Join Us August 1st–4th, 2013

All 4 days just $180 USD!

at the Rio Hotel in Las Vegas!

Cash only at the door.


The ACLU Presents: NSA Surveillance and More

From the NSA's PRISM and metadata programs to IMSI catchers, location tracking to surveillance drones, and warrantless wiretapping to the AP's emails – this has been the year of surveillance. Come join the American Civil Liberties Union as we unravel the thicket of new technologies and laws that allow the U.S. government to surveil Americans in more intrusive ways than ever before. We will explore the latest news and trends in surveillance, reasons to despair, grounds to be hopeful, and ways in which you can help the ACLU's fight against government overreaching.

Catherine Crump (@CatherineNCrump) is a Staff Attorney with the ACLU's Speech, Privacy and Technology Project. She specializes in free speech and privacy litigation, particularly regarding the impact of new technologies on First and Fourth Amendment rights. She is lead counsel in the ACLU's challenge to the government's suspicionless searches of laptops at the international border, and is litigating a series of cases challenging the government's claim it can track the location of people's cell phones without a warrant.

Christopher Soghoian (@csoghoian) is the Principal Technologist with the ACLU's Speech, Privacy and Technology Project. He completed his Ph.D. at Indiana University in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers. In order to gather data, he has made extensive use of the Freedom of Information Act, sued the Department of Justice, and recorded phone company executives bragging about their surveillance practices.

Kade Crockford (@onekade) is director of the Technology for Liberty program at the ACLU of Massachusetts, where she quarterbacks the ACLU of Massachusetts' work challenging the growing surveillance state and defending core First and Fourth Amendment and due process rights. Kade is currently working on a long term project to document and challenge the militarization and federalization of state and local law enforcement, focusing on the procurement and deployment of advanced surveillance and weapons systems, towards the end of bringing local police back under local control. She built and maintains the dedicated privacy website, which hosts the Privacy Matters blog.

Alex Abdo (@AlexanderAbdo) is a staff attorney in the ACLU's National Security Project, where he litigates cases concerning the expansive surveillance policies of the post-9/11 era. For example, he was counsel in the ACLU's recent Supreme Court challenge to the NSA's warrantless wiretapping program; he is currently challenging the NSA's collection of all Americans' telephony metadata; and he is suing for release of the government's secret interpretation of Section 215 of the Patriot Act.

Nicole Ozer is the Technology and Civil Liberties Policy Director at the ACLU of California. She works on the intersection of new technology, privacy, and free speech and developed the organization’s online privacy campaign, Demand Your dotRights. Nicole graduated magna cum laude from Amherst College, studied comparative civil rights history at the University of Cape Town, South Africa, and earned her J.D. with a Certificate in Law and Technology from Boalt Hall School of Law, University of California Berkeley. Before joining the ACLU, Nicole was an intellectual property attorney at Morrison & Foerster LLP. Nicole was recognized by San Jose Magazine in 2001 for being one of 20 “Women Making a Mark” in Silicon Valley.


Ask the EFF: The Year in Digital Civil Liberties

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

Kurt Opsahl (@kurtopsahl) (@eff) is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Opsahl has counseled numerous computer security researchers on their rights to conduct and discuss research. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arriba Soft, MGM v. Grokster and CoStar v. LoopNet. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook". In 2007, Opsahl was named as one of the 'Attorneys of the Year' by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal, which established the reporter's privilege for online journalists.

Marcia Hofmann is an EFF Fellow. Now in private practice, Marcia was previously a senior staff attorney at the Electronic Frontier Foundation, where she focused on computer crime and security, electronic privacy, free expression, and other digital civil liberties issues. Prior to joining EFF, Marcia was staff counsel and director of the Open Government Project at the Electronic Privacy Information Center (EPIC).

Dan Auerbach is a Staff Technologist who is passionate about defending civil liberties and encouraging government transparency. Coming to EFF with a background in mathematical logic and automated reasoning, as well as years of engineering experience at Google, Dan now works on EFF's various technical projects and helps lawyers, activists, and the public understand important technologies that might threaten the privacy or security of users.

Eva Galperin is EFF's Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills.

Mark Jaycox is a Policy Analyst and Legislative Assistant for EFF. His issues include user privacy, civil liberties, EULAs, and "cybersecurity" (online security). When not reading legal or legislative documents, Mark can be found reading non-legal and legislative documents, exploring the Bay Area, and riding his bike. He was educated at Reed College, spent a year abroad at the University of Oxford (Wadham College), and concentrated in History and Politics. The intersection of his concentration with advancing technologies and the law was prevalent throughout his education, and Mark's excited to apply these passions to EFF. Previous to joining EFF, Mark was a Contributor to ArsTechnica, and a Legislative Research Assistant for LexisNexis.

Mitch Stoltz is a Staff Attorney at the Electronic Frontier Foundation, focusing on intellectual property. Before joining EFF, Mitch worked on copyright and antitrust litigation for high-tech clients at Constantine Cannon LLP in Washington DC. Long ago, in an Internet far far away, Mitch was Chief Security Engineer at Netscape Communications and, where he put out fires and cajoled hackers on three continents. He also interned at the Computer and Communications Industry Association and the office of Massachusetts State Senator Jack Hart. Mitch has a JD from Boston University and a BA in Public Policy and Computer Science from Pomona College, where he co-founded the student TV station Studio 47.


DEF CON Comedy Jam Part VI, Return of the Fail

You know you can't stay away! The most talked about panel at DEF CON! More FAIL than you can shake a stick at. Come hear some of the loudest mouths in the industry talk about the epic security failures of the last year. So much fail, you'll need waffles to make it through. Nothing is sacred, not even each other. Over the last two years, we've raised over $2000 for the EFF; let's see how much we can raise this year.

David Mortman is the Chief Security Architect at Enstratius and is a Contributing Analyst at Securosis. Before enStratus, he ran operations and security for C3. He was formerly the Chief Information Security Officer for Siebel Systems, Inc. Previously, Mr. Mortman was Manager of IT Security at Network Associates. Mr. Mortman has also been a regular panelist and speaker at RSA, Blackhat, Defcon and Secure360. Mr. Mortman sits on a variety of advisory boards including Qualys. He holds a BS in Chemistry from the University of Chicago. David writes for Securosis, Emergent Chaos and the New School blogs.

Rich Mogull (@rmogull) is a recovering Gartner analyst who is embarrassed at corporate events because he actually enjoys using technology and can even pop a shell in a pinch. He is a DEF CON Goon, former paramedic and ski patroller, and once drove a submarine for a few minutes without hitting anything. In previous Fail panels he has broken robots, hacked WiFi, impersonated a money mule, and launched rockets.

Chris Hoff is VP of Strategy & Planning at Juniper Networks' Security Business Unit, previously serving as chief security architect, responsible for worldwide security solutions architecture, customer advocacy, and field enablement.

He was previously director of cloud & virtualization solutions at Cisco Systems where he focused on virtualization and cloud computing security, spending most of his time interacting with global enterprises and service providers, governments, and the defense and intelligence communities.

Prior to Cisco, he was Unisys Corporation’s chief security architect, served as Crossbeam Systems' chief security strategist, was the CISO and director of enterprise security at a $25 billion financial services company and was founder/CTO of a national security consultancy amongst other startup endeavors.

Dave Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable. Before that, Maynor contracted with a variety of different companies in a wide range of industries, from digital TV development to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs.

James Arlen (@myrcurial) is a senior consultant at Leviathan Security Group providing security consulting services to the utility and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for 19+ years. James is also a contributing analyst with Securosis and has a recurring column on Liquidmatrix Security Digest. Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.

Rob Graham (@ErrataRob) is an American security consultant, best known as the father of network IPS and the creator of BlackICE. He's been in cybersec since before people started using the term "cybersec," starting as a child learning from his grandfather, who was a code breaker in WWII.

More Bios to Come Soon


Hardware Hacking with Microcontrollers: A Panel Discussion

Microcontrollers and embedded systems come in many shapes, sizes and flavors. From tiny 6-pin devices with only a few bytes of RAM (ala the DEF CON 14 Badge) to 32-bit, eight core multiprocessor systems (ala DEF CON 20 Badge), each has its own strengths and weaknesses. Engineers and designers tend to have their favorites, but how do they decide what part to work with? Join DEFCON Badge designers Joe Grand and LoSTBoY, master of embedded system design FirmWarez, devoted electronics hobbyist Smitty, and moderator extraordinaire RenderMan as they argue the virtues of their favorite microcontrollers and answer questions about hardware hacking. If you're just getting started with electronics and are trying to navigate the sea of available microcontrollers, microprocessors, and modules, this panel is for you.

Joe Grand (@joegrand) is an electrical engineer and hardware hacker. He runs Grand Idea Studio and specializes in the design of consumer and hobbyist embedded systems. He created the electronic badges for DEFCON 14 through 18 and was a co-host of Discovery Channel's Prototype This. Back in the day when he was known as Kingpin, he was a member of the infamous hacker group L0pht Heavy Industries.

Mark 'Smitty' Smith (@SmittyHalibut) is a network engineer and system administrator by day, relentless maker by night. (And by the weekend.) Electronics and computers have been a hobby of his since childhood with his first 50-In-1 and a TRS-80 at the age of 6. (And by lunch hour.) Microcontrollers have been a part of his repertoire since the 8051 in the mid 90s. His recent experience includes: Arduino, native Atmel, Propeller and BASIC Stamp. He is currently spending most of his Maker energies in the analog domain on Audiophile Electronics. (And by coffee break. In fact, it's safe to say he's always involved in some project or other.)

LosT (@1o57) With a background in mathematics and robotics, LosT spends his free time between calculating how to take over the world and building the robots to accomplish it. Deciding to teach others how to create robot overlords, he created the Hardware Hacking Village for the DEF CON community with Russ in an effort to get more people involved with hardware. Fearing competition, LosT devised the Mystery Challenge to confuse and confound those who would rise up against him, eventually becoming the creator of the badges to that same end. Really he just wants to juggle and read books these days, or watch MST3K with Tom.

RenderMan (@ihackedwhat) is a white hat by trade, blackhat by fashion. He spends his days fixing stuff that other people break and evenings finding new ways to break stuff once people fix it. A frequent speaker at conferences around the world, he tries to make the world a better place by educating people about security and the hacker ethic and stuffing random electronics into stuffed toys to make them creepier than ever imagined.

FirmWarez (@FirmWarez) is an embedded systems engineer with twenty years' experience developing microcontroller-based devices ranging from toys to military hardware. Having gone the MBA route to collect such titles as 'Director of Engineering' and 'VP of Engineering', he still stays directly active in designing and building electronics for fun and profit. Currently involved in a couple of start-ups as well as freelance jobs, he works from an obfuscated lab in a barn somewhere deep in flyover country.


Meet the VCs

Venture capital investments have reached the highest level since the dot-com days. Almost seven billion dollars was invested last quarter alone. While clean-tech deals hit a new low, security deals increased the most. Security is the new black. How should we spend the next billion? Meet the VCs and strategize on the future!

Deepak Jeevankumar, partner at General Catalyst, focuses on investments in cloud computing, big data, data center infrastructure and clean energy. He has been with General Catalyst Partners since 2010, first in Boston and later in the firm’s Palo Alto office and has been closely involved in our investments in DataGravity, Virtual Instruments and Sunglass. Prior to joining GC, Deepak worked at Sun Microsystems and was an intern at the Yale Investments Office. At Sun, he was involved in designing a few top 10 supercomputers in the industry and led the high performance computing architecture practice in the Asia-Pacific region. Deepak is a graduate of the National University of Singapore, earning a B.Eng. in Computer Engineering; the Singapore-MIT Alliance, earning a S.M. in Computer Science; and the Yale School of Management, earning an M.B.A.

John M. Jack actively consults startups and is a board partner at Andreessen Horowitz. Most recently, JJ was the CEO of Fortify Software, which was acquired by Hewlett-Packard in 2010 and was the market leader in protecting enterprises from the threats posed by security flaws in business-critical software applications. Prior to this, JJ was the CEO of Covalent (acquired by VMware), the COO of The Vantive Corporation (acquired by PeopleSoft) and held executive positions at Sybase Inc. JJ is on the boards of CipherCloud, ClearSlide, AlienVault and Cenzic.


The Policy Wonk Lounge

Can wonks hack it at DEF CON? Lean back and settle in for a stimulating evening of debate on Washington's most complex cybersecurity policy issues.

Join US Government insiders for an exclusive discussion session on domestic surveillance law, foreign computer criminals, law enforcement and criminal penalties, power grid regulation, user identity and privacy, and more. The debate rages in DC... and at DEF CON for one night only!



DC101 is the Alpha to the closing ceremonies' Omega. It's the place to go to learn about the many facets of Con and to begin your Defconian Adventure. Whether you're a n00b or a long time attendee, DC101 can start you on the path toward maximizing your DEF CON Experiences.

You don't need a badge to see the 101 Talks, though some of the content may make it an R Rated movie.

HighWiz █████ █████ ████████ ██ President Obama's ███ ███ ████ advanced persistent threat ███████████ █████████: █████ █ "Justin Bieber" ███ ███ Roswell, NM. █ ██████ ████████ ███ █████ █████████ ██ ███ Treaty of Versailles ███ ██ ███ ████████/███████ █████████ ██ ███ global peace & security ████ █████████ SPECTRE ███ █ █████ 1984 Olympic Games █████████ ███ ██████████ " the final solution" ██. ███████'█ █████ ████ ██ █████ ███████ ██ ███ ██ ███ NSA's PRISM program ████ ███ ███████ Council of Nicea ████████ ████ ██ Kremlin ██ ███ DPRK ██ ███████ ███ military industrial complex ████ █████ ███. █████ █████ ██ ████ ███████: ███████ ███ ████ ███ as the inspiration for ████ ██ ███ ████████ Full Metal Jacket ███ ██ ████ Gen Keith Alexander. ██ ███ ████ ██████ ██ top secret surveillance dirigible ██████ ███ ███████ ████ ██ the gay agenda ██ ███ █████ ██ ███ secret alliance of Opus Dei and the Jesuits ███ ████████ ███ truth, justice, and The American Way. [This biographical information has been redacted for your protection]

Pyr0 is the asshole who oversees the Contests and Events at DEF CON. He's been attending since DEF CON 6 and a goon since DEF CON 7. One of those 3 0 3 peoples and also rolls deep with Security Tribe. Loves good vodka, smart girls, explosives, and big black . . . guns. Has the ability to tell a man to go to hell so that he looks forward to the trip. ALSO:DONGS

Lockheed (@TheLockheed) was the Sr. Goon in charge of the DEF CON Network Operations Group since DEF CON 4. He retired last year - which means he's still involved and has a new role in DEF CON (because you never really retire!). Professionally, Lock has over 25 years of experience in the technology field. He's had jobs ranging from tech writer, mainframe operator, product engineer, product marketing manager, and is currently Sr Director in charge of the Global IT Group for Sony PlayStation Worldwide Studios. He's been in the video game industry for almost 10 years now & already has a PS4 (and thinks it's pretty kick-ass!).

Roamer (@shitroamersays) is the Senior Goon in charge of the Vendor Area. He has been on DEF CON staff since DEF CON 8. He was the founder of the DEF CON WarDriving contest the first 4 years of its existence and has also run the slogan contest in the past. Roamer is one of the guitarists in the Goon Band, Recognize. Although having no actual skills his ability to drink virtually every Goon and attendee under the table has gained him massive prominence in the scene and elevated him to the lofty station you see him in today. When not "working" at DEF CON he is "working" as the Global Information Security Manager and Sr. Enterprise Architect for Sony PlayStation WorldWide Studios.

LosT mucks around with Defcon on occasion. He is the creator of the Hardware Hacking Village, the LosT@Defcon Mystery Challenge, and for the past few years the Defcon badges and badge challenges. Russ says he's the official Defcon Puzzlemaster, but LosT still doesn't believe him. In his other life LosT enjoys playing the bass and linguistics, among other things. He's also been known to study mathematics, electrical engineering and physics in his spare time.


Hacking Management: From Operations to Command

So you've been in IT for a while. You've done well. You like your job. When is it time to move on? We aren't talking about finding another job doing the same work. We are talking about making the decision that it's time to bite the bullet and make the dreaded transition into management. For most IT folks management is a dirty word, but should it be? In this talk a senior IT professional, a hybrid engineer/manager and a senior director will talk about the paths that brought them to their positions and why they have chosen to either stay in hands-on roles or transition into management roles.

Lockheed (@TheLockheed) was the Sr. Goon in charge of the DEF CON Network Operations Group since DEF CON 4. He retired last year - which means he's still involved and has a new role in DEF CON (because you never really retire!). Professionally, Lock has over 25 years of experience in the technology field. He's had jobs ranging from tech writer, mainframe operator, product engineer, product marketing manager, and is currently Sr Director in charge of the Global IT Group for Sony PlayStation Worldwide Studios. He's been in the video game industry for almost 10 years now & already has a PS4 (and thinks it's pretty kick-ass!).

Roamer (@shitroamersays) is the Senior Goon in charge of the Vendor Area. He has been on DEF CON staff since DEF CON 8. He was the founder of the DEF CON WarDriving contest the first 4 years of its existence and has also run the slogan contest in the past. Roamer is one of the guitarists in the Goon Band, Recognize. Although having no actual skills his ability to drink virtually every Goon and attendee under the table has gained him massive prominence in the scene and elevated him to the lofty station you see him in today. When not "working" at DEF CON he is "working" as the Global Information Security Manager and Sr. Enterprise Architect for Sony PlayStation WorldWide Studios.

Naifx is a NOC Goon that has been with the DEF CON outfit for the last 7 CONs. He has been working in Information Technology for a number of years in both the government and private sector. Naifx's ability to take a situation that has almost zero resources and innovate an elegant solution is inspiring. When not "working" at DEF CON he is "working" as a Staff Systems Engineer for Sony PlayStation WorldWide Studios.


The Ninjaneers: Getting started in Building Your Own Robots for World Domination.

So what’s your excuse for not building that robot idea you’ve been kicking around for months? Your excuse is invalid and we’re here to explain why. In this day and age ‘robots’ are in every corner of our lives. So why are you not hacking them? It’s time you take your computer skills and apply them to things that interact with the physical world. We will show you how easy it is to get started building your own robots to do your bidding or at a minimum make cool robot noises and impress the ladies*.

We will cover the various pitfalls we’ve run across building and operating various robots, from advanced underwater gliders and beer delivery carts to CNC routers and 3D printers.

*Success with the ladies not guaranteed.

Beaker is a workshop dwelling, builder of killer robots and domesticated beer delivery devices. He’s spent his working life diddling computers for various organizations from early startups to three letter agencies and is still amazed this produces a paycheck. When he’s not molesting 1’s & 0’s for money he can be found building contraptions of questionable merit.

Flipper is a hardware hacker obsessed with lowering the cost of underwater robots. In his professional life Flipper is employed by an EV manufacturer working to reduce the cost of high efficiency electric vehicles.


Decrypting DEFCON: Foundations Behind Some of the Games Hackers Play

Continuing on his 101 talk from last year (building a foundational knowledge, or at least where to start doing so), LostboY will discuss the crypto, puzzles, and tech that is seen all over Defcon each year. The floors, signs, program, lanyards, badges all have elements of mystery to them each year, and LosT will discuss the foundational knowledge/skills that were requisite in years past. The 4-bit processor that was drawn out on the floors last year will be discussed as a foundation on understanding how a processor works. (Everyone says they know a processor uses binary, but how many actually *know* what that means, or how to build one?) Fundamentals of digital logic design seem like a good next step from last year's talk. LosT will likely wax philosophical at some point as well.

LosT mucks around with DEF CON on occasion. He is the creator of the Hardware Hacking Village, the LosT@Defcon Mystery Challenge, and for the past few years the Defcon badges and badge challenges. Russ says he's the official Defcon Puzzlemaster, but LosT still doesn't believe him. In his other life LosT enjoys playing the bass and linguistics, among other things. He's also been known to study mathematics, electrical engineering and physics in his spare time.


Intro to Web Application Hacking

This talk will cover web application attack basics to get any n00b started on the path of web app pentesting. Specifically we will cover cross site scripting attacks in JavaScript, SQL injections with a MySQL backend, and remote/local file inclusions within PHP. Other people who may join us through the presentation will be Alex Heid, Rod Soto, p33p33, chatters, and a few other special friends of the fish.

Terrence “Tuna” Gareau, Principal Research Scientist for Prolexic Technologies, began his IT security career more than 10 years ago. His experience encompasses enterprise security in addition to distributed denial of service (DDoS) expertise, and he has mitigated some of the Internet’s largest DDoS attacks for both government agencies and private enterprises. Tuna is a leader for architecture, engineering and research teams, creating solutions to protect client networks, establishing security testing policies, network and digital forensics, and serving as the subject matter expert for multiple private and government organizations. His past experience includes work at the Food and Drug Administration (FDA) and Chickasaw Nations Industries. A recognized expert in DDoS attack mitigation, Tuna has shared his knowledge at Defcon, NoVa Hackers, NIH, FDA, and other organizations.


Oil & Gas Infosec 101

Ever wonder what it's like to secure off-shore platforms, field operations, and aging SCADA systems? Take a ride through how Oil & Gas companies operate and what the pitfalls are in trying to fix technology that predates enterprise IT and make them more secure. SCADA, wifi/radio/satellite communication, and corporate IT all come together and it's up to YOU to figure out how to make sense of it all.

Aaron Bayles (@AlxRogan) was born and raised in the Oil and Gas industry, and has worked (off and on) there since 1995. He has gooned since DEF CON 12, and is a professional contest participant (CTF, Wardriving, ScavHunt). In his work experience, he has consulted for energy generating companies, health care providers, US and local government, and education/research institutions. He is currently the Information Security Architect for a mid-size oil and gas company in Houston.


Wireless Penetration Testing 101 & Wireless Contesting

Whether it’s war-driving or doing penetration testing of wireless networks, there are tools, hardware and software, that have stood the test of time.

Some of the biggest difficulties that users encounter are hardware related. This talk will cover the hardware and software that we as experienced wireless pentesters recommend for users just starting out. To provide some hands-on experience with wireless penetration testing, we have developed a number of mini-contests that will be conducted in the Wireless Village. We will provide an overview of these contests, designed to test your wireless skills whether you are new to wireless or an experienced wireless penetration tester.

