skip to main content

DEF CON 22 Hacking Conference


Keep your eyes on this space, we'll be adding new talks frequently!

DEF CON 101 Presentations

DEF CON 101 - The Talk






DEF CON 101 is the Alpha to the closing ceremonies' Omega. It's the place to go to learn about the many facets of Con and to begin your Defconian Adventure. Whether you're brand new or a long time attendee, DC101 can start you on the path toward maximizing your DEF CON Experiences.

Known Aliases: HighWiz, The Dark Lord, Tom Riddle, "The Swamp Fox", The Earl of Grantham, And your excellency sir, (to you).
Known Affliations: The Tribe
Wanted For: Advanced Persistent Trolling, viceregicide, Conspiring with Jesuits, Igniting the Doom of Valyria, Drag Racing the Kessel Run, Putting the Ram in the Rama Lama Ding Dong, Long walks on the beach.
May be traveling with: Alan Turing, Karl Möbius, Charles Babbage, the Chilean national soccer team, and a devious pink elephant.


Twitter: @highwiz

Lockheed (@TheLockheed) was in charge of the DEF CON Network Operations Group since DEF CON 4, and in 2013 took over as Chief of Operations for DEF CON (because you never retire from DEF CON, you only get promoted!) Lock has over 25 years of experience in the technology field. He's had jobs ranging from tech writer, mainframe operator, product engineer, product marketing manager, and is currently Sr Director in charge of the Global IT Group for Sony PlayStation Worldwide Studios. He's been in the video game industry for over 10 years and strongly believes his PS4 can kick your XBOX's butt!

Twitter: @TheLockheed

Pyr0 is "that guy" who oversees the Contests, Events, and Villages at DEF CON. He's been attending since DC6 and has been gooning since DC7. He is the founder of Skytalks, one of those 303 peoples, and also proudly reps Security Tribe (RECOGNIZE!). He loves great scotch, good vodka, smart girls, explosives, and big black . . . guns. ALSO:DONGS

Twitter: @lmcomie

Roamer is (as of this writing) the retired Sr. Goon in charge of the DEF CON Vendor Area (let's see how that works out). He has been on DEF CON staff since DEF CON 8. He was the founder of the DEF CON WarDriving contest the first 4 years of it's existence and has also run the slogan contest in the past. Roamer is the guitarist for the Goon Band, Recognize. Although having no actual skills his ability to drink virtually every Goon and attendee under the table has gained him massive prominence in the scene and elevated him to the lofty station you see him in today. When not "working" at DEF CON he is "working" as the Global Information Security Manager and Sr. Enterprise Architect for Sony PlayStation WorldWide Studios.

Twitter: @shitroamersays

LosT mucks around with DEF CON on occasion. He is the creator of the Hardware Hacking Village, the LosT@Defcon Mystery Challenge, and for the past few years the DEF CON badges and badge challenges. Russ says he's the official DEF CON Puzzlemaster, but LosT still doesn't believe him. In his other life LosT enjoys playing the bass and linguistics, among other things. He's also been known to study mathematics, electrical engineering and physics in his spare time.

Twitter: @1o57

Protecting SCADA From the Ground Up

AlxRogan (Aaron Bayles)

Industrial Control Systems (ICS) and SCADA are everywhere, whether you know it or not. Not only do they track flow rates and turn signs for businesses, but they also activate fans and dampers for fire protection and control water distribution in your town. You can't count on ICS and SCADA to be completely off the net anymore, they are being networked internally and Internet-facing more and more. Common Enterprise IT security methods and practices don't fully cover these systems, so come and learn how you should architect and protect the infrastructure that keeps the lights on

AlxRogan was born and raised in the Oil and Gas industry, and has worked (off and on) there since 1995. He has gooned since DEF CON 12, and is a professional contest participant (CTF, Wardriving, ScavHunt). In his work experience, he has consulted for energy generating companies, health care providers, US and local government, and education/research institutions. He was previously the Information Security Architect for a mid-size oil and gas company in Houston and currently consults (again) on IT, Industrial Control Systems (ICS), and SCADA security. Also, his real name is Aaron Bayles not AlxRogan. Alex Rogan is a Character from The Last Starfighter.

Twitter: @AlxRogan

DEF CON the Mystery, Myth and Legend


It's hard to throw a stone these days without hitting a security/hacking conference. But, when every year the Las Vegas Metro SWAT Team stages for an interdiction of your convention, you know you have something "different". From crawling through Air Ducts to surreptitiously "acquiring" telco equipment, these are the stories of DEF CON you don't often hear about. The stories of yesteryear that not only helped shape defcon but also the people who make up today's hacker and infosec communities at large. DEF CON is the event that helped spawn a generation of hackers and changed the landscape of information security. So come join us for a trip down memory lane as we reveal some of the secrets and stories of what architected the mystery, myth and legend of the hacker community you see today... Now that the statues of limitation have passed.

Panel classified until further notice

AWS for Hackers

Beaker (Seth Van Ommen)

What tool does every hacker need in their toolset? The entire goddamn giant that is Amazon in their back pocket. AWS is an extremely useful tool for anyone from early noobs just getting their feet wet to seasoned veterans who will become even more kickass. All you need to get started is an internet connection and some keys. Also, CLOUD, there, I said it motherfuckers.

Beaker is an odd creature even by DEF CON standards. If Hunter S Thompson, Tesla, and a spork had a love child this would approximate the Beaker. He’s spent his working life diddling computers for various organizations from early startups to three letter agencies and is still amazed this produces a paycheck. Beaker is known for mixing interesting chemicals within Beaker which often results in projects of unlikely completion

Twitter: @swordofomen

Detecting Bluetooth Surveillance Systems

Grant Bugher Perimeter Grid

Departments of Transportation around the United States have deployed "little white boxes" -- Bluetooth detectors used to monitor traffic speeds and activity. While they're supposedly anonymous, they detect a nearly-unique ID from every car, phone, and PC that passes by. In this presentation, I explore the documentation on these surveillance systems and their capabilities, then build a Bluetooth detector, analyzer, and spoofer with less than $200 of open-source hardware and software. Finally, I turn my own surveillance system on the DOT's and try to detect and map the detectors.

Grant Bugher has been hacking since the early 90's and working professionally in information security for the last 9 years. He is currently a security architect for a cloud computing provider, and has previously been a program manager and software engineer on a variety of widely-used developer tools and platforms. Grant is a prior speaker at BlackHat USA and a regular DefCon attendee since DefCon 16. Most of his research and work is on cloud compute and storage platforms, application security, and detecting attacks against web-scale applications.

Twitter: @fishsupreme


Dropping Docs on Darknets: How People Got Caught

Adrian Crenshaw TrustedSec &

Most of you have probably used Tor before, but I2P may be unfamiliar. Both are anonymization networks that allow people to obfuscate where their traffic is coming from, and also host services (web sites for example) without it being tied back to them. This talk will give an overview of both, but will focus on real world stories of how people were deanonymized. Example cases like Eldo Kim & the Harvard Bomb Threat, Hector Xavier Monsegur (Sabu)/Jeremy Hammond (sup_g) & LulzSec, Freedom Hosting & Eric Eoin Marques and finally Ross William Ulbricht/“Dread Pirate Roberts” of the SilkRoad, will be used to explain how people have been caught and how it could have been avoided.

Adrian Crenshaw has worked in the IT industry for the last seventeen years. He runs the information security website, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He did the cert chase for awhile (MCSE NT 4, CNE, A+, Network+. i-Net+) but stopped once he had to start paying for the tests himself. He holds a Master of Science in Security Informatics, works for TrustedSec as a Senior Security Consultant and is one of the co-founders of Derbycon.

Twitter: @irongeek_adc

Hacking 911: Adventures in Disruption, Destruction, and Death

Christian “quaddi” Dameff MD

Jeff “r3plicant” Tully MD

Peter Hefley Senior Manager - Sunera

Ever wonder what you would do if the people you needed most on the worst day of your entire life just weren’t there?

Emergency medical services (EMS) are the safety nets we rely on every day for rapid, life-saving help in the absolute gravest of circumstances, but these services rely on antiquated infrastructures that were outdated twenty years ago with vulnerabilities large enough to drive an ambulance through, little municipal governmental support for improved security, and a severe lack of standardized security protocols.

Join quaddi, r3plicant, and Peter- two MDs and a security pro as they review the archaic nature of the 911 dispatch system and its failure to evolve with a cellular world, the problems that continue to plague smaller towns without the resources of large urban centers, how the mischief of swatting and phreaking can quickly transform into the mayhem of cyberwarfare, and the medical devastation that arises in a world without 911. Addressing these problems is a Herculean task but the alternative is a system susceptible to total ownage at the worst possible time.

Christian “quaddi” Dameff and Jeff “r3plicant” Tully are recently graduated physicians, researchers, and DEF CON regulars with a passion for the intersection between security and healthcare. With a shared background in resuscitation and emergency medical services research, and the evolving use of technology in the practice and delivery of care, quaddi and r3plicant have positioned themselves at the forefront of a new group of practitioners savvy in the myriad of ways that security (or lack thereof) is beginning to shape the medicine of the future.

Twitter: @CDameffMD @jefftullymd

Peter Hefley is an information security consultant with experience in the retail, payment processing, financial, energy, defense, and healthcare industries. Enraged by constant reports that his PHI has been lost by Tricare and recognizing opportunities for improvement in healthcare, he seeks to improve the field by facilitating partnerships between security folk and clinicians.

Twitter: @PeterHefley

How to Disclose an Exploit Without Getting in Trouble

Jim Denaro CipherLaw

Tod Beardsley Engineering Manager, Metasploit project

You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This session will cover the risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of legal action and suggest several approaches to responsible disclosure.

Jim Denaro (@CipherLaw) is the founder of CipherLaw, a Washington, D.C.-based consultancy and focuses his practice on the legal, technical, and ethical issues faced by innovators in information security. Jim is a frequent speaker and writer on legal issues in information security and has experience in a wide range of technologies, including intrusion detection and prevention, botnet investigation, malware discovery and remediation, and cryptography. Jim is a regular consultant on responsible disclosure policies and is involved in programs to shield researchers who disclose responsibly.

Jim has completed professional coursework at MIT and Stanford in computer security and cryptography. He also holds technical certifications from the Cloud Security Alliance (CCSK) and Cisco Systems (CCENT), and has passed the CISSP examination (pending certification). Before becoming an attorney, Jim spent obscene amounts of time looking at PPC assembly in MacsBug.

Tod Beardsley (@todb) is engineering manager for the open source Metasploit project, as well as one of the core developers on the framework. His background is primarily in intrusion prevention, vulnerability assessment and identification, anti-fraud/anti-phishing countermeasures, penetration testing and compliance auditing, intrusion detection and response, protocol analysis, and host hardening. He is also interested in computer crime forensics and recovery, reverse engineering and binary analysis, steganographic communication channels, and cryptography in general.

Tod’s technical specialties include protocol analysis and reverse engineering, intrusion detection and prevention, phishing and online fraud, open source software engineering collaboration, and application vulnerability research and exploitation.

Reverse Engineering Mac Malware

Sarah Edwards SANS Institute

Dynamic malware reverse engineering helps forensic analysts and reverse engineers gather quick data points such as callout domains, file download URLs or IP addresses, and dropped or modified files. These methods have long been used on Windows why not Mac malware? This presentation introduces the audience to methods, tools, and resources to assist reversing Mac binaries with a Mac. Topics include Mach-O file format, virtualization, analysis VM setup, and various analysis tools (native and 3rd-party). This presentation is intended for those familiar with dynamic analysis (with a touch of static thrown in) or for those reverse engineering masters of the Windows executable to get a introductory idea of how to start analyzing Mac malware.

Sarah is an senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter‐intelligence, counter-narcotic, and counter‐terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at the following industry conferences; Shmoocon, CEIC, Bsides*, TechnoSecurity, HTCIA and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the new SANS Mac Forensic Analysis Course - FOR518.

NSA Playset: PCIe

Joe FitzPatrick Hardware Security Resources, LLC

Miles Crabill Security Researcher

Hardware hacks tend to focus on low-speed (jtag, uart) and external (network, usb) interfaces, and PCI Express is typically neither. After a crash course in PCIe Architecture, we'll demonstrate a handful of hacks showing how pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. We'll top it off with a demonstration of SLOTSCREAMER, an inexpensive device we've configured to access memory and IO, cross-platform and transparent to the OS - all by design with no 0-day needed. The open hardware and software framework that we will release will expand your NSA Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system. Anyone who has installed a graphics card has all the hardware experience necessary to enjoy this talk and start playing NSA at home!

Joe is an Instructor, Consultant, and Researcher at Joe specializes in low-cost attacks, hardware tools, and hardware design for security. Previously, he spent 8 years doing test/debug and hardware pen-testing of desktop and server microprocessors, as well as conducting security validation training for hardware validators worldwide. In addition to side projects on PCIe, RTL security validation, and simple sidechannel attacks, Joe currently teaches "Secure Hardware Development for Integrated Circuits" and Co-teaches "Software Exploitation via Hardware Exploits" alongside Stephen Ridley.

Twitter: @securelyfitz

Miles Crabill is a rising junior at Lewis & Clark College in Portland, OR. He is interested in computer security education and is a contributor to EDURange, an NSF funded framework for deploying computer security scenarios.

Oh Bother, Cruising The Internet With Your Honeys, Creating Honeynets For Tracking Criminal Organizations

Terrence Gareau

Mike Thompson

Bandwidth, computing power, and software advancements have empowered hackers to quickly scan for and exploit services across the Internet. While this is a major issue, it does allow researchers to track criminal activity with strategically placed honeypots that lure and trap criminals, allowing organizations to put that information to use improving network security. This talk will outline how to use DDoS vulnerable services to develop a honeypot network that will extract valuable information from the Internet and produce a data feed that can be used to protect online assets with kibana, elasticsearch, logstash, and AMQP.

As A10 Networks’ Principal Research Scientist, Terrence Gareau leads the company’s security engineering and response team tasked with providing A10 customers in-depth DDoS research and advisories they require to continually improve their network security defenses.

Prior to joining A10, Gareau was Principal Security Architect and the founding member of the PLXsert for Prolexic Technologies. He began his IT security career more than 10 years ago, and has broad expertise in enterprise security and distributed denial of services (DDoS) mitigation, prevention and recovery. Gareau has mitigated some of the Internet’s largest DDoS attacks for both government agencies and private enterprises, and has lead architecture, engineering and research teams, creating solutions to protect client networks, establishing security testing policies, network and digital forensics, and serving as the subject matter expert for multiple private and government organizations.

