
When Space Elephants Attack: A DEFCON Challenge for Database Geeks

The Schemaverse is a vast universe found purely within a PostgreSQL database. Control your fleet of ships manually with SQL commands or write AI in PL/pgSQL so they control themselves while you sit back and enjoy the con. This presentation will help my fellow database geeks to understand the game play mechanics used in The Schemaverse so they can compete in the weekend long tournament.

Abstrct, the author of The Schemaverse game, is a hobbyist programmer and data aficionado. While not pretending to have much actual experience with database security in the professional world, he has enjoyed making database systems do ridiculous things since his first SELECT.


Bosses love Excel, Hackers too.

Remote applications published by companies are all around us in the cloud. In this talk we are going to add ICA and Terminal Server apps to the fingerprinting process, automating the data analysis with FOCA. This allows an attacker to fingerprint internal software and internal networks and to combine that information with PTR scanning, Evilgrade attacks and command execution through Excel files. In the end, we are going to play with a tricky feature of the security policies for remote Excel that allows hackers to bypass macro restrictions.

Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politécnica de Madrid, respectively. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide, including Black Hat Briefings, Defcon, Ekoparty and RootedCon. He is a frequent contributor to several technical magazines in Spain, where he writes about state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the metadata extraction tool which he co-authors.
Twitter: @chemaalonso

Juan Garrido "Silverhack" is a forensics professional who has been working as a security consultant for the last seven years. He is the author of two books on forensic analysis in Windows environments and currently works as a security consultant at Informatica64.


Dust: Your RSS Feed Belongs To You! Avoid Censorship!

Lawmakers around the world are trying to control what is published on the Internet. After the WikiLeaks case and the HBGary ownage, everybody could see how many controls can be used to shut down a website or a domain name and to cut the communication between a source and its audience. What happens if someone wants to shut down your blog? Could you still send any message to your audience? In this talk we present a new way to publish your RSS feeds using P2P networks as a failover system. Dust is "only" a reader, but it can manage P2P feeds and multiple HTTP feeds from the same source and, most importantly, it can migrate from one feed to multiple ones without any effort on the part of your subscribers.

Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politécnica de Madrid, respectively. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide, including Black Hat Briefings, Defcon, Ekoparty and RootedCon. He is a frequent contributor to several technical magazines in Spain, where he writes about state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the metadata extraction tool which he co-authors.
Twitter: @chemaalonso

Juan Garrido "Silverhack" is a forensics professional who has been working as a security consultant for the last seven years. He is the author of two books on forensic analysis in Windows environments and currently works as a security consultant at Informatica64.


IP4 TRUTH: The IPocalypse is a LIE

There is a long tradition of researchers presenting at security conferences on topics that are embarrassing to a large company or government agency: ATM hacking, router vulnerabilities, Massachusetts toll road RFIDs, etc. Many of these brave researchers risk lawsuits or career ruin to reveal the truth. THIS is the first talk that puts the presenters' very lives in peril. Much has been made of the so-called "IPv4 address exhaustion" problem, also known as the IPocalypse. Industry analysts, networking vendors, regulatory groups, think-tanks, and so on have insisted that migration to IPv6 is the only solution. However, a small group of dissenters insist that the threat is exaggerated and, more importantly, that the "migration plan" is merely a scheme to increase revenue for the network equipment manufacturers and overpriced consultants.

The full truth is that IPv6 is the result of an international cabal on the verge of controlling the world. For centuries, mystics have prophesied that this "migration" would be the cabal's turning point. Incontrovertible evidence will be presented to convince all in attendance. Numerological analysis, ancient texts, and intercepted communiqués are just a few examples. Due to threats against their families, the presenters have been forced to take on assumed identities and appear only in disguise.

Sterling Archer, codename "Duchess", is the world's most deadly secret agent, master of the honeypot operation, and inventor of the tactical turtleneck. He has been an ISIS field agent for 14 years and is in the DANGER ZONE.

Twitter: @s__archer

Prof. Hubert Freaksworth's bio is somewhere. Everything's like somewhere. Currently this bio is free form. All of this fitting in this machine is seriously freaked up.


Security When Nano Seconds Count

There's a brave new frontier for IT Security: a place where "best practices" do not even contemplate the inclusion of a firewall in the network. This frontier is found in the most unlikely of places, where IT Security is presumed to be a mature practice: banks, financial institutions and insurance companies. High Speed Trading, High Frequency Trading, Low Latency Trading, Algorithmic Trading are all names for electronic trades committed in microseconds without the intervention of humans. There are no firewalls, everything is custom and none of it is secure. It's SkyNet for Money and it's happening now.

James, CISA, is Principal at Push The Stack Consulting, providing security consulting services to the utility and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for more than 15 years. James is also a contributing analyst with Securosis, founder of the think|haus hackerspace and has a recurring column on Liquidmatrix Security Digest. Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.

Twitter: @myrcurial


Beat to 1337: Creating A Successful University Cyber Defense Organization

A university with no prior CTF experience and no students with significant prior information security experience may find competition a daunting task. Most competitions require a large amount of technical knowledge to set up, along with a fair amount of organization. But how are students with no information security knowledge going to compete in CTF competitions and keep from getting completely owned? Well, the answer is, they're not. The most important step to successful competition is educating oneself.

In this presentation, we describe our efforts as a team of undergraduate students interested in creating our school's cyber defense organization and beginning to participate in CTF competitions. We introduce the methodologies that we used (and continue to use) in order to start educating and motivating bright students about information security and keep them interested.

We will use our personal experience and proven successful tactics to outline the necessary steps to take and to expose the commonly overlooked necessities of starting a cyber defense organization, regardless of whether you are a student interested in information security, an advisor looking to motivate students, an alumnus looking to share your passion for information security, etc.

Information security education must continue outside the classroom. Although the demand for information security knowledge is high, the requirements are rigid. While the industry is growing very rapidly, students who do not show passion and dedication to the field and deep practical knowledge will be quickly left behind. We aim to leave you armed and ready to compete with and learn from some of the best and brightest information security students in the world.

Mike Arpaia is a Junior in the CyberSecurity program at Stevens Institute of Technology and is a co-founder of the Stevens Cyber Defense Team. Mike works as a Security Consultant/Penetration Tester Intern at Gotham Digital Science LLC. His primary interests are in web application security and exploitation.

Ted Reed was a student interested in cyber-security. Now he likes model planes and simulation.


Pillaging DVCS Repos For Fun And Profit

Distributed Version Control Systems, like git, are becoming an increasingly popular way to deploy web applications and web related resources. Our research shows these repositories commonly contain information very useful to an attacker. This talk, which was part of my small contribution to the Penetration Testing Execution Standard (PTES), will demonstrate how to identify these repositories and techniques to pillage as much information as possible from them. Lastly, there will be a release of a toolkit to automate the discussed techniques, supporting git, hg and bzr repositories!

Adam Baldwin has over ten years of mostly self-taught computer security experience and is currently the co-founder and Chief Pwning Officer at nGenuity, focusing on the security of web applications. He at one time possessed a GCIA and, if his CPEs are up to date, should still have a CISSP. Prior to starting nGenuity, Adam worked for Symantec. Adam is a minor contributor to the W3AF project and has previously spoken at Toorcamp, DjangoCon 2010, and JSConf 2011.


Chip & PIN is Definitely Broken

The EMV global standard for electronic payments is widely used for interoperation between chip-equipped credit/debit cards, Point of Sale devices and ATMs.

Following the trail of the serious vulnerabilities published by Murdoch and Drimer's team at Cambridge University regarding the usage of stolen cards, we explore the feasibility of skimming and cloning in the context of POS usage.

We will analyze in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly used to harvest credit card information as well as PINs, regardless of the type/configuration of the card.

The attacks are believed to be unreleased to the public so far (which, however, does not mean fraudsters are not exploiting them) and are effective in bypassing existing protections and modes of operation.

As usual cool gear and videos are going to be featured in order to maximize the presentation.


Deceptive Hacking: How Misdirection Can Be Used To Steal Information Without Being Detected

There are many similarities between professional hackers and professional magicians. Magicians are experts in creating deception, and these skills can be applied when penetrating a network. The author, with 30 years of experience in both security and magic, will explain the basic principles and theories that magicians use to create illusions. This includes definitions of magic terms such as gaff, gimmick, fake, stooge, feint, sleight, bluff, timing, and different types of misdirection. It will be shown that all of these techniques apply to hacking as well. A scenario is presented where normal hacking techniques would be detected and information theft prevented. The only solution is to use deception and trickery.

Bruce "Grymoire" Barnett has been a scientist at a large Fortune 50 company for 25 years, with a focus on security and advanced algorithms. Some of the tools, developed for military contractors, dealt with attack trees and vulnerability chains (NOOSE, the Networked Object-Oriented Security Examiner). Other projects include data provenance, steganography, key management algorithms for sensor networks, and advanced network analysis. He has also written several tutorials on Unix shell scripting, and Google ranks his Sed tutorial as #1. Bruce has been a part-time professional magician for 35 years, and belongs to societies such as the International Brotherhood of Magicians and the Society of American Magicians. He currently runs several forums exclusively for magicians, such as the Electronic Grymoire and the Shadow Network.
Twitter: @grymoire
Facebook: http://www.facebook.com/home.php#!/profile.php?id=1593769945&v=info


Fingerbank — Open DHCP Fingerprints Database

The presentation will first take a step back and offer a basic reminder of what passive fingerprinting is and, more precisely, DHCP fingerprinting. Then we will offer defensive and offensive use cases for DHCP fingerprinting. Next, we will cover the goals and resources offered by the new project and some future plans. As part of the announcement, two large fingerprint databases will be made available (both of which were bundled in separate projects: PacketFence and Satori).

We hope this new resource will increase the quality and breadth of current DHCP fingerprint databases and increase adoption for this reliable fingerprinting technique.

Olivier Bilodeau is a System Architect at Inverse, developing PacketFence, an open source Network Access Control (NAC) software. He also lectures on system security at École de technologie supérieure (ETS) in Montreal, Canada. His past experiences have taken him into dusty Unix server rooms, obfuscated Perl code and expensive enterprise networks. In his free time he enjoys several CTFs a year (with the CISSP Groupies and Amish Security teams), hacking Perl, doing open source development and brewing beer. You can read his occasional blog posts at: http://www.bottomlesspit.org/
Twitter: @packetfence


PacketFence, The Open Source NAC: What We've Done In The Last Two Years

Ever heard of PacketFence? It's a free and open source Network Access Control (NAC) software that's been out there since 2005. In the last two years we had several major releases with important new features that make it an even more compelling solution.

Trying to appeal to both attackers and defenders, this presentation will cover all of our NAC's secret sauce: wired / wireless RADIUS MAC authentication / 802.1X, port security through SNMP, captive portal redirection techniques, the hardware support procedure, voice over IP, FreeRADIUS, Snort and Nessus integration, and quarantine / remediation features. We will continue with the advantages of open source when dealing with a NAC. Then we will focus on the last two years of the project: the problems, the missteps and the good, new and shiny stuff. This will include learning about some 802.1X problems, complaining about other vendors' code, looking at our own problems and salivating over some of the technical prowess we recently achieved. Finally we will expose our World Domination Roadmap covering both short-term improvements and potential research projects (and we will beg for help to achieve it).

Hopefully this talk will demystify NACs by explaining in detail how our implementation works, give yet another example of why open source rocks and convince those who haven't jumped on the NAC bandwagon to give the free one a try.

Olivier Bilodeau is a System Architect at Inverse, developing PacketFence, an open source Network Access Control (NAC) software. He also lectures on system security at École de technologie supérieure (ETS) in Montreal, Canada. His past experiences have taken him into dusty Unix server rooms, obfuscated Perl code and expensive enterprise networks. In his free time he enjoys several CTFs a year (with the CISSP Groupies and Amish Security teams), hacking Perl, doing open source development and brewing beer. You can read his occasional blog posts at: http://www.bottomlesspit.org/
Twitter: @packetfence


Federation and Empire

Federated Identity is becoming prevalent in corporate environments. True, solving cross-domain access control to Web applications or services is a nagging issue. Today, unsatisfying traditional approaches based on duplicated user accounts or dangerous trust domain relationships are being replaced by neater solutions. One of them is getting more and more popular not only in academic but in corporate environments as well: claims-based authorization relying on SAML tokens. This cross-domain federated Web SSO solution allows applications or service providers to finely control their access while leaving the burden of user management to their authoritative domains. Authoritative domains also keep full control over what they disclose about their users: very attractive.

However, most existing material explains to developers how to leverage this technology while keeping them oblivious to the underlying protocols or the (many) standards' complexity and intricacies. By taking a radically low-level, API-free approach, this talk is intended for security pen-testers or architects who have to cope with SAML-based access control. Just the necessary presentation of the standards involved will be given. Then the two main parts will focus on how to adapt the existing tool set to be fully operational against SAML access control, and on key aspects that need to be considered prior to joining or creating such a federation. Most of the points are implementation agnostic and can be applied to Shibboleth, SimpleSAMLphp or Active Directory Federation Services, for instance. Likewise, the presented tools are Burp Pro extensions leveraging the Buby framework but can easily be translated into everyone's preferred toolset.

Emmanuel Bouillon has been working in the Information Security field for more than a decade. Most of these years were spent as an InfoSec expert within the French Atomic Energy Commission, where he was in charge of a technical team dedicated to information security. Among the team's missions were incident handling, vulnerability assessment and penetration testing. Since 2009, Emmanuel Bouillon has lived in the Netherlands, working for an international organization as a Senior Information Assurance Scientist. His work is mainly focused on Cyber Defense issues. Emmanuel Bouillon has been a speaker at international conferences like PacSec, BlackHat, Hack.lu and #days, has written several articles in IT/Security magazines and was a teacher of network and system security in various French postgraduate schools. He holds a renewed ISO/CEI 27001:2005 Auditor certification and is credited for several responsibly disclosed vulnerabilities (CVE-2010-{0283,2229,2914,2941}, CVE-2011-{0001,...}).


Three Generations of DoS Attacks (with Audience Participation, as Victims)

Denial-of-service (DoS) attacks are very common. They are used for extortion, political protest, revenge, or just LULz. Most of them use old, inefficient methods like UDP floods, which require thousands of attackers to bring down a Web server. The newer Layer 7 attacks like Slowloris and RUDY are more powerful, and can stop a Web server from a single attacker with incomplete HTTP requests. The newest and most powerful attack uses IPv6 multicasts, and can bring down all the Windows machines on an entire network from a single attacker.

I will explain and demonstrate these tools: Low Orbit Ion Cannon, OWASP Http DoS Tool, and flood_router6 from the thc-ipv6 attack suite. This deadly IPv6 Router Advertisement Flood attack is a zero-day: Microsoft has known about it since June 2010 but has not patched it yet (as of May 4, 2011).

Audience Participation: Bring a device to test for vulnerability to the Router Advertisement Flood! Some cell phones and game consoles have been reported to be vulnerable, so let's find out! If your device crashes, please come to the Q&A room so we can video-record it and arrange disclosure to the vendor.

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, Toorcon and BayThreat, and taught classes and seminars at many other schools and teaching conferences.

Sam has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. His Industry Certifications are: Associate of (ISC)^2, Certified Ethical Hacker, Microsoft: MCP, MCDST, MCTS: Vista; Network+, Security+, Hurricane Electric IPv6 Guru, CCENT.
Twitter: @sambowne


Building The DEF CON Network, Making A Sandbox For 10,000 Hackers

We will cover how the DEF CON network team builds a network from scratch in three days with very little budget: how this network evolved, what worked for us, and what didn't work over the last ten years. This network started as an idea and, after acquiring some kick-butt hardware, has allowed us to support several thousand users concurrently. In addition I will cover the new WPA2 Enterprise deployment, what worked and what didn't, and how the DEF CON team has made the Rio network rock!

David M. N. Bryan has 10 years of computer security experience, including pentesting, consulting, engineering, and administration. As an active participant in the information security community, he volunteers at DEF CON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet, without being hacked. In his spare time he runs the local DEF CON group, DC612, is the president of Twincities Makers group, and participates in the Minneapolis OWASP chapter.

Twitter: @videoman

Luiz Eduardo is the Director of SpiderLabs Latin America Countries. With almost 20 years of experience, throughout his career he has worked with possibly all types of networking technologies on the enterprise and service provider sectors, as well as the security involved in these technologies.

Luiz is the founder of the y0u Sh0t the Sheriff security conference held in Brazil and has worked on the wireless infrastructure of Blackhat, DEF CON, Chaos Communication Congress and Shmoocon. As a public speaker, he has given presentations on diverse infosec topics at conferences worldwide, such as DEF CON, FIRST, H2HC, HitB Malaysia, Layerone, ShmooCon, BlueHat, ThotCon, Toorcon and others. Luiz holds the following certifications: CWNE, CISSP, GISP, GCIH and CEH.


Kinectasploit: Metasploit Meets Kinect

We've all seen hackers in movies flying through 3D worlds as they hack the Gibson. How about trying it for real? Now that we've got the Kinect, let's hook it up to some hacking tools and see what it looks like to hack via Kinect!

Jeff Bryner has 20 years of experience integrating systems, fixing security issues, and performing incident response and forensics. He writes for the SANS forensics blog, has spoken at RSA on SCADA security issues and at DEFCON 18 on the Google Toolbar, and runs p0wnlabs.com just for fun.
Twitter: @p0wnlabs


Physical Memory Forensics for Cache

Physical memory forensics has gained a lot of traction over the past five or six years. While it will never eliminate the need for disk forensics, memory analysis has proven its efficacy during incident response and more traditional forensic investigations. Previously, memory forensics, although useful, focused on a process' address space in the form of Virtual Address Descriptors (VADs) but ignored other rich sources of information. In the past, some techniques of process reconstitution have been auspicious at best and erroneous at worst. This presentation will build upon lessons learned and propose more thorough ways to reconstruct process contents, and therefore a process' address space. By using the methods presented, it will be possible to further reduce the data you care about in an incident response or forensic investigation and to better apply the traditional computer security techniques such as reverse engineering, hash matching, and byte pattern or signature matching such as those provided by ClamAV and VxClass.

Jamie Butler: bio to come.


Metasploit vSploit Modules

This talk is for security practitioners who are responsible for enterprise network security solutions and need to test them. Marcus Carey, David Rude, and Will Vandevanter discuss how to use the Metasploit Framework beyond penetration testing to validate whether security solutions are working as expected. Marcus initiated the creation of the vSploit auxiliary modules, which emulate real-world network attacks. These can be used for good and evil purposes. This talk will debut several Metasploit modules designed specifically for testing firewalls, IDS, IPS, and DLP solutions. The presentation will show how to emulate persistent network attacks with vSploit modules, which can come in handy if you are a penetration tester.

Marcus J. Carey is the Enterprise Security Community Manager at Rapid7. Marcus has over 17 years of information assurance experience working in the DoD as well as Federal and State Government organizations. Marcus holds an M.S. in Network Security from Capitol College as well as several security-related certifications.

David Rude is a Metasploit Exploit Developer at Rapid7. David writes code that executes code. David has worked for years as a professional security researcher. He has a fascination with finding and exploiting vulnerabilities. At Rapid7, David currently works as a developer who writes exploits and codes awesomeness for Metasploit Framework, Metasploit Express, and Metasploit Pro.

Will Vandevanter is a senior penetration tester at Rapid7. His interests include web application security, DoS attacks, and secure code. He has a Master's degree in Computer Science (focus in Secure Software Engineering) and a BSc with joint majors in Computer Science and Mathematics.
Twitter: @willis__


Lives On The Line: Securing Crisis Maps In Libya, Sudan, And Pakistan

Crisis maps collect and present open source intelligence (Twitter, Facebook, YouTube, news reports) and direct messages (SMS, email) during disasters such as the Haiti earthquake and civil unrest in Africa. The deployment of crisis mapping technology is on its way to becoming a standard tool to collect and track ground truth from crisis zones, but very little work has been done to evaluate and mitigate the threat posed by adversaries with offensive infosec capabilities. These platforms can provide responders and humanitarian organizations with the timely, high-fidelity situational awareness necessary to direct aid and save lives. Unfortunately, they can also provide hostile national security services and other malicious groups with the information they need to target vulnerable populations, hunt down individuals, and manipulate response operations. In this session we'll set up, operate, attack and defend an online crisis map. Bring your laptop and toolsets, because you will have the opportunity to play the bad actor (a technical member of the secret police or terrorist organization) as well as the defender (the response agency, citizen on the ground, and sysadmin trying to keep the server online). The experience will bring together everything we know and love and hate about defending online systems, including buggy code, naive users, and security vs. usability tradeoffs, and do so in a situation where people are dying and the adversary controls the network. We'll also introduce some not-so-typical concepts like building trust on the fly, crowdsourced verification, and maintaining situational awareness from halfway around the globe. Each step in the process will be based on real-world deployment experiences monitoring everything from local riots to nation-wide revolutions and natural disasters.

The lessons learned, vulnerabilities found, and exploits developed during the session will be taken back to the crisis mapping community, enabling them to build more secure systems and more effective, life-saving deployments.

George Chamales has spent the last decade working in almost every legal permutation of employer / job the computer security field has to offer. His list of current and former government employers includes DOD, DOE, DHS, and DOI. In the private sector, he's worked as a security architect, member of the Honeynet Project, and corporate pen-tester targeting Fortune 500 companies. He is an active member of the crisis mapping community, where he develops new tools and capabilities, co-founded the Crisis Mappers Standby Task Force, and has served as the technical lead for numerous deployments including LibyaCrisisMap.net, Pakreport.org, and SudanVoteMonitor.com.


Abusing HTML5

The spike of i{Phone, Pod Touch, Pad}, Android, and other mobile devices that do not support Flash has spurred the growth of and interest in HTML5, even though the standard is still evolving. The power of HTML5 allows developers to create almost full-fledged web applications, not just structured content. HTML5's new features have increased the attack surface. It has been demonstrated that the HTML5 offline application cache can be abused. In addition, the support for client-side storage will open up the opportunity for SQL injection attacks on client machines. There has been chatter regarding the new attack opportunities that the <audio>, <video>, and <canvas> tags will present, considering they require JavaScript and image-related functions such as SVG. This presentation will demonstrate the issues of HTML5 and how they can be abused and mitigated with good old techniques. It will also delve into writing malicious web pages with web workers, abusing cross-origin JavaScript requests, how not to do cross-document messaging, and abusing geolocation.

Ming Chow is a Lecturer at the Tufts University Department of Computer Science. His areas of interest are computer security, game development, web application security, and Computer Science in Education. He was also a web application developer for ten years at Harvard University for University Operations Services. Ming co-edited a special issue of IEEE Security & Privacy on securing online games with Gary McGraw of Cigital, Inc., published in May 2009. Ming is a frequent guest speaker and has spoken at numerous organizations, including the New England Chapter of the High Technology Crime Investigation Association (HTCIA-NE), the Greater Boston Chapter of the Association of Certified Fraud Examiners (ACFE), the Massachusetts Office of the Attorney General (AGO), and OWASP. Ming mentored a team of students from Tufts to the Microsoft Imagine Cup Game Design Competition US Finals in 2010. Finally, Ming is a SANS GIAC Certified Incident Handler (GCIH).
Twitter: @tufts_cs_mchow


Familiarity Breeds Contempt

"Good programmers write code, great programmers reuse" is one of the most well known truisms of software development. But what does that mean for security? For over 30 years software engineering has focused on writing the perfect code and reusing it as often as possible, believing that if they can just get the bugs out, the system will be secure. In our talk we will demonstrate how the most prominent doctrine of programming is deadly for security. Analysis of software vulnerability data, including a full decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as the actual software quality. We show that (at least in the first phase of a product's existence), software vulnerabilities have different properties from software defects. Our analysis of attacker tools and popular exploits shows that the attacker's learning curve determines when and which particular products are likely to be attacked. Improvements in those tools affect the frequency of attack, and the ultimate result is point-and-click usability. We will present several examples from both the defender and the attacker perspective illustrating how dangerous familiarity is for security. We will demonstrate that the more familiar an attacker is with your product, the more likely you are to be attacked and the more likely an attacker will succeed.

Sandy Clark (Mouse) has been taking things apart since the age of two, and still hasn't learned to put them back together. An active member of the Hacker community, her professional work includes an Air Force Flight Control Computer, a simulator for NASA and singing at Carnegie Hall. She is currently fulfilling a childhood dream, pursuing a Ph.D. in Computer Systems and Security at the University of Pennsylvania.

Her research explores the vulnerability lifecycle, human scale security and the unexpected ways that systems interact. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game), and anything that involves night vision goggles.

Brad Haines (RenderMan) is a Whitehat by trade, Blackhat by fashion. A very visible and well known member of the wardriving and hacker community, he does whatever he can to learn how things work, how to make them better and to teach people the same. He is a firm believer in the hacker ethic of openness, sharing, and collaboration. Never afraid to try something new, he can usually be found taking unnecessary risks for the sake of the experience.

Author of several computer security books and a frequent presenter at hacker, security and privacy conferences, he can usually be found investigating something interesting, scanning the air for any WiFi data, and trying to find new and interesting beers.
Twitter: @Ihackedwhat

return to top

Operational Use of Offensive Cyber

This session will discuss the "Art of the Possible" when it comes to "Offensive Cyber Operations" and why it is so important for both military and non-military cyber professionals to understand each other's perspectives on "Offensive Cyber Operations". Discussion will focus on the military's planning process, how the potential introduction of offensive cyber operations could affect that process, and why information-sharing events like DEFCON are so important to its eventual success.

Christopher Cleary is a former Computer Network Operations Planner from US CYBER COMMAND who led an Operational Planning Team focused on studying "Advanced Persistent Threats" to DoD networks. During his tenure at CYBERCOM he was one of the few Officers to lead a forward deployed element supporting combat operations in the CENTCOM AOR. Mr. Cleary is currently employed by Sparta Inc. opa Cobham Analytic Solutions directing Cyber Strategy and Policy.

return to top

Look At What My Car Can Do

This presentation is an introduction to the new world of automobile communication, data and entertainment systems, highlighting the Ford Sync System.

The Ford Sync System is a remarkable technological advance that has changed the automobile industry. While hard drives have been used in automobile entertainment applications for some time now, the Ford Sync System is different. It allows the user to interact with the car's communication system in a brand new way. If a vehicle with the Ford Sync system is used to commit a crime or to hide data, how would examiners be able to determine what data might be contained in the Ford Sync System? How does it get there? What forensic process or type of exploitation can be used to determine what traces are left behind on the car's hard drive? This presentation will take the audience through the process of various methods of infilling, hiding, acquiring data, and conducting a forensic exam on the Ford Sync System.

Tyler Cohen is known in the digital forensic community for her work with forensics on alternate media devices and has given presentations at conferences all over the country on the topic, including the Defense Cybercrime Conference, High Tech Crime Investigation Association, Defcon, TechnoSecurity, Technoforensics, and the California District Attorney Association. She has co-authored a book entitled Alternate Data Storage Forensics (ISBN-13: 978-1-59749-163-1) and was featured in Best Damn Cybercrime and Digital Forensics Book Period (ISBN-13: 978-1-59749-228-7). She currently works for the Department of Defense. Prior to that she worked for General Dynamics, assigned to the Department of Defense Cyber Crime Center (DC3) where she was a lead digital forensic examiner. Here she used her expertise in intrusion analysis and major crimes to successfully complete digital forensic exams. Before joining DC3, she was employed at ISS/IBM as an emergency incident responder and forensic examiner where she also showcased her expertise in intrusion analysis, major crimes and PCI standards. Prior to that, she worked for NASA as a Computer Forensic Examiner under the computer crimes division for the Inspector General.

return to top

Kernel Exploitation Via Uninitialized Stack

Leveraging uninitialized stack memory into a full-blown root escalation is easier than it sounds. See how to find these vulnerabilities, avoid the pitfalls of priming the stack, and turn your "memory corruption" into full root privileges.

Kees Cook is part of the Ubuntu Security Team, where he tries to harden Ubuntu in particular, and Linux in general, against attack. In addition to being an Ubuntu developer, he's a member of the Ubuntu Technical Board, a Debian Developer, and a Kernel.org admin. As a long-time DEF CON Capture the Flag participant, he's especially proud of being part of Team 1@stPlace and winning in 2006 and 2007.

Twitter: @kees_cook

return to top

The Art and Science of Security Research

Research is a tricky thing, full of pitfalls, blind alleys, and rich rewards for the individual and humanity. This talk studies the art and science of conducting security research, from the genesis of your idea through experimentation and refinement to publication and beyond. In this talk you will learn how to generate and select powerful ideas, build upon the work of others, conduct groundbreaking work, and share your results for maximum desired effect. Whether you are a lone researcher or part of a large cabal you will take away ideas and techniques for maximizing the impact of your work, lest it lay dormant or have someone else rediscover your idea several years later.

Greg Conti is an Academy Professor and Director of West Point's Cyber Security Research Center. He is the author of Security Data Visualization (No Starch Press) and Googling Security (Addison-Wesley) as well as over 40 articles and papers covering online privacy, usable security, security data visualization, and cyber warfare. His work can be found at www.gregconti.com and www.rumint.org.

return to top

Internet Kiosk Terminals : The Redux

Paul Craig is the self-proclaimed "King of Kiosk Hacking". You have likely heard of him or his pornographic tool iKAT (Interactive Kiosk Attack Tool). For the last 3 years he has dedicated his life to striking fear into the hearts of Kiosk vendors.

This talk will comprise all of his latest advancements in the field of hacking Kiosk terminals. Multiple platforms, vendors, technologies and more shells than you can shake a stick at. If you have ever wanted to hack that lonely web-browsing computer in the corner of a room, this is the talk for you.

This talk will also showcase a live freestyle Kiosk hacking session, with a truck load of slick ninja techniques and zero-day. Watch out — the King of Kiosk hacking is back in town.

Paul Craig works at Security-Assessment.com with a bunch of some of the best hackers in the world.

Paul lives for hacking, it's in his blood! From the age of 13 he has been addicted to popping shells, stealing access and escalating privileges. He loves his job and is fully committed to the trade.

return to top

Cipherspaces/Darknets: An Overview Of Attack Strategies

Darknets/Cipherspaces such as Tor and I2P have been covered before in great detail. Sometimes it can be hard to follow attack strategies that have been used against them as the papers written on the topic have been academic and abstract. What this talk will attempt to do is step back and give an overview of the topic in a manner hopefully more conducive to the understanding of security practitioners, giving more concrete examples. While little to nothing in this talk will be "new and groundbreaking" it should lead to a better understanding of how encrypted anonymizing networks can be subverted to reveal identities.

Adrian Crenshaw has worked in the IT industry for the last thirteen years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools.
Twitter: @irongeek_adc

return to top

Speaking with Cryptographic Oracles

Cryptography is often used to secure data, but few people have a solid understanding of cryptography. It is often said that if you are not strictly a cryptographer, you will get cryptography wrong. For that matter, if you ARE a cryptographer, it is still easy to make mistakes. The algorithms might be peer reviewed and unbroken for 15 years, but if you use them incorrectly, they might leak information. Cryptographic oracles are systems which take user-controlled input and leak part or all of the output, generally leading to an attacker being able to defeat the cryptography, in part or in whole. In this talk, methods for finding and exploiting encryption, decryption, and padding oracles with minimal cryptographic knowledge will be discussed.

Daniel Crowley is an Application Security Consultant for Trustwave's SpiderLabs team. He has been working in the information security industry for over 6 years and has been focused on penetration testing, specifically on Web applications. Daniel is particularly interested in vulnerabilities caused by a failure to account for little known or even undocumented properties of the platforms on which applications run. He especially enjoys playing around with Web based technologies and physical security technologies and techniques. Dan also rock climbs and makes a mean chili.
Twitter: @dan_crowley

return to top

Taking Your Ball And Going Home; Building Your Own Secure Storage Space That Mirrors Dropbox's Functionality

When for-profit companies offer a free app, there are always going to be strings attached. As we have increasingly seen, these strings are often tied to your privacy to enable said third party company to monetize you in some way, but in worse cases your security can be compromised, leaving you open to identity theft at best or legal repercussions at worst. One of today's most ubiquitous apps is Dropbox, which operates as a file hosting service that uses "cloud computing" (aka the internet) to enable users to store and share files and folders with others using file synchronization. Sounds harmless enough until you start thinking about how they can do so much for free. Learn about the flaws discovered by security researchers that have caused Dropbox to significantly change their terms of service, and about a group building a free, open-source option for anyone to use to share and protect their data. Learn, get involved, help and CYA, because for-profit third party companies are not going to do it for you.

Phil Cryer (fak3r) is a systems engineer and privacy advocate who has worked on Linux and open source solutions for over 10 years. While balancing security with openness he has lectured globally on ways to open data silos to facilitate scientific discovery, but is equally comfortable talking about sharing any kind of data. His favorite memory from previous DEFCONs was yelling at the screen during a late night screening of Wargames, but locking himself out of his own room at last year's con is a close second. He learns by doing, believes that imagination is more important than knowledge, and like all good IT professionals, has a bachelor's degree in fine arts.
Twitter: @fak3r

return to top

PCI 2.0: Still Compromising Controls and Compromising Security

Building on last year's panel discussion of PCI and its impact on the world of infosec, we are back for more, including "actionable" information. Having framed the debates in the initial panel, this year we will focus on what works, what doesn't, and what we can do about it.

Compliance issues in general, and PCI-DSS in particular, are driving security in many organizations. In tight financial times, limited security resources are often exhausted on the "mandatory" (compliance) at the expense of the "optional" (actual security). We will focus on the information needed to reconcile these issues, and encourage the audience to continue the discussion with us.

Jack Daniel is old, and has a Unix Beard, so people mistakenly assume he knows stuff. He still makes no attempt to correct this gross misunderstanding. Jack has proven himself to be an inciteful moderator on compliance topics. He has many years of network and systems administration experience, and a bunch of letters after his name. Jack lives and breathes network security as Product Manager for Tenable.

James Arlen, CISA, sometimes known as Myrcurial, is a cyber-security cyber-consultant usually found in tall buildings wearing a cyber-suit, founder of the Think|Haus hackerspace, columnist at Liquidmatrix Security Digest, Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent. He's been at this security game for more than 15 years and loves blinky lights and shiny things. Cyber.

Joshua Corman is the Research Director for Enterprise Security at The 451 Group and founder of RuggedSoftware.org. A passionate advocate for the security practitioner, he is known for his candor, intellectual honesty, and willingness to challenge the status quo - tackling topics like his 7 Dirty Secrets of the Security Industry and Is PCI the No Child Left Behind Act for Security?

Alex Hutton likes risk, critical thinking, and data. He writes for newschoolsecurity.com dub cloud.com, and Verizon's security blog.

Martin McKeay is the host and author of the Network Security Blog and Podcast. He is a well known expert in the field of PCI and has worked as a QSA for over four years; he's seen the security that compliance can encourage, as well as the lengths people will go to in order to avoid implementing real security. He is an advocate for PCI and compliance while recognizing its limitations, a dichotomy that sometimes threatens his sanity.

Dave Shackleford is a SANS Analyst, instructor and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He's worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.

return to top

Former Keynotes - The Future

Former keynotes keep coming back to DEFCON. Join The Dark Tangent, Rod Beckstrom, Jerry Dixon, Tony Sager, and Linton Wells to discuss the future of cyber security.

Dark Tangent Bio to Come

Rod Beckstrom is a highly successful entrepreneur, founder and CEO of a publicly-traded company, a best-selling author, avowed environmentalist, public diplomacy leader and, most recently, the head of a top-level federal government agency entrusted with protecting the nation's communication networks against cyber attack. Throughout 2008, Rod served as the Director of the National Cybersecurity Center (NCSC) at the U.S. Department of Homeland Security, where he reported to the Secretary of DHS, and was charged with cooperating directly with the Attorney General, National Security Council, Secretary of Defense, and the Director of National Intelligence (DNI). Prior to joining DHS, he served on the DNI's Senior Advisory Group. Rod is unique in having experienced the inner workings of two, highly-charged, often competing, federal security agencies created in the wake of the September 11th attacks, an event that he says, "changed my life."

Rod is widely regarded as a pre-eminent thinker and speaker on issues of cybersecurity and related global issues, as well as on organizational strategy and leadership. He is also an expert on how carbon markets and "green" issues affect business. While Director of the NCSC, Rod developed an effective working group of leaders from the nation's top six cybersecurity centers across the civilian, military and intelligence communities. His work led to his development of a new economic theory that provides an explicit model for valuing any network, answering a decades-old problem in economics. Rod co-authored four books including The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, a best-selling model for analyzing organizations, leadership styles, and competitive strategy. The Starfish and the Spider has been translated into 16 foreign editions and is broadly quoted.

At age 24, Rod started his first company in a garage apartment and, subsequently, grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles, and Hong Kong. CATS Software Inc. went public and was later sold. Nobel Laureates Myron Scholes and William F. Sharpe served on the company's boards of directors and advisors. While at CATS Rod helped advance the financial theory of "value at risk," now used globally for all key banking risk management. Rod co-edited the first book to introduce "value at risk." Rod also co-founded Mergent Systems, a pioneer in inferential database engines, which Commerce One later acquired for $200 million. He has co-launched other collaborations, software, and internet service businesses, as well. From 1999 to 2001, he served as Chairman of Privada, Inc, a leader in technology enabling private, anonymous, and secure credit card transactions over the internet.

In 2003, Rod co-founded a global peace network of CEOs which initiated Track II diplomatic efforts between India and Pakistan. The group's symbolic actions opened the borders to people and trade, and contributed to ending the most recent Indo-Pak conflict. It's one of several non-profit groups and initiatives Rod has started. He now serves on the boards of the Environmental Defense Fund, which Fortune Magazine ranked as one of the seven most powerful boards in the world, and Jamii Bora Trust, an innovative micro-lending group in Africa with more than 200,000 members. He is a graduate of Stanford University with an MBA and a BA with Honors and Distinction. He served as Chairman of the Council of Presidents of the combined Stanford student body (ASSU) and was a Fulbright Scholar at the University of St. Gallen in Switzerland. Rod commenced as President and CEO of ICANN on 1 July 2009.

Jerry Dixon currently serves as Director of Analysis for Team Cymru and was the former Director of the National Cyber Security Division (NCSD) & US-CERT, of the Department of Homeland Security. He continues to advise partners on national cyber-security threats, aids organizations in preparing for cyber-attacks, and assists with the development of cyber-security policies for organizations.

Tony Sager is the Chief of the Vulnerability Analysis and Operations (VAO) Group within the Information Assurance Directorate at the National Security Agency. VAO's mission is to identify and analyze the vulnerability of information, technology, and operations for NSA customers, primarily within the Defense Department and the Intelligence Community. VAO is also very active in helping the broader national security community deal with these same problems through guidance and standards. VAO has received recognition from several private sector sources (including SC Magazine Editor's Choice for 2007; and The National Information Security Leadership Award from Government Executive Magazine and the SANS Institute).

During his 30 year career at the NSA, Tony has held a number of technical and managerial positions in Computer/Network Security and software analysis. He holds a BA in Mathematics from Western Maryland College and an MS in Computer Science from the Johns Hopkins University. Tony is also a graduate of the US Army Signal Officer Basic Course (as a civilian), and the National Security Leadership Course. He is a frequent keynote speaker and panelist at national and international security events.

Linton Wells II is the Director of the Center for Technology and National Security Policy (CTNSP) at National Defense University (NDU). He also is a Distinguished Research Professor and serves as the University's Transformation Chair. Prior to coming to NDU he served in the Office of the Secretary of Defense (OSD) from 1991 to 2007, serving last as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). In addition, he served as the Acting Assistant Secretary and DoD Chief Information Officer for nearly two years. His other OSD positions included Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence-C3I) and Deputy Under Secretary of Defense (Policy Support) in the Office of the Under Secretary of Defense (Policy).

In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; and C3I. Recently he has been focusing on STAR-TIDES, a research project focusing on sustainable support to populations under stress and public-private interoperability (www.star-tides.net).

Dr. Wells was born in Luanda, Angola, in 1946. He was graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there.

Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, and scuba diving. He has thrice been awarded the Department of Defense Medal for Distinguished Public Service.

return to top

Introduction to Tamper Evident Devices

Tamper evident technologies are quickly becoming an interesting topic for hackers around the world. DEF CON 18 (2010) held the first ever "Tamper Evident" contest, where contestants were given a box sealed with a variety of tamper evident devices, many of which purport to be "tamper proof." All of these devices were defeated, even by those with little experience and a limited toolkit. Like the computer world, many of these devices are overmarketed and it is difficult for the average person to compare different tamper evident technologies.

This talk covers the design and uses of tamper evident devices used in the commercial and government sectors. We'll dig into the nitty gritty of how many of these devices work, the methods by which they can be defeated, and live demonstrations of defeats against common tamper evident devices. Be advised: this talk is for only the stealthiest of ninjas; pirates need not apply.

datagram has taught about locks, safes, and methods to compromise them for many years, including training to private companies and government agencies. He has spoken many times on physical and digital security at various conferences and is a part-time forensic locksmith. datagram runs the popular lock and security websites lockwiki.com and lockpickingforensics.com. datagram is the leader of "The Motherfucking Professionals," the team that won the first Tamper Evident contest at DEF CON 18.

return to top

VDLDS — All Your Voice Are Belong To Us

Anytime you want to bypass the system, you tend to have a telephone conversation instead of leaving a paper trail. Data Leakage Prevention (DLP) is on top of the list for most organizations, be it the financial or medical industry. In order to overcome this issue we need to devise a new system that can monitor phone conversations. The Voice Data Leakage Detection System can be used for tracking credit card numbers, Social Security numbers, and other PII data. An extension of this can be used for tracking accounting and financial information that leaves the organization before the information is actually public. This will help spot the people leaking insider information to traders, competitors and other news sources. By utilizing a signature system, each environment can quickly capture sensitive information like the acquisition/sale of an organization, or honeypot data to find the insider leaks.

Ganesh Devarajan is the Sr. Security Architect within Go Daddy's Security Research Team. His focuses are Web Applications security, Malware Analysis, Reputation Service and Cloud security.

Ganesh has a wide variety of experience in his field. Prior to joining Go Daddy in 2010, he worked as a security researcher for TippingPoint DVLabs and the THECASE Research Center in Syracuse, NY. He has publications in a variety of fields, ranging from Supervisory Control and Data Acquisition (SCADA) security, Role Based Access Control (RBAC), and wireless security to runtime software application patches. His talks have been presented at various venues, including RSA, the Department of Defense (DoD) Cybercrime conference, the Computer Security Convention DEFCON, LayerOne, Reboot, the National Petrochemicals & Refiners Association (NPRA), SMi, the Hawaii International Conference on Social Sciences (HICSS), the International Information Security Conference (IFIP/SEC) and Hacker Halted.

Don LeBert currently works as a Security Engineer for GoDaddy.com Inc. He has been working with hosting providers for the past 5 years, filling the roles of Networking Administrator, Server Administrator and Server Manager. Don currently holds a Bachelor's degree in Information Systems and a Master's degree in Information Security.

return to top

Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes

Hackers like guns. Hackers like locks. Hackers like to tinker with guns and locks. And, most of the time, hackers protect their guns with high-quality locks. However, while it's one thing to own a nice gun safe protected by a high security dial, that sort of solution tends to be best for the firearms that one doesn't have in daily use. Many of us who wear a firearm as part of our daily routine opt to store and secure our carry piece in a separate, more easily-accessible way at the end of the day. This talk is an in-depth evaluation of some of the most popular small firearm lockboxes in-use today. Some rely on mechanical locks, others on biometric locks, and some offer a combination of both. But overall, they tend to fail miserably in the face of any dedicated attacker. Come and learn how your favorite gun lockbox might be preventing your toddler from having an accidental discharge, but why it's not at all likely to repel a criminal or even perhaps a curious teenager. Means of both attacking as well as improving upon the lockboxes you already may own will be demonstrated, and audience members will be invited to participate in all sorts of attacks... live and on stage!

Deviant Ollam's first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology's Science, Technology, & Society program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. While earning his BS degree at NJIT, Deviant also completed the History degree program at Rutgers University.

While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions at Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.
Twitter: @DeviantOllam

return to top

Whitfield Diffie and Moxie Marlinspike

Come watch Whitfield Diffie and Moxie Marlinspike talk about certificate authorities, DNSSEC, SSL, DANE, trust agility and whatever else they want to. Moderated by the Dark Tangent and with Q&A from the audience.

return to top

Bit-squatting: DNS Hijacking Without Exploitation

We are generally accustomed to assuming that computer hardware will work as described, barring deliberate sabotage. This assumption is mistaken. Poor manufacturing, errant radiation, and heat can cause malfunction. Commonly, such malfunctions in DRAM chips manifest as flipped bits. Security researchers have known about the danger of such bit flips but these attacks have not been very practical. Thanks to ever-higher DRAM densities and the use of computing devices outdoors and in high-heat environments, that has changed. This presentation will show that far from being a theoretical nuisance, bit flips pose a real attack vector. First the presentation will describe bit-squatting, an attack akin to typo-squatting, where an attacker controls domains one bit away from a commonly queried domain (e.g. mic2osoft.com vs. microsoft.com). To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates. The presentation will show an analysis of 6 months of real DNS and HTTP traffic to bit-squatted domains. The traffic will be shown in terms of affected platform, domain queried, and HTTP resources requested. Using this data the presentation will also attempt to ascertain the cause of the bit-flip, such as corruption on the wire, in requestor RAM, or in the RAM of a third party. The presentation will conclude with potential mitigations of bit-squatting and other bit-flip attacks, including both hardware and software solutions. By the end I hope to convince the audience that bit-squatting, and other attacks enabled by bit-flip errors are practical and serious, and should be addressed by software and hardware vendors.

Artem Dinaburg currently works as a security researcher at Raytheon, investigating a broad range of security related topics. Prior to joining Raytheon, Artem worked as a security researcher building automated malware analysis systems, investigating web-based exploit kits, and identifying botnet command-and-control domains. While a graduate student at Georgia Tech he created hypervisor-based dynamic malware analysis platforms under Dr. Wenke Lee.

A Bridge Too Far: Defeating Wired 802.1x with a Transparent Bridge Using Linux

Using Linux and a device with 2 network cards, I will demonstrate how to configure an undetectable transparent bridge to inject a rogue device onto a wired network that is secured via 802.1x using an existing authorized connection. I will then demonstrate how to set up the bridge to allow remote interaction and how the entire process can be automated, creating the ultimate drop and walk away device for physical penetration testers and remote testers alike.

Alva 'Skip' Duckwall has been using Linux since before there was a 1.0 kernel and has since moved into the information security arena, doing anything from computer/network auditing to vulnerability assessments and penetration testing. Skip currently holds the following certs: CISSP, CISA, GCIH, GCIA, GCFW, GPEN, GWPT, GCFA, GSEC, RHCE, and SCSA, and is working on getting his GSE. Skip currently works for Northrop Grumman as a Sr. Cyber Something or other.

Virtualization under attack: Breaking out of KVM

KVM, the Linux Kernel Virtual Machine, seems destined to become the dominant open-source virtualization solution on Linux. Virtually every major Linux distribution has adopted it as their standard virtualization technology for the future. And yet, to date, remarkably little work has been done on exploiting vulnerabilities to break out of KVM.

We're here to fix that. We'll take a high-level look at KVM's architecture, comparing and contrasting with other virtualization systems and describing attack surfaces and possible weaknesses. Using the development of a fully-functioning exploit for a recent KVM vulnerability, we'll describe some of the difficulties involved with breaking out of a VM, as well as some features of KVM that are helpful to an exploit author.

Once we've explored the exploit in detail, we'll finish off with a demonstration against a live KVM instance.

Nelson Elhage is a kernel hacker for Ksplice, Inc., where he works on providing rebootless security updates for the Linux kernel. In his spare time, he mines for bugs in the Linux kernel and other pieces of open-source systems software.

I Am Not a Doctor but I Play One on Your Network

How secure is your Protected Health Information? This talk will expose the world of Health Information Systems with an in-depth technical review of their common protocols and technologies. Many of these life-critical systems once relied on the security provided by air-gapped medical networks. Recently, in an effort to realize savings and further share health information, medical systems have moved onto interconnected networks, opening them up to a plethora of attacks. We believe these systems have not had adequate research performed against them due to high cost and relatively low availability. Our talk will not only reveal weaknesses we have discovered in medical protocols but will create a foundation of knowledge for researchers who want to continue investigation of these systems. We will release findings and vulnerabilities that were discovered during the course of this research, as well as fuzzers designed to allow penetration testers and researchers to further assess healthcare-specific protocols for security vulnerabilities. We will take a look at healthcare-specific hardware and discuss vulnerabilities related to these devices, including prescription-dispensing drug cabinets and the ability to dispense scheduled substances without authentication, authorization, or accounting. Finally, we will discuss how the impact of vulnerabilities on healthcare systems has changed with the introduction of large health information repositories such as Google Health and Microsoft HealthVault, as well as with countless regional and national Health Information Exchanges.

Tim Elrod and Stefan Morris have over 10 years of combined experience working specifically in the healthcare industry, assessing health information systems for security vulnerabilities. Together they have audited and discovered vulnerabilities in most major healthcare-specific protocols in use by health care providers today.

Mamma Don't Let Your Babies Grow Up to be Pen Testers - (a.k.a. Everything Your Guidance Counselor Forgot to Tell You About Pen Testing)

Always wanted to be a 1337 penetration tester capable of deciphering Kryptos while simultaneously developing your own custom 0-days? Then this is NOT the talk for you. We will, however, make you laugh by presenting an honest look at the life and times of a penetration tester today. We promise to open your eyes to aspects of the job you may not have considered before (at least we hadn't considered them before we started). Drawn from personal experience, this talk will focus on the myths and realities of penetration testing as a "for-sale" service. We love being penetration testers, but we're pretty sure the guidance counselor forgot to mention there was a dark side to all the fun. We got the job with a little knowledge, a couple of lamer exploits, and high expectations. We expected firewalls and IDS to be the only thing standing between us and our beloved shells, but it turns out something far more sinister waited for us. Deadlines, timelines, reporting, scope, budgets, and chubby fingers quickly reared their ugly heads and threatened to smash our dreams. Like all PT'ers before us, we soon found out how important each of these topics is and what a critical role they play in our day-to-day activities. Join us for a unique and humorous 20-minute presentation as we air the dirty laundry about the mechanics of penetration testing and open your eyes to the untold aspects of the best job on earth.

Dr. Pat Engebretson is an Assistant Professor of Information Assurance at Dakota State University in Madison, SD. He teaches graduate and undergraduate classes in penetration testing, operating system security, and programming. Dr. Engebretson also serves as a Senior Penetration Tester for a security consulting company in the Midwest. Before returning to academia, Dr. Engebretson spent 5 years as a Network Security Officer for a financial institution. He recently published a book on the basics of hacking and penetration testing for Syngress, and he works non-stop to weave past experiences into the classroom, integrate hands-on material, and open his students' eyes to the wonders of DEF CON.
Twitter: pengebretson

Dr. Josh Pauli is an Associate Professor of Information Assurance at Dakota State University in Madison, SD where he teaches graduate and undergraduate courses in web and software security. His background is in software engineering and information systems. Dr. Pauli first attended DEF CON 16 (friggin' n00b) and was hooked immediately - he has spent every waking moment since then trying to figure out how to inject DEF CON into DSU's security program and bring his students to DEF CON 19 and beyond!
Twitter: CornDogGuy

Steganography and Cryptography 101

There are a lot of great ways to hide your data from prying eyes; this talk will give a crash course in the technology and some tools that can be used to secure your data. It will also discuss hiding your files in plain sight so an intruder will have no idea that hidden files even exist. These same techniques can also be employed by somebody wishing to transmit messages.

Eskimo (Neil Weitzel) is a Technology Analyst for Indiana University. At IU he works for Research Systems and Decision Support, where he performs various tasks to provide a solid infrastructure and secure environment for researchers. Outside of employment Eskimo also does freelance work. He is an avid scripter and automationist.

Don't Drop the SOAP: Real World Web Service Testing for Web Hackers

Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services or with recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed, or don't fully test for real-world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home-grown solutions or, worse yet, production environments.

In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.

Tom Eston is a Senior Security Consultant for SecureState. Tom is a senior member of SecureState's Profiling team, which provides attack and penetration testing services for SecureState's clients. Tom focuses much of his research on new technologies such as social media and mobile devices. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-host of the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups and national conferences including Notacon, OWASP AppSec, DEFCON and ShmooCon.

Twitter: @agent0x0

Joshua "Jabra" Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DEFCON, ShmooCon, The SANS Pentest Summit, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ. He is frequently quoted in the media regarding Microsoft Patch Tuesday and web application security by ComputerWorld, DarkReading and SC Magazine.

Twitter: @jabra

Kevin Johnson is a security consultant and founder of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a certified instructor for SANS and the author of Security 542: Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.

Twitter: @secureideas

"Get Off of My Cloud": Cloud Credential Compromise and Exposure

An Amazon Machine Image (AMI) is a virtual appliance container used to create virtual machines (VMs) within the Amazon Elastic Compute Cloud (EC2). EC2 instances typically interact with a variety of Amazon Web Services (AWS), and as such require access to AWS credentials and private key materials. In this presentation we will explore how AWS credentials and keys may end up being persisted within an AMI. If persisted within a public or shared AMI, these credentials and key materials may be unintentionally shared with 3rd parties. We will discuss the different types of AWS credentials and key materials, how they are used to access different Cloud services, and the risks and potential impacts of compromise of this sensitive information. A new tool, "AMIexposed", will be released that can check an AMI for the most common ways AWS credentials and keys are persisted within an AMI. The results of research using AMIexposed against public AMIs will be presented, helping to quantify the scope and prevalence of AWS credentials and keys exposed within public AMIs. We'll also discuss the risks inherent in trusting public AMIs to be free of backdoors, trojans, and other malicious hitchhikers. Results of an experiment demonstrating these risks will be presented. Finally, the talk will propose best practices for utilizing AMIs. These will include specific steps for ensuring your organization's AWS credentials and key materials are not unintentionally persisted within public or shared AMIs, and recommendations regarding usage of 3rd party public AMIs.

Ben Feinstein is Director of CTU Operations & Analysis with the Dell SecureWorks Counter Threat Unit (CTU). Ben is an author of RFC 4765 and RFC 4767, and has over a decade of experience designing, implementing and operationalizing security-related information systems. His major areas of expertise include network IDS/IPS, digital forensics and incident response, and security operations. Ben has previously presented at Black Hat USA, DEF CON, ToorCon, DeepSec, the U.S. Department of Defense Cyber Crime Conference, and many other events. He is active in his local DEF CON group, DC404.

Jeff Jarmoc: A first time DEF CON presenter, Jeff has been hacking most of his life. He got his start in the early days of the 312 BBS scene, moved on to IRC and USENET, and eventually pursued a career in enterprise infrastructure and security. His latest passion is abusing ubiquitous infrastructure devices and systems in an attempt to bring renewed focus on the security of these systems everyone has come to rely on. Jeff has previously spoken at Black Hat USA. When not abusing software and hardware he enjoys spending time with his wife and daughter.
Twitter: @jjarmoc

Handicapping the US Supreme Court: Can We Get Rich by Forceful Browsing?

Using only script-kiddie skills, it may be possible to handicap the outcome of decisions of national importance. This talk presents a walk-through of a project to make more accurate predictions of US Supreme Court case outcomes. That could be a useful thing, if you had something at stake. Conventional techniques for predicting outcomes rely on legal expertise, knowledge of the policy issues at stake in a case, and the justices' voting records. Forget all that: we're going to see what we can do with perl and XML transcripts of oral arguments. It's only 20 minutes of your life, but it might equip you to astound your lawyer friends, or make some canny investments.

For nearly fifteen years, Foofus has worked in network security, spending most of that time leading the charming and intelligent foofus.net team of penetration testers. Prior research has dealt with software security and trust relationships between systems in large networked environments. In more recent times, Foofus has been enjoying law school, and in particular, finding ways to apply hacker techniques to legal studies.

Getting F***** On the River

Online poker is a multi-million dollar industry that is rapidly growing, but is not highly regulated. There have been "hacks" recently (i.e. weak SSL implementation, superuser account) that have drawn more attention to security in the poker industry, especially as it moves to full regulation in the United States. This talk will cover the technical architecture of online poker, existing security controls, examples of past vulnerabilities, new weaknesses we have discovered in the poker clients and surrounding infrastructure, and next steps of research we are performing in this area.

Mr. Fritschie has been involved in the field of information security for over ten years. He began his career in information technology (IT) as a system administrator for a growing financial company. It was there that he gained a fundamental understanding of all aspects of IT, including network security. Mr. Fritschie then joined the information security consulting practices of KPMG and Deloitte & Touche, leading and performing numerous vulnerability assessments and penetration tests in support of financial audits, GISRA (now FISMA), and other compliance-related efforts. Clients included Fortune 500 companies, civilian agencies, and DOD. Since joining SeNet as the Director of Engineering and Security Assessments, Gus has led several large-scale projects. Some of these projects included enterprise-wide vulnerability assessments for multiple government and commercial clients, management of Certification and Accreditation efforts, and web application penetration tests. He is also an avid poker player, having logged close to a million hands online.

Mike Wright is a senior security engineer who specializes in penetration testing, web application assessments, and breaking stuff. For the past three years, Mike has assisted in enterprise-wide vulnerability assessments as well as C&A engagements for several of SeNet's clients.

Cellular Privacy: A Forensic Analysis of Android Network Traffic

People inherently trust their phones, but should they? "Cellular Privacy: A Forensic Analysis of Android Network Traffic" is a presentation of results from forensically analyzing the network traffic of an Android phone. The results paint an interesting picture. Is Google more trustworthy than the application developers? Are legitimate market apps more trustworthy than their rooted counterparts? Perhaps most importantly, should you trust your passwords, location, and data to a device that shares too much?

Eric Fulton is the Director of Research for Lake Missoula Group, LLC, and a specialist in network penetration testing and web application assessments. In his spare time Eric works with local University students to provide hands-on security training, and conducts independent security research. Eric also publishes network forensics contests on ForensicsContest.com.

UPnP Mapping

Universal Plug and Play (UPnP) is a technology developed by Microsoft in 1999 as a solution for NAT traversal (among other things). This talk explores the exploitation of port mapping services in UPnP/IGD devices from the WAN. It also talks about a tool called Umap to help process the UPnP requests. Attacking UPnP allows attackers to use devices as a proxy that can establish connections to internal and external IP addresses. The software allows scanning internal hosts behind the device's NAT, manual port mapping (WAN to LAN, WAN to WAN), and a SOCKSv4 proxy service that automatically maps requests to UPnP devices. Most UPnP attacks have focused on exploiting UPnP from the LAN side of the device; this talk focuses on attacking from the WAN side. Attackers can use these techniques to hide IP addresses and attack internal hosts behind common household gateway devices.

Daniel Garcia (FormateZ on Undernet) is a security researcher/consultant with 15+ years of experience in security. He also founded Toor, a security consulting group that focuses on penetration testing, secure architectures and application assessments. Aside from security, he has also worked with numerous projects and platforms like DOCSIS, WiMAX, Wi-Fi (city-wide), PLC and DHE.

Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP

Got domain admin to a couple of thousand Windows systems? Got an hour to spare? Steal sensitive data from all of these systems simultaneously in under an hour with OpenDLP.

OpenDLP is an open source, agent-based, massively distributable, centrally managed data discovery program that runs as a service on Windows systems and is controlled from a centralized web application. The agent is written in C, has no .NET requirements, uses PCREs for pattern matching, reads inside ZIP-based files such as Office 2007 and OpenOffice documents, runs as a low-priority service so users do not see or feel it, and securely transmits results to the centralized web application on a regular basis. The web application distributes, installs, and uninstalls agents over SMB; allows you to create reusable profiles, view results in real time, and mark false positives; and exports results as XML.

OpenDLP also supports scanning databases for sensitive information. It can also perform agentless scans of Windows systems over SMB and UNIX/Linux systems over SSH.

Andrew Gavin, creator of OpenDLP, is an information security consultant at Verizon Business. He has more than 11 years of experience in security assessments of networks and applications. He has consulted for numerous customers in various industries around the world.
Twitter: @andrewgavin

Strategic Cyber Security: An Evaluation of Nation-State Cyber Attack Mitigation Strategies

This presentation argues that computer security has evolved from a technical discipline to a strategic concept. The world's growing dependence on a powerful but vulnerable Internet — combined with the disruptive capabilities of cyber attackers — now threatens national and international security.

Strategic challenges require strategic solutions. The author examines four nation-state approaches to cyber attack mitigation.

• Internet Protocol version 6 (IPv6)
• Sun Tzu's Art of War
• Cyber attack deterrence
• Cyber arms control

The four threat mitigation strategies fall into several categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deterrence is a mix of military and political considerations; arms control is a political/technical approach.

The Decision Making Trial and Evaluation Laboratory (DEMATEL) is used to place the key research concepts into an influence matrix. DEMATEL analysis demonstrates that IPv6 is currently the most likely of the four examined strategies to improve a nation's cyber defense posture.

There are two primary reasons why IPv6 scores well in this research. First, as a technology, IPv6 is more resistant to outside influence than the other proposed strategies, particularly deterrence and arms control, which should make it a more reliable investment. Second, IPv6 addresses the most significant advantage of cyber attackers today — anonymity.

Kenneth Geers: PhD, CISSP, Naval Criminal Investigative Service (NCIS), is a Scientist and the U.S. Representative to the NATO Cyber Centre in Tallinn, Estonia. His new book, "Strategic Cyber Security," is a FREE download: http://ccdcoe.org/278.html.

Bulletproofing The Cloud: Are We Any Closer To Security?

Cloud security has come into focus in the last few years; while many ways to break the cloud have been proposed, few solutions have been put forward. This talk is primarily a conceptual discussion on how cloud providers can and should be (but probably are not) protecting both their own and their clients' assets in their cloud implementations. It will discuss the known issues with cloud, and a readily available proposed solution to some of these issues. The presentation will conclude with a demonstration of an actual implementation of this theory at a cloud hosting provider. An understanding of basic network security technology is required.

Ramon Gomez is a Security Professional working for a cloud hosting provider. He has been working in correlation theory for the last 8 years, including time spent working at a prominent North American vendor of SIEM software, providing theory and logic to improve the correlation capabilities of the product. His primary areas of professional expertise are correlation theory and Intrusion Detection/Analysis.

Smile for the Grenade! "Camera Go Bang!"

Cameras are hugely important to urban and suburban battlefields. Reconnaissance is a must-have for commanders, and a force multiplier for actual combat units. A combat-deployable camera system is being developed or used by nearly every military-industrial manufacturer and government agency, ranging from Throwable Camera Balls to Grenade-style launched cameras. But they're expensive and inaccessible to civilians. Would it be possible to build a combat-deployable camera system that would fulfill the mandates of a tactical combat team, feed information to a strategic command center, and force-multiply "on the cheap"?

Vlad Gostom has over 7 years of experience conducting security consulting and penetration testing in the corporate world. He has worked on such diverse projects as the future warrior combat system, wireless triangulation systems, adaptive IDS/IPS systems, network security/penetration testing for Fortune 50 companies, and physical security assessments for banks.
Twitter: @Recompiler

Joshua Marpet: Security is a complex system, with many disciplines and specialized knowledge. Luckily, there's Josh, who's done everything. Ex-cop, blacksmith, pen testing, video surveillance, sales engineering, and well, everything. And now, technological ordnance developer!
Twitter: @Quadling

Represent! Defcon Groups, Hackerspaces, and You.

Fabricating, circumventing, forging, partying, milling, crafting, building, breaking — Defcon Groups have risen, fallen, and endured the last 8 years as decentralized and smoldering embers of the local hacker think-tank. This year Defcon sets out to stoke that fire and unite our groups, at and outside of the conference. The talk will consist of a panel of Defcon Groups leaders, uncovering the secrets and follies of several groups: what makes them work, when do they fail, and ultimately... WTF have these people been doing all this time? Come hear how hackerspaces have influenced these local groups and the cool ways that these groups are propping up the hackerspace. What can you break?

Anch (DC503) - currently rebooting DC503 after its near-death experience, is a part of the unique hacking scene that is Portland.

blakdayz (DC225) - can pwn sh1t from space, master of a harem, original gangster @ Defcon Voicebridge

Anarchy Angel & ngharo (DC414) - Brew city nerds coming together under the dc414 flag to hack the planet

Itzik Kotler (DC9723) - is killing time till the feds arrive. Meanwhile, he is the CTO of Security Art and co-founder of DC9723. In his former life, he was a Software Engineer. People change. Now, I'm a lamp.

Jake "GenericSuperhero" - Representing Black Lodge Research. Hardware, Software, Wetware, Anywhere, Everywhere.

converge (DCG Coordinator) - hermit champion of email harassment and slayer of dead hacker groups; you'll probably see his beard wandering the Defcon landscape in search of booze and fun

Smartfuzzing The Web: Carpe Vestra Foramina

It can be scary to think about how little of the modern attack surface many tools cover. There is no one best tool for the job and on top of that some tools don't do a great job at anything. Often in the hands of general users the capabilities and limitations are not even thought of during testing. Point, click, done. The attack surface of modern web environments as well as their protection mechanisms have become more complicated and yet many tools have not adapted. Hey, Y2K called and it wants some applications tested.

There is certainly no shortage of vulnerabilities in modern web environments, but we should be looking beyond low-hanging fruit at this point. In between fully automated scanners and manual testing lies a sweet spot for the identification of vulnerabilities. Some of the juiciest pieces of information are not found by vulnerability scanners but by humans creating custom tests. This is why the semi-automated testing space is so important. All of this complicated blending of protection mechanisms, services, and RIA technologies means that moving into the area of semi-automated testing can be fraught with failure. We detail how these failures can be avoided and provide a tool that solves some of these problems and also provides analysis for your own tools and scripts. Your web applications have moved on; don't you think it's time your tools did the same?

Nathan Hamiel is a Principal Consultant for FishNet Security's Application Security Practice. He is also an Associate Professor of Software Engineering at the University of Advancing Technology. He spends most of his time focusing on the areas of application, Web 2.0, and enterprise security. Nathan has been a speaker at security events around the world including Black Hat, DefCon, ShmooCon, ToorCon, SecTor, OWASP and many others. He is also a developer of several open source security projects, including pywebfuzz and RAFT.

Gregory Fleischer is a Senior Security Consultant in the Application Security practice at FishNet Security. In his spare time, he likes to find and exploit vulnerabilities in web browsers and client-side technologies such as Java and Flash. He has an interest in privacy and anonymity and has worked with The Tor Project to identify potential issues.

Justin Engler is a Security Consultant for FishNet Security's Application Security practice. His focus is on the security of web applications, web-backed thick clients (desktop and mobile), databases, and industrial control systems. Justin is currently working on the open source RAFT project.

Seth Law is a Principal Consultant for FishNet Security in Application Security. He spends the majority of his time breaking web and mobile applications, but has been known to code when the need arises. Seth is currently involved in multiple open source projects, including RAFT.
Twitter: @sethlaw

Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests

Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests brings the DEF CON 19 audience the most massive collection of weird, downright bizarre, freaky, and altogether unlikely hacks ever seen in the wild. This talk will focus on those complex hacks found in real environments — some in very high-end and important systems — that are unlikely but true. Through stories and demonstrations we will take the audience into a bizarre world where odd business logic flaws get you almost free food [including home shipping], sourcing traffic from port 0 allows ownership of the finances of a nation, and security systems are used to hack organizations.

The SpiderLabs team delivered more than 2300 penetration tests last year, giving us access to a huge variety of systems and services. We've collected a compendium of the coolest and oddest compromises from the previous year to present at DEF CON. Our goal is to show effective attacks, and not the trivial ones that can be found by automated methods. By the end of this presentation we hope to have the audience thinking differently about the systems and applications that organizations use every day, and how they may be used against them.

Rob Havelt is the director of penetration testing at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. Rob has worked with offensive security seemingly forever, and from running a start-up ISP, to working as a TSCM specialist, he's held just about every job possible in the realm of system administration and information security.

Formerly a bourbon-fueled absurdist, raconteur, and man about town, currently a sardonic workaholic occasionally seeking meaning in the finer things in life — Rob is, and will always be, a career hacker.

Wendel Guglielmetti Henrique is a Security Consultant at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. He has over 11 years' experience in Information Technology, of which the last 6 years were dedicated to penetration testing. He has performed security-focused code reviews, secure development training, forensics analysis and security assessments. Wendel has performed countless network, application and web application penetration tests for various organizations across the globe, including government, banking and commercial sectors, as well as the payment card industry.

Recent presentations include Black Hat Arsenal 2010 (USA), OWASP AppSec Research 2010 (Sweden) and Black Hat Europe 2010 (Spain). Previously, Wendel spoke at Troopers 09 (Germany), OWASP AppSecEU09 (Poland) and YSTS 3.0 (Brazil), and has spoken at well-known security conferences such as DEF CON 16 (USA) and H2HC (Brazil).

In 2002, Wendel developed a tool to detect and remove the famous BugBear virus before most of the antivirus companies around the world did. During his career, he has discovered vulnerabilities across a diverse set of technologies including webmail systems, wireless access points, remote access systems, web application firewalls, IP cameras, and IP telephony applications. Some tools he wrote have been used as examples in national magazines like PCWorld Brazil and international ones like Hakin9 Magazine.


From Printer To Pwnd: Leveraging Multifunction Printers During Penetration Testing

In this presentation we go beyond the common printer issues and focus on harvesting data from multifunction printers (MFPs) that can be leveraged to gain access to other core network systems. By taking advantage of poor printer security and vulnerabilities during penetration testing we are able to harvest a wealth of information from MFP devices including usernames, email addresses, and authentication information including SMB, email and LDAP passwords. Leveraging this information we have successfully gained administrative access into core systems including email servers, file servers and Active Directory domains on multiple occasions. We will also explore MFP device vulnerabilities including authentication bypass and information leakage flaws. Tying this all together, we will discuss the development of an automated process for harvesting the information from MFP devices with the updated release of our tool 'PRAEDA'.

Deral Heiland, CISSP, serves as a Senior Security Engineer where he is responsible for security assessments and consulting for corporations and government agencies. In addition, Deral is the founder of Layered Defense Research, a group of security professionals responsible for discovering and publishing multiple vulnerabilities. Deral is also co-founder and president of the Ohio Information Security Forum, a not-for-profit organization that focuses on information security training and education. Deral has also presented at numerous conferences including ShmooCon, DEF CON, AFCEA InfoTech, Ohio Digital Government Summit and the University of Wisconsin Lockdown conference, and has also been a guest lecturer at the Air Force Institute of Technology (AFIT). Deral has over 18 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst, where he was responsible for delivering security guidance and leadership in the area of risk and vulnerability management for a global Fortune 500 manufacturer.


Assessing Civilian Willingness to Participate in On-Line Political and Social Conflict

Changes in the social dynamics and motivations of the hacking community are a potential catalyst that, when combined with the expanding reliance of critical infrastructure components upon networked control systems, may provide the genesis for the emergence of what is being called the civilian cyberwarrior. The emerging visibility and salience of cyber-vulnerabilities within large elements of a nation's critical infrastructure is creating opportunities that are facilitating significant potential shifts in the power relationship between individuals and nation-states. This paper examines some of these shifts in the social dynamics and motivations in the hacking community, their effects on the traditional power differential between individuals and nation-state actors, and discusses the emergence of the civilian cyberwarrior – individuals that are encouraged and emboldened by this transformed power differential to engage in malicious acts against another country's critical infrastructure or even the critical infrastructure of their own country. In particular, this presentation will explore the findings from an international survey of youth to identify the situational and social factors that predict individual willingness to engage in physical and cyberattacks against various targets. The findings will assist researchers, law enforcement, and the intelligence community to proactively anticipate various threat scenarios and develop effective defenses against attacks on- and off-line.

Thomas J. Holt is an Assistant Professor in the School of Criminal Justice at Michigan State University. He received his Ph.D. in Criminology and Criminal Justice from the University of Missouri-Saint Louis in 2005. His research focuses on computer hacking, malware, and the role that technology and computer-mediated communications play in facilitating all manner of crime and deviance. Dr. Holt has been published in numerous academic journals, including Crime and Delinquency, Deviant Behavior, and the Journal of Criminal Justice, is a co-author of the book Digital Crime and Digital Terror, editor of the text Cybercrime: Causes, Correlates, and Context, and co-editor of the forthcoming book Corporate Hacking and Technology-Driven Crime. He is also a regular presenter at Defcon, the Department of Defense Cybercrime Conference, and various regional hacker conferences. Dr. Holt is also the recipient of two grants from the U.S. National Institute of Justice to examine the market for malicious software and the social dynamics of carders and data thieves in on-line markets. Additionally, Dr. Holt is the project lead for the Spartan Devils Chapter of the Honeynet Project, and directs the MSU Open Source Research Laboratory dedicated to exploring the landscape of cyberthreats around the globe through on-line research.

Max Kilger received his doctorate from Stanford University in Social Psychology in 1993. He is a behavioral profiler for the Honeynet Project and contributes additional efforts in the areas of statistical and data analysis. Max has written and co-authored research articles and book chapters in the areas of influence in decision-making, the interaction of people with technology, the motivations of malicious online actors and understanding the changing social structure of the computer hacking community. He was the lead author for the Profiling chapter of the Honeynet Project's book Know Your Enemy (second edition) which serves as a reference guide for information security professionals in government, military and private sector organizations. He also coauthored a chapter examining the vulnerabilities and risks of a cyberattack on the U.S. national electrical grid. His most recent published work is a book chapter on social dynamics and the future of technology-driven crime. He currently is working on two chapters dealing with cyberprofiling for a book on cyber-counterintelligence to be published in early 2012. Max was a member of the National Academy of Engineering's Combating Terrorism Committee, which was charged with recommending counterterrorism methodologies to the Congress and relevant federal agencies. He is a frequent national and international speaker to law enforcement, the intelligence community and military commands as well as information security forums.


An Insider's Look at International Cyber Security Threats and Trends

Verisign iDefense General Manager, Rick Howard, will provide an inside look into current cyber security trends with regard to Cyber War, Cyber Hacktivism, and Cyber Espionage. In this presentation Rick will discuss the current capabilities, tactics, techniques and procedures used by various cyber security cartels in key regions around the world. Finally, Rick will describe the idea of a Cyber Security Disruptor; new ideas, technologies and policies that will fundamentally make us change how we protect the enterprise.

Rick Howard spent the last five years working as the iDefense Intelligence director and is now the general manager of the business. Prior to joining iDefense, Rick led the intelligence-gathering activities at Counterpane Internet Security and ran Counterpane's global network of Security Operations Centers.

He served in the US Army for 23 years in various command and staff positions involving information technology and computer security and spent the last 2 years of his career as the US Army's Computer Emergency Response Team Chief (ACERT). He coordinated network defense, network intelligence and network attack operations for the Army's global network and retired as a lieutenant colonel in 2004.

Rick holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the US Military Academy. He also taught computer science at the Academy from 1990 to 1995. He has published many academic papers on technology and security and has contributed as an executive editor to two books that Verisign iDefense personnel have written: "Cyber Fraud: Tactics, Techniques and Procedures" and "Cyber Security Essentials."
Twitter: @raceBannon99


Anonymous Cyber War

This talk will educate listeners on best practices for safety and privacy on the Internet. It aims to demonstrate the improbability of staying anonymous while engaging in group or social activities on the Internet, and especially while engaging in criminal activities as a group.

This talk will reveal how Hubris, A5h3r4h, and Backtrace security staged a cyber war against anonymous, using Anonymous' own methods, and how key operatives in anonymous were exposed, scattered and neutralized. In short, how a handful of bored social engineers with no material resources used trolling, social engineering, and the magic of Google to derail an army of out of control btards with a dose of virtual Ritalin.

We will also provide an explanation of how different organizations (and even non-organizations) have their own "signature" beliefs and behaviors and how they can be used against them.

Hubris: Director Strategic Operations for Backtracesecurity. Former military specialized in electronic warfare. Currently monitoring anonymous actions.

a5h3r4h: Director of Psychological Operations. Many previous lectures in the area of psychological warfare.


Economics of Password Cracking in the GPU Era

As the shift to "General Computing" and working in the cloud has accelerated in the last 4 years, so has the ability to take advantage of these technologies from an Information Security vantage point. This could not be more apparent than with the sudden uptick in GPU-based password cracking technologies. In this presentation we will explore where the current GPU cracking technologies are, what their costs are to implement, and how to deploy and execute them (with demo). Most importantly, we will demonstrate the "brute force calculator" which can assist with getting your money's worth. Finally, we will explore where the future lies for this medium and what that means for safe passwords moving into the next decade.

Robert has been working in Information Security for over 12 years. In his travels he was one of the first to publicly demonstrate the downfalls of credit card security in merchant environments. Next, after 2½ years of research, he demonstrated "whitelist" based IDPS technology embedded within web-based code to protect against and detect XSS and Injection Attacks in real time. Later, he developed and implemented highly customized DNS logging integrated with real-time IDPS technology for protection against 0-day malware threats. He currently is working on a SV Hacker Space and various WiFi security shenanigans.
Twitter: @hackajar
Facebook: www.facebook.com/hackajar
Skype: hackajar


Jugaad – Linux Thread Injection Kit

Windows malware conveniently uses the CreateRemoteThread() API to delegate critical tasks inside of other processes. However, until now there has been no API on Linux to perform such an operation. This paper talks about my work on creating an API similar to CreateRemoteThread() on *nix OSes. The kit currently works on Linux, allocates space inside a process and injects and executes an arbitrary payload as a thread in that process. It utilizes the ptrace() functionality to manipulate other processes on the system. ptrace() is an API generally used by debuggers to manipulate (debug) a program. By using the same functionality to inject and manipulate the flow of execution of a program, Jugaad is able to inject the payload as a thread.

There is another awesome tool, injectSo, that injects a whole library into a process; however, it leaves traces like the name and path of the injected library which can easily be found by reading the process maps file. Jugaad does an in-memory thread injection and hence is stealthier, as there are no traces of any library found in the maps file. It does, however, allocate memory in the process using the mmap2 system call, which only shows up as allocated memory in the maps file but does not reveal anything about the injection. The payload to be executed runs inside the thread and is independent of the kit - you choose your payload, Jugaad injects the payload.

Aseem Jakhar is an independent security researcher with 7 years of experience in system programming, security research and consulting. He has worked on various security software including UTM appliances, messaging/security appliances, anti-spam/antivirus engines, a multicast packet reflector, a transparent HTTPS proxy with captive portal, and a Bayesian spam filter, to name a few.

He has been a speaker at various security conferences like Xcon 2009, Blackhat EU 2008, Clubhack 2008/2009/2010, IBM Security and Privacy 2009, Cocon 2010, ISACA Bangalore 2010, Gnunify 2007/2009/2011.

He is the founder of null - The open security community (a registered non-profit organization, http://null.co.in), the largest security community in India. null is now planning to expand outside India as well. Currently he is working full-time on null initiatives. One of the null initiatives is the nullcon security conference (http://nullcon.net), which is a favourite go-to destination of hackers and security professionals in the Indian sub-continent. Before starting on his own he was working with IBM.
Twitter: @aseemjakhar


The Art of Trolling

Trolling is something that today has a very negative connotation on the Internet and in the common usage of the word outside of it. However, for better or worse, trolling has long enjoyed a close relationship with hacking, be it in the area of information security or simply in technology development. I intend to delve into the definition of a troll, the history of trolling in human culture (as well as its contributions), and the techniques that are generally exploited by trolls to realize their intended goals. There will be several past projects that I classify as successful trolls that I will use as object lessons in the practical application of the discussed techniques. Trolls span the gaps between hardware and software projects and at times can carry a variety of "payloads".

Matt 'openfly' Joyce is pretty well known in some circles for having amassed a rather staggeringly large number of klines, olines, ilines, and glines in his many years on IRC. In addition to IRC bans, he has been firewalled from Fark, physically barred from attending the HOPE conference, and once introduced in a videocasted Unreal 2004 competitive gaming tournament as "the guy that has been banned from just about every server and forum known to the internet". In addition to this staggering list of anti-accomplishments, Matt has been an invited member of NYC Resistor, a Maker, and an all around great person whom many ladies would love to share their special lady parts with. He also works on open source federal cloud platforms, fonera2.0n images for the ChaosVPN project and occasionally spends time in the company of puppies. In his free time, Matt loves drinking single malt scotch while discussing the markets of the orient, from the confines of exclusive gentlemen's clubs. This talk is dedicated to the memory of Macho Man Randy Savage and Ronald Reagan.


Black Ops of TCP/IP 2011

Remember when networks represented interesting targets, when TCP/IP was itself a vector for messiness, when packet crafting was a required skill? In this thoroughly retro talk, we're going to play with systems the old fashioned way, cobbling together various interesting behaviors with the last few shreds of what low level networking has to offer. Here's a few things to expect:

• IPv4 and IPv6 Fragmentation Attacks, Eight Years In The Making
• TCP Sequence Number Attacks In Modern Stacks
• IP TTLs: Not Actually Expired
• Inverse Bug Hunting: More Things Found On The Open Net
• Rebinding Attacks Against Enterprise Infrastructure
• BitCoin: Network Manipulation for Fun And (Literal) Profit
• The Net Neutrality Transparency Engine

DNS might show up, and applications are going to be poked at. But this will be an old style networking talk, through and through.

Dan Kaminsky Bio to come


Hacking Your Victims Over Power Lines

When performing penetration tests on the internal network in conjunction with physical pentests, you're always concerned about being located. Let's remove that barrier and perform your penetration tests over power lines and never be detected. In this presentation we'll cover how you can perform full penetration tests over the power lines and hack into home automation systems. Home automation has been gaining momentum not only in small homes but in large companies and organizations. There's a huge variety of solutions out there, both open-source and "proprietary", that provide these solutions to your homes and businesses. Home automation gives us several things, for example full-fledged 85 Mbps networks, security systems, lights, windows, HVAC, doors, and cameras, and they are all generally done through the power lines or through short-wave wireless communications. So let's break it.... During this presentation we'll be going over the non-existence of security over these devices, show proof-of-concept demonstrations on hacking these devices, and while we're at it, demonstrate how to disable all security mechanisms that use the different protocols like X10.

Dave Kennedy (ReL1K) is a Director of Information Security for a Fortune 1000 company and the founder of DerbyCon. David is a penetration tester that likes to write code, break things, and develop exploits. Dave is on the Back|Track and Exploit-Database development team and the co-host of the Social-Engineer podcast, and started the first Offensive-Security Ohio Chapter. David continues to contribute to a variety of open-source projects. David has had the privilege of speaking at some of the nation's largest conferences on a number of occasions, including BlackHat, Defcon and Shmoocon. David is the creator of the Social-Engineer Toolkit (SET), Fast-Track, modules/attacks for Metasploit, and has released a number of public exploits. David heavily co-authored the Metasploit Unleashed course available online and has a number of security-related white papers in the field of exploitation. David is the author of the book "Metasploit: A Penetration Tester's Guide". Lastly, David worked for three-letter agencies during his U.S. Marine career in the intelligence field, specializing in red teaming and computer forensics.
Twitter: @dave_rel1k


Tracking the Trackers: How Our Browsing History Is Leaking into the Cloud

What companies and organizations are collecting our web-browsing activity? How complete is their data? Do they have personally-identifiable information? What do they do with the data?

The speaker, an ex–Google and DoubleClick engineer, will answer these questions by detailing the research he did for The Wall Street Journal (http://j.mp/tttwsj) and CNN (http://j.mp/tttcnn), talking about the crawler he built to collect reverse-tracking data, and launching a tool you can use to do your own research.

Brian Kennish is the developer of Disconnect (http://j.mp/dchrome) and Facebook Disconnect (http://j.mp/fbdisconnect), browser extensions that stop tracking by third parties and search engines, and founder of Disconnect, Inc. (http://disconnect.me/), a startup that makes tools to help people understand and control the data they share online. Brian was an early DoubleClick and Google engineer, writing web and mobile ad servers for DoubleClick then working on AdWords, Wave, and Chrome for Google. He has spoken at SXSW Interactive, CTIA Wireless, Google I/O, Launch, and pii.
Twitter: @byoogle


Hacking and Securing DB2 LUW Databases

DB2 for Linux, Unix and Windows is one of the databases about which only a little information on security problems is available. Nevertheless, DB2 LUW is installed in many corporate networks and, if not hardened properly, could be an easy target for attackers. In many aspects DB2 is different from other databases, starting at the user management (normally no users/passwords in the database) through to the privilege concept.

With the latest versions, DB2 LUW has become more and more similar to Oracle (views, commands, concepts to make more stuff query-able from the database) and even allows running PL/SQL code from Oracle databases. IBM is also cloning the insecure configuration from Oracle by granting a lot of the PL/SQL packages to PUBLIC.

This talk will give a quick introduction into the DB2 architecture, differences to other relational database systems and the most common DB2 configuration problems.

A list of available exploits and typical pentester questions (how can I run OS commands, how can I access the network or file system) will also be covered.

This talk will also demonstrate SQL injection in stored procedure code inside of the database (SQL/PL and PL/SQL), how to find, exploit and fix it.

The last part covers the hardening of DB2 databases.

Alexander Kornbrust is the founder of Red-Database-Security, a company specialized in database security. He provides database security audits, security training and consulting to customers worldwide. Alexander has audited 3000 Oracle, DB2 and MSSQL instances over the last years. Alexander is also the co-author of the book "SQL Injection Attacks and Defense".

Alexander has worked since 1992 with Oracle and his specialties are the security of databases and secure software architectures. In the last 7 years Alexander has reported more than 1200 security bugs to Oracle and has given various presentations at security conferences like Black Hat, Defcon, Bluehat, HITB, ...
Twitter: @kornbrust


Sounds Like Botnet

VoIP is one of the most widely-used technologies among businesses and, increasingly, in households. It represents a combination of Internet technology and phone technology that enhances and expands the possibilities of both. One of these possibilities involves using it for botnet command and control infrastructure and a data exfiltration vector.

The concept of a VoIP botnet is to operate in closed networks with limited access and the potential of censorship, using everyday telecommunication and telephony services such as voicemail, conference calls, voice and signaling information.

Moshi Moshi is a proof of concept VoIP Botnet that allows the operator to dial in from a pay phone or mobile phone, and get shell access and exfiltrate data from the bots.

This presentation will discuss and demonstrate the use of VoIP technology to create "Moshi Moshi"; we also explore some interesting properties of VoIP-based botnets.

Additionally, we will discuss mitigating factors and measures that VoIP providers should implement in order to prevent further VoIP abuse.

Itzik Kotler serves as Security Art's Chief Technology Officer and brings more than ten years of technical experience in the software, telecommunications and security industries. Early in his career, Itzik worked at several start-up companies as a Security Researcher and Software Engineer. Prior to joining Security Art, Itzik worked for Radware (NASDAQ: RDWR), where he managed the Security Operation Center (SOC), a vulnerability research center that develops update signatures and new techniques to defend against known and undisclosed application vulnerabilities. Itzik has published several security research articles, and is a frequent speaker at industry events including Black Hat, RSA Conference, DEF CON and Hackito Ergo Sum.

Twitter: @itzikkotler
Skype: itzikkotler
LinkedIn: http://il.linkedin.com/in/itzikk

Iftach Ian Amit: With over a decade of experience in the information security industry, Iftach Ian Amit brings a mixture of software development, OS, network and Web security expertise as Vice President Consulting to the top-tier security consulting firm Security-Art. Prior to Security-Art, Ian was the Director of Security Research at Aladdin and Finjan, leading their security research while positioning them as leaders in the Web security market. Ian has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, developing new techniques for attack interception, and as a director at Datavantage, responsible for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet Applications as well as the UNIX departments at the security consulting firm Comsec. Ian is a frequent speaker at leading industry conferences such as BlackHat, DEF CON, Infosec, Hacker-Halted, FIRST, BruCon, SOURCE, ph-neutral, and many more. Ian holds a Bachelor's degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzliya.
Twitter: @iiamit
Skype: iamit.org


DCFluX in: License to Transmit

When cell phones, land lines and the internet break down in a disaster, Amateur radio is there. Considered to be one of the earliest forms of Hacking, this talk will take a look at some of the things that can be done if you are a licensed amateur radio operator.

Matt Krick "DCFluX" is Chief Engineer of New West Broadcasting Systems, Inc., Operators of broadcast stations KGMN-FM, KZKE-FM, KYET-AM and KKAX-LP. He has worked in the field of broadcasting since 1998, specializing in all aspects of broadcast engineering, video editing and electronics.


Balancing The Pwn Trade Deficit – APT Secrets in Asia

Last year, we gave a talk on China-made malware at both Blackhat and DEFCON, which was appreciated by various parties, and we would like to continue this effort and discuss APT attacks in Asia this year. However, case studies are not our main dish this time; we will carry out technical analysis of the samples. I have worked with 2 Taiwanese researchers and would like to talk about how to automate APT attack analysis with our analysis engine, Xecure, and give a comparison between samples from various Asian countries, with similarity and difference analysis among them, which could be insightful to the audience. Finally, we will talk about our contribution to the rules and signatures to detect APT attacks.

Anthony Lai (aka Darkfloyd) has worked on code audit, penetration testing, crime investigation and threat analysis and has acted as a security consultant in various MNCs. Anthony has worked with researchers to give talks about Chinese malware and Internet censorship at Blackhat 2010 and DEFCON 18. His interests lie in studying exploits, reverse engineering, analysing threats and joining CTFs; it would be nice to keep going and boost this China-made security wind in the malware analysis and advanced persistent threat areas. He founded VXRL (Valkyrie-X Security Research Group) in Hong Kong, which keeps connecting to and working with various prominent and respectable hackers and researchers.
Twitter: @anthonation
Facebook: Anthony Lai

Benson Wu focuses his research on detecting and countering advanced persistent threats, code review, secure coding and SDLC process implementation. He graduated from National Taiwan University with a PhD in Electrical Engineering and from National Chiao-Tung University with an MS in Computer Science, and holds ECSP, CEI and CSSLP certifications. Currently, he is with Xecure Lab as Lead Security Researcher, and with the Research Center for Information Technology Innovation, Academia Sinica, as a postdoctoral researcher. He has spoken at NIST SATE 2009, DEFCON 18 (with Birdman), OWASP China 2010, BoT (Botnets in Taiwan) 2011 and HIT (Hacks in Taiwan) 2011, and has written the "Web Application Security Guideline" for the Taiwan government since 2007.

Jeremy Chiu (aka Birdman) has more than ten years of experience with host-based security, focusing on kernel technologies for both the Win32 and Linux platforms. In early 2001 he created Taiwan's first widespread trojan, BirdSPY. The court dropped charges after Jeremy committed to allocate part of his future time to assist Taiwan law enforcement in digital forensics and incident response. Jeremy specializes in rootkit/backdoor design. Jeremy also specializes in reverse engineering and malware analysis, and has been contracted by law enforcement to assist in forensics operations. Jeremy is a sought-after speaker for topics related to security, kernel programming, and object-oriented design; in addition to frequently speaking at security conferences, Jeremy is also a contract trainer for law enforcement, intelligence organizations, and conferences such as DEFCON 18, SySCAN (09 08), Hacks in Taiwan (07 06 05), HTICA (06 08) and OWASP Asia (08 07). In 2005, Jeremy founded X-Solve Inc. and successfully developed forensics and anti-malware products. In July 2007, X-Solve was acquired by Armorize Technologies. In Oct 2010, he left Armorize and created a new research team, Xecure-Lab.

Peikan (aka PK) has intensive computer forensics, malware and exploit analysis and reverse engineering experience. He has been a speaker at SySCAN and HIT (Hacks In Taiwan) and has delivered various trainings and workshops for practitioners.


And That's How I Lost My Eye: Exploring Emergency Data Destruction

Are you concerned that you have become a subject of unwarranted scrutiny? Convinced that the black helicopters are incoming and ruthless feds are determined to steal your plans of world domination? This talk explores several potential designs for quick and ruthless destruction of data as a last resort, a break-glass-in-case-of-emergency type of situation. Projectiles and chemical warfare will be involved along with other methods. Each method carries risk, reward, and near certainty of bodily harm. You might lose an eye, but you will keep your freedom with these techniques and remain to fight another day.

Shane Lawson is a Senior Security Engineer for Tenacity Solutions, Inc. He creates and tests secure network solutions for various commercial and government clients, advises on security policy development, and provides physical security guidance to multiple clients. Prior to this, he was a senior technical advisor for multiple US Navy carrier and expeditionary strike groups, specializing in information security and joint communications. Shane is a US Navy veteran, where he served as an information systems security manager and communications watch officer for over ten years. In his spare time he is actively involved in physical security research and exploitation and is a member of the Fraternal Order of Locksport (FOOLS).
Twitter: @valanx

Bruce Potter is the chief technologist and cofounder of Ponte Technologies. Prior to founding Ponte Technologies, Mr. Potter served as a Senior Associate at Booz Allen Hamilton for almost four years, where he led a team focusing on emerging technologies such as wireless security, software assurance, trusted computing, and advanced computer network defense capabilities. In his role at Booz Allen, Mr. Potter served as a technologist overseeing a variety of client engagements as well as managing the day-to-day operations and logistics of his team. Prior to joining Booz Allen, Mr. Potter held several jobs focused on security and network operations, including managing network and security operations for Network Solutions and serving as CTO for a transaction processing startup in Anchorage, Alaska. Mr. Potter has coauthored a number of books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published through O'Reilly. Mr. Potter also regularly writes articles and presents at a wide variety of security conferences. Mr. Potter is the founder of The Shmoo Group of security, crypto, and privacy professionals. Through The Shmoo Group, Mr. Potter assists with a number of open source projects and the yearly ShmooCon security conference held in Washington, DC.
Twitter: @gdead

Deviant Ollam is a value-sized bucketful of free fun who enjoys all things related to physical security and many things that aren't. Among the non-lock and non-gun things that he adores are taro smoothies, reindeer meat, jersey-knit bedsheets, and surprise hugs. He will totally rock on in karaoke at everything from the Ramones to the Grateful Dead to Joan Jett to Frank Sinatra to Lynyrd Skynyrd so hand him a drink and pass him the microphone.
Twitter: @deviantollam


I'm Your MAC(b)Daddy

The field of Computer Forensics moves more and more in the direction of rapid response and live system analysis every day. As breaches and attacks become more and more sophisticated, responders need to continually re-examine their arsenal for new tactics and faster ways to process large amounts of data. Timelines and super-timelines have been around for a number of years, but new software and techniques bring them back into play for Incident Response and live analysis instead of static postmortem forensics. Add in identification of anti-forensics techniques and you gain a whole new view of forensic timelines.

Grayson Lenik is a Security Consultant at Trustwave and a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years of System Administration experience including 6 years with American Express/IBM Global Services at one of the largest data centers in the world. Prior to his career in IT he was an Aviation Electronics Technician in the United States Navy forward deployed on board the USS Kitty Hawk and USS Independence. Grayson is a Microsoft Certified Systems Engineer (MCSE), a GIAC Certified Forensic Analyst (GCFA) and a Qualified Security Assessor (QSA). He is working towards the CISSP certification and a Bachelor's in Information Security. Grayson authors the computer forensics blog "An Eye on Forensics".


Don't Fix It In Software

At Defcon 17, when a speaker didn't show, a bottle of vodka was offered to whoever gave an impromptu talk. Somebody went up and talked about his robot project. He mentioned that it didn't normally drive straight, and talked about all the software solutions he had tried to fix this. I was reasonably intoxicated and wound up shouting at him over the crowd that it did not drive straight because of his drive base design, and not his software. This led to questions, which eventually led to a rant about all of the dumb things people who are brilliant in software do wrong in hardware, and then try to fix using more software. Sadly a scoundrel absconded with my vodka, but a goon took me aside, said the information was great, and told me to submit it as a full talk. Now I am.

This talk will cover material assuming the average audience member is a relatively intelligent coder with a high-school physics/math background and has seen linear algebra / calculus before. The intent is to navigate people new to robotics around many lessons my teams and I learned the "hard way," and to give them all the words to look up on Wikipedia to help bridge the gap between amateur and novice professional robotics. It will not cover why your Arduino doesn't work when you plugged your USB tx into your RS232 tx.

Katy Levinson worked as the Software Lead on the Lunar Micro Rover project at NASA Ames. This work earned her Best Team Lead for the Ames Robotics Academy. The portions of her work done while completing her Bachelor's in Computer Science at Worcester Polytechnic Institute won her WPI's Honorable Mention for her Major Qualifying Project. She has been a team member for four competitive seasons of FIRST Robotics, mentored an additional one, helped found five more and mentored them through a full competitive season, earning her a Recognition Award from the Worcester Public Schools and a Team Mentorship Award from the Washington State FLL for her work mentoring students. She co-founded a robotics science camp at 16. She is now a software engineer at Google and a director at the Hacker Dojo, a hackerspace in Mountain View, California.


PIG: Finding Truffles Without Leaving A Trace

When we connect to a network we leak information. Whether obtaining an IP address, finding our default gateway, or using Dropbox, there are packets that can be used to help identify more about our machine and network. This talk and series of demonstrations will help you learn to passively profile a network through a new Metasploit module by gathering broadcast and multicast traffic, processing it, and looking at how the bad guys will use it to own your network. Without sending a packet, many networks divulge significant information about the assets that are attached. These broadcast packets can be used to identify hosts, OSes, and other hardware that is attached. Any skill level can learn how to easily gather and use this information, how to protect your network, and how to extend the framework for new protocols.

Ryan Linn is a Senior Security Consultant with Trustwave's SpiderLabs who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit, Dradis and the Browser Exploitation Framework (BeEF).
Twitter: @sussurro


Hacking and Forensicating an Oracle Database Server

David Litchfield is recognized as one of the world's leading authorities on database security. He is the author of Oracle Forensics, the Oracle Hacker's Handbook, the Database Hacker's Handbook and SQL Server Security and is the co-author of the Shellcoder's Handbook. He is a regular speaker at a number of computer security conferences and has delivered lectures to the National Security Agency, the UK's Security Service, GCHQ and the Bundesamt für Sicherheit in der Informationstechnik in Germany.


Johnny Long and Hackers for Charity

Picking on charities is just plain rude. Thankfully, that's not what we're about. We're about proving that hackers have amazing skills that can transform charitable organizations.

We're about stepping into the gap to feed and educate the world's most vulnerable citizens. We are virtual, geographically diverse and different.

We've fed thousands of families through our "food for work" program. We build computer labs to help students learn skills and land jobs that are key to disrupting poverty's vicious cycle. We provide technical assistance to charities and non-profits that cannot afford IT services. We provide job experience and references to our volunteers.


Pervasive Cloaking

What Cloak? Recent policy proposals from the US Executive seem to call for government support for strong encryption use by individuals and vendors in the name of protecting privacy and anonymity. Yet strong encryption is still considered a controlled resource, requiring explicit permission to import or export from the US. This is also true for other countries. This talk will try to couch these proposals in light of past crypto rules, illuminate some possible ways forward, and touch on the advantages of and weaknesses inherent in a global cyber domain that has interoperable, strong crypto based encryption capabilities for the masses.

Bill Manning has been involved in data communications and Internet protocol design and operations for the past 25 years. He ran one of the first DNSSEC enabled environments, circa 1998, and as such was affected by the difficulties in getting crypto source code released for global use.


We're (The Government) Here To Help: A Look At How FIPS 140 Helps (And Hurts) Security

Many standards, especially those provided by the government, are often viewed as more trouble than actual help. The goal of this talk is to shed a new light onto one such standard (FIPS 140) and show what it is intended for and how it can sometimes help ensure good design practices for security products. But everything is not roses, and there are certain things that these standards cannot help with or may even inhibit. By examining these strengths and potential weaknesses, the hope is that everyone will have a new opinion of this and similar standards and how they are used.

Joey Maresca is a security analyst/engineer with a background in computer hardware and software, including a BS in Electrical and Computer Engineering from The Ohio State University.

In a past life he worked at the US Patent Office; while not the most exciting job, it was an informative experience. Over the past five years he has worked in the security field with a primary focus on FIPS 140 testing and validations. This has allowed him inside access to dozens of commercial products.
Twitter: @l0stkn0wledge


SSL And The Future Of Authenticity

In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well as the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it's amazing that SSL has endured for as long as it has, some parts of it -- particularly those concerning Certificate Authorities -- have always caused some friction, and have recently started to cause real problems. This talk will examine authenticity within SSL, shed new light on the current problems, and cover some new strategies for how to move forward.

Moxie Marlinspike Bio to come


Hacking .Net Applications: The Black Arts

This presentation will cover the Black Arts of making Cracks, KeyGens, Malware, and more. The information in this presentation will allow a .NET programmer to do unspeakable things to .NET applications. I will cover the life cycle of developing such attacks and overcoming common countermeasures meant to stop them. New tools to assist in the attacks will be supplied. This presentation will focus on C# but applies to any application based on the .NET framework.

Jon McCoy is a .NET Software Engineer who focuses on security and forensics. He has worked on a number of Open Source projects ranging from hacking tools to software for paralyzed people. With a deep knowledge of programming under the .NET Framework, he has released new attacks on live applications and the .NET Framework itself. He provides consulting to protect .NET applications.


Covert Post-Exploitation Forensics With Metasploit

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the "subject" (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data that is being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit. In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystems with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.

Wesley McGrew is currently a lecturer and researcher at the National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. He has interests in both penetration testing and digital forensics, resulting in some interesting combinations of the two. He has written tools useful to both fields (NBNSpoof, msramdmp, GooSweep), and tries to stay involved and interactive with the online infosec community.

Twitter: @mcgrewsecurity


Vulnerabilities of Wireless Water Meter Networks

Why research wireless water meters? Because they are a potential security hole in a critical infrastructure, which can lead to a potential leakage of private information, and create the potential to steal water by lowering water bills? Because it's a technology that's all around us but seems too mundane to think about? Because a hacker can't resist exploring technology to see how it works and how to break it, because it is there? In this talk the speaker, who managed a small water system for 13 years, will first present an overview of drinking water security, review reported water system security incidents and the state of drinking water security over the past year, and will then take a deep dive into the hardware, software, topology, and vulnerabilities of wireless water meter networks and how to sniff wireless water meter signals.

John McNabb, an IT pro for more than 6 years, also served as an elected Water Commissioner for a small New England town for 13 years. John has been actively researching security issues for drinking water systems for many years, and presented talks at DEF CON 18 and Shmoocon 18 on the subject. He has also presented talks on the environmental impacts of IT at The Next Hope and Phreaknic 14. John is a long-time science fiction fan and has been working on a few SF short stories he hopes to submit some day for publication.


Battery Firmware Hacking

Ever wonder how your laptop battery knows when to stop charging when it is plugged into the wall, but the computer is powered off? Modern computers are no longer just composed of a single processor. Computers possess many other embedded microprocessors. Researchers are only recently considering the security implications of multiple processors, multiple pieces of embedded memory, etc. This paper takes an in-depth look at a common embedded controller used in Lithium Ion and Lithium Polymer batteries; in particular, this controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.

In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire.

Charlie Miller is Principal Research Consultant at Accuvant Labs. He was the first with a public remote exploit for both the iPhone and the G1 Android phone. He won the CanSecWest Pwn2Own competition for the last four years. He has authored two information security books and holds a PhD from the University of Notre Dame.


DEF CON Comedy Jam IV, A New Hope For The Fail Whale

We're baaaaaack! The most talked about panel at DEF CON! Nearly two hours of non-stop FAIL. Come hear some of the loudest mouths in the industry talk about the epic security failures of the last year. We'll be covering mobile phones, cloud, money laundering and food cooked on stage to name just a few topics. Nothing is sacred not even each other. Come for the FAIL stay for the crepes!

David Mortman runs Operations and Security for C3, LLC and is a Contributing Analyst at Securosis. He was formerly the Chief Information Security Officer for Siebel Systems, Inc. Previously, Mr. Mortman was Manager of IT Security at Network Associates. Mr. Mortman has also been a regular panelist and speaker at RSA, Blackhat, DEF CON and Source Boston. Mr. Mortman sits on a variety of advisory boards including Qualys. He holds a BS in Chemistry from the University of Chicago. David writes for the Securosis, Emergent Chaos and New School blogs. David was an editor for the 2nd Ed. of the Cloud Security Alliance Guidance.
Twitter: @mortman

Rich Mogull Swim. Bike. Run. Kick. Punch. Code. Write.

Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago, designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents (http://www.robertgraham.com/pubs) and is a frequent speaker at conferences. Prior to founding Errata Security he co-founded, was the CTO of, and was chief architect at Network ICE (now owned by ISS-IBM).


Blinkie Lights: Network Monitoring with Arduino

Remember the good old days, when you'd stare at Rx and Tx on your shiny new Supra 1200bps modem, and actually know what the heck was going on? Systems tend to talk a lot more nowadays, and somewhere along the line I completely lost track of who mine hangs out with. And I kind of miss my blinkie lights.

But we live in a world of Arduino and cheap LEDs — maybe there's a way to play with electronics, talk about security, and show the kids a thing or two — all at the same time. Imagine if one of those USB toys on your desk could actually give you an indication of which countries you were trading packets with, or alert you to unusually long-running sessions. 'cerealbox' will demonstrate how an 8x8 multicolor LED matrix, Arduino, and a network monitoring program can be used to make an LED-based sniffer for around $60. And if that doesn't sound interesting, just wait until you see Port Scan Inferno.

Steve Ocepek was one of the original team behind Wholepoint, a computer security consultancy that later merged with Trustwave. As Director of Security Research for Spiderlabs, he is in charge of all signature development for all products, maintaining and updating open source projects, researching new threats, providing intelligence to premier clients, pursuing security advisories, and supporting other SpiderLabs teams during technical engagements.

Ocepek's accomplishments include discovering and patenting a new method of detecting wireless clients from the wired network, as well as creating the "thicknet" framework to analyze protocols for Man-in-the-Middle attack surface. He has been featured as a keynote speaker at industry conferences such as Blackhat in both the USA and Europe, and OWASP AppSec.

Ocepek is a Certified Information Systems Security Professional (CISSP) and a member of Northeast Ohio Information Security Forum.
Twitter: @nosteve


Ask EFF: The Year in Digital Civil Liberties

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Opsahl has counseled numerous computer security researchers on their rights to conduct and discuss research. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal, which established the reporter's privilege for online journalists.

Kevin Bankston is a Senior Staff Attorney for the Electronic Frontier Foundation (EFF) and a former Nonresidential Fellow at Stanford Law School's Center for Internet and Society, specializing in free speech and privacy law with a focus on government surveillance, Internet privacy, and location privacy. He regularly litigates issues surrounding location privacy and electronic surveillance, and is currently a lead counsel in EFF's lawsuits against the National Security Agency and AT&T challenging the legality of the NSA's warrantless wiretapping program. From 2003-05, he was EFF's Equal Justice Works/Bruce J. Ennis Fellow, studying the impact of post-9/11 anti-terrorism surveillance initiatives on online privacy and free expression. Before joining EFF, he was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union, where he litigated Internet-related free speech cases. He received his J.D. in 2001 from the University of Southern California and his undergraduate degree from the University of Texas.

Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she focuses on computer crime and security, electronic privacy, free expression, and other digital civil liberties issues. She is also a non-residential fellow at Stanford Law School's Center for Internet and Society and a social media columnist for California Lawyer magazine. Prior to joining EFF, Marcia was staff counsel and director of the Open Government Project at the Electronic Privacy Information Center (EPIC).

Hanni Fakhoury is a Staff Attorney with the Electronic Frontier Foundation focusing on the intersection of technology and criminal law within the Coders Rights Project. Prior to joining EFF, Hanni worked as a federal public defender in San Diego. In less than four years, he tried fourteen felony jury and bench trials and argued before the Ninth Circuit Court of Appeals four times, winning three reversals, including a published reversal in U.S. v. Sandoval-Gonzalez. He also served as a copy editor for the 2010 edition of Defending a Federal Criminal Case. While in law school, Hanni worked at the federal public defender's office in Sacramento, where he obtained acquittals in one jury trial and two bench trials. Hanni is a graduate of UC Berkeley, where he received two degrees, including an honors degree in history, and Pacific McGeorge School of Law, where he was elected to the Order of Barristers for his excellence in written and oral advocacy. Hanni is a member of the National Association of Criminal Defense Lawyers.

Peter Eckersley is a Staff Technologist for the Electronic Frontier Foundation. He keeps his eyes peeled for technologies that, by accident or design, pose a risk to computer users' freedoms and then looks for ways to fix them. He explains gadgets to lawyers, and lawyers to gadgets. Peter is currently putting the finishing touches to a PhD on digital copyright policy with the Intellectual Property Research Institute of Australia and the computer science department at the University of Melbourne. His doctoral research focused on the practicality and desirability of using "virtual market" public funding systems to legalize P2P file sharing and similar distribution tools while still paying authors and artists for their work.

Rebecca Reagan is the Intake Coordinator at EFF and is the first point of contact at EFF for many people. Prior to coming to EFF, Rebecca directed the federally-funded Congress-Bundestag Youth Exchange for Young Professionals, worked in employee benefits consulting and software project management, and was a participant in the Robert Bosch Foundation Fellowship Program, through which she worked for Karsten Voigt, the Coordinator of German-American Cooperation for the German Foreign Ministry.


Hacking Google Chrome OS

Google recently announced Chrome OS powered computers, called Chromebooks, at Google I/O, and the company is getting ready to market them to businesses as well as consumers. What's different about Chrome OS and Chromebooks, other than the entire user experience taking place exclusively in a Web browser (Google Chrome), is that everything takes place in the cloud. Email, document writing, calendaring, social networking - everything. From a security perspective this means that all website and Web browser attack techniques, such as Cross-Site Scripting, Cross-Site Request Forgery, and Clickjacking, have the potential of circumventing Chrome OS's security protections and exposing all of the user's data.

Two members of the WhiteHat Security's Threat Research Center, Matt Johansen and Kyle Osborn, have spent months hacking away on Google's Cr-48 prototype laptops. They discovered a slew of serious and fundamental security design flaws that with no more than a single mouse-click may victimize users by:

• Exposing all user email, contacts, and saved documents.
• Conducting high-speed scans of their intranet and revealing active host IP addresses.
• Spoofing messages in their Google Voice account.
• Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains.

While Chrome OS and Chromebooks have some impressive and unique security features, they are not all-encompassing. Google was informed of the findings; some vulnerabilities were addressed and bounties generously awarded, but many of the underlying weaknesses yet remain -- including the ease with which malicious extensions can be made available in the WebStore, the ability for payloads to go viral, and JavaScript malware surviving reboot. With the cloud and web-based operating systems poised to make an impact on our computing future, Matt and Kyle are ready to share all their never-before-seen research through a series of on-stage demonstrations.

Kyle 'Kos' Osborn is a web application security specialist at WhiteHat Security. He competes as a Red Team member in the West Coast Collegiate Cyber Defense Competition and has also done work for the US Cyber Challenge by building a CTF for three of the Cyber Camps. Mr. Osborn has also released Open Source security tools to the information security community, notably "Man Just Left of the Middle", which was featured in Dave Kennedy's Social Engineer Toolkit. He attended his first security conference at the age of 16 and was hooked. He firmly believes in sharing information and best practices throughout the security community to promote greater web security for all. He's a regular participant at conferences, having attended more than 20 security events in the last 4 years. Most recently he was a featured speaker at Toorcon Seattle, where he spoke about embedded HTML engines in desktop applications. Hacker by day, hacking harder by night. Living in the danger zone.
Twitter: @theKos

Matt Johansen is an application security specialist at WhiteHat Security where he oversees assessments of more than 250 web applications for many Fortune 500 companies across a range of technologies such as PHP, .NET, Ruby on Rails, and Flash. He was previously a consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also a professor of Web Application Security at Adelphi University and San Jose State University. He recently was part of the cut-score panel for the SANS certification by the GIAC and is the 29th person worldwide to achieve this certification. He holds a Bachelor of Science in Computer Science from Adelphi University.
Twitter: @mattjay


VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP

This presentation is about the security of VoIP deployed in hotel guest rooms: what it is, why it benefits administrators and users, and how easily it can be broken. The hospitality industry is widely deploying VoIP. Since 2008, we've seen an increase in these rollouts along with Admin awareness of applying the required security controls in order to mitigate this potential backdoor into a company's mission critical data and systems — their Crown Jewels. The method is simple: through VoIP, a malicious hotel guest may gain access into corporate data resources such as a company's sensitive financial or HR systems. This talk will present updated research with a new case study: a Hotel VoIP infrastructure that had security applied. We will explore the missing pieces. How has this risk changed for permitting a hotel guest unauthorized network access, and who should be concerned? An old VLAN attack will be re-visited, with a new twist: how the VLAN attack applies to recent production VoIP infrastructure deployments, and how it can be combined with a new physical method. A new version of the free VoIP Hopper security tool will be demonstrated live, showcasing this new feature. In addition, we will investigate an alternative to CDP for device discovery and inventory control: LLDP-MED (Link Layer Device Discovery - Media Endpoint Discovery). A case study penetration test of a client infrastructure that used LLDP-MED follows, with a comparison to CDP. VoIP Hopper will demonstrate the first security assessment tool features for this advancing protocol. Mitigation recommendations will follow.

Jason Ostrom is a security researcher working in the Sipera VIPER Lab, with an interest in VoIP and layer 2 security issues. He is a graduate of the University of Michigan, Ann Arbor, and has over 13 years of experience in the IT industry, including VoIP penetration testing. He is the author of the VoIP Hopper security tool and has contributed to other open source UC security tools.


Big Brother on the Big Screen: Fact/Fiction?

Can the NSA really do that? Um, yes. Join me at the movies to take a close look at how current technology has caught up with the spy gadgets dreamed up for Hollywood flicks, from old favorites like Brazil to newer additions like Bourne and Dark Knight. Jaunty tin foil hats and movie snacks will be provided!

Nicole Ozer directs the Technology and Civil Liberties Program at the ACLU of Northern California and spearheads the organization's new online privacy campaign, Demand Your dotRights (www.dotrights.org). Before joining the ACLU, Nicole was an intellectual property attorney at Morrison & Foerster LLP and worked on diverse civil liberties technology projects with the Samuelson Law, Technology, and Public Policy Clinic at Boalt Hall, UC Berkeley. Nicole graduated from Amherst College and earned her J.D. with a Certificate in Law and Technology from UC Berkeley. Nicole was recognized by San Jose Magazine in 2001 as one of 20 "Women Making a Mark" in Silicon Valley. Nicole's legal and policy publications include Location-Based Services: Time for a Privacy Check-in (ACLU-NC, 2010) and Cloud Computing: Storm Warning for Privacy (ACLU-NC, 2010). Nicole blogs regularly at Bytes and Pieces at www.aclunc.org/tech.

return to top

Getting SSLizzard

The world has seen a seismic shift from browser-based web applications to GUI-rich semi-thick client applications running on handheld mobile devices. In the browser world, the industry had placed a great deal of time and energy into giving users visual cues that indicate the level of security and trust with which their data is transmitted to the remote server, so that it does not fall into the hands of unintended recipients. In the mobile device world, these visual cues are mostly nonexistent, which leaves users implicitly trusting that the underlying APIs ensure some level of security before transmitting their sensitive data. In our research, we tested the most popular apps on both the iOS and Android platforms. We ran each app through a data transmission assault course containing various historic, contemporary, and obscure SSL attacks and documented the results. In this presentation, we will discuss and demonstrate flaws at both the application and OS layers that need to be addressed by mobile app developers as well as mobile device manufacturers. A utility called "SSLizzard" will also be released for mobile application developers to test their apps and their behavior against the SSL-based attacks discussed in this talk.

Nicholas J. Percoco: With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwave's premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research have been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR and The Wall Street Journal.
Twitter: c7five

Paul Kehrer is a web developer and programmer at Trustwave with extensive experience with X.509 and PKI, including writing and maintaining a registration authority. Since 2007, Paul has led the team responsible for the design and infrastructure of Trustwave's Certification Authority. Paul enjoys baking cakes in his spare time.
Twitter: reaperhulk

return to top

Malware Freak Show 3: They're pwning er'body out there!

Well, there's malware on the interwebs. They're pwning all your systems, snatching your data up. So hide your cards, hide your docs, and hide your phone, 'cause they're pwning er'body out there! This may be the 3rd and final installment of the Malware Freak Show series, so we're pulling out all the stops. This year we'll highlight 4 new pieces of malware, but the victims are you and the people you know. We will analyze and demo malware found in your place of employment, your watering hole, your friendly neighborhood grocer, and finally your mobile phone. The malware we are going to demo are very advanced pieces of software written by very skilled developers that target your world's data. The complexity of their propagation, control channels, anti-forensic techniques and data exfiltration will be very interesting to anyone interested in this topic.

Nicholas J. Percoco, Senior Vice President and Head of SpiderLabs at Trustwave: With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwave's premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research have been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR and The Wall Street Journal.
Twitter: @c7five

Jibran Ilyas is a Senior Forensic Investigator at Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security. He has investigated some of the nation's largest data breaches and is a regular contributor to published security alerts through his research. Jibran and his research have been featured by many news organizations including Dark Reading, Infoworld, Threatpost, IT World and SearchSecurity. He has years of experience in the field and has done security research in the area of computer memory artifacts. Jibran has presented talks at security conferences (DEF CON, Black Hat, SecTor, SOURCE Barcelona) in the area of Computer Forensics and Cyber Crime. Jibran is also a regular guest lecturer at DePaul and Northwestern University. Prior to joining SpiderLabs, Jibran was part of Trustwave's SOC, where he helped Fortune 500 clients with their security architectures and deployments. Jibran holds a Bachelor of Science degree from DePaul University and a Master's degree in Information Technology Management from Northwestern University.
Twitter: @jibranilyas

return to top

This is REALLY not the droid you're looking for...

Last year, we presented a talk on the implications of malware and rootkits on mobile devices. We focused on the kernel layer of the Android OS stack. With the proliferation of apps of every size, shape and color being published this year, we focused solely on the User Interface (UI) of the Android OS. The results of our research yielded a very dangerous flaw that is likely going to require a UI overhaul of the Android OS. Our talk will demonstrate a technique using legitimate and documented APIs to steal credentials and other user information from the most popular apps in the Android Market. We will demo this technique live and provide a technical walkthrough of the specific methods being used. At the conclusion of our talk, we'll release a Proof of Concept (PoC) built to demo this technique.

Nicholas J. Percoco, Senior Vice President and Head of SpiderLabs at Trustwave: With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwave's premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research have been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR and The Wall Street Journal.
Twitter: c7five

Sean Schulte, Software Engineer, Trustwave: Sean is an engineer at Trustwave who works primarily with Java and Ruby. He is responsible for building external APIs such as the SSL reseller API, and internal APIs including a Google Safe Browsing blacklist along with the infrastructure to support various SSL services. In his spare time he maintains an unpopular, but feisty, baseball blog.
Twitter: sirsean

return to top

Hacking MMORPGs for Fun and Mostly Profit

Online games, such as MMORPGs, are among the most complex multi-user applications ever created, and the security problems that plague them are universal to all distributed software systems. Online virtual worlds are eventually going to replace the web as the dominant social space on the 'Net, as Facebook apps have shown, and this is big business. MMORPG game security is very important to game studios and players, yet bots and exploits continue to infest all major MMORPGs. The creators and maintainers of the next generation of MMORPGs will need to understand software security from the ground up or face failure. The problem extends from software bugs such as item or money duplication to mechanical exploitation such as botting, which leads to economic distortion and digital identity theft. There is upwards of a billion dollars at stake, for both game hackers and game operators. Both Josh and Kuba have explored game hacking from both sides, and this talk presents a pragmatic view of both threats and defenses.

Josh Phillips is currently a Senior Malware Researcher at Kaspersky Lab; previously he was a Virus Analyst for Microsoft Corp. He cut his teeth reversing by hacking and botting several MMORPGs for profit. He has had professional ties to several of the big-name virtual currency dealers, in addition to being well known in the underground game hacking community.

return to top

Port Scanning Without Sending Packets

With auto-configuration protocols being added to operating systems and enabled by default in your network devices, hosts are now actively advertising their available attack surfaces to anyone listening on the network.

By collecting background traffic on the network and analyzing it, we can perform host discovery, a port scan, and host profiling that even includes configuration information, all without sending a single packet. This means that threats both inside and outside your network can assess and target your network hosts silently, without leaving a trail.

In this session, we'll start out by covering what makes this all possible, then examine typical network traffic to see what is made available to us, use several brand new tools that I have developed to turn this information into an actual attack against a vulnerable network host, and finish our time discussing what you, as a network defender, can do about it.
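To make the passive approach concrete, here is an added Python example (mine, not one of the speaker's tools) that folds SSDP announcements, the UPnP auto-configuration traffic hosts multicast on their own, into a per-host profile of open ports and self-reported OS versions. The datagrams are constructed for the example; the addresses, UUIDs and version strings are invented. The same shape of collector applies to mDNS or LLDP, which carry different fields but the same kind of self-disclosure.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def _ssdp(start_line, headers):
    """Build one SSDP datagram payload (used only to construct the sample traffic)."""
    return (start_line + "\r\n"
            + "".join("%s: %s\r\n" % kv for kv in headers) + "\r\n").encode("ascii")


# Constructed background traffic: (source IP, UDP payload seen on 239.255.255.250:1900).
SAMPLE_DATAGRAMS = [
    ("192.168.1.10", _ssdp("NOTIFY * HTTP/1.1", [
        ("HOST", "239.255.255.250:1900"), ("CACHE-CONTROL", "max-age=1800"),
        ("LOCATION", "http://192.168.1.10:49152/rootDesc.xml"),
        ("NT", "urn:schemas-upnp-org:device:InternetGatewayDevice:1"),
        ("NTS", "ssdp:alive"),
        ("SERVER", "Linux/2.6.32 UPnP/1.0 MiniUPnPd/1.6"),
        ("USN", "uuid:0a1b2c3d-0000-1000-8000-001122334455::urn:schemas-upnp-org:device:InternetGatewayDevice:1")])),
    ("192.168.1.23", _ssdp("NOTIFY * HTTP/1.1", [
        ("HOST", "239.255.255.250:1900"), ("CACHE-CONTROL", "max-age=900"),
        ("LOCATION", "http://192.168.1.23:2869/upnphost/udhisapi.dll?content=uuid:6f4c9b10-4b2e-4a38-9a42-1d5e3f7a9c01"),
        ("NT", "urn:schemas-upnp-org:device:MediaServer:1"),
        ("NTS", "ssdp:alive"),
        ("SERVER", "Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0"),
        ("USN", "uuid:6f4c9b10-4b2e-4a38-9a42-1d5e3f7a9c01::urn:schemas-upnp-org:device:MediaServer:1")])),
    # An M-SEARCH reply (unicast to whoever searched); parsed the same way when seen.
    ("192.168.1.23", _ssdp("HTTP/1.1 200 OK", [
        ("ST", "urn:schemas-upnp-org:service:ContentDirectory:1"),
        ("LOCATION", "http://192.168.1.23:2869/upnphost/udhisapi.dll?content=uuid:6f4c9b10-4b2e-4a38-9a42-1d5e3f7a9c01"),
        ("SERVER", "Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0"),
        ("USN", "uuid:6f4c9b10-4b2e-4a38-9a42-1d5e3f7a9c01::urn:schemas-upnp-org:service:ContentDirectory:1")])),
    # A departing device: a byebye withdraws the service, so no port is recorded.
    ("192.168.1.40", _ssdp("NOTIFY * HTTP/1.1", [
        ("HOST", "239.255.255.250:1900"), ("NT", "upnp:rootdevice"), ("NTS", "ssdp:byebye"),
        ("USN", "uuid:deadbeef-0000-1000-8000-aabbccddeeff::upnp:rootdevice")])),
    ("192.168.1.99", b"\x00\x01garbage that is not SSDP\r\n\r\n"),
]


def parse_ssdp(payload):
    """Return (start_line, headers) for an SSDP NOTIFY or M-SEARCH reply, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    start = lines[0].strip()
    if not (start.startswith("NOTIFY * HTTP/1.1") or start.startswith("HTTP/1.1 200")):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break                      # blank line ends the header block
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return start, headers


def build_profiles(datagrams):
    """Fold advertisements into a per-host profile without transmitting anything."""
    profiles = defaultdict(lambda: {"ports": set(), "services": set(), "server": None, "os": None})
    for src_ip, payload in datagrams:
        parsed = parse_ssdp(payload)
        if parsed is None:
            continue
        _, h = parsed
        if h.get("NTS") == "ssdp:byebye":
            continue                   # service is going away; do not count its port
        host = src_ip
        location = h.get("LOCATION")
        if location:
            # LOCATION is the URL the device serves its description from: an open
            # TCP port announced by the host itself, no probe required.
            url = urlsplit(location)
            host = url.hostname or src_ip
            profiles[host]["ports"].add(url.port or (443 if url.scheme == "https" else 80))
        service = h.get("NT") or h.get("ST")
        if service:
            profiles[host]["services"].add(service)
        server = h.get("SERVER")
        if server:
            profiles[host]["server"] = server
            profiles[host]["os"] = server.split()[0]   # first token is "OS/version" per UPnP DA
    return dict(profiles)


def report(profiles):
    """One line per host, sorted by address, for the next stage of an assessment."""
    lines = []
    for host in sorted(profiles, key=lambda ip: tuple(int(x) for x in ip.split("."))):
        p = profiles[host]
        lines.append("%s ports=%s os=%s services=%d" % (
            host, ",".join(str(x) for x in sorted(p["ports"])), p["os"], len(p["services"])))
    return lines


if __name__ == "__main__":
    for line in report(build_profiles(SAMPLE_DATAGRAMS)):
        print(line)
```

Note what the collector learns without a single probe: each host's UPnP description port, a self-reported OS and stack version, and the services offered. The byebye and the non-SSDP datagram are dropped rather than guessed at, so the profile contains only what hosts said about themselves.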

Gregory Pickett CISSP, GCIA, GPEN, also known as rogu3ag3nt, is the lead Intrusion Analyst on the Abbott Laboratories Network Security team by day and a penetration tester for Hellfire Security by night. As a penetration tester, his primary areas of focus and occasional research are network and host penetration testing with an interest in using background network traffic to target and exploit network hosts using their own traffic against them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.

return to top

My password is: #FullOfFail! — The Core Problem with Authentication and How We Can Overcome It

Authentication is an integral part of our modern, digital lifestyle. It is a universal means of access to our work, to our finances, and to our friends and recreation. Of all the types of authentication available, passwords are still the most common form of authentication in use. Indeed, passwords in one form or another have been utilized since the dawn of computing. This, as this presentation will demonstrate, is not necessarily a good thing.

Simply put, password authentication is full of fail. Furthermore, the level of fail has nothing to do with the length, the complexity, or any other attribute of passwords. The researchers and professionals that have theorized about or created new password schemes, cognitive or picture-based passwords for example, are well intentioned but are only treating the symptoms of an inherently flawed technology.

The purpose of this presentation, then, is to discuss why our password authentication is so full of fail, to outline how this fail extends to other authentication methods, and to paint a brief outline of a new paradigm that does not suffer from the same inherent issues.

Jason M. Pittman is currently a doctoral student with research interests in new methods of authentication, artificial life modeling for security, and games-based learning. Jason is an adjunct professor of Information Assurance, teaching young padawans the ways of the Sith...err, Jedi. Jason also has ten years of professional experience in security, working on a variety of projects ranging from the technical to compliance and governance, with some fun stuff in between.

return to top

Sneaky PDF

As one of the most prevalent document exchange formats on the Internet, Portable Document Format (PDF) is in danger of becoming the main target for client-side attacks. With an estimated 1.5 million lines of code in a typical reader and a huge feature set, this powerful document format suffers from several high-impact vulnerabilities that allow attackers to exploit it and use it as a malware spreading vector.

Thousands of malicious PDF files are spreading today with little chance of being detected.

The challenge is the obfuscation attackers use to hide their malicious activity and minimize detection rates. To keep a malicious PDF alive on the Internet, attackers circumvent the analysis process through diverse obfuscation techniques. The methods range from PDF syntax obfuscation and abuse of PDF filtering mechanisms to JavaScript obfuscation, and combinations of all of these. Because obfuscation methods change rapidly, most antivirus software and security tools fail to detect malicious content inside PDF files, which keeps increasing the number of victims of malicious PDF mischief.

In this paper, we study the obfuscation techniques used in in-the-wild malicious PDFs, how they can be made stealthier, and how we can improve the analysis of malicious PDFs.
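To make the three obfuscation layers concrete, here is an added Python triage scanner, not the author's tooling, run over a constructed PDF that combines name escapes on the trigger keywords, an escaped filter chain, and a script wrapped in String.fromCharCode. It is a triage aid in the spirit of pdfid-style scanners, not a PDF parser: it does not follow the xref table, unpack object streams (/ObjStm) or handle encryption, so a file can still hide from it; the point is to show where each layer is peeled off and what a scanner that only looks at raw bytes would miss.

```python
import base64
import binascii
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# /Length is ignored on purpose: malicious files routinely lie in it, so the
# endstream keyword is used as the delimiter instead.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
NAME_RE = re.compile(rb"/(\w+)")
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
KEYWORD_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile|RichMedia)\b")
JS_INDICATORS = [b"eval(", b"unescape(", b"String.fromCharCode", b"%u"]

JS = b"eval(String.fromCharCode(97,112,112,46,97,108,101,114,116,40,49,41));"  # app.alert(1)
CONTENT = b"BT /F1 12 Tf 72 712 Td (Quarterly report) Tj ET"

# Constructed sample: action names and filter names use #xx escapes, the script
# is Flate-compressed then hex-encoded, and the page content is ASCII85-encoded.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 6 0 R >> endobj\n",
    b"4 0 obj << /Type /Action /S /J#61vaScript /J#53 5 0 R >> endobj\n",
    b"5 0 obj << /Length 9999 /Filter [/ASCIIH#65xDecode /Fl#61teDecode] >>\nstream\n",
    binascii.hexlify(zlib.compress(JS)) + b">", b"\nendstream\nendobj\n",
    b"6 0 obj << /Length 9999 /Filter /ASCII85Decode >>\nstream\n",
    base64.a85encode(CONTENT) + b"~>", b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])


def normalize_names(dictionary):
    """Undo PDF name escapes: /J#61vaScript is the same name as /JavaScript."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), dictionary)


def apply_filters(raw, filters):
    """Decode a stream through its filter chain, in the order the file lists them."""
    for name in filters:
        if name == "FlateDecode":
            raw = zlib.decompress(raw)
        elif name == "ASCIIHexDecode":
            hexdata = re.sub(rb"\s", b"", raw.split(b">", 1)[0])     # '>' marks end of data
            raw = binascii.unhexlify(hexdata + (b"0" if len(hexdata) % 2 else b""))
        elif name == "ASCII85Decode":
            data = re.sub(rb"\s", b"", raw)
            raw = base64.a85decode(data[:-2] if data.endswith(b"~>") else data)
        else:
            raise ValueError("unsupported filter " + name)
    return raw


def scan_pdf(data):
    """Triage every indirect object; returns one finding per object."""
    findings = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        dictionary = body[:sm.start()] if sm else body
        norm = normalize_names(dictionary)
        f = {
            "obj": int(m.group(1)),
            "raw_keywords": [k.decode() for k in KEYWORD_RE.findall(dictionary)],
            "keywords": [k.decode() for k in KEYWORD_RE.findall(norm)],
            "name_escapes": norm != dictionary,
            "filters": [], "decoded": b"", "js_indicators": [], "decode_error": None,
        }
        if sm:
            fm = FILTER_RE.search(norm)
            f["filters"] = [n.decode() for n in NAME_RE.findall(fm.group(1))] if fm else []
            try:
                f["decoded"] = apply_filters(sm.group(1), f["filters"])
            except (ValueError, zlib.error) as e:
                f["decode_error"] = str(e)          # an undecodable stream is itself worth a look
            f["js_indicators"] = [i.decode() for i in JS_INDICATORS if i in f["decoded"]]
        findings.append(f)
    return findings


def flagged_objects(data):
    """Object numbers carrying a trigger keyword, escaped names, obfuscated JS or a broken stream."""
    return [f["obj"] for f in scan_pdf(data)
            if f["keywords"] or f["name_escapes"] or f["js_indicators"] or f["decode_error"]]


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f["obj"], f["raw_keywords"], f["keywords"], f["filters"], f["js_indicators"])
    print("flagged:", flagged_objects(SAMPLE_PDF))
```

A byte-level signature for `/JavaScript` or `/OpenAction` sees nothing in this file; only after name normalization do objects 1 and 4 show their triggers, and only after the filter chain is unwound does object 5 expose the `eval`/`fromCharCode` wrapper. Object 6 decodes to ordinary page content and is not flagged, which is the other half of a useful scanner.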

Mahmud Ab Rahman currently works as an Information Security Specialist for the Malaysia Computer Emergency Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. Prior to that, he worked as an Intrusion Analyst in the MyCERT department. He holds a Master's degree in Computer Science from the National University of Malaysia (2006) and, before that, obtained a Bachelor's degree in Computer Science from the same university.

Mahmud has been involved in the computer security field for over 5 years. His areas of focus and interest are network security, honeynets, botnet monitoring, and malware analysis. He also takes part in several large-scale penetration-testing exercises and provides solutions for the vulnerabilities found. He is also recognized for delivering numerous trainings for organizations on topics ranging from introductory to advanced security courses.

He is an occasional speaker at conferences such as the FIRST Technical Colloquium, the FIRST Annual Conference, the Honeynet Annual Security Conference, Honeynet Project HackInTheBox SIGINT and Infosec.MY.

He currently holds GIAC's GPEN and GREM, and Cisco's CCNA and CCNP. In 2010, he wrote the paper "Getting Owned By Malicious PDF" for GIAC GPEN Gold certification.
Twitter: @yomuds

return to top

Why Airport Security Can't Be Done FAST

Eight years after 9/11, the TSA finally decided to fix its security system. But what has really changed? Homeland Security's science division has been busy lately, and is currently polishing up a project called FAST - Future Attribute Screening Technology. FAST, part of project MALINTENT, is a project of the Department of Homeland Security Behavioral Science Unit, which supposedly can detect whether you want to blow up the plane based purely on biological indicators. While it was originally slated for completion this year, the project has been delayed due to many technical difficulties. Starting to smell snake oil? Basic statistics and common sense agree! Methodological flaws, numerous exploits and better uses of tax dollars will be discussed.

Semon Rezchikov is an independent security researcher, programmer, and wetware hacker. He is spending the summer at MIT making cells do his bidding. In his free time, he can be found messing around with mathematics, playing clarinet, and furiously scribbling thoughts into his handy black notebook.

Morgan Wang is an independent security researcher and analyst, history buff, classically liberal Libertarian, avid knitter and overall crafty person. Her hobbies include impersonating long-dead historical figures and obtaining suspicious amounts of fabric.

Joshua Engelman is an independent security researcher and amateur mathematician. In his spare time, he volunteers for the ACLU and teaches fencing to small children. His current project is an autonomous beverage retrieval bot for his robotics team. He can be found lurking on the DEF CON forums, in school labs at odd hours, and directly behind law enforcement personnel wearing a monocle and trenchcoat.

return to top

"Whoever Fights Monsters..." Aaron Barr, Anonymous, and Ourselves

"Whoever fights monsters should see to it that in the process he does not become a monster." - Friedrich Nietzsche.

Aaron Barr returns for the first time in what's sure to be a gritty and frank (and heated) panel. How can we conduct ourselves without losing ourselves? How far is too far - or not far enough? IT security has finally gotten the attention of the mainstream media, Pentagon generals and public policy authors in the Beltway, and is now in mortal danger of losing (the rest of) its soul. We've convinced the world that the threat is real - omnipresent and omnipotent. But recent events suggest that in their efforts to combat a faceless enemy, IT security firms and their employees risk becoming indistinguishable from the folks with the Black Hats. The Anonymous attacks and the data spilled from both private- and public-sector firms raise important questions that this panel will try to answer. Among them: how to respond to chaotic actors like Anonymous and LulzSec, and what the U.S. gains (and loses) by making "APTs" the new "Commies" and cyber the forefront of the next Cold War. Aaron, Josh and Jericho will debate whether we in the security community can fight our "monsters" without sacrificing the civil liberties and the freedoms we enjoy here at home.

Paul Roberts, Editor, Threatpost.com - Paul is an editor at Threatpost.com, Kaspersky Lab's security news blog. Paul is a thought leader with a decade of experience as a technology reporter and analyst covering information technology security. Before joining Threatpost, Paul was a Senior Analyst in the Enterprise Security Practice at The 451 Group, an industry analyst firm. As a reporter and editor, he has worked for leading technology publications including InfoWorld, eWeek and The IDG News Service. Paul's writing has appeared in The Boston Globe, Salon.com and Fortune Small Business. He has been interviewed on issues relating to technology and security for publications ranging from The Wall Street Journal to NPR's Marketplace to the Oprah Show. When he's not writing about security, Paul runs the occasional marathon and edits bloggingbelmont.com, a citizen-powered blog in Belmont, Massachusetts, where he lives with his wife and three daughters.
Facebook: facebook.com/pfroberts
Twitter: @paulfroberts

Aaron Barr has spent the last 20 years in the intelligence and federal space of the cyber security community in positions ranging from intelligence analyst, UNIX system administrator and technical director. With degrees in Field Biology and computer security, his path would have drastically changed in 1997 had the Navy accepted his request to extend his educational program towards a degree in Mycology. Alas the Navy had no open billets for mushroom experts. He separated from the Navy in 2001 and chartered a course in IT and IT security in the defense industry. An agitator/collaborator, not afraid to express an opinion, but open to adopt better ones, he is enthusiastic and passionate about technology and its positive and negative effects on society, including security. An analyst at heart and by trade, he is focused on security as an intelligence problem.

Joshua Corman, Research Director, Enterprise Security Practice, The 451 Group - Joshua Corman is the Research Director of the 451 Group's enterprise security practice. Corman has more than a decade of experience with security and networking software, most recently serving as Principal Security Strategist for IBM Internet Security Systems. Corman's research cuts across sectors to the core challenges of the industry, and drives evolutionary strategies toward emerging technologies and shifting economics. Corman is a candid and highly coveted speaker and has spoken at leading industry events such as RSA, Interop, ISACA, and SANS. His efforts to educate and challenge the industry recently led NetworkWorld magazine to recognize him as a top Influencer of IT for 2009. Corman also serves on the Faculty for IANS and is a staunch advocate for CISOs everywhere. In 2010, Corman also co-founded Rugged (www.ruggedsoftware.org), a value-based initiative to raise awareness and usher in an era of secure digital infrastructure. Corman received a bachelor's degree in philosophy, Phi Beta Kappa, summa cum laude, from the University of New Hampshire. He lives with his wife and two daughters in New Hampshire.

Jericho has been poking about the hacker/security scene for 18 years (for real), building valuable skills such as skepticism and alcohol tolerance. As a hacker-turned-security whore, he has a great perspective to offer unsolicited opinion on just about any security topic. A long-time advocate of advancing the field, sometimes by any means necessary, he thinks the idea of 'forward thinking' is quaint (we're supposed to be thinking that way all the time). No degree, no certifications, just the willingness to say things most of the industry is thinking but unwilling to say themselves. He remains a champion of security industry integrity and small misunderstood creatures.
Twitter: @attritionorg

return to top

What Time Are You Anyway?

Computer forensic examiners rely heavily on timestamps during investigations. Timeline analysis is a critical technique in determining what happened and when. In 2005, timestomp.exe was released, and it gave non-observant investigators a run for their money. Unfortunately, there are some gaps in what timestomp.exe will do: observant investigators can identify timestomping and recover from that activity. Good timestomping requires knowing which time values need to be trashed, where those times are stored, AND which supporting artifacts need to be altered. This presentation examines several file systems and operating systems and identifies what needs to be tweaked in order to effectively hide one's tracks.
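As an added example of the kind of check an observant investigator runs (mine, not material from the talk), the following Python compares the $STANDARD_INFORMATION and $FILE_NAME timestamps of an NTFS MFT record. The two attribute bodies are constructed with the real on-disk layout; the file name and dates are invented. The two rules it applies are the classic ones: SetFileTime-based tools such as the original timestomp only reach $STANDARD_INFORMATION and historically wrote whole seconds, while $FILE_NAME is written by the kernel and keeps the original values.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMES = ("created", "modified", "mft_changed", "accessed")


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_si_times(si_body):
    """$STANDARD_INFORMATION: the four FILETIMEs are the first 32 bytes."""
    return dict(zip(TIMES, struct.unpack_from("<4Q", si_body, 0)))


def parse_fn_times(fn_body):
    """$FILE_NAME: 8-byte parent directory reference first, then the same four FILETIMEs."""
    return dict(zip(TIMES, struct.unpack_from("<4Q", fn_body, 8)))


def timestomp_indicators(si, fn, volume_created=None):
    """Checks to run before trusting $SI times. Returns the list of reasons that fired."""
    hits = []
    if all(t % 10_000_000 == 0 for t in si.values()):
        hits.append("all four $SI times fall on whole seconds "
                    "(what SetFileTime-based tools such as the original timestomp produce)")
    if si["created"] < fn["created"]:
        hits.append("$SI creation time precedes $FN creation time "
                    "($FN is written by the kernel and is not reachable through SetFileTime)")
    if volume_created is not None and si["created"] < volume_created:
        hits.append("$SI creation time predates the volume itself")
    return hits


def make_si(times):
    """Minimal 48-byte $STANDARD_INFORMATION body: four FILETIMEs, then zeroed flags/ids."""
    return struct.pack("<4Q", *(times[k] for k in TIMES)) + b"\x00" * 16


def make_fn(times, name, parent_ref=5):
    """$FILE_NAME body: parent ref, four FILETIMEs, sizes, flags, name length/namespace, UTF-16 name."""
    return (struct.pack("<Q", parent_ref)
            + struct.pack("<4Q", *(times[k] for k in TIMES))
            + struct.pack("<QQI", 4096, 2731, 0x20)   # allocated size, real size, FILE_ATTRIBUTE_ARCHIVE
            + struct.pack("<I", 0)                   # reparse value / EA size
            + bytes([len(name), 1])                  # name length in characters, namespace 1 = Win32
            + name.encode("utf-16-le"))


def _ft(*ymdhms_us):
    return dt_to_filetime(datetime(*ymdhms_us, tzinfo=timezone.utc))


# Constructed records: a normally created and edited file, and the same file after
# a SetFileTime-style stomp that pushed every $SI time back to 2009-01-01 00:00:00.
REAL = {"created": _ft(2011, 6, 12, 14, 3, 27, 123456),
        "modified": _ft(2011, 7, 2, 9, 41, 5, 987654),
        "mft_changed": _ft(2011, 7, 2, 9, 41, 5, 987654),
        "accessed": _ft(2011, 7, 2, 9, 41, 5, 987654)}
STOMPED = {k: _ft(2009, 1, 1, 0, 0, 0, 0) for k in TIMES}

NORMAL_SI, NORMAL_FN = make_si(REAL), make_fn(REAL, "report.docx")
STOMPED_SI, STOMPED_FN = make_si(STOMPED), make_fn(REAL, "report.docx")   # $FN untouched by the tool


if __name__ == "__main__":
    for label, si, fn in (("normal", NORMAL_SI, NORMAL_FN), ("stomped", STOMPED_SI, STOMPED_FN)):
        print(label, filetime_to_dt(parse_si_times(si)["created"]).isoformat())
        for reason in timestomp_indicators(parse_si_times(si), parse_fn_times(fn)):
            print("   !", reason)
```

Two caveats match the abstract's point about supporting artifacts. First, a normal copy between volumes preserves $SI modified while resetting $SI created and all $FN times, so "modified before created" is ordinary for copied files and is deliberately not a rule here. Second, both rules above are beaten by a stomper that also rewrites $FN, for instance by moving the file after stomping, since NTFS then writes a fresh $FN from the already-stomped $SI values; at that point only $LogFile and $UsnJrnl records still disagree with the file's story, which is why they belong on the list of artifacts to check.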

Michael Robinson has over 15 years of computer security experience and is currently a computer forensic examiner in the Washington, DC area, where he deals with e-discovery and intrusion analysis. For over four years he ran IT and IA operations for a Department of Defense agency. He teaches computer forensics at the graduate level at Stevenson University in Maryland. He earned two masters degrees - one in computer forensics and one in information security.

return to top

Owned Over Amateur Radio: Remote Kernel Exploitation in 2011

Originally considered to be the stuff of myth, remote kernel exploits allow attackers to bypass all operating system protection mechanisms and gain instant root access to remote systems. While reviewing prior work in remote kernel exploitation, this talk will go over some of the challenges and limitations associated with developing remote kernel exploits.

We will discuss in detail the development of an exploit for a remotely triggerable vulnerability in the Linux kernel's implementation of the ROSE amateur radio protocol. In doing so, a number of new kernel exploitation techniques will be demonstrated. In addition, this talk will present a working example of the installation of a remote kernel backdoor. We will conclude with a demonstration of this exploit against a live system and a discussion of future work in kernel exploitation and mitigation.

Dan is a security consultant and vulnerability researcher at Virtual Security Research, where he performs application and network penetration testing, conducts code reviews, and identifies vulnerabilities in third-party software. He has reported and corrected dozens of vulnerabilities in popular open source and commercial applications, including more than 50 vulnerabilities in the Linux kernel. He also contributes on the defensive side by submitting kernel patches that implement proactive security features. His current research interests include exploit development, kernel hardening, and mobile security.

return to top

Build your own Synthetic Aperture Radar

Radar is used extensively by the military, police, weather, air travel, and maritime industries - why not you? Come learn how to build a radar imaging system on the cheap! This talk will explain the basics of how radar works as well as how to measure range and velocity of your chosen targets. You will learn how to use synthetic aperture techniques to generate a two- or even three-dimensional image. The hardware and software design will be totally opened up so you can go home and build your own system.

The talk will try to run through the basics pretty fast, so some knowledge of electronics or basic physics might help, but is not required! Regardless of your background, you will see the capabilities of a modern home-built radar system and hopefully get some ideas for your own uses.

Michael Scarito is a multidisciplinary hacker masquerading as an electrical engineer. Interests include physical and cyber security, surveillance systems, innovative uses for radio frequency electronics, and projects which incorporate all of the above.

return to top

Net Neutrality Panel

Over the last five years, network neutrality has moved from an abstract buzzword to FCC-enacted policy. Supporters and detractors both contend that their opponents' position means "the end of the Internet as we know it!" This panel will present a reasoned discussion of the issue from multiple viewpoints. Among the questions to answer: What is network neutrality, and can we even agree on a definition? Does the FCC have the authority to enact net neutrality rules? What is the role of Congress in net neutrality? Lastly, what are the future implications for the Internet? The discussion will cover the basics of net neutrality, the roles of Congress and the FCC in regulating the Internet, and the future legal and policy implications of the FCC's neutrality rules. Is the future of the Internet really at risk?

return to top

WTF Happened to the Constitution?! The Right to Privacy in the Digital Age

There is no explicit right to privacy in the Constitution, but some aspects of privacy are protected by the First, Third, Fourth and Fifth Amendments. This presentation will discuss the historical development of the right to privacy, and in particular the development of the Fourth Amendment, and then compare that historical development to the current digital age. Carrying the right to privacy (especially given the historical context of the Fourth Amendment) into our current age requires us to deal with technologically invasive personal searches at airports, searches and seizures of laptops and other computing devices, and the handling of stored communications. It becomes evident very quickly that searches and seizures are not so clear when it comes to bits and bytes...so where do we go from here?

Michael Schearer ("theprez98") is the author of the "Assault on Privacy" blog, which focuses on governmental intrusions into privacy rights. He also hosts monthly "Flex Your Rights" nights at Unallocated Space, a central Maryland hackerspace. Michael is a government contractor who spent nearly nine years in the United States Navy as an EA-6B Prowler Electronic Countermeasures Officer. His military experience includes aerial combat missions over both Afghanistan and Iraq and nine months on the ground doing counter-IED work with the U.S. Army. He is a graduate of Georgetown University's National Security Studies Program and a speaker at ShmooCon, DEFCON, HOPE, and other conferences. Michael is a licensed amateur radio operator and an active member of the Church of WiFi. He lives in Maryland with his wife and four children.
Twitter: theprez98

return to top

Archive Team: A Distributed Preservation of Service Attack

For the last few years, historian and archivist Jason Scott has been involved with a loose, rogue band of data preservation activists called The Archive Team. As major sites with brand recognition and the work of millions announce short-notice shutdowns of their entire services, including Geocities, Friendster, and Yahoo Video, Archive Team arrives on the scene to duplicate as much as they possibly can for history before all the data is wiped forever. To do this, they have been rude, crude and far outside the spectrum of polite requests to save digital history, and have used a variety of techniques to retrieve and extract data that might have otherwise been unreachable. Come for the rough-and-tumble extraction techniques and teamwork methods, stay for the humor and ranting.

Jason Scott is a computer historian, archivist, documentary filmmaker and essayist dedicated to saving digital history and having a blast doing it. Between his sites TEXTFILES.COM, ARCHIVETEAM.ORG and a propensity for saying a lot of stuff to a lot of people, he's done his best to ensure entire lengths of computer and hacker history have been preserved and not forgotten. This will be his 198th DEFCON.

return to top

Attacking and Defending the Smart Grid

The Smart Grid brings greater benefits for utilities and customers alike; however, these benefits come at a cost from a security perspective. Unlike the over-hyped messages we usually hear from the media, the sky is NOT falling. However, just like any other technology, the systems and devices that make up the Smart Grid will have weaknesses and vulnerabilities. It is important for us to understand these vulnerabilities, how they can be attacked, and what we need to do to defend against those attacks.

This presentation will explore how the increased functionality and complexity of the Smart Grid also increases its attack surface, or in other words, increases the ways attackers can compromise the Smart Grid's new infrastructures, systems, and business models. We'll discuss several specific attack avenues against the Smart Grid and the recommendations we are making to utilities and vendors to mitigate and block these attacks. This will be done without the FUD and over-hyped framing that we usually find in the media and other Smart Grid presentations.

Justin Searle is a Senior Security Analyst with InGuardians, specializing in the penetration testing of web applications, networks, and embedded devices, especially those pertaining to the Smart Grid. Justin is an active member of ASAP-SG (Advanced Security Acceleration Project for the Smart Grid) and led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628. Previously, Justin served as JetBlue Airways' IT Security Architect, and has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities and corporations. Justin has presented at top security conferences including Black Hat, DEF CON, ToorCon, ShmooCon, and SANS. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudnum.
Twitter: @meeas

Mobile App Moolah: Profit taking with Mobile Malware

Smartphones are a hot new market for software developers. Millions of potential customers, and a large percentage willing to part with a small sum of money for your latest creation. Even a moderately successful app can help fill your pockets. It's hard to ignore for legitimate developers. It's even harder to ignore for criminals.

Things have changed from the old days of malware creation. It's no longer just about proving yourself or testing a new platform by writing proofs of concept (PoCs), porting old malware, and learning the idiosyncrasies of the development tools. Now it's about evading detection and taking a profit. Where there's money, crime usually follows.

The presentation is not about attribution, naming names or pointing out the parties responsible. It's about the underlying technology and the methods used, including:

- how actual examples in the wild function
- detection/analysis evasion techniques
- geographical trends in profit-taking malware

Jimmy Shah is a Mobile Security Researcher for McAfee, specializing in analysis of mobile threats on existing platforms (J2ME, Symbian, Windows Phone, iOS, Android) and potential mobile malware and spyware. He works with a team of researchers that regularly provides analysis and research on mobile threats to McAfee clients. He has presented on mobile threat research at a number of computer security conferences.

Are You In Yet? The CISO's View of Pentesting

When a CISO pays good money for a thorough pentest, she wants results. Not necessarily the ones that the pentester had in mind, either. Whether the time allotted is too short, the pentester has to achieve multiple objectives, or they disagree on the severity of the findings, both the CISO and the pentester have to agree on both sides of the engagement. We discuss numerous aspects of voluntary pwnage: the differences between a security assessment and a penetration test, what color of box works best, tweaking the objectives for more targeted results, and ensuring a happy ending.

@shrdlu has worked as a CISO since 25 years past the epoch, both in the public and private sectors, and has grown to enjoy the exquisite pain of being on the receiving end of a pentest. It should be noted that @shrdlu is not speaking on behalf of any employers, past, present or future, did not test the presentation on any live animals, and will not be dispensing any sort of legal or medical advice.
Twitter: @shrdlu

Hacking the Global Economy with GPUs or How I Learned to Stop Worrying and Love Bitcoin

In the post-9/11 era, when it's nearly impossible to buy a pack of gum without alerting the big three credit bureaus, you may think that anonymity is long gone from the economy. That's where bitcoin comes in. Bitcoin is a decentralized peer-to-peer currency based solely on computing power. It is (mostly) untraceable and highly anonymous, not backed by any banks or companies, and in the words of Jason Calacanis "the most dangerous project we've ever seen". In my talk I'll explain what bitcoin is and isn't, and why this 70+ PetaFLOP network has caught the attention of everyone from The Washington Post and MSNBC to Wikileaks and the EFF.

Skunkworks is an undergraduate studying electrical engineering. He's an active phone phreak and experiments with high voltage and hardware hacking in his spare time.

How Haunters Void Warranties

Halloween makers, or how haunters void warranties, social engineer and find the joy of creativity. A short look at a community of makers who mod hardware, build special effects and set a mood in order to scare the shit out of you just one night a year. These people range from electrical engineers to housewives, and personally I've learned to solder better and faster because of it.

Reeves Smith has been working with hardware for security's sake for 12 years, making open source WIDS and the like. He found a community of makers that live for nothing but Halloween and thought their spirit of creativity was a lot like the creativity seen in parts of the security community. He currently works for Tenacity Solutions Inc. as a SNSE and is a Mac Fan Boy.
Facebook: http://www.facebook.com/profile.php?id=571239063

SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas

On Christmas Eve, a call was made from a prison warden: all of the cells on death row popped open. Many prisons and jails use SCADA systems with PLCs to open and close doors. Unsure why or whether it could happen, the warden called physical security design engineer John Strauchs to investigate. As a result of their Stuxnet research, Rad and Newman have discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to "open" or "locked closed" on cell doors and gates. Using original and publicly available exploits along with evaluating vulnerabilities in electronic and physical security designs, this talk will evaluate and demo SCADA systems and PLC vulnerabilities in correctional and government secured facilities while recommending solutions.

John J. Strauchs, M.A., C.P.P., conducted the security engineering or consulting for more than 114 justice design (police, courts, and corrections) projects in his career, which included 14 federal prisons, 23 state prisons, and 27 city or county jails. He owned and operated a professional engineering firm, Systech Group, Inc., for 23 years and is President of Strauchs, LLC. He was an equity principal in charge of security engineering for Gage-Babcock & Associates and an operations officer with the U.S. Central Intelligence Agency (CIA). His company and work were an inspiration for the 1993 movie "Sneakers", for which he was the Technical Advisor. He was a presenter at Hackers On Planet Earth (HOPE) in 2008 and DojoCon in 2010 and is a consultant for Recursion Ventures.

Tiffany Strauchs Rad, BS, MBA, JD, is the President of ELCnetworks, LLC., a technology development, law and business consulting firm with offices in Portland, Maine and Washington, D.C. Her consulting projects have included business and technology development for start-ups and security consulting for U.S. government agencies. She is also a part-time Adjunct Professor in the computer science department at the University of Southern Maine teaching computer law, ethics and information security. Her academic background includes studies at Carnegie Mellon University, Oxford University, and Tsinghua University (Beijing, China). She has presented at Black Hat USA, Black Hat Abu Dhabi, Defcon 17 & 18, SecTor, Hackers on Planet Earth, Chaos Communication Congress and regional information security conferences. Tiffany also researches car computers and is fond of virus research (both biological and digital).
Twitter: @TiffanyRad
Facebook: facebook.com/TiffanyRad

Teague Newman is an independent information security consultant based in the Washington, D.C. area with extensive penetration testing experience. In 2009, he competed in the Netwars segment of the US Cyber Challenge and ranked within the Top 10 in the US in all rounds in which he participated. He is also an instructor for Core Security Technologies and has instructed professionals on the topics of information security and penetration testing at places like NASA, DHS, US Army, US Marine Corps (Red Team), DOE, various nuclear facilities as well as for large corporate enterprises. His projects include GPU-based password auditing and liquid nitrogen overclocking.

Dora The SCADA Explorer: Exploit writer.

Steal Everything, Kill Everyone, Cause Total Financial Ruin! (Or How I Walked In And Misbehaved)

This is not a presentation where I talk about how I would get in or the things I might be able to do. This is a talk where I am already in and I show you pictures from actual engagements that I have been on. They say one picture is worth a thousand words; I show you how one picture cost a company a million dollars and maybe even a few lives. In a community where we focus so much on the offensive, I also make sure that with every attack I highlight, I spend time discussing what would have stopped me. We need to know the problems, but we need more talks providing solutions, and that is what I hope people will get from this. I show the dangers of social engineering and how even an employee with no SE experience can be an eBay James Bond who can cause total financial ruin to a company. These security threats are real. So are these stories!

Jayson E. Street is an author of the book "Dissecting the hack: The F0rb1dd3n Network" from Syngress. He is also the creator of the community site http://dissectingthehack.com

He has also spoken at DEFCON, BRUCON, UCON and at several other 'CONs and colleges on a variety of Information Security subjects.

His life story can be found on Google under "Jayson E. Street".

He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time's persons of the year for 2006. ;)
Twitter: @jaysonstreet
Facebook: https://www.facebook.com/jayson.e.street

Weaponizing Cyberpsychology and Subverting Cybervetting for Fun, Profit and Subterfuge

Almost everything we do in life leaves a personality footprint and what we do on social networking sites like Facebook is no exception. During this talk we will examine:

- What it is possible to determine about someone's personality from their Facebook activity
- What to look for when you are trying to identify the most pwnable person in a group
- Whether Facebook activity can indicate a high probability of having or developing depression
- How you could weaponize 'sockpuppets' by giving them certain personality traits
- Cybervetting and your rights (or lack of rights) to privacy
- Steps you can take to manage or even alter your 'NetRep' (online reputation)

We conducted a research project called 'The Big 5 Experiment' with the objective of determining whether there were any significant correlations between a user's Facebook activity and their answers to a personality questionnaire called 'The Big Five Inventory'. The Big Five Inventory was created by Prof. Oliver John to measure the personality dimensions known as the Big Five.

Considering the ubiquity of personality tests such as the Myers-Briggs for employee selection and the growing number of companies adding cybervetting to their selection processes, it can only be a matter of time before we see the two activities merge, and at what cost to society?

You should leave the talk with an insight into how the Big 5 Experiment results could be used in attack and defense strategies. Should you wish to conduct your own research, related or not, you should also learn from what proved to be a rather fascinating experience in carrying out the experiment.

Facebook: http://www.facebook.com/onlineprivacyfoundation

Chris "TheSuggmeister" Sumner has been directly involved in Corporate Information Security at a Fortune <100 since 1999 and has maintained a passion for security since seeing the movie Wargames when it first came out. Chris is currently focused on Security in the Development Lifecycle and previously held the position of worldwide Security Manager for one of the corporation's largest business divisions.

Outside the corporate world Chris' interests include Cyberpsychology, Social Networks (a keen tweeter and facebooker), Data Mining and Visual Analytics.

Together with a small group of likeminded individuals, he co-founded the not-for-profit (purely for loss) Online Privacy Foundation in order to get security people talking in their communities.
Twitter: @TheSuggmeister

alien is a DEF CON Goon and the co-organiser of DEF CON London (DC4420). He holds two degrees, a Bachelor's with Honours in Computer Science and an Information Security Master's degree from Royal Holloway, earned rather too many years ago for comfort.

alien has been an Information Security Consultant/Security Architect across a large number of industries for over 10 years and is currently doing "stuff & things" for a FTSE10 company.
Twitter: @alien8

Alison B is a Civil Servant and statistician with a keen interest in privacy issues. Having spent time working for the Defence and the Health sectors, she is fully aware of the power of information and the steps that should be taken to care for individual level data.

With a degree in Experimental Psychology, she also has a keen interest in human behaviour and is fascinated by the effects of culture, religion, emotion, authority, genetics and social norms on people and their actions, thoughts and beliefs.

How To Get Your Message Out When Your Government Turns Off The Internet

How would you communicate with the world if your government turned off the Internet? Sound far-fetched? It isn't. It already happened in Egypt and Libya, and the US Congress is working on laws that would allow it to do the same. In this talk we'll explore how to get short messages out of the country via email and Twitter in the event of a national Internet outage. Remember, data wants to be free.

Bruce Sutherland is a network systems architect and software developer with Domex Computer Services Inc, based in Melbourne Beach, FL. Bruce has worked in the industry for over 20 years and has recently been working on building and hardening web-based applications. He has been an amateur radio operator since 2003 and enjoys making contacts worldwide via amateur radio satellite and on the traditional HF bands.

Web Application Analysis With Owasp Hatkit

The presentation will take a deep dive into two newly released Owasp tools: the Owasp Hatkit Proxy and the Owasp Hatkit Datafiddler. The name Hatkit is an acronym (of sorts) for Http Analysis Toolkit, and the tools are mainly for people who analyse (hack!) web applications. The tools make extensive use of MongoDB, in particular the advanced querying facilities available in this database. Prior knowledge of Javascript and Python is an advantage, but absolutely not a requirement.

Martin Holst Swende is a Senior Security Consultant at 2Secure AB, working with application security and penetration testing. Martin has a background as a Java/J2ME programmer but nowadays finds more joy in Python and Javascript. Martin is project leader for the Owasp Hatkit Proxy/Datafiddler projects and a contributor to open source security projects such as Webscarab and Nmap.
Twitter: @mhswende

Patrik Karlsson is a Senior Security Expert with over ten years of experience in the field of IT and Information Security. Patrik's areas of expertise include security penetration testing, vulnerability assessments, software application security audits and incident investigations. Patrik is an active Nmap contributor and runs the security-related web site www.cqure.net.
Twitter: @nevdull77

Wireless Aerial Surveillance Platform

Tired of theory? This session has everything you want, big yellow aircraft flown by computers, pounds of highly volatile chemicals, CUDA, 50 Amp electrical circuits and the ability to attack networks, systems and cell phones interactively from a remote location anywhere in the world. We will demonstrate a fully functional open source autonomous aerial wireless hacking platform and explain how to pwn the friendly skies. The talk will cover actual construction and components of the aircraft itself and its mission support systems. From start to finish, we will discuss design concepts, lessons learned and potential pitfalls.

Mike Tassey is a security consultant to Wall Street and the US Intelligence Community. He spent the majority of his 16-year information security career in support of the Dept. of Defense (both in uniform and out) and now does security consulting for global companies and government. His interests include martial arts, lolcats, danger and putting large things in small airplanes.

Rich Perkins is an avid radio control enthusiast and a senior security engineer supporting the U.S. Government. He has had a 20-year Information Technology career including programming, Enterprise Administration, and Information Security. Hobbies include hiking, SCUBA diving, R/C, computers and electronics, as well as a penchant for voiding warranties.

Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence

Nothing is harder to see than things we believe so deeply we don't even see them. This is certainly true in the "security space," in which our narratives are self-referential, bounded by mutual self-interest, and characterized by a heavy dose of group-think. That narrative serves as insulation to filter out the most critical truths we know about our work.

An analysis of deeper political and economic structures reveals the usual statements made in the "security space" in a new context, one which illuminates our mixed motivations and the interpenetration of overworlds and underworlds in our global society. Crime and legitimacy, that is, are the yin/yang of society, security, and our lives. You can't have one without the other. And nobody should know this better than hackers.

This presentation will make you think twice before uncritically using the buzzwords and jargon of the profession — words like "security," "defense," and "cyberwar." By the end of this presentation, simplistic distinctions between foreign and domestic, natural and artificial, and us and them will go liquid and the complexities of information security will remain ... and permeate future discussions of this difficult domain.

As a result, we will hopefully think more clearly and realistically about our work and lives in the context of the political and economic realities of the security profession, professional intelligence, and global corporate structures.

Richard Thieme has published hundreds of articles, dozens of short stories, and two books (including Mind Games, a collection of short stories, with more coming: FOAM, a novel, a serio-comic narrative of sex, secrets and intrigue, will be completed soon, followed by "The Room," a novelette about torture and the tortured), and he has given several thousand speeches. He speaks professionally about the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. Many recent speeches have addressed security and intelligence issues for professionals around the world. He has keynoted conferences in Sydney and Brisbane, Wellington and Auckland, Dublin, Heidelberg and Berlin, Amsterdam, the Hague, and Rotterdam, Eilat, Israel and Johannesburg, South Africa, and the USA. Clients range from GE and Microsoft to the FBI, the US Dept of the Treasury, and the US Secret Service. His pre-blog column, "Islands in the Clickstream," was distributed to thousands of subscribers in sixty countries before collection as a book by Syngress, a division of Elsevier. His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities. He lives with his wife, Shirley, in Fox Point, Wisconsin and can be reached at www.thiemeworks.com.

Insecurity: An Analysis Of Current Commercial And Government Security Lock Designs

Lock manufacturers continue to produce insecure designs in both mechanical and electro-mechanical locks. While these devices are designed to provide secure access control to commercial and government facilities, in fact many do not. Recent disclosures with regard to extremely popular push-button locks have led to an expanded investigation into their technology and security by our research team. As a consequence, it appears that mechanical locks, as well as electro-mechanical locks that are compliant with government standards, may be subject to several different forms of compromise, thereby placing commercial and government facilities at risk.

In this presentation, we will examine specific design parameters that are supposed to provide a high level of protection against covert entry for both commercial and government facilities, but do not.

It would be logical to assume that the electronics and physical hardware within physical access security devices would work together and present a high level of difficulty in circumventing the requirements of these standards. Our research has disclosed that such is not the case in certain devices. Our investigation with regard to a specific manufacturer of extremely popular hardware discloses a lack of understanding with regard to security engineering and an inability to produce hardware that is immune to different forms of attack. We document three serious occurrences of security engineering failures with regard to different product designs, all intended to provide a certain level of security for commercial and government facilities.

We will examine different designs, both mechanical and electronic, and why there is a basic failure in the most basic fundamentals of designing a secure device.

Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He is the principal attorney for Investigative Law Offices, P.C. and as part of his practice represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. Marc and his associates also conduct technical fraud investigations and deal with related legal issues. Marc has authored five police textbooks, including Locks, Safes, and Security, which is recognized as a primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book (LSS+) is also available online.

Marc has written extensively about the security vulnerabilities of products and has appeared in numerous television and radio interviews and news reports as well as magazine articles during the past thirty years. He is a member of several professional organizations including the American Bar Association (ABA), American Society for Industrial Security (ASIS), Associated Locksmiths of America (ALOA), Association of Firearms and Toolmark Examiners (AFTE), American Polygraph Association (APA) and the American Police Polygraph Association (APPA).

Matt Fiddler is a certified and registered locksmith and Security Professional with over 19 years of experience. Mr. Fiddler's research into lock bypass techniques has resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 19 years enhancing his extensive expertise in the areas of Covert Entry Tool Design, Physical Security Consulting, Computer Forensics and Intrusion Analysis.

Born in Caracas, Venezuela, Tobias came to the United States in 1995 and was granted citizenship in 2000. He has been a professional locksmith for the past 20 years. Tobias is an expert in Covert Methods of Entry and has developed many unique forms of bypass and custom tools, including a decoder for Medeco locks, which was the impetus for the book "Open in Thirty Seconds".

DIY Non-Destructive Entry

Ever leave the house without your picks only to find yourself in a situation where you desperately need them? Well, never fear! I'm going to explain how to open everything from cars, to briefcases to safes with objects as common as popsicle sticks and unconventional as palm sanders. Every attack will be fully explained so you understand the underlying mechanisms and how we are taking advantage of mechanical tolerances and design flaws to own these locks.

Schuyler Towne toes a strict ethical line when it comes to lockpicking, but lives a rich fantasy life where he is a lockpicking rogue stealing from the mansions of rich Italians and giving their valuables to the poor. By day he is a socialite who often helps the local constable solve crimes, but by night he is the man who robs the robber barons! This is all much more glamorous than reality, where Schuyler spends most of his days getting giddy about 19th century lock patents and annoying his friends by fondling their keys.
Facebook: www.facebook.com/stowne

The Future of Cybertravel: Legal Implications of the Evasion of Geolocation

This presentation discusses the current legal status of evasion of geolocation and the potential liability of the user-evader or provider of an evasion tool. The presentation also projects how the law might develop to treat acts of evasion and what challenges the technical community might face in this area.

The legal community has shown an interest in geolocation for several years; however, until recently it did not seriously consider mandating the use of geolocation to comply with national laws and regulations. Recently, there have been indications that governments will turn to geolocation as a viable means of partitioning cyberspace; geolocation tools should help mimic physical borders in cyberspace. The emerging reliance of legal systems on geolocation creates a need to address evasion of geolocation and reevaluate the legality of acts of evasion.

So far, no legal disputes concerning evasion have been published; however, the ongoing disputes regarding place-shifting technologies, such as the lawsuits against ivi and Justin.tv in the U.S., TV Catch UP in the U.K., and ManekiTV in Japan, indicate that evasion of geolocation is the next in line for legal attention.

The presentation will provide no legal advice but will offer a number of suggestions that should be considered by those who use evasion, are interested in evasion, or are in the process of developing evasion tools. Additionally, it will suggest the types of legal policy issues that are likely to emerge in the near future.

Dr. Marketa Trimble is an intellectual property law professor at the William S. Boyd School of Law, University of Nevada, Las Vegas. Her research and teaching on cross-border intellectual property issues have led her to the investigation of various cyberlaw issues, including legal problems in the context of the internet as the primary place for business and daily activities. She holds two doctoral law degrees, one from Stanford University Law School and one from Charles University Law School in Prague, has expertise from working in the European Union and in European governments, and conducts legal research in English, German and Czech, which gives her a unique perspective on legal problems that transcend international borders and involve the legal regimes and policy choices of multiple countries.

Runtime Process Insemination

Injecting arbitrary code during runtime in Linux is a painful process. This presentation discusses current techniques and reveals a new technique not used in other projects. The proposed technique allows for anonymous injection of shared objects, the ability to pwn a process without leaving any physical evidence behind. Libhijack, the tool discussed and released in this presentation, enables injection of shared objects in as little as eight lines of C code. This presentation will demo real-world scenarios of injecting code into end-user processes such as Firefox, Nautilus, and Python.

Shawn Webb is a professional security analyst. He works with Linux, FreeBSD, and Windows systems, finding vulnerabilities in in-house applications. He's a proud member and contributor of SoldierX.
Twitter: lattera

Network Nightmare: Ruling The Nightlife Between Shutdown And Boot With Pxesploit

The best techniques for exploitation, maintaining access, and owning in general move down the stack, using low-level code to bypass security controls. Take the preboot execution environment and get BIOS-level access to the hardware from across the network, outside any control of the on-disk operating system. In this presentation I will detail the pxesploit attack I wrote, releasing a new Metasploit-based comprehensive PXE attack toolkit to deliver any payload reliably to many different operating systems. Also new will be the ability to host a PXE attack through a meterpreter session in memory, using it to escalate privileges and own remote networks.

Matt Weeks has performed research in mathematics in chaos and cryptology, and focuses on information security. He enjoys finding ways to break application security, writing shellcode, and creating post-exploitation techniques. Also known as scriptjunkie, he is a developer for the Metasploit framework, wrote the sessionthief MITM tool, and broke a cryptosystem based on chaos theory. He runs a blog at http://www.scriptjunkie.us/

Seven Ways to Hang Yourself with Google Android

According to Google, Android was designed to give mobile developers "an excellent software platform for everyday users" on which to build rich applications for the growing mobile device market. The power and flexibility of the Android platform are undeniable, but where does it leave developers when it comes to security? In this talk we discuss seven of the most interesting code-level security mistakes we've seen developers make in Android applications. We cover common errors ranging from the promiscuous or incorrect use of Android permissions to lax input validation that enables a host of exploits, such as query string injection. We discuss the root cause of each vulnerability, describe how attackers might exploit it, and share the results of our research applying static analysis to identify the issue. Specifically, we will show our successes and failures using static analysis to identify each type of vulnerability in real-world Android applications.

Yekaterina Tsipenyuk O'Neil is the founding member of the Security Research Group at Fortify Software, where she is responsible for performing code audits, identifying and analyzing insecure coding patterns, providing security content for Fortify's software security products, and researching ways to improve the quality of the tools. Outside of the office, Yekaterina spends time working with customers and speaking at conferences. Yekaterina has a B.S. and an M.S. in computer science from the University of California, San Diego. Her thesis work focused on mobile agent security.

Erika Chin is a Ph.D. student in Computer Science at the University of California, Berkeley. She is in the security research group, and her current research interest is improving mobile phone security. In particular, she is interested in addressing developer confusion and difficulty that lead to vulnerabilities in mobile phone applications. She recently presented at MobiSys on vulnerabilities stemming from inter-application communication in Android.

Key Impressioning

We've all seen lockpicking explained on several security venues. You might even have tried it yourself. But what if you need to open a lock a number of times? Wouldn't it be great to have an opening technique that would supply you with a working key in the process? A method to do this has existed for quite some time, but until recently it has remained quite unknown. Some time ago impressioning locks got "re-invented" by the lockpick community and the skill evolved to the level now shown at several international championships. What is it? How does it work? What skill is involved? Why is it the most interesting way to open a lock? These questions, and more will be answered in this talk.

Jos Weyers: After finishing second in the ongoing toool.nl competition four times in a row, he decided to do some training. 300-400 blanks later he slashed the then world record time of 4 minutes and 23 seconds to impression an ABUS C83: he did it in 87 seconds! He's the current Dutch champion (second time in a row), the current German Meister (that's champion :-)) and current world record holder in this particular lock opening technique. Most people know him as the Dutch Kilt guy.


Staying Connected during a Revolution or Disaster

During the recent revolutions in Africa and the Middle East, governments have shut down both Internet and Phone services in an attempt to quell communication among demonstrators. In addition, during natural disasters, people have been left without a means of finding out the latest news regarding emergency services. We will discuss methods that can circumvent severed telecommunication infrastructures, including the use of mobile devices to act as ad hoc network access points. At the end of this talk, a new open source project will be announced, with the goal of developing the capabilities to generate spontaneous networks in times of crisis using current cellular phone technology.

Thomas Wilhelm is a Senior Security Consultant within the Penetration Test practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for application security, incident response, penetration testing, physical security and security research for Trustwave's clients. Thomas has been involved in Information Security since 1990, where he served in the Army for eight years as a Signals Intelligence Analyst / Russian Linguist / Cryptanalyst.

Thomas is also a Doctoral student who holds Masters degrees in both Computer Science and Management, and has written numerous articles and books; the latest being "Ninja Hacking," published by Syngress.
Twitter: thomas_wilhelm


Traps of Gold

The only thing worse than no security is a false sense of security. And though we know "you can't win by defense alone", our modern approaches tend to act as though offense and defense are two entirely separate things. Treating security as an issue of quality has gotten us far; however, nearly every day, some of the largest companies are still being compromised. It's become apparent that with enough time a skillful attacker will always get in. We have created new armaments to fight back. This style of fighting, known as maneuverability, aims to make your opponents expend their own resources while putting yourself in a position of strategic advantage. Using techniques that leverage deception, ambiguity, and tempo we believe we can do better to protect web applications. If time is an attacker's most important resource, let's steal it away from them. But talk is cheap. Not only will we demonstrate real world examples of this system, we encourage you to prove us wrong. An unofficial web application capture the flag competition, based on deceptive defense techniques, will be made available for testing throughout the conference.

Andrew Wilson is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security. He has over 9 years' experience building and securing software for a variety of companies. Andrew specializes in application security assessment, penetration testing, threat modeling and the secure development life cycle. Andrew is active in the developer and security community as a speaker, a trainer, and as a leader of the Phoenix OWASP group.
Twitter: @Kuzushi

Michael Brooks writes exploit code because it is challenging and a privileged art form. He writes secure software and helps others do the same because secure software is a luxury that should be shared. He is the top answerer of security and cryptography questions on StackOverflow.com (Rook).
Exploit Code: http://www.exploit-db.com/author/?a=628
He works for Sitewatch: https://sitewat.ch


Network Application Firewalls: Exploits and Defense

In the last few years, a so-called whole new generation of firewalls has been released by various vendors, most notably Network Application Firewalls. While this technology has gained a lot of market attention, little is actually known by the general public about how it actually works, what limitations it has, and what you really need to do to ensure that you're not exposing yourself. This presentation will examine and demystify the technology and its implementation, demonstrate some technology- and implementation-specific vulnerabilities and exploits, explain what it can and can't do for you, and show how to defend yourself against potential weaknesses.

Brad Woodberg: I hail from just outside of Detroit, MI, graduating from Michigan State University with a BS in Computer Engineering. Prior to joining Juniper Networks a few years ago, I was a security consulting engineer at a consulting firm in Ann Arbor, Michigan for four and a half years, responsible for everything from penetration testing to intrusion investigation, managed services, implementations, whatever our sales guys could sell. At Juniper I'm heavily involved with product development and security testing, and all sorts of involvement with our security team. In addition to my work at Juniper, I have also co-authored three technical books: Junos Security, Configuring Netscreen/SSG Firewalls, and Configuring Juniper SSL VPN.


Phishing and Online Scam in China

Today, eBay, PayPal and WoW are all popular targets of global phishing. However, phishing in China is different from that in other countries. The Chinese government has already placed a lot of focus on this issue; however, online scams have already gone beyond the traditional scope of phishing. For example, one of the top five phishing targets is CCTV, the official Chinese TV station that produces several of the most widely distributed Chinese TV channels. I will explain how hackers get money through CCTV phishing. In the first part of the presentation, I will introduce the massive online bank phishing attacks that targeted customers of the Bank of China in February 2011. Then, I will share information about popular scams that try to trick people into believing they have won the lottery or bought cheap tickets. Finally, I will show a case of Taobao phishing and analyze its framework and the source code behind it.

Joey Zhu is a staff engineer at Trend Micro Inc. He joined Trend Micro's CoreTech team in 2005. He is highly experienced in threat knowledge and developed the sandbox for TrendLabs while working as an expert at PH in 2007. Since 2008, he has been the leader of the ScriptAnalyzer project, which analyzes HTML/Script to clean up web threats for browsers. Now he is also focusing on anti-phishing solutions.


Vanquishing Voyeurs: Secure Ways To Authenticate Insecurely

Observation is one of the principal means of compromise of authentication methods relying on secret information such as PINs and login/password combinations. Attackers can gather this information via observation, either from without by methods such as shoulder surfing and camera-based ATM skimmers, or from within by methods such as keystroke loggers and button-overlay-based ATM skimmers. Though these vulnerabilities of PIN/password based authentication mechanisms are well known, they have been difficult to correct due to the prevalence and general acceptance of such systems -- they are used in essentially all ATMs, mobile device locking mechanisms, and most web-based authentication schemes. It is difficult to avoid at least the occasional use of untrusted public terminals and devices and the unlocking of one's mobile device in public. We therefore present our research into devices and techniques for mitigating the threat of credential compromise when doing so. These include haptic and auditory mechanisms for password entry into public terminals, mobile device tools for turning one's mobile device into an observation-resistant password entry system, and strategies and tools for secure password entry in the presence of keyloggers and other input recording devices. These techniques can successfully evade observation even when one does not have administrative control of the terminal, as in the case of internet cafe computers and public ATMs.

Zoz is a robotics interface designer and rapid prototyping specialist. He is co-founder of Cannytrophic Design in Boston and CTO of BlueSky in San Francisco. He is a visiting professor at KAIST in Korea. He is best known for the Discovery Channel shows 'Prototype This!' and 'Time Warp', and for faking a crop circle.

Andrea Bianchi is an interface inventor and designer. He is the director of the DALSMA (Digital Architecture and Large Scale Media Art) conference and is currently completing his PhD in Culture Technology at KAIST in Korea. He owns 19 pairs of glasses.


Panel: Is it 0-day or 0-care?

Vulnerability Databases (VDBs) have provided information about security vulnerabilities for over 10 years. This has put VDBs in a unique position to understand and analyze vulnerability trends and changes in the security industry. This panel presentation will examine vulnerability information over the past several years with an emphasis on understanding security researchers, quality of research, vendors, disclosure trends and the value of security vulnerabilities. The emotional debate surrounding Full Disclosure has raged on for decades. This panel will use grounded data to discuss salient points of the debate to hopefully determine trends that may influence the debate. Maybe even in a positive fashion!

Jake Kouns is the co-founder, CEO, and CFO of the Open Security Foundation (OSF), a non-profit organization that oversees the operations of the Open Source Vulnerability Database (OSVDB.org), Cloutage.org and DataLossDB. All projects are independent and open source databases that provide detailed and unbiased technical information on security vulnerabilities, cloud security and data loss incidents world-wide. Mr. Kouns has presented at many well-known security conferences including RSA, CISO Executive Summit, EntNet IEEE GlobeCom, CanSecWest and SyScan. He is the co-author of the books Security in an IPv6 Environment (Taylor & Francis, 2009) and Information Technology Risk Management in Enterprise Environments (Wiley, 2010). He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

Brian Martin has been maintaining or contributing to vulnerability databases since 1993. As the content manager for the Open Source Vulnerability Database (OSVDB), he is constantly exposed to new challenges in vulnerability management. A long-time advocate of vulnerability database evolution, he has helped push VDBs forward and challenged them to become more useful and more thorough. No degree or certifications; just 18 years working with vulnerabilities as part of the day job and hobbies. He remains a champion of small misunderstood creatures.

Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation. He is the editor of the Common Vulnerabilities and Exposures (CVE) list, Chair of the CVE Editorial Board, and technical lead for the Common Weakness Enumeration (CWE), CWSS, and the CWE/SANS Top 25 Most Dangerous Software Errors. He has been an active contributor to other efforts including NIST's Static Analysis Tool Exposition (SATE), the Common Vulnerability Scoring System (CVSS), and the SANS Secure Programming exams, and was a co-author of the influential "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002. His current interests include secure software development and testing, consumer-friendly software security metrics, the theoretical underpinnings of vulnerabilities, and vulnerability research. He holds a B.S. in Computer Science from Hobart College.

Carsten Eiram comes from an esrever engineering background and is a vulnerability connoisseur during the day with extensive experience in the fields of vulnerability research and Vulnerability Intelligence. At night, he's a binary ninja having successfully stalked, found, and killed many critical vulnerabilities in popular software from major software vendors. Carsten is currently the Chief Security Specialist at Secunia and holds the dual responsibility of developing and managing the Secunia Research unit as well as maintaining close dialogue with software vendors and the security community, thereby ensuring both the quality and integrity of Secunia's work. He is often referred to as the Security Beast, but has yet to manage getting that title on to his business cards. Carsten is a key contributor to the high technical quality and accuracy of Secunia's Vulnerability Intelligence solutions, and one of his responsibilities is to ensure that Secunia continues to be the most respected and trustworthy provider of Vulnerability Intelligence and the most active research house. Based on his and his team's research efforts, Frost & Sullivan presented awards to Secunia in both 2010 and 2011. Carsten is also a regular contributor to the "Threat of the Month" column in SC Magazine, a credited contributor to the "CWE/SANS Top 25 Most Dangerous Software Errors" list, and a member of the CVE Editorial Board.

Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI). He has studied vulnerabilities and coordinated responsible disclosure efforts since joining CERT in 2001. Manion currently focuses on vulnerability discovery and other areas of applied research, including ways to improve operational vulnerability response. Prior to joining the SEI, Manion was the Director of Network Infrastructure at Juniata College.

Dan Holden is the director of security research for HP TippingPoint, where he leads one of the most well respected security research groups in the industry. His teams oversee product security testing, the Zero Day Initiative, the Digital Vaccine services, new security technologies, and vulnerability and malware research. Prior to HP TippingPoint, Dan was a founding member of IBM/ISS X-Force. Dan helped build and define X-Force over the course of 12 years in various capacities ranging from development to product management. Dan has been in the security industry for over 17 years specializing in vulnerability analysis, security research and IPS technology. Dan is a frequent speaker at major industry conferences and has been quoted and featured in many top publications.

Alex Hutton is a big fan of trying to understand security and risk through metrics and models. Currently, Alex is a principal for Research & Intelligence with the Verizon Business RISK Team. The Verizon RISK Team builds and hones the risk models for Cybertrust services, produces the Verizon Data Breach Investigations Report and Verizon's PCI Compliance Report, and is responsible for the VERIS data collection and analysis efforts. As a member of the RISK team, Alex also writes regularly for the Verizon Security Blog (http://securityblog.verizonbusiness.com). Alex likes risk and security so much, he spends his spare time working on projects and writing about the subject. Some of that work includes contributions to the Cloud Security Alliance documents, the CIS metrics project, the ISM3 security management standard, and work with the Open Group Security Forum. Alex is a founding member of the Society of Information Risk Analysts (http://societyinforisk.org/), and blogs for their website and records a podcast for the membership. He also blogs at the New School of Information Security Blog (http://www.newschoolsecurity.com).

Katie Moussouris leads the Security Community Outreach and Strategy team at Microsoft. Her team's work encompasses Security Ecosystem Strategy programs such as Microsoft's BlueHat conference and worldwide hacker conference engagement, security researcher outreach, and Microsoft's Vulnerability Disclosure Policies. Katie also founded and runs Microsoft Vulnerability Research, which is responsible for Microsoft's research and reporting of vulnerabilities in 3rd party software. Katie was recently voted the editor of a new draft ISO standard on Vulnerability Handling Processes, following her work over the past 4 years as the lead expert in the US National Body on an ISO draft standard on Vulnerability Disclosure. Prior to working for Microsoft, Katie was a penetration tester for several Fortune 500 companies and a senior security architect for @stake when it was acquired by Symantec. At Symantec, Katie founded and ran Symantec Vulnerability Research.


Speaker Index


Josh Abraham
Chema Alonso (1, 2)
Iftach Ian Amit
Anarchy Angel
Derek Anderson
Sterling Archer
James "Myrcurial" Arlen (1, 2, 3)
Mike Arpaia


Adam Baldwin
Kevin Bankston
Andrea Barisani
Bruce "Grymoire" Barnett
Aaron Barr
Rod Beckstrom
Andrea Bianchi
Daniele Bianco
Oliver Bilodeau (1, 2)
Tobias Bluzmanis
Emmanuel Bouillon
Sam Bowne
Michael Brooks
David M. N. Bryan
Jeff Bryner
Jamie Butler


Marcus J. Carey
George Chamales
Erika Chin
Jeremy Chiu (aka Birdman)
Ming Chow
Steve Christey
Sandy "Mouse" Clark
Christopher Cleary
Tyler Cohen
Kees Cook
Greg Conti
Joshua Corman (1, 2)
Paul Craig
Adrian Crenshaw "Irongeek"
Dan Crowley
Phil Cryer


Jack Daniel
Dark Tangent
Ganesh Devarajan
Deviant Ollam (1, 2)
Whitfield Diffie
Artem Dinaburg
Jerry Dixon
Alva 'Skip' Duckwall


Peter Eckersley
Luiz Eduardo
Carsten Eiram
Nelson Elhage
Tim Elrod
Patrick Engebretson
Joshua Engelman
Justin Engler
Tom Eston


Hanni Fakhoury
Ben Feinstein
Matt Fiddler
Gregory Fleischer
Zac Franken
Gus Fritschie
Eric Fulton


Daniel Garcia
Juan Garrido "Silverhack" (1, 2)
Andrew Gavin
Kenneth Geers
Jake "GenericSuperhero"
Ramon Gomez
Vlad Gostom
Rob Graham
Wendel Gugliemetti Henrique


Brad "Renderman" Haines
Nathan Hamiel
Rob Havelt
Deral Heiland
Chris Hoff
Dan Holden
Thomas J. Holt
Rick Howard
Alex Hutton (1, 2)


Jibran Ilyas
Robert "Hackajar" Imhoff-Dousharm


Aseem Jakhar
Jeff Jarmoc
Matt Johanson
Kevin Johnson
Matt 'openfly' Joyce


Dan Kaminsky
Patrik Karlsson
Paul Kehrer
Dave Kennedy (ReL1K)
Brian Kennish
Max Kilger
Todd Kimball
Steve Kirk
Alexander Kornbrust
Itzik Kotler (1, 2)
Jake Kouns
Matt Krick "DCFluX"


Anthony Lai (aka Darkfloyd)
Adam Laurie
Seth Law
Shane Lawson
Don LeBert
Grayson Lenik
Katy Levinson
Ryan Linn
David Litchfield
Johnny Long


Art Manion
William Manning
Joey Maresca
Moxie Marlinspike (1, 2)
Joshua Marpet
Brian Martin
Dave Maynor
Chris McCeniry
John McCoy
Wesley McGrew
Martin McKeay
John McNabb
Charlie Miller
Rich Mogull
Michael Moore
Stefan Morris
David Mortman
Katie Moussouris


Teague Newman


Steve Ocepek
Yekaterina Tsipenyuk O'Neil
Kurt Opsahl
Kyle 'Kos' Osborn
Jason Ostrom
Nicole Ozer


Josh Pauli
Nicholas J. Percoco (1, 2, 3)
Larry Pesce
Rich Perkins
Abigail Phillips
Josh Phillips
Gregory Pickett
Jason M. Pittman
Bruce Potter


Tiffany Rad
Mahmud Ab Rahman
Rebecca Reagan
Ted Reed
Semon Rezchikov
Paul Roberts
Michael Robinson
Dan Rosenberg
David Rude


Deborah Salons
Tony Sager
Michael Scarito
Michael "theprez98" Schearer (1, 2)
Sean Schulte
Jason Scott
Justin Searle
Dave Shackleford
Jimmy Shah
Reeves Smith
Jayson E. Street
John J. Strauchs
Chris "TheSuggmeister" Sumner
Harish Skanda Sureddy
Bruce Sutherland
Martin Holst Swende


Mike Tassey
Richard Thieme
Marc Weber Tobias
Schuyler Towne
Marketa Trimble


Will Vandevanter


Morgan Wang
Shawn Webb
Matt "scriptjunkie" Weeks
Linton Wells
Jacob West
Jos Weyers
Thomas Wilhelm
Andrew Wilson
Brad Woodberg
Mike Wright


Joey Zhu