DaKahuna works with large government agencies criticizing network and security architectures, wreaking havoc on information assurance and information security policies, standards and guidance. By night he enjoys snooping the Ether, be it the amateur radio bands or his neighbors' wireless networks. He is a father of two, 24 year Navy veteran, holder of an amateur radio Extra Class license and a staunch supporter and exerciser of his 2nd Amendment rights.

Rick Mellendick (@rmellendick) is a builder and breaker of RF things, defender of good and evil depending on your perspective, lots of time in the IT security space, and been involved with DefCon wireless as a competitor and visionary since 2002, and his last name is MELLENDICK


Pentesters Toolkit

You've been hired to perform a penetration test, you have one week to prepare. What goes in the bag? What is worth lugging through airport security and what do you leave home? I'll go through my assessment bag and show you what I think is important and not, talk about tools and live CDs, what comes in handy and what I've cut out of my normal pen-test rig.

Anch (@boneheadsanon) is a lead for the Chickasaw Nation Industries Red Team performing penetration tests and accreditations for the public and private sector.

Anch has 10 years' experience in cyber security. He was the Network Security Architect at a major power administration. At Mentor Graphics he spent time as a network engineer providing enterprise networking, firewall and VPN support for a global network comprising 72 connected sites worldwide. He has been involved in or led over 75 penetration tests on over 200 networks.

Anch's background related to control systems is unrivaled in the bulk power generation and transmission areas. During this time he developed unique perspectives on the areas of compliance and regulation in the power industry.

Meet Pentoo, the Longest Running Pen-testing Linux Distro

Pentoo is the longest running Penetration Testing Linux distribution, pre-dating many of today's more popular distributions. We have sacked our non-existent marketing department and now, we're here to show what our experience and stability can do for you. Do you feel you must choose between a functional daily OS and a specialized pen-testing distro? Do you struggle to balance cutting edge tools and rock solid stability? Have other pen testing distributions left you between a rock and a hard place, with a new install as the only upgrade path? Come discover the hardened, cutting edge, rock solid Linux distro of your daily use dreams. No compiling required.

ZeroChaos (@pentoo_linux) is the current lead developer for Pentoo Linux and a developer for Gentoo Linux as well as a general free and open source software zealot. When not developing for Pentoo Linux he is developing for Gentoo Linux, and in his spare time from that he enjoys developing for Pentoo Linux.

Business logic flaws in mobile operators services

GSM has been attacked in many different ways in the past years. But regardless of the protocol issues, there are also flaws in the logic of the mobile operators’ services. One may think that finding an issue which affects only one specific operator in some country couldn't affect other operators. However, this is not the case as most of the operators are using the same equipment and have the same implementation of their services in all of the countries as the operator's group prefers to have a uniform service.

This presentation examines different implementation flaws of mobile services which allow you to perform things like accessing someone else's online account, getting free Internet on your mobile device even when roaming, and placing free mobile phone calls.

Bogdan Alecu (@msecnet) works as a System Administrator for an IT services company and, during his free time, he is an Independent Security Researcher. He received his BSc in Business Information Systems from the "Alexandru Ioan Cuza" University of Iasi. Bogdan has researched mobile security for many years, starting with Voice over IP and continuing with GSM. One of his research findings in GSM security could allow a potential attacker to perform a remote SMS attack which can force mobile phones to send premium-rate text messages. Bogdan is also a frequent speaker at security conferences like DeepSec, EUSecWest, and DefCamp. For more details about him check

Fear the Evil FOCA: IPv6 attacks in Internet connections

Windows boxes are running IPv6 by default, so LANs are too. The Internet is not yet ready for IPv6 worldwide, but... you can connect internal IPv6 networks to external IPv4 web sites with a few packets. In this session you will see how, using the new Evil FOCA tool, created to perform IPv6 network attacks, it is possible to hack Internet IPv4 connections by creating a man in the middle in IPv6 networks. And yes, it is a single point-and-click tool that does it all for you. Evil FOCA does man in the middle IPv4, man in the middle IPv6, man in the middle IPv4-IPv6, SSL strip, collects passwords, session cookies, and many more tricks. You will love this new Evil FOCA.

Chema Alonso (@chemaalonso) is a Security researcher with Eleven Paths, a Telefonica Digital company. Chema holds a PhD in Computer Security on top of Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politecnica de Madrid. During his more than 12 years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events and has been invited to present at information security conferences worldwide including Black Hat Briefings, Defcon, ShmooCON, DeepSec, HackCON, Ekoparty and RootedCon. He is a frequent contributor to several technical magazines in Spain, where he is involved with state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA tools.

Suicide Risk Assessment and Intervention Tactics

Suicide is the 10th leading cause of death in the United States, yet it persists as one of the few remaining taboo topics in modern society. Many characteristics linked to elevated suicide risk are prevalent in the technical community, and the effects of suicide within any community extend far beyond those directly involved. Prevention and intervention, however, are not a mystery. This workshop presents evidence based practices to assess suicide risk in others, and an introduction to the step-by-step practice of crisis intervention.

Rather than presenting a "depressing discussion of depression," attendees will learn the same threat modeling and crisis response best practices taught to first responders and mental health professionals, in a condensed format that answers many common questions people may be afraid to ask. Special attention will be paid to risk as it affects our particular community, and an overview of crisis network technical implementations / limitations (effects of digital anonymity & ethical concerns, etc.) will be presented.

Much like simple CPR training equips everyday people with the knowledge and confidence to help a heart attack victim that is likely a stranger, widespread dissemination of crisis intervention training aims to equip everyday people to prevent a suicide - most often, of a friend.

Amber Baldet (@AmberBaldet) performs product development and systems analysis at a top tier investment bank. Her work involves interesting capital markets applications and mundane infosec policy implementation, neither of which can she talk about. She enjoys teaching kids how to build blinky flashy things and presenting the “Digital Privacy and the Ethics of Development” portion of the Girls Who Code curriculum. As part of her volunteer work, Amber was certified as an Online Counseling and Suicide Intervention Specialist by the QPR Institute in 2011.

Combatting Mac OSX/iOS Malware with Data Visualization

Apple has successfully pushed both its mobile and desktop platforms into our homes, schools and work environments. With such a dominant push of its products into our everyday lives, it comes as no surprise that both of Apple's operating systems, OSX and iOS, should fall under attack by malware developers and network intruders. Numerous organizations and enterprises who have implemented BYOD (bring your own device) company policies have seemingly neglected the security effort involved in protecting the network infrastructure from these potential insider threats. The complexity of analyzing Mach-O (Mach object file format) binaries and the rising prevalence of Mac-specific malware have created a real need for a new type of tool to assist in the analytic efforts required to rapidly identify malicious content. In this paper we will introduce Mach-O Viz, a Mach-O Interactive Data Visualization tool that lends itself to the role of aiding security engineers in quickly and efficiently identifying potentially malicious Mach-O files on the network, desktop and mobile devices of connected users.

Remy Baumgarten (@anrctraining) is a security developer and researcher for ANRC, a fast growing market leader in computer security training and consulting. He is highly skilled in reverse engineering and malware analysis on various platforms including Windows, OSX, Linux and iOS. He is also a low level programmer on various platforms. Before joining ANRC Mr. Baumgarten was a Technical Lead on the Malware Team and the mobile expert on iOS at Booz Allen Hamilton. In his spare time he enjoys delving into various architectures such as AVR, ARM and x86_64.

MITM All The IPv6 Things

Back in 2011, Alec Waters demonstrated how to overlay a malicious IPv6 network on top of an IPv4-only network, so that an attacker can carry out man-in-the-middle attacks on IPv4 traffic and subvert the assumed end to end security model. This attack is potentially powerful but involves a complex series of manual system configuration and setup activities, including the use of experimental and since-deprecated techniques. In addition, technology updates rendered Waters' implementation of the attack ineffective on certain platforms, such as Windows 8.

We reviewed the attack and tried it against current operating systems. We found configuration updates were needed to make it work against Windows 8 hosts and have packaged our setup into a script called "Sudden Six" to make launching the attack quick and painless. This attack now works against a variety of different platforms and operating systems, which will allow you to man-in-the-middle IPv6 traffic in record time.

This talk will discuss how the attack works as well as discuss our automation strategy and some pitfalls we uncovered. The "Sudden Six" configuration utility will be released and a demonstration of the attack against Windows 8 will be provided.

Scott Behrens (@HelloArbit) is currently employed as a senior security consultant at Neohapsis and an adjunct professor at DePaul University. An avid coder and researcher, he has contributed to a number of open source tools for both attack and defense. Scott Behrens is the co-developer of NeoPI, a framework to aid in the detection of obfuscated malware. Scott also co-developed BBQSQL, a rapid blind SQL injection exploitation framework. Scott has presented security research at DEF CON, DerbyCon, Security Forum Hagenberg, Security B-sides Chicago, and ISACA Milwaukee. Scott has also published security white papers for InformationWeek magazine, the Infosec Institute, and the Neohapsis blog.

Brent Bandelgar is an Associate Security Consultant at Neohapsis, focused on delivering network penetration testing, application security assessments, and security architecture. Prior to Neohapsis, Brent was a member of the Apple Consultants Network delivering managed IT services and custom solutions centered on the Apple Mac OS X and iOS platforms.  Brent has extensive background in developing and supporting Web applications in PHP as well as tools in Bash and Python.  Brent Bandelgar holds a Master's of Science in Network Security from DePaul University as well as the Apple Certified System Administrator and Mobile Technical Competency certifications from Apple, Inc.

PowerPwning: Post-Exploiting By Overpowering PowerShell

PowerShell is a scripting language included with all modern Windows operating systems, which, among other features, provides access to the Win32 API and the capability to run scripts on remote servers without writing to disk. PowerShell scripts bypass application white listing, application-signing requirements, and generally bypass anti-virus as well.

While all of these characteristics are very desirable to a penetration tester, rewriting penetration test tools in PowerShell would be time consuming. Instead, I will show how to combine PowerShell and assembly to reflectively load existing EXE’s and DLL’s without writing to disk, triggering anti-virus, or triggering application whitelisting. I’ll finish with several demonstrations of the Invoke-ReflectivePEInjection script in action.

Joe Bialek (@JosephBialek) is currently a Security Engineer on the Office 365 Red Team at Microsoft where he does security research, red teaming, penetration testing, tool development, and code review. Joe was a contributor to Microsoft's Pass the Hash guidance paper, and has been a contributor to other large security efforts within the company. Prior to his role at Microsoft, Joe graduated from Western Washington University with a Bachelor's degree in Computer Science.

Transcending Cloud Limitations by Obtaining Inner Piece

With the abundance of cloud storage providers competing for your data, some have taken to offering services in addition to free storage. This presentation demonstrates the ability to gain unlimited cloud storage by abusing an overlooked feature of some of these services.

Zak Blacher is currently pursuing a Masters of Mathematics in Computer Science, and expects to be graduating at the end of August. He has previously completed a Bachelors of Computer Science, and a Masters of Science in Computer Science, having worked with the FIVES research group. He has held internships on the platform team at Sandvine Inc, and digital security team at Compuware Corp.

Social Media: IRC: chalk on #wolf @ espernet

Made Open: Hacking Capitalism

The game is Capitalism. The rule makers are the banks, corporations and governments. This presentation is about playing a game that is rigged by the rule makers, and winning in such fashion that the game is never the same. If you like breaking things and building them back up, or are a person, please at least watch this at a later time. I forgive you for not attending, but you will not forgive yourself for missing it.

Todd Bonnewell is a person with a message. Nothing Todd has done or said in his professional past is more important than the message. Todd works for the people at

Data Evaporation from SSDs

Files on magnetic hard drives remain on the drive even after they are deleted, so they can be recovered later with forensic tools. Sometimes SSDs work the same way, but under other conditions they erase this latent data in a "garbage collection" process. Understanding when and how this happens is important to forensic investigators and people who handle confidential data.

I'll explain the purpose of garbage collection, and how it is affected by the operating system, SSD model, BIOS settings, TRIM, and drive format. I'll demonstrate SSD data evaporation on a MacBook Air and a Windows system, using my "evap" tool (available for everyone to use) that makes it easy to test SSDs for data evaporation.

Sam Bowne (@sambowne) has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEF CON, BayThreat, LayerOne, Toorcon, and lightning talks at HOPE on Ethical Hacking, and taught classes and seminars at many other schools and teaching conferences. He has a PhD and a lot of industry certifications, but still no CISSP.

Evil DoS Attacks and Strong Defenses

On the attack side, this talk will explain and demonstrate attacks which crash Mac OS X, Windows 8, Windows Server 2012, and Web servers; causing a BSOD or complete system freeze.  The Mac and Windows systems fall to the new IPv6 Router Advertisement flood in thc-ipv6-2.1, but only after creating a vulnerable state with some "priming" router advertisements.  Servers fail from Sockstress--a brutal TCP attack which was invented in 2008, but still remains effective today.

On the defense side: the inside story of the DDoS that almost Broke the Internet.

In March 2013, attackers launched an attack against Spamhaus that topped 300Gbps. Spamhaus gave us permission to talk about the details of the attack. While CloudFlare was able to fend off the attack, it exposed some vulnerabilities in the Internet's infrastructure that attackers will inevitably exploit. If an Internet-crippling attack happens, this is what it will look like. And here's what the network needs to do in order to protect itself.

Sam Bowne (@sambowne) has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, BayThreat, LayerOne, Toorcon, and lightning talks at HOPE on Ethical Hacking, and taught classes and seminars at many other schools and teaching conferences. He has a PhD and a lot of industry certs, but still no CISSP.

Matthew Prince (@eastdakota) is the co-founder & CEO of CloudFlare, the web performance and security company.

Matthew wrote his first computer program at age 7 when his mom would sneak him in to university computer science courses. After attending law school, he worked as an attorney for one day before jumping at the opportunity to be a founding member of a tech startup. He hasn't looked back. CloudFlare is Matthew's third entrepreneurial venture. CloudFlare was named a 2012 Technology Pioneer by the World Economic Forum and selected by the Wall Street Journal as the Most Innovative Internet Technology company for the last two years running. Today, CloudFlare accelerates and protects more than 120 billion page views for over a million customers and more than 1.5 billion web visitors every month.

Matthew holds a degree in English and Computer Science from Trinity College. He graduated with highest honors from the Harvard Business School where he was a George F. Baker Scholar and was awarded the Dubliner Prize for Entrepreneurship. He earned a JD from the University of Chicago and is a member of the Illinois Bar. He teaches technology law as an adjunct professor at the John Marshall Law School where he serves on the Board of Advisors for the Center for Information Technology and Privacy Law. He is also the co-creator of Project Honey Pot, the largest community of webmasters tracking online fraud and abuse. On the side, Matthew is a certified ski instructor, a former mountain guide, and a regular attendee of the Sundance Film Festival.

RFID Hacking: Live Free or RFID Hard

Have you ever attended an RFID hacking presentation and walked away with more questions than answers? This talk will finally provide practical guidance on how RFID proximity badge systems work. We'll cover what you'll need to build out your own RFID physical penetration toolkit, and how to easily use an Arduino microcontroller to weaponize commercial RFID badge readers — turning them into custom, long-range RFID hacking tools.

This presentation will NOT weigh you down with theoretical details, discussions of radio frequencies and modulation schemes, or talk of inductive coupling. It WILL serve as a practical guide for penetration testers to understand the attack tools and techniques available to them for stealing and using RFID proximity badge information to gain unauthorized access to buildings and other secure areas. Schematics and Arduino code will be released, and 100 lucky audience members will receive a custom PCB they can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use (such as badge cloning). This solution will allow you to read cards from up to 3 feet away, a significant improvement over the few centimeter range of common RFID hacking tools.

Some of the topics we will explore are:

  • Overview of best RFID hacking tools available to get for your toolkit
  • Stealing RFID proximity badge info from unsuspecting passers-by
  • Replaying RFID badge info and creating fake cloned cards
  • Brute-forcing higher privileged badge numbers to gain data center access
  • Attacking badge readers and controllers directly
  • Planting PwnPlugs, Raspberry Pis, and similar devices as physical backdoors to maintain internal network access
  • Creating custom RFID hacking tools using the Arduino
  • Defending yourself from RFID hacking threats

This DEMO-rich presentation will benefit both newcomers and seasoned professionals of the physical penetration testing field.

Francis Brown (@security_snacks) CISA, CISSP, MCSE, is a Managing Partner at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments. Before joining Bishop Fox, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients.

Francis has presented his research at leading conferences such as Black Hat USA, DEF CON, RSA, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications.

Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation, C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques.

OTP, It won't save you from free rides!

RFID technologies are becoming more and more prevalent in our lives. This motivated us to study them, and in particular to study the MIFARE ULTRALIGHT chips, which are widely used in public/mass transport systems. We focused on multiple-ride tickets, and were surprised that MIFARE ULTRALIGHT chips do not seem to use any type of encryption. We were excited at the idea of simply cloning a new, unused ticket onto older ones to "refill" them. Our excitement was cut short by a security feature called OTP. OTP, in the context of MIFARE chips, is a sector of the data that can be edited (initialized) only one time. In this way, the ticket can store how many rides you still have, and this value cannot be changed back.

After much tinkering, we were able to completely bypass this security feature, by (ab)using a separate security feature, the so-called "lockbyte sector". Join us in this session to learn how we found out how to use security features of the chip against each other, and obtain endless free rides with a 5-ride ticket.

bughardy (@_bughardy_) ended his high school studies in Italy in 2013 and has been admitted to Politecnico of Torino (Turin) in Telecommunication Engineering. His interests are Network Security and Hacking. He loves WiFi networks and wireless connectivity. Bughardy is currently working with Eagle1753 on a WiFi security book. In dark nights, he dreams of one day being a pentester.

Eagle1753 (@Eagle1753) is a student at Politecnico of Torino (Turin). Eagle1753 is currently working together with bughardy on a WiFi security book, and is interested in wireless networks of any kind. He likes to study how things work, is very fond of Physics, in particular he loves electricity and sparks. He started programming databases, and one day hopes to become a developer in Robotics. According to his opinion, everyday life is a challenge and we all need challenges in order to go further in life.

Open Public Sensors, Trend Monitoring and Data Fusion

Our world is instrumented with countless sensors. While many are outside of our direct control, there is an incredible amount of publicly available information being generated and gathered all the time. While much of this data goes by unnoticed or ignored, it contains fascinating insight into the behavior and trends that we see throughout society. The trick is being able to identify and isolate the useful patterns in this data and separate them from all the noise.

Previously, we looked at using sites such as Craigslist to provide a wealth of wonderfully categorized information and then used that to answer questions such as "What job categories are trending upward?", "What cities show the most (or the least) promise for technology careers?", and "What relationship is there between the number of bikes for sale and the number of prostitution ads?" After achieving initial success looking at a single source of data, the challenge becomes to generate more meaningful results by combining separate data sources that each views the world in a different way. Now we look across multiple, disparate sources of such data and attempt to build models based on the trends and relationships found therein.

The initial inspiration for this work was a fantastic talk at DC13, "Meme Mining for Fun and Profit". It also builds upon a similar talk I presented at DC18, and once again seeks to inspire others to explore the exploitation of such publicly available sensor systems.

Daniel Burroughs first became interested in computer security shortly after getting a 300 baud modem to connect his C64 to the outside world. After getting kicked off his favorite BBS for "accidentally" breaking into it, he decided that he needed to get smarter about such things. Since that time he has moved on to bigger and (somewhat) better things. These have included work in virtual reality systems at the Institute for Simulation and Training at the University of Central Florida, high speed hardware motion control software for laser engraving systems, parallel and distributed simulation research at Dartmouth College, distributed intrusion detection and analysis at the Institute for Security Technology Studies, and the development of a state-wide data sharing system for law enforcement agencies in Florida. Daniel was an associate professor of engineering at the University of Central Florida for 10 years prior to his current position as the Associate Technology Director for the Center for Law Enforcement Technology, Training, & Research. He also is a co-founder of Hoverfly Technologies, an aerial robotics company, and serves on the board of directors for Familab – a hackerspace located in Orlando. He is also the proud owner of two DefCon leather jackets won at Hacker Jeopardy at DEF CON 8 & 9 (as well as a few hangovers from trying to win more).

Conducting massive attacks with open source distributed computing

Distributed computing is sexy. Don't believe us? In this talk we'll show you, on a deep, practical level and with lots of (mostly Python) code, how a highly automated and effective computer network attack could be crafted and enhanced with the help of distributed computing over 'Big Data' technologies. Our goal is to demystify the concept of using distributed computing for network attacks over an open source distributed computing cluster (Hadoop). By the end of this highly demo-focused talk you'll have an understanding of how an attacker could use three of our open source custom-written distributed computing attack tools, or easily build their own, to do whatever it is that they're into (we don't judge).

Alejandro Caceres (@DotSlashPunk) is a software developer, web application penetration tester, and security researcher. His main interest is in the nexus between distributed computing and network/application attacks. He is the founder of the PunkSPIDER project, presented at ShmooCon 2013, which is an open source project to fuzz the entire Internet’s web applications using a Hadoop cluster. He’s also the owner of Hyperion Gray, a software development company focused on open source projects in the area of distributed computing as it relates to security. He didn’t know how to work in shamelessly mentioning the DARPA Cyber Fast Track research project he is also working on (Web 3.0, also being presented at DEF CON 21), so he just wrote it in at the end of the bio. He is very classy.

Offensive Forensics: CSI for the Bad Guy

As a pentester, when was the last time you 'recovered' deleted files from the MFT of a pwned box? Ever used an index.dat parser for identifying your next target? Do you download browser remnants of your victims to gather their saved form data?

Despite the sensitive information uncovered through forensic techniques, the usage of such concepts has primarily been limited to investigations and incident response. In this talk, we will cover the basics of "Offensive Forensics", what information to look for, how to find it, and the use of old tools in a new way. After looking at the post-exploitation potential, we'll dive into real-world examples and release the first ever "Vulnerable [Forensics] by Design" machine!

Benjamin Caudill (@RhinoSecurity) is a principal consultant for Rhino Security Labs, an IS consulting and managed security firm. Prior to his years in consulting, Ben worked as a penetration tester and incident responder in the aerospace and finance industries.

When not hacking all the things, he enjoys long wardrives on the beach and drinking too much (not necessarily in that order).