Prior to Prolexic, Gareau worked for the Food and Drug Administration (FDA) and CNI. A recognized expert in DDoS attack mitigation, Gareau has shared his knowledge at NIH, FDA, DoD, DHS, and other organizations.

Mike “The Janitor” Thompson lives in a mushroom bin and not in a box. The Janitor by day, is the Director of Architecture and Engineering for ADC, Cloud (e.g. cumulus, stratus, cirrus, nimbus) and Security for A10 Networks and by night an animal who spits out fire-breathing code for whatever. He worked as a Pen Tester and has provided security-consulting services for many global corporations. The Janitor was part of A10's technical team, which assisted Microsoft as part of the Citadel and Zero Access botnet takedown, is the lead OpenStack Developer and part of the SERT for A10. His favorite pass-times besides being alive are hanging with the fam, building robots and playing with his car. His message to the world "Kiddies ->welfare sucks, grow a brain and learn to code." and "value is like beauty it is solely in the eye of the beholder…put the mirror down when I am talking to you!"

The Monkey in the Middle: A pentesters guide to playing in traffic.

Anch (Mike Guthrie)

Prank your friends, collect session information and passwords, edit traffic as it goes by.. become the Monkey(man)-In-The-Middle and do it all…

This presentation will teach you a penetration testers view of man in the middle (MITM) attacks. It will introduce the tools, techniques and methods to get traffic to your hosts. Demonstrations of the tools and methods involved will be presented. Come learn new and interesting ways to prank your friends, experience the all porn internet (redux), learn what mallory is and how to use it, learn how to direct traffic to your proxy, deal with SSL and certificates in interesting ways, and make sure you go (mostly) undetected.

Anch is the lead for the Chickasaw Nation Industries Red Team performing penetration tests, and accreditation's for the public and private sector.

Anch has 11 years experience in cyber security. He was the Network Security Architect at a major power administration. At Mentor Graphics he spent time as a network engineer providing enterprise networking, firewall and VPN support for a global network comprising of 72 connected sites worldwide. He has been involved in or lead over 75 penetration tests on over 200 networks.

Anch's background related to control systems is unrivaled in the bulk power generation and transmission areas. During this time he developed unique perspectives on the areas of compliance and regulation in the power industry.

Twitter: @boneheadsanon

Investigating PowerShell Attacks

Ryan Kazanciyan Technical Director, Mandiant

Matt Hastings Consultant, Mandiant

Over the past two years, we've seen targeted attackers increasingly utilize PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you've got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you're not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features.

This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, etc. - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.

Ryan Kazanciyan is a Technical Director with Mandiant and has ten years of experience in incident response, forensic analysis, and penetration testing. Since joining Mandiant in 2009, he has led incident response and remediation efforts for dozens of Fortune 500 organizations, focusing on targeted attacks, industrial espionage, and financial crime. He has also helped develop Mandiant's investigative methodologies, forensic analysis techniques, and technologies to address the challenges posed by skilled intruders in complex environments. Prior to his work in incident response, Ryan led and executed penetration tests for both private and public-sector clients. His background included red-team operations in Windows and Unix environments, web application security assessments, and social engineering. As a lead instructor and content author for Mandiant's incident response training, Ryan also regularly teaches classes for corporate security teams, federal law enforcement, and at industry conferences.

Twitter: @ryankaz42

Matt Hastings is a Consultant with Mandiant, a division of FireEye, Inc. Based in the Washington D.C area, Matt focuses on enterprise-wide incident response, high-tech crime investigations, penetration testing, strategic corporate security development, and security control assessments; working with the Federal government, defense industrial base, financial industry, Fortune 500 companies, and global organizations.

Twitter: @HastingsVT

Is This Your Pipe? Hijacking the Build Pipeline.

Kyle Kelley Developer Support Engineer, Rackspace

Greg Anderson Software Security Engineer,Rackspace

As developers of the web, we rely on tools to automate building code, run tests, and even deploy services. What happens when we're too trusting of CI/CD pipelines? Credentials get exposed, hijacked, and re-purposed. We'll talk about how often and what happens when people leak public cloud credentials, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking decrypted secrets and how to turn their Jenkins into your own butler. Come hijack credentials out of repositories, steal hidden and encrypted secrets using builds, and hijack infrastructure via their continuous deployment.

Kyle Kelley writes software, sneaks in security tomfoolery, and dabbles in as many open source projects as possible. During the day he writes code, builds systems, and helps developers with APIs and SDKs, infrastructure design, and not hanging themselves in the clouds. On the side he does ops and dev work for various open source projects, including their build infrastructure and public facing sites. He loves strange bugs.

Greg Anderson is a Software Security Engineer at Rackspace. He likes to find different ways to poke things and watch them fall over. Breaking things in automation over large scale server deployments is his forte.

Twitter: @rgbkrk

GitHub: rgbkrk

Screw Becoming A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter!

Jake Kouns CISO, Risk Based Security

Carsten Eiram Chief Research Officer, Risk Based Security

Everywhere you turn it seems that companies are having serious problems with security, and they desperately need help. Getting into information security provides an incredible career path with what appears to be no end in sight. There are so many disciplines that you can choose in InfoSec with the fundamental argument being whether you join Team Red or Team Blue. Most people tend to decide on the Red team and that becoming a professional pentester is the way to go, as it is the most sexy (and typically pays well). However, with bug bounties currently being all the rage and providing a legal and legitimate way to profit off vulnerability research, who really wants to be a pentester, when you can have so much more fun being a bug bounty hunter!

Researcher motivation in the old days and options for making money off of vulnerabilities were much different than today. This talk analyzes the history of selling vulnerabilities, the introduction of bug bounties, and their evolution. We cover many facets including the different types of programs and the ranges of money that can be made. We then focus on researchers, who have currently chosen the bug bounty hunter lifestyle and provide details on how to get involved in bug bounty programs, which likely pay the best, and which vendors you may want to avoid. What constitutes a good bug bounty program that makes it worth your time? What do you need to know to make sure that you keep yourself out of legal trouble?

Ultimately, we’ll provide thoughts on the value of bug bounties, their future, and if they can be a full-time career choice instead of a more traditional position such as pentesting.

Jake Kouns is the CISO for Risk Based Security and the CEO of the Open Security Foundation, that oversees the operations of the and Mr. Kouns has presented at many well-known security conferences including RSA, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, SOURCE and SyScan. He is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

Twitter: @jkouns

Carsten Eiram is the Chief Research Officer of Risk Based Security and previously worked 10 years for Secunia, managing the Research team. Carsten has a reverse engineering background and extensive experience in the field of Vulnerability Intelligence, referring to himself as a vulnerability connoisseur. He has deep insights into vulnerabilities, root causes, and trends, and is also an avid vulnerability researcher, having discovered critical vulnerabilities in high-profile products from major vendors including: Microsoft, Adobe, Symantec, IBM, Apple, Novell, SAP, Blue Coat, and Trend Micro. Carsten has been interviewed for numerous news articles about software security and has presented at conferences such as FIRST Conference, RSA Conference, DEF CON, RVAsec, as well as keynoting Defcamp 2013. He is also a regular contributor to the "Threat of the Month" column in SC Magazine, a credited contributor for the "CWE/SANS Top 25 Most Dangerous Software Errors" list, and member of the CVE Editorial Board and FIRST VRDX-SIG.

Twitter: @CarstenEiram

Home Alone with localhost: Automating Home Defense

Chris Littlebury Senior Penetration Tester, Knowledge Consulting Group, Inc.

Home automation is everywhere, and so are their exploits. This presentation will go over a brief history of home automation techniques, cover modern technologies used today, detail some of the current exploits used against modern automation and security systems, and give examples on how to defend against them. You'll be provided with the knowledge necessary to build your own home-Skynet system- complete with passive and active defenses against physical and wireless attacks. If you like Raspberry Pis, RF hacks, dirty soldering jobs, and even dirtier code, then this is your talk.

Chris Littlebury is a Senior Penetration Tester with Knowledge Consulting Group (KCG). He enjoys hardware hacking, turning wrenches, and opportunities to combine the two. He also claims to have created the first Raspberry Pi-powered, wireless BBQ smoker.

In the forest of knowledge with 1o57


Dashing and daring
Courageous and caring
Faithful and friendly
With stories to share
All through the forest
He sing's out in chorus
Marching along
As his songs fill the air

You best beware
Bouncing here and there and everywhere
High adventure that's beyond compare
LosT will be there

Magic and mystery
Are part of his history
Along with the secret
Of mystery juice
His legend is growing
He takes pride in knowing
He'll fight for what's right
In whatever he'll do

LosT mucks around with DEF CON on occasion. He is the creator of the Hardware Hacking Village, the LosT@Defcon Mystery Challenge, and for the past few years the DEF CON badges and badge challenges. Russ says he's the official DEF CON Puzzlemaster, but LosT still doesn't believe him. In his other life LosT enjoys playing the bass and linguistics, among other things. He's also been known to study mathematics, electrical engineering and physics in his spare time.

Twitter: @1o57

Meddle: Framework for Piggy-back Fuzzing and Tool Development

Geoff McDonald Anti-Virus Researcher at Microsoft

Towards simplifying the vulnerability fuzzing process, this presentation introduces a moddable framework called Meddle that can be used to piggy-back on existing application’s knowledge of protocol by performing piggy-back fuzzing. Meddle is an open source Windows x86 and x64 user-mode C# application that uses IronPython plugins to provide a familiar interface for fuzzing. Why bother spending time understanding the protocol just to try break it?

Two vulnerability fuzzing attacks using Meddle will be demonstrated - one attacking the open source rdp server XRDP, and the other attacking general driver communications from user-mode processes. Several vulnerabilities found with the XRDP server will be briefly discussed, including two that may be exploited for RCE prior to authentication. These attacks are typically based on a piggy-back application (such as the Remote Desktop Connection Client, mstsc.exe), the piggy-back application performs a benchmarking operation, and then fuzzing begins through a parallel set of the piggy-back instances attacking each event sequentially.

Although originally designed as a vulnerability fuzzing framework, Meddle is well-suited for developing reverse-engineering and malware analysis tools. Two simple tools will be presented based on Meddle, including:

  • 1. A capture tool for communication between usermode processes and kernel mode drivers along with a parser to view the captures in Windows Message Analyzer.
  • 2. Malware sandboxing environment proof-of-concept.

In conclusion, the attendees should be able leave the session with a basic understanding of how to use the Meddle framework as well as their own ideas for tools to develop and targets to attack.

Geoff is an anti-virus researcher working with Microsoft Malware Protection Center with most of his experience in reverse-engineering malware and related vulnerabilities. As a hobby, Geoff can often be found developing reverse-engineering and vulnerability fuzzing tools -some of which can be found on his personal website

Instrumenting Point-of-Sale Malware: A Case Study in Communicating Malware Analysis More Effectively

Wesley McGrew Assistant Research Professor, Mississippi State University

The purpose of this talk is to promote the adoption of better practices in the publication and demonstration of malware analyses. For various reasons, many popular analyses of malware do not contain information required for a peer analyst to replicate the research and verify results. This hurts analysts that wish to continue to work more in-depth on a sample, and reduces the value of such analyses to those who would otherwise be able to use them to learn reverse engineering and improve themselves personally. This paper and talk proposes that we borrow the concept of “executable research” by supplementing our written analysis with material designed to illustrate our analysis using the malware itself. Taking a step beyond traditional sandboxes to implement bespoke virtual environments and scripted instrumentation with commentary can supplement written reports in a way that makes the analysis of malware more sound and useful to others.

As a case-study of this concept, an analysis of the recent high-profile point-of-sale malware, JackPOS is presented with enough information to replicate the analysis on the provided sample. A captured command-and-control server is included and Python-based harnesses are developed and presented that illustrate points of interest from the analysis by instrumenting the execution of the malware itself.

Wesley McGrew (@McGrewSecurity) is an assistant research professor at Mississippi State University's Department of Computer Science and Engineering, where he works with the newly formed Distributed Analytics and Security Institute. He recently earned a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems. He also lectures for the MSU National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. In the spring 2013 semester, he began teaching a self-designed course on reverse engineering to students at MSU, using real-world, high-profile malware samples, as part of gaining NSA CAE Cyber Ops certification for MSU. Wesley has presented at Black Hat USA and DEF CON, and is the author of penetration testing and forensics tools that he publishes through his personal/consultancy website,

Twitter: @McGrewSecurity

One Man Shop: Building an effective security program all by yourself

Medic (Tim McGuffin)

At past DEF CON events, including DEF CON 101, most of the attendees we’ve encountered were either new to the field of security or had security functions in their job description on top of other job duties such as system administration or programming. The purpose of this talk, which is based on real world experiences, is to introduce a multi-year approach to methodologies, techniques, and tools that will allow someone who may be the sole security staff member for an organization to build an effective security program in a cost effective and resource constrained manner. If security is a process, this will provide a “Step 1” to getting that process started.

Tim was voted “most likely to be indicted” by his high school senior class, but has since gone on to gain the trust of large organizations and their executive management, which may or may not be a good thing. He holds a few industry certifications and is a member of a few security organizations, but considers his insomnia and attention deficit problems far more important to his career.

Twitter: @NotMedic

RF Penetration Testing, Your Air Stinks

RMellendick (Rick Mellendick)

DaKahuna (John Fulmer)

The purpose of this talk is to discuss the effective radio frequency (RF) tools, tactics, and procedures that we recommend security professionals use when performing a repeatable RF penetration test. This talk will cover the fundamental processes used to identify the RF within the environment, identify the vulnerabilities specific to that environment, and offer attack methodology to exploit those vulnerabilities.

This talk will cover the hardware and software that we recommend for users just starting out all the way from N00bz to l33t hax0rs.

To provide some hands on experience with RF penetration testing, we have developed the Wireless Capture the Flag (WCTF) in the Wireless Village at DEF CON.

We will provide an over view of this contest designed to test your skills, and give you a shooting range to practice and compete, and level of experience doesn’t matter, the willingness to learn will get you much further.

RMellendick builder and breaker of RF things, inventor of the WCTF, defender of good and evil depending on your perspective, spends way too much time with his head in the air, sniffing the RF. And of course his last name is still MELLENDICK.

Twitter: @rmellendick

By day, DaKahuna supports a large government agency reviewing and criticizing network and security architectures, advising on matters related to information assurance and information security policies, standards and guidance. By night he enjoys snooping the Ether be it the amateur radio bands or his neighbors wireless networks. In his off time he can be found on the pistol or rifle range enjoying the smell of burnt gunpowder. He is a father of two, grandfather or three, a 24 year Navy veteran, holder of an amateur radio Extra Class license and a staunch supporter and exerciser of his 2nd and 4th rights.

