFORE malware execution. This allows malware to detect whether such monitoring mechanisms exist, and to bail out, thus avoiding detection and analysis.

Here we release 0box, an AfterDark analyzer that loads AFTER malware execution. No matter how well a piece of malware hides itself, there will be runtime forensics data that can be analyzed to identify "traces" of a process trying to hide itself, for example evidence within the process module lists or discrepancies between kernel- and user-space data structures. Since analysis is done post mortem, it is very hard for malware to detect the analysis.

By using runtime forensics to extract evidence, we turn a piece of malware from its original binary space into a feature space, with each feature representing the existence or non-existence of a certain behavior (e.g., process table tampering, unpacking oneself, adding hooks, etc.). By running clustering algorithms in this space, we show that this technique is not only very effective and very fast at detecting malware, but is also very accurate at clustering the malware into existing malware families. Such clustering is helpful for deciding whether a piece of malware is just a variation or repacking of an existing malware family, or is a brand new find.

Using three case studies, we will demo 0box, compare 0box with recent talks at BlackHat and other security conferences, and explain how 0box is different and why it is very effective. 0box will be released at the conference as a free tool.

Wayne Huang has extensive experience in the security industry and is a frequent speaker at security conferences including RSA (07, 10), SyScan (08, 09), OWASP (08, 09), Hacks in Taiwan (06, 07), WWW (03, 04), PHP (07) and DSN (04). He is the first author to achieve consecutive best paper nominations at the prestigious World Wide Web (WWW) Conferences (2003, 2004), and has co-authored the Web Application Security chapter of "Computer Security in the 21st Century" (Springer US, 2005).

Wayne is a PhD candidate in the EE department at NTU, and received his BS and MS in CS from NCTU.

Jeremy Chiu (aka Birdman) has more than ten years of experience with host-based security, focusing on kernel technologies for both the Win32 and Linux platforms. In early 2001 he was investigated and subsequently held in prison by Taiwan's Criminal Investigation Bureau for creating Taiwan's first widespread trojan, BirdSPY. The court dropped the charges after Jeremy committed to allocate part of his future time to assisting Taiwan law enforcement in digital forensics and incident response. Jeremy specializes in rootkit/backdoor design. He has been contracted by military organizations to deliver military-grade implementations. Jeremy also specializes in reverse engineering and malware analysis, and has been contracted by law enforcement agencies to assist in forensics operations. Jeremy is a sought-after speaker for topics related to security, kernel programming, and object-oriented design; in addition to frequently speaking at security conferences, Jeremy is also a contract trainer for militaries, law enforcement agencies, intelligence organizations, and conferences such as SySCAN (09 08), Hacks in Taiwan (07 06 05), HTICA (06 08) and OWASP Asia (08 07). In 2005, Jeremy founded X-Solve Inc. and successfully developed forensics and anti-malware products. In July 2007, X-Solve was acquired by Armorize Technologies.

Exploiting Digital Cameras

In this talk we present how to reverse-engineer Canon PowerShot digital cameras and take control of most of them to exploit interesting security threats. We present a novel attack method that allows taking control of a digital camera through a compromised memory card. This is a realistic attack scenario, as using the card in unsecured PCs is a common practice among many users. This attack vector leaves users of digital cameras vulnerable to many threats, including privacy invasion and those targeting the camera storage (e.g., deletion and ransomware).

To implement the attack we abuse testing functionalities of the in-factory code. We will show how to analyze the code running in the camera's CPUs and find the parts relevant to the attack. We further show how to debug an emulated copy of the firmware in QEMU.

In contrast with firmware-modding projects like CHDK, our method doesn't require as much user interaction or firmware modification, and our techniques are mostly model-independent.

Finally, we show some proof-of-concept attacks launched from the camera against PCs.

Oren Isacson is an Exploit Writer and Researcher at Core Security Technologies. He has been interested in computer programming since an early age. He has been writing exploits, researching vulnerabilities, and researching exploitation methods for three years. He has written exploits for the Windows, Linux, AIX, Solaris, OpenBSD, and FreeBSD platforms. Previously, he worked as a security consultant doing penetration testing and writing security-related software.

Alfredo Ortega is a PhD candidate at ITBA (Instituto Tecnologico de Buenos Aires) and Exploit Writer at Core Security. His specialty is Unix exploit writing and low-level reverse engineering, winning contests like the Ekoparty Reverse & Go Immunity challenge, and speaking at several high-profile security conferences. You may remember him from such security research as "OpenBSD IPV6 remote exploit", "Smartphone insecurity" and "Bios rootkits II: Son of the rootkit".

Jackpotting Automated Teller Machines Redux

The presentation "Jackpotting Automated Teller Machines" was originally on the schedule at Black Hat USA 2009. Due to circumstances beyond my control, the talk was pulled at the last minute. The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks.

I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat.

The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.

Last year, there was one ATM; this year, I'm doubling down and bringing two new model ATMs from two major vendors. I will demonstrate both local and remote attacks, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

Barnaby Jack is the Director of Research at IOActive Labs, where he focuses on exploring new and emerging threats, and recommending areas in which to concentrate IOActive's research efforts.

Jack has over 10 years' experience in the security research space and previously held research positions at Juniper Networks, eEye Digital Security, and Foundstone. Over the course of his career, Jack has targeted everything from low-level Windows drivers to the exploitation of Automated Teller Machines. He has subsequently been credited with the discovery of numerous vulnerabilities, and has published multiple papers on new exploitation methods and techniques.

Black Ops Of Fundamental Defense: Web Edition

Let's be honest: Year in, year out, we keep finding the same bugs in the same places, and wondering: Why don't they learn? Why don't developers use these beautiful tools we provide them -- parameterized queries, XSRF tokens, X.509 certificates, and escapes in all their glorious forms? I will tell you: It is because these tools are not very good. And they are not very good, because their quality simply has not mattered. Security demands, devs implement, and if devs don't implement, security complains. And six months later, it's the same bugs, in the same places, by the same devs. It doesn't have to be this way. In this talk, I will discuss the theory that most classes of security flaws are actually symptoms of deeper causes. Furthermore, I will present attempts at addressing these causes. Specific areas of investigation will include potential answers to questions, specifically: 1) Why can't we keep code and data separate? 2) Why can't we log into web sites? 3) Why can't we authenticate across organizational boundaries? By answers, I mean code, and by code, I mean _a lot_ of code. I will not provide any assurances that the code is secure -- only extended peer review can do that -- but I want to show another way of doing things. This talk is going to be packed with live demos.

Dan Kaminsky is the Director of Penetration Testing at IOActive, where he specializes in design-level fault analysis, particularly against massive-scale network applications. Previously of Cisco and Avaya, Kaminsky has operated professionally in the security space for over ten years. He is well-known for his "Black Ops" series of talks at the well-respected Black Hat Briefings. He regularly collects detailed data on the health of the worldwide Internet, and has used this data to detect the worldwide proliferation of a major rootkit. Recently, he discovered a major flaw in the Internet's DNS infrastructure and worked with security engineers around the world, protecting countless organizations and individuals against this threat.

How I Met Your Girlfriend

How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.

This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via JavaScript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.

Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws).

In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail.

Powershell is as close to a programming language as we are going to get through a command line interface on Windows. The ability to perform almost any task we want through Windows is a huge benefit for systems administrators... and hackers. During this presentation we'll be releasing a new attack vector through Powershell that allows you to deliver whatever payload you want through Powershell in both a bind and reverse type scenario and drop any executable. In addition, we will also be releasing a brand spanking new Metasploit module that incorporates the new attack method. This presentation is focused on showing the security implications and concerns with Powershell and how we may be seeing a lot more attacks on something that has generally not been a focus for discussion. Powershell... omfg.

David Kennedy (ReL1K) is a security ninja who likes to write code, break things, and develop exploits when he has spare time. Heavily involved with BackTrack and the Social-Engineer Framework, David continues (and strives) to contribute to a variety of open-source projects. David has had the privilege of speaking at some of the nation's largest conferences, including Defcon and Shmoocon. David is the creator of the Social-Engineer Toolkit (SET), Fast-Track, and modules/attacks for Metasploit, and has (responsibly) released a number of public exploits, including attacks that affect some of the largest software vendors in the world. David heavily co-authored the Metasploit Unleashed course available online and has a number of security related white-papers in the field of exploitation. Currently David is a Director and Regional Security for an international multi-billion dollar Fortune 1000 organization and is in charge of ensuring that security is maintained in over 60 different countries. He has a team of highly skilled security professionals that ensure the organization's systems are protected against attack. Prior to his responsibilities at his current employer, David was a Partner and Vice President of a large information security consulting firm where he led a team of highly skilled and trained security professionals and performed thousands of penetration tests and security assessments across the world for a number of large Fortune 100, 500, and 1000 organizations. Lastly, David served as a United States Marine working directly for the intelligence community and deployed twice to Iraq in support of Operation Iraqi Freedom, where he was the youngest Marine to receive multiple awards in recognition of going above and beyond in his battalion. David also developed a number of highly technical and cutting edge systems for the Marine Corps that were utilized on missions across the world. Towards the end of his military career, David was an instructor for the intelligence community on security related programs.

Twitter: @dave_rel1k

Josh Kelley (Winfang) is an Enterprise Security Analyst for a Fortune 1000 company where his primary responsibilities are web application security, incident response, vulnerability management, and ensuring that the organization is protected against attack. Much of this is understanding the latest attack vectors and establishing a defense for a large international target. Josh has recently been working on exploit development and vulnerability research. Josh currently holds the SANS GSEC and GCIH certifications and is undergoing the Offensive Security Certified Professional certification.

Perspectives on Cyber Security and Cyber Warfare

With the current media hype about cyber threats and cyber warfare, Max Kelly - former CSO of Facebook - offers his perspective on the effects of internet militarization and its relationship to traditional security operations.

Max Kelly is a recognized thought leader in the security space. As CSO of Facebook, he founded, built, and managed the Facebook Security Team from 2005-2010. He was responsible for all aspects of Facebook Security, protecting hundreds of millions of users' personal information from attack. His prior experience includes the FBI, Ticketmaster, and Thomson Financial Services. Max is a co-founder of the Virtuosi Group, providers of targeted threat intelligence and analysis.

Hardware Black Magic: Designing Printed Circuit Boards

Two years ago we hacked some circuits. Last year we showed you how to build things with FPGAs. This year you're in for a real treat - we're going to pull it all together. Up until now you've been limited to demo kits and pre-made packages. You've bought your Arduino, your MSP430, your HCS08, and connected a bunch of nonsense to it to make really cool things - and we've seen some really cool things! Now it's time to learn another skill in the art of hardware black magic: printed circuit board design. It's time to make your own shields, your own kits, and your own neighborly belt buckles! Like last year, we're going to demystify the process for you and help you get on track to build your own boards!

This tutorial will go through the process of showing everybody exactly how easy PCB fabrication can be. Starting from an initial circuit design we will take you through all the steps needed to have that new device sitting in your hand. We'll explain all about data sheets, footprints, design rules, verification, taping out, why you need that cap between Vcc and Gnd, silkscreens, layers and much, much more. Several different software packages will be demonstrated to give the audience a wide spread of options to choose from. The audience will be encouraged to follow along as they like. For our use case we'll show you how to build the circuits from the DEFCON 17 badge starting from scratch. This should help those hacking the badge get a better idea of what they're working with. As those who have come to our talks before know, we will have lots of surprises to give away as always! Since we are running a workshop, you are encouraged to bring your own laptop. We will distribute VirtualBox images with all the software you need to follow along with us.

Dr. Fouad Kiamilev is a professor in the Department of Electrical and Computer Engineering at the University of Delaware, where he directs a group of pirates who call themselves CVORG (which stands for CMOS VLSI Optimization Research Group). Fouad's main mission is to train students to become successful participants in the 21st century global economy. Since 1997, he has advised 12 Ph.D. students and 16 M.S. students. His graduates are employed by leading academic and industrial organizations in the United States. Fouad's research group, CVORG, specializes in custom hardware design for special applications. As a hobby the group likes to tackle the security problems of today from a hardware perspective.

Corey 'c0re' Lange is a graduate student at UD. He works for Dr. K in the CVORG lab building circuit boards, test platforms, software patches and pretty much anything else that needs to be built. In his spare time, he tries to find new and exciting ways to spend his pittance of a graduate stipend on unnecessary (but extremely cool) electronic toys. To date, he has created many PCBs for various applications, from cryogenic testing to making electronics rock out to some music.

Stephen 'afterburn' Janansky is a Senior Computer Engineer at UD. He can usually be found in the lab flirting on the edge between hardware and software, killing routers and other electronics by the dozens (and then asking someone to resurrect them), and taking blinky lights to a new level. He is a member of CVORG, dreams of hardware security, and is one of the most energetic engineers you will ever meet.

Malware Migrating to Gaming Consoles: Embedded Devices, an AntiVirus-free Safe Hideout for Malware

A large portion of people who possess a Gaming Console or a Smartphone are downloading paid software illegally from the web or p2p.

Most of those people do not even give a second thought before installing the downloaded software, and merely just check that the application works. The sense of security here comes from the application's popularity (many people use it = safe) and the fact that the application is working as advertised with no noticeable problems (app is working = nothing is wrong).

The reason why people have this kind of false sense of security for Console Gaming systems or Mobile Devices is because they are not fully aware that malware can potentially bring the same devastating effects as PC malware, and no one has published a reliable way to inject malware into legitimate software.

However, the boundary between these devices and the PC is getting very thin due to the evolution of hardware, which makes these devices capable of bringing the same negative effects as PC malware. Also, most recent Gaming Consoles contain hardware to connect to the network, so an almost ideal environment is provided for malware to survive and perform its job.

For instance, you are playing your favorite game Guitar Hero and malware is silently running in the background attacking another PC in the network, stealing sensitive material, as well as luring people to fake sites collecting personal information. It is also possible to use the malware's capability to your advantage, and walk into a company that does not allow you to bring Smartphones or Laptops with a Nintendo DS, and use the NDS to connect to the corporate internal network.

These problems are not restricted to Gaming consoles or Smartphones but also extend to various other embedded devices. There are already TVs and Cars that have networking capabilities and have Android installed on them. The number of these kinds of devices will continue to grow.

In this presentation, we will show how these innocent devices can misbehave and pose a serious threat (in particular Wii, NDS, iPhone, and Android), and show a demo of malware in live action. We will also show some possible defenses against these kinds of attacks.

Ki-Chan Ahn is a student of Hanyang University. He is majoring in Electronics but has a high interest in security and computers in general. He has worked in penetration testing, as well as binary auditing. He also gave several lectures to companies and in seminars regarding Reverse Engineering. Twitter: @externalist

Dong-Joo Ha is a Security Researcher working in AhnLab, Inc. His main job is to analyze malware and vulnerabilities, and is interested in security threat research. He enjoys studying anything packet related and playing CTF events. Twitter: @ChakYi

Hardware Hacking for Software Guys

Hardware hacking is cool, but it can be daunting to software guys. Microcontrollers mix hardware and software, basically allowing software guys to do hardware in software. Lately several products have emerged that make it even easier for software guys to get hardware up and working.

Arduinos are relatively cheap, open source, all-in-one prototyping boards with a strong community behind them. All you need is a USB cable and the Arduino IDE (which is also open source). The Arduino language is easy to learn for anyone with even a basic knowledge of coding. Arduinos can be made into many different security devices including keyboard emulators, RFID readers/writers, combination lock brute forcing robots, magnetic stripe card emulators, and automated cell phone dialers. In a way, an Arduino is kind of like the hardware equivalent of scripting languages. They make development quick and are a good fit for many projects.

In this talk you'll see examples of projects built with Arduinos and information on how they were done. You'll also see some limitations of Arduinos and some alternatives to typical Arduinos. In the end you'll see that anyone can make really cool hardware, even without a degree in electrical engineering.

Dave King likes to break things. He holds a Bachelor's degree in Computer Science and a Master's degree in Information Assurance. Dave currently does penetration testing, code review, and spews opinions on how to improve security. In past lives Dave has taught at a local college, contributed to a book on PCI compliance, owned his own PCI approved scanning vendor, and was a web developer and system admin for an eCommerce company. After 10 years working mostly on the software side of hacking, Dave now finds himself spending his free time hacking hardware.

Training the Next Generation of Hardware Hackers -- Teaching Computer Organization and Assembly Language Hands-on with Embedded Systems

Hardware hacking can be lots of fun but can be very intimidating when getting started. Andrew Kongs and Dr. Gerald Kane wanted to spread the hardware hacking culture to others and saw incoming college engineering freshmen as the perfect crowd to indoctrinate. They developed a set of hardware and software tools to help their incoming students play with low-level software and embedded systems.

After sharing the tools with their student audience, they want to share the tools they built with everyone so that those interested can get their feet wet. Want to learn more about the nitty gritty of how microcontrollers and embedded systems tick (and how to break them) without diving in eyeballs deep? So do many people, and the guys from the University of Tulsa are here to help.

Andrew Kongs is an undergraduate at the University of Tulsa and spends time working on embedded systems and doing security research.

Dr. Gerald Kane is the Norberg Endowed Chairman in Electrical Engineering. He enjoys finding novel ways to teach material and does research with embedded systems and robotics.

DCFluX in: Moon-bouncer

This presentation will look at ways you can get critical data across the country during a wired infrastructure breakdown, including taking over satellites, low altitude wifi via weather balloons, and bouncing signals off the moon. We will also take a look at some other stuff you can blame us for as time permits.

Matt "DCFluX" Krick is Chief Engineer of New West Broadcasting Systems, Inc., Operators of broadcast stations KGMN-FM, KZKE-FM, KYET-AM and KKAX-LP. He has worked in the field of broadcasting since 1998, specializing in all aspects of broadcast engineering and video editing.

Like a Boss: Attacking JBoss

JBoss is an open source Java EE application server. Its default configuration provides several insecure defaults that an attacker can use to gather information, cause a denial of service, or even execute arbitrary code on the system.

Tyler Krpata is a principal security engineer for a SaaS company. He has previously worked in enterprise security in the retail and healthcare fields. When he was suspended from high school for "hacking," he had no idea he was starting a career.

Air Traffic Control Insecurity 2.0

This presentation will be a follow up to my "Air Traffic Control: Insecurity and ADS-B" talk last year. I will give a quick overview of what has changed since last year. I will cover a few insecurities today. How bad is your network when the FAA requires firewalls between critical flight systems and passengers surfing the web on the new 787 plane? I give a caution to all the executive jet owners that it will be much easier to track flights. As always, I want to open people's eyes to the insecurity of the ATC system.

Righter Kunkel (CISA, CISSP, CISM) is a security researcher. He is a private pilot with about 230 hours of flight time. Righter's background includes positions as global education manager and senior network security consultant at CyberGuard Corporation.

The Power of Chinese Security

If you visit China, I am sure you would like the Great Wall, however, if you surf the Internet in China, I am sure you hate the Great FireWall (GFW). How a firewall could "serve" over 3.8 billion Internet users in China is a readily interesting story for the globe.

In the presentation and seminar, we will quote case studies and discussions from various forums in China about how Internet censorship impacts them. In addition, we will present technical aspects and diagnosis of how censorship could be achieved on the Internet, in content filtering software and in instant messengers. Moreover, we will present some tools/software (China or non-China made) used to bypass Internet and content censorship.

This presentation is suitable for those who would like to do business/tours in China.

In Anthony's technical and work experience, he enjoys reverse engineering, exploitation, malware analysis and penetration testing. He began his DEFCON experience in 2007, and to be frank, people claim he is crazy! Anthony started an organized research group on reverse engineering, malware analysis and forensics in Hong Kong (people there love money instead of hardcore hacking techniques). Anthony is quite concerned about the impact of Internet censorship on our Chinese fellows in China, and he believes that as he comes from Hong Kong, it would be "advantageous" for him to discuss it openly. He has presented a reverse engineering dissection of Green Dam, which is a content filtering software in Hong Kong, and was widely reported by International and Chinese media.

Since the hacker community always supports freedom of information flow, which matches the spirit and philosophy of this presentation, it is fun for him to partner and present with two other researchers to make the presentation fruitful and internationalized.

Jake Appelbaum (aka ioerror) is an accomplished photographer, software hacker and world traveler. He works as a developer for The Tor Project and trains interested parties globally on how to effectively use and contribute to the Tor network. He is a founding member of the hacklab Noisebridge in San Francisco where he indulges his interests in magnetics, cryptography and consensus based governance. He was a driving force in the team behind the creation of the Cold Boot Attacks; winning both the Pwnie for Most Innovative Research award and the Usenix Security best student paper award in 2008. Additionally, he was part of the MD5 Collisions Inc. team that created a rogue CA certificate by using a cluster of 200 PS3s funded by the Swiss taxpayers. He is also an ethics enthusiast, a former pornographer and proud Vegan.

Jon Oberheide is currently at Scio Security, a security startup founded by Dug Song and himself. He is also wrapping up his PhD thesis at the University of Michigan, where he previously received a BS and MS in Computer Science. Jon has a passion for all things related to security, whether physical, code, or network. In his free time, he picks locks, audits code, analyzes protocols, writes exploits, and patches holes. He believes in monkeys.

Bypassing Smart-card Authentication and Blocking Debiting: Vulnerabilities in Atmel CryptoMemory-based Stored-value Systems

Atmel CryptoMemory based smart cards are deemed to be some of the most secure on the market, boasting a proprietary 64-bit mutual authentication protocol, attempts counter, encrypted checksums, anti-tearing counter measures, and more. Yet none of these features are useful when the system implementation is flawed.

Communications were sniffed, protocols were analyzed, configuration memory was dumped, and an elegant hardware man-in-the-middle attack was developed. From start to finish, we will show you how concepts learned from an introductory computer security class were used to bypass the security measures on a CryptoMemory-based stored value smart card laundry system, with suggestions on how things can improve.

Jonathan Lee is a Computer Engineering student from the University of British Columbia.

Neil Pahl is a recent graduate of the University of British Columbia in Electrical Engineering.

Blitzableiter - the Release

The talk presents a simple but effective approach for securing Rich Internet Application (RIA) content before using it. Focusing on Adobe Flash content, the security threats presented by Flash movies are discussed, as well as their inner workings that allow such attacks to happen. Some of those details will make you laugh, some will make you wince. Based on the properties discussed, the idea behind the defense approach will be presented, as well as the code implementing it and the results of using it in the real world.

After a year of development, we hope to release a working tool to the world, so you can apply the defense technique to your web browser.

Felix "FX" Lindner runs Recurity Labs, a security consulting and research company in Berlin, Germany. FX has over 11 years' experience in the computer industry, nine of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer sciences, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments. FX is well known in the computer security community and has presented his and Phenoelit's security research at Black Hat Briefings, CanSecWest, PacSec, DEF CON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics have included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.

These Aren't the Permissions You're Looking For

The rise of the robot revolution is among us. In the past year Android has stepped up to become a leader in the world of mobile platforms. As of early May the platform has surpassed the iPhone in market share at 28%. Third party trackers for the Android Market have reported upwards of 50,000 apps available now. The Android security model relies heavily on its sandboxed processes and requested application permissions. It survived the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means. We aim to explore novel techniques for attacks based around abuse of the permission system, both in performing operations sans appropriate permissions, as well as abusing granted permissions outside of their scope. We'll be demonstrating various ways to hijack input, steal sensitive information, and many other ways to break the rules put in place by our new robot overlords.

Anthony Lineberry is a security researcher from Los Angeles who has been active in the security community for many years, specializing in reverse engineering code, researching vulnerabilities, and advanced exploitation development. He has written an open source kernel from scratch, helped with the first iPhone jailbreak, and feels uncomfortable speaking in the 3rd person. Professionally his experience includes working as a security researcher for McAfee, NeuralIQ, and currently with Lookout. He has spoken previously at SCaLE and BlackHat EU/US.

David Richardson, Sr. is a Senior Software Engineer at Lookout Mobile Security. He writes security software for mobile phones including Android, Windows Mobile, BlackBerry and iPhone. He was the President of the University of Southern California ACM in 2008-2009 and received an award for "Outstanding Service In Computer Science" - whatever that means. His interests are primarily in Application Development and User Experience. In his free time he enjoys not knowing how to ride a bicycle.

Tim Wyatt is a software engineer whose 16-year career has focused on development of security products and products with critical security requirements. Most recently, this has led him to focus on security in the mobile space at Lookout Mobile Security. Prior to Lookout, Tim was a lead engineer for the Symantec (formerly Vontu) Network Data Loss Prevention Suite.


Multiplayer Metasploit: Tag-Team Penetration and Information Gathering

Sharing information in team penetration testing environments is frequently a challenge. There are a number of tools out there that allow wiki style submissions but any time that data needs to be used, it must be copied and pasted out of one form into another. Metasploit has a robust database with much of the data that a security professional may need to perform new tasks, as well as to check on the status of where the team is as a whole. This presentation will discuss how to share information using Metasploit, how to get data in and out of Metasploit remotely, and how to build and expand tools to automatically store new findings in the database. This presentation will have demonstrations using remote Nmap scanning as well as demonstrate how to write your own tools to manipulate Metasploit data.

Ryan Linn is an Information Security Engineer at SAS Institute and a columnist for . Ryan has a passion for making security knowledge accessible and in his free time enjoys extending and augmenting security tools and has contributed to popular open source security tools such as Metasploit and BeEF.


Repelling the Wily Insider

Working with more than 50 malicious backdoors written over the last 10 years we show how insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. These holes are often put in place for seemingly good reasons to facilitate easy debugging, make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. However, we'll consider what happens when insiders aren't so pure of heart, including logic bombs and backdoors that allow them to embezzle funds, steal private information, or exact revenge if they become disgruntled.

Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss obvious techniques defenders should employ, outline obvious techniques attackers will apply, and the theoretical limits of the problem. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with the head-to-head results of a face-off between modern static analysis and the best backdoors we've come across.

Matias Madou is a security researcher at Fortify's Security Research Group, which is responsible for building security knowledge into Fortify's products. His work focuses on developing new techniques to detect vulnerabilities. Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. During his Ph.D., he collaborated with top research and industry players in the field of program obfuscation.

Jacob West is Director of Security Research at Fortify Software where his team is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks and styles together with knowledge about how real-world systems can fail. Before joining Fortify, Jacob contributed to the development of MOPS, a static analysis tool used to discover security vulnerabilities in C programs. In 2007, he co-authored a book with colleague Brian Chess titled "Secure Programming with Static Analysis." When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.


App Attack: Surviving the Mobile Application Explosion

The mobile app revolution is upon us. Applications on your smartphone know more about you than anyone or anything else in the world. Apps know where you are, who you talk to, and what you're doing on the web; they have access to your financial accounts, can trigger charges to your phone bill, and much more. Have you ever wondered what smartphone apps are actually doing under the hood? We built the largest-ever mobile application security dataset to find out.

Mobile apps have grown tremendously both in numbers and capabilities over the past few years with hundreds of thousands of apps and billions of downloads. Such a wealth of data and functionality on each phone and a massive proliferation of apps that can access them are driving a new wave of security implications. Over the course of several months, we gathered both application binaries and meta-data about applications on the most popular smartphone platforms and built tools to analyze the data en masse. The results were surprising. Not only do users have very little insight into what happens in their apps, neither do the developers of the applications themselves.

In this talk we're going to share the results of our research, demonstrate a new class of mobile application vulnerability, show how we can quickly find out if anyone in the wild is exploiting it, and discuss the future of mobile application security and mobile malware.

Kevin Mahaffey is the CTO of Lookout, which he co-founded in 2007. He started programming when he was 8 years old and it has been a love affair ever since. When not at the office, Kevin can be found hacking in various coffee shops around San Francisco. Kevin is a frequent speaker on security, mobile, and other topics, having recently spoken at Blackhat, Defcon, Yahoo Security Week, and Microsoft's Bluehat Conference. Kevin studied Electrical Engineering at the University of Southern California and enjoys photography, snowboarding, unit tests, clean code, and building things that make people happy.

John Hering, co-founder of Lookout Mobile Security, specializes in mobile security research and development with a focus on intelligence and emerging threats. Past projects include the "BlueSniper" project, which resulted in a world-record-setting attack of a Bluetooth-enabled mobile device from a distance of over 1.12 miles. John has presented at leading security conferences such as Black Hat and DEFCON and his research has been featured in major publications such as The New York Times, Wired Magazine, and The Wall Street Journal. John studied Policy, Planning, and Development at the University of Southern California and has extensive experience with information security, policy, and wireless communications technologies.


Changing Threats To Privacy: From TIA To Google

A lot has changed since discussions around digital privacy began. The security community won the war for strong cryptography, anonymous darknets have been successfully deployed, and much of the communications infrastructure has been decentralized. These strategies were carefully conceived while planning for the most dystopian visions of the future imaginable, and yet somehow they've fallen short of delivering us from the most pernicious privacy threats today. Rather than a centralized state-backed database of all our movements, modern threats to privacy have become something much more subtle, and perhaps all the more sinister. This talk will explore these evolving trends and discuss some interesting solutions in the works.

Moxie Marlinspike is a fellow at the Institute For Disruptive Studies with over thirteen years of experience in attacking networks. He recently published the null-prefix attacks on X.509, the session-denial attacks against OCSP, and is the author of both sslsniff and sslstrip -- the former of which was used by the MD5 Hash Collision team to deploy their rogue CA cert, and the latter of which continues to implement Moxie's deadly "stripping" technique for rendering communication insecure. His tools have been featured in many publications including Hacking Exposed, Forbes Magazine, The Wall Street Journal, the New York Times, and Security Focus as well as on international TV.


Facial Recognition: Facts, Fiction, and Fsck-ups

Facial Recognition sucks. But it's getting better. Big brother is watching, and he is interested in what you do, where you go, and who you talk to. Whether it's Deep Packet Inspection, or Facial Recognition, the idea of personalization as applied to privacy invasion is a fascinating and cogent issue.

Governments are using it to locate fugitives with fake IDs in the DMV database. DHS-like agencies, the world over, are starting to use it to find terrorists flying in or out of their country. Police departments can identify criminals from street-side video surveillance cameras. When will you be added to a list? And what ramifications will that have on your life?

Learn how good Facial Recognition is, common ways to defeat it, and where the science of Finding Waldo in a crowd is going.

Joshua Marpet is a Security Solutions Specialist at WhiteHat Security, providing strategic guidance to WhiteHat customers and prospects on their website risk management programs. Additionally, he strives to educate the market-at-large about the need for effective website security.

Mr. Marpet is a popular speaker at industry events including Black Hat and Bsides, and has served as an adjunct professor of computer science at St. Johns University's Tobin College of Business. He is currently writing a textbook about Physical Security in a Networked World.

Prior to WhiteHat, Joshua worked as an information security consultant focused on penetration testing, auditing and forensics. Early in his career, he worked in law enforcement. He was later able to combine those skills with his interest in technology to create security systems for the airline, gaming, and prison industries. Mr. Marpet earned a bachelor's degree in psychology from Fairleigh Dickinson University.

His industry certifications include C|EH (Certified Ethical Hacker), from ISC(2), as well as the ever-popular Application Security Specialist.

Twitter: @quadlingdageek


Searching for Malware: A Review of Attackers’ Use of Search Engines to Lure Victims

For many people, the first page they visit online is a search engine; in fact, in the US alone more than 14 billion searches per month happen on Google, Yahoo! and Bing. These searches are then siphoned into thousands of popular search terms that are ripe for attackers to exploit. Attackers understand the number of eyeballs and browsers that are at stake and have targeted their attacks against popular search engine results in order to reach the broadest audience possible. For the past five months, Barracuda Labs has been observing and measuring attackers’ use of search engine results to host malware or redirect users to malicious sites, collecting data multiple times a day and checking for malicious content around the clock across Google, Yahoo!, Bing and Twitter. In this talk, we reveal statistical data about the search engines and terms that were most targeted. We will highlight key attacker trends, and examine the ability of traditional security approaches like anti-virus and URL filters to react to the rapid movements by the SEO poisoning attacks.

Dave Maynor is a research scientist with Barracuda Labs. He is also co-founder and CTO of Errata Security. Prior to founding Errata Security, he has held positions for both security vendors and organizations in industries such as education and media. Maynor contributes heavily to the ProtoDev program with both proof-of-concept software and newly discovered vulnerabilities. He is an author and sought-after speaker delivering cutting-edge research talks to audiences at conferences including Blackhat, Defcon, ToorCon, Microsoft's Bluehat and CanSecWest. Maynor has been quoted in technology articles for international news outlets such as The New York Times, CNN and the Fox News Channel. As an author, Maynor has several books to his credit on information security and regularly contributes to Dark Reading, a leading information security news outlet.

Dr. Paul Q. Judge serves as chief research officer and vice president of cloud services at Barracuda Networks. In this role, he leads the Barracuda Labs threat intelligence team and is responsible for application security, Web threat, intrusion and anti-spam intelligence for over 100,000 appliances deployed worldwide. He was co-founder and chief technology officer at Purewire, a Web security SaaS vendor acquired by Barracuda Networks in October 2009. Previously he served as chief technology officer of CipherTrust and Secure Computing. Dr. Judge is a recognized authority on Internet security, having won numerous honors including InfoWorld Top 25 CTOs, Atlanta Power 30 under 30 and MIT Technology Review Magazine's 100 Top Innovators under 35. He regularly presents at leading conferences and is quoted by national business and technology trade press, and has been awarded 10 patents and has over 20 patents pending. Dr. Judge earned a Ph.D. in Computer Science from Georgia Tech.


Hacking .NET Applications at Runtime: A Dynamic Attack

What do you do when you get inside of a .Net program? This presentation will demonstrate taking full advantage of the .Net world from the inside. Once inside of a program don't just put in a key-logger, remold it! I will present how to infiltrate, evaluate, subvert, combine, and edit .Net applications at runtime. The techniques demonstrated will focus on the modification of core logic in protected .Net programs.

This will make almost every aspect of a target program susceptible to evaluation and change; and allow such hacks as the ability to intermix your favorite applications into a new Frankenstein App, compromise program level security, reverse engineer from memory, modify events, edit the GUI, hunt malware, get the code behind a button, and/or subvert program locks. Demo implementation and tools will be released.

The coding techniques presented will be applicable well beyond compromising the security of a running program. These techniques will grant programmers a new level of access and control over any .Net code, as well as granting the ability to use and integrate with most any .Net application, creating a development path to test and build 3rd-party patches within .Net.

Jon McCoy has been working in .NET since v1.1. He enjoys bending the rules and finding different and new ways to utilize .Net.

He is a software engineer, both self-taught and classically trained. He spent more than 10 years programming C++, but has focused on C# (.NET) for the last 7 years.


You Spent All That Money And You Still Got Owned...

This talk will focus on practical methods of identifying and bypassing enterprise class security solutions such as Load Balancers, both Network and Host-based Intrusion Prevention Systems (IPSs), Managed Anti-Virus, Web Application Firewalls (WAFs), and Network Access Control Solutions (NAC).

Joe has 8 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught the CISSP, CEH, CHFI, and Web Application Security at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), and several other technical training centers across the country.


A ChaosVPN for Playing Capture The Flag

ChaosVPN - the American name is AgoraLink - is a tinc based, fully meshed VPN to connect hackerspaces and other hacker related networks for fun, sharing, learning and competition with each other.

Its purpose is to provide a trusted, private and secure network with high bandwidth, low latency, without single points of failure. The first intended usage of the network was VoIP, but it has become used for lots of different purposes - whatever works on IPv4 and/or IPv6 works on ChaosVPN. This includes our own root zone .hack. Most major Hackerspaces in Europe and America are now connected via the ChaosVPN.

To play CTF contests we decided to build a separate incarnation of this network called warzone. This network is to compete, play and learn in an isolated environment without harming anyone. We host CTF hacking contests and challenges on the network. Critical thinking, source code analysis, reverse engineering and a good understanding of networks are the abilities honed in this environment.

The talk will show the direction ChaosVPN / AgoraLink took and explain some decision points. We will show how it is built, what it does and how to integrate it in your hacker gathering space.

And then we will show how this network can be used to play CTF Games and have some fun.

has organized capture the flag contests in university and Chaos Communication Congress environments several times. He is a member of CCC Hamburg and believes that a good and secure private network among hackers is a deeply needed thing. He can sometimes be seen on cons and camps on both sides of the pond chilling around and talking too loud to people.

ryd Jens Muecke did the coding job. He wrote one service for the CTF at Hackers at Random (HAR) Camp in the Netherlands and is one of the authors of the chaosvpn software. He gave a talk at 24c3, toorcamp and some other conferences. He believes in hackerspaces to play CTF and has his home in CCC Hamburg.

vyrus Vyrus is a relatively amoral psychological degenerate whose pastimes include emotionally scarring small children and zealot information security corporate evangelists. A trained professional procrastinator, bad corporate citizen, psychotropic substance abuser, and sexual deviant, Vyrus enjoys pelting government agents with annoying questions about classified projects, and occasionally embarking on wacky programming time wasters such as oCTF, TwatFS, MockingBird, Skynet, Barcode shmarcode, and miscellaneous projects with DC949 and others.

no_maam Erik Tews was born in Germany. He moved to Darmstadt in 2003 where he studied computer science with a minor in Math and Law at Technische Universitat Darmstadt until 2007. He is now a PhD student with a focus on applied cryptanalysis of mostly symmetric crypto algorithms and on wireless protocols. He also works at Technische Universitat Darmstadt as a research assistant and as a system administrator. In his free time, he can be seen at a lot of conferences of the Chaos Computer Club in Germany.


Cyberterrorism and the Security of the National Drinking Water Infrastructure

The national drinking water infrastructure is vitally important to protection of public health and safety and also supports business, industry, and the national economy. While steps have been taken since 9/11 to identify and mitigate vulnerabilities in the drinking water infrastructure, serious vulnerabilities remain. In this talk, the presenter will discuss and review the challenges of physical and cyber security for the national public drinking water infrastructure and provide his observations, based on 13 years running a local water department and 5 years in IT, on the existing security gaps and what should be done about them. Part of this talk will be based on a talk he gave at the American Water Works Association (AWWA) Water Security Congress in April, 2009 in Washington, DC about a strategic weakness of the national infrastructure. He will also review the state of cyber insecurity of the drinking water infrastructure, the threats currently known to their SCADA systems, and the potential threats and countermeasures that should be considered.

John McNabb has been an elected Water Commissioner for 13 years in a small town in Massachusetts, and has been concerned about physical and cyber security of water systems even before 9/11. He also worked for 10 years in the New England office of Clean Water Action and 6 years at the Massachusetts Department of Environmental Protection. He has been interested in computers since a very early age, and after varying lengths of time in non-IT careers including politics, lobbying, government relations, journalism, public relations, and waterworks management, now works as an IT pro, sometimes in IT security. John gave a talk at The Next HOPE two weeks ago on Electronic Take Back.


We Don't Need No Stinkin' Badges: Hacking Electronic Door Access Controllers

In the security world, attacker physical access often means game over - so what happens if you can't trust your building's electronic door system? This presentation and paper explore attack surfaces and exploitation vectors in a major vendor of electronic door access controllers (EDAC).

The main focus is on time-constrained rapid analysis and bug-hunting methodologies, while covering research techniques that assist in locating and targeting EDAC systems. In addition, a review of practical countermeasures and potential research activities in the EDAC space are covered.

Attendees can expect an eye-opening experience regarding insecurities of critical systems controlling physical access to hospitals, schools, fire stations, businesses and other facilities.

Shawn Merdinger is an independent security researcher based in the USA. In former corporate lives he worked with Cisco Systems' STAT (Security Technologies Assessment Team) and TippingPoint. His current security interests include VoIP, medical devices and embedded systems. Merdinger is a technical editor for Cisco Press and Pearson Publishing and has presented at security conferences such as ShmooCon, Hack-in-the-Box, O'Reilly, CSI, NoConName, IT Underground, CONfidence and SecurityOpus.


Securing MMOs: A Security Professional's View From the Inside

Gold farmers. Cheaters. Beleaguered programmers. All ingredients in a recipe for an unstable, fun-sapping game.

Closely following the model of "Brief Title: Long, Boring Description," Securing MMOs: A Security Professional's View From the Inside will give attendees a look at the security problems plaguing the MMO industry and how modern engineers are taking the fight to cheaters and hackers in MMOs.

metr0 is currently a Senior Software Engineer with Bioware Mythic in Fairfax, VA. As a member of computer security group Kenshoto, he has hosted four Defcon CTF competitions and frustrated thousands of hackers with unnecessarily evil challenges. For the last four years, he has written subversive software and has recently moved into the gaming industry.


Letting the Air Out of Tire Pressure Monitoring Systems

Since 2008 every new car sold in the US requires some type of Tire Pressure Monitoring System to be installed. The most popular uses simple unencrypted RF communications to relay the tire pressure information back to the car ECU. This talk goes over the basic history, implementation, and most importantly the unforeseen issues with privacy and subversion of TPM systems.

Mike Metzger is a technology consultant offering network, security, virtualization, and programming services for his company Flexible Creations. He has spent the past 14 years in networking and security working for various companies dealing with firewall, IDS/IPS, DLP, network storage, etc. Lately he has become much more involved with physical computing & fabrication and is a member of the Dallas Makerspace and a founder of the Dallas area Embedded Workshop group.


Kim Jong-il and Me: How to Build a Cyber Army to Defeat the U.S.

Think you might ever be "asked" by a dictator of an Axis of Evil country to take down the USA in a cyberwar? Ever wonder how someone who finds vulnerabilities and breaks into computers for a living would approach cyberwar, i.e. not Richard Clarke? Then this is the talk for you! In this talk, I outline how to construct a cyber army to attack a developed country, based on my experience as a penetration tester and security researcher. This will highlight anticipated costs, resources needed, roles of individuals, and numbers of people needed, as well as tactics and strategies to use. It will also outline time required to get the unit operational as well as timeframes to achieve particular objectives. That's right, the USA is going down!

Charlie Miller is currently Principal Analyst at Independent Security Evaluators. He was the first with a public remote exploit for both the iPhone and the G1 Android phone. He won the CanSecWest Pwn2Own competition for the last three years. Popular Mechanics listed him as a Top 10 Hacker of 2008 and he is on the list of 2010 Security Superstars by Channel Web. He has authored two information security books and holds a PhD from the University of Notre Dame.


HD Voice - The Overdue Revolution

After kicking around on the back shelf for years, HD voice is finally gaining traction both in the broadband world and the cellular one. And the French are leading the way!

The audio standards for a POTS (Plain Old Telephone System) call have been frozen since about 1937. Since then, modern society has had FM radio, Dolby Sound, TV, HDTV, cell phones, satellite broadcast, the Internet, fiber optics, but no improvement to a stock voice phone call.

Information will include more precisely defining WTF HD voice is, where it is taking place around the globe, the emerging War of the Codecs, mobile vs broadband, enterprise vs consumer, the goodness of HD voice over POTS, and whatever other questions come up from the audience.

Tuned into the HD communications space as Editor-in-Chief of HD Voice News, Doug Mohney has clocked over 20 years in the ICT arena between working in real-world businesses and writing about them.

He has contributed to a diverse group of publications over the past dozen years, covering telecommunications, wireless and spectrum issues, the Internet, and online video. Most recently, he served as Editor in Chief of the Telecom and Digital Media Group at an online publication and Editor-in-Chief at VON Magazine (the pulvermedia incarnation).

Doug's hands-on/real-world experience includes stints at two high-tech start-up companies. Joining DIGEX as employee number 10 in 1993, he had a ring-side seat to the trials and tribulations of a fast-growing, VC-funded startup during the boom growth years of the Internet. He can be reached at


Getting Social with the Smart Grid

Littered with endless threats and vulnerabilities surrounding both social networking and the Smart Grid, the marriage of these two technologies is official, despite protests by the security community. Consumers love it because they can brag to their friends about how green they are. Businesses love it more because it provides fresh material for their marketing departments. Hackers love it the most because it opens up attack vectors, both new and old. During this presentation we dissect readily available social Smart Devices, examining where they get things right, and where they fail. We expand on the failures, discussing and demonstrating attacks against consumers (think, the Smart Devices themselves, and the social networking sites they communicate with. We want consumers, device manufacturers, and social networking sites to understand how to get social with the Smart Grid securely, and prevent social networking privacy from becoming even more complex. The tools we release during this presentation will allow consumers to review their Smart Devices' social footprint, and provide device manufacturers with recommendations that can be implemented immediately. Attendees will leave our presentation armed with a deep understanding of the strengths and weaknesses of social Smart Devices, how to attack their current weaknesses and leverage their current strengths, and utilize our tools to further research how we all can better secure the social side of the Smart Grid.

Justin Morehouse leads the assessment team at one of the nation's largest retailers. He's released several security tools including PassiveRecon, while his most recent tool, GuestStealer, was released at ShmooCon 2010. Justin holds a M.S. in Information Assurance, is an adjunct college professor, and leads the OWASP Tampa chapter.

Tony Flick is a Principal with Tampa-based FYRM Associates. He's presented at Black Hat, DEF CON, ShmooCon and OWASP conferences. Additionally, Tony has been recognized as a security subject matter expert and utilized by such media outlets as the Associated Press, SC Magazine, Dark Reading, and eWeek.


Defcon Security Jam III: Now in 3-D?

They say the third time is the charm. Some of the biggest mouths in Information Security are back again and, once again, we will show you all-new security FAIL. Our panelists will demonstrate innovative hacking techniques in naked routing, web application (in)security, and wireless goats. After taking a sabbatical year, we are also proud to announce that Chris "Squirrel" Hoff will be keeping the rest of us honest with his real-time snarkage. Speaking of real time, moderator David Mortman will be making waffles (and maybe pizzelles) on stage as rewards for best comments, questions and shared fail.

David Mortman runs Operations and Security for C3, LLC. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and is leading up Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist and speaker at RSA 2007-2009, InfoSecurity 2003, Blackhat 2004-2009, Defcon 2005-2009 and Information Security Decisions 2007 and 2008 as well. Mr. Mortman sits on a variety of advisory boards including Qualys, Applied Identity and Reflective amongst others. He holds a BS in Chemistry from the University of Chicago.

Rich Mogull has twenty years' experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team where he also served as research co-chair for the Gartner Security Summit. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS, a monthly columnist for Dark Reading, and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).

Prior to his technology career, Rich also worked as a security director for major events such as football games and concerts. He was a bouncer at the age of 19, weighing about 135 lbs (wet). Rich has worked or volunteered as a paramedic, firefighter, and ski patroller at a major resort (on a snowboard); and spent over a decade with Rocky Mountain Rescue. He currently serves as a responder on a federal disaster medicine and terrorism response team, where he mostly drives a truck and lifts heavy objects. He has a black belt, but does not play golf. Rich can be reached at rmogull (at) securosis (dot) com.

Chris Hoff has over 19 years of experience in high-profile global roles in network and information security architecture, engineering, operations, product management and marketing with a passion for virtualization and all things Cloud.

Hoff is currently Director of Cloud and Virtualization Solutions of the Security Technology Business Unit at Cisco Systems. Prior to Cisco, he was Unisys Corporation's Systems & Technology Division's Chief Security Architect. Additionally, he served as Crossbeam Systems' Chief Security Strategist, was the Chief Information Security Officer for a $25 billion financial services company, and was founder/Chief Technology Officer of a national security consultancy. Hoff regularly speaks at high-profile conferences, is interviewed regularly by the media, is a featured guest on numerous podcasts, and blogs at
Hoff is a CISSP, CISA, CISM and NSA IAM. He was twice nominated as the Information Security Executive of the Year and won the Security 7 award in Financial Services in 2005.

Dave Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent three years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable. Before that Maynor contracted with a variety of different companies in a wide range of industries, from digital TV development to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs.

Larry Pesce is the Manager for Information Services Security, Disaster Recovery at a mid-sized healthcare organization in New England. Larry is also gainfully employed as a Penetration Tester / Ethical Hacker with PaulDotCom Enterprises, and leads the research efforts in many areas, including projects such as "Evil" USB thumb drives, hiding rogue access points, and tinkering with wireless, RFID, Cellular SIM cards and metadata. Larry co-authored "Linksys WRT54G Ultimate Hacking" and was a contributing author to "How to Cheat at Configuring Open Source Security Tools" and "Wireshark and Ethereal" from Syngress Publishing. In addition to his industry experience, Larry is also a Security Evangelist and co-host for the PaulDotCom Security Weekly podcast at

return to top

Wardriving the Smart Grid: Practical Approaches to Attacking Utility Packet Radios

If you haven't just emerged from a coma, you probably have some idea of the multifaceted attack surface that the inevitable modernization of power transmission and distribution is rapidly introducing.

What you may *not* be thinking about just yet, though, is the path much of that attack surface travels on... the air around you.

Our talk gives a crash course in the brain-melting number of wireless Smart Grid radio implementations very quickly popping up all around us (some built on actual standards, some snuggled in the comforting blanket of proprietary obscurity) and describes our own experience in reverse engineering Smart Grid radio stacks, and how it's possible to gnaw one's way through to the soft, squishy SCADA underbelly, invariably hiding just below the surface.

Along the way, we'll take a hard look at the future landscape of theft of service, point out some larger threats, and try to find a realistic middle ground between the "we're doomed" and the "let's all put our toasters on the Internet" camps in what ultimately is (warts and all) a natural and inevitable step forward.

Shawn Moyer spent four years at the Cleveland School of Metaphysics, where he met with such great success in his ontology research that the school, provably, no longer exists.

Following that, Shawn studied business writing with Dr. Lazlo Toth, producing a groundbreaking work linking colon frequency in email correspondence in the plastics industry to a rise in factory floor accidents.

Today, Shawn works as a Principal Consultant with FishNet Security's assessment team, helping customers transform critical infrastructure vulnerabilities into PDF documents.

Nathan Keltner, widely held to be the finest Nathan Keltner of his generation, once lifted a Volkswagen Jetta above his head for over thirty seconds while reciting a passage from Finnegan's Wake.

Though born without the capacity to see the color amber, he nonetheless developed a keen interest in technology at a young age, compensating for his disability by learning to identify the position of his PC's "turbo" button by feel alone.

Nathan is a Security Consultant with FishNet Security's assessment team as well as a regular contributor to the Metasploit project, and finds Ruby's lack of indentation rules quite liberating, actually.

return to top

Open Source Framework for Advanced Intrusion Detection Solutions

Razorback is the result of extensive research by members of the Sourcefire Vulnerability Research Team into developing a platform to address advanced detection problems. The level of sophistication currently demonstrated both by actors described as the 'Advanced Persistent Threat' (APT) and publicly available exploit frameworks such as Metasploit, CANVAS and Core Impact leave increasingly fewer options to provide robust detection. This project is designed to provide enterprise defense teams with a framework for developing the kinds of detection necessary to combat these threats.

A complicating factor in high-CPU-cost detection is the desire of organizations to have low-latency analysis at wire speed. While components of the Razorback system will be able to block first-strike attacks prior to delivery, some detection solutions will cause sufficient latency as to make this impossible. One of the key points of the system is to accept that some solutions require trading real-time blocking for high-accuracy detection.

The Razorback Framework addresses these issues by providing a core infrastructure that matches declared data types to the individual capabilities of various detection systems. By providing an open, documented API, arbitrary data sources can be paired with one or more arbitrary detection systems to provide detection solutions that would otherwise be impossible due to limited data access or restriction on system resources.

This talk will discuss the concepts, design, and architecture of the Razorback Framework as well as introduce several modules for performing advanced inspection, detection, and alerting of network events. Additionally, the capability to update network defense mechanisms based upon these events will be demonstrated. The current implementation of the framework uses a stripped-down version of snort as a data collector, but any data collection engine could be used, including server-based modules designed to work with squid, procmail, or any other proxy or server.

At the conclusion of this discussion, participants will have the knowledge required to install and configure the framework and existing modules and have enough information about the design and philosophy of the framework to begin development on new, custom modules necessary to fill their needs.
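The routing model described above (declared data types matched to detector capabilities, with real-time blocking traded against slower high-accuracy inspection) can be shown in a few dozen lines. The following is an added illustration written for this page, not Razorback's own code or API: the class and function names (Dispatcher, Detector, DataBlock, register, submit, run_deferred) are this example's own, the two PDF detectors are toy keyword checks, the payloads are constructed, and "snort" and "squid" appear only as collector labels borrowed from the abstract.

```python
"""Type-matched detection dispatcher in the style the Razorback abstract
describes.  Added illustration, not Razorback's code or API: collectors submit
data blocks with a declared type, detectors register the types they inspect,
the core routes each block to every matching detector, and detectors too slow
for inline blocking run later from a deferred queue."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class DataBlock:
    data_type: str   # type declared by the collector, e.g. "PDF"
    source: str      # collector name; "snort" and "squid" below are just labels
    payload: bytes


@dataclass
class Alert:
    detector: str
    data_type: str
    source: str
    message: str


@dataclass
class Detector:
    name: str
    data_types: Tuple[str, ...]
    inspect: Callable[[DataBlock], List[str]]  # returns a list of findings
    inline: bool   # True: cheap enough for the wire-speed path, may block


class Dispatcher:
    def __init__(self) -> None:
        self._by_type: Dict[str, List[Detector]] = {}
        self._deferred: List[Tuple[DataBlock, Detector]] = []
        self.alerts: List[Alert] = []

    def register(self, det: Detector) -> None:
        for t in det.data_types:
            self._by_type.setdefault(t, []).append(det)

    def submit(self, block: DataBlock) -> bool:
        """Route one block.  Inline detectors run now and may block delivery;
        the rest are queued so they never add latency to the hot path."""
        block_it = False
        for det in self._by_type.get(block.data_type, []):
            if det.inline:
                block_it |= self._run(block, det) > 0
            else:
                self._deferred.append((block, det))
        return block_it

    def run_deferred(self) -> int:
        """Run the expensive detectors off the hot path; returns alerts raised."""
        raised = 0
        while self._deferred:
            block, det = self._deferred.pop(0)
            raised += self._run(block, det)
        return raised

    def _run(self, block: DataBlock, det: Detector) -> int:
        findings = det.inspect(block)
        for f in findings:
            self.alerts.append(Alert(det.name, block.data_type, block.source, f))
        return len(findings)


# Sample detectors for one declared type.  A real module would parse the
# object tree; keyword hits are enough to show the routing.
def pdf_header_check(block: DataBlock) -> List[str]:
    return [] if block.payload.startswith(b"%PDF-") else ["declared PDF lacks %PDF- header"]


def pdf_active_content(block: DataBlock) -> List[str]:
    keys = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")
    return ["active-content keyword %s" % k.decode() for k in keys if k in block.payload]


def build_dispatcher() -> Dispatcher:
    d = Dispatcher()
    d.register(Detector("pdf-header", ("PDF",), pdf_header_check, inline=True))
    d.register(Detector("pdf-active", ("PDF",), pdf_active_content, inline=False))
    return d


# Constructed payloads: a PDF carrying script hooks, and non-PDF bytes labelled as PDF.
REAL_PDF = b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R /JS (app.alert(1)) >> endobj"
FAKE_PDF = b"MZ\x90\x00 this is not a PDF at all"


def demo() -> Dict[str, int]:
    d = build_dispatcher()
    blocked_fake = d.submit(DataBlock("PDF", "squid", FAKE_PDF))
    blocked_real = d.submit(DataBlock("PDF", "snort", REAL_PDF))
    deferred = d.run_deferred()
    return {"blocked_fake": int(blocked_fake), "blocked_real": int(blocked_real),
            "deferred_alerts": deferred, "total_alerts": len(d.alerts)}


if __name__ == "__main__":
    print(demo())
```

The point of the split is in submit(): only detectors flagged inline get a vote on blocking, so the mislabelled block is stopped at once by the cheap header check, while the script-hook findings on the real PDF arrive only after run_deferred(), which is exactly the "high-accuracy detection without real-time blocking" trade the abstract describes.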

Patrick Mullen has fourteen years of computer industry experience with the past twelve years focused on information and network security. He was an early major contributor for the snort open source intrusion detection system and has contributed to several other open source security projects.

Patrick is currently Principal Research Engineer with the Sourcefire Vulnerability Research Team (VRT). In this role he is responsible for researching vulnerabilities and developing advanced detection algorithms for security issues. Patrick is also the team lead for C-based detection capabilities within Snort. Prior to joining Sourcefire, Patrick spent six years as a security consultant where he analyzed application, system, and network security, providing a holistic view into security requirements and recommendations for Fortune 500 enterprises.

Ryan Pentney was born in Montreal, Canada. He studied Computer Science at Concordia University and later went on to join Sourcefire in 2008 as part of the Vulnerability Research Team. His primary responsibilities involve vulnerability analysis/discovery, snort rule-writing and reverse-engineering. Most recently he has taught Sourcefire's Fundamentals of Exploit Development class and been heavily involved in the development of the Razorback Framework near-real-time detection project. His areas of interest include software exploitation, intrusion prevention research and formal languages.

return to top

The Games We Play

An in-depth forensic analysis of video games and the systems they're played on, with the goal of identifying the types of information useful to a forensic investigation, as well as any other bits of personal information these systems hold.

Brandon Nesbit is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. Brandon has 9 years experience in information security and has done security research in the area of computer memory artifacts, and network forensics. Prior to joining SpiderLabs, Brandon was part of Trustwave's Compliance Services Team where he helped Fortune 500 clients with their Security Architectures and compliance initiatives for Payment Card Industry Data Security Standard compliance.


return to top

FPGA Bitstream Reverse Engineering

FPGAs have been a hot topic at the last few Defcons, but we have not seen much talk of hacking FPGAs. In this talk, we present two tools: one to decompile bitstreams into netlists, and one to decompile netlists into Verilog code. For those not familiar with FPGA internals, we will discuss how they work and their bitstream formats. It is highly recommended that attendees know at least some digital electronics/logic design basics.

Lang Nguyen wanted to design spacecraft as a kid in Ukraine, but got sidetracked growing up. His first real programming experience was writing demos for the NES emulator in 6502 assembly. He thus got hooked on low-level hacking, electronics, reverse engineering, and the intersection thereof. His projects have included reverse engineering the bytecode format used in obscure BASIC compilers, a homegrown method for drawing surface-mount PCBs, and a fast PDF reader for the iPhone. The last few months he spent playing with FPGAs. He is now attending UCLA as a CS&E major.

return to top

Antique Exploitation (aka Terminator 3: Point One One for Workgroups)

Just as the Terminator travels back from the future to assassinate John Connor using futuristic weaponry, we will travel a couple decades back in time to attack a computing platform that threatens the future of Skynet: Windows 3.11 for Workgroups! Come enjoy the hilarity that ensues when applying modern attack tools and exploitation techniques to an operating system that is approaching its 20th birthday yet EOL'ed only two years ago. We'll be presenting a number of 0-days for applications that are over 6000 days old and poppin' 16-bit calculators all over the place!

Jon Oberheide is the CTO of Scio Security, an Ann Arbor-based startup. He previously attended the University of Michigan for a BS, MS, and PhD in Computer Science and has held positions at Merit Networks and Arbor Networks. Jon has presented at a wide range of academic, industry, and hacker security conferences.

return to top

ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically

This is a new method to speed up the binary diffing process. Most of the time spent analyzing security patches goes into finding the patched parts of the binary. In some cases one patch contains multiple fixes and feature updates, and these mixed patches make the analysis difficult and time consuming. That's where our new security patch recognition technology kicks in. We present general signature-based security patch recognition, and also a method that combines it with static taint analysis. With both methods implemented, we are presenting the new DarunGrim 3 at this year's Defcon. It'll be a must-have tool for security researchers looking for free 1-day exploits.
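To make the "find the patched parts, then recognise which of them are security fixes" idea concrete, here is an added example written for this page, not DarunGrim's code. Real tooling works on disassembly from a binary; this example takes each function as a list of instruction strings, masks immediates so relocated code still matches, diffs the normalized bodies to find changed functions, and then matches two signature patterns (an added compare-and-branch, an added null test) against the instructions the patch inserted. The three "before" and "after" functions are constructed; the function and label names are placeholders.

```python
"""Signature-based security-patch recognition over a function-level binary
diff, illustrating the idea in the ExploitSpotting abstract.  Added example,
not DarunGrim's code.  Real tooling works on disassembly; here each function
is a list of instruction strings, and the sample functions are constructed."""
import difflib
import re
from typing import Dict, List, Tuple

Function = List[str]

# Each signature is matched against a run of instructions the patch inserted,
# joined with "; ".  Immediates are already masked as IMM by normalize().
SIGNATURES = {
    "added length/bounds check": re.compile(r"cmp [^;]+; j(a|b|ae|be|g|l|ge|le|ne|e)\b"),
    "added null-pointer check": re.compile(r"test (\w+), \1; j(e|z|ne|nz)\b"),
}


def normalize(insn: str) -> str:
    """Mask immediates and addresses so rebased or re-laid-out code still matches."""
    return re.sub(r"0x[0-9a-fA-F]+|\b\d+\b", "IMM", insn)


def fingerprint(fn: Function) -> Tuple[str, ...]:
    return tuple(normalize(i) for i in fn)


def changed_functions(old: Dict[str, Function], new: Dict[str, Function]) -> List[str]:
    """The binary-diff step: functions whose normalized bodies differ or are new."""
    return [name for name, body in new.items()
            if name not in old or fingerprint(old[name]) != fingerprint(body)]


def inserted_runs(old: Function, new: Function) -> List[str]:
    """Contiguous runs of instructions present in new but not in old."""
    a, b = fingerprint(old), fingerprint(new)
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return ["; ".join(b[j1:j2]) for tag, _, _, j1, j2 in sm.get_opcodes()
            if tag in ("insert", "replace")]


def classify(old: Function, new: Function) -> List[str]:
    """Labels of security-patch signatures found among the inserted code."""
    runs = inserted_runs(old, new)
    return [label for label, pat in SIGNATURES.items()
            if any(pat.search(r) for r in runs)]


def triage(old: Dict[str, Function], new: Dict[str, Function]) -> Dict[str, List[str]]:
    """Changed functions first, then the security signatures found in each."""
    return {name: classify(old.get(name, []), new[name])
            for name in changed_functions(old, new)}


# Constructed "before" and "after" disassembly of four functions.
OLD = {
    "parse_header": ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0xc]",
                     "mov esi, [ebp+0x8]", "lea edi, [ebp-0x40]", "rep movsb",
                     "pop ebp", "ret"],
    "free_ctx": ["mov eax, [ebp+0x8]", "push eax", "call free", "ret"],
    "update_banner": ["mov eax, 0x1", "ret"],
    "helper": ["xor eax, eax", "ret"],
}
NEW = {
    "parse_header": ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0xc]",
                     "cmp ecx, 0x40", "ja .Lfail",          # the security fix
                     "mov esi, [ebp+0x8]", "lea edi, [ebp-0x40]", "rep movsb",
                     "pop ebp", "ret"],
    "free_ctx": ["mov eax, [ebp+0x8]", "test eax, eax", "je .Ldone",
                 "push eax", "call free", ".Ldone:", "ret"],
    "update_banner": ["mov eax, 0x2", "call 0x401000", "ret"],  # feature change
    "helper": ["xor eax, eax", "ret"],
}


if __name__ == "__main__":
    for name, labels in triage(OLD, NEW).items():
        print(name, labels or ["changed, no security signature"])
```

Two caveats worth keeping in mind when reading the output: masking immediates is what makes the diff stable across rebased binaries, but it also hides constant-only changes (the 0x1 to 0x2 edit in update_banner is invisible to the fingerprint and that function is flagged only because of the added call), and a signature list like this one only ever finds the patch shapes someone thought to encode, which is the gap the abstract's taint-analysis method is meant to close.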

Jeongwook Oh started his career as a firewall developer back in the mid 90s. After that he spent a few years doing security audits and penetration testing. Finally, he moved to California and joined the eEye crew and did some IPS stuff, which involved both userland and kernel-land hacking.

Now he's working for WebSense Inc where he's doing research related to malware and exploit detection.

return to top

Electronic Weaponry or How to Rule the World While Shopping at Radio Shack

Talk will cover electronic weapons, focusing mainly on the ones that target electronic systems.

TW "Mage2" Otto's bio: I have a lame degree in electronics and computer technology. I am a self proclaimed information junkie. Started playing with high voltages in my early teens and somehow survived it all. I still to this day remember what a 40+kv hit feels like. I have been in the computer and electronics industry for over 10 years now and have been tinkering long before that. Who cares DEF CON's canceled...

return to top


Big Brother on the Big Screen: Fact/Fiction?

Can the NSA really do that? Um, yes. Join us at the movies to take a close look at how government surveillance has caught up with the fables dreamed up for Hollywood flicks, from old favorites like Brazil to newer additions like Bourne and Dark Knight. Jaunty tin foil hats and popcorn will be provided!

Nicole Ozer directs the Technology and Civil Liberties Program at the ACLU of Northern California and spearheads the organization's new online privacy campaign- Demand Your dotRights (

Before joining the ACLU, Nicole was an intellectual property attorney at Morrison & Foerster LLP and worked on diverse civil liberties technology projects with the Samuelson Law, Technology, and Public Policy Clinic at Boalt Hall, UC Berkeley. Nicole graduated from Amherst College and earned her J.D. with a Certificate in Law and Technology from UC Berkeley. Nicole was recognized by San Jose Magazine in 2001 for being one of 20 "Women Making a Mark" in Silicon Valley.

Kevin Bankston is a senior staff attorney at the Electronic Frontier Foundation, specializing in free speech and privacy law. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.

return to top

Practical Cellphone Spying

It's widely accepted that the cryptoscheme in GSM can be broken, but did you know that if you're within radio range of your target you can intercept all of their cellphone calls by bypassing the cryptoscheme entirely? This talk discusses the practical aspects of operating an "IMSI catcher", a fake GSM base station designed to trick the target handset into sending you its voice traffic. Band jamming, rolling LACs, Neighbour advertisements and a wide range of radio trickery will be covered, as well as all the RF gear you'll need to start listening in on your neighbours.

Chris Paget has over a decade of experience as an information security consultant and technical trainer for a wide range of financial, online, and software companies. Chris' work is increasingly hardware-focused, recently covering technologies such as GSM and RFID at venues such as Defcon and Shmoocon. With a wide range of experience encompassing software, networks, radio, cryptography and electronics, Chris enjoys looking at complex systems in unusual ways to find creative attacks and solutions.

return to top

Extreme-range RFID Tracking

If you think that RFID tags can only be read a few inches away from a reader you haven't met EPC Gen2, the tag that can be found in Enhanced Drivers Licenses - this 900MHz tag is readable from 30 feet with off-the-shelf equipment. Without amplifying the signal from a commercial reader we were able to equal the previous Defcon record of 69 feet, and with less than $1000 of equipment we reached considerably further than that. This talk covers everything you'll need to know to read federally-issued RFID tags at extreme ranges and explores the consequences to personal privacy of being able to do so.

Chris Paget has over a decade of experience as an information security consultant and technical trainer for a wide range of financial, online, and software companies. Chris' work is increasingly hardware-focused, recently covering technologies such as GSM and RFID at venues such as Defcon and Shmoocon. With a wide range of experience encompassing software, networks, radio, cryptography and electronics, Chris enjoys looking at complex systems in unusual ways to find creative attacks and solutions.

return to top

My Life As A Spyware Developer

Behold! Billions of computers are infected with spyware every decade! But how! And why!

Let's join our host as he takes you behind the curtain of the mysterious spyware industry. This will be a high level discussion with no technical knowledge needed. I'll be covering how I ended up writing spyware, what the software was capable of, how it was deployed onto millions of machines, how all the money was made (not how you'd expect) and how it all fell apart (of course).

After seeing this talk, all your dreams will come true and you will never die!

Garry Pejski has had a varied programming career that has included creating dating websites, pharmacy software, online casinos and custom applications for power plants. Also, he wrote spyware when he was broke and couldn't find a real job (he's very sorry). He's been programming professionally for like 13 years now. Damn.

These days he's basically a technical manager at an engineering consulting company. He still writes software, but has been up to a lot of NERC CIP security work lately. He is handsome and lives in Toronto.

return to top

"This is not the droid you're looking for..."

Android is a software stack for mobile devices that includes an operating system, middleware and key applications and uses a modified version of the Linux kernel. 60,000 cell phones with Android are shipping every day. The Android platform ranks as the fourth most popular smartphone device-platform in the United States as of February 2010.

To date, very little has been discussed regarding rootkits on mobile devices. Android forms a perfect platform for further investigation due to its use of the Linux kernel and the existence of a very established body of knowledge regarding kernel-level rootkits in Linux.

We have developed a kernel-level Android rootkit in the form of a loadable kernel module. As a proof of concept, it sends the attacker a reverse TCP shell over 3G/WiFi upon receiving an incoming call from a 'trigger number'. This ultimately results in full root access on the Android device. This will be demonstrated (live).

The implications of this are huge; an attacker can proceed to read all SMS messages on the device, run up long-distance charges for the owner, and even potentially pin-point the mobile device's exact GPS location. Such a rootkit could be delivered over-the-air or installed alongside a rogue app. Our talk will take participants down this path of development, describing how the PoC was written and laying the foundations for our research to be taken further.

Nicholas J. Percoco is the head of SpiderLabs at Trustwave - the advanced security team that has performed more than 700 cyber forensic investigations globally, thousands of penetration and application security tests for Trustwave clients. In addition, his team is responsible for the security research that feeds directly into Trustwave's products through real-time intelligence gathering. He has more than 15 years of information security experience. Nicholas acts as the lead security advisor to many of Trustwave's premier clients by assisting them in making strategic decisions around various security and compliance regimes. As a speaker, he has provided unique insight around security breaches and trends to public and private audiences throughout North America, South America, Europe, and Asia including security conferences such as Black Hat, DEFCON, SecTor and You Sh0t the Sheriff. Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas holds a Bachelor of Science in Computer Science from Illinois State University.

Christian Papathanasiou is a Security Consultant for Trustwave. He is part of SpiderLabs - the advanced security team at Trustwave responsible for incident response, penetration testing and application security tests for Trustwave's clients. Christian's research interests include Linux kernel rootkit/anti-rootkit technology, algorithmic trading and web application security. Christian holds a MSc with Distinction in Information Security from the Information Security Group at Royal Holloway, University of London and a CISSP. He has consulted internationally in the space/defense/commercial and financial sectors in all matters relating to Information Security. Christian is also a qualified Chemical Engineer having graduated with a MEng(Hons) in Chemical Engineering from the University of Manchester Institute of Science and Technology.

return to top

Malware Freak Show 2: The Client-Side Boogaloo

We had a busy year. We investigated over 200 incidents in 24 different countries. We ended up collecting enough malware freaks [samples] to fill up the Kunstkammer a few times over. Building upon last year's talk, we want to dive deeper and bring you the most interesting samples from around the world - including one that made international headlines and the rest we're positive no one's ever seen before (outside of us and the kids who wrote them). This talk will bring you 4 new freaks and 4 new victims including: a Sports Bar in Miami, Online Adult Toy Store, US Defense Contractor, and an International VoIP Provider. The malware we are going to demo are very advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic.

Nicholas J. Percoco is the head of SpiderLabs at Trustwave - the advanced security team that has performed more than 700 cyber forensic investigations globally, thousands of penetration and application security tests for Trustwave clients. In addition, his team is responsible for the security research that feeds directly into Trustwave's products through real-time intelligence gathering. He has more than 15 years of information security experience. Nicholas acts as the lead security advisor to many of Trustwave's premier clients by assisting them in making strategic decisions around various security and compliance regimes. As a speaker, he has provided unique insight around security breaches and trends to public and private audiences throughout North America, South America, Europe, and Asia including security conferences such as Black Hat, DEFCON, SecTor and You Sh0t the Sheriff. Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas holds a Bachelor of Science in Computer Science from Illinois State University.

Jibran Ilyas is a Senior Forensic Investigator at Trustwave's SpiderLabs. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has investigated some of the nation's largest data breaches and is a regular contributor to published security alerts through his research. He has 7 years experience and has done security research in the area of computer memory artifacts. Jibran has presented talks at security conferences (DEFCON, SecTor) in the area of Computer Forensics and Cyber Crime. Jibran is also a regular guest lecturer at DePaul and Northwestern University. Prior to joining SpiderLabs, Jibran was part of Trustwave's SOC where he helped Fortune 500 clients with their Security Architectures and deployments. Jibran holds a Bachelor of Science degree from DePaul University and a Master's degree in Information Technology Management from Northwestern University.

return to top

WiMAX Hacking 2010

It's 2010. WiMAX networks have now been deployed in most major US and European cities. Laptops are being sold with WiMAX built in, and mobile phones are now hitting the market. This talk covers some of the latest findings, public and private, from the wimax-hacking google group. Come see what's been done, what's possible, and what we are working on.

Pierce, Goldy and aSmig are security researchers from Portland Oregon, and active contributors to the wimax-hacking google group.

return to top

Sniper Forensics - One Shot, One Kill

At one time, computer forensics consisted of pulling the plug, imaging everything in sight, loading those images into EnCase or FTK, and hoping you can "find the bad guy stuff". As computer hackers have become more resourceful, the complexity of computer forensics has likewise increased exponentially. Add to that the growing size of data storage devices, and it becomes infeasible to even consider imaging tens or hundreds of terabytes, let alone load those images into EnCase or some other forensic software. So what's the answer? How can incident responders hope to remain relevant in today's operating environment? With Sniper Forensics!

Live Analysis tools and techniques have exploded onto the incident response scene in the last two years. By gathering and reviewing volatile data and RAM dumps, incident responders can use time proven theories like, "Locard's Exchange Principle", "Occam's Razor", and "The Alexiou Principle" to identify and target only the systems that are part of the breach. What used to take hours of analysis can now be done in minutes! What used to take weeks, can now take days!

By using sound logic and data reduction based on forensic evidence extracted from Live Analysis, incident responders can introduce accuracy and efficiency into their case work at a level not available through any other means. This is truly the cutting edge of modern computer forensics, and not something to be taken lightly! Don't miss the opportunity to learn tips, tools, and hear real world examples of how Live Analysis is literally changing the landscape of modern forensics!

This information is CRITICAL for all incident responders and computer forensic analysts! It combines cutting edge forensic tools and techniques with time proven principles. Successful integration of the material contained in this presentation will without question, reduce the time spent on cases and increase accuracy! It's a targeted approach to forensics which I have dubbed, "Sniper Forensics" rather than the old school, "Shotgun forensics" approach.
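The data-reduction step the abstract is built around, using volatile data to decide which systems actually belong to the breach before imaging anything, can be shown with a small scoring pass over live-response output. The following is an added illustration for this page, not the speaker's tooling: the hostnames, process and connection listings are constructed, the known C2 address is a TEST-NET-3 placeholder, and the indicator weights are arbitrary choices made for the example.

```python
"""Data-reduction triage over live-response output, as an added illustration
of the abstract's point that volatile data can single out the systems that are
actually part of a breach before anything is imaged.  Not the speaker's
tooling.  Hostnames, listings and the C2 address are constructed."""
import re
from typing import Dict, List, Tuple

# Indicators the investigator already holds at this point in the case.
KNOWN_C2 = {"203.0.113.7"}                                   # placeholder address
SUSPECT_PATH = re.compile(r"\\(Temp|Recycler|ProgramData)\\", re.IGNORECASE)

# Per host: "pid name path" process lines and "proto local remote state pid"
# connection lines, as a live-response script might dump them.
LIVE_DATA: Dict[str, Dict[str, List[str]]] = {
    "POS-01": {
        "processes": [
            "1204 explorer.exe C:\\Windows\\explorer.exe",
            "2044 update.exe C:\\Users\\cashier\\AppData\\Local\\Temp\\update.exe",
        ],
        "connections": [
            "TCP 10.0.0.11:49210 203.0.113.7:443 ESTABLISHED 2044",
            "TCP 10.0.0.11:445 10.0.0.5:51002 ESTABLISHED 4",
        ],
    },
    "FILESRV": {
        "processes": [
            "812 svchost.exe C:\\Windows\\System32\\svchost.exe",
            "3320 7z.exe C:\\Users\\admin\\AppData\\Local\\Temp\\7z.exe",
        ],
        "connections": ["TCP 10.0.0.5:445 10.0.0.11:49300 ESTABLISHED 4"],
    },
    "WKS-17": {
        "processes": ["990 outlook.exe C:\\Program Files\\Microsoft Office\\outlook.exe"],
        "connections": ["TCP 10.0.0.40:49800 198.51.100.20:443 ESTABLISHED 990"],
    },
}


def parse_processes(lines: List[str]) -> List[Dict[str, str]]:
    out = []
    for line in lines:
        pid, name, path = line.split(" ", 2)   # the path may itself contain spaces
        out.append({"pid": pid, "name": name, "path": path})
    return out


def parse_connections(lines: List[str]) -> List[Dict[str, str]]:
    out = []
    for line in lines:
        proto, local, remote, state, pid = line.split()
        out.append({"proto": proto, "local": local, "state": state, "pid": pid,
                    "remote_ip": remote.rsplit(":", 1)[0]})
    return out


def score_host(data: Dict[str, List[str]]) -> Tuple[int, List[str]]:
    """Weight each finding; agreement between two data sources counts extra."""
    procs = parse_processes(data["processes"])
    conns = parse_connections(data["connections"])
    score, reasons, suspect_pids = 0, [], set()
    for p in procs:
        if SUSPECT_PATH.search(p["path"]):
            score += 2
            suspect_pids.add(p["pid"])
            reasons.append("process from writable temp path: %s (pid %s)" % (p["path"], p["pid"]))
    for c in conns:
        if c["remote_ip"] in KNOWN_C2:
            score += 3
            reasons.append("connection to known C2 %s from pid %s" % (c["remote_ip"], c["pid"]))
            if c["pid"] in suspect_pids:           # corroboration across sources
                score += 2
                reasons.append("C2 connection owned by the suspect process (pid %s)" % c["pid"])
    return score, reasons


def triage(live: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, int, List[str]]]:
    """Hosts ordered by evidence weight; zero-score hosts can wait for imaging."""
    scored = [(host, *score_host(data)) for host, data in live.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for host, score, reasons in triage(LIVE_DATA):
        print(host, score, reasons or ["no volatile indicators; defer imaging"])
```

The corroboration rule in score_host() is the part that matters: a temp-path binary or a single odd connection on its own is weak, but the same PID appearing in both the process list and the C2 connection is the kind of convergent evidence that justifies pulling that one system for full analysis while the others stay in service.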

Chris Pogue is a Senior Security Analyst for the Spiderlabs Incident Response and Digital Forensics team at Trustwave. He has over ten years of administrative and security experience including three years on the IBM ISS X-Force Emergency Response Services Team, five years with IBM's Ethical Hacking Team, and 13 years of Active Military service in the US Army Signal Corps.

Chris also has worked with local, state, and federal law enforcement agencies such as the New York Police Department, the Royal Canadian Mounted Police, the Federal Bureau of Investigation, and The United States Secret Service to help pursue the digital evidence left behind by criminals of all types. His efforts have led to arrests and convictions in Oklahoma, New York, Florida, Albania, and Germany.

Chris holds a Bachelor's Degree in Business Management, a Master's degree in Information Security, is a Certified Information Systems Security Professional, (CISSP), a Certified Ethical Hacker (CEH), a Certified Reverse Engineering Analyst (CREA), a GIAC Certified Forensics Analyst (GCFA), and a VISA PCI DSS Qualified Security Assessor (QSA).

return to top

Industrial Cyber Security

Industrial control systems are flexible constructs that result in increased efficiency and profitability, but this comes at the cost of vulnerability. In past years, industrial cyber security has been mostly ignored due to cost, lack of understanding, and a low incidence rate. More and more these systems rely on commercial, off the shelf software which increases the ease and likelihood of an attack. Today, we face growing threats from individuals, foreign governments and competing companies. The risks have increased by orders of magnitude.

This presentation will provide an overview of control components common to the power industry, common vulnerabilities, the current situation with industry’s cyber infrastructure as well as worst case scenarios. A short overview of standards & governances will follow along with suggestions to achieve compliance with overlapping governances. The final phase of the presentation will provide the audience with a case study regarding the security flaws of a programmable logic controller, a common control component, and just how devastating an attack on industrial machinery can be. This will be demonstrated on the physical hardware by simulation of common systems run by this device. After the presentation, a breakout session will occur where the audience will have the opportunity to attempt to compromise the control network.

Wade Polk is a controls engineer in mining and power generation. Specialties include cyber security, NERC compliance, DB development, pollution monitoring/reduction systems, control room designs, fire protection systems, instrument requisitions, logic design and control system design. Additional experience includes robotics, MIDI development, RF design, IC design, processor design.
- B.S., Electrical Engineering, 2006
- B.S., Computer Engineering, 2006

Paul Malkewicz has over five years of experience, including two years with WorleyParsons, in the design and implementation of control systems and data acquisition systems. Responsible for the design and development of automated integration systems. As an Instrumentation and Controls (I&C) Engineer, proficient in analysis and design tasks including specifying, integrating, and commissioning distributed control systems (DCS) for power plants. Project engineering experience includes defining instruments for mechanical equipment, defining instrument specifications, and creating system descriptions for control system logic development. Experience creating loop and control wiring diagrams for installation and maintenance of instruments and equipment.
- B.S., Computer Engineering, University of Illinois, Champaign/Urbana, 2004
- Member, ISA, 2010-Present

J. Novak is a controls engineer in mining and power generation. He has worked in the mining and power generation industry for 3 years and as a PLC programmer for a period of 2 years.
- A.S., Electrical Engineering
- B.S., Electrical Engineering


"This Needs to be Fixed" and Other Jokes in Commit Statements

Open source. These two words mean lots of things to lots of people. Some say, because it's open source it's more secure because you have complete transparency. Some say, because it's open source it's less secure because amateurs are writing the code. Well, one thing is true: with open source you have free rein to see the code and all the commentary left in there before it's compiled away. Ever wondered what was in those comments? Is there some lingering bug with a comment left behind to remind someone to go back in to fix it later? How many times did the developer leave a comment behind with the word 'bollocks' in it? These are the questions we set out to answer, and this talk is about those answers and how we got them.

During our talk we'll cover how we went about crawling the Internets for any and all public repositories, how we parsed the source code and commit statements in the repos we found, how we store the results, and of course the results. Some of what we find will be security specific.... much of what we find will just be comedy. We plan on releasing access to a web interface to perform your own queries against our results to see what interesting comments you can find in which repositories.

Bruce Potter is the founder of the Shmoo Group of security, crypto, and privacy professionals. He is also the co-founder and CTO of Ponte Technologies, a company focused on developing and deploying advanced IT defensive technologies. His areas of expertise include wireless security, network analysis, trusted computing, pirate songs, reusing bios, and restoring hopeless vehicles. Mr. Potter has co-authored several books and writes monthly articles for "Network Security".

Logan Lodge is a member of the Shmoo group and an avid Python developer. When he's not dominating in TF2, or blogging about the benefits of test driven development, he's likely on a golf course somewhere testing the limits of a golf ball's flight trajectory or attempting to drive a dispenser off of a boat to see if it's flight worthy.


Toolsmithing an IDA Bridge, Case Study For Building A Reverse Engineering Tool

The presentation is a case study about an approach to building reverse engineering tools, but in this case, a network bridge between IDA Pro and Debuggers. The presentation will cover the development side of things, and discuss how to leverage open source projects as supplements for code and learning aids, detail useful sources for this type of development, and provide insight about how to build C++ extensions for WinDbg and IDA, as well as building Python plugins for ImmunityDebugger and VDB.

Additionally, tips and techniques for rapid software development and testing will be described to help aid those onesy/twosy development teams. The target audience for this presentation is those interested in tool development.

Adam Pridgen is an independent researcher and information security consultant who works on a variety of problems as an attacker and a reverse engineer. Adam began his security career at the University of Texas, where he was a member of the UT Honeynet Project and an IDS tech. From there, he has passed through a variety of research and consulting roles. Currently, he is an open source tool developer, researcher, and consultant at The Cover of Night. In the fall, he will begin his PhD at Rice University.

Matthew Wollenweber has extensive background as a penetration tester and security researcher. Matthew is a former employee of the NSA where he was a member of the Red Team and later a lead developer of an advanced network sensor program. Matthew is a former senior consultant at Foundstone, a Shmoocon speaker, and active researcher. Currently he is the team lead for malware analysis at The George Washington University and hopes to enter a PhD program shortly.


Build Your Own Security Operations Center for Little or No Money

In this talk, I'll use my knowledge of working in a Security Operations Center to provide you with a framework to guide you in building your own SOC or network monitoring system capable of monitoring small to medium sized networks. The goal of this kind of monitoring is to watch for things such as break-in attempts on your network, malware downloads and malware beaconing out after installation and to be a central location for IT security threats. Additionally, the presentation will include some methods of packet analysis of specific events such as cross-site scripting, SQL injection and beaconing malware.

No information on specific technologies or methodologies used by the Security Operations Center Josh works with can be discussed. All information will be based on publicly available tools and information.

Josh Pyorre currently works as an analyst at a Security Operations Center. He has 10 years of experience working as a System Administrator for various non-profit agencies in the San Francisco Bay Area. His primary professional passion has always been for network security.

Chris McKenney is a Principal Consultant for Mandiant Corporation. He has over 20 years in IT, mainly security-focused. His experience includes penetration testing, network defense, and being a security zealot.


Operating System Fingerprinting for Virtual Machines

Operating System fingerprinting (OSF) is important for deciding the security policy enforced on a protected Virtual Machine (VM). Unfortunately, current OSF techniques suffer from many problems: they fail badly against modern Operating Systems (OS), they are slow, and they support only a limited set of OSes and hypervisors.

This paper analyzes the drawbacks of current OSF approaches against VM in the cloud, then introduces a novel method, named UFO, to fingerprint OS running inside VM. Our solution fixes all the above problems: Firstly, it can recognize all the available OS variants and (in lots of cases) exact OS versions with excellent accuracy, regardless of OS tweaking. Secondly, UFO is extremely fast. Last but not least, it is hypervisor-independent: we proved that by implementing UFO for Xen and Hyper-V.

Nguyen Anh Quynh is a researcher at The National Institute of Advanced Industrial Science and Technology (AIST), Japan. His interests include computer security, networking, operating systems, virtualization, trusted computing, digital forensics, and intrusion detection. He has published many academic papers in those fields and frequently travels the world to present his research results at various hacking conferences. Quynh obtained his PhD degree in computer science from Keio University, Japan. He is also a member of VnSecurity, a pioneer security research group in Vietnam.


Lord of the Bing: Taking Back Search Engine Hacking from Google and Bing

During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the team's resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior.

Not anymore. Our demonstration-heavy presentation picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. We will then reveal several new search engine hacking techniques that have resulted in remarkable breakthroughs against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new hacking techniques.

We'll also be releasing the first ever 'live vulnerability feed', which will quickly become the new standard on how to detect and protect yourself against these types of attacks. This presentation will change the way you've previously thought about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.

Rob Ragan is a Security Associate at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Rob served as Software Engineer with the Application Security Center team of Hewlett-Packard (formerly SPI Dynamics) where he developed automated web application security testing tools, performed penetration tests, and researched vulnerability assessment and identification techniques. Rob has presented his research at leading conferences such as InfoSec World and is a contributing author to the upcoming Hacking Exposed: Web Applications 3rd edition.

Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments.

Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients.

Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.


Build a Lie Detector/Beat a Lie Detector

Everyone seems to be acquainted with the idea that the polygraph is fallible and that there are a million tricks that can supposedly be used to beat it, but how can you really know for sure? One way would be if you pieced together your own polygraph for the singular reason of trying to beat it, and we have done just that. We will take a look at the history of deception detection from the birth of Jesus through the Age of Reason to try and get a grasp on how the modern day polygraph came about. Next comes the show and tell on exactly how the group built its own homebrew polygraph and the hilarity that ensued as we tried it out on our friends and family to answer the question: will they beat the machine, or will the machine beat them?

Rain was raised by a coven of nocturnal city attorneys in the then-unspoiled wilderness of Northern Ontario, and has since drawn upon the survival skills learned during these early times to thrive in today's burgeoning culture of new technology. After spending her formative years living under the sea, she then made inroads to Cusco, before subsequently traveling to Lemuria, Skull Island, and briefly and most recently a base camp in Mare Vaporum on the Moon. She currently splits her time between summers in Moaning Moose, Montana and winters in a research laboratory of indeterminate location.

j03b34r is a system analyst in Calgary Alberta. He is an avid hardware modifier and a recovering hoarder of technologies. He is the reigning Dr. Mario champion within his 8-bit mind. His current mottos are "If it ain't broke, modify it", and "If it's broken, take it apart".


Search & Seizure & Golfballs

In 2008, Eric Rachner was playing a round of Urban Golf with friends in Seattle. When an errant foam ball hit by another player struck a passer-by, the police were called. Eric was standing on the sidewalk minding his own business, and was arrested for 'Obstruction' for refusing to identify himself to police. Refusing to back down, Eric took his case to court, where it was ultimately dismissed. Today he continues to fight against the Seattle Police, and his story has been featured prominently in local and internet media.

This talk will provide you with a basic understanding of search and seizure law, so that you can appreciate Eric's story and so you know how to exercise your own rights should the time arise. We'll use Eric's situation as a case study in how the rubber meets the road when it comes to the Constitution and interactions with the police.

Jim Rennie is an Attorney, and has been practicing criminal defense law in Las Vegas for nearly 3 years. He spoke previously at DefCon about what to do if you get arrested in Vegas, and on the Creative Commons license.

Eric Rachner is a Security Consultant based in Seattle. He previously worked at a major software company in Seattle, and now travels the world as an independent consultant.


Enough Cyber Talk Already! Help get this Collaboration Engine Running!

With the Private-sector "owning" the intellectual capital for the cyber domain, one key issue is how can we extend the reach of the military's arm to leverage our requirements process, the awareness to existing or the 'art of the possible' cyber capabilities, and finally, 'non-standard' models in acquisition of cyber services? How do we capture/manage cyber cross-domain capabilities to "what's out there" in the private sector that are mutually beneficial to both the military operator and innovative company--in real-time (when necessary)? Finally, how do we incentivize your participation to 'wanna' play?!

Riley Repko is Senior Adviser, Cyber Operations and Transformation, Deputy Chief of Staff for Operations, Plans and Requirements, Headquarters U.S. Air Force, Washington, D.C. He is responsible for leveraging existing cyber programs and policies and developing new transformational strategies paramount to supporting the CSAF-directed priorities in air, space and cyber operations. He serves as a functional expert collaborating with Department of Defense, federal government organizations and private industry on how to effectively integrate cyber capabilities with current operational forces within the Air Force. He establishes and maintains essential relationships, specific lines of communication and critical processes that ensure continued success across the entire Air Force operational enterprise. Mr. Repko is a Highly Qualified Expert who will serve in this assignment for three years.


Implementing IPv6 at ARIN

Matt Ryanczak, Network Operations Manager at the American Registry for Internet Numbers (ARIN), began deploying IPv6 in production in 2003. Matt has encountered and overcome the common challenges many of you will encounter working with IPv6. ARIN would like to share its IPv6 deployment experiences with you and relay our knowledge of other production IPv6 deployments to help you get a jump start on your own efforts.

Matt will talk in detail about ARIN's deployment, to include information about provider communications, hardware, and software issues. Matt will also address security-related concerns related to IPv6 deployment.

Matt Ryanczak is the Network Operations Manager for the American Registry for Internet Numbers, the nonprofit corporation that manages the distribution of all Internet number resources, including IPv4, IPv6, and ASNs.


Exploiting WebSphere Application Server's JSP Engine

WebSphere Application Server (WAS), IBM's Java Enterprise Edition (JEE) application server, is one of the leading application servers and is the predominant application server in the financial and insurance sectors. It is also embedded in several of IBM's other products including WebSphere Portal, WebSphere Process Server and WebSphere Message Broker.

In March 2009, IBM released PK81387, which patches a "Possible application source file exposure" in WAS. A detailed explanation of this vulnerability and its exploitation will be provided, including how implementation details such as character encoding and multiple vulnerabilities, some still unpatched, can be orchestrated to provide file and directory exposure inside an application's Web Archive (WAR). In some cases, with common libraries or WAS feature use, these vulnerabilities can be extended to achieve arbitrary code execution resulting in full compromise of the application server.

Exploitation details will be described and use of this vulnerability and others to execute a remote operating system shell will be demonstrated. Source code to the exploit and other tools will be provided.

Ed Schaller has had a long interest in computer security from both the defensive and offensive angles. Before professionally focusing on security, he worked as systems administrator, developer and architect at various companies. In his security work, he was a researcher at Brigham Young University's Internet Security Research Laboratory and is now employed by a health insurance company doing security assessments on both internally developed and third party applications and systems. Most of his current work involves Java applications running on IBM's WebSphere Application Server.

Outside of work, Ed is married and has three small children, who, given their current ability to get into things at home, are destined to be great hackers.


SHODAN for Penetration Testers

SHODAN is a computer search engine. But it is unlike any other search engine. While other search engines scour the web for content, SHODAN scans for information about the sites themselves. The result is a search engine that aggregates banners from well-known services. This presentation will focus on the applications of SHODAN to penetration testers, and in particular will detail a number of case studies demonstrating passive vulnerability analysis including default passwords, descriptive banners, and complete pwnage. For penetration testers, SHODAN is a game-changer, and a goldmine of potential vulnerabilities.

Michael Schearer ("theprez98") is a government contractor who spent nearly nine years in the United States Navy as a combat-experienced EA-6B Prowler Electronic Countermeasures Officer. He also spent nine months on the ground doing counter-IED work with the U.S. Army. He is a graduate of Georgetown University's National Security Studies Program and a previous presenter at DEFCON, and has spoken at ShmooCon, HOPE and internationally at CONFidence (Poland) and HackCon (Norway) as well as other numerous conferences. Michael is a licensed amateur radio operator and an active member of the Church of WiFi. He lives in Maryland with his wife and four children.


Gaming in the Glass Safe - Games DRM & Privacy

"DRM is the new form of slavery - but it also spies on you." - conversation with a gamer

After years of perceived-rampant piracy on the PC, game publishers are beginning to shackle gamers with increasingly intrusive DRM systems. However, recent game news headlines are brimming with failures of these measures. Cracks either get released weeks prior to street dates, or systems fail and prohibit legitimate buyers from running their games. Even worse, these systems can easily be used to siphon the personal information of gamers and potentially cause them major pain.

This presentation will show an overview of what is out there in the game DRM space and dive into specific issues. These issues detail how game platforms and their DRM systems create a goldmine of personal data and can be easily used to mess with legitimate gamers.

Ferdinand Schober has been ranting about games for several years, and has been playing them in lieu of sleep since grade school. He worked in a security testing position on AAA titles with the highest ranked game publisher, followed by an excursion into web-based and casual game development for a major online game portal. He recently joined the Georgia Institute of Technology as a PhD student and security researcher, focusing on entertainment security.


You're Stealing It Wrong! 30 Years of Inter-Pirate Battles

Historian Jason Scott walks through the many-years story of software piracy and touches on the tired debates before going into a completely different direction - the interesting, informative, hilarious and occasionally obscene world of inter-pirate-group battles. A multi-media extravaganza of threats, CSI-level accusations and evidence trails, decades of insider lingo, and demonstrations of how the more things change, the more they still have to keep their ratios up.

Jason Scott is a computer historian and proprietor of TEXTFILES.COM, a collection of computer history. This is a pretty good pairing, actually. He also creates documentaries on computer history and attends and speaks at conventions like DEFCON, making computer history. If you see him at DEFCON the choice is clear: talk to him about his cat.


DC 18 Movie Night

At the dawn of the era of home computing, an unusual type of game was the most popular to play. With just a screen of text and a prompt, you'd be asked the simple question: WHAT DO YOU WANT TO DO NEXT?

As you typed in commands and sentences, the games would tell you a story, a story fraught with danger, excitement, puzzles and hours of exploration. They were called text adventures, adventure games and interactive fiction. They dominated the sales charts and introduced millions to the power and flexibility of home computers. No other type of computer game could come close. And then they were gone forever... or maybe they never actually left.

GET LAMP tells the story from a cave in Kentucky to the modern era of what some call a brand new form of literature. Director Jason Scott will be on hand for the showing, as well as a Q&A afterwards.

Jason Scott is a computer historian and proprietor of TEXTFILES.COM, a collection of computer history. This is a pretty good pairing, actually. He also creates documentaries on computer history and attends and speaks at conventions like DEFCON, making computer history. If you see him at DEFCON the choice is clear: talk to him about his cat.


SMART Project: Applying Reliability Metrics to Security Vulnerabilities

Battlefield operations depend heavily on network-centric computing systems. Such complex and widely dispersed operations expose network-based systems to unprecedented levels of reliability and security risks. Computer systems and network security are often limited by the reliability of the software running on constituent machines. Faults in the software expose vulnerabilities, pointing to the fact that a critical aspect of the computer security problem resides in software. This presentation will cover the latest results of the Software Engineering Research Center's (SERC) SMART Project. SMART stands for Security Measurement and Assuring Reliability through metrics Technology. SMART is the result of a collaboration between SERC and the US Army Research Laboratory (ARL). Through our previous award winning reliability research and our current focus on analyzing large open-source systems, promising results were obtained to support the accurate prediction of the reliability and security of individual and interdependent components in a network-centric environment. Open-source systems being analyzed include Apache, OpenSSH, OpenSolaris, and Firefox. An analysis of our current methods and the results of those methods will be given.

Blake Self is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and R&D at various corporations including Airscanner and Ontario Systems. He currently works in the automated data collection industry as well as doing research for S2ERC (

Wayne Zage and Dolores Zage are professors in the Computer Science Department at Ball State University. They have been conducting research in the Software Engineering Research Center since 1986. Their research in design metrics and models has led to the Zages' design metrics being used at SERC industrial sites as indicators of good software design, to identify fault-prone modules during the design phase of development, and as indicators of where to place effort during software testing. Most recently, they have applied their metrics technology to assess the reliability and security of software systems. Wayne and Dolores Zage received the Alexander Schwarzkopf Prize for Technological Innovation from the National Science Foundation Association in 2007 for their Software Design Metrics.


Hacking DOCSIS For Fun and Profit

At Defcon 16 we showed various modifications and techniques to gain free and anonymous cable modem internet access. During our last talk, the DOCSIS hacking scene was behind the cable companies. Thanks to the efforts of SBHacker and others, we are now ahead of the cable companies. This talk will analyze and discuss the tools, techniques, and technology behind hacking DOCSIS 3.0. We will also cover new areas like hacking PacketCable and discuss all of the DOCSIS related arrests since our last speech. We will be releasing the Haxomatic USB JTAG/SPI programmer by Rajkosto & SBHacker and updated DOCSIS 3.0 hacked firmware for TI puma5-based cable modems at this talk.

Blake Self is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and R&D at various corporations including Airscanner and Ontario Systems. He currently works in the automated data collection industry as well as doing research for S2ERC (

Bitemytaco is a well-known person in the DOCSIS research community and one of the root admins at, the largest modem hacking community in the world. He funded the development of Haxorware (coded by Rajkosto) - the most popular and innovative diagnostic cable modem firmware ever released. He also coordinated the development of the current hacked SB6120 firmware and released it to the public on Christmas 2009. Taco has been researching cable modem networks since 1998 and has been involved in the modem hacking scene for many years. "DOCSIS: Insecure By Design" was presented at DEFCON 16 by Taco along with teammates Blake of SERC and devDelay of SBHacker.


Rip Your Browser for x06 days

All significant modern applications are ported to the web. Even with custom applications, there is at least one web-based component. Web applications are partially dependent on web clients and are continuously part of the security equation. These issues manifest in ways that make the user vulnerable. For example, privacy vulnerabilities are demonstrated with the EFF's Panopticlick browser fingerprinting project. Whether the weakness is privacy exposure, a client exploit, or a server exploit, an empowered browser can provide a reasonable defense.

This presentation will review three typical vulnerability classes and selected defenses: Privacy, Client-Side, and Server-side. The goal of this new tool is to shorten the vulnerability window to six days. The talk finale will demonstrate how to poison your browser's DOM for anonymity.

James Shewmaker has over 15 years' experience in IT, primarily developing appliances for automation and security for broadcast radio, internet, and satellite devices. He is a SANS certified instructor and is one of the first certified GSE-Malware experts. He graduated with a BS in Computer Science from the University of Idaho. James is a founder and active consultant for Bluenotch Corporation, which focuses on investigations, penetration testing, and analysis. His recent development projects incorporate watermarking and steganographic defensive techniques. James also contributes to the FreeBSD project and is a port maintainer. He presents at various security and IT conferences and is actively involved in the COINS program of the SANS Institute. In 2009, Shewmaker's focus was on the Netwars project, building and operating this contribution to the US Cyber Challenge. Currently, his research focus is client-side active defenses, including a new browser defense tool called x06d.


Hacking Oracle From Web Apps

This talk will focus on exploiting SQL injections in web applications with an Oracle back-end and will discuss all old and new techniques. The talk will target Oracle 9i, 10g and 11g (R1 and R2). It is widely considered that the impact of SQL Injection in web apps with an Oracle back-end is limited to extraction of data with the privileges of the user mentioned in the connection string. The Oracle database does not offer hacker-friendly functionalities such as openrowset or xp_cmdshell for privilege escalation and O.S. code execution. Further, as Oracle by design does not support execution of multiple queries in a single SQL statement, the exploitation is further restricted. The talk will highlight attack vectors to achieve privilege escalation (from Scott to SYS) and O.S. code execution, all by exploiting Oracle SQL injections from web applications. Further, as a number of organizations move to compliance regimes like PCI, which require that card data is always stored encrypted with the private key never stored inside the database, the talk will focus on what hackers are doing in the wild to bypass these controls and to obtain clear-text card data when it is only stored encrypted or even when it is never stored.

Sumit "sid" Siddharth works as a Principal Security Consultant and heads the Penetration Testing department for 7Safe Limited in the UK.

He has been a speaker at many security conferences including Defcon, Troopers, OWASP Appsec, Sec-T, IT-Underground etc. He has contributed a number of whitepapers, security tools, exploits and advisories to the industry. He also runs the popular IT security blog


Weaponizing Lady GaGa, Psychosonic Attacks

This session introduces and demonstrates the emerging attack vector of psychosonics. Attend and you'll understand how to turn ANY MP3 into a weapon, a study aid, a hidden calming session or helping you experience that Ah-Ha moment of discovery simply by injecting an alternate data stream attack made up of psychosonic frequencies.

You'll learn how different mental states can be created using frequencies that interact with the brain, how the military is using this attack vector, how Vegas uses these same techniques on customers, which open source software creates these frequency-generated psychic states, and sites so you can continue your adventures in psychosonics. Multiple new attacks based on psychosonics will be demonstrated and fully explained so you can easily integrate these into your attack tools.

This is an "attack the audience" session where you'll actually experience these psychosonic attacks so you can judge their effectiveness for yourself. Better yet, you'll understand how to incorporate this attack vector into your future attack surface. Hey, psychosonics is much better than the flame thrower bra she already has!

Brad Smith, RN, ASCIE, BS-Psy MCNPS, CISSP, NSA-IAM became fascinated with computers in 1972 and hasn't burned out yet! In 1996 his software "2the BedSide" was a national Microsoft / HIMSS award winner. His company, the Computer Institute of the Rockies was selected as the 2005 Microsoft Small Business Solution Partner of the Year for their innovative and cost effective security solution for small business.

He is a frequent speaker at many national security events, such as CSI, Interop, HIMSS and COSAC. Brad is also known as "theNURSE" doing presentations on social engineering, interview and interrogation, and virus construction based on Biomimicry at conferences such as Defcon and CIScon.

Brad has developed the skill to make complex ideas simple to grasp. His high-energy style of presenting and the real-world experiences he shares during these sessions makes Brad an entertaining and educational speaker on security.

return to top

A New Approach to Forensic Methodology - !!BUSTED!! case studies

Imagine the following experiment, a unique case is given to three digital forensic analysts and each is given the opportunity to engage the requester in order to develop the information needed to process the case. Based on the information gathered, each of the three analysts is asked to provide an estimate to complete the investigation and can proceed with up to 20 hours to process the case. The analysts are then measured based on the total findings, the time required to process the case, the initial information gathered, and the estimated time to process the case. The expected result is to be varied based on experience and individual characteristics, such as organization, discipline, and the attention to detail of each analyst. Imagine this same experiment but with only 8 hours to process the case, because that is the way it happens in real life.

David Smith and Samuel Petreski have developed a methodology that fits within the Analysis phase in one of the standard Digital Forensic Analysis Methodologies - PEIA (Preparation, Extraction, Identification, and Analysis), to provide a structure for consistent results, better development of the requested goals, increase efficiency in fulfilling the goals, and develop an improved estimate of the time required to complete the request.

This methodology involves the generation and validation of case goals, the evaluation of methods used to achieve the goals, a structure for estimating the effectiveness, time required, processing results of specific methods, and generalized organization and time management. The primary goal of this methodology is to address the structure and optimal path that would allow a digital forensic examiner to perform an examination with a high level of efficiency and consistent results.

This presentation provides an introduction to this methodology and applies its key concepts to real sanitized digital investigations, such as tracking down a suspected executive's adult craigslist ad, performing an analysis on a compromised system involving social security numbers, and making the determination of intellectual property theft.

David C. Smith works as the CSO for Georgetown University and a co-owner of HCP Forensic Services providing information security programs, digital forensics, and expert witness testimony. He has been in the technical field for over 20 years and enjoys engaging in complex technical problems.

Samuel Petreski works as a Senior Security Analyst for Georgetown University and an owner of Remote IT Consulting. Samuel has worked mostly in higher-ed focusing on network architecture and administration, as well as building and administering scalable network security solutions. He possesses over 10 years of experience in the IT field working in very diverse environments.

return to top

pyREtic - In memory reverse engineering for obfuscated Python bytecode

Increasing numbers of commercial and closed source applications are being developed in Python. Developers of such applications are investing more & more to stop people being able to see their source code through a variety of code obfuscation techniques. At the same time Python is an increasingly present component of 'Cloud' technologies where traditional bytecode decompilation techniques fall down through lack of access to files on disk.

The pyREtic presentation discusses the techniques and subsequent toolkit developed while trying to audit one such closed source Python application. The methodology behind the approaches used as well as practicalities of reverse engineering at the Python level (rather than the assembly level that we are all more familiar with) will be discussed as well as releasing a toolkit.

The toolkit is able to reverse Python applications from live objects in memory as opposed to decompiling .pyc bytecode files; it also shows how to defeat the techniques most commonly employed to obfuscate Python code today. This will allow people to find bugs in code that was previously opaque to them.

Rich Smith joined Immunity in October 2008 as a researcher and has worked across a variety of areas encompassing attack tooling and framework design, exploit development in addition to consulting for a variety of industry sectors as an outside expert in a range of technical capacities.

Prior to joining Immunity, Rich worked as a principal security researcher with HP Labs leading the Research In Offensive Technology and Threats based in the UK. Rich has spoken at numerous international conferences, both public and private, and participated in community, industry and government sponsored infosec groups.

return to top

Your ISP and the Government: Best Friends Forever.

Your Internet, phone and web application providers are all, for the most part, in bed with the government. They all routinely disclose their customers' communications and other private data to law enforcement and intelligence agencies. Worse, firms like Google and Microsoft specifically log data in order to assist the government, while AT&T and Verizon are paid $1.8 million per year in order to provide real time access to customer communications records to the FBI. How many government requests does your ISP get for its customers' communications each year? How many do they comply with? How many do they fight? How much do they charge for the surveillance assistance they provide? Who knows. Most companies have a strict policy of not discussing such topics.

You might assume that the law gives companies very little wiggle room - when they are required to provide data, they must do so. This is true. However, companies have a huge amount of flexibility in the way they design their networks, in the amount of data they retain by default, the emergency circumstances in which they share data without a court order, and the degree to which they fight unreasonable requests.

The differences in the privacy practices of the major players in the telecommunications and Internet applications market are significant: Some firms retain identifying data for years, while others retain no data at all; some voluntarily provide the government access to user data - Verizon even argued in court that it has a 1st amendment right to give the NSA access to calling records, while other companies refuse to voluntarily disclose data without a court order; some companies charge the government when it requests user data, while others disclose it for free. For an individual later investigated by the government, the data retention practices adopted by their phone company or email provider can significantly impact their freedom.

Unfortunately, although many companies claim to care about end-user privacy, and some even that they compete on their privacy features, none seem to be willing to compete on the extent to which they assist or resist the government in its surveillance activities. Because information about each firm's practices is not publicly known, consumers cannot vote with their dollars, and pick service providers that best protect their privacy.

This talk will pierce the veil of secrecy surrounding these practices. Based upon a combination of Freedom of Information Act requests, off the record conversations with industry lawyers, and investigative journalism, the practices of many of these firms will be revealed.

Christopher Soghoian is a Ph.D. Candidate in the School of Informatics and Computing at Indiana University. His research is focused on the intersection of applied computer security, privacy, law and policy. His work has resulted in the successful passage of an amendment to Indiana's data breach laws, a congressional investigation of web security flaws at the Transportation Security Administration as well as several media firestorms.

return to top

So Many Ways to Slap A Yo-Ho:: Xploiting Yoville and Facebook for Fun and Profit

Maybe you've played YoVille because your spouse or relative got you into it. Maybe it's your overt obsession or secret delight. If you haven't heard of YoVille, well, it's got at least 5 Million active users connected directly with Facebook. This talk explores the Web 2.0 Pandora's box that is the trust relationship between YoVille and Facebook.

For many, YoVille is fiercely competitive in a hyper-decorative way, it has its own intricate economics, and yes, tempers can flare when you get rooked by a Scammer. You will meet people you want to pimp slap - really hard - and this talk will show you how. Send a school teacher who you don't like a "Jeffrey Dahmer Snack Plate with fingers and toes". Don't like that History Professor? Send him a Burning Cross that lets him know he is welcome in the neighborhood.

Want to show off for that special someone? You can grant yourself "The YoVille Sexiest Man (or Babe) award" and have it prominently displayed on your Facebook wall for everyone to see, rickrolling anyone who clicks on it.

Or you can embrace the dark side...

Imagine a cute "trojan" Puppy that takes over your system when you click to adopt it? Yes, it can be done -- and it's going on right now. Post that payload on Facebook or to the YoFeed and mass root everyone who clicks on it? This talk will show you how it is done, as well as recorded examples of actual attacks.

On a more serious tone, when you Click "Accept" and allow YoVille to access Facebook, you introduce a cornucopia of attack vectors for spreading malware within the user population. The origin, authenticity, and integrity of almost any message shared from YoVille can be subverted. If the receiving application trusts that message is safe, it becomes a broadcast for widening the attack.

I will show how a blackhat can use YoVille to spread destructive malware. Anything that updates the Facebook wall or sends a user a hyperlink is susceptible.

These problems are not unique to YoVille and Facebook -- this is clearly the tip of a very enormous iceberg. So embrace your dark-side for an hour of YoVillany, and remember:

Never click on "candy" from strangers.

The types of attacks we will demonstrate were collected in the wild, by watching the activities of a Philippine hacker group and then reverse engineering their attacks in our own lab. The real attacks ranged from using YoVille to spam Facebook user walls with ads selling discount meds, as well as spoofed YoVille events or collectibles that pointed to shotgun attacks against the browser.

strace Bio to come

Sean Barnum Bio to come

EvilAdamSmith Bio to come

Kanen Bio to come

Joey Tyson Bio to come

return to top

Deceiving the Heavens to Cross the Sea: Using the 36 stratagems for Social Engineering

There are new threats arising every day. The problem is there has been a vulnerability in the system that has not been patched since the first computer was created by Humans!

As the network perimeter hardens and the controls on the desktop tighten, hackers are going back to the basics and getting through the firewall by going through the front door. They are bypassing the IPS and IDS simply by bypassing the receptionist.

We look at this topic with a different viewpoint. We look at the history of social engineering from Amenhotep 3 to Sinon of Greece as well as how the culture of the country you're in dictates the strategy to use. All this shown in an offbeat way showing how 1st century strategies can still be used to break into 21st century networks.

Jayson E. Street is an author of the book "Dissecting the hack: The F0rb1dd3n Network" from Syngress. His consultation with the FBI and Secret Service on attempted network breaches resulted in the capture and successful prosecution of the criminals involved. In 2007 he consulted with the Secret Service on the Wi-Fi security posture at the White House. He has also spoken at DEFCON, BRUCON, UCON and at several other 'CONs and colleges on a variety of Information Security subjects.

He also was the co-founder and speaker of ExcaliburCon held in Wuxi China. He was an expert witness in two cases against the RIAA.

He is on the SANS GIAC Advisory Board as well as a mentor for SANS. He is also a current member on the Board of Directors for the Oklahoma "InfraGard". He is also Vice President for ISSA OKC. Jayson is also a longtime member of the Netragard "SNOsoft" research team.

*He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time's persons of the year for 2006. ;)

return to top

Social Networking Special Ops:
Extending Data Visualization Tools for Faster Pwnage

If you're ever in a position when you need to pwn criminals via social networks or see where Tony Hawk likes to hide skateboards around the world, this talk is for you.

The talk is delivered in two parts, both of which are intended to shine a fun light on visual social network analysis.

The first part introduces how you can extend the powerful data visualization tool, Maltego to speed up and automate the data mining and analysis of social networks. I'll show how I analyzed skateboard legend, Tony Hawk's twitter hunt and highlight how you could use the same techniques to set up your very own backyard miniature ECHELON.

The second part illustrates how these techniques have been used to enumerate a 419 scam, infiltrate the scammers social network and expose deeper, more sinister links to organized crime.

I focus specifically on Twitter and Facebook, demonstrating how you can graphically map and analyze social relationships using the Twitter APIs, publicly available Facebook profiles, screen scraping and some clunky regex.

Related to this talk is the DEF CON Twitter Hunt

Each day at DEF CON you will have an opportunity to blag yourself a sweet limited edition DEF CON-ized skateboard deck. There may also be a couple of signed Tony Hawk decks slung in for good measure too... who knows.

You will have to follow @TheSuggmeister during DEF CON to know where to look. He'll be tweeting clues which lead to prizes. Hashtag #DCTH

Chris "The Suggmeister" Sumner has been directly involved in Corporate Information Security since 1999 and has maintained a passion for security since seeing Wargames when it first came out. After a lengthy stint as a Pivot Chart creating, PowerPoint wielding, Security Manager for a business division that alone would make the Fortune100, he has turned his attention to a more geeky pursuit and is currently focused on Security in the Development Lifecycle.

Outside the corporate world, Chris is a data mining, analysis and visualization geek at heart and also enjoys hiding skateboards in the UK for Tony Hawk.

return to top

Getting Root: Remote Viewing, Non-local Consciousness, Big Picture Hacking, and Knowing Who You Are

Richard Thieme celebrates speaking for Def Con for fifteen years by discussing the deepest truths he knows and relating them to Big Picture hacking.

Thieme references the most fervent explorations of his life, from immersion in the works of the Society for Psychical Research while living in England as a young man to conversations with remote viewers in the government's Stargate program to thirty years of research in UFO reports (in particular, experiences of "strangeness" such as spacetime distortion and telepathic knowledge transfer) to the passionate, obsessive exploits of real hackers and what they discover when boundaries dissolve - all in a context of his own anomalous experiences. He talks about the background for 'Mind Games', his recently published collection of nineteen stories of brave new worlds and alternate realities, which he wrote after a friend at NSA told him, "The only way you can tell the truth now is in fiction." He also discusses why another NSA friend warned that he was 'over the line' in the hall of mirrors as a result of his conversations with dark side actors and victims alike. He weaves all this together in the kind of narrative usually reserved for private conversations but which he feels he owes Def Con colleagues and friends after fifteen years of enthusiastic and mutual knowledge-transfer.

Richard Thieme has done his best to use his skills as a writer and speaker all his life. He articulates what is often invisible, the ground or frame of the picture, as opposed to seeing only the picture or only being in the picture. He attempts to illuminate the context of cultural and social realities by describing the slightly bigger box into which we jump when we move out of the box in which we usually live.

Born in Chicago, Illinois, Richard taught literature and writing at the University of Illinois, was an Episcopal priest for sixteen years, and has since 1993 traveled the world as a professional speaker. His presentations are diverse but always include the impact of technologies on social, cultural, and psychological states and the temporary identities that result. He speaks globally and locally, to audiences that range from four at a breakfast to thousands at a conference. Since speaking fifteen years ago for the first time at Def Con, he has integrated the seemingly disparate worlds of altered states of consciousness and deep states of spirituality, classic hacker mentalities at their best, and the professional practices of deception, intelligence, and security.

Robert Morris, Senior, after reading his "Islands in the Clickstream," said, "You know you're insane, right?" An intelligence analyst at NSA, after reading "Mind Games," said, "I love this book! You're absolutely mad!" and a colleague from the Central Intelligence and Security Agency in Paramaribo, Suriname, after hearing him speak in Europe several times, said, "What planet are you really from?" Then he added, "Your writing makes me discover life again and again."

Those quotes sum him up pretty well. Wisdom and insanity are contextual and depend on the frame of the listener as well as the speaker. You be the judge.

Thieme's pre-blog column, "Islands in the Clickstream," was distributed to thousands of subscribers in sixty countries before collection as a book. His work has been taught at universities in Europe, Australia, Canada, and the United States. After reading "Mind Games," a colleague who serves as gatekeeper with Richard of an archive on ethics and intelligence at the Hoover Institute of War, Revolution, and Peace, wrote: "This is an extraordinary book. The stories, drawings, and, my favorite, the unusual introductions to the stories, together draw the reader, if not into another dimension of reality, into another dimension of literature." Thieme attempts to bring his passions to a presentation unlike any he has ever given before. As Simple Nomad said ... "With Richard, there is no spoon."

return to top

Web Application Fingerprinting with Static Files

Web Application fingerprinting before 2010 has been a hodge-podge of different techniques, usually relying on meta tags or other clues helpfully added by well meaning (but security challenged) developers. Current hardening approaches hamper standard web application fingerprinting, but new static file techniques provide extremely high accuracy and require new hardening approaches. We will discuss implementation details of static file fingerprinting, demonstrate the effectiveness, and release both a fingerprinting tool and a hardening tool to help administrators harden their machines against this approach.

Patrick Thomas is a graduate of Cal Poly and a Vulnerability Detection Engineer with Qualys. He works on automated vulnerability detection tools, malware analysis, pragmatic security, and dabbles in the security implications of public policy and vice versa. He percolates and occasionally dispenses ideas on the above at

return to top

VirGraff101: An Introduction to
Virtual Graffiti

Want to take a stab at graffiti but spray paint fumes get you nauseous? Worry not! The world of virtual graffiti is slowly but surely gaining popularity and now hackers with little to no artistic inclination are able to go out and alter digital media as well as leave messages in virtual mediums with as much (if not more) finesse than our analogue counterparts are able to.

This talk will cover the history of graffiti, how virtual graffiti is different from digital graffiti, examples of virtual graffiti that you can attempt on your own, and the legal implications involved with virtual graffiti. There will also be materials provided for LED throwies.

Tottenkoph spends her days completing experiments in exchange for delicious cake, killing hordes of zombies in South Africa, battling terrorists in the streets of Las Vegas, and protecting the planet from the Covenant.

Twitter: @tottenkoph

return to top


Many lock manufacturers do not understand the relationship and intersection between "mechanical engineering" and "security engineering" in their products. Typically, design engineers are fairly adept at making things work properly, but often fail to contemplate, conceive of, or identify potential or actual "real world" vulnerabilities in the locks and related hardware that they manufacture. This failure can lead to serious breaches in security, often from relatively trivial attacks by unauthorized individuals, rogue employees, and criminals. It can also result in significant liability upon the part of facilities that employ specific security technology, and a failure to comply with regulatory requirements.

Issues stemming from insecurity engineering are compounded by intended or unknowing misrepresentations by lock manufacturers about the security of their products. These statements by manufacturers are often relied upon by consumers, commercial enterprises, and the government sector in the decision-making process involving the purchase of security hardware. Ultimately, security relates to both the protection of people and assets, and to liability. Thus, it is imperative that security professionals understand the interrelationship between standards, hardware design, and real-world threats. Marc Tobias, Tobias Bluzmanis, and Matt Fiddler have significant experience and track record in analyzing, discovering, and exposing real-world threats in security hardware. In this presentation, they will address these issues.

Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He is the principal attorney for Investigative Law Offices, P.C. and as part of his practice represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. Marc and his associates also conduct technical fraud investigations and deal with related legal issues.

Marc has authored five police textbooks, including Locks, Safes, and Security, which is recognized as a primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book (LSS+) is also available online.

Marc has written extensively about the security vulnerabilities of products and has appeared in numerous television and radio interviews and news reports as well as magazine articles during the past thirty years. He is a member of several professional organizations including the American Bar Association (ABA), American Society for Industrial Security (ASIS), Associated Locksmiths of America (ALOA), Association of Firearms and Toolmark Examiners (AFTE), American Polygraph Association (APA) and the American Police Polygraph Association (APPA).

Tobias Bluzmanis was born in Caracas, Venezuela. Tobias came to the United States in 1995 and was granted citizenship in 2000. He has been a professional locksmith for the past 20 years. Tobias is an expert in Covert Methods of Entry and has developed many unique forms of bypass, custom tools, including a decoder for Medeco locks, which was the impetus for the book "Open in Thirty Seconds".

Matt Fiddler is a registered locksmith and CISSP. Currently he is the Director of International Information Protection for a large financial services organization. Mr. Fiddler's research into lock bypass techniques has resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 18 years enhancing his extensive expertise in the area of Unix and Network Engineering, Security Consulting, Computer Forensics and Intrusion Analysis.

return to top

Attack the Key, Own the Lock

Locks restrict access to anyone lacking the correct key. As security components, we depend on locks to secure our most valuable possessions. Most attacks demonstrated in recent years involve manipulation of the lock components with special picking tools, but what if we focused on using incorrect or blank keys to make a variety of tools? Bumping is a good example, but there are many other ways incorrect or modified keys can be used to defeat locks. As in the cryptography world, physical keys are vulnerable to attack in even the highest security locks.

This talk focuses on using modified keys and key blanks to open, decode, and bypass several locking mechanisms, including many high security locks. We demonstrate and discuss the security implications of key-based attacks on modern lock designs.

Schuyler Towne is, first and foremost, a competitive lockpicker. He has won the DefCon LockCon twice and beat the #2 picker in the world head to head at the Dutch Open (now also named LockCon) in 2008. Schuyler teaches a Locksport course at Olin College and Sprout, a community education center in MA. He runs workshops at the University of Advancing Technology and regularly speaks at various schools and conferences. DefCon was the first, and remains the favorite speaking engagement Schuyler has ever had.

datagram has taught about locks, safes, and methods to compromise them for many years, including training to private companies and government agencies. He has spoken many times on physical and digital security at various conferences and is a part-time forensic locksmith. datagram runs the popular lock and security websites and This is the first time he's done a serious biography and it worries him, too.

return to top

Balancing the Pwn Trade Deficit

One of the presenters is a native Chinese language speaker and heavily involved in the Chinese security community and so brings unique insights to this presentation. The other presenters have been analyzing APT style threats for many years and bring this experience to bear on a problem that has received a lot of recent attention, but little technical depth. Viewers should walk away with a greatly increased understanding of the Chinese hacking community as well as some ideas for better defense, and collaboration.

Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on a variety of problems in the security community. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He has worked on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Val Smith founded Attack Research[6] which is devoted to deep understanding of the mechanics of computer attack. Previously Val Smith founded a public, open source malware research project.

Colin Ames is a security researcher with Attack Research LLC where he consults for both the private and public sectors. He's currently focused on Pen testing, Exploit Development, Reverse Engineering, and Malware Analysis.

Anthony Lai's technical and working experience covers reverse engineering, exploitation, malware analysis and penetration testing, as well as studying attacks. He has attended BLACKHAT and DEFCON since 2007. Anthony started and organized a research group on reverse engineering, malware analysis and forensics in Hong Kong, connecting various security researchers and teams around the globe. Anthony is one of those quite concerned about security issues and their impact on our Chinese fellows in China; he believes that, as he comes from Hong Kong, it would be "advantageous" for him to discuss it openly. He has presented a reverse engineering dissection of Green Dam, which is a content filtering software, in Hong Kong, which was widely reported by international and China media.

return to top

SIE Passive DNS and the ISC DNS Database

Passive DNS replication is a technique invented by Florian Weimer for tracking changes to the domain name system. This session will introduce the problems faced by passive DNS replication in the areas of collection, analysis, and storage of DNS data at scale, and will introduce state-of-the-art solutions to these problems developed at ISC SIE. Components of SIE's passive DNS architecture will be showcased, including a specialized DNS capture tool, a tool for processing and deduplicating raw DNS message data, and the storage engine used to archive and index processed data. A bulk HTTP query API and web interface to the storage engine will also be demonstrated and made available.

Paul Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. Early in his career, he developed and introduced sends, proxynet, rtty, cron and other lesser-known tools. Paul is considered the primary modern author and technical architect of BINDv8, the Berkeley Internet Name Daemon Version 8, the open source reference implementation of the Domain Name System (DNS).

Paul Vixie founded ISC in 1994. In his role as President, Paul ensures that ISC stays true to his original mission of developing and maintaining production quality open source reference implementations of core Internet protocols, such as BIND and DHCP, and evolving those standards. In 1995, Paul co-founded PAIX (Palo Alto Internet Exchange), which was sold to AboveNet in 1999, who in turn named Paul its Chief Technology Officer in 2000, and then President of the PAIX subsidiary in 2001. Paul also co-founded MAPS (Mail Abuse Prevention System), a California nonprofit company established in 1998 with the goal of stopping the Internet's email system from being abused by spammers.

Along with Frederick Avolio, Paul co-wrote "Sendmail: Theory and Practice" (Digital Press, 1995). He has authored or co-authored more than a dozen RFCs, mostly on DNS and related topics. He is a member of ICANN RSSAC and ICANN DNSSAC, ARIN and a frequent participant in IETF and NANOG.

Robert Edmonds is a research engineer at Internet Systems Consortium where he works on the Security Information Exchange project. He is responsible for maintaining the SIE infrastructure and developing the interchange formats and library code used within SIE. Before coming to ISC, Robert earned his BS in Computer Science at the Georgia Institute of Technology where he spent four years as an undergraduate research assistant at the Georgia Tech Information Security Center.

return to top

Go Go Gadget Python!
Introduction to Hardware Hacking

So you know that embedded devices are everywhere, even attended some talks here about hardware security. Perhaps you've thought how nice it would be to make a Linux USB driver for some Windows-only device, or you've got something proprietary you would like to reverse-engineer and circuit-bend for your next big scheme. But how does a software person enter the world of circuits? And once you have some circuits, how can you bring the data back into your box?

Bridging the worlds of hardware and software, two electrical engineers will answer your questions while showing you how to pwn some sweet hardware and charm it over the USB port with Python. From our own trials and tribulations building and hacking real devices, from a simple USB missile launcher to a complex biomedical data acquisition system, you will learn about USB packet sniffing, rapid-prototyping device drivers in Python, deciphering circuit boards and data sheets for fun & profit, and the use of electrical test equipment. We aim to leave you armed and ready to take on hardware of your own.

Nick Waite likes technology, nature, and freedom, and wants to see society embrace them all in a balanced way. Undermining walled gardens is a hobby, and he believes that the coolest discoveries of the future will come from interdisciplinary collaboration. Interests involve the fusion of bio & tech: ESP, brain-hacking with TMS & biofeedback, chemistry, bio-inspired materials & algorithms, and various other magics. For his day job, he designs, builds, and tests analog & mixed-signal gadgets with the CVORG research group.

Furkan Cayci is a graduate student in Electrical Engineering at UD. He has lots of interests ranging from low level hardware design to top level coding. He can usually either be found in front of his laptop trying to fix a broken package, or in front of a chess board at a coffee shop.

Build your own UAV 2.0 - Wireless Mayhem from the Heavens!

Earlier this year the community was shown how to successfully Build your own Predator UAV @ 99.95% Discount, plus a recon mission over DC! But now new payloads take the fun/danger to a new level! Come find out how you can not only easily warfly and conduct aerial reconnaissance for your next 'mission' but also use your UAV as a roving angel of wireless death, as always from the confines of your couch... or Vegas hotel room.

The presenters will quickly overview how you can build your own UAV drone, and then detail how to outfit it to conduct wireless recon, attack, penetration, and other goodies. Several demo missions from the Vegas Strip will be presented with video!

Michael Weigand has been breaking things and causing trouble since childhood... So he decided to make a career of it! He is currently studying computer science and military art at the United States Military Academy (West Point), with the goal of becoming an Army officer. He spends most of his free time racing sailboats, flying UAVs over officer housing, listening to trance, and working on crazy homebrews he thinks are applicable to the military.

Brad 'RenderMan' Haines is one of the more visible and vocal members of the wardriving community, appearing in various media outlets and speaking at conferences several times a year. Render is usually nearby on any wardriving and wireless security news, often causing it himself. His skills have been learned in the trenches working for various IT companies as well as his involvement through the years with the hacking community. A firm believer in the hacker ethos and promoting responsible hacking and sharing of ideas, he wrote the 'Stumbler ethic' for beginning wardrivers and greatly enjoys speaking at corporate conferences to dissuade the negative image of hackers and wardrivers.

Mike Kershaw / Dragorn is the author of Kismet, LORCON, and other open-source wifi security tools.

The Night The Lights Went Out In Vegas: Demystifying Smartmeter Networks

Smart meter technology is moving from news PR item to reality in many major utility markets, bringing with it the promise of fewer site visits and lower rates. With these devices, your local utility can perform a variety of actions from starting/stopping service, upgrading your meter, or even shutting off certain 'smart' appliances (air conditioners, etc) during peak demand to avoid brownouts. All of this is accomplished using a wireless network of meters and relay stations to transmit commands, power readings, and the like. But is this network the result of lessons hard learned by previous mistakes in wireless technologies (WiMAX), or do all claims of security rely on a closed system of obscurity (FHSS)?

Armed with the services of a USRP software radio, we set about to probe the underlying structure of the smart meter network and analyze the security (or lack thereof) of the transmission methods. Can your neighbor's 3am parties finally be silenced? Was your service utilization "really" that low for the month? Come to find out!

Barrett Weisshaar is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has been in the information technology field for nearly a decade, focusing on just about everything at some point or another. Prior to joining Trustwave, Barrett worked as a security consultant for Deloitte & Touche, focusing on retail security, security architecture, and avoiding audit projects as much as possible. Barrett holds a Bachelor's from the University of Notre Dame and an M.S. in Information Security from Carnegie Mellon University.

Garret Picchioni is an Undergraduate student, working as a Student Employee for The University of Arizona and as a Network Engineering Intern for the Ridgetop Group - the world leader in providing advanced electronic prognostics and health management (PHM) solutions, semiconductor IP blocks, and built-in self-test (BIST) solutions for critical applications. He has spent the last 5 years in the information technology industry, focusing on desktop support, systems administration, network administration, and avoiding mail servers but is now actively involved with product design as an intern. Garret is obtaining his degree from The University of Arizona and is looking to specialize in the security and network engineering career fields upon graduation.

An Examination of the Adequacy of the Laws Related to Cyber Warfare

This paper argues that the current rules of war are adequate for addressing the unique issues that are encountered as a result of conducting and defending against cyber warfare. The author begins by giving a survey of the laws that have the biggest impact on cyber warfare. Next, the author describes several paradigms that have come about as a result of cyber warfare, followed by a direct rebuttal. The author then asserts five reasons why the U.S. should not enter into an international treaty for cyber warfare: (1) combatant commanders already have proper guidelines for conducting warfare, even in the information age; (2) fields of law are seldom demarcated by technology; (3) an unintended consequence of a cyber warfare law is that it may pose an undue limitation on a primarily non-lethal strategic deterrence; (4) our adversaries are unlikely to comply; and (5) the rate of technology growth will outpace the ability of an international cyber regime to produce responsive policy, while the flexibility allotted by the UN Charter and laws of war is able to absorb technological advances. The author concludes that the current UN Charter and Laws of War should continue to govern cyber warfare and that creating an international treaty or law for cyber warfare would do more harm than good and seriously cripple our ability to conduct war.

Dondi West is a Senior Cyber Intelligence and Policy Analyst at Booz Allen Hamilton. He holds a B.S. in Mathematics, a M.S. in Applied Information Technology, and a Juris Doctor degree from The University of Maryland School of Law, where he was an Editor of the Maryland Law Review. Dondi's scholarly interests include information operations and warfare policy, information privacy law, and cyberspace law.

Twitter: @dondiwest

From "No Way" to 0-day: Weaponizing the Unweaponizable

Many system administrators take a patch for a denial of service attack to be optional. What's the worst that could happen? Oh no -- a local user could crash the system. We'll just reboot it; on Rails is totally transactional, right? Commit messages fixing these sorts of crashes are often characteristically underreported, too: "allows attackers to cause an application crash".

In some cases, the descriptions are correct; the worst that can happen is that the system will crash. Too often, though, the risk is under-assessed. Although an application may not be vulnerable to a simple stack-smashing buffer overflow, that's not all that an attacker can do! This talk will take a recent Linux kernel CVE for a denial of service attack and weaponize it to privilege escalation.

An understanding of some of the inner workings of the Linux kernel, and of operating system concepts in general, will greatly enhance your experience at this talk, but may not be necessary.

Joshua Wise is an Electrical & Computer Engineering undergraduate at Carnegie Mellon University, and has recently been accepted into the master's program. His area of expertise for a long time has been embedded systems, dating back to the days of the iPAQ h3700, when he ported the Linux USB client stack to the open-source bootloader replacement; more recently, he has held internships at Google, Inc., Cavium Networks, and Tilera, and has served as a teaching assistant for Carnegie Mellon's Operating System Design and Implementation (15-410) class for four semesters.

Crawling BitTorrent DHTs for Fun and Profit

This talk describes how crawling BitTorrent's DHTs used for distributed tracking can be used for two opposing goals. First, pirates can crawl the DHTs to build BitTorrent search engines in just a few hours without relying on the survival of any existing search engines or trackers. Second, content owners can crawl the DHTs to monitor users' behavior at large scale.

The talk will start by explaining what BitTorrent DHTs are and how they work. Then, it will describe the design of our attacks, how we validated them, and how many torrents and IPs we monitored (over 1 million each). Finally, we'll look at the impact that shifting from centralized BitTorrent tracking to DHTs, as The Pirate Bay has started to do, will have on the BitTorrent arms race.

Scott Wolchok is a graduate student studying computer security at the University of Michigan under Prof. J. Alex Halderman. He tends to do whatever involves problem solving and software and needs doing. His past work includes exploiting China's Green Dam censorware (nominated for the 2009 Pwnie Award for Mass Ownage), defeating the Vanish data privacy system by crawling BitTorrent DHTs, and developing firmware for demonstration attacks on India's electronic voting machines.

Pwned By The Owner: What Happens When You Steal A Hacker's Computer

Having your place broken into and your computer stolen can be a nightmare. Getting revenge on the fucker who has your machine can be a dream come true. I had the opportunity to experience both of these when my machine was stolen in Boston and then showed up in Las Vegas 2 years later. Come share some laughs at a lamer's expense, participate in the pwnage, and learn some resulting insights into the implications of certain security decisions.

Zoz is a software hacker, social engineer, and all-around sneaky bastard when the occasion demands. He loves his Mac like his first born.

Panel: Of Bytes and Bullets

This authors' panel has all the makings of a page-turning bestseller: crime lords, heroes, spies, global cartels, corporate scandals, hi-tech gizmos, betrayal, revolution, political intrigue, and midnight assassination attempts. As with all good books, it's the characters – the researchers, the criminals, and the victims – and their unique stories that will keep you riveted to your seat.

Jeffrey Carr, (Principal, GreyLogic) is a cyber intelligence expert, columnist for Forbes Firewall blog, and cyber warfare author who specializes in the investigation of cyber attacks against governments and infrastructures by State and Non-State hackers. Mr. Carr regularly consults with agencies of the U.S. and allied governments on Russian and Chinese cyber warfare strategy and tactics as well as new and emerging threats to Critical Infrastructure. His book "Inside Cyber Warfare" has been endorsed by General Chilton, Commander USSTRATCOM and his Chief of Staff MG Abraham Turner, among others, and he has been asked to speak on these issues at numerous venues including the Defense Intelligence Agency, US Army War College, Air Force Institute of Technology, NATO's CCDCOE Conference on Cyber Conflict, and DEFCON.

Robert K. Knake is an international affairs fellow in residence at the Council on Foreign Relations studying cyber war. He is currently working on a Council Special Report on internet governance and security.

Prior to his fellowship, he was a principal at Good Harbor Consulting, a security strategy consulting firm with offices in Washington, DC; Boston, MA; and Abu Dhabi, UAE, where he served domestic and foreign clients on cybersecurity and homeland security projects.

During the 2008 presidential campaign, Rob coordinated the Counter-Terrorism Task Force for the Obama campaign and served on the Homeland Security Task Force. Following the election of President Obama, he served on the presidential transition team at the U.S. Department of Homeland Security and authored the agency review team's final report.

Rob joined Good Harbor after earning his MA from Harvard University's Kennedy School of Government. He has written extensively on cybersecurity, counterterrorism and homeland security issues. In 2006, he directed, with Steven Simon, the Century Foundation Task Force report "The Forgotten Homeland." He is co-author (with Richard Clarke) of Cyber War: The Next Threat to National Security and What To Do About It (HarperCollins, April 2010).

Joseph Menn covers cyber-security and other technology issues for the Financial Times, after a decade on the same beat for the Los Angeles Times. He is the author of 2003’s All the Rave: The Rise and Fall of Shawn Fanning’s Napster and a two-time finalist for the Gerald Loeb Award, the top prize in business reporting.

Robert Vamosi has been writing about the security community, most recently for PCWorld, Threatpost and Windows Secrets. While at CNET, he wrote an award-winning weekly security column, hosted a popular security podcast, and edited a weekly security newsletter. Robert is currently an analyst at Javelin Strategy & Research specializing in security, risk and fraud for the financial services industry. His first book on security of everyday gadgets is due out from Basic Books next year.

Panel: DNS Systemic Vulnerabilities and Risk Management: A Discussion with the Experts

The experts on this panel will provide their views on systemic risks facing the DNS and provide thoughts on measures that should be undertaken to remediate the risks. The panelists will discuss both the challenges and the security benefits that will arise from the implementation of DNSSec.

Rod Beckstrom is a highly successful entrepreneur, founder and CEO of a publicly-traded company, a best-selling author, avowed environmentalist, public diplomacy leader and, most recently, the head of a top-level federal government agency entrusted with protecting the nation’s communication networks against cyber attack. Throughout 2008, Rod served as the Director of the National Cybersecurity Center (NCSC) at the U.S. Department of Homeland Security, where he reported to the Secretary of DHS, and was charged with cooperating directly with the Attorney General, National Security Council, Secretary of Defense, and the Director of National Intelligence (DNI). Prior to joining DHS, he served on the DNI’s Senior Advisory Group. Rod is unique in having experienced the inner workings of two, highly-charged, often competing, federal security agencies created in the wake of the September 11th attacks, an event that he says, “changed my life.”

Dan Kaminsky is the Director of Penetration Testing at IOActive where he specializes in design-level fault analysis, particularly against massive scale network applications. Previously of Cisco and Avaya, Kaminsky has operated professionally in the security space for over ten years. He is well-known for his "Black Ops" series of talks at the well-respected Black Hat Briefings. He regularly collects detailed data on the health of the worldwide Internet, and used this data to detect the worldwide proliferation of a major rootkit. Recently, he discovered a major flaw in the Internet’s DNS infrastructure and worked with security engineers around the world, protecting countless organizations and individuals against this threat.

Paul Mockapetris is Chairman and chief Scientist at Nominum, a company which supplies DNS and DHCP software to carriers and others. Paul is the inventor of the DNS protocol, and was the first implementer of SMTP. He believes he put the "S" in SMTP, and that complexity is the enemy. He is the veteran of several Silicon Valley successes and disasters.

Ken Silva's bio: As Chief Technology Officer, Ken Silva oversees VeriSign's mission critical Internet infrastructure that enables and protects billions of interactions every day across the world's voice and data networks.

Mark Weatherford was appointed by Governor Arnold Schwarzenegger to his most recent position as Executive Officer of the California Office of Information Security and Privacy. In this role, he has broad authority over California's cyber security activities and is responsible for state government information security program policy, standards, and procedures. He also oversees the first-in-the-nation Office of Privacy Protection, which provides information, education and privacy practice recommendations for consumers, business and other organizations on identity theft and other privacy issues.

Panel: Hacking The Future: Weaponizing the Next Generation

Join this panel of "experts" who will discuss, debate, enlighten, and do battle on the topic of Hacker Parenting. From a multitude of viewpoints - paternal, maternal, fictive aunt and victim - the methodologies and techniques of applying the hacker mindset to parenting will be discussed. It is expected that the audience will participate as this topic is one on which everyone has an opinion. Maybe it's possible to do great work and develop a generation of people primed to hack the planet and take over.

James Arlen CISA, sometimes known as Myrcurial, is a security consultant usually found in tall buildings wearing a suit, founder of the Think|Haus hackerspace, columnist at Liquidmatrix Security Digest, Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent. He's been at this security game for more than 15 years and loves blinky lights and shiny things. Cyber.

James Costello is a project manager for a compliance-focused hosting company in the Midwest. He is a charter member and current secretary/vice president of affiliate relations for the Cowtown Computer Congress. He holds a BA from the University of Saint Mary and in his free time enjoys reading scifi, watching British television and repurposing electronic devices.

Leigh Honeywell is a jane of many trades. By day she works as a security consultant while finishing up a degree at the University of Toronto. By night (and sometimes over lunch) she is a co-founder and director of HackLab.TO, Toronto's hacker space. She also serves on the board of advisors of the SECtor security conference, has been a Google Summer of Code mentor, and is an avid cyclist, science fiction nerd, and traveller.

Tim Krabec is the owner of a Small Computer Shop. He is a Vice President of the South Florida Chapter of the ISSA and Secretary of ASIS chapter 254. He is a former foster parent caring for over 40 children. He currently has 4 children with the 5th on the way. He holds a BS in CS from Florida Atlantic University, and in what little free time he has he enjoys watching Syfy and woodworking.

Tiffany Strauchs Rad MA, MBA, JD, is a lawyer, hacker, and college professor. She has presented privacy and technical research at Black Hat USA, DEFCON, Hackers on Planet Earth, Hacking at Random, and Pumpcon. She also likes cars and hacks them.

Panel: Internet Wars

Continuing our tradition from previous years, leading experts from different industries, academia and law enforcement will be on stage participating in this panel to discuss the current threats online, hazards inside the Internet, battles between low level cyber criminals all the way to the mafia, special agents, spies, and even information warfare between nation-states.

This panel begins with a short introductory presentation on the latest technologies and operations by the Bad Guys and the Good Guys. We will talk about what's going on with Internet operations, global routing, botnets, extortion, phishing and the annual revenue the mafia is getting from it. Then we'll move into question and answers from the audience. Panelists will accept questions on any subject related to the concept of Internet warfare, crime, and espionage, and will discuss it openly in regard to what's being done and what we can expect in the future, both from the Bad Guys and the Good Guys.

Discussion will focus on operational issues currently happening on the Internet, not on vulnerabilities or the latest leet hack you might have heard about. The discussion is mostly technical and operational in nature, but in previous years attendees have asked questions directing the discussion to the legal side of things. Participants are people who are involved with battling cyber crime daily, and many are leaders in the security operations community of the Internet.

Audience members bearing six-packs of beer for the panelists will advance to the front of the line.

Marcus Sachs has served as the director of the SANS Internet Storm Center, an all-volunteer Internet early warning service sponsored by the SANS Institute in Bethesda, Maryland. The organization traces its roots back to the Y2K era, when a group of Internet security professionals began exchanging technical information via shared databases. Sachs retired from the U.S. Army in 2001 following a 20-year career as an engineer and systems automation officer, and was subsequently appointed by the President to serve in the White House Office of Cyberspace Security. Since leaving public service in 2003 he has continued to work closely with government and business stakeholders in task forces, working groups, committees, and trade associations as a cyber security expert supporting the National Security and Emergency Preparedness community in Washington, D.C. He is a member of the CSIS Commission on Cyber Security for the 44th Presidency and is the Secretary of the Communications Sector Coordinating Council. He holds degrees in Civil Engineering, Science and Technology Commercialization, and Computer Science, and is currently pursuing a Ph.D. in Public Policy.

Meet the EFF

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as Digital Millennium Copyright Act (DMCA) use and misuse (and, maybe, the much-delayed exemptions), whether breaking Captchas breaks the law, Digital Due Process (updating communications privacy law), legal and policy issues with walled gardens, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

Kevin Bankston is a senior staff attorney at the Electronic Frontier Foundation, specializing in free speech and privacy law. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.

Eva Galperin is a lifelong geek. She misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills. Her interests include aerials, rock climbing, opera, and not being paged at 3 o'clock in the morning because the mail server is down.

Jennifer Granick is the Civil Liberties Director at the Electronic Frontier Foundation. Before EFF, Granick was a Lecturer in Law and Executive Director of the Center for Internet and Society at Stanford Law School where she taught Cyberlaw and Computer Crime Law. She practices in the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally. Before teaching at Stanford, Jennifer spent almost a decade practicing criminal defense law in California. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she focuses on electronic privacy, computer crime, and other civil liberties issues. Documents made public through her Freedom of Information Act work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. Prior to joining EFF, Marcia was Staff Counsel and Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she worked on a broad range of privacy issues and spearheaded EPIC's efforts to learn about emerging government policies in the post-9/11 era. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.

Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on intellectual property, civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients and Internet companies. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored the "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the reporter's privilege for online journalists.

oCTF: 5 years in 50 minutes

Over the past 5 years oCTF has grown and evolved. Running the contest has been a lot of work, a lot of fun, and educational for both the contestants as well as for us. This panel talk will go over everything from the inspirations which started it back at the Alexis Park, right through to this year when we passed the torch to The Tube Warriors.

DC-949 was founded at some point in 2004, and has slowly amassed members of like-minded and passionate hackers. Although group attendance rises and falls, some of the core members are Dr. Adam Nichols, Adrian, C-P, Frank^2, Jeffball, Merlin, and Vyrus. In addition to running the oCTF contest at DefCon, and the Barcode Shmarcode contest at Shmoocon, DC-949 members have given talks at numerous conferences including LayerOne, Outerz0ne, and DefCon. They have also released several proof of concept applications including Skynet, TwatFS, and Floodgate.

Meet the Feds - CSI:TCP/IP

The average criminal case today has over a terabyte worth of data to analyze. The cyber forensics field is just beginning to mature. Join federal agents to discuss the forensics field now and in the future.

Jim Christy Bio coming soon

Mike Convertino Bio coming soon

Jerry Dixon Bio coming soon

John Garris Bio coming soon

Barry Grundy Bio coming soon

Bob Hopper Bio coming soon

Ken Privette Bio coming soon

Tom Talleur Bio coming soon

Trent Teyema Bio coming soon

Meet the Feds - Policy, Privacy, Deterrence and Cyber War

This panel of federal agents will discuss cyber policy. How do we conduct robust continuous monitoring across a large multi-organizational enterprise yet stay within the constitutional requirements for privacy, civil rights and civil liberties? What changes are needed in the criminal justice system to increase the deterrence of committing cyber-crime? Once a cyber-crime has occurred, and through investigative efforts is determined to be the work of a nation state, who is in charge, or better yet, who determines whether it rises to the level of cyber-war versus espionage?

Mike Convertino Bio coming soon

Jerry Dixon Bio coming soon

Andy Fried Bio coming soon

Jon Iadonisi Bio coming soon

Kevin Manson Bio coming soon

Rich Marshall Bio coming soon

Marcus Sachs Bio coming soon

Roberta Stempfley Bio coming soon

Randy Vickers Bio coming soon

Lin Wells Bio coming soon

Amit Yoran Bio coming soon

return to top

PCI, Compromising Controls and Compromising Security

PCI at DefCon? Are you on drugs? Sadly, no. Compliance is changing the way companies "do security", and that has an effect on everyone: defender, attacker, or innocent bystander. If you think all that 0-day you've heard about this week is scary, ask yourself this: if a company accepts credit cards for payment, which is the more immediate threat, failing an audit or the possibility of being compromised by an attacker? That is one of the reasons "they" do not listen to "us" when we try to improve security in our environments: as real as they are, our threats are theoretical compared to failing a PCI assessment. Systems are hardened against audit, not attack. Sadly, this is often an improvement, but it can also reduce security and provide a template for attackers. This panel will discuss and debate the strengths and weaknesses of PCI, expose systemic problems in PCI-DSS, and propose improvements.

Jack Daniel is old, and has a Unix Beard, so people mistakenly assume he knows stuff. He makes no attempt to correct this gross misunderstanding. Jack has proven himself to be an inciteful moderator on compliance topics. He has many years of network and systems administration experience, and a bunch of letters after his name. Jack lives and breathes network security as Community Development Manager for Astaro. @jack_daniel on Twitter

Joshua Corman is the Research Director for Enterprise Security at The 451 Group and founder of A passionate advocate for the security practitioner, he is known for his candor, intellectual honesty, and willingness to challenge the status quo - tackling topics like his 7 Dirty Secrets of the Security Industry and Is PCI the No Child Left Behind Act for Security? @josh_corman on Twitter

Dave Shackleford, Director of Security Assessments and Risk & Compliance at Sword & Shield Enterprise Security, is a SANS Analyst, instructor and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He's worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies. @daveshackleford on Twitter

Dr. Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS, security management. @anton_chuvakin on Twitter

Martin McKeay is the host and author of the Network Security Blog and Podcast. He is a well known expert in the field of PCI and has worked as a QSA for over three years; he's seen the security compliance can encourage, as well as the lengths people will go to in order to avoid implementing real security. @mckeay on Twitter

Alex Hutton likes risk, critical thinking, and data. He writes for dub, and Verizon's security blog. @alexhutton on Twitter

James Arlen, CISA, sometimes known as Myrcurial is a security consultant usually found in tall buildings wearing a suit, founder of the Think|Haus hackerspace, columnist at Liquidmatrix Security Digest, Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent. He's been at this security game for more than 15 years and loves blinky lights and shiny things. Cyber. @myrcurial on Twitter

return to top