Utilizing Popular Websites for Malicious Purposes Using RDI

Reflected DOM Injection is a new attack vector that will be unveiled for the first time in our talk! We will explain the technique and show a live demo where we use it to hide malicious code within popular and trusted websites.

Daniel Chechik is a veteran security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product. Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products. Daniel, among other things, has spoken at the RSA conference, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Anat (Fox) Davidi is a security researcher at Trustwave's SpiderLabs. Her role includes vulnerability analysis, malware analysis and developing detection logic for the Secure Web Gateway product. Prior to that, Anat worked as a security consultant providing security reviews and penetration tests for organizations in various business sectors, ranging from banks and insurance companies to hi-tech corporations. Amongst other things, Anat has spoken at the RSA conference.

Abusing NoSQL Databases

The days of selecting from a few SQL database options for an application are over. There is now a plethora of NoSQL database options to choose from: some are better than others for certain jobs. There are good reasons why developers are choosing them over traditional SQL databases, including performance, scalability, and ease-of-use. Unfortunately, as with many hot technologies, security is largely an afterthought in NoSQL databases. This short but concise presentation will illustrate how poor the quality of security in many NoSQL database systems is. This presentation will not be confined to one particular NoSQL database system. Two sets of security issues will be discussed: those that affect all NoSQL database systems such as defaults, authentication, encryption; and those that affect specific NoSQL database systems such as MongoDB and CouchDB. The ideas that we now have a complicated heterogeneous problem and that defense-in-depth is even more necessary will be stressed. There is a common misconception that SQL injection attacks are eliminated by using a NoSQL database system. While specifically SQL injection is largely eliminated, injection attack vectors have increased thanks to JavaScript and the flexibility of NoSQL databases. This presentation will present and demo new classes of injection attacks. Attendees should be familiar with JavaScript and JSON.

Ming Chow (@tufts_cs_mchow) is a Lecturer at the Tufts University Department of Computer Science. His areas of work are in web and mobile engineering and web security. He teaches courses largely in the undergraduate curriculum including the second course in the major sequence, Web Programming, Music Apps on the iPad, and Introduction to Computer Security. He was also a web application developer for ten years at Harvard University. Ming has spoken at numerous organizations and conferences including the High Technology Crime Investigation Association - New England Chapter (HTCIA-NE), the Massachusetts Office of the Attorney General (AGO), John Hancock, OWASP, InfoSec World (2011 and 2012), DEF CON 19 (2011), the Design Automation Conference (2011), Intel, and the SOURCE Conference (Boston 2013). Ming's projects in information security include building numerous CTF challenges, Internet investigations, HTML5 and JavaScript security, and Android forensics.


Legal Aspects of Full Spectrum Computer Network (Active) Defense

Full spectrum computer network (active) defense means more than simply "hacking back". We've seen a lot of this issue lately. Orin Kerr and Stewart Baker had a lengthy debate about it online. New companies with some high visibility players claim they are providing "active defense" services to their clients. But all-in-all, what does this really mean? And why is it that when you go to your attorneys, they say a flat out, "No"?

This presentation examines the entire legal regime surrounding full spectrum computer network (active) defense. It delves into those areas that are easily legal and looks at the controversial issues surrounding others. As such we will discuss technology and sensors (ECPA and the service provider exception); information control and management (DRM); and "active defense" focusing on honeypots, beacons, deception (say hello to my little friend the Securities and Exchange Commission); open source business intelligence gathering (CFAA, economic espionage; theft of trade secrets); trace back and retrieval of stolen data (CFAA).

Past presentations have shown much of what is taken away is audience driven in response to their questions and the subsequent discussion. And, as always, I try to impress upon computer security professionals the importance of working closely with their legal counsel early and often, and of course "Clark's Law" - explain the technical aspects of computer security to your attorneys at a third grade level so they can understand it and then turn around and explain it to a judge or jury at a first grade level.

Robert Clark has enjoyed working numerous federal legal jobs for the past two decades. He is the former Cybersecurity Information Oversight & Compliance Officer for the Assistant Secretary of Cybersecurity and Communications, Department of Homeland Security and former legal advisor to the Navy CIO; United States Computer Emergency Readiness Team; and, the Army's Computer Emergency Response Team. In these positions he has provided advice on all aspects of computer network operations. He interacts regularly with many government agencies and is a past lecturer at Black Hat; DEF CON; Stanford Center for Internet and Society and the Berkman Center for Internet & Society at Harvard University -Four TED-TECH Talks 2011; SOURCE Boston 2010; the iapp; and, the DoD's Cybercrimes Conference. He is thrilled to be returning to DEF CON this year.


Blucat: Netcat For Bluetooth

TCP/IP has tools such as nmap and netcat to explore devices and create socket connections. Bluetooth has sockets but doesn't have the same tools. Blucat fills this need for the Bluetooth realm. Blucat can be thought of as a:

  1. debugging tool for bluetooth applications
  2. device exploration tool
  3. a component in building other applications

Blucat is designed to run on many different platforms (including Raspberry Pi) by abstracting core logic from native code using the Bluecove library to interact with a variety of Bluetooth stacks. This talk will go over the objectives, designs, and current results of the project. More information is at .

Joseph Paul Cohen is a Ph.D. student at the University of Massachusetts Boston. He has worked for large finance, IT consulting, and startup software companies. He now focuses on computer science research in areas of machine learning and cyber security education.


Home Invasion 2.0 - Attacking Network-Controlled Consumer Devices

A growing trend in electronics is to have them integrate with your home network in order to provide potentially useful features like automatic updates or to extend the usefulness of existing technologies such as door locks you can open and close from anywhere in the world. What this means for us as security professionals or even just as people living in a world of network-connected devices is that being compromised poses greater risk than before.

Once upon a time, a compromise only meant your data was out of your control. Today, it can enable control over the physical world resulting in discomfort, covert audio/video surveillance, physical access or even personal harm. If your door lock or space heater are compromised, you're going to have a very bad day. This talk will discuss the potential risks posed by network-attached devices and even demonstrate new attacks against products on the market today.

Daniel (@dan_crowley) (aka "unicornFurnace") is a Managing Consultant for Trustwave's SpiderLabs team. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel enjoys climbing large rocks. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie.

Jennifer (@savagejen) is a software engineer that cares about secure development. In her professional life, she has been tackling some of the harder questions surrounding security and privacy in the mobile payments industry. In her spare time, she has been hacking home electronics.

David has more than 10 years of computer security experience, including pentesting, consulting, engineering, and administration. As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. In his spare time he runs the local DEFCON group, DC612, is the president of The Hack Factory, and helps to run Thotcon as an OPER.


Stepping P3wns: Adventures in full spectrum embedded exploitation (and defense!)

Our presentation focuses on two live demonstrations of exploitation and defense of a wide array of ubiquitous networked embedded devices like printers, phones and routers.

The first demonstration will feature a proof-of-concept embedded worm capable of stealthy, autonomous polyspecies propagation. This PoC worm will feature at least one 0-day vulnerability on Cisco IP phones as well as several embedded device vulnerabilities previously disclosed by the authors. We will demonstrate how an attacker can gain stealthy and persistent access to the victim network via multiple remote initial attack vectors against routers and printers. Once inside, we will show how the attacker can use other embedded devices as stepping stones to compromise significant portions of the victim network without ever needing to compromise the general purpose computers residing on the network. Our PoC worm is capable of network reconnaissance, manual full-mesh propagation between IP phones, network printers and common networking equipment. Finally, we will demonstrate fully autonomous reconnaissance and exploitation of all embedded devices on the demo network.

The second demonstration showcases host-based embedded defense techniques, called Symbiotes, developed by the authors at Columbia University under support from DARPA's Cyber Fast Track and CRASH programs, as well as IARPA's STONESOUP and DHS's S&T Research programs.

The Symbiote is an OS and vendor agnostic host-based defense designed specifically for proprietary embedded systems. We will demonstrate the automated injection of Software Symbiotes into each vulnerable embedded device presented during the first demonstration. We then repeat all attack scenarios presented in the first demo against Symbiote defended devices to demonstrate real-time detection, alerting and mitigation of all malicious embedded implants used by our PoC worm. Lastly, we demonstrate the scalability and integration of Symbiote detection and alerting mechanisms into existing enterprise endpoint protection systems like Symantec End Point.

Ang Cui is a fifth year Ph.D. candidate at Columbia University and Chief Scientist at Red Balloon Security. He has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, Ang has also uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Ang is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received numerous awards on his research and is the recipient of the Symantec Graduate Fellowship.

Michael Costello is a Research Staff Associate at Columbia University and Scientist at Red Balloon Security. He was a network engineer at various ISPs and other organizations prior to his current work in offensive and defensive research and development of embedded systems.


Do-It-Yourself Cellular IDS

For less than $500, you can build your own cellular intrusion detection system to detect malicious activity through your own local femtocell. Our team will show how we leveraged root access on a femtocell, reverse engineered the activation process, and turned it into a proof-of-concept cellular network intrusion monitoring system.

We leveraged commercial Home Node-Bs ("femtocells") to create a 3G cellular network sniffer without needing to reimplement the UMTS or CDMA2000 protocol stacks. Inside a Faraday cage, we connected smartphones to modified femtocells running Linux distributions and redirected traffic to a Snort instance. Then we captured traffic from infected phones and showed how Snort was able to detect and alert upon malicious traffic. We also wrote our own CDMA protocol dissector in order to better analyze CDMA traffic.

The goal of this project was to develop a low-cost proof-of-concept method for capturing and analyzing cellular traffic using locally-deployed femtocells, which any security professional can build.

Sherri Davidoff (@sherridavidoff) is a principal and Senior Security Consultant at LMG Security. She has over a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing and web application assessments. Sherri is the co-author of "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012). She is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from

Scott Fretheim is an expert penetration tester and risk assessment consultant. His clients include Fortune 500 companies, financial institutions, insurance companies, health care organizations, and more. He is a GIAC Certified Web Application Penetration Tester (GWAPT) and is trained in smart grid and SCADA security. He is a founding member of the Montana HTCIA, and holds his B.S. in Management of Information Systems. Scott is an instructor at Black Hat.

David Harrison specializes in digital and mobile device forensics as well as information security research. He is a principal author of the DEFCON 2012 Network Forensics Contest. David holds an A.S. in Computer Science from FVCC and is pursuing a B.S. in Software Design from Western Governors University.

Randi Price is a security consultant at LMG Security. She specializes in policy and procedure review and development, including ISO 27001 assessments and HIPAA risk analyses. Randi provides security management consulting for large enterprises such as financial and health care organizations. She is a certified digital forensic examiner and holds her GIAC forensic certification (GCFE). Randi holds two BS degrees in Management of Information Systems and Accounting from the University of Montana.


Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions

Embedded systems are everywhere, from TVs to aircraft, printers to weapon control systems. As a security researcher, when you are faced with one of these 'black boxes' to test, sometimes in situ, it is difficult to know where to start. However, if there is a USB port on the device there is useful information that can be gained. This talk is about using techniques to analyze USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed and devices supported. The talk will also cover some of the more significant challenges faced by researchers attempting to exploit USB vulnerabilities using a Windows 8 USB bug recently discovered by the presenter (MS13-027) as an example.

Andy Davis is Research Director at NCC Group. He has worked in the Information Security industry for over 20 years, performing a range of security functions throughout his career. Prior to joining NCC Group, Andy held the positions of Head of Security Research at KPMG, UK and Chief Research Officer at IRM Plc. Before working in the private sector he worked for ten years performing various roles in Government. Recently, Andy has been leading security research projects into technologies such as embedded systems and hardware interface technologies and developing new techniques for software vulnerability discovery. Andy regularly presents at conferences such as: Black Hat, CanSecWest, Infiltrate and EUSecWest.


How to Disclose or Sell an Exploit Without Getting in Trouble

You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This 20-minute session will cover the legal risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of being on the wrong end of civil and criminal legal action as a result of a publication or sale.

James Denaro (@CipherLaw) is the founder of CipherLaw, a Washington, D.C.-based consultancy, and focuses his practice on the legal, technical, and ethical issues faced by innovators in information security. Jim is a frequent speaker and writer on the subject of intellectual property issues in information security and has experience in a wide range of technologies, including intrusion detection and prevention, botnet investigation, malware discovery and remediation, and cryptography.

Jim has completed professional coursework at MIT and Stanford in computer security and cryptography. He also holds technical certifications from the Cloud Security Alliance (CCSK) and Cisco Systems (CCENT), and has passed the CISSP examination (pending certification). Before becoming an attorney, Jim spent obscene amounts of time looking at PPC assembly in MacsBug.

Jim is a registered patent attorney and is admitted to practice in the District of Columbia, California, Maryland, and Virginia. Jim has undergraduate degrees in computer engineering and philosophy and is currently pursuing graduate legal studies in national security at Georgetown. Jim was formerly with the international law firms of Morrison & Foerster and Perkins Coie before founding CipherLaw.


I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell

I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box... for free.

This box is a femtocell, a low-power cellular base station given or sold to subscribers by mobile network operators. It works just like a small cell tower, using a home Internet connection to interface with the provider network. When in range, a mobile phone will connect to a femtocell as if it were a standard cell tower and send all its traffic through it without any indication to the user.

The state-of-the-art authentication protecting cell phone networks can be an imposing target. However, with the rising popularity of femtocells there is more than one way to attack a cellular network. Inside, they run Linux, and they can be hacked.

During this talk, we will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data, active network attacks and explain how we were able to clone a mobile device without physical access.

Doug DePerry (@dugdep) is a Senior Security Consultant at iSEC Partners in New York City. In addition to his day-to-day consultant duties, Doug is also responsible for helping manage employee/new hire training as well as the summer intern program. At iSEC Doug has recently taken a deeper interest in iOS and crypto assessments as well as architecture reviews and embedded systems. He has also written a whitepaper on HTML5 titled 'HTML5 Security: The Modern Web Browser Perspective'. Prior to joining iSEC, Doug worked for various defense contractors and the US Army.

Tom Ritter (@TomRitterVG) is a Senior Security Consultant at iSEC Partners, a frequenter of @nysecsec, and has far more ideas than time. He is interested in nearly all aspects of cryptography, privacy, anonymity, and pseudonymity; security; and traveling. He is located corporeally in New York City, virtually at, and metaphysically has been lost for quite some time.



Abstract Coming Soon.

Ambassador Joseph DeTrani was named President of the Intelligence and National Security Alliance (INSA) on February 5, 2013. As President, he will lead INSA as its Chief Executive Officer on a day-to-day basis.

Ambassador DeTrani has dedicated his professional career to public service with more than three decades of work for the U.S. government. Most recently, he served as the Senior Advisor to the Director of National Intelligence (DNI), and before that he served as the Director of the National Counter Proliferation Center (NCPC) and the National Intelligence Manager for Counter proliferation (CP). Ambassador DeTrani also served as the North Korea Mission Manager for the ODNI.

Prior to his work at the ODNI, Ambassador DeTrani served at the Department of State as the Special Envoy for the Six-Party Talks with North Korea, with the rank of Ambassador, and as the U.S. Representative to the Korea Energy Development Organization.

Before his service at the State Department, Ambassador DeTrani served at the Central Intelligence Agency (CIA) as Director for East Asia, Director for Europe, Director of Technical Services, Director of Public Affairs, Director of the Crime and Narcotics Center, and Executive Assistant to the Director of Central Intelligence.

Some of the awards Ambassador DeTrani received include: the Distinguished Career Intelligence Medal, the Distinguished Intelligence Medal, the National Intelligence Distinguished Service Medal, the Donovan Award and the Commandant’s Award. Ambassador DeTrani speaks Chinese and French, and received his bachelor’s degree from New York University (NYU) and attended the NYU School of Law and Graduate School of Business Administration.


Privacy In DSRC Connected Vehicles

To date, remote vehicle communications such as OnStar have provided little in the way of privacy. The planned DSRC system will become the first large-scale nationwide direct public participation network outside of the internet. Much information and misinformation has been spread on what the upcoming DSRC system is and can do, especially in the information security community. The recent field trial in the US of a connected vehicle infrastructure raises the level of concern amongst all who are aware of existing privacy issues.

In this talk I will examine the current system high level design for North American vehicles, as set by international standards and used in a recent road test in Ann Arbor, Michigan, USA. I will consider privacy concerns for each portion of the system, identifying how they may be addressed by current approaches or otherwise considered solutions. I conclude with a discussion of the strategic value in engaging the privacy community during development efforts and the potential community role in raising privacy as a competitive advantage.

Christie Dudley (@longobord) started her career with a BSEE with an emphasis in digital communications from the University of Kansas. A 15-year enterprise network engineer career, largely in finance and manufacturing, followed. Starting with a study in anthropology she decided to change fields, eventually pursuing an old interest in communications security and privacy and a brief internship in hardware security. Seeking to combine her interests in technology and society she began pursuing the field from a new perspective, enrolling as a JD candidate at Santa Clara Law. She now consults on privacy issues related to communications technology while completing her law degree. She has also cofounded Fork the Law, an effort to bridge the gap between technologists and legislation.


Pwn'ing You(r) Cyber Offenders

It is commonly believed that Offensive Defense is just a theory that is difficult to be used effectively in practice, but that is not entirely true...

During my talk, along with a new service emulation technique that will render standard port scanner results nearly useless and leave your attackers with an arduous analysis, I will focus on practical (automated) exploitation of a hacker's offensive toolbox. A few interesting attack vectors against software taken from the Internet will be presented.

It turns out you can get pwn'ed even through your Nmap scripts if you are not careful enough.

Piotr Duszynski (@drk1wi) is a Senior Security Consultant at Trustwave SpiderLabs. With more than 6 years of official experience in the security field, his main interests were always around breaking stuff and finding its true purpose. Currently he is mostly focused on web application security and security research. Apart from that he enjoys crazy road trips around the world, free diving and good music.


From Nukes to Cyber – Alternative Approaches for Proactive Defense and Mission Assurance

In typical military operations, the advantage goes to the offense because the initiator controls the timing and is able to concentrate forces. A good defense is designed to undermine the advantage of the offense. Proactive defense approaches include: masking (obfuscation), maneuvering, and hardening of critical capabilities. The other alternative, which is often characterized as resiliency or mission assurance, is to employ methods which deny the objectives of the offense. The expertise resident in the hacker community can improve both proactive defense and mission assurance.

Lt. Gen. Robert Elder (USAF, retired) joined the George Mason University faculty as a research professor with the Volgenau School of Engineering following his retirement from the Air Force as the Commander of 8th Air Force and U.S. Strategic Command’s Global Strike Component. He currently conducts research in the areas of integrated command and control, operational resiliency in degraded environments, strategic deterrence, and the use of modeling to support national security decision-making. He also serves as a senior advisor to the Cyber Innovation Center in Louisiana. General Elder was the first commander of Air Force Network Operations and led the development of the cyberspace mission for the Air Force. General Elder also served as Commandant of the Air War College, and holds a doctorate in engineering from the University of Detroit.


Noise Floor: Exploring the world of unintentional radio emissions

If it's electronic, it makes noise. Not necessarily noise that you and I can hear, of course – unless you know how to tune in. The air around us is filled with bloops, bleeps, and bzzts of machines going about their business, betraying their existence through walls or even from across the street. The unintentional noise lurking among intentional signals can even reveal what the machine is currently doing when it thinks it's keeping that information to itself. Attacks exploiting electromagnetic radiation, such as TEMPEST, have long been known, but government-sized budgets are no longer needed to procure the radio equipment. USB television receiver dongles can be used as software-defined radios (SDR) that cost less than a slice of Raspberry Pi. The goal of this talk is to show you that anyone with twenty bucks and some curiosity can learn a great deal about your computers and other equipment without ever leaving a trace, and you shouldn't neglect this risk when managing your organization's security.

Melissa Elliott (better known as 0xabad1dea) is a professional security bug finder who has seen unspeakable horrors in corporate codebases from around the world. Her very name causes systems to crash, especially ones that use jQuery. Her hobbies include programming the Nintendo Entertainment System, criticizing other people's C code, and an interest in radio emissions that resulted from a trip to the National Radio Astronomy Observatory in Green Bank, West Virginia.


Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO)

Password and PIN systems are often encountered on mobile devices. A software approach to cracking these systems is often the simplest, but in some cases there may be no better option than to start pushing buttons. This talk will cover automated PIN cracking techniques using two new tools and discuss the practicality of these attacks against various PIN-secured systems.

Robotic Reconfigurable Button Basher (R2B2) is a ~$200 robot designed to manually brute force PINs or other passwords via manual entry. R2B2 can operate on touch screens or physical buttons. R2B2 can also handle more esoteric lockscreen types such as pattern tracing.

Capacitive Cartesian Coordinate Bruteforcing Overlay (C3BO) is a combination of electronics designed to electrically simulate touches on a capacitive touch screen device. C3BO has no moving parts and can work faster than R2B2 in some circumstances.

Both tools are built with open source software. Parts lists, detailed build instructions, and STL files for 3d printed parts will be available for download.

A lucky volunteer will get to have their PIN cracked live on stage!

Justin Engler (@justinengler) is a Senior Security Engineer for iSEC Partners. Justin specializes in mobile and application security. Justin has previously spoken at DEF CON and BlackHat. Justin is not a roboticist, but will play one on DEF CON TV.

Paul Vines is a student at University of Washington and an iSEC Security Engineering Intern.


Google TV or: How I Learned to Stop Worrying and Exploit Secure Boot

Google TV is intended to bring the Android operating system out of the mobile environment and into consumers' living rooms. Unfortunately, content providers began to block streaming access to popular content from the Google TV platform which hindered its reach. Furthermore, the first generation of Google TV hardware used an Intel powered x86 chipset that fractured Google TV from that of the traditional ARM based Android ecosystem, preventing most Android applications with native code from functioning properly.

In our previous presentation at DEFCON 20, we discussed exploits found in the first generation of Google TV hardware and software. This presentation will be geared towards the newly released second generation of devices which includes models from a wider variety of OEMs such as Asus, Sony, LG, Vizio, Hisense, and Netgear.

Our demonstration will include newly discovered and undisclosed hardware exploits, software exploits, and manufacturer mistakes as well as discuss in detail how to exploit the new Secure Boot environment on the Marvell chipset.

In order to bypass Secure Boot on the Google TV we will release two separate exploits which will allow users to run an unsigned bootloader on Google TV devices. One of these affects specific configurations of the Linux kernel and can also be used for privilege escalation against a multitude of other embedded devices.