Touring the Darkside of the Internet. An Introduction to Tor, Darknets, and Bitcoin

Metacortex Security Researcher

Grifter Security Researcher

This is an introduction level talk. The talk itself will cover the basics of Tor, Darknets, Darknet Market places, and Bitcoin. I will start by giving the audience an overview of Tor and how it works. I will cover entry nodes, exit nodes, as well as hidden services. I will then show how you connect to Tor on both Linux/OSX and Windows and demo it off. Once we are connected to Tor, I am going to show how to find Tor hidden services and then demo off browsing around some marketplaces. Once the audience has a solid grasp on what the market places offer, I am going to start dealing the process of purchasing something off of it. I will cover bitcoin and bitcoin mining. After we know about how bitcoin works, we will cover purchasing items. I will cover purchasing PO Box's and the pickup of packages. Finally I will finish up with some concerns you may want to be aware of and my recommendations to help make the use of TOR, Bitcoin, and Marketplaces more secure.

As a infosec professional by day, Metacortex much prefers his hacker by night persona. Most of his free time time is spent helping run both DC801 and the Salt Lake City based HackerSpace 801 Labs. He loves talking about anything hacking related and does everything he can to help promote and build the northern Utah hacking community.

Twitter: @metacortex

Grifter has been a DEF CON Goon for 14 years. He is currently the Senior Goon in charge of DEF CON Evening Event space and the DEF CON Villages. In previous lives he served as a Security, Vendor, and Skybox Goon, Coordinator of the DEF CON Movie Channel, former Organizer of the Scavenger Hunt, and Administrator of the DEF CON Forums. He birthed the idea of the DEF CON Villages and DC Groups into the world, and he's not sorry about it.

Grifter has spoken at DEF CON numerous times, as well as related Hacker, Security, and Industry conferences. He has co-authored several books on various information security topics, and has somehow found a way to convince people to give him money for what he keeps inside his head.(The technical stuff, not the dirty stuff…yet.) He uses this money to provide food and shelter for his family in Salt Lake City, Utah, where he is an active part of DC801, and a founding member of the 801 Labs hackerspace.

USB for all!

Jesse Michael Security Researcher

Mickey Shkatov Security Researcher

USB is used in almost every computing device produced in recent years. In addition to well-known usages like keyboard, mouse, and mass storage, a much wider range of capabilities exist such as Device Firmware Update, USB On-The-Go, debug over USB, and more. What actually happens on the wire? Is there interesting data we can observe or inject into these operations that we can take advantage of? In this talk, we will present an overview of USB and its corresponding attack surface. We will demonstrate different tools and methods that can be used to monitor and abuse USB for malicious purposes.

Jesse Michael has been working in security for over a decade and is currently a security researcher at a Fortune 50 company who spends his time causing trouble and finding low-level hardware security vulnerabilities in modern computing platforms.

Mickey Shkatov is a security researcher at a fortune 50 company covering a variety of topics in software, firmware and hardware. He also spend most of his time trying to find new ways to annoy Jesse.

ShareEnum: We Wrapped Samba So You Don’t Have To

Lucas Morris Manager, Crowe Horwath

Michael McAtee Senior Consultant, Crowe Horwath

CIFS shares can tell you a lot about a network, including file access, local administrator access, password reuse, etc.. Until now most people have relied on add-ons to scanning tools to implement Microsoft’s complicated network APIs. Some tools wrap existing clients, such as smbclient, or use RPC calls; however, this is inefficient. What we need is a scanner that utilizes the closest thing we can get to Microsoft’s SMB libraries to scan network shares efficiently and quietly. ShareEnum uses the underlying Samba client libraries to list shares, permissions, and even recurse down file trees gathering information including what is stored in each directory.

Lucas is a manager responsible for leading application security assessments and penetration testing services to various clients at Crowe Horwath LLP. Lucas is responsible for developing the methodology infrastructure reviews, penetration testing services and to aid clients in developing strategies for secure technologies within corporate environments. He also focuses on developing new tools, resources, and research within the Crowe Technology Risk consulting group. For the past seven years Lucas has been working on penetration testing, security program design, application security testing, and information security assessment testing annually.

Michael is a senior security consultant at Crowe Horwath and responsible for management of Crowe's Security Penetration & Forensics labs. With a passion for programming and security, Michael has been involved in developing security tools for automation and assessment needs at Crowe. Michael's experience includes enterprise Windows administration, enterprise network design, penetration testing, and security consulting and is part of over 35 security engagements annually.

An Introduction to Back Dooring Operating Systems for Fun and Trolling

Nemus Security Researcher

So you want to setup a back door? Have you ever wondered how its done and what you can do to detect back doors on your network and operating systems? Ever wanted to setup a back door to prank a friend?. This presentations will do just that. We will go over the basics of back doors using SSH, NET CAT, Meterpreter and embedding back doors into custom binaries along with the logistics of accessing them after they are in place.

Nemus is a security enthusiast at night and spends his days working in the payment card industry developing RESTFul APIs for bill pay using cash payments. Lance works with open source systems, and enjoys setting up and hardening Linux systems. He has over 11 years of experience working in information technology focusing on system administration and software development and has begun to focus his career on information security. He developed a love for security at Salt Lake Community College after being immersed into it by his professors. Nemus help found the Defcon 801 hackerspace and currently holds the position on the board of directors for 801 Labs, which is the corporation that runs the DC801 hackerspace located in downtown Salt Lake City.

Twitter: @Lost_Nemus

Panel - Diversity in Information Security

Jennifer Imhoff-Dousharm Informatics student, co-organizer of theSummit, NCWIT affiliate member

Sandy “Mouse” Clark Security Researcher and part-time Phd. candidate

Kristin Paget

Jolly Full time hacker

Vyrus Independent Security Consultant

Scott Martin CIO Spikes Security

Discussion from the point of view of a diverse panel of leading representatives currently in or thinking of becoming part of the Information Security industry. This panel will give you insight to the evolutionary landscape of diversity in the hacking community. We will present statistical evidence showing the lack of sub-culture representation in the hacking community and while these numbers have been decreasing we can still work to encourage cultural variance. By analyzing how diversity is critical to improving the information security industry we will explore positive approaches to encourage recruiting and retention of deficient subcultures, removing of unconscious bias’ and discouraging inclusiveness, and introduce the audience to a wide variety of existing support structures. There will be no witch hunt here, there will be no judgement, only information. All of this and more will be answered with open and honest dialogue into one of the most controversial issues currently within our community.

Jennifer Imhoff-Dousharm - Lil Jinni is currently a student of informatics and network security. She is a primary coordinator for Vegas 2.0 and co-founder/principal of the Cuckoo's Nest hacker space. She is an affiliate member of NCWIT and avid participant in many local women in tech groups. When not studying, planning theSummit fundraiser, or herding hackers, she spends her free cycles as a Curiosity Hacked guild leader and Kitchen OverLord contributor.

Twitter: @lil_jinni

Sandy Clark (Mouse) is a security researcher and part-time Phd. candidate in the Distributed Systems Lab at the University of Pennsylvania and is advised by Matt Blaze and co-advised by Jonathan Smith. Her research focuses on understanding the mechanisms involved in the computer security Arms Race, and in modeling the cyber-security eco-system. Early in her career, she wrote the back-up flight control computer for the US Air Force F-16 aircraft, and a gate-level software simulator for NASA), after several years as a sys-admin for Princeton University, she ended up in the hacker community. It was at a hackercon that someone introduced her to Matt Blaze and he invited her to come hang around his lab at Penn. Her first project was breaking wiretap systems and with its success and after much encouragement and mentoring, she got the courage to enroll as a student. It is taking much longer for her to get her degree than she thought (going back to school is hard as a grownup), but definitely worth it!

Her broad experience, excessive curiosity and ability to make connections from many different areas is leading to some interesting new ways to think about systems security. She's still an active member of the hacker community and considers it one of her missions in life to bridge the gap between hackers and academia.

Sandy can be reached at or

Kristin Paget - Princess Kristin hacks hardware, software, networks, radios, people, the law, herself, and society - and she’s still getting warmed up. She’s been hacking things ever since she heard that POKE 35136,0 gave her infinite lives in Manic Miner, and she's truly thrilled to be returning to Def Con after taking a couple of years off the speaking circuit to de-anonymize her brain.

Twitter: @KristinPaget

Jolly - Hacker, Photographer and conference addict. Jolly has previously been a back to back winner of Hacker Fortress. In the past 2 years he has not stayed in any one place more than 11 days. His team, Jolly and Friends, has won Capture the Flag. Avid health nut. Loves taking advantage of vendors easy contests to win prizes at conferences.

Twitter: @Jolly

Carl "Vyrus" Vincent is a self-proclaimed nerd who learned to build radios from his grandfather, a fellow nerd who worked in the aerospace industry. Carl first attended Def Con as a teenager and earned money doing small IT projects while still in high school. Today he his an independent security consultant.

Twitter: @vyrus001

Scott Martin is currently CIO of Spikes Security and formerly the Director of Firewall Operations for Symantec Corporation. He works throughout the Silicon Valley advising various startups and is the Committee Chair for Donations and Community Outreach for Vegas 2.0

Android Hacker Protection Level 0

Tim Strazzere Lead Research & Response Engineer

Jon Sawyer CTO of Applied Cybersecurity LLC

Obfuscator here, packer there - the Android ecosystem is becoming a bit cramped with different protectors for developers to choose. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear, after drinking all the cheap wine two Android hackers have attacked all the protectors currently available for everyones enjoyment! Whether you've never reversed Android before or are a hardened veteran there will be something for you, along with all the glorious PoC tools and plugins for your little heart could ever desire.

Tim "diff" Strazzere is a Lead Research and Response Engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include having reversing the Android Market protocol, Dalvik decompilers and memory manipulation on mobile devices. Past speaking engagements have included DEFCON, BlackHat, SyScan, HiTCON and EICAR.

Jon "Justin Case" Sawyer - 31 yr old father of four, and CTO of Applied Cybersecurity LLC. Jon likes to spend his nights with a fine (cheap) glass of wine, writing exploits for the latest Android devices. When not researching vulnerabilities or writing exploits, he dabbles in dalvik obfuscation.

Standing Up an Effective Penetration Testing Team

Wiseacre (Mike Petruzzi)

Many talks give you information on how to be a better penetration tester. The majority are technical talks on improving techniques or learning new tools. This talk aims to teach the attendees the techniques and pitfalls of putting together a penetration team. It goes beyond identifying the right people to be on the team and the talk explores the concepts of planning, performing and reporting the test. The talk also looks at getting to the root of a client’s problem and how to be paid to return.

Mike Petruzzi has been hacking managers for over 25 years. Mike is a Senior Cyber Security Penetration Testing Specialist working at a Federal civilian agency for the last 10 years.. Yup, that's the title he was given. Prior to that, he worked at SAIC for five years performing penetration tests, risk assessments and certification and accreditation. Naturally, he got all his IT experience as the result of selling beer, wine and liquor. He has tricked everyone into believing that he can do anything at all.

Twitter: @wiseacre_mike

Data Protection 101 - Successes, Fails, and Fixes

PTzero (Peter Teoh)

Don't be a Target! How do you protect your organization's data assets? If you're dealing with customers you will likely have their personally identifiable information (PII). Even if you don't have customer data, your HR department will definitely have employees' personal data. What about other sensitive documents like source code, business strategy, etc.?

If you're new to Data Protection (a.k.a. Data Loss Prevention), this presentation will walk you through the basics of how to set up your own successful program. We will also walk through other techniques beyond traditional Data Protection that will enhance your security posture.

Peter Teoh was thrust into the world of data protection in 2010. After learning how to spell DLP, he went on to successfully design and build his company's data loss prevention program from scratch. He is a jack of all trades at heart having implemented firewalls, DNS/DHCP services, email systems, web proxies, and VPNs, among other things. This is his fourth year at DEF CON and first year presenting.

Twitter: @pteoh

Anatomy of a Pentest; Poppin' Boxes like a Pro


Are you excited about hacking and want to be a pentester in the next few years? Let this talk be your guide in understanding what is required to effectively assess a network and all of its associated components. We’ll review subjects ranging from assessment toolsets, environment configurations, timelines, what to do when you’ve accidentally brought down the entire finance department, and how to gently handle the situation when you tell the CIO his baby is ugly.

These techniques and processes can are geared towards to your typical penetration testing processes. The talk has been structured so that not only veterans can benefit from the processes, but the newer/aspiring pentesters can establish a solid foundation for their own work! Hack on.

PushPin is an uptight, perfectionist, who is very rarely content working with idiots and enjoys his Jell-O Pudding cups. He can neither confirm nor deny working for any of the three letter agencies that oversee WMDs, high energy weapons [LASERS, YO], and play around with other countries. It is literally impossible to see him without his laptop at any given time during the day and has been told frequently to put it away in public; otherwise, you’ll find him at work devoid of any form of social life. I hate you all, seriously..

Twitter: @X72

Blinding The Surveillance State

Christopher Soghoian Principal Technologist, American Civil Liberties Union

We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.

Christopher Soghoian is a privacy researcher and activist, working at the intersection of technology, law and policy. He is the Principal Technologist with the Speech, Privacy and Technology Project at the American Civil Liberties Union. Soghoian completed his Ph.D. in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers.

Bug Bounty Programs Evolution

Nir Valtman Enterprise Security Architect

Bug bounty programs have been hyped in the past 3 years, but this concept was actually widely implemented in the past. Nowadays, we can see big companies spending a lot of money on these programs, while understanding that this is the right way to secure software. However, there are lots of black spots in these programs which most of you are not aware of, such as handling with black hat hackers, ability to control the testers, etc. Henceforth, this presentation explains the current behaviors around these programs and predicts what we should see in the future.

Nir is employed by NCR Corporation as Enterprise Security Architect of NCR Retail, and also works as co-founder and CTO in his start-up company, Crowdome. Before the acquisition of Retalix by NCR, Nir was the Chief Security Officer of R&D in the company. As part of his previous positions in the last decade, he has worked as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant and a Technological Trainer. While in these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing, and development for personal\internal applications. In addition, Nir released an open source anti-defacement tool called AntiDef and has written a publication about QRbot, an iPhone QR botnet POC he developed.

Nir has a BSc in computer science, but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities.

Practical Foxhunting 101

Adam Wirth (SimonJ) Communications Systems Engineer, MasterPeace Solutions LTD

The basic skills needed to quickly locate wireless emitters are easy to learn and no special equipment is required. Despite this, relatively few people have the know-how to put their equipment to work locating emitters as part of penetration testing, RF environment mapping, or tracking their geriatric neighbors using the emanations from their pacemakers. In this talk, you'll learn simple techniques for finding wireless emitters in the environment using readily-available equipment, and how to select and configure foxhunting gear. You'll also get a brief introduction to some more-advanced topics and techniques.