Finally, after our talk make sure to stop by the Q&A room and ask us a question. We have a limited number of USB TTL adapters to give away for free to aid the community in bootloader and kernel development.

Amir Etemadieh (@Zenofex) founded the GTVHacker group and has been working on the GTVHacker project from its initial start in November 2010. Amir is on the research and development team at Accuvant LABS and prior to his employment conducted independent research in consumer devices including the Logitech Revue, Ooma Telo, Samsung Galaxy S2, Boxee Box as well as services such as the 4G Clear Network.

CJ Heres (@cj_000) is an IT consultant by day who enjoys breaking devices ranging from washing machines to Blu-Ray players. His philosophy is to use a simple approach for complex problems. CJ's recent work includes independent research on Hospira and Alaris IV infusion pumps, as well as consumer electronics such as the Roku, Google TV, Boxee Box, and Vizio Smart TVs.

Mike Baker (@gtvhacker) (aka [mbm]) is a firmware developer, better known as the Co-Founder behind OpenWrt. He hacks stuff.

Hans Nielsen (@n0nst1ck) is a security wizard at Matasano Security. When he isn't busy protecting your in-house and external applications from evil, he enjoys hacking apart consumer electronics and designing prototype boards. Hans is a tinkerer at heart with an ability to quickly reverse hardware and software through whatever means necessary.


gitDigger: Creating useful wordlists from public GitHub repositories

This presentation intends to cover the thought process and logistics behind building a better wordlist using GitHub public repositories as its source. With an estimated 2,000,000 GitHub projects to date, how would one store that amount of data? Would you even want or need to? After downloading approximately 500,000 repositories and storing 6TB on multiple USB drives, this will be a story of one computer, bandwidth, basic Python and how a small idea quickly got out of hand.

Jaime Filson (WiK) Well, WiK's just zis guy. He enjoys long walks on the beach while his computer equipment is busy fuzzing software, cracking passwords, or spidering the internet.

Rob Fuller (Mubix) is a Senior Red Teamer. His professional experience starts from his time on active duty as a United States Marine. He has worked with devices and software that run the gamut in the security realm. He has a few certifications that haven't expired yet, but the titles that he holds above the rest are father, husband, and United States Marine.


10000 Yen into the Sea

The use of a pressure housing in an underwater vehicle can be difficult to implement without becoming a cost-center. Flipper will walk the audience through a new design for an Autonomous Underwater Glider which challenges assumptions about what is required or necessary to deploy sensors, transmitters, and payloads across long distances in the ocean. The speaker assumes no prior knowledge of subject matter & hopes the audience can help him to find new applications for this Open Source Hardware project.

Flipper (@NickFLipper) is a hardware hacker obsessed with lowering the cost of underwater robots. Flipper spent 2 years as a member of his College's ROV team practicing waterproofing of CoTs components such as cameras, IMUs, and motors. These experiences inspired him to form the "Mesa College" team that participated in the 2011 & '12 AUVSI Robosub competition. During the first year of competition, the Mesa team took home a judges award for 'Innovation on a Budget'. Since that time Flipper has been employed by an EV manufacturer working to reduce the cost of high efficiency electric vehicles.

Defeating SEAndroid

Security Enhancements for Android (SEAndroid) enables the use of SELinux in Android in order to limit the damage that can be done by malicious apps, trying to make exploitation harder. Some OEMs are trying hard to implement extra mitigations in their devices, especially those aiming to reach the enterprise market. We will present some issues that are found in devices currently implementing SEAndroid, and demonstrate how vendors FAIL in properly implementing SEAndroid protection.

Pau Oliva (@pof) is a Mobile Security Engineer with viaForensics. He has previously worked as an R+D Engineer at a wireless provider. His passion for smartphones started back in 2004 when he had his first PocketPC phone with the Windows Mobile operating system and started reverse engineering and hacking HTC devices. He has been actively researching security aspects of the Android operating system since its debut with the T-Mobile G1 in October 2008. Pau is co-author of Wiley's Android Hacker's Handbook.

The Politics of Privacy and Technology: Fighting an Uphill Battle

In the past few decades the world has been dramatically transformed by technology. People have significantly evolved in how they interact with each other and the world; a side effect of this evolution is the drastic change in personal privacy. Private citizens, corporations, and governments all have different ideas on what privacy means and what information should be respected as private. Typically citizens don't realize their expectations of privacy are falsely held, or more accurately that they have very little privacy left. Regarding privacy, decades have gone by without any action to protect an individual's privacy against entities buying, selling, storing, and using your private data. Policy can take years to enact, and the minimal legislative action happening leans toward protecting special interest groups who have great political sway.

Action needs to be taken. Policy needs to be created allowing businesses to operate while allowing individuals to keep their information private. In the 2013 Montana Legislative Session Daniel Zolnikov, with the support of Eric Fulton, worked to introduce comprehensive legislation to protect the privacy of the citizens of Montana. Daniel Zolnikov and Eric Fulton will talk about the ideas behind the bill, the process of drafting and introducing legislation, presenting the bill before committee and the public testimony process, and the politics of why the bill ultimately died. The speakers will end the talk with lessons learned and thoughts on how to effectively pass future privacy legislation.

Eric Fulton (@Trisk3t) is a specialist in information security research and network penetration testing who regularly speaks on his research and work. In his spare time, Eric works with local students to provide hands-on security training, conducts independent security research on interesting projects, and occasionally works on legislation affecting privacy and technology. Eric currently works for SubSector Solutions which provides information security services and training.

Daniel Zolnikov (@DanielZolnikov) is a State Representative for Montana. As a 26 year old Representative, Daniel is one of the few legislators who even remotely understands the threats and concerns of the collection of personal information. He spent his first session working to fill a policy vacuum where privacy and politics meet the road. Daniel sponsored multiple bills, including two pieces of privacy legislation. The first bill would have created the Montana Privacy Act. The second bill, which was signed into law, prevented law enforcement from obtaining cell phone location information without a warrant. For the sake of transparency, he uses his Facebook page to post his votes. Daniel received his undergraduate degree from the University of Montana where he earned 3 business majors in Information Systems, Marketing and Management. As a Montanan, Daniel enjoys the finer things in life including shooting guns, fishing, and fighting tyranny.

Java Every-Days: Exploiting Software Running on 3 Billion Devices

Over the last three years, Oracle Java has become the exploit author's best friend. And why not? Java has a rich attack surface, broad install base, and runs on multiple platforms allowing attackers to maximize their return-on-investment. The increased focus on uncovering weaknesses in the Java Runtime Environment (JRE) shifted research beyond classic memory corruption issues into abuses of the reflection API that allow for remote code execution. This talk focuses on the vulnerability trends in Java over the last three years and intersects public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program.

We begin by reviewing Java's architecture and patch statistics to identify a set of vulnerable Java components. We then highlight the top five vulnerability types seen in ZDI researcher submissions that impact these JRE components and emphasize their recent historical significance. The presentation continues with an in-depth look at specific weaknesses in several Java sub-components, including vulnerability details and examples of how the vulnerabilities manifest and what vulnerability researchers should look for when auditing the component.

Finally, we discuss how attackers typically leverage weaknesses in Java. We focus on specific vulnerability types attackers and exploit kit authors are using and what they are doing beyond the vulnerability itself to compromise machines. We conclude with details on the vulnerabilities that were used in this year's Pwn2Own competition and review steps Oracle has taken to address recent issues uncovered in Java.

Brian Gorenc (@MaliciousInput, @thezdi) is the Manager of Vulnerability Research in HP's Security Research organization. His primary responsibility is running the Zero Day Initiative (ZDI) program and doing root cause analysis on ZDI submissions. Brian's current research centers on discovering vulnerabilities in popular software, analyzing attack techniques, and identifying vulnerability trends. Prior to joining HP he worked for Lockheed Martin on the F-35 Joint Strike Fighter program where he led the development effort of the Information Assurance (IA) products in the JSF's mission planning environment.

Jasiel Spelman (@WanderingGlitch) is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, he was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions and helped develop the ReputationDV service from TippingPoint.

Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a B.A. in Computer Science from the University of Texas at Austin.

JTAGulator: Assisted Discovery Of On-Chip Debug Interfaces

On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by hackers to extract program code or data, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time consuming task, sometimes requiring physical destruction or modification of the device.

In this session, Joe will introduce the JTAGulator, an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads. He will discuss traditional hardware reverse engineering methods and prior art in this field, how OCD interfaces work, and how JTAGulator can simplify the task of discovering such interfaces.

Joe Grand (@joegrand) is an electrical engineer and hardware hacker. He runs Grand Idea Studio and specializes in the design of consumer and hobbyist embedded systems. He created the electronic badges for DEFCON 14 through 18 and was a co-host of Discovery Channel's Prototype This. Back in the day when he was known as Kingpin, he was a member of the infamous hacker group L0pht Heavy Industries.

Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust

The US National Security Agency has been public about the inevitability of mobile computing and the need to support cloud-based service use for secret projects. General Alexander, head of the NSA, recently spoke of using smartphones as ID cards on classified networks.

And yet, mobile devices have a poor security track record, both as data repositories and as sources of trustworthy identity information. Cloud services are no better: current security features are oriented toward compliance and not toward real protection.

What if we could provide a strong link between mobile device identity, integrity, and the lifecycle of data retrieved from the cloud using only the hardware shipped with modern smartphones and tablets?

The good news is that we can do that with the trusted execution environment (TEE) features of the common system on a chip (SOC) mobile processor architectures using 'measurement-bound' encryption. This talk will describe how data can be encrypted to a specific device, how decryption is no longer possible when the device is compromised, and where the weaknesses are. I will demonstrate measurement-bound encryption in action. I will also announce the release of an open-source tool that implements it as well as a paper that describes the techniques for time-bound keys.

This is likely the very same way that NSA will be protecting the smartphones that will be used for classified information retrieval. Come learn how your government plans to keep its own secrets and how you can protect yours.

Dan Griffin (@JWSdan) is the founder of JW Secure and is a Microsoft Enterprise Security MVP. Dan is the author of the books Cloud Security and Control, published in 2012, and The Four Pillars of Endpoint Security, to be published in 2013, and is a frequent conference speaker. Dan holds a Master's degree in Computer Science from the University of Washington and a Bachelor's degree in Computer Science from Indiana University.

So You Think Your Domain Controller is Secure?

Domain Controllers are the crown jewels of an organization. Once they fall, everything in the domain falls. Organizations go to great lengths to secure their domain controllers; however, they often fail to properly secure the software used to manage these servers.

This presentation will cover unconventional methods for gaining domain admin by abusing commonly used management software that organizations deploy and use.

Justin Hendricks works on the Office 365 security team where he is involved in red teaming, penetration testing, security research, code review and tool development.

Phantom Network Surveillance UAV / Drone

DARPA, 2011, sponsored a contest named UAVForge which challenged teams to build a prototype unmanned aerial vehicle (UAV). Mission: "UAV must be small enough to fit in a soldier's rucksack and able to fly to, perch & stare from useful locations for several hours near targets of interest to provide real-time (visual) persistent surveillance." Long story short: 140 teams participated, no one won. Crashes, remote piloting, & electronics problems all took their toll.

Flash forward to 2013 - Technology has improved significantly. Reading the UAVForge story, I was fascinated by the concept of "perch and stare" surveillance. I wondered if this technique could be extended from visual to wireless network discovery & exploitation?

Jan. 2013, DJI Innovations introduced a quadcopter known as the Phantom. Phantom quickly gained a reputation as the most stable platform for use in aerial photography and other, small electronics. Phantom uses a GPS autopilot and a "return to home" capability in case the flight goes wrong. So, I decided to become a proud Phantom owner. I built and now fly wireless missions using 2 payloads: [1] Wispy spectrum analyzers, and [2] an Internet-accessible WiFi Pineapple (Hak5).

In this presentation you will learn how to successfully outfit & fly a quadcopter equipped with tiny computers, plus utilize wireless survey & exploitation tools. Three missions will be covered: site survey, in-flight wifi discovery, plus extended roof-top wifi pineapple operation.

Ricky Hill is a principal consultant at Tenacity Solutions, a security firm located in Reston, VA. Mr. Hill's research interests include wireless hacking and SCADA security, both areas where he's performed challenging and novel work for the last 10 years on various defense contracts in the Washington D.C. area. When not occupied with the daytime job, he can be found outdoors flying R/C helicopters, balloons and other toys (or just relaxing by the lake). A 3x DEF CON speaker and 13 yr. attendee, he's been to every DEF CON since 2000.

The Bluetooth Device Database

As of 2013, it is estimated that there are now billions of bluetooth devices deployed worldwide. The goal of the Bluetooth Database Project is to track and freely distribute real time sightings and statistics of these wide spread devices. The data collected from these devices can be used to answer questions pertaining to various topics, such as device geolocation, device proliferation, population analysis, device misconfigurations, and an assortment of other security related analytics.

During this presentation I will go over the current community driven, distributed, real time, client/server architecture of the project. I will show off some of the analytics that can be leveraged from the project's data sets. Finally, I will be releasing various open source bluetooth scanning clients (Linux, iOS, OSX). These clients are easily installable across various operating systems and can be used to systematically contribute data to the project.

Ryan Holeman (@hackgnar) resides in Austin, Texas where he works as a senior software developer for Ziften Technologies. He has a Masters of Science in Software Engineering. He has published papers through ICSM and ICPC and spoken at various security conferences including DEF CON and Black Hat. His spare time is mostly spent digging into various network protocols and shredding local skateparks.

Dude, WTF in my car?

The ECU tuning market is weird. There is little help from people in it, and most of the equipment is expensive. Well, not anymore! After hacking some equipment worth thousands of dollars, a new toy was born. Seed/Key algos broken, RSA busted… We will learn all about Bosch EDC15 and EDC16 car ECUs. How they communicate, what protocols they use, their security and why it is worth hacking them. There will be a demonstration of a tool that does all of these, and costs less than $25 to build.

Alberto Garcia Illera (@algillera) is a 25-year-old who is passionate about hacking and social engineering. Alberto studied mathematics and computer systems in Spain and has spent the past several years working as a professional penetration tester. Alberto has presented at several seminars where he has helped teach hacking techniques to large companies such as Microsoft, the Spanish government and the cyberterrorism Spanish police department. At DEF CON 20 in Las Vegas, Alberto presented a talk titled "How to hack all the transport networks of a country" that had a great repercussion. He has also spoken at ZeroNights in Moscow, BlackHat in Abu Dhabi and recently at Infiltrate in Miami.

Javier Vazquez Vidal AKA Bi0H4z4rD is a hardware security specialist. He has been involved in several reversing projects that go from a simple IP camera to the well known PS3. He has worked for Airbus Military among other companies.

He studied Electromechanics and Telecommunications, developing a passion for electronics and technology since his youth.

At this time, he will be presenting his first public work, the ECU tool.

Resting on Your Laurels will get you Pwned: Effectively Code Reviewing REST Applications to avoid getting powned

Public REST APIs have become mainstream. It is not just startups such as Facebook and Twitter at the forefront of the REST revolution. Now, almost every company that wants to expose services or an application programming interface does it using a publicly exposed REST API. Although many people have given talks about attacking REST APIs from a pen-tester's point of view, little discussion has occurred related to application layer vulnerabilities in REST APIs.

This talk gives code reviewers the skills they need to identify and understand REST vulnerabilities at the application code level. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks.

Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs in terms of how they affect security. Abraham has a Bachelor of Science from Cornell University and a J.D. from Lincoln Law School of San Jose. He recently joined Samsung as a Director of R&D helping to drive security across new products and services in development. Prior to joining Samsung, Abraham worked as Principal Security Researcher for HP Fortify in their Software Security Research group. Prior to joining Fortify, Abraham worked with application security for over 10 years, reviewing over 12 million lines of code, and working over 4 years as a dedicated security code reviewer at Wells Fargo. He is focused on application, framework and mobile security and has presented his findings at Black Hat U.S.A., OWASP AppSec U.S.A., Baythreat, RSA, BSIDES, and HP Protect. When he is not finding security vulnerabilities, he is studying the law in relation to information security.

Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.

For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers).

Torturing Open Government Systems for Fun, Profit and Time Travel

"I'm from the government and I'm here to help you" takes on a sinister new meaning as jurisdictions around the world stumble over each other to 'set the people's data free'. NYC boasts in subway ads that 'our apps are whiz kid certified' (i.e. third party) which of course translates to 'we didn't pay for them, and don't blame us if somebody got it wrong and the bus don't come.' This session reports on my (and other people's) research aimed at prying out data that you're probably not supposed to have from Open Government Systems around the world. For example, Philadelphia, PA cavalierly posted the past 7 years of political contribution receipts which contained the full names and personal addresses of thousands of people, some of whom probably didn't want that information to be out there in such a convenient form. The entire database was also trivially downloadable as a CSV file and analysis of it yielded some fascinating and unexpected information. Referring back to classic computer science and accounting principles like 'least privilege' and 'segregation of duties' the presentation will suggest some ways to have our Open Data cake without letting snoopy people eat it.

Tom Keenan (@drfuture) wrote his first machine and assembler language programs in 1965 and by 1972 was working as a systems programmer on the KRONOS and MULTICS operating systems. This led to a long career as a computer science professor, media commentator and writer about the human side of technology. He helped design one of the first automated DNA sequencing machines as well as a system for personal identification based on typing rhythm. He has a Masters in Engineering and a Doctorate from Columbia University and has held a number of credentials including CISSP but doesn't feel the need for that now. An award-winning journalist, he co-authored the 1984 CBC Radio IDEAS series "Crimes of the Future" and is currently writing a book on creepiness to be published by OR Books.

The Dirty South – Getting Justified with Technology

It seems that every day there's a new NextGen firewall, whitelisting and blacklisting, DLP, or the latest technology that's supposed to stop us. But does it really stop "hackers"? Truth is, naw not really. In this talk we'll be showing off the latest bypass techniques for the "latest" hacker stoppers, using a universally whitelisted website as our middle man for a command and control, social engineering our way into some of the toughest companies, and showing off some techniques that work for us. This talk is about throwing misconceptions of protection and safety out the window, and going back to the dirty south, where thinking outside of the box is a requirement. We'll be releasing two new tools, one that makes meterpreter invisible over the network, and the other a shell that uses a popular third party as the command and control. A vulnerability scanner won't help you herrrrrrre.

David Kennedy (@dave_rel1k) is founder and principal security consultant of TrustedSec - An information security consulting firm located in Cleveland Ohio. David was the former Chief Security Officer (CSO) for a Fortune 1000 where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Testers Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has presented on a number of occasions at Black Hat, Defcon, ShmooCon, BSIDES, Infosec World, Notacon, AIDE, ISACA, ISSA, Infragard, Infosec Summit, and a number of other security-related conferences. Kennedy has been interviewed by several news organizations including CNN, Fox News, and BBC World News. Kennedy is on the Back|Track and Exploit-DB development team and co-host of the podcast. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville Kentucky. Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.

Nick Hitchcock (@nick8ch) is a Senior Security Consultant at TrustedSec and has a relentless pursuit to break security and make things do things they were not meant to do. He also has experience working in the IT/information security field for several years and has performed large scale security assessments/penetration tests, risk assessments, forensic analysis, physical security assessments, and social engineering engagements. In addition to secular work Nick is also actively involved in the Infosec community, being one of the organizers of DerbyCon and head of security for BSidesLV and BSidesDE. He also is a contributor to and part of the Social Engineering CTF team at DEF CON. OSCP, GPEN

The Secret Life of SIM Cards

SIM cards can do more than just authenticate your phone with your carrier. Small apps can be installed and run directly on the SIM separate from and without knowledge of the phone OS. Although SIM Applications are common in many parts of the world, they are mostly unknown in the U.S. and the closed nature of the ecosystem makes it difficult for hobbyists to find information and experiment.

This talk, based on our experience building SIM apps for the Toorcamp GSM network, explains what (U)SIM Toolkit Applications are, how they work, and how to develop them. We will explain the various pieces of technology involved, including the Java Card standard, which lets you write smart card applications using a subset of Java, and the GlobalPlatform standard, which is used to load and manage applications on a card. We will also talk about how these applications can be silently loaded, updated, and interacted with remotely over-the-air.

Karl Koscher (@supersat) is a PhD student studying security and privacy at the University of Washington. His research covers a wide variety of areas, but he primarily focuses on security for embedded systems. Most recently, he was one of the primary researchers that demonstrated that modern cars are vulnerable to multiple remote exploits, which can affect nearly every physical system in the car.

Eric Butler (@codebutler) is a software engineer with an interest in security, privacy, and usability. He’s known for creating Firesheep, an easy to use tool that clearly demonstrated the risks of HTTP session hijacking attacks, and prompted major websites including Facebook, Twitter, and Hotmail to improve their security. He also created FareBot, an Android app that reads data from common NFC transit cards sparking a discussion around the privacy of these systems.

Decapping Chips the Easy Hard Way

For some time it has been possible to discover the inner workings of microprocessors with the help of a microscope and some nasty chemicals such as fuming nitric acid. However, unless you have access to a university or work science lab, this is beyond the reach of most hackers, and, even if it were to be attempted, difficult and potentially extremely dangerous.

In this talk we will go through our own adventures in tackling the issue from the point of view of the back-room hacker/researcher, and how we have solved many of the problems using only tools and devices that were freely and cheaply available from online sources such as Ebay.

There is also the secondary problem of what to do with the chip once you've decapped it. For example: if you've taken microscopic images of a masked ROM, in theory you can extract the code, but in practice you're looking at thousands of tiny dots, each of which represents a 0 or a 1, which, once correctly read and compiled into HEX, will represent the original byte code. Many projects (e.g. MAME) have used crowd-sourcing as a means of converting the images by eye, but we will present a software tool that semi-automates this process and we'll demonstrate how what was once the work of tens if not hundreds of hours can be reduced to a few minutes.

Adam Laurie is a freelance security consultant working in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he became interested in the newly emerging concept of 'The Internet', and was involved in various early open source projects, the most well known of which is probably Apache-SSL which went on to become the de-facto standard secure web server. Since the late Nineties he has focused his attention on security, and has been the author of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centers (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID. He is the author and maintainer of the open source python RFID exploration library 'RFIDIOt'. Adam is a Director and full time researcher working for Aperture Labs Ltd., specializing in reverse engineering of secure systems.
Adam's Blog at Aperture Labs

Zac Franken has been working in the computer and technology industry for over 20 years for major industry players such as ICL, Informix, British Airways and Motorola. Founding his first company, Point 4 Consulting at the age of 25, he built it into a multi-million pound technology design consultancy. Point 4 was the leading provider for critical back end technology in the UK and was used by many major web sites such as The Electronic Telegraph, MTV, United Airlines, Interflora, Credit Suisse, BT, Littlewoods and Sony. Following Point 4 he went on to found Ablaise, a company that manages the considerable intellectual property generated by Point 4, and Aperture Labs Ltd. In his spare time he manages the world's largest and longest running security conference, DEF CON.

Zac's research focuses on embedded hardware with a penchant for access control systems and biometric devices. He has spoken and trained at public information security conferences in Europe and the US and for private and governmental audiences. He is responsible for identifying major vulnerabilities in access control and biometric systems, and has a passion for creating devices that emulate access control tokens either electronic, physical or biometric. Zac has been responsible both directly and indirectly for changing access control guidelines for several western governments.
Zac's Blog at Aperture Labs

Key Decoding and Duplication Attacks for the Schlage Primus High-Security Lock

The Schlage Primus is one of the most common high-security locks in the United States. We reverse-engineered the operation of this lock, constructed a parameterized 3d model of a working key, and constructed a software tool to produce such a 3d model given the code number for any key. We then used this tool to 3d print working Primus keys with a variety of 3d printing processes. In our talk, we will discuss the reverse-engineering process, demonstrate our software tool, examine the working 3d printed keys, and discuss the security ramifications of this process.

dlaw, ervanalb, and robj study electrical engineering and computer science at the Massachusetts Institute of Technology, where they spend most of their time hacking on projects unrelated to their studies. They have taught seminars on lockpicking and security vulnerabilities to various audiences at the Institute.

How to use CSP to stop XSS

Cross-site scripting attacks have always been a mainstay of the OWASP Top 10 list. The problem with detecting XSS is that you can't go looking at web log traffic to determine if a request contains an actual cross-site scripting attack attempt, much less one that will actually succeed against your defenses. Our work has helped reveal some nuances with implementing content security policy to help detect and prevent XSS attacks across a major website. This talk will demonstrate a new python based tool that we are open sourcing for Defcon that combines client and server-based whitelisting mechanisms to verify unauthorized scripts (i.e. XSS) running on a page, mixed content, and inline javascript across a site.

Kenneth Lee (@Kennysan) is a product security engineer at working on everything from HTTP security headers to shattering the site with new vulnerabilities. Previously, Kenneth worked at FactSet Research Systems preventing The Hackers from stealing financial data. He went to Columbia and got an MS in computer science focusing on computer security. Between sweet hacks, Kenneth enjoys drinking tea and force feeding Etsy's operations team with Japanese chocolates.

This presentation will self-destruct in 45 minutes: A forensic deep dive into self-destructing message apps

Prior to 2013, the phrase 'Self Destructing Message' was most commonly associated with Inspector Gadget, Maxwell Smart, and the occasional Tom Cruise movie. With the advent of smartphone apps like Snapchat, Wickr, and Facebook Poke, the self-destructing message has left the world of 'International Men of Mystery' and arrived to the civilian world by way of smart phone applications. These apps, and others, claim to provide ephemeral or private messaging to assure senders that their messages are burnt after reading.

A message can be encrypted, but that does not make it clandestine or deniable. Through the use of forensic images, packet captures, and API review, we have recovered a wide range of artifacts from messages before, after, and during transmission. We are neutral, fact finding, forensic examiners on a mission. A mission to seek truth and provide you with the results of our deep dive forensic review of self-destructing messaging smartphone apps.

Andrea (Drea) London (@strozfriedberg) is a Digital Forensic Examiner in Stroz Friedberg's Dallas office. At Stroz Friedberg, Ms. London acquires and examines digital evidence from laptops, desktops and mobile phones in support of legal proceedings, criminal matters, and/or corporate investigations. Ms. London previously held positions at Arsenal Security Group and IBM's Internet Security Systems Emergency Response Team. At Arsenal, Ms. London was an integral part of the company's immediate response team for worldwide cyber security incidents. During this time she completed and has maintained certification as a Payment Application Qualified Security Assessor (PA QSA), Payment Card Industry (PCI QSA), and PCI Forensic Investigators (PFI), one of the first appointed by the PCI Council. At IBM, she acted as an official Quality Incident Response Assessor (QIRA) reporting PCI breaches to major card brands. Prior to her work for IBM, Ms. London was with the Air Force Office of Special Investigations (AFOSI), where she was one of two Airmen chosen for special duty assignment at the Defense Cyber Crime Center, and where she was tasked with testing and evaluating forensic software and hardware for the Center.

Kyle O'Meara is a Digital Forensic Examiner in Stroz Friedberg’s Washington, DC office. Mr. O’Meara is part of a national team of examiners skilled in performing forensic acquisitions, preserving data from a variety of electronic sources, and delivering astute analysis. He supports the firm’s electronic discovery cases and also serves as a member of Stroz Friedberg’s incident response practice. His work further entails forming and articulating concise opinions on complex technical matters which ultimately serve as expert testimony in depositions, trials and other proceedings. Prior to joining Stroz Friedberg, Mr. O’Meara was a Network Exploitation and Vulnerability Analyst for the National Security Agency (NSA) providing security guidance to the Army and Air Force. During this time, he performed computer forensics on a 6 month deployment to Iraq and served as a lead cryptanalyst for discovering malicious and vulnerable content in computer network operation projects. Mr. O'Meara holds a Master's of Science in Information Security Policy and Management from Carnegie Mellon University.

HiveMind: Distributed File Storage Using JavaScript Botnets

Some data is too sensitive or volatile to store on systems you own. What if we could store it somewhere else without compromising the security or availability of the data, while leveraging intended functionality to do so? This presentation will cover the methodology and tools required to create a distributed file store built on top of a JavaScript botnet. This type of data storage offers redundancy, encryption, and plausible deniability, but still allows you to store a virtually unlimited amount of data in any type of file. They can seize your server – but the data's not there!

Sean Malone has been building and breaking networks and applications for the last 12 years, and he has a diverse practical and academic background in information technology and security. As a Principal Consultant and the primary engagement manager for FusionX, Sean provides clients across all verticals with sophisticated adversary simulation assessments and strategic security guidance. Sean is a key member of the FusionX internal research and development team and his custom security assessment utilities are used in a majority of FusionX engagements.

GoPro or GTFO: A Tale of Reversing an Embedded System

Embedded systems are shrinking in size and becoming widely used in many consumer devices. High quality optic sensors and lenses are also shrinking in size. The GoPro Hero 3 camera leverages high quality camera equipment with multiple embedded operating systems to offer not only great imagery, but an interesting platform to explore and understand.

We'll explore the hardware used in the device to handle imaging, networking, and other I/O. We will dissect the camera software, giving the audience a look at how the camera functions. We will explain the multiple layers of software running on the device, and show attack surfaces exposed to attackers.

We will present ways to turn the GoPro into a remote audio/video bug. We'll present some interesting ways to interface existing software with the AV capabilities, and present a library to control the device remotely.

Todd Manning (@tmanning) is a research consultant at Accuvant Labs where he is focused on reverse engineering and vulnerability discovery on a wide range of platforms including mobile, smart grid, and network security equipment. His independent research covers topics involving reverse engineering of the code, file formats, and protocols used in various consumer products. He was previously Manager of Security Research at BreakingPoint Systems. He's an avid stand-up paddleboarder, a volunteer with his local school district, and frequent participant in the Austin Hackers Association.

Zach Lanier (@quine) is a Senior Research Consultant with Accuvant LABS, specializing in network, mobile and web application security. Prior to joining Accuvant LABS, Lanier served as Security Researcher with Veracode, and Principal Consultant with Intrepidus Group. He has spoken at a variety of security conferences, including Black Hat, INFILTRATE, ShmooCon, and SecTor, and is a co-author of the upcoming "Android Hacker's Handbook".

A Thorny Piece Of Malware (And Me): The Nastiness of SEH, VFTables & Multi-Threading

Reverse Engineering is the supreme discipline in analyzing malware, how else would you find out all capabilities of a malicious sample? But this task gets trickier nearly every day, as malware authors apply new techniques to evade analysis. Even worse, documentation of said techniques is barely existent, which makes our job even harder.

This talk will focus on the challenges of a specifically thorny piece of malware, detected as Backdoor.Win32.Banito. It will discuss the palette of anti-analysis measures found and show a path through a multi-threaded file-infecting spy bot. The talk will try to shed some light on the merely shallow documentation of the binary layout of Windows Structured Exception Handling (SEH), point out complications in analyzing object oriented C++ binaries and give an insight on how to tackle multi-threaded executables.

Marion Marschalek (@pinkflawd) is currently employed at IKARUS Security Software GmbH based in Vienna, Austria. She has been working as a Malware Analyst and in Incident Response for two years now. Besides that, Marion teaches basics of malware analysis at University of Applied Sciences St. Pölten. She has a technical degree, achieved through three different universities on three different continents. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.

Pwn The Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices

Malicious attackers and penetration testers alike are drawn to the ease and convenience of small, disguise-able attacker-controlled devices that can be implanted physically in a target organization. When such devices are discovered in an organization, that organization may wish to perform a forensic analysis of the device in order to determine what systems it has compromised, what information has been gathered, and any information that can help identify the attacker. Attacker-implanted penetration testing software and hardware may also be the target of counter-attack. Malicious attackers may compromise penetration testers' devices in order to surreptitiously gather information across multiple targets and pentests. The very tools we rely on to test security may provide an attractive attack surface for third parties.

In this talk, procedures for forensic examination and zero-day vulnerabilities that lead to remote compromise of the Pwn Plug will be discussed and demonstrated as a case study. Possible attack scenarios will be discussed.

Wesley McGrew (@McGrewSecurity) is an assistant research professor at Mississippi State University's Computer Security Research Center, where he recently earned a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems. He also lectures for the MSU National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. In the spring 2013 semester, he began teaching a self-designed course on reverse engineering to students at MSU, using real-world, high-profile malware samples, as part of gaining NSA CAE Cyber Ops certification for MSU. Wesley has presented at Black Hat USA and DEF CON, and is the author of penetration testing and forensics tools that he publishes through his personal/consultancy website,

Getting The Goods With smbexec

Individuals often upload and execute a payload to a remote system during penetration tests for footprinting, gathering information, and to compromise additional hosts. When trying to remain stealthy, uploading a shell to a target may not be wise. smbexec takes advantage of native Windows functionality and SMB authentication to execute commands on remote Windows systems without having to upload a payload, decreasing the likelihood of being stopped by AntiVirus.

The original intent of creating smbexec was to upload and execute obfuscated payloads using samba tools. Since the first PoC, it has expanded its capability to do more, including dumping local and domain cached password hashes, clear text passwords from memory, and stealing the NTDS.dit file from a Windows Domain controller all without the need for a shell on the victim.

We will explore the creation of smbexec, the components behind it, and how to leverage its functionality to get the goods from a system without having to use a payload.

Eric Milam (@Brav0Hax) is a principal security assessor on the Accuvant LABS enterprise assessment team with over fifteen (15) years of experience in information technology. Eric has performed innumerable consultative engagements including enterprise security and risk assessments, perimeter penetration testing, vulnerability assessments, social engineering, physical security testing, wireless assessments and extensive experience in PCI compliance controls and assessments. Eric is a project steward for the Ettercap project as well as creator and developer of the easy-creds and smbexec projects.
IRC > J0hnnyBrav0

Adventures in Automotive Networks and Control Units

Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation will examine some controls in two modern automobiles from a security researcher's point of view. We will first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus. Then we will show how certain proprietary messages can be replayed by a device hooked up to an OBD-II connection to perform critical car functionality, such as braking and steering. Finally, we'll discuss aspects of reading and modifying the firmware of ECUs installed in today's modern automobile.

Charlie Miller (@0xcharlie) is a security engineer at Twitter. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated".

Chris Valasek (@nudehaberdasher) is the Director of Security Intelligence at IOActive, an industry leader that offers comprehensive computer security services, where he specializes in attack methodologies, reverse engineering and exploitation techniques. While widely regarded for his research on Windows heap exploitation, Valasek also regularly speaks on the security industry conference circuit on a variety of topics. His previous tenures include Coverity, Accuvant LABS and IBM/ISS. He is also the Chairman of SummerCon, the nation's oldest hacker conference. He holds a B.S. in Computer Science from the University of Pittsburgh.

PowerPreter: Post Exploitation Like a Boss

Powerpreter is "The" post exploitation tool. It is written completely in PowerShell, which is present on all modern Windows systems. Powerpreter has multiple capabilities which any post exploitation shell worth its salt must have, minus the detection by anti virus or other countermeasure tools. Powerpreter has, to name a few, functions like stealing information, logging keys, dumping system secrets, in-memory code execution, getting user credentials in plain, introducing vulnerabilities, stealing/modifying registry, web server and impersonate users. It is also capable of backdooring a target using multiple methods/payloads which could be controlled using top third party websites. Based on available privs, it could be used to pivot to other machines on a network and thus execute commands, code, PowerShell scripts etc. on those. It also contains a web shell which includes all these functionalities. It also has limited ability to clean up the system and tinker with logs. Almost all the capabilities of Powerpreter are persistent across reboots, memory resident and hard to detect. Powerpreter uses PowerShell, which enables it not to use any "foreign" code. It could be deployed in a skeleton mode which pulls functionality from the internet on demand. It aims to improve Windows post exploitation practices and help in the most important phase of a Pen Test. The talk will be full of live demonstrations.

Nikhil Mittal (@nikhil_mitt) is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has many years of experience in Penetration Testing of many Government Organizations of India and other global corporate giants. He specializes in assessing security risks at secure environments which require novel attack vectors and "out of the box" approach. He has worked extensively on using HID in Penetration Tests and PowerShell for post exploitation. He is creator of Kautilya, a toolkit which makes it easy to use HID in penetration tests and Nishang, a post exploitation framework in powershell. In his free time, Nikhil likes to scan full IP ranges of countries for specific vulnerabilities, does some vulnerability research and works on his projects. He has spoken/trained at conferences like BlackHat USA, BlackHat Europe, RSA China, Troopers, PHDays, BlackHat Abu Dhabi, Hackfest and more. Blog:

Kill 'em All — DDoS Protection Total Annihilation!

With the advent of paid DDoS protection in the forms of CleanPipe, CDN / Cloud or whatnot, the sitting ducks have stood up and donned armors... or so they think! We're here to rip apart this false sense of security by dissecting each and every mitigation technique you can buy today, showing you in clinical detail how exactly they work and how they can be defeated.

Essentially we developed a 3-fold attack methodology:

  1. stay just below red-flag rate threshold,
  2. mask our attack traffic as inconspicuous,
  3. emulate the behavior of a real networking stack with a human operator behind it in order to spoof the correct response to challenges,
  4. ???
  5. PROFIT!

We will explain all the required look-innocent headers, TCP / HTTP challenge-response handshakes, JS auth bypass, etc. in meticulous detail. With that knowledge you too can be a DDoS ninja! Our PoC attack tool "Kill-em-All" will then be introduced as a platform to put what you've learned into practice, empowering you to bypass all DDoS mitigation layers and get straight through to the backend where havoc could be wrought. Oh and for the skeptics among you, we'll be showing testing results against specific products and services.

As a battle-hardened veteran in the DDoS battlefield, Tony "MT" Miu has garnered invaluable experience and secrets of the trade, making him a distinguished thought leader in DDoS mitigation technologies. At Nexusguard, day in day out he deals with high-profile mission-critical clients, architecting for them full-scale DDoS mitigation solutions where failure is not an option.

He has presented at DEF CON 20 and AVTokyo 2012 a talk titled "DDoS Black and White Kungfu Revealed", and at the 6th Annual HTCIA Asia-Pacific Conference a workshop titled "Network Attack Investigation".

With "Impossible is Nothing" as his motto, Dr. Lee never fails to impress with his ingenious implementation prowess. With years of SOC experience under his belt, systematic security engineering and process optimization are his specialties.

As a testament to his versatility, Dr. Lee has previously presented in conferences across various disciplines including ACM VRCIA, ACM VRST, IEEE ICECS and IEEE ECCTD.

Unexpected Stories From a Hacker Who Made it Inside the Government

Having had the opportunity to see things from within the hacker community and from a senior position in the DoD, Mudge has some enlightening stories to share, and is picking some of his favorites. He'll discuss Julian's story to him about US government involvement in the origins of Wikileaks, how the DoD accidentally caused Anonymous to target government systems, some of the ways in which the defense industrial base's poor security works financially in its favor, and cases where the government missed opportunities for positive outreach and understanding with this community.

You'll probably recognise parts of these stories from the news, but there are origins and back stories that are lesser known, and that should make for a good story time.

The Road Less Surreptitiously Traveled

Anonymously driving your own vehicle is becoming unattainable with the proliferation of automatic license plate readers (ALPRs) now coming into widespread use. Always-on electronic toll tags, smartphone traffic apps and even plain cell phones add to this problem. There is little public disclosure of this tracking and little legislation limiting the length of time data is retained, even if it is not involved in any investigation. History, laws, funding, detection, and their technological limitations will be explored in this talk.

pukingmonkey (@pukingmonkey) has been noodling around UNIX for a short three decades, has been attending DEF CON for a bit over a decade, during which time he has won three black badges. He is presently an IT Director in healthcare informatics, but has worked in technology research, and the financial services sector. Those that attend the DC shoot know him as the one that brings the loudest and largest bore to the event.

Please Insert Inject More Coins

The ccTalk protocol is widely used in the vending machine sector as well as the casino gaming industry, but is actually not that well known, and very little information exists about it except the official documentation. This protocol is used to transfer money-related information between various devices and the machine mainboard, like the value of the inserted bill or how many coins need to be given as change to the customer. This talk presents an introduction to the ccTalk protocol, its usage and various funny facts about it. Material presented will include a ccTalk server that can be used for DIY projects and various tools to help analyse and interact with a ccTalk bus.

Nicolas "Balda" Oberli (@Baldanos) works as a security engineer in Switzerland. His main interests are network and VoIP security, electronics and embedded devices hacking. In his free time, he likes to play old videogames and brew his own beer. He also participates in numerous CTF competitions with the team 0daysober.

Stalking a City for Fun and Frivolity

Tired of the government being the only entity around that can keep tabs on a whole city at once? Frustrated by dictators du jour knowing more about you than you know about them? Fed up with agents provocateur slipping into your protests, rallies, or golf outings?

Suffer no more, because CreepyDOL is here to help! With open-source software, off-the-shelf sensors, several layers of encryption, and a deployment methodology of "pull pin, point toward privacy insurance claimant," it allows anyone to track everyone in a neighborhood, suburb, or city from the comfort of their sofa. For just four easy hardware purchases of $131.95, you, too, can move up from small-time weirding out to the big leagues of total information awareness: deploy CreepyDOL today!

Brendan O'Connor (@USSJoin) is a geek of many trades. While he's a full-time law student at the University of Wisconsin in Madison (set to graduate in May 2014), his consultancy, Malice Afterthought, completed two DARPA Cyber Fast Track contracts during his first two years in law school.

He has also taught information warfare for the DoD, played the violin (now for more than 21 years), obtained his Amateur Extra certification, and wished fervently that his two cats would think of him as more than (a provider of) food.

Fast Forensics Using Simple Statistics and Cool Tools

Ever been attacked by malicious code leaving unknown files all over your computer? Trying to figure out if a file is encrypted or just compressed? Is the file really something else? Is there hidden data? Are you short on time? This talk leads you through file identification and analysis using some custom FREE tools that apply statistics and visualization to answer these questions and more. You can often identify files by their statistical picture and I am going to show you how.

We can find some hidden data (steganalysis), easily determine if an executable file is packed or obfuscated, find appended data, figure out if the file is really what it purports to be and even aid in reversing XOR encryption. The final proof of concept program allows you to statistically identify (i.e. no magic numbers or header information used) some file types autonomously for an entire hard drive. The Windows-based tools (mostly math so adaptable to Linux) and source code are free!

John Ortiz is currently a senior computer engineering consultant for Harris/Crucial Security Inc. working as a reverse exploit engineer. In this position, he develops and analyzes vulnerabilities and exploits for various software. Prior to working at Crucial, he spent 5 years at SRA International and 5 years at General Dynamics developing various defense related software, researching data hiding techniques, and analyzing malware.

In a second role, Mr. Ortiz developed and teaches a Steganography course for the University of Texas at San Antonio (UTSA). It covers a broad spectrum of data hiding techniques in both the spatial and transform domains including least significant bit, discrete cosine transform, echo hiding, hiding in executables, and hiding in network protocols. For the course, Mr. Ortiz developed several steganographic programs for testing and analysis.

Mr. Ortiz holds two master's degrees from the Air Force Institute of Technology, one in Electrical Engineering and one in Computer Engineering and a BSEE from Rose-Hulman Institute of Technology.

My email address ( is available for public dissemination. I do not have twitter or facebook.

VoIP Wars: Return of the SIP

NGN (Next Generation Network) is the modern TDM/PSTN system for communication infrastructure. SIP (Session Initiation Protocol) servers are the center of NGN services; they provide signaling services. SIP-based communication is insecure because of protocol implementation. Based on this fact, NGN is not actually Next Generation. It can be hacked with old stuff, but a few new attack types will be demonstrated in this presentation.

This presentation covers basic attack types for NGN infrastructure, old-school techniques for SIP analysis, a new hacking tool for analysis of SIP services, and the SIP Trust Hacking technique. A few fuzzing techniques will also be explained.

SIP networks provide their services based on Trust Infrastructure. SIP Soft Switches trust each other and accept calls from trusted SIP servers. A new technique will be demonstrated in this presentation: Hacking Trust Relationships Between SIP Gateways. SIP trust will be detected and hacked with a SIP trust analyzer tool. To explain basic attack types, a few tools will be demonstrated, such as footprinting, register, enumerator, bruteforcer, call analyzer and SIP proxy.

Another dangerous thing is outdated software in NGN infrastructure. VoIP devices such as MSAN, MGW and Soft Switches are responsible for serving signaling. They support the SIP protocol with vulnerable software which should be analyzed. New fuzzing techniques such as response-based fuzzing, MITM fuzzing and proxy tool usage will be explained.