Adam Wirth
(SimonJ) is a wireless communications software and systems engineer with more than 15 years professional experience. He has spent the majority of his career working on esoteric wireless communications for even-more-esoteric purposes, including RF emitter geolocation. He won both the foxhunting challenges in the WiFi Pentathlon at DEFCON 21 using nothing but an unrooted Android tablet, and wants more of a challenge this year.

Client-Side HTTP Cookie Security: Attack and Defense

David Wyde Software engineer, Cisco

HTTP cookies are an important part of trust on the web. Users often trade their login credentials for a cookie, which is then used to authenticate subsequent requests. Cookies are valuable to attackers: passwords can be fortified by two-factor authentication and "new login location detected" emails, but session cookies typically bypass these measures. This talk will explore the security implications of how popular browsers store cookies, ways in which cookies can be stolen, and potential mitigations.

David Wyde is a security researcher at Cisco Systems, with a background in web application development. His favorite type of cookie is double chocolate chip, but HTTP cookies are a close second. When he's not working with software, he enjoys playing chess, dodgeball, ping pong, and N64 Super Smash Bros.


The Making of DEFCOIN

Xaphan (Jeff Thomas)

Beaker (Seth Van Ommen)

Anch (Mike Guthrie)

If the Juggalos can do it why can't we? We will discuss what it took to create DEFCOIN, the pitfalls we ran into along the way, how many times we had to reset the block chain before release (oops) and even what a block chain and other funny words like that mean. Come learn the basics of crypto-currencies, what they are, how they work and watch us attempt to show how real money and electricity is converted to fake money and heat. | @defcoin

Xaphan is a "Senior Cyber Security Penetration Testing Specialist" for the US Department of Energy. He has been a penetration tester for 16 years, but maintains his sanity with a variety of distractions. This is his 15th defcon, but the first time he has done ANYTHING that requires effort or commitment while in Las Vegas.

Twitter: @slugbait

Beaker is an odd creature even by DEF CON standards. If Hunter S Thompson, Tesla, and a spork had a love child this would approximate the Beaker. He’s spent his working life diddling computers for various organizations from early startups to three letter agencies and is still amazed this produces a paycheck. Beaker is known for mixing interesting chemicals within Beaker which often results in projects of unlikely completion

Twitter: @swordofomen

Anch is the lead for the Chickasaw Nation Industries Red Team performing penetration tests, and accreditation's for the public and private sector.

Anch has 11 years experience in cyber security. He was the Network Security Architect at a major power administration. At Mentor Graphics he spent time as a network engineer providing enterprise networking, firewall and VPN support for a global network comprising of 72 connected sites worldwide. He has been involved in or lead over 75 penetration tests on over 200 networks.

Anch's background related to control systems is unrivaled in the bulk power generation and transmission areas. During this time he developed unique perspectives on the areas of compliance and regulation in the power industry.

Twitter: @boneheadsanon

Paging SDR... Why should the NSA have all the fun?

Xaphan (Jeff Thomas)

n00bz (Jason Malley)

Remember pagers? Those things the dealers used in the first season of The Wire? Did you know that people still use them? Sure you may have turned off that old pager and put in your desk drawer, but that doesnt mean the back end infrastructure was turned off.

This talk will cover the basics of POCSAG/FLEX decoding using cheap SDR dongles and free software. We will also present examples of the kind of unencrypted data that is still being broadcast through the regional and national pager networks.

Xaphan is a "Senior Cyber Security Penetration Testing Specialist" for the US Department of Energy. He has been a penetration tester for 16 years, but maintains his sanity with a variety of distractions. This is his 15th defcon, but the first time he has done ANYTHING that requires effort or commitment while in Las Vegas.

Twitter: @slugbait

n00bz (or his n00bzness or el n00berino if you’re not into the whole brevity thing) pays the bills by working for a F100 company doing Compliance and IT Security Globally by way of Wall Street and D&T. He grew up tying up phone lines across South Florida with his Bosun whistle. His love for all things wireless are due to his love of software defined radio and hatred of getting up to change the TV channel when the remote was lost. He has spoken at DEF CON, HackMiami (%27), DerbyCon and when advised of his right to remain silent, plead the fif!

Twitter: @n00bznet


Bypass firewalls, application white lists, secure remote desktops under 20 seconds

Zoltán Balázs Chief Technology Officer at MRG Effitas

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.

I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.

Before MRG Effitas, he worked for 5 years in the financial industry as an IT Security expert, and for 2 years as a senior IT security consultant at one of the Big Four companies. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, consisting of POC malicious browser extensions for Firefox, Chrome and Safari. He has been invited to present at information security conferences worldwide including Hacker Halted USA, OHM, Hacktivity, Ethical Hacking, Defcamp.

He is a proud member of the team, 2nd runner up at global Cyberlympics 2012 hacking competition.

PropLANE: Kind of keeping the NSA from watching you pee

Rob Bathurst (evilrob)

Russ Rogers (russr)

Mark Carey (phorkus)

Ryan Clarke (L0stboy)

No one likes to be watched, especially on the Internet. Your Internet…habits are only for you to know, not ISPs, hotels, government agencies, your neighbor, that creepy guy down the street with the cantenna, or anyone else. With your privacy in mind; we’ve combined two things every good hacker should have, a Propeller powered DEF CON badge (DC XX in our case) and a somewhat sober brain to turn the DC badge (with some modifications) into an inline network encryption device. This modified badge, loving called the PropLANE, will allow you to keep your peer-to-peer network traffic away from the prying eyes of the aforementioned creepy guy down the street and impress all the cool hacker peoples of the gender you prefer.

Evilrob is a Security Engineer with over 13 years of experience with large network architecture and security engineering. His current focus is on network security architecture, tool development, and high-assurance encryption devices. He spends his waking moments contemplating new and terrible ways to make and break things as the Overlord of Engineering at Peak Security.

Phorkus is the starry eyed Chief Scientist of Peak Security, and a long time goon at DEF CON. He bends bits to his will, and dismays audiences with his whimsical narrations of physics, organic nutrition, and what it means to be god. He will amaze and astound. He's also very likely to confuse.

Russr is a security expert with over 20 years of experience, and has been an active member of the DEF CON community and staff for the past 17 years. He's the CEO and co-founder of Peak Security.

LosTboY is the puzzle master and badge lord for DEF CON. He's a coder, a hacker, and a fancy dresser. LosT is well known for his exploits, including the popular Mystery Box Challenge, and the amazing DEF CON badges.

Twitter: @PeakSec

Getting Windows to Play with Itself: A Hacker's Guide to Windows API Abuse

Brady Bloxham Principal Security Consultant, Silent Break Security

Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By analyzing (and abusing) the underlying functionality of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks bypassing the latest in protective defenses. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks that any good penetration tester and/or malware developer should know. :) To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.


Brady Bloxham is founder and Principal Security Consultant at Silent Break Security, where he focuses on providing advanced, custom penetration testing services. Brady started his career working for the various three letter agencies, where he earned multiple awards for exceptional performance in conducting classified network operations. Brady stays current in the information security field by presenting at various hacker conferences, as well as providing training on building custom offensive security tools and advanced penetration testing techniques. Brady also maintains the PwnOS project and holds several highly respected industry certifications. :)

Weaponizing Your Pets: The War Kitteh and the Denial of Service Dog

Gene Bransfield Principle Security Engineer at Tenacity Solutions, Inc.

WarKitteh: In my job I have to deliver frequent Information Security briefings to both technical and non-technical professionals. I noticed that as the material got more technical, I began to lose the non-technical crowd. Therefore, I started including humorous pictures of cats and made the briefings include stories about those cats. This worked, and I soon became notorious for my presentation style. After delivering one of those presentations, an audience member offered to lend me their cat tracking collar. The collar contained a GPS device and a cellular component and would track your cats movements throughout the neighborhood. Me being the guy I am, I thought “All you need now is a WiFi sniffing device and you'd have a War Kitteh.” I laughed, and started working on it.

DoS Dog: With apologies to LadyMerlin (who has since blessed the project) I attended Outerz0ne one year and LadyMerlin brought her dog. They had labeled the puppy the “Denial of Service Dog” as the pooch demanded so much attention that it was impossible to complete any task other than petting the dog. I thought that if you loaded a doggie backpack with different equipment (e.g. a Pineapple) you could create a Denial of Service Dog of a different kind.

Gene Bransfield is a Principle System Security Engineer with Tenacity Solutions Inc. In his 20 years of Information Systems and Cyber Security experience he has performed penetration testing and security compliance assessments; he has authored security policy; and has provided information security consulting to government and civilian clientèle. He has a Masters Degree in Information Security and Assurance from George Mason University and maintains several industry certifications. He is a husband, a father, and a dog owner. Despite subject material, he does not own a cat.

Through the Looking-Glass, and What Eve Found There

Luca "kaeso" Bruno Research Engineer, Eurecom

Mariano "emdel" Graziano Ph.D. Student, Eurecom

Traditionally, network operators have provided some kind of public read-only access to their current view of the BGP routing table, by the means of a "looking glass”.

In this talk we inspect looking glass instances from a security point of view, showing many shortcomings and flaws which could let a malicious entity take control of critical devices connected to them.

In particular, we will highlight how easy it is for a low-skilled attacker to gain access to core routers within multiple ISP infrastructures.

Luca is currently a research engineer at Eurecom in Sophia-Antipolis (FR). He graduated as a Systems and Networks Engineer at Telecom Paristech and Politecnico di Torino, and is a Debian Developer and an active FLOSS evangelist. Luca's research area includes security of embedded devices, Internet core infrastructure and mobile networks (GSM/LTE).

Twitter: @lucabruno

Mariano is currently a Ph.D. student in the Software and Systems Security group of Eurecom in Sophia-Antipolis (France). He earned a Master of Science in Computer and Communication Networks from Politecnico di Torino (Italy). Mariano is interested in challenging security researches, ranging from hypervisors to backbone routers.

Twitter: @emd3l

Summary of Attacks Against BIOS and Secure Boot

Yuriy Bulygin Chief Threat Architect, Intel Security

Oleksandr Bazhaniuk Security Researcher, Intel Security

Andrew Furtak Security Researcher, Intel Security

John Loucaides Security Researcher, Intel Security

A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as secure boot, OS loaders, and SMM. Windows 8 Secure Boot provides an important protection against bootkits by enforcing a signature check on each boot component.

This talk will detail and organize some of the attacks and how they work. We will demonstrate a full software bypass of secure boot. In addition, we will describe underlying vulnerabilities and how to assess systems for these issues using chipsec (, an open source framework for platform security assessment. We will cover BIOS write protection, forensics on platform firmware, attacks against SMM, attacks against secure boot, and various other issues. After watching, you should understand how these attacks work, how they are mitigated, and how to test a system for the vulnerability.

Yuriy Bulygin is a Chief Threat Architect. Over the past 8 years he has enjoyed analyzing the security of everything from OS to CPU microcode and hardware. He is now leading a security threat research team, advancing research in security threats to modern PC, mobile, and embedded platforms and protections.

Twitter: @c7zero

Oleksandr Bazhaniuk is a security researcher and reverse engineer with background in automation of binary vulnerability analysis. He is also a co-founder of DCUA, the first DEF CON group in Ukraine.

Twitter: @ABazhaniuk

Andrew Furtak is a security researcher focusing on security analysis of firmware and hardware of modern computing platforms and a security software engineer in the past. Andrew holds a MS in Applied Mathematics and Physics from the Moscow Institute of Physics and Technology.

John Loucaides is a security researcher who is currently focusing on responding to platform security issues. He has performed security analysis for a wide variety of targets from embedded systems to enterprise networks, developing repeatable methods for improving assurance.

I am a legend: Hacking Hearthstone with machine learning

Elie Bursztein Security Researcher, Google

Celine Bursztein Founder, PetSquare

Want to become a legend at Hearthstone -- Blizzard's new blockbuster collecting card game -- or simply learn how to play better? Then pull up a chair by the hearth and join us for a talk about Hearthstone mechanics and how to improve your chance of winning using machine learning and data mining. This talk is packed with examples that show how to use the tools that we are releasing at Defcon.

First, we will show you how to uncover the most undervalued cards by building a pricing model reflecting the cards' abilities. Next we will explain how decks can be optimized by tweaking their mana curve to maximize mana efficiency. Finally, we will cover how to predict with relatively good accuracy what opponents are likely to play turn-by-turn by data-mining game replays and building a predictive model that uses that information.

Even if you've never heard of Hearthstone before (shame on you!), you should still come to to the talk. That's because it's fun and the techniques discussed can help you improve your performance on other collectible cards games including Magic.

Elie leads Google's anti-abuse research, where he invents new ways to protect the company's users against cyber-criminal activities and Internet threats. He recently redesigned Google's CAPTCHA to make it easier, and made Chrome safer and faster by implementing better cryptography. Hacking games has been a long time hobby for Elie, who spends far too much time playing Hearthstone and Starcraft. He even managed to turn his passion for games to defcon talks, research papers and won a best paper award for his work on map-hacking. Born in Paris, France, Elie wears berets and love to do cards tricks when in good company.

Celine is the founder of PetSquare, a Silicon Valley startup dedicated to animals and their owners. She's crazy about animals and building a product about them was a great way to combine her biology and engineering skills (she holds a PhD in biology and a master's degree in computer science). When Celine is not busy visiting every zoo on the planet or playing Diablo 3 and Hearthstone, she picks every lock she can. She discovered this lockpicking passion when she successfully cracked her father's safe at the tender age of 7.

The Secret Life of Krbtgt

Christopher Campbell Security Researcher

A tale of peril and woe, Krbtgt is the domain account that you just can't quit. Quiet and harmless, it has been with your enterprise since you first installed Active Directory. Although disabled, it has witnessed years of poor configurations, remote code execution vulnerabilities and bad administrator passwords. Come hear Krbtgt's story and see why its days should be numbered. If you don't laugh, you'll cry. This talk is targeted at Windows administrators, penetration testers and incident handlers and will explore why Microsoft's implementation of Kerberos is not the answer to its many credential problems.

Chris is a security practitioner with over a decade of experience attacking and securing enterprise networks. Currently, he is a security researcher and developer for the Harris Corporation. Formerly, Chris spent over 12 years in the U.S. Army Reserve and spent four years as an operator in the Computer Exploitation section of the U.S. Army Red Team. He has a Master of Science in Information Assurance from Capitol College and holds several industry certifications that he’d prefer you not hold against him. Chris is one of the developers of PowerSploit and has given presentations at BlackHat USA, Derbycon, Shmoocon Firetalks and multiple Bsides events. He maintains a blog at and is active on twitter (@obscuresec).