Fatih Ozavci (@fozavci) is a Security Researcher and Consultant of Viproy Security, Turkey. He is the author of the Viproy VoIP Penetration and Exploitation Testing Kit, and he has published a paper about Hacking of SIP Trust Relationships. He has discovered many unknown private security vulnerabilities, design and protocol flaws in VoIP environments for his customers. He also analyzes VoIP design and implementation flaws, and helps to improve VoIP infrastructures as a service.

While Fatih's primary areas of expertise are VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed in network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. In addition to that, he is a well-known speaker at many security events in Turkey. He is one of the speakers of Athcon 2013 and Blackhat Arsenal USA 2013, where he will present his VoIP research and tools.

Viproy Security
Packetstorm Security

Exploiting Music Streaming with JavaScript

As the music industry transitioned from physical to digital distribution, they have forgotten the one thing they hold most dear to them: Their DRM. Many browser-based music streaming services use no DRM to secure their music. By doing this, they leave their library of high quality songs free for the picking.

This presentation details the use of JavaScript to circumvent the security of several browser-based music streaming services. By reverse engineering the code for several music players, it is possible to mimic the music player to download songs rather than stream them. Many services that are too difficult or obfuscated to reverse engineer can still be exploited by intercepting streaming traffic and making identical requests to download songs. This presentation covers the basics of music streaming, demonstrates browser-based traffic logging to identify and download music files, and describes the use of JavaScript to mimic the legitimate player in order to bypass security. The end result is a Google Chrome extension which will allow users to download songs as they stream them.

Franz Payer (@franz780) is a programmer at Tactical Network Solutions in Columbia, MD. At TNS, Franz develops for several research and development projects, including the company's commercial Reaver Pro software. Franz is a freshman at the University of Maryland, majoring in computer science in the Cybersecurity honors program. Prior to college, Franz led his high school's cybersecurity team, gh0stsec.

The Cavalry Isn't Coming: Starting the Revolution to Fsck it All!

We have some good news and some bad news. The good news is that security is now top of mind for the people of planet Earth. The bad news is that their security illiteracy has led to very dangerous precedents and this is likely just the beginning. The reactionary stances taken by the hacker community have induced burnout and fatigue with many of us watching our own demise. We're here to help us all hit rock bottom in the pursuit of something better. At some point the pain of maintaining inertia will exceed the pain of making changes, so it is time for some uncomfortable experimentation. While it may be overwhelming to think about, this is what we do. We hack systems. Finding flaws in the digital world comes naturally to us. We can and must do the same to the physical world; the media, governments, and lawmakers in order to survive the next decade. Let's get started.

Nicholas J. Percoco (@c7five) has more than 16 years of information security experience and leads SpiderLabs at Trustwave. Prior to joining Trustwave, Percoco ran security consulting practices at VeriSign, and Internet Security Systems. As a speaker, he has provided unique insight around security breaches, malware, mobile security and InfoSec trends to public (Black Hat, DEFCON, SecTor, You Sh0t the Sheriff, OWASP) and private audiences (including DHS, US-CERT, Interpol, United States Secret Service) throughout North America, South America, Europe, and Asia. Percoco and his research have been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR, Gizmodo, Fast Company, Financial Times and The Wall Street Journal.

Joshua Corman (@joshcorman) is the Director of Security Intelligence for Akamai Technologies and has more than a decade of experience with security and networking software. Most recently he served as Research Director for Enterprise Security at The 451 Group following his time as Principal Security Strategist for IBM Internet Security Systems. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting incentives. Mr. Corman is a candid and highly-coveted speaker with engagements at leading industry events such as RSA, DEFCON, Interop, ISACA, and SANS. As a staunch advocate for CISOs, Corman also serves as a Fellow with the Ponemon Institute, on the Faculty for IANS, and co-founded Rugged Software – a value-based initiative to raise awareness and usher in an era of secure digital infrastructure. His passion for challenging the status quo won him the title of Top Influencer of IT by NetworkWorld magazine in 2009. Corman received his bachelor’s degree in philosophy, graduating Phi Beta Kappa and summa cum laude, from the University of New Hampshire. He resides with his wife and two daughters in New Hampshire.

ACL Steganography - Permissions to Hide Your Porn

Everyone's heard the claim: Security through obscurity is no security at all. Challenging this claim is the entire field of steganography itself - the art of hiding things in plain sight. Most people know you can hide a text file inside a photograph, or embed a photograph inside an MP3. But how does this work under the hood? What's new in the stego field?

This talk will explore how various techniques employed by older steganographic tools work and will discuss a new technique developed by the speaker which embodies both data hiding and data enciphering properties by encoding data inside NTFS volumes. A new tool will be released during this talk that will allow attendees to both encode and decode data with this new scheme.

Michael Perklin (@mperklin) is currently employed as a Senior Investigator within the Corporate Investigations department of an Enterprise class telecommunications firm. Throughout his career he has performed digital-forensic examinations on over a thousand devices and has processed petabytes of information for electronic discovery. Michael has spoken at security conferences internationally about a variety of topics including digital forensics, computer security, data hiding, and anti-forensics. Michael holds numerous security-related degrees, diplomas and certifications, is a member of the High Technology Crime Investigations Association, and is an avid information security nut who loves learning about new ways to break things.

Doing Bad Things to 'Good' Security Appliances

The problem with security appliances is verifying that they are as good as the marketing has led you to believe. You need to spend lots of money to buy a unit, or figure out how to obtain it another way; we chose eBay. We now have a hardened, encrypted, AES 256 tape storage unit and a mission: break it every way possible! We're going to dive into the finer points of the pain required to actually evaluate and disassemble a hardened security appliance. We'll be delving into such fun topics as epoxy melting, de-soldering, ROM chip reading, FPGA configuration recreation, Verilog decoding, recovering the various key strands that keep the device/data secure, and any other topics we end up straying into.

Phorkus (Mark Carey) (@PeakSec) is a professional Security Engineer with over 18 years of experience in the areas of Information Technology, Rapid Development Lifecycle, Long Term Development Lifecycle, Computer Security, and Research/Development Innovation. He is a partner in Peak Security Inc, where he serves as a Principal Security Consultant and Chief Scientist. Mark has developed many security tools used throughout the corporate and government sectors. Mark has co-authored Network Auditing with Nessus (second edition), and has published internal white-papers for many government agencies.

Evilrob (Rob Bathurst) is a Security and Network Engineer with over 12 years of experience with large multi-national network architecture and security engineering. His focus is on network security architecture, tool development, and high-assurance device reverse engineering. Rob has published multiple internal corporate and government whitepapers across multiple security domains, written a book on Hacking OS X, and is currently working on his Master's Degree at the University of Oxford.

Let's screw with nmap

Differences in packet headers allow tools like nmap to fingerprint operating systems. My new approach to packet normalization removes these header differences. Starting TTL, TCP Options used, and TCP Option order, after normalization, are the same from one packet to the next no matter which operating system sends it. If we normalized the packets transiting our network, could we keep nmap, and tools like it from remotely fingerprinting hosts? It turns out that we can, and we can for most hosts on our network.

The proof of concept that I developed (idguard) does just that. A Linux Kernel module, it will be installed as part of the embedded firmware of a Linux-based router, and placed on the local network. Idguard will then give all the packets flowing through the router the same starting TTL, the same selection of TCP options, and the same TCP option order, causing nmap to fail in its attempt to fingerprint hosts on the network.

In this session, we'll review packet normalization techniques and how they can be applied to the traffic flowing through our switches to make hosts that they support resistant to fingerprinting, even by nmap. We’ll walk through the process from start to finish, from the selection and design of the transformations (some old, some new), to the development of the proof of concept, and finally to the demonstration of idguard itself on a RouterBoard model RB450 router. Followed up by a discussion of the issues involved, the challenges to overcome, and the obstacles to deploying this in a production environment.

While ultimately something for the network switch, idguard is suitable for any Linux based router capable of loading and using kernel modules, and will be available for you to take home when we are done so that you can try it for yourself. It uses the packet normalization techniques that I developed, and it is more than enough to show you that while it is not currently an existing feature of switches like DHCP and IGMP snooping, it should be.

Gregory Pickett CISSP, GCIA, GPEN, is an Intrusion Analyst for Fortune 100 companies by day and a penetration tester for Hellfire Security by night. As a penetration tester, his primary areas of focus and occasional research are network and host penetration testing with an interest in using background network traffic to target and exploit network hosts using their own traffic against them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.

Defending Networks with Incomplete Information: A Machine Learning Approach

Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attacks detection technologies, our top security practitioners can only do so much in a 24 hour day. Even less, if you let them eat and sleep. On the other hand, there is a severe shortage of capable people to do "simple" security monitoring effectively, let alone complex incident detection and response.

Enter the use of Machine Learning as a way to automatically prioritize and classify potential events and attacks as something that could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst.

In this presentation we will present publicly for the first time an actual implementation of those concepts, in the form of a free-to-use web service. It leverages OSINT and knowledge about the spatial distribution of the Internet to generate a fluid and constantly updated classifier that pinpoints areas of interest on submitted network traffic logs.

Alexandre Pinto (@alexcpsec) has over 13 years dedicated to information security solutions architecture, strategy advisory and monitoring. He has experience with a great range of security products, and has even been known to do pen-testing from time to time. Alex holds the CISSP-ISSAP, CISA, CISM, CREST CCT APP and PMP certifications. And somehow he is still a nice guy. He was also a PCI QSA for 5+ years, but is almost fully recovered.

Over the last 3 years, Alex has been responsible for kickstarting his previous company's offices in 2 different countries, mainly because he is able to perform competently on a very deep technical level on all the company services, from risk auditing (*sigh*) to network and web application penetration testing.

For the past year, as a part of his sabbatical, he has been researching and exploring the applications of Machine Learning and Predictive Analytics to Information Security Data, especially in supporting the mess that we currently face in trying to make sense of day to day usage of SIEM solutions as a whole.

We are Legion: Pentesting with an Army of Low-power Low-cost Devices

This talk will show attendees how they can do penetration testing with a network of small, battery-powered, penetration testing systems. The small devices discussed will be running a version of The Deck, a full-featured penetration testing and forensics Linux distro. The Deck runs on the BeagleBoard and BeagleBone family of devices (including the next-gen BeagleBone released in April aka the Raspberry Pi killer). These devices are easily hidden and can run for days to weeks off of battery power thanks to their low power consumption. Various configurations will be presented including a device the size of a deck of cards that is easily attached to the back of a computer which is powered by USB and can be connected inline with the computer's Ethernet connection. While each device running The Deck is a full-featured penetration testing platform, connecting systems together via 802.15.4 networking allows even more power and flexibility. Devices may be constructed for $70-$200 each depending on configuration with the typical device costing less than $100. Devices may be located up to 1 mile from each other and from the command console which could also be running The Deck or any other version of Linux. A powerful pentesting army is easily built for much less than the cost of an Apple MacBook Pro.

Philip Polstra (@ppolstra) was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since.

Phil currently works as an Associate Professor and Hacker in Residence at a private Midwestern university. He teaches computer security and forensics.

His current research focus involves use of microcontrollers and small embedded computers for forensics and pentesting. Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs and degrees one might expect for someone in his position.

Phil is also an accomplished aviator with several thousand hours of flight time. He holds 12 ratings including instructor, commercial pilot, mechanic, inspector, and avionics tech. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes.

Over the last few years Phil has spoken on various USB-related topics at a number of conferences such as 44Con, NetSecure, ForenSecure, MakerFaire Detroit, THOTCON, GrrCON, DEF CON, and Black Hat.

He has developed a number of cheap, fun, and useful devices for infosec and forensics professionals.

Hacker Law School

In the past year, several high-profile prosecutions of hackers have underscored the need for legal education in our community. This workshop will provide you with the fundamentals of Intellectual Property, Criminal Law, and Criminal Procedure that you need to protect yourself. Learn where the grey areas of law are that increase your risk. This session will also enable you to better understand the deeper in-depth legal talks provided on the other days of DefCon. Hacker Law School -- We Went to Law School so You Don't Have to.

Jim Rennie is an attorney who currently specializes in advising online business about both US and international online consumer privacy law. He also handles other general counsel duties such as contract negotiations and trademark registrations. Previously, he was a public defender in Las Vegas. Many years ago he was a software developer when he attended his first DefCon.

Marcia Hofmann is an attorney who litigates, writes, and speaks about computer crime and security, electronic privacy, freedom of expression, and copyright. She recently launched a boutique law practice focusing on these issues, and is part of Andrew Auernheimer's appellate defense team on appeal. She is also a fellow at the Electronic Frontier Foundation and Stanford Law School Center for Internet and Society, and an adjunct professor at the University of California Hastings College of the Law.

Defense by numbers: Making problems for script kiddies and scanner monkeys

On the surface most common browsers look the same, function the same, and deliver web content to the user in a relatively uniform fashion. Under the shiny surface however, the way specific user agents handle traffic varies in a number of interesting and unique ways. This variation allows for defenders to play games with attackers and scripted attacks in a way that most normal users will never even see.

This talk will attempt to show that differences in how different user agents handle web server responses (specifically status codes) can be used to improve the defensive posture of modern web applications while causing headaches for the average script kiddy or scanner monkey!

Chris John Riley (@ChrisJohnRiley) is a senior penetration tester and part-time security researcher working in the Austrian financial sector. With over 15 years experience in various aspects of Information Technology, Chris now focuses full time on Information Security.

Chris is one of the founders of the PTES (Penetration Testing Execution Standard), regular conference attendee and avid blogger, as well as being a regular contributor to the Metasploit project and generally getting in trouble in some way or another.

When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast.

De-Anonymizing Alt.Anonymous.Messages

In recent years, new encryption programs like Tor, RedPhone, TextSecure, Cryptocat, and others have taken the spotlight - but the old guard of remailers and shared inboxes are still around. Alt.Anonymous.Messages is a stream of thousands of anonymous, encrypted messages, seemingly opaque to investigators.  For the truly paranoid, there is no communication system that has better anonymity - providing features and resisting traffic analysis in ways that Tor does not.  Or so is believed.  After collecting as many back messages as possible and archiving new postings daily for four years, several types of analysis on the contents of alt.anonymous.messages will be presented and several ways to break sender and receiver anonymity explained.  Messages will be directly and statistically correlated, communication graphs drawn, and we'll talk about what challenges the next generation of remailers and nymservs face, and how they should be designed.

Tom Ritter is interested in nearly all aspects of cryptography, privacy, anonymity, and pseudonymity. He contributes to and tries to explain the difference between Onion Routing and Mixing to as many people as he can. He is located corporeally in New York City, virtually at, and meta-physically has been lost for quite some time.

Forensic Fails - Shift + Delete won't help you here

Forensic fails illustrates the rather comedic attempts at "anti-forensics" by inept computer users trying to hide their tracks. We will recount real-life stories about folks whose level of hacker-mojo might aspire to 1337 status but fall a little short. This talk covers why and how these fails happened and illustrates the forensic artifacts and the techniques used to analyze them.

Eric Robi (@ericrobi) is the founder of Elluma Discovery. He has been conducting forensic exams for 11 years and has served as a computer expert witness in Federal and State courts in matters involving computer hacking, trade secrets, murder, database forensics, email forgery, and electronic discovery. He has performed forensic examinations in many hundreds of cases.

Eric has spoken multiple times at forensics conferences including CEIC and The Cybercrime summit. He holds a CCE certification among other things and is an active participant in the EDRM (Electronic Discovery Reference Model) and helped publish a model for reducing risk of confidential and private information dissemination.

Michael Perklin is currently employed as a Senior Investigator within the Corporate Investigations department of an Enterprise class telecommunications firm. Throughout his career he has performed digital-forensic examinations on over a thousand devices and has processed petabytes of information for electronic discovery. Michael has spoken at security conferences internationally about a variety of topics including digital forensics, computer security, data hiding, and anti-forensics. Michael holds numerous security-related degrees, diplomas and certifications, is a member of the High Technology Crime Investigations Association, and is an avid information security nut who loves learning about new ways to break things.

The dawn of Web 3.0: website mapping and vulnerability scanning in 3D, just like you saw in the movies

Remember that scene in Hackers where Jonny Lee Miller and Angelina Jolie get a bunch of hackers to attack Fisher Stevens' network through vulnerabilities that they find while flying (literally) through Fisher's network? Even though it had no basis in reality at the time, it was still pretty awesome. This presentation will be like that, except real.

This highly demo-focused presentation will unleash the next generation of web application visualization and security flaw detection. Created as part of DARPA's Cyber Fast Track, we have developed a completely awesome way of visualizing, in 3D, how massive numbers of web applications across the Internet are interconnected. This visualization engine provides a simple yet beautiful view of web applications and their vast, sprawling interconnections, all the while incorporating web application vulnerabilities into the visual metadata.

Teal Rogers is a dedicated maker and software designer who has been advancing existing products through innovative new interfaces for years. Between being a brilliant imagineer, rogue inventor, warrior-poet, master of surprise, and student of the arcane he has managed to design and sell the highest quality laser gloves on the market. More recently, he has been inexorably drawn to the nascent power of the 3rd dimension.

Alejandro Caceres is a computer network operations engineer focused on network offense software development and web application penetration testing and security. He is particularly interested in using distributed computing and offensive security principles to create cool/new/revolutionary open source and free applications with a global impact.

Building an Android IDS on Network Level

Being popular is not always a good thing and here's why. As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Nowadays, several behavior-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices. We'll show how we built a new detection framework that will be the first open source Android IDS on network level.

This open source network-based intrusion detection system and network-based intrusion protection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks, featuring: Protocol analysis, Content searching and Content matching.

In IDS/IPS mode, the program will monitor network traffic and analyze it against a rule set defined by the user, and then perform a specific action based on what has been identified. With the help of custom-built signatures, the framework can also be used to detect probes or attacks designed for mobile devices, fool and cheat operating system fingerprinting attempts (like nmap or p0f), server message block probes, etc.

Jaime Sanchez (@segofensiva) is passionate about computer security. He has worked for over 13 years as a specialist advisor for large national and international companies. As a specialist advisor, he focuses on different aspects of security such as consulting, auditing, training and ethical hacking techniques. He works in the Security Operations Center (SOC) of a multinational telecommunications company offering managed security services for IBEX35 companies. He has a Computer Engineering degree and has completed an Executive MBA (Master in Business Administration). In addition, he holds several certifications: CISA, CISM, CISSP, CCNA, CCNA SECURITY, and ITIL, just to name a few.

In his free time, he conducts research on security and works as an independent consultant. He has spoken at renowned security conferences nationally and internationally, introducing new bugs and exploitation techniques and mitigation, as in RootedCON in Spain, and Nuit du Hack in Paris. In the coming months, he will be presenting at Blackhat Arsenal USA 2013, Defcon XXI, DerbyCON or Hacktivity.

Jaime is a frequent contributor to several technical magazines involved with state-of-the-art attack and defense mechanisms, network security and general ethical hacking techniques. He also writes a blog called "Seguridad Ofensiva" touching on current topics in the field of hacking and security.

Safety of the Tor network: a look at network diversity, relay operators, and malicious relays

Rumor has it that the Tor network is a CIA honeypot, that all relays are malicious, and that only bad people use Tor to do bad things online. How much of this is true? How much can we say about the safety of the network?

The safety of the Tor network has been a much discussed topic ever since the onion routing network was deployed in September 2002. This talk aims to answer the following questions: (1) How much diversity does the network really have?, (2) Who runs the relays in the Tor network?, and (3) What is being done about malicious relays?

Runa A. Sandvik (@runasand) is a developer for the Tor Project. Her work for the Tor Project includes forensic analysis of the Tor Browser Bundle and QA testing of new releases, as well as project management, user support, frequent traveling, and training. Runa has worked for the Tor Project since 2009 and has given talks to a number of different audiences, including activists, law enforcement, and university students.

The Dark Arts of OSINT

The proliferation and availability of public information has increased with the evolution of its dissemination. With the constant creation of digital document archives and the migration towards a paperless society, vast databases of information are continuously being generated. Collectively, these publicly available databases contain enough specific information to pose certain vulnerabilities. The actionable intelligence ascertained from these data sources is known as Open Source Intelligence (OSINT).

Numerous search techniques and applications exist to harvest data for OSINT purposes. Advanced operator use, social network searches, geospatial data aggregation, network traffic graphs, image specific searches, metadata extractors, and government databases, provide a wealth of useful data. Furthermore, applications such as FOCA, Maltego, and SearchDiggity, in addition to custom site API integration, yield powerful search queries with organized results.

Fluency in OSINT methodologies is essential for effective online reconnaissance, although a true mastery requires further mathematical investigation. The use of statistical correlation can often reveal hidden data relationships. Linkage attacks, inferential analysis, and deductive disclosure can exploit improperly sanitized data sets. These techniques can ultimately lead to data re-identification and de-anonymization, thus exposing personal information for exploitation. We will demonstrate our mathematical algorithm for data identification by attacking publicly available anonymized datasets and revealing hidden personal information.

Noah Schiffman An IT industry veteran, with 20+ years of experience, Dr. Noah Schiffman is a former black-hat hacker turned security consultant. He spent almost a decade as a career computer hacker, performing penetration testing, social engineering, corporate espionage, digital surveillance, and other ethically questionable projects. Subsequently, he worked as a security consultant, teaching network defense, giving talks, and writing about information security. His past clients have consisted of Fortune 500 companies and various government agencies. For the past several years, his R&D efforts in the commercial and defense sectors have covered areas of data analysis and pattern recognition for security applications.

SkyDog (@skydogcon) With 20+ years of experience in network security and computer science, Skydog possesses a unique skillset of technological diversity and depth. His accomplishments range from the design and support of enterprise level system architectures, to developing custom security products and solutions. As an industry leader in the hacker community, his expertise in vulnerability assessment and exploitation, provide him with valuable insight for developing security strategies. He is responsible for establishing and running several Information Security conferences, including Outerz0ne and SkyDogCon. Working for Vanderbilt University, he spends his time researching security, performing data recovery services, and managing 100+ terabytes of storage.

How my Botnet Purchased Millions of Dollars in Cars and Defeated the Russian Hackers

This is the true story of a botnet that created a competitive advantage for a car dealership. This dealership found a website that offered returned lease vehicles—great cars for their inventory—but bad web design and heavy competition from other automotive dealerships made the website useless. In response, a botnet was developed to make automotive purchases with machine precision. With the bot, they could acquire any cars they wanted, without interference from competing dealerships. During its one-year life, this botnet autonomously acquired many millions of dollars in cars. Along the way, it successfully adjusted to competition from a similar bot developed by Russian hackers while maintaining a sufficiently low profile to “stay below the radar” of everyone involved.

Michael Schrenk (@mgschrenk) is a Las Vegas based webbot developer, online entrepreneur and writer, who has developed commercial botnets and webbots since 1995. He is the author of “Webbots, Spiders, and Screen Scrapers, 2nd Edition” (2012, No Starch Press, San Francisco). Mike has presented talks at DEF CON 10, 11, 15 and 17 and wrote about DEF CON 5 for Computer World Magazine.

Examining the Bitsquatting Attack Surface

Bit errors in computer memory, when they occur in a stored domain name, can cause Internet traffic to be directed to the wrong Internet location, potentially compromising security. Registering a domain name that is one bit different from a target domain is called "bitsquatting". This presentation builds on previous work in this area presented by Artem Dinaburg at Blackhat 2011. Cisco's research into bitsquatting has revealed several previously unknown vectors for bitsquatting. Cisco has also discovered several new mitigations which do not involve installation of error correcting memory, nor the mass registration of bitsquat domains. In fact some of the new mitigations have the potential to relegate the problem of bitsquatting to the dustbin of history.

Jaeson Schultz (@jaesonschultz) is a Threat Research Engineer for Cisco's Threat Research and Communications (TRAC) Team. Cisco's TRAC team is dedicated to advancing the state-of-the-art of threat defense and enhancing the value of Cisco's security products. Jaeson has over 20 years' experience in Information Security, working previously for companies such as Counterpane, Brightmail, and IronPort. Jaeson's computer experience ranges from hardware hacking, to log analysis and security policy recommendation, to thwarting misuse of Internet application layer protocols like DNS, HTTP, and SMTP. Prior to working in Information Security, Jaeson studied Computer Science at the University of Nevada at Las Vegas. Jaeson also currently holds an Amateur Extra radio license from the FCC under the call sign K8YJO.

Hacking Wireless Networks of the Future: Security in Cognitive Radio Networks

M2M, IoT, whatever buzzword you want to use, telecoms are predicting and preparing for a huge increase in embedded, connected devices within the next 10 years and predict spectrum utilization will increase even faster in the next 5 years. One of the ways this growth will be addressed is with cognitive radio networks. This talk will discuss the new kinds of security issues that are faced by these networks, particularly TV Whitespace. It will NOT presuppose knowledge of RF engineering and will work up from the basics of what cognitive radio is to the security challenges it faces, many of which are not yet solved. It will also release a new hardware platform for building and breaking cognitive radio networks.

Hunter Scott is a computer engineer who can't not build things. His work is in robotics, embedded systems, and lately, RF engineering. He recently discovered that working at a startup is really fun.

Making Of The DEF CON Documentary

Early in 2012, to commemorate the 20th year of the conference, Jason Scott was asked if he would be interested in filming a documentary about DEF CON, whose policies and attendees have traditionally rejected media scrutiny and access. He was interested. Working with his producer, Rachel Lovinger, and a crew of six, Jason filmed for most of 2012, including five 20-hour days in Las Vegas last year, and then spent another 9 months editing 278 hours of footage into what has become DEF CON: The Documentary. The finished film will premiere at DEF CON XXI. Jason and Rachel will provide a look behind the scenes: discussing the planning and production process for this immense project, the ups and downs, and the learned lessons. Plus, we'll show some of the stranger footage you won't get to see in the final film.

Jason Scott (@textfiles) is a historian, archivist, activist and documentary filmmaker who has made two films before DEF CON, called BBS and GET LAMP. He has spoken at DEF CON a dozen times and it gets harder every. Single. Time.

Rachel Lovinger (@rlovinger) is a content strategist, movie buff, and documentary geek. She's been involved in a variety of film projects, but none of them compared to the intense shooting schedule of "The DEFCON Documentary." Having known Jason Scott for 25 years and having been to DEFCON several times, she somehow still agreed to help produce this film.

All Your RFz Are Belong to Me - Hacking the Wireless World with Software Defined Radio

Ever wondered what traffic is flowing through the many satellites in orbit above you? Have you wanted to intercept RADAR signals from air traffic control and visualise your local airspace in real-time on a 3D map? While you're at it, check how many faults have been reported by the next plane you'll be travelling on (e.g. do the toilets work?). How about tracking down the source of a clandestine radio transmission that is interfering with your favourite channel, or probing the signals on your cable modem connection? If you have ever wanted to reverse engineer such systems, this is for you!

I will show how to analyse and hack RF communications systems using open source software and cheap radio hardware. The focus will be on how to use Software Defined Radio to create: a digital satellite demodulator for blind signal analysis, a souped-up Mode S aviation transponder/ACARS receiver with an Internet-enabled smooth-streaming Google Earth front-end, and a Radio Direction Finder.

Balint Seeber (@spenchdotnet) A software engineer by training, Balint is a perpetual hacker, and the guy behind His passion is extracting interesting information from lesser-known data sources and visualising them in novel ways. Lately, he has become obsessed with Software Defined Radio and all that can be decoded from the ether. When not receiving electromagnetic radiation, he likes to develop interactive web apps for presenting spatial data. Originally from Australia, he moved to the United States in 2012 to pursue his love of SDR.

A Password is Not Enough: Why disk encryption is broken and how we might fix it

Since the publication of the cold boot attack on software disk encryption 5 years ago, there has been little progress on developing countermeasures and implementing defenses in the disk encryption technologies already in wide use. Furthermore, many users of full disk encryption have physical security habits that fall outside the security models of disk encryption software and thus are more vulnerable than they realize. After examining a set of effective, easily executable attacks on off-the-shelf disk encryption, and contextualizing them in x86 system architecture, we examine recent research on means of mitigating these attacks. By integrating AES new instructions, x86 debugging registers, encrypted RAM, IOMMU, and the TPM into a combined encryption system, the difficulty of executing a successful attack is raised significantly. We will examine the construction of this system in detail, and, at a higher level, the role of full disk encryption in assuring meaningful security in the face of physical access. Source to an experimental version of the system will be made available.

Daniel Selifonov has consulted for a handful of research oriented startups since 2007, and built systems for information technology where security was considered throughout design and implementation, rather than as an afterthought. His research interests in security include reverse engineering, applied cryptography, client side security, and user acceptable information system design. He believes that businesses, no matter the size, should have the tools to defend themselves without getting in the way of core operations, and that existing tools and building blocks require too much expert input to implement correctly.

EMET 4.0 PKI Mitigation

Microsoft EMET is a free Mitigation tool. In addition to its memory corruption exploit mitigations, a newly introduced feature is the PKI mitigation. This mitigation implements x509 certificate pinning to prevent usage of forged certificates in HTTPS sessions in the web browser. This talk is technical as it demos EMET in action and explains how the PKI mitigation works.

Neil Sikka (@neilsikka) is a computer security enthusiast and researcher. He works at Microsoft on MSRC (Microsoft Security Response Center) as a Software Security Engineer where he analyzes 0day exploits and other security vulnerabilities in any Microsoft software, and develops security tools such as EMET. In addition to his security research at work, he also likes to do security research in his free time at home on nights and weekends. He has a technical blog where he posts his security research (

DragonLady: An Investigation of SMS Fraud Operations in Russia

One of the top types of Android malware are trojans that claim to provide a useful service, but instead send SMS messages to premium shortcodes, charging the victims and putting money directly into the attackers’ hands. We’ve seen a steady increase in this type of malware over the past years, and recently we’ve seen an increase in sophistication of obfuscation and distribution techniques as well. By investigating certain families of malware over time, we’ve seen encryption, code level obfuscation, on-demand build systems, and weekly code release cycles become more common. It became clear that there was significant organization and investment of both time and money behind several of these malware families, so we began following leads to find out how far the rabbit hole goes.

This presentation will show key findings and methods of this investigation into top Android malware distributors operating in Russia and the surrounding region. The investigation includes the discovery of tens of thousands of bot-controlled Twitter accounts spreading links to this type of SMS fraud malware, tracing distribution through thousands of domains and custom websites, and the identification of multiple “affiliate web traffic monetization” websites based in Russia which provide custom Android SMS fraud malware packaging for their “affiliates”. During this investigation we have mapped out an entire ecosystem of actors, each providing their own tool or trade to help this underground community thrive.

Come out to this talk to find out just how much effort and manpower is invested in defrauding Android users through this type of SMS trojan malware, and the types of organizations that are behind it.

Ryan W. Smith (@ryanwsmith13) is a Senior Research and Response Engineer at Lookout, and has been actively making and breaking software systems for the past 11 years. With a tendency to jump into anything sufficiently interesting and challenging, his projects range from automated x86 reverse engineering to large scale network attack graph analytics. As a chronic community contributor, Ryan may have been seen speaking at any number of Honeynet Project, OWASP, AHA, or UT COMSOC events.

Tim Strazzere is a Lead Research and Response Engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include reversing the Android Market protocol, Dalvik decompilers and memory manipulation on mobile devices.

BYO-Disaster and Why Corporate Wireless Security Still Sucks

Right when you thought this topic had been beaten to death, something new emerges. This horse isn’t dead yet! This talk will focus on a completely new vulnerability in the way some devices handle MsChapV2 and present some newer methods for capturing clear text credentials easily and without heavy processing power. We will walk you through a full attack against WPA2 enterprise networks using a special patched version of radius that makes this all possible. But wait, there’s more! Act now, by coming to the talk, and you’ll receive access to new automation tools to do a lot of the work for you. If you’re lazy like us and would like access to credentials without a math degree this talk is for you!

James Snodgrass enjoys pumping iron and flattening hats. His greatest aspiration in life is leveling his Ford truck and finding that next tight t-shirt.

Josh Hoover (@wishbone1138) has spent over a decade in computer security, focused on digital forensics and penetration testing. He has been attending DEF CON for 14 years but this is the first time he has ever spoken at one.

Evolving Exploits Through Genetic Algorithms

This talk will discuss the next logical step from dumb fuzzing to breeding exploits via machine learning & evolution. Using genetic algorithms, this talk will take simple SQL exploits and breed them into precision tactical weapons. Stop looking at SQL error messages and carefully crafting injections, let genetic algorithms take over and create lethal exploits to PWN sites for you!

soen (@soen_vanned) is a reverse engineer and exploit developer for the hacking team V&. As a member of the team, he has participated in and won Open Capture the Flag DC 16, 18, and 19. Soen also participated in the DDTEK competition in DEF CON 20.

Backdoors, Government Hacking and The Next Crypto Wars

The FBI claims it is going dark. Encryption technologies have finally been deployed by software companies, and critically, enabled by default, such that emails are flowing over HTTPS, and disk encryption is now frequently used. Friendly telcos, who were once a one-stop-shop for surveillance can no longer meet the needs of our government. What can the FBI and other agencies do to preserve their spying capabilities?

Part of the answer is backdoors: The FBI is rallying political support in Washington, DC for legislation that will give it the ability to fine Internet companies unwilling to build surveillance backdoors into their products. Even though interception systems prove to be irresistible targets for nation states, the FBI and its allies want to make our networks less secure, not more.

The other solution embraced by the FBI is hacking, by the government, against its citizens. A team of FBI agents and contractors, based in Quantico, Virginia have developed (and acquired) the capabilities to hack into systems, deliver malware capable of surreptitiously enabling a computer's webcam, collecting real-time location data, as well as exfiltrating emails, web browsing records and other documents.

While politicians are clearly scared about hacks from China, our own law enforcement agencies are clearly in the hacking business. What does this mean for the current, heated debate about cybersecurity and our ability to communicate security?

Christopher Soghoian (@csoghoian) is a privacy researcher and activist, working at the intersection of technology, law and policy. He is the Principal Technologist with the Speech, Privacy and Technology Project at the American Civil Liberties Union.

Soghoian completed his Ph.D. at Indiana University in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers. In order to gather data, he has made extensive use of the Freedom of Information Act, sued the Department of Justice and used several other investigative research methods. His research has appeared in publications including the Berkeley Technology Law Journal and been cited by several federal courts, including the 9th Circuit Court of Appeals.

Between 2009 and 2010, he was the first ever in-house technologist at the Federal Trade Commission (FTC)'s Division of Privacy and Identity Protection, where he worked on investigations of Facebook, Twitter, MySpace and Netflix.

How to Hack Your Mini Cooper: Reverse Engineering Controller Area Network (CAN) Messages on Passenger Automobiles

This presentation introduces the underlying protocols on automobile communication system networks of passenger vehicles and evaluates their security. Although reliable for communication, vehicle protocols lack inherent security measures. This work focuses strongly on controller area networks (CANs) and the lack of authentication and validation of CAN messages. Current data security methods for CAN networks rely on the use of proprietary CAN message IDs along with physical boundaries between the CAN bus and the outside world. As we all know, security through obscurity is not true security. These message IDs can be reverse engineered and spoofed to yield a variety of results. This talk discusses methods for reverse engineering proprietary CAN messages. These reverse engineered messages are then injected onto the CAN bus of a 2003 Mini Cooper with the help of cheap Arduino hardware hacking. Additionally, a proof of concept will be demonstrated on how to build your own rogue CAN node to take over a CAN network and potentially manipulate critical components of a vehicle. The proof of concept demonstrates taking full control of the instrument cluster using the reverse engineering methods presented.

Jason Staggs is currently a graduate student in computer science and a security research assistant at the Institute for Information Security (iSec) at The University of Tulsa. He also is involved with The University of Tulsa's Crash Reconstruction Research Consortium (TU-CRRC) where he occasionally gets to hack and wreck a variety of vehicles. Before attending graduate school, Jason worked as a cyber-security analyst for a leading information security firm, True Digital Security in Tulsa, OK. Jason holds a Bachelor's degree in Information Assurance and Forensics from Oklahoma State University along with several industry certifications. His research interests include network intrusion detection systems, digital forensics, critical infrastructure protection, and reverse engineering.

An Open Letter - The White Hat's Dilemma: Professional Ethics in the Age of Swartz, PRISM and Stuxnet

The information security world is constantly buffeted by the struggle between whitehats, blackhats, antisec, greenhats, anarchists, statists and dozens of other self-identified interest groups. While much of this internecine conflict is easily dismissed as "InfoSec Drama", the noise of interpersonal grudges often obscures a legitimate and important debate: what is the definition of "security" and to whom do we provide it?

The last several years have made this external argument and internal ethical debate much more difficult to individuals gainfully employed in InfoSec, thanks to politically motivated prosecutions, domestic surveillance by democratic societies, and even the direct targeting of large companies by their home nations. What rules should guide us in deciding what jobs to take, what services to provide, and our actions in the public sphere?

This talk does not have the answers, but hopefully can help the overall community ask the right questions. We will begin with the speaker's personal experience working for Aaron Swartz's defense and on several high-profile civil cases. We will then discuss recent events in offensive cyber-warfare and the new dilemmas this poses for defenders. Finally, the speaker will present one possible framework for ethical decision making in such a complicated time, and will unveil an effort to effect change in the White Hat community.

Alex Stamos is a co-founder and CTO of iSEC Partners. While helping to build iSEC into an industry leader, Alex has been focused on helping his clients address their most difficult security challenges. He has worked to secure mobile platforms, cloud computing infrastructures and other emerging technologies while pushing forward the industry's understanding of how to build trustworthy systems in these new computing paradigms. He is a frequent speaker at conferences such as BlackHat, FS-ISAC, the Critical Infrastructure Protection Congress, Infragard, CanSecWest and Interop. Before forming iSEC, Alex was a Managing Security Consultant at @stake and had operational security responsibility at Loudcloud. He received a BSEE from the University of California, Berkeley.

Collaborative Penetration Testing With Lair

Lair is an open-source project developed for and by pentesters. Built on Meteor and Node.js with a dash of Python, Lair is a web application that normalizes, centralizes, and manages diverse test data from a number of common tools including Nmap, Nessus, Nexpose, and Burp. Unlike existing alternatives, Lair encourages team-based collaboration by automatically pushing updates to team members in real time. Paired with its workflow and documentation management, Lair offers a single solution for performing a detailed, thorough penetration test individually or as a team in a manner that has not been done before.

Tom Steele (@_tomsteele) hails from Seattle, Washington, where he works as a Security Consultant at FishNet Security. The dynamic nature of his current role allows him to touch many areas of the offensive security spectrum. When not working he can be found gaming and creating tools to solve complex problems.

Dan Kottmann As a consultant in FishNet Security's security assessment practice, Dan performs social engineering and network and wireless penetration tests. Dan has roughly nine years of consulting experience and five years of professional experience in the security industry.

DNS May Be Hazardous to Your Health

The largest manufacturer of laptops, one of the largest consulting firms, and a big data behemoth all walk into a bar...

His research explores many self-inflicted gaps that continue to plague even the largest companies. These gaps are often seen as trivial and ignored, thus making all of their DNS investments lead to a false sense of security. Too much effort and trust go into vendor solutions when 'common sense' and 'due diligence' were never deliverables requested in the RFP. Before we invest in securing our domains, it may be wise to ensure we own them. Before we harden our resolvers to prevent poisoning, maybe we should ensure our clients are querying what is expected. Before we make operational decisions about how client resolver settings should be configured, maybe we should consider the consequences to DNS behavior. Before we call DNS secure, maybe we should understand what it is doing.

Robert Stucke (@bobx) has 14 years of professional experience in information security. He has led security consulting teams, worked with multiple Fortune 50 clients, served as architect, developer, incident responder, and chief antagonist. As an independent researcher, he has developed custom solutions for large clients revolving around DNS intelligence and is constantly looking for new ways to use and abuse the resources many companies tend to neglect. Many of his tools are considered the cornerstone of Fortune 50 security operation centers for detecting and mitigating advanced targeted attacks.

Predicting Susceptibility to Social Bots on Twitter

Are some Twitter users more naturally predisposed to interacting with social bots and can social bot creators exploit this knowledge to increase the odds of getting a response?

Social bots are growing more intelligent, moving beyond simple reposts of boilerplate ad content to attempt to engage with users and then exploit this trust to promote a product or agenda. While much research has focused on how to identify such bots in the process of spam detection, less research has looked at the other side of the question—detecting users likely to be fooled by bots.

This talk provides a summary of research and developments in the social bots arms race before sharing results of our experiment examining user susceptibility.

We find that a user's Klout score, friends count, and followers count are most predictive of whether a user will interact with a bot, and that the Random Forest algorithm produces the best classifier, when used in conjunction with appropriate feature ranking algorithms. With this knowledge, social bot creators could significantly reduce the chance of targeting users who are unlikely to interact.

Users displaying higher levels of extroversion were more likely to interact with our social bots. This may have implications for eLearning based awareness training as users higher in extraversion have been shown to perform better when they have greater control of the learning environment.

Overall, these results show promise for helping understand which users are most vulnerable to social bots.

Chris Sumner (@thesuggmeister) is a co-founder of the not-for-profit Online Privacy Foundation who actively participate in and contribute to the emerging discipline of Social Media Behavioral Residue research. Chris has previously spoken on this area of research at conferences including BlackHat, DEF CON, 44CON, the European Conference on Personality and the International Conference on Machine Learning and Applications.

Randall Wald is a postdoctoral researcher investigating data mining and machine learning at Florida Atlantic University. Following his BS in Biology from the California Institute of Technology, Randall chose to shift his focus to computer science, applying his domain knowledge towards bioinformatics and building models to predict disease. He also studies machine learning for other domains, including machine condition monitoring, software engineering, and social networking.

EDS: Exploitation Detection System

In the last several years, exploits have become the strongest weapons in cyber warfare. Exploit developers and vulnerability researchers have now become the nuclear scientists of the digital world. OS Companies and third party companies have created several security mitigation tools to make it harder to use these vulnerabilities and have made exploit creation harder.

In this presentation, I will talk about a new security mitigation tool which is based on the co-operation of several mitigations to cover their weaknesses. It's based on monitoring the memory changes without decreasing the performance of the running application and creates a multi-layer protection with regular mitigations.

Amr Thabet (@Amr_Thabet) a Malware Researcher at Q-CERT with 5+ years experience in reversing malware and researching. I'm the Author of many open-source tools like Pokas Emulator and Security Research and Development Framework (SRDF).

The Government and UFOs: A Historical Analysis by Richard Thieme

This talk is about the ways the many components of governments interact and respond to challenging and anomalous events--highly relevant to hacking by all definitions and at all levels. If you don't know the lay of the land, you cannot engage in appropriate research and reconnaissance, counter-measures, and operations.

The proliferation of reliable reports of unidentified flying objects from the 1940s forward represented just such a challenge. The phenomenon was anomalous, well-documented, and certainly challenging because, as Major General John Samford said, "credible people have seen incredible things."

The UFO History Group includes some of the best researchers in the field. Richard Thieme was privileged to be invited to join the group and their project which resulted, after nearly 5 years of work, in "UFOs and Government: A Historical Inquiry," an outstanding work of historical scholarship that nevertheless reads like a fascinating detective story. In almost 600 pages and with nearly 1000 citations, the work illuminates the response of the government since the early 1940s, how and why policies were set, and how they were executed. The book has been recommended by CHOICE, the primary resource for academic libraries, for inclusion by libraries at all levels because the book stands out as "an exception" in a field filled with speculation (there is virtually none in this book). Other reviews say, "this is the best book about the UFO phenomena that was ever written" and "UFOs and Government is a triumph of sober, conscientious scholarship unlikely to be equaled for years to come."

You have never heard a talk like this – about a subject that has been ridiculed and marginalized intentionally for sixty years as a matter of policy and politics. As Don Quixote said, "insanity is seeing things as they really are." This speech uses UFO phenomena as dye in the arteries of "how things really are."

Richard Thieme (@neuralcowboy) has established a reputation for edgy thinking, the mindset of a hacker, and radical clarity ("insanity is seeing things as they really are," said Don Quixote). Jeff Moss said of him, "His ability to be open minded, conspiratorial, ethical and subversive at the same time is inspiring." Clint Brooks, Asst. Deputy Director of NSA (ret) said, "Thieme takes us to the edge of cliffs we know are there but rarely visit."