The $env:PATH less Traveled is Full of Easy Privilege Escalation Vulns

Christopher Campbell Security Researcher

15 years after APT was released for Linux, Microsoft is finally going to ship Windows with a package manager! Windows PowerShell OneGet is the easiest and fastest way to install applications and will be a fundamental part of how Microsoft wants you to administer your enterprise. In this talk we will go over OneGet, Nuget and Chocolatey and observe some of the security problems that will have to be overcome before widespread adoption. We will go over the hundreds of privilege escalation vulnerabilities that were found in the over 1800 unique packages that are already available on the repository server. We will also demo vulnerabilities against one of the package managers and PowerShell itself. Come see how to find third-party privilege escalation bugs at scale with the newest addition to PowerSploit.

Chris is a security practitioner with over a decade of experience attacking and securing enterprise networks. Currently, he is a security researcher and developer for the Harris Corporation. Formerly, Chris spent over 12 years in the U.S. Army Reserve and spent four years as an operator in the Computer Exploitation section of the U.S. Army Red Team. He has a Master of Science in Information Assurance from Capitol College and holds several industry certifications that he’d prefer you not hold against him. Chris is one of the developers of PowerSploit and has given presentations at BlackHat USA, Derbycon, Shmoocon Firetalks and multiple Bsides events. He maintains a blog at and is active on twitter (@obscuresec).

Hacking US (and UK, Australia, France, etc.) traffic control systems

Cesar Cerrudo CTO, IOActive Labs

Probably many of us have seen that scene from "Live Free or Die Hard" (Die Hard 4) were the "terrorist hackers" manipulate traffic signals by just hitting Enter key or typing a few keys, I wanted to do that! so I started to look around and of course I couldn't get to do the same, that's too Hollywood style! but I got pretty close. I found some interesting devices used by traffic control systems on important cities such as Washington DC, Seattle, New York, San Francisco, Los Angeles, etc. and I could hack them :) I also found that these devices are also used in cities from UK, France, Australia, China, etc. making them even more interesting. This presentation will tell the whole story from how the devices were acquired, the research, on site testing demos (at Seattle, New York and Washington DC), vulnerabilities found and how they can be exploited, and finally some possible NSA style attacks (or should I say cyberwar style attacks?) Oh, I almost forgot, after this presentation anyone will be able to hack these devices and mess traffic control systems since there is no patch available (sorry didn't want to say 0day ;)) I hope that after this I still be allowed to enter (or leave?) the US

Cesar Cerrudo is CTO at IOActive Labs where he leads the team in producing ongoing cutting edge research in the areas of SCADA, mobile device, application security and more. Formerly the founder and CEO of Argeniss Consulting, acquired by IOActive, Cesar is a world renown security researcher and specialist in application security.

Throughout his career, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. In addition, Cesar has authored several white papers on database, application security, attacks and exploitation techniques and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, EkoParty, FRHACK, H2HC, Defcon, Infiltrate, etc. Cesar collaborates with and is regularly quoted in print and online publications including eWeek, ComputerWorld, and other leading journals.

Twitter: @cesarcer

The Cavalry Year[0] & a Path Forward for Public Safety

Joshua Corman CTO, Sonatype

Nicholas J Percoco VP Strategic Services, Rapid7

At DEF CON 21, The Cavalry was born. In the face of clear & present threats to "Body, Mind & Soul" it was clear: The Cavalry Isn't Coming... it falls to us... the willing & able... and we have to try to have impact. Over the past year, the initiative reduced its focus and increased its momentum. With a focus on public safety & human life we did our best "Collecting, Connecting, Collaborating" to ensure the safer technology dependence in: Medical, Automotive, Home Electronics & Public Infrastructure. We will update the DEF CON hearts & minds with lessons learned from our workshops & experiments, successes & failures, and momentum in industry and with public policy makers. Year[0] was encouraging. Year[1] will require more structure and transparency if we are to rise to these challenges... As a year of experimentation comes to an end, we will share where we've been, take our licks, and more importantly outline a path forward...

Joshua Corman is the Chief Technology Officer for Sonatype. Previously, Corman served as a security researcher and strategist at Akamai Technologies, The 451 Group, and IBM Internet Security Systems. A respected innovator, he co-founded Rugged Software and IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations and social impact has helped position him as one of the most trusted names in security. He is also an adjunct faculty for Carnegie Mellon’s Heinze College, IANS Research, and a Fellow at the Ponemon Institute. Josh received his bachelor's degree in philosophy, graduating summa cum laude, from the University of New Hampshire.

Twitter: @joshcorman

Nicholas J. Percoco is vice president of strategic services at Rapid7. In his role he leads a team that advises customers on how to mitigate and respond to threats using data driven analysis to empower more relevant, timely, and impactful decisions. Over the past decade, Nicholas has presented security research with a focus on custom malware, mobile devices, and data breach trends to audience all over the world including a Keynote at RSA Conference 2013, TEDx Naperville, and eights previous talks at DEF CON. When he is not on an airplane or working with customers, he enjoys running the THOTCON hacking conference in Chicago, trying new and interesting craft beers, and being a founding member of the Cavarly movement. Prior to Rapid7, he ran SpiderLabs at Trustwave before taking a few months off to explore the Great Pit of Carkoon on Tatooine. Now that he is back on planet Earth, you can find him on Twitter as "c7five".

Follow @iamthecavalry on Twitter.

NSA Playset: DIY WAGONBED Hardware Implant over I2C

Josh Datko Founder, Cryptotronix, LLC

Teddy Reed Security Engineer

In this talk we present an open source hardware version of the NSA's hardware trojan codenamed WAGONBED. From the leaked NSA ANT catalog, WAGONBED is described as a malicious hardware device that is connected to a server's I2C bus. Other exploits, like IRONCHEF, install a software exploit that exfiltrate data to the WAGONBED device. Once implanted, the WAGONBED device is connected to a GSM module to produce the NSA's dubbed CROSSBEAM attack.

We present CHUCKWAGON, an open source hardware device that attaches to the I2C bus. With the CHUCKWAGON adapter, we show how to attach an embedded device, like a BeagleBone, to create your own hardware implant. We show how to add a GSM module to CHUCKWAGON to provide the hardware for the CROSSBEAM exploit. We improve the WAGONBED implant concept by using a Trusted Platform Module (TPM) to protect data collection from the target. The talk will demonstrate how these features can be used for good, and evil!

Josh Datko is the founder of Cryptotronix, an open source hardware company that designs and manufactures security devices for makers. After graduating from the U.S. Naval Academy, Josh served on a submarine where he was the radio communication officer and manager of the key management program. While an embedded software engineer for a defense contractor, he was recalled back to active duty for a brief tour in Afghanistan. In June, he completed his Master's of Computer Science from Drexel University with a focus on systems, security, and privacy. He founded Cryptotronix in 2013.

Twitter: jbdatko

Teddy Reed is a security engineer obsessed with network analysis and developing infrastructure security protections. He has held several R&D positions within US laboratories with focuses on enterprise security defense, system assessments, and system and hardware emulation.

Abuse of Blind Automation in Security Tools

Eric (XlogicX) Davisson Security Researcher

Ruben Alejandro (chap0) Security Researcher

It is impossibly overwhelming for security personnel to manually analyze all of the data that comes to them in a meaningful way. Intelligent scripting and automation is key. This talk aims to be a humorous reminder of why the word “intelligent” really matters; your security devices might start doing some stupid things when we feed them.

This talk is about abusing signature detection systems and confusing or saturating the tool or analyst. Some technologies you can expect to see trolled are anti-virus, intrusion detection, forensic file carving, PirateEye (yep), grocery store loyalty cards (huh?), and anything we can think of abusing.

Expect to see some new open-source scripts that you can all use. The presenters don't often live in the high-level, so you may see the terminal, some hex and bitwise maths, raw signatures, and demonstrations of these wacky concepts in action. We don't intend to present dry slides on “hacker magic” just to look 1337. We want to show you cool stuff that we are passionate about, stuff we encourage everyone to try themselves, and maybe inspire new ideas (even if they're just pranks...especially).

Eric has obtained degrees in computer engineering, business, and criminal justice. He has SANS certifications for GCIH, GCIA and is currently studying for GREM. This isn't so important to Eric, however, this is the type of thing we like seeing in bios.

His interest is in the obscure. While having a basic grip on the general XSS, SQLi, Buffer Overflow (OWASP top whatever), he finds obscurity much more interesting; it's true adventure to him. He enjoys all things low level (and would argue all hackers should), this means he has an “amateur” background in embedded/assembly and does some ignorant EE stuff. He also tries to replace every script with a well crafted regular expression.

Eric currently resides in Phoenix Arizona. He is active in his local 2600 community. Finally, he has fond memories of DEFCON at Alexis Park.

Twitter: @XlogicX

Ruben Alejandro has professional experience in security along with some of the certifications that come with it. His interests a geared to the offensive side of security; he's made some contributions to metasploit and exploitdb. He is really into the community and doesn't want to bore anyone with anymore InfoSec in this bio, he just looks forward to chatting with everyone at the con and having a good time.

Twitter: @_chap0

Elevator Hacking - From the Pit to the Penthouse

Deviant Ollam The CORE Group

Howard Payne The CORE Group

Throughout the history of hacker culture, elevators have played a key role.  From the mystique of students at MIT taking late-night rides upon car tops (don't do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it's easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored.  This talk will be an in-depth explanation of how elevators work... allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!

While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Deviant runs the Lockpicking Village with TOOOL at HOPE, DEFCON, ShmooCon, etc, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the United States Military Academy at West Point, and the United States Naval Academy at Annapolis. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Twitter: @deviantollam, @TCGsec

Howard Payne is an elevator consultant from New York specializing in code compliance and accident investigations. He has logged over 9,000 hours examining car-tops, motor rooms, and hoistways in cases ranging from minor injuries to highly-publicized fatalities, and has contributed to forensic investigations that have been recognized by local, State, and Federal courts. Howard has appeared on national broadcast television making elevators do things they never should. When he's not riding up and down high-rise hoistways, he moonlights as a drum and bass DJ and semi-professional gambler. His favorite direction is Up and his favorite elevator feature is riot mode.

Twitter: @SgtHowardPayne

Why Don’t You Just Tell Me Where The ROP Isn’t Suppose To Go

David Dorsey Lead Security Researcher at Click Security

Using a ROP chain to bypass operating system defenses is commonplace and detecting this technique while executing is still difficult. This talk will discuss a method built on Intel’s dynamic binary instrumentation tool, Pin, to dynamically detect ROP attacks against the Microsoft Windows operating system. The method is designed to detect ROP attacks that use the return instruction and the indirect call instruction. We will discuss how we determine if a return or indirect call is jumping to a valid location. Then we will show examples of the method working, discuss its effectiveness, and its limitations. After the talk, the source code for the pintool will be released.

David has been in the security industry on the defensive side for nearly 10 years and has been focusing on file analysis for the last 5 years. He likes tearing apart shellcode and figuring out what the attack is trying to accomplish.

Steganography in Commonly Used HF Radio Protocols

Paul Drapeau Principal Security Researcher, Confer Technologies Inc.

Brent Dukes

Imagine having the capability to covertly send messages to an individual or a larger audience, without the need for large centralized infrastructure where your message could be observed, intercepted, or tampered with by oppressive governments or other third parties. We will discuss the opportunities and challenges with steganography implementations in widely used amateur radio digital modes, and present a proof of concept implementation of hiding messages within innocuous transmissions using the JT65 protocol. This technique could theoretically be used to implement a low cost, low infrastructure, covert, world wide short message broadcasting or point to point protocol. No messages in codes or ciphers intended to obscure the meaning thereof were actually transmitted over the amateur bands during the creation of this talk.

Paul Drapeau is currently the Principal Security Researcher for Confer Technologies Inc. He has held senior level IT security roles and consulted on information security topics for various organizations for over 15 years. Paul has a bachelor's degree in computer science from the University of Rhode Island and has been licensed as an amateur radio operator since 1986.

Brent Dukes has a decade of experience working in software and systems engineering roles. He spends his nights tied to various hardware hacking projects sitting in pieces all over his lab, and participating in CTFs. His idea of fun is reverse engineering and modifying toys and consumer electronics for the purposes of good. Brent has been a licensed amateur radio operator since 2006.

Paul Drapeau - Twitter: @pdogg77
Brent Dukes - Twitter: @TheDukeZip

Saving Cyberspace by Reinventing File Sharing


Internet access is a basic human right, due to its unparalleled capacity to deliver content and information. Recently, our right to share files online has been under assault by governments, corporations, and others who fear openness and personal privacy rights. People have been persecuted, fined, and even imprisoned for simply sharing data electronically. As private conversations transition from the home to the web, we're losing our fundamental rights to privacy and personal beliefs.

While many of us believe that information should be and can be freely shared, we are not without blame. As experts in our fields we have at our disposal an arsenal of tools, experience, and technologies to open up the Internet for limitless file sharing without fear of retribution or loss of personal privacy and freedom. Saving cyberspace means that there are times when we need to break the mold of old and stale thinking – creating something new and beautiful that has the power to change the world.

This presentation is a free data manifesto, a historical analysis, and a recipe for creating a new approach to file sharing that's free from snooping, intervention, and interruption from all outside entities. If you've ever been concerned about the risks and insecurity of file sharing, make sure to attend. Understanding our right to share is the first step to changing the world.

Eijah is a Senior Programmer at a world-renowned game development studio. He has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. In his previous role, Eijah was a portfolio director and software security expert in the financial service industry. Eijah has been an adjunct faculty member at multiple colleges, has spoken about security and development at conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

Twitter: @demon_saw

Empowering Hackers to Create a Positive Impact

Keren Elazari

In March 2014 I spoke at the annual TED conference about why hackers are a vital part of the information age. I claimed that the world actually needs hackers, and that they play an important social, political and technology role. At first I thought I will encounter objection, but I found out I was preaching to the choir. Surprisingly, many of the smart, powerful, rich people at TED thought hackers were just great. Then I realized: I was preaching to the WRONG choir. It’s the hackers who are the change agents, and the only ones who can make a difference when it comes to the future of the net. That’s why this talk will speak to the heart of the hacking community about the practical things hackers can do to create a positive impact on the world. Essentially, it’s about being a good hacker while staying out of jail and making the world a better place – with things like community outreach projects, crypto parties, voluntary red teams, responsible disclosure and stopping the spread of FUD.

Keren has been a key member of the Israeli Cyber Security & Hacking scene for the past 14 years. Since 2000, Keren has been employed with leading Israeli security firms, government organizations, Big 4 and Fortune 500 companies. Keren currently covers emerging security technologies as a security industry research analyst with GigaOM research. In 2014, Keren was invited to speak at the prestigious TED conference about the important social & political role of hackers. In recent years, Keren has been a featured speaker at events like DLD 2013, RSA Conference 2013, WIRED 2012 and the NATO International conference on Cyber Conflict. Keren holds a CISSP security certification, a BA in History and Philosophy of Science and is currently a research fellow and MA candidate with the prestigious Science, Security & Technology workshop at Tel Aviv University. In 2012, Keren held the position of Security Teaching Fellow with Singularity University, a private think tank in Mountain View, California.

Just What The Doctor Ordered?

Scott Erven Founder & President SecMedic, Inc

Shawn Merdinger Healthcare Security Researcher

You have already heard the stories of security researchers delivering lethal doses of insulin to a pump, or delivering a lethal shock to a vulnerable defibrillator. But what is the reality of medical device security across the enterprise? Join us for an in-depth presentation about a three-year independent research project, encompassing medical devices across all modalities inside today’s healthcare landscape. Think they are firewalled off? Well think again. Scarier yet, many remain Internet facing and are vulnerable to strategic attack with the potential loss for human life. And yes you will be amazed at what we found in just 1 hour! We will prove that an attacker can access medical devices at thousands of healthcare facilities from anywhere in the world with the potential loss of human life.

This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.

Scott Erven is a healthcare security visionary and thought leader; with over 15 years’ experience in Information Technology & Security. He is also the Founder and President of SecMedic, Inc. His research on medical device security has been featured in Wired and numerous media outlets worldwide. Mr. Erven has presented his research and expertise in the field internationally. He has been involved in numerous IT certification development efforts as a subject matter expert in Information Security. His current focus is research affecting human life and public safety issues inside today’s healthcare landscape.

Shawn Merdinger is a security researcher with 15 years' information security and IT experience.  He is founder of MedSec, a LinkedIn group focused on medical device security risks with over 500 members and has worked with Cisco Systems, TippingPoint, an academic medical center, and as a independent security researcher and consultant.  He's served as technical editor for 12 security books from Cisco Press, Pearson, Syngress and Wiley.  Shawn has presented original security research at DEFCON, DerbyCon, Educause, ShmooCon, CONfidence, NoConName, O’Reilly, IT Underground, InfraGard, ISSA, CarolinaCon and SecurityOpus.  He holds a master's from the University of Texas at Austin and two bachelor's from the University of Connecticut.

Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools </buzzwords>

Zack Fasel Managing Partner, Urbane Security

Many struggle in their job with the decision of what events to log in battle against costly increases to their licensing of a commercial SIEM or other logging solution. Leveraging the open source solutions used for "big-data" that have been proven by many can help build a scalable, reliable, and hackable event logging and security intelligence system to address security and (*cringe*) compliance requirements. We’ll walk through the various components and simple steps to building your own logging environment that can extensively grow (or keep sized just right) with just additional hardware cost and show numerous examples you can implement as soon as you get back to work (or home).

Zack Fasel is a Founding Partner at Urbane Security, a solutions-focused vendor-agnostic information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services. Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?).  More information on him can be found at and on Urbane Security at

Check Your Fingerprints: Cloning the Strong Set

Richard Klafter (Free) Senior Software Engineer, Optimizely

Eric Swanson (Lachesis) Software Developer

The web of trust has grown steadily over the last 20 years and yet the tooling that supports it has remained stagnant despite staggering hardware advancement. Choices that seemed reasonable 20 years ago (32bit key ids or even 64bit key ids) are obsolete. Using modern GPUs, we have found collisions for every 32bit key id in the strong set, with matching signatures and key-sizes (e.g. RSA 2048). Although this does not break the encryption the web of trust is built on, it further erodes the usability of the web of trust and increases the chance of human error. We will be releasing the tool we developed to find fingerprint collisions. Vanity GPG key anyone?

Richard Klafter is a senior software engineer at Optimizely specializing in web security. In his free time you’ll find him writing new software or breaking existing software. He coauthored scallion (, a vanity address generator for Tor’s hidden services.

Eric Swanson is a freelance software developer with a passion for netsec. He coauthored scallion, a vanity address generator for Tor’s hidden services.

Shellcodes for ARM: Your Pills Don't Work on Me, x86

Svetlana Gaivoronski PhD student, Moscow State University, Russia

Ivan Petrov Masters student, Moscow State University, Russia

Despite that it is almost 2014, the problem of shellcode detection, discovered in 1999, is still a challenge for researchers in industry and academia. The significance of remotely exploitable vulnerabilities does not seem to fade away. The number of remotely exploitable vulnerabilities continues to grow despite the significant efforts in improving code quality via code analysis tools, code review, and plethora of testing methods.

The other trend of recent years is the rise of variety of ARM-based devices such as mobile phones, tablets, etc. As of now the total number of ARM-based devices exceeds the number of PCs in times. This trend sometimes is terrifying as people trust almost all aspects of their lives to such digital devices. People care much more about convenience than security of the data. For example, mobile phones now knows our financial information, health records, keeps a lot of other private data. That's why ARM-based systems became a cherry pie for attackers.

There is a variety of shellcode detection methods that work more or less acceptable with x86-based shellcodes. There are even hybrid solutions that combine capabilities of existing approaches. Unfortunately, almost all of them focus on a fixed set of shellcode features, specific for x86 architecture. This work aims to cover this gap.

This work makes the following contributions:

  • • We provide an analysis of existing shellcode detection methods with regards to their applicability to shellcodes developed for ARM architecture. As a result, we show that most of existing algorithms are not applicable for shellcodes written for ARM. Moreover, the methods that work for ARM shellcodes produce too many false positives to be applicable for real-life network channels and 0-day detection.
  • • We analyzed available ARM-based shellcodes from public exploit databases, and identified a set of ARM shellcode features that distinguishes them from x86 shellcodes and benign binaries.
  • • We implemented our detectors of ARM shellcode features as an extension for Demorpheus[1] shellcode detection open-source library. The algorithm used for generation of detectors’ topology guarantees the solution to be optimal in terms of computational complexity and false positive rate.

Svetlana Gaivoronski is a PhD student at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Svetlana was a member of the Bushwhackers CTF team. Svetlana worked at Redsecure project (experimental IDS/IPS) at Moscow State University. At summer 2013 Svetlana worked in Microsoft Research on a botnets detection in clouds project. Now Svetlana works on shellcode-detection and DDoS-mitigation projects. Her primary interests are network worm propagation detection and filtering, shellcode detection, static and runtime analysis of malware, DDoS detection and filtering.

Twitter: @SadieSv

Ivan Petrov is a master student at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Ivan is an active member of Bushwhackers CTF team, which is the winner of iCTF competitions this year. Ivan works on shellcode-detection projects. His primary interests are mobile security and network security, including analysis of ARM-based malware.

Twitter: _IvanPetrov_

Blowing up the Celly - Building Your Own SMS/MMS Fuzzer

Brian Gorenc Zero Day Initiative, HP Security Research

Matt Molinyawe Zero Day Initiative, HP Security Research

Every time you hand out your phone number you are giving adversaries access to an ever-increasing attack surface. Text messages and the protocols that support them offer attackers an unbelievable advantage. Mobile phones will typically process the data without user interaction, and (incorrectly) handle a large number of data types, including various picture, audio, and video formats. To make matters worse, you are relying on the carriers to be your front line of defense against these types of attacks. Honestly, the mobile device sounds like it was custom built for remote exploitation.

The question you should be asking yourself is: How do I find weaknesses in this attack surface? This talk will focus on the "do-it-yourself" aspect of building your own SMS/MMS fuzzer. We will take an in-depth look at exercising this attack surface virtually, using emulators, and on the physical devices using OpenBTS and a USRP. To help ease your entry into researching mobile platforms, we will examine the messaging specifications along with the file formats that are available for testing. The value of vulnerabilities in mobile platforms has never been higher. Our goal is to ensure you have all the details you need to quickly find and profit from them.

Brian Gorenc is the manager of Vulnerability Research in HP's Security Research organization where his primary responsibility is running the world’s largest vendor-agnostic bug bounty program, the Zero Day Initiative (ZDI). He’s analyzed and performed root cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.

Brian’s current research centers on discovering new vulnerabilities, analyzing attack techniques, and identifying vulnerability trends. His work has led to the discovery and remediation of numerous critical vulnerabilities in Microsoft, Oracle, Novell, HP, open-source software, SCADA systems, and embedded devices. He has also presented at numerous security conferences such as Black Hat, DEF CON, and RSA.

Matt Molinyawe is a vulnerability analyst and exploit developer for HP’s Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability. He was also part of HP’s winning team at Pwn2Own/Pwn4Fun who exploited Internet Explorer 11 on Windows 8.1 x64. Prior to being part of ZDI, he worked at L-3 Communications, USAA, and General Dynamics – Advanced Information Systems.

In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. He also enjoys video games and has obtained National Hero status in QWOP and beat Contra using only the laser without dying a single time. Matt has a B.S. in Computer Science from the University of Texas at Austin.

Mass Scanning the Internet: Tips, Tricks, Results

Robert Graham

Paul McMillan

Dan Tentler

Scanning the net -- the entire net -- is now a thing. This talk will discuss how to do it, such as how to get an ISP that will allow scanning, tools to do the scanning (such as 'masscan'), tools to process results, and dealing with abuse complaints. We Internet, such as all the SCADA/ICS systems we've found. We've only scratched the surface -- the Dark Internet of Things is waiting for more things to be discovered. We expect the audience to have a working knowledge of existing portscanners, namely nmap.

Robert Graham is the CEO of Errata Security, a pentest/consulting firm. He's known for creating the first IPS, the BlackICE series of products, sidejacking, and masscan. In his spare time, he scans the Internet. He has been speaking at several conferences a year for the past decade.

Twitter: @erratarob

Paul McMillan is a security engineer at Nebula. He also works on the security teams for several open source projects. When he's not building or breaking clouds, he enjoys cocktails and photography.

Twitter: @paulm

Dan Tentler is Co-Founder of a pre-launch startup, a boutique Red Team and security services firm. Previously, Dan has been the sole proprietor of Aten Labs, a freelance Information Security consultancy firm in San Diego. He is often paid to be the bad guy. He's allergic to cyber.

Twitter: @viss

Deconstructing the Circuit Board Sandwich: Effective Techniques for PCB Reverse Engineering

Joe Grand aka Kingpin Grand Idea Studio

Printed Circuit Boards (PCBs), used within nearly every electronic product in the world, are physical carriers for electronic components and provide conductive pathways between them. Created as a sandwich of alternating copper and insulating substrate layers, PCBs can reveal clues about system functionality based on layout heuristics or how components are interconnected. By accessing each individual copper layer of a PCB, one can reconstruct a complete circuit layout or create a schematic diagram of the design.

In this presentation, Joe examines a variety of inexpensive, home-based solutions and state-of-the-art technologies that can facilitate PCB reverse engineering through solder mask removal, delayering, and non-destructive imaging. The work is based on Joe's Research and Analysis of PCB Deconstruction Techniques project performed as part of DARPA's Cyber Fast Track program.

Joe Grand is an electrical engineer and hardware hacker. He runs Grand Idea Studio ( and specializes in the design of consumer and hobbyist embedded systems. He created the electronic badges for DEFCON 14 through 18 and was a co-host of Discovery Channel's Prototype This. Back in the day, he was a member of the infamous hacker group L0pht Heavy Industries.

Twitter: @joegrand

Saving the Internet (for the Future)

Jason Healey Director, Cyber Statecraft Initiative, Atlantic Council

Saving the Internet (for the Future): Last year, the Dark Tangent wrote in the DC XXI program that the "balance has swung radically in favor of the offense, and defense seems futile." It has always been easier to attack than to defend on the Internet, even back to 1979 when it was written that "few if any security controls can stop a dedicated" red team. We all accept this as true but the community rarely ever looks at the longer term implications of what happens to the internet if one side has a persistent advantage year after year, decade after decade. Is there a tipping point where the internet becomes no longer a Wild West but Somalia, a complete unstable chaos where the attackers don't just have an advantage but a long-term supremacy? This talk will look at trends and the role of hackers and security researchers.

Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council, focusing on international cooperation, competition and conflict in cyberspace, and the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict, 1986 to 2012. He has worked cyber issues since the 1990s as a policy director at the White House, executive director at Goldman Sachs in Hong Kong and New York, vice chairman of the FS-ISAC (the information sharing and security organization for the finance sector) and a US Air Force intelligence officer. He is a board member of Cyber Conflict Studies Association, lecturer in cyber policy at Georgetown University and author of dozens of published essays and papers. Just in 2013 presented or spoke in Brussels, Rome, Istanbul, Reykjavik, London, Tallinn, Stockholm, Munich, Seoul, Bali, New York, New Orleans, Las Vegas, San Francisco, and Washington, DC.

Burner Phone DDOS 2 dollars a day : 70 Calls a Minute

Weston Hecker Sr Systems Security Analyst/ Network Security

Phone DDOS research. Current proof of concept is dealing with Samsung SCH-U365 QUALCOMM prepaid Verizon phone custom firmware was written that makes it into an anonymous DOS systems It Does PRL list hopping and several other interesting evasion methods. The new firmware allows two features one, you text it a number and it will spam call that number 70 times a min. till battery dies. All for 2 dollars a day. And second feature is that if a number that is in address book calls it, automatically picks up on speaker phone. Also ways to mitigate this attack with load balancing Call manager and Captcha based systems.

Weston is a Systems Network Analyst/Penetrations Tester/President of Computer Security Association of North Dakota, Tons of computer security certs, Studied Computer Science/Geophysics, 9 years Computer security experience, Disaster recovery, attended DEF CON since DEF CON 9

Tools. Weston has developed Custom plug ins for Scanning tools that are specific to ISP Gear ex. Calex, brocade more obscure ISP gear. Made custom “iPhone” enclosures for teensy 3.0 that I use on pen tests. Custom Arduino board RFID scanner attachment that mounts under workers chair and scans wallet.

twitter: @westonhecker

Hack All The Things: 20 Devices in 45 Minutes

CJ Heres Security Consultant

Amir Etemadieh Security researcher at Accuvant LABS

Mike Baker Co-Founder OpenWRT

Hans Nielsen Senior Security Consultant at Matasano

When we heard “Hack All The Things,” we took it as a challenge. So at DEF CON this year we’re doing exactly that, we’re hacking everything. We’ve taken all of our previous experience exploiting embedded devices and used it to bring you a presentation filled with more exploits than ever before™. This presentation will feature exploits for over 20 devices including but not limited to TVs, baby monitors, media streamers, network cameras, home automation devices, and VoIP gateways. Gain root on your devices, run unsigned kernels; it’s your hardware, it’s internet connected, and it’s horribly insecure.