He is an author and professional speaker focused on the deeper implications of technology, religion, and science for twenty-first century life. He has published hundreds of articles, dozens of short stories, three books with more coming, and has delivered hundreds of speeches. A novel, FOAM, is in progress and "A Richard Thieme Reader," collecting fiction and non-fiction, interviews and book reviews, will be published in 2013.

Thieme speaks professionally about the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. He has spoken for numerous hacker, security and intel conferences around the world. He recently spent a day at NSA doing a speech, a panel, and a discussion. His column, "Islands in the Clickstream," was distributed to thousands of subscribers in sixty countries before collection as a book in 2004. When a friend at the NSA told him, "The only way you can tell the truth [that we discuss during a decade-long project on intelligence and ethics] is through fiction," he returned to writing short stories, one result of which is "Mind Games," a collection of nineteen stories. Other edgy realities are referenced in the recently published and critically extolled "UFOs and Government: A Historical Inquiry" to which he contributed, a 5-year research project using material from inside the military and intelligence communities to document government responses to the phenomena from WW2 to the present.

BoutiqueKit: Playing WarGames with expensive rootkits and malware

"Theoretical" targeted rootkits need to play by different rules than the common malware that ends up filling our inboxes with spam and attempting to steal our CC numbers... The costs involved of getting popped are huge in comparison, the value is in the secrecy of being truly hidden and embedded for the long term.

I've spent the past year considering what the next level of rootkits would look like and how we can protect ourselves against them. This talk will cover a handful of advanced hiding mechanisms at a technical level. The talk will also touch on legal implications and existing frameworks for expensive advanced threats.

Josh 'm0nk' Thomas (@m0nk_dot) Security researcher, mobile phone geek, mesh networking evangelist and general breaker of things electronic. Typical projects of interest span the hardware / software barrier and rarely have a UI. m0nk has spent the last year or two digging deep into Android and iOS internals, with a major focus on both the network stack implementation and the driver and below hardware interfaces. He uses IDA more frequently than Eclipse (and a soldering iron more than both). His life dreams are to ride a robot unicorn on a moonlit beach and make the world a better place, but mostly the unicorn thing... Josh is currently employed by the nice people @ Accuvant LABS and the very mean people @ MonkWorks, LLC.

C.R.E.A.M. Cache Rules Evidently Ambiguous, Misunderstood

Common wisdom dictates that web applications serving sensitive data must use an encrypted connection (i.e., HTTPS) to protect data in transit. Once served, that same sensitive data must be protected at rest, either through encryption, or more appropriately by not storing the sensitive data on disk at all. In the past, web browser disk caching policies maintained a distinction between HTTP and HTTPS requests, typically refusing to cache HTTPS requests. With today's bandwidth- and performance-hungry AJAX and HTML5 applications, most modern browsers treat all content (including HTTPS) as safe to cache to disk unless explicitly restricted by the server. This silent "shift" of responsibility from browser to web-application server has eluded both secure web-application and safe-browsing paradigms, leaving consumers exposed. Even OWASP recommended guidelines for creating secure web applications are wrong regarding this topic [1].

We tested over thirty sites that provide personal financial, health, and insurance-related information to determine what, if any, sensitive information was cached to disk and the results were surprising. Over 70% of tested sites cached sensitive information, ranging from account balances to bank-check images, bank statements, and full credit reports.

We will discuss not only the technical details of these caching vulnerabilities, but also the history behind the "shift" in cache policy responsibility, the breakdown in conventional wisdom concerning web application and web-browser security policies, the ramifications of caching PII to disk, and the potential widespread violation of most compliance standards, including PCI, HIPAA, SOX, and government standards such as FIPS or Common Criteria.

Jacob Thompson is a security analyst at Independent Security Evaluators, a Baltimore, Maryland, company specializing in high-end, custom security assessments of computer hardware and software products. Jacob holds an M.S. in Computer Science from the University of Maryland, Baltimore County. His primary security interests include analyzing commercial software products for design flaws and other vulnerabilities, reverse engineering, and cryptography. Prior to joining ISE, Jacob served as a Computer Science teaching assistant and briefly worked as an intern software engineer developing desktop and embedded applications for process control systems.

Insecurity - A Failure of Imagination

Homeowners, apartment complexes, and businesses throughout the United States and Canada have purchased locks from one of the leading manufacturers in the country in the belief that they were secure. Advertising represents they are the highest grade of residential security available as a result of security ratings from different Standards organizations. While the design of this lock effectively resists certain forms of covert and forced entry that are common with other mechanical cylinders, there are also what we perceive as serious design flaws that will allow these locks to be opened, bypassed, or decoded in seconds. Because this is one of the most popular locks in America, the consumer needs to understand the inherent security vulnerabilities in order to assess their risk.

In this presentation we analyze the design of this lock and earlier similar designs implemented by other manufacturers. The focus is on a failure of the design engineers to understand different methods of bypass and to protect against them, and why standards and what they purport to define may be misleading and misrepresent the real security of a product.

Consumers rely upon the representations of manufacturers and the security ratings of locks by Underwriters Laboratory and the Builders Hardware Manufacturers Association to assure them of the quality and resistance to attack of the locks they buy. We present evidence that millions of homeowners and businesses that have implemented these locks can be vulnerable to simple methods of entry of which they may not be aware.

This is a classic example of insecurity engineering in a very clever and unique mechanical lock. Unfortunately, the very unique mechanism also provides the basis for several incredibly simple attacks that can be performed with a minimum of time, tools and training.

Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He is the principal attorney for Investigative Law Offices, P.C. and as part of his practice represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. Marc and his associates also conduct technical fraud investigations and deal with related legal issues.

Marc has authored five police textbooks, including "Locks, Safes, and Security", which is recognized as a primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book (LSS+) is also available online.

Marc has written extensively about the security vulnerabilities of products and has appeared in numerous television and radio interviews and news reports as well as magazine articles during the past thirty years. He is a member of several professional organizations including the American Bar Association (ABA), American Society for Industrial Security (ASIS), Associated Locksmiths of America (ALOA), Association of Firearms and Tool mark Examiners (AFTE), American Polygraph Association (APA) and the American Police Polygraph Association (APPA).

Tobias Bluzmanis was born in Caracas, Venezuela. Tobias came to the United States in 1995 and was granted citizenship in 2000. He has been a professional locksmith for the past 20 years. Tobias is an expert in Covert Methods of Entry and has developed many unique forms of bypass and custom tools, including a decoder for Medeco locks, which was the impetus for the book "Open in Thirty Seconds".


HTTP Time Bandit

While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners as well as potential attackers the chance to be more efficient in performance or attack. We will discuss a tool created to identify weaknesses in the web application by submitting a series of regular requests to it. With some refinement and data normalizations performed on the gathered data, and then performing more testing based on the latter, it is possible to pinpoint the single most (CPU or DB) resource-consuming page of the application. Armed with this information, it is possible to perform more efficient DOS/DDOS attacks with very simple tools. The presentation will be accompanied by demos of the tool performing testing and attacking on various targets. The tool will be published for the interested researchers to play with.

Vaagn Toukharian is Principal Engineer for Qualys's Web Application Scanner. He has been involved with the security industry since 1999. His experience includes work on Certification Authority systems, encryption devices, large CAD systems, and Web scanners. Outside of work, his interests include photography and Ironman triathlons.

Tigran Gevorgyan was born in Yerevan, Armenia. He graduated from Yerevan State University with honors in 1996 and immigrated to the USA in 1999. He worked at various companies in the network security field, such as Network Associates, Imperito Networks and Qualys.


The Growing Irrelevance of US Government Cybersecurity Intelligence Information

The rapidly changing threat landscape has finally provided relevant business justification for commercial companies to invest in developing cybersecurity intelligence that used to be the domain of the government – and they are doing it at a pace that is making the value of government “Classified” cybersecurity information increasingly irrelevant. The organic intelligence being developed by private companies and the informal cybersecurity intelligence coming out of the research community and some “Invitation Only” or “You’re Not Invited” groups is simply more actionable and more valuable than that provided by the government. While the federal government will always, and should always, have important visibility of the threat, the evolution of technology is giving the private sector the means to develop sophisticated, high quality information that rivals the government.

Mark Weatherford is a Principal at The Chertoff Group and advises clients on a broad array of cybersecurity services. As one of the nation’s leading experts on cybersecurity, Mr. Weatherford works with organizations around the Nation and around the world by creating comprehensive security strategies for core business operations and objectives.

Mr. Weatherford also serves on the Advisory Board at both Cylance and Coalfire and is a member of the Bipartisan Policy Commission Electric Grid Cyber Security Initiative and the Idaho National Laboratory Strategic Advisory Group (SAG) for Electric Grid Resilience.

Prior to joining The Chertoff Group, Mr. Weatherford was appointed as the Department of Homeland Security’s first Deputy Under Secretary for Cybersecurity. Before joining DHS, Mr. Weatherford was the Vice President and Chief Security Officer at the North American Electric Reliability Corporation (NERC) where he directed the cybersecurity and critical infrastructure protection program and worked with electric utility companies across North America. Prior to NERC, Mr. Weatherford was appointed by Governor Arnold Schwarzenegger to serve as California’s first Chief Information Security Officer and was also the first Chief Information Security Officer for the State of Colorado, where he was appointed by two successive governors. As a former U.S. Navy Cryptologic Officer, Mr. Weatherford led the United States Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team (NAVCIRT).

Mr. Weatherford earned a bachelor’s degree from the University of Arizona, a master’s degree from the Naval Postgraduate School and holds the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications. He was one of the Information Security magazine “Security 7 Award” winners in 2008, was awarded SC Magazine’s “CSO of the Year” award in 2010, and was named one of the “10 Most Influential People in Government Information Security” by GovInfoSecurity in both 2012 and 2013.


Prowling Peer-to-Peer Botnets After Dark

Peer-to-peer botnets have become the backbone of the cybercrime ecosystem. Due to their distributed nature, they are more difficult to understand and contain than traditional botnets. To combat this problem, we have developed the open-source framework *prowler* for peer-to-peer botnet tracking and node enumeration. It combines efficient crawling strategies with the ability to plug in implementations for custom application layer protocols. In this talk, attendees will learn how to use prowler to reconnoiter and track peer-to-peer botnets. We will show some real-world examples, interpret the results, and discuss pitfalls and challenges. We will then examine how these results can be used in attempts to attack and take over peer-to-peer botnets.

Tillmann Werner works at CrowdStrike where his duties include analyzing targeted threats, developing defence strategies and prototyping analysis tools for the company. He specializes in reverse engineering, honeypot technologies and containment strategies for large-scale attacks. As a member of the Honeynet Project, Tillmann is actively involved with the global IT security community and is a regular speaker on the international conference circuit.


Reality Hackers

Reality Hackers. Technology, wit, and hacker culture fuse in an electrified movement for digital freedom. Meet the activists who make and break technology to ensure free speech and private communication for political dissidents, and to combat global censorship. This film gives a behind-the-scenes look at those who are sometimes characterized as outlaws, but who may be the vanguard defenders of freedom for all. Partially shot at DEF CON 19, the film shows the real people behind the headlines as they navigate the complexities of modern geo-political struggles. Featuring over eight DEF CON speakers, multiple CCC participants, and members of the German Pirate Party, Reality Hackers is an intimate portrait of characters who use technology to alter the world.

Rebecca Wexler is a documentary filmmaker and Fellow at Yale University Law School. She co-founded and taught the Yale Visual Law Project, which applies documentary filmmaking as an analytic form of knowledge production in the law. Rebecca holds an M.Phil in the history and philosophy of science from Cambridge University, where she studied on a Gates-Cambridge fellowship. She holds a B.A. from Harvard College. She has worked as Associate Producer and Researcher on documentaries distributed by PBS American Experience, HBO, VH1, and PBS/WETA, and has Directed and Produced films for the Yale Art Gallery, La Maison Européenne de la Photographie, the Long Wharf Theatre, and the Provincetown International Film Festival.

Paul Sanderson has won over 30 national awards, including nine CINE Golden Eagles. The Library of Congress in Washington, D.C. has honored Mr. Sanderson by placing one of his films in its permanent collection. His programs have appeared on NBC, PBS, The Discovery Channel, A&E Network, The History Channel and CNBC. His films have premiered at Radio City Music Hall, Lincoln Center, the Metropolitan Museum of Art, the Museum of Modern Art, the American Museum of Natural History and the Smithsonian.


Defeating Internet Censorship with Dust, the Polymorphic Protocol Engine

The greatest danger to free speech on the Internet today is filtering of traffic using protocol fingerprinting. Protocols such as SSL, Tor, BitTorrent, and VPNs are being summarily blocked, regardless of their legal and ethical uses. Fortunately, it is possible to bypass this filtering by reencoding traffic into a form which cannot be correctly fingerprinted by the filtering hardware. I will be presenting a tool called Dust which provides an engine for reencoding traffic into a variety of forms. By developing a good model of how filtering hardware differentiates traffic into different protocols, a profile can be created which allows Dust to reencode arbitrary traffic to bypass the filters.

Dust is different than other approaches because it is not simply another obfuscated protocol. It is an engine which can encode traffic according to the given specifications. As the filters change their algorithms for protocol detection, rather than developing a new protocol, Dust can just be reconfigured to use different parameters. In fact, Dust can be automatically reconfigured using examples of what traffic is blocked and what traffic gets through. Using machine learning, a new profile is created which will reencode traffic so that it resembles that which gets through and not that which is blocked. Dust has been created with the goal of defeating real filtering hardware currently deployed for the purpose of censoring free speech on the Internet. In this talk I will discuss how the real filtering hardware works and how to effectively defeat it.

Brandon Wiley (@blanu) is a peer-to-peer pioneer who creates tools to circumvent Internet censorship. In 1999 he co-founded the Freenet project to create a censorship-resistant publishing platform. He is also known for the Curious Yellow superworm design. When working for BitTorrent, Inc. he was given the difficult task of trying to reason with the Internet service providers that were engaging in BitTorrent throttling. More recently he has been working for the Tor project on their next generation blocking-resistant protocols such as pyobfsproxy and obfs3. He is currently in the final stages of his PhD, where he is studying all of the most popular Deep Packet Inspection hardware and figuring out how to defeat it. His interests include Bayesian statistics, polymorphic encodings, and chiptune music.



The onslaught of Bring Your Own Device(s) in recent years places a new focus on the security of wireless networks. In "The BYOD PEAP Show", Josh Yavor explores fundamental flaws in one of the most common and widely supported 802.1x authentication protocols used by countless corporate WPA2-Enterprise networks today. A series of events in the recent past created a situation in which PEAP can no longer be used safely. In this talk, we will re-trace this path and investigate how the combination of BYOD, new technology and new tools led to this situation. A live demonstration with audience participation will punctuate the danger of supporting PEAP. Attendees will leave with an understanding of the underlying flaws, methods of exploitation, a set of tools and most importantly, how to secure WPA2-Enterprise networks that currently support PEAP. A new tool, peapshow, will be released after DEF CON and will make testing and exploitation of this issue truly trivial.

Besides, this is DEF CON. Someone has to mess with the WiFi.

Josh Yavor (@schwascore) is a Security Engineer at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Josh specializes in web application security and network penetration testing. Josh holds a MS in Computer, Information and Network Security from DePaul University. At DePaul, he focused on network security while also developing an interest in incident response and SCADA/ICS. Prior to working at iSEC, Josh operated an independent IT consulting and managed services business with a special focus on security related projects.


Android WebLogin: Google's Skeleton Key

Millions of businesses worldwide trust in Google Apps to run their organization's domain. The life-blood of these organizations is routinely stored with Google accounts and accessed with mobile devices. This talk explores how an adversary can parlay the compromise of a single Android device into a complete Google Apps domain takeover. The attack vectors explored in this talk make use of various design considerations made by Google to enhance the user experience and can be equally utilized with malware or physical device access.

Several iterations of malicious Android applications were created using these techniques. The apps were then analyzed with multiple Android Anti-Virus products and subsequently published in Google's Play Store. The PoC iterations and analysis results provide some insight into the state of Google's Bouncer and Android malware analysis at the end-point.

The final part of the talk is aimed at identifying best practices to minimize risk as well as guidelines for recovering from a security incident.

Craig Young (@CraigTweets) is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, and others. His research has resulted in numerous CVE assignments and recognition in the Google Application Security Hall of Fame. His BSides SF talk on Google's 2-step verification system provided the impetus for Google to deploy security fixes which make millions of Google users safer.


Hacking Driverless Vehicles

Are driverless vehicles ripe for the hacking? Autonomous and unmanned systems are already patrolling our skies and oceans and being tested on our streets and highways. All trends indicate these systems are at an inflection point that will show them rapidly becoming commonplace. It is therefore a salient time for a discussion of the capabilities and potential vulnerabilities of these systems.

This session will be an informative and light-hearted look at the current state of civil driverless vehicles and what hackers or miscreants might do to mess with them. Topics covered will include common sensors, decision profiles and their potential failure modes that could be exploited. With this talk Zoz aims to both inspire unmanned vehicle fans to think about robustness to adversarial and malicious scenarios, and to give the paranoid false hope of resisting the robot revolution. He will also present details of how students can get involved in the ultimate sports events for robot hacking, the autonomous vehicle competitions.

Zoz is a robotics interface designer and rapid prototyping specialist. He is a co-founder of Cannytrophic Design in Boston and CTO of BlueSky in San Francisco. As co-host of the Discovery Channel show 'Prototype This!' he pioneered urban pizza delivery with robotic vehicles, including the first autonomous crossing of an active highway bridge in the USA, and airborne delivery of life preservers at sea from an autonomous aircraft. He also hosts the annual AUVSI Foundation student autonomous robot competitions such as Roboboat and Robosub.


Speaker Index

DEF CON 101 (Thursday)


Hacking Management, from Operations to Command

The Ninjaneers: Getting Started in Building Your Own Robots for World Domination

Decrypting DEF CON: Foundations Behind Some of the Games Hackers Play

Intro to Web Application Hacking

Oil & Gas Infosec 101

Wireless Penetration Testing 101 & Wireless Contesting

Pentesters Toolkit

Meet Pentoo, the Longest Running Pen-testing Linux Distro


Alex Abdo

Bogdan Alecu

Chema Alonso



James Arlen

Dan Auerbach


Mike Baker

Amber Baldet

Remy Baumgarten

Brent Bandelgar


Scott Behrens

Sameer Bhalotra

Joe Bialek

Zak Blacher

Tobias Bluzmanis

Todd Bonnewell

Sam Bowne (1, 2)

Robert Brese

Francis Brown


Eileen Burbridge

Daniel Burroughs

Eric Butler


Alejandro Caceres (1, 2)

Benjamin Caudill

Daniel Chechik

Ming Chow

Joseph Paul Cohen

Joshua Corman

Michael Costello

Robert Clark

Kade Crockford

Daniel "unicornFurnace" Crowley

Catherine Crump

Dinis Cruz

Ang Cui



Anat (Fox) Davidi

Sherri Davidoff

Andy Davis

James Denaro

Doug DePerry

Ambassador Joseph R. DeTrani

Christie Dudley

Piotr Duszynski



Lt. Gen. Robert Elder (1, 2)

Justin Engler

Melissa Elliott

Amir Etemadieh

Evilrob (Rob Bathurst)


Jaime Filson (WiK)


Flipper (1, 2)

Pau Oliva Fora

Zac Franken

Scott Fretheim

Rob Fuller (Mubix)

Eric Fulton


Eva Galperin

Terrence “Tuna” Gareau

Tigran Gevorgyan

Brian Gorenc

Rob Graham

Joe Grand (1, 2)

Dan Griffin


David Harrison

Justin Hendricks

CJ Heres


Ricky Hill

Nick Hitchcock

Chris Hoff

Marcia Hofmann

Ryan Holeman

Josh Hoover (wishbone)


Alberto Garcia Illera


John M. Jack

Mark Jaycox

Deepak Jeevankumar

Robert Johnson


Abraham Kang

Tom Keenan

David Kennedy

Karl Koscher

Dan Kottmann


Zach Lanier

Adam "Major Malfunction" Laurie

David Lawrence

Kenneth Lee

Wai-leng Lee

Ping Li

James R. Lint

Lockheed (1, 2)

Drea London

LosT (1, 2, 3)

Rachel Lovinger


Sean Malone

Todd Manning

Marion Marschalek

Dave Maynor

Bruce McConnell

Wesley McGrew

Eric Milam

Charlie Miller

Nikhil Mittal

Tony Miu

Rich Mogull

David Mortman

Peiter "Mudge" Zatko



Hans Nielsen


Nicolas Oberli

Matt Ocko

Brendan O'Connor

Kyle O'Meara

Kurt Opsahl

John Ortiz

Fatih Ozavci

Nicole Ozer


Franz Payer

Nicholas J. Percoco

Michael Perklin (1, 2)

Larry Pesce

Phorkus (Mark Carey)

Gregory Pickett

Alexandre Pinto

Philip Polstra

Randi Price

Matthew Prince




Jim Rennie

Chris John Riley

Tom Ritter (1, 2)


Roamer (1, 2)

Eric Robi

Teal Rogers

Alex Rothman


Jaime Sanchez

Runa A. Sandvik

Paul Sanderson

Jennifer "savagejen" Savage

Noah Schiffman

Michael Schrenk

Jaeson Schultz

Hunter Scott

Jason Scott

Balint Seeber

Daniel Selifonov

Neil Sikka


Christopher Soghoian (1, 2)

Ryan W. Smith

Mark 'Smitty' Smith

James Snodgrass (PuNk1nPo0p)


Jasiel Spelman

Jason Staggs

Alex Stamos

Tom Steele

Mitch Stoltz

Tim Strazzere

Robert Stucke

Chris Sumner


Amr Thabet

Richard Thieme

Josh 'm0nk' Thomas

Jacob Thompson

Marc Weber Tobias

Vaagn Toukharian


Eric Van Albert

Javier Vazquez Vidal

Paul Vines


Randall Wald

Mark Weatherford (1, 2)

Rebecca Wexler

Tillmann Werner

Brandon Wiley


Josh Yavor

Craig Young



Daniel Zolnikov



Ask the EFF

DEF CON Comedy Jam Part VI

The ACLU Presents: NSA Surveillance and More

Hardware Hacking with Microcontrollers: A Panel Discussion

Meet the VCs

The Policy Wonk Lounge