We will also be following last year’s tradition of handing out free hardware to assist the community in rooting their devices. This year we will have a select number of eMMC adapters for presentation attendees.

Amir Etemadieh (@zenofex) is a Research Scientist on the R&D team at Accuvant LABS. Amir founded the GTVHacker group which has released public exploits for every device within the Google TV platform as well as multiple other non-Google TV devices including The Roku Media Player and The Google Chromecast. Prior to starting GTVHacker, Amir conducted independent research on a long list of consumer devices and is currently listed on multiple "Security Hall of Fame" pages for successfully completing bug bounties.

CJ Heres (@cj_000) is an IT systems manager and security consultant who works with a simple philosophy: using a simple approach, one can solve most complex problems. CJ's recent work has been heavily focused on consumer electronics including Blu-Ray players, thermostats, Smart TVs, media streaming devices such as the Roku and Google TV, DVR's, and everything inbetween. CJ has previously spoken at DEF CON 20 and 21, as well as B-Sides Boston 2013.

Mike Baker (@gtvhacker) (AKA [mbm]) is a firmware developer, better known as the Co-Founder behind OpenWrt. He hacks stuff.

Hans Nielsen (@n0nst1ck) is a security wizard at Matasano Security. When he isn't busy protecting your in-house and external applications from evil, he enjoys writing software, hacking apart consumer electronics, designing prototype boards. Hans is a tinkerer at heart with an ability to quickly reverse and/or design hardware and software through whatever means necessary.

What the Watchers See: Eavesdropping on Municipal Mesh Cameras for Giggles (or Pure Evil)

Dustin Hoffman Senior Engineer, Exigent Systems Inc.

Thomas (TK) Kinsey Senior Engineer, Exigent Systems Inc.

Municipalities across the nation are deploying IP-based 802.11 wireless mesh networks for city-wide services, including cameras and microphones for police monitoring, and remote audio broadcasting. Once deployed, the standards-based nature of these networks make it easy for cash-strapped cities to use them for all manner of other IP-based services too.

In this presentation we examine a deployed and operational municipal mesh network designed by LeverageIS using Firetide hardware and Firetide's proprietary Firetide Mesh (formerly "Automesh") wireless mesh protocol. In the process, we decode the previously undocumented mesh protocol enough to (1) "tune in" to live feeds from the various cameras positioned across the city, just like we were in police headquarters, and (2) inject arbitrary video into these streams. There's a demo site for you to see the municipal camera streams for yourself, and our code is included. We'll cover wireless mesh networks and other basic theory, so no prior technical knowledge is required.

Dustin Hoffman is the president and senior engineer of Exigent Systems Inc., an IT services firm. He’s interesting in how all kinds of complex systems work and interact, whether technical, organizational, legal, or economic. It often involves otherwise public data used in non-obvious ways.

Thomas (TK) Kinsey is a senior engineer at Exigent Systems Inc. You'll find him breaking things and (usually) putting them back together. High School "IT Guy" -> PC Retail slave -> noob sysadmin -> not so noob net/sysadmin -> Now. Networks/VoIP are his current focus, some sort of BSD is usually involved.

Stolen Data Markets: An Economic and Organizational Assessment

Tom Holt Associate Professor, Michigan State University

Olga Smirnova Assistant Professor, Eastern Carolina University

Yi-Ting Chua Michigan State University

Since the TJX corporation revealed a massive data breach in 2007, incidents of mass data compromise have grabbed media attention. The substantial loss of customer data and resulting fraud have seemingly become more common, including the announcement of the Target and Neiman Marcus compromises in 2013. As a result, the social and technical sciences are increasingly examining the market for data resale which is driven in part by these data breaches. This research is increasingly driven by assessments of web forum-based markets with varying depth of content and representativeness. As a result, there is a great deal of speculation about the profit margins and economy for stolen data. Researchers rarely provide metrics for the cost of various products, and some argue that the type of forum analyzed may provide inaccurate data on the costs of information. In fact, Herley and Florencio argue that open forums are largely a lemon market, where advertised costs are low but the risk of loss is quite high. Similarly, there is limited research considering the organizational structure of actors in the marketplace. Some in the media use the terms gangs or mafias to refer to the thieves and data sellers who acquire information, but this may not accurate reflect the realities of the relationships between buyers, sellers, moderators, and others who facilitate transactions.

This presentation will explore the economy and organizational composition of stolen data markets through qualitative and quantitative analyses of a sample of threads from 13 Russian and English language forums involved in the sale of stolen data. We present estimates for the costs of various forms of data, and examine the relationship between various social and market conditions and the advertised price for dumps and other financial data. The findings support the argument that higher risk conditions within a forum are associated with lower prices for data, while more legitimate and organized markets have higher prices. In addition, the organizational composition of the market are explored using a qualitative analysis which finds that the markets are primarily collegial in nature at the individual level, enabling individuals to work together in order to facilitate transactions. There is also a distinct division of labor between participants on the basis of the products sold and skill sets available and some evidence of long-term market stability on the basis of managerial structures and time in operation. Finally, quantitative social network analysis techniques are applied to this sample of forums to assess network density, user centrality, and the resiliency of the network structures observed. The policy implications of this study for consumers, law enforcement, and security analysts will be discussed in depth to provide improved mechanisms for the disruption and takedown of stolen data markets globally.

Dr. Thomas Holt is an Associate Professor in the School of Criminal Justice at Michigan State University specializing in cybercrime, policing, and policy. He received his Ph. D. in Criminology and Criminal Justice from the University of Missouri-Saint Louis in 2005. He has published extensively on cybercrime and cyberterror with over 35 peer-reviewed articles in outlets such as Crime and Delinquency, Sexual Abuse, the Journal of Criminal Justice, Terrorism and Political Violence, and Deviant Behavior. He has published multiple edited books, including Corporate Hacking and Technology-Driven Crime with coeditor Bernadette Schell (2011), Crime On-Line: Correlates, Causes and Context, now in its 2nd Edition, and a co-author of Digital Crime and Digital Terror, 2nd edition (2010). He has also received multiple grants from the National Institute of Justice and the National Science Foundation to examine the social and technical drivers of Russian malware writers, data thieves, and hackers using on-line data. He has also given multiple presentations on computer crime and hacking at academic and professional conferences, as well as hacker conferences across the country including DEF CON and HOPE.

twitter: @spartandevilshn

Olga Smirnova is an Assistant Professor in the Department of Political Science at Eastern Carolina University. She received her Ph. D. from the University of North Carolina at Charlotte and conducts research on the role of public policy in urban and regional economic development, state and local government, and the interaction of land use and transportation policy. She is also skilled in social network analysis and has applied this analysis technique to various on-line data sources to understand the social world of computer hackers and malware writers.

Yi Ting Chua is a Ph. D. student in the School of Criminal Justice at Michigan State University whose interests include cybercrime and policy analysis.

Raspberry MoCA - A recipe for compromise

Andrew Hunt Senior Information Security Engineer, Bechtel

Media over Coax Alliance (MoCA) is a protocol specification to enable assured high-bandwidth connections for the high demands of voice, video, and high-speed data connections – the ‘triple play.’ Verizon, Cox, Comcast, and many other service providers have adopted MoCA as the de facto networking technology used to provide in-home broadband services. This is accomplished by encapsulating Ethernet protocols over coaxial cabling common to interior television wiring. In this presentation, the vulnerabilities presented by the use of MoCA encapsulation in conjunction with common recommended coaxial wiring standards are realized with the development of Raspberry MoCA, an embedded device that provides a drop-in, automated exploitation kit which can be installed outside the target structure in less than five minutes, providing remote access and complete control over the connecting LAN.

Andrew Hunt is an Senior Information Security Engineer at Bechtel with more than fourteen years of experience working in the defense, health care, and energy industries. He is a certified incident responder, forensics practitioner, and malware reverse engineer. His research includes “Visualizing the Hosting Patterns of Modern Cybercriminals” and “Multimedia over Coaxial Alliance (MoCA): Operation and Security Posture,” as well as projects in non-attributable open-source data collection, Android malware and forensics, deployable sensor data collection over unreliable communications links, and large-scale CND data analytics. Andrew contributed to the Passive DNS Tool Project and established training programs in memory forensics and log data analysis. He is a regular presenter, with speaking engagements at George Mason University, Brigham Young University-Hawaii, Shakacon, ISSA Hawaii, and ISSA National Capital Region. Andrew devotes his spare time to travelling with his family, introducing his children to new cultures and experiences.

Girl… Fault-Interrupted.

Maggie Jauregui Software Security Test Engineer

GFCI's (Ground Fault Circuit Interrupts) are a practically unnoticeable part of our daily lives, except maybe for when you have to fumble around with the Reset button on your hair dryer to get it to work, of course.

I discovered a way to completely melt (magic smoke demo included!) the GFCI mechanism for  several off-the-shelf electro domestics wirelessly using specific RF frequencies. Similarly, I'm able to trip other GFCI's (the type built-in to several apartment/home walls) creating a DoS on running electro domestics.

Electro domestics might not be the worst this vulnerability has to offer, since GFCI's are used on many different types of electronics.

I plan on building a directional antenna to hopefully perform remote electro domestic DoS. I will list all vulnerable patents, my discovered vulnerable products, all applicable frequencies, and all affected switch types (such as AFCI's). I also commit to do responsible disclosure of any sensitive electrical attacks, such as RF interference for equipment upon which people's lives or livelihoods may depend.

Maggie Jauregui (@MagsJauregui) owns end-to-end Security Validation for the Wireless Product R&D group at Intel Corporation. She has around 3 years of security validation experience, specifically doing fuzzing, secure code review, and ad hoc penetration testing. At her previous job, Maggie owned DirectX Security Validation for the Graphics Driver Team at Intel Mexico after an internship in the 3D team doing Graphics Driver Sanity validation  for the same group. Maggie studied her Bachelor in Computer Science at Tecnológico de Monterrey, Campus Guadalajara (2005-2010). Maggie's interests also include genetics, singing (lead female vocal of Agavers rock band), and modern/classic dancing.


Extreme Privilege Escalation On Windows 8/UEFI Systems

Corey Kallenberg MITRE

Xeno Kovah MITRE

It has come to light that state actors install implants in the BIOS. Let no one ever again question whether BIOS malware is practical or present in the wild. However, in practice attackers can install such implants without ever having physical access to the box. Exploits against the BIOS can allow an attacker to inject arbitrary code into the platform firmware. This talk will describe two such exploits we developed against the latest UEFI firmware.

The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined "runtime services" interface between the OS and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow accessing this UEFI interface from a userland process. Vulnerabilities in this interface can potentially allow a userland process to escalate its privileges from "ring 3" all the way up to that of the platform firmware, which includes permanently attaining control of the very-powerful System Management Mode (SMM).

This talk will disclose two vulnerabilities that were discovered in the Intel provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them.

Corey Kallenberg is a security researcher for The MITRE Corporation who has spent several years investigating operating system and firmware security on Intel computers. In 2012 he coauthored work presented at DEF CON and IEEE S&P on using timing based attestation to detect Windows kernel hooks. In 2013 he helped discover critical problems with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement" and co-presented this work at NoSuchCon and Blackhat USA. Later, he discovered several vulnerabilities which allowed bypassing of "signed BIOS enforcement" on a number of systems, allowing an attacker to make malicious modifications to the platform firmware. These attacks were presented at EkoParty, HITB, and PacSec. Recently, Corey has presented attacks against the UEFI "Secure Boot" feature. Corey is currently continuing to research the security of UEFI and the Intel architecture.

twitter: @coreykal

Xeno Kovah is a Lead InfoSec Engineer at The MITRE Corporation, a non-profit company that runs 6 federally funded research and development centers (FFRDCs) as well as manages CVE. He is the team lead for the BIOS Analysis for Detection of Advanced System Subversion project. On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification & timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker. Xeno is also the founder and leading contributor to

twitter: @xenokovah

Special thanks to the contributing researchers for their help in co-authoring:

John Butterworth is a security researcher at The MITRE Corporation who currently specializes in Intel firmware security. In 2012 he co-authored the whitepaper "New Results for Timing-Based Attestation" which used timing based attestation to detect Windows kernel hooks. This research was presented at DEF CON and the 2012 IEEE Symposium on Security and Policy. In 2013 he and his colleagues authored "BIOS Chronomancy:Fixing the Static Root of Trust for Measurement" which proposed using Timing-Based Attestation during the BIOS boot process to resolve critical problems which they had found with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement". He has presented this research at NoSuchCon, Black Hat USA, SecTor, SEC-T, Breakpoint, and Ruxcon. Following this he has created a tool called Copernicus designed to determine just how prevalent vulnerable BIOS is in industry. John is currently continuing to research the security of BIOS/UEFI and the Intel architecture.

Sam Cornwell is a Sr. InfoSec Engineer at The MITRE Corporation, a not-for-profit company that runs 6 federally funded research and development centers (FFRDCs) as well as manages CVE. Since 2011 he has been working on projects such as Checkmate (a kernel and userspace memory integrity verification & timing-based attestation tool), Copernicus, a (BIOS extractor and configuration checker), and several other private security sensors designed to combat sophisticated threats. He has also researched and developed attacks against UEFI SecureBoot.

Secure Random By Default

Dan Kaminsky Chief Scientist, White Ops

As a general rule in security, we have learned that the best way to achieve security is to enable it by default. However, across operating systems and languages, random number generation is always exposed via two separate and most assuredly unequal APIs -- insecure and default, and secure but obscure.

Why not fix this? Why not make JavaScript and PHP and Java and Python and even libc rand() return strong entropy? What are the issues stopping us? Should we just shell back to /dev/urandom, or is there merit to userspace entropy gathering? How does fork() and virtualization impact the question? What of performance, and memory consumption, and headless machines?

Turns out the above questions are not actually rhetorical. Just because a change might be a good idea doesn't mean it's a simple one. This will be a deep dive, but one that I believe will actually yield a fix for the repeated *real world* failures of random number generation systems.

Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft.Dan spent three years working with Microsoft on their Vista, Server 2008, and Windows 7 releases.

Dan is best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet’s infrastructure of all time. Of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure.

Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring.

Ryan Lackey Founder, CryptoSeal, Inc.

Marc Rogers Principal Security Researcher, Lookout

The Grugq Information Security Researcher

Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny.Format-Transforming Encryption (FTE) can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden.

However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raise other red flags when a host reporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings.

We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application-set in network traffic and settings, evading both automated detection and frustrating after-the-fact analysis.

Ryan Lackey, Founder of CryptoSeal, founded HavenCo, the world’s first offshore datahaven, and has worked as a defense contractor in Iraq and Afghanistan, at various technology startups, and is currently working on a secure hardware-based router for business travelers.

Marc Rogers is an English hacker, Director of SecOps for DEF CON, and works as Principal Security Researcher for Lookout.

The Grugq is a pioneering information security researcher with over a decade of professional experience. He has worked extensively with digital forensic analysis, binary reverse engineering, rootkits, Voice over IP, telecommunications and financial security. The Grugq's professional career has included Fortune 100 companies, leading information security firms and innovative start-ups. Claims to fame:

- pioneered anti-forensics
- developed "userland exec"
- released voip attack software
- decade of experience in infosec
- long term liaison w/ digital underground
- described as "extremely handsome" [by his mom]
- 1992 sussex County 3-legged race, 2nd place

The Grugq has spoken at dozens of conferences over the last 7 years; provided expert training courses to .gov, .mil, police and businesses; domain expertise on forensics, voip, telecommunications and financial systems.

Panel: Ephemeral Communications: Why and How?

Ryan Lackey Founder, CryptoSeal, Inc.

Jon Callas Silent Circle

Elissa Shevinsky Glimpse

Possibly more to come.....

Ephemeral communications applications are increasingly popular ways, especially among younger users, to communicate online. In contrast to “once it’s on the Internet, it’s forever”, these applications promise to delete information rapidly, or to maintain anonymity indefinitely, lowering inhibitions to share sensitive or personal content. There are several types of these applications, as well as ephemeral or anonymous publication use of mainstream tools, with unique security features and general utility. Key people from the major ephemeral applications will debate where the market is, where it’s going, and how these systems can best balance user desires with technical and legal requirements.

Ryan Lackey, Founder of CryptoSeal, founded HavenCo, the world’s first offshore datahaven, and has worked as a defense contractor in Iraq and Afghanistan, at various technology startups, and is currently working on a secure hardware-based router for business travelers.

Jon Callas, CTO of SilentCircle, is co-founder of PGP Corporation and Silent Circle.

Elissa Shevinsky, Founder of Glimpse.

(more bios will be coming shortly)

NinjaTV - Increasing Your Smart TV’s IQ Without Bricking It

Felix Leder Director, malware research, Blue Coat Norway

Smart TVs are growing in popularity. Set-top boxes like Apple TV, Roku, or WD TV can make your “normal” TV "smart" and Smart TVs even smarter. Despite their functionality, they’re often missing interesting features, like bit-torrent, VPN and even specific TV channels. This presentation is about how to hack into WD TV set-top boxes and how to add experimental functionality without the risk of bricking it. Whether you want to add exotic TV channels, watch right from bit-torrent, or are crazy enough to do bitcoin mining on your TV – you are in charge. We will demonstrate several methods to become root using everything from remote exploits to hardware hacking. Unfortunately, just becoming root isn’t sufficient to make persistent changes. Because stronger modifications put your device at risk of bricking or of losing specific services, you must dig deeper. We are going to present and release our "adjusted" firmware that keeps all the manufacturer's encryption and service DRM keys intact. The firmware is minimally invasive and enables customization without risk. Patching becomes as easy as an SMB software upload. For those who want get deeper and dirtier, we will explain the firmware structure, how to extract the relevant encryption keys, and discuss the protected software modules. This includes a short overview of relevant tools to do hot-patching, live-debugging, and pointers to get started on reverse engineering core applications.

Felix Leder leads the mobile threat research at Blue Coat. Taking things apart has been a life time passion for him. His hobbies, like collecting bugs in malware and botnet takeovers, have resulted in successful take-downs of large malicious networks. As a member of The Honeynet Project he is heavily involved in open source security and has been instrumental in developing a number of malware analysis solutions, including Cuckoo box, Norman's Malware Analyzer G2, and Blue Coat's MAA.

Dark Mail

Ladar Levison Founder of Lavabit, LLC

Stephen Watt Lead Developer, Reference Implementation, Dark Mail

Data privacy and anonymity have long been cornerstone interests of the computer security world, but not particularly important to the general public. News events in the past year have seen the political climate shift radically, and now data privacy has become big business with secure mail solutions being the focal point of this new found attention.

Dark Mail is not the only solution in the secure mail space, but just as Lavabit’s preoccupation with privacy and user autonomy was a rarity when it started over a decade ago, it hopes once again to push mail security forward into a new frontier. It is Dark Mail's objective to achieve the highest degree of security possible - with the introduction of an interoperable mail protocol as an open standard. To that end, we are publishing documents describing the protocol, along with a reference implementations of the client and server under a free software license.

What most of the secure email systems in the privacy race have prioritized in tandem are ease of use for the masses, and cryptographically secure encryption of message contents between a sender and recipient. Additionally, they tend to place trust for private key management and encryption in the hands of the end user, and not the mail server.

While this would certainly be an improvement over traditional SMTP, it leaves much to be desired. Where do other solutions fall short? Metadata. Dark Mail is designed to minimize the leakage of metadata so that ancillary information like subject lines, recipients, and attachments doesn’t fall into the hands of curious third parties. That means all information about the mail and its contents are completely opaque to everybody but the parties communicating - including the servers handling the messages in transit. Accomplishing these goals wasn’t possible using existing standards, which is why we created a security enhanced flavor of SMTP for mail delivery dubbed DMTP.

What separates dmail from competing secure mail designs is the level of security it affords the user while retaining its simplicity of use. We have automated the key management functions, so complex cryptography operations are handled without user interaction. Of equal importance is the need for an implementation that is open to peer review, security audits, and cryptanalysis. Unlike many commercial solutions, dmail isn’t tethered to a single centralized provider; instead it offers the ability for anybody to host secure mail services. Like today, users will be able to access their mail from anywhere, using a web client with client-side encryption, or a traditional client application on their mobile or desktop device for an even greater degree of security. An open standard will guarantee that users have the freedom to adopt any dmail-compatible client or server implementation of their choosing.

Most attendees of this presentation will be familiar with the curious story of Lavabit's demise. While Lavabit's hosted mail service refused to surrender unfettered access to its users' secrets, this course of action may not be the obvious choice for network administrators placed in similar situations. Most digital surveillance efforts require the service provider to be complicit with the wiretapping requests of law enforcement. Dmail aims to protect messages from surveillance and tampering - whether it be subversive or coerced - by placing that capability beyond the reach of service providers. With dmail the keys belong to the user, and the message decryption occurs on the user’s device. Even so, users can choose how much to trust a service provider - with standardized modes that reside at different points along the security vs usability spectrum.

After running through an overview of the Dark Internet Mail Environment, this talk will delve into the details, showcasing the new protocols: DMTP and DMAP. Then highlight the schemes used by these protocols to provide automagical encryption and illustrate the mechanisms which have been developed to protect against advanced threats. To close the talk, we will provide a public demonstration of the reference implementation – showing the Volcano client and Magma server in action.

Ladar Levison is the Founder of Lavabit, LLC. Founded in 2004 (and originally named Nerdshack), Lavabit served as a place for free private and secure email accounts. By August of 2013, Lavabit had grown to over 410,000 users, with more than 10,000 paid subscribers. Levison created Lavabit because he believes that privacy is a fundamental, necessary right for a functioning, fair and free democracy. On August 8, 2013, he made the bold decision to shut down his business after ?refusing to become complicit in crimes against the American people.? Presently, Levison is serving as the project manager and lead architect for the Dark Mail Initiative, while continuing to vigorously advocate for the privacy and free speech rights of all Americans.

Stephen Watt is the lead developer of Dark Mail's reference implementation. With a recent past as interesting as (albeit a bit more checkered than) Levison's, Watt faced an unusual, landmark 2008 federal indictment in the TJ Maxx intrusion. For merely writing the software used in the breach, Watt was given a 2 year federal prison sentence and ordered to pay $171.5 million in restitution. Because he refused to cooperate at all with the federal investigation into himself and his friends, he emerged from prison with his pride in tact.

Since his 2011 release Watt has spoken at several security conferences about his extraordinary legal experience. By joining the Dark Mail initiative, he hopes to continue a lifelong pattern of developing massively disruptive software with complete indifference to getting rich from it.

Oracle Data Redaction is Broken

David Litchfield Security specialist, Datacom TSS

The Oracle data redaction service is a new feature introduced with Oracle 12c. It allows sensitive data, such as PII, to be redacted or masked to prevent it being exposed to attackers. On paper this sounds like a great idea but in practice, Oracle's implementation is vulnerable to multiple attacks that allow an attacker to trivially bypass the masking and launch privilege escalation attacks.

David Litchfield is a computer security researcher with a special interest in buffer overflow exploitation and database systems. He has written and contributed to several books including the Shellcoder's Handbook, The Database Hacker's Handbook and the Oracle Hacker's Handbook. He spends his spare time diving with great white sharks.

Twitter: @dlitchfield

Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System

Shane Macaulay Director of Cloud Security, IOActive

Windows7 & Server 2008R2 and earlier kernels contain significant executable regions available for abuse. These regions are great hiding places and more; e.g. Using PTE shellcode from ring3 to induce code into ring0. Hiding rootkits with encoded and decoded page table entries.

Additional ranges/vectors, Kernel Shim Engine, ACPI/AML, boot-up resources & artifacts will also be shown to be useful for code gadgets.

Understanding the state of affairs with the changes between Win7/8 and what exposures were closed and which may remain. APT threats abuse many of these areas to avoid inspection.

By the end of this session will also show you how to walk a page table, why Windows8 makes life easier, what to look for and how to obtain a comprehensive understanding of what possible code is hiding/running on your computer.

Final thoughts on using a VM memory snapshot to fully describe/understand any possible code running on a Windows system.

Shane “K2” Macaulay last DEF CON presentation was an offensive tool ADMmutate during DEF CON 9 but has more recently been focused on defensive techniques and helped develop an APT detection service ( used to protect Microsoft OS platforms.

Shane has spent time finding ways to fully understand the state of system code to understand “What is actually running on your computer?” to aid in forensic analysis, incident response and enterprise protection capacities.

Shane is currently employed by IOActive as Directory of Cloud Security and has presented at many previous security conferences/venues.

Catching Malware En Masse: DNS and IP Style

Dhia Mahjoub Senior Security Researcher, OpenDNS

Thibault Reuille Security Researcher, OpenDNS Inc

Andree Toonk Manager of Network Engineering, OpenDNS

The Internet is constantly growing, providing a myriad of new services both legitimate and malicious. Criminals take advantage of the scalable, distributed, and rather easily accessible naming, hosting and routing infrastructures of the Internet. As a result, the battle against malware is raging on multiple fronts: the endpoint, the network perimeter, and the application layer. The need for innovative measures to gain ground against the enemy has never been greater.

In this talk, we will present a novel and effective multi-pronged strategy to catch malware at the DNS and IP level, as well as our unique 3D visualization engine.

We will describe the detection systems we built, and share several successful war stories about hunting down malware domains and associated rogue IP space.

At the DNS level, we will describe original methods for tracking botnets, both fast flux and DGA-based. We use a combination of fast, light-weight graph clustering and DNS traffic analysis techniques and threat intelligence feeds to rapidly detect botnet domain families, identify new live CnC domains and IPs, and mitigate them.

At the IP level, classical reputation methods assign “maliciousness” scores to IPs, BGP prefixes, or ASNs by merely counting domains and IPs. Our system takes an unconventional approach that combines two opposite, yet complementary views and leads to more effective predictive detections.

(1) On one hand, we abstract away from the ASN view. We build the AS graph and investigate its topology to uncover hotspots of malicious or suspicious activities and then scan our DNS database for new domains hosted on these malicious IP ranges. To confirm certain common patterns in the AS graph and isolate suspicious address space, we will demonstrate novel forensics and investigative methods based on the monitoring of BGP prefix announcements.

(2) On the other hand, we drill down to a granularity finer than the BGP prefix. For this, we zero in on re-assigned IP ranges reserved by bad customers within large prefixes to host Exploit kit domains, browlock, and other attack types. We will present various techniques we devised to efficiently discover suspicious smaller ranges and sweep en masse for candidate suspicious IPs.

Our system provides actionable intelligence and preemptively detects and blocks malicious IP infrastructures prior to, or immediately after some of them are used to wage malware campaigns, therefore decisively closing the detection gap. During this presentation, we will publicly share some of the tools we built to gather this predictive intelligence.

The discussion of these detection engines and “war stories” wouldn’t be complete without a visualization engine that adequately displays the use cases and offers a graph navigation and investigation tool.

Therefore, in this presentation, we will present and publicly release for the first time our own 3D visualization engine, demonstrating the full process which transforms raw data into stunning 3D visuals. We will also present different techniques used to build and render large graph datasets: Force Directed algorithms accelerated on the GPU using OpenCL, 3D rendering and navigation using OpenGL ES, and GLSL Shaders. Finally, we will present a few scripts and methods used to explore our large networks. Every concept is intended to detect and highlight precise features and will be presented with its corresponding visual representation related to malware detection use cases.

Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis, and networks. He focuses on building fast predictive threat detection systems based on the monitoring and analysis of traffic and hosting infrastructures. Dhia holds a PhD in Computer Science from Southern Methodist University, Dallas with a specialty in graph theory applied on Wireless Sensor Networks. He has a background in Computer Networks with experience in writing sniffers and port scanners among other things. Dhia presented his research at BSides NOLA, APWG eCrime, BSides Raleigh, BotConf, BSides San Francisco, ISOI 13, SOURCE Boston and will be talking at the upcoming BSides NOLA and VirusBulletin. He is also member of the non-profit security research group MalwareMustDie helping track botnets and other malicious sources on the Internet.

Twitter: @DhiaLite

Thibault Reuille is a Security Researcher at OpenDNS Inc. His research is mainly focused on big data visualization. At a very young age, Thibault fell in love with the demo scene and everything related to computer generated art. He started to teach himself 3D graphics and went to EPITA school in Paris, France. He later joined the LSE, the computer security laboratory, for a total period of 4 years where he spent a lot of time breaking everything he could. He built a solid knowledge of reverse engineering, pen-testing, secure programming, exploit writing and many other (in)security related techniques. After obtaining his master's degree in 2010. Thibault decided to move to California and accepted a position at Nvidia Corporation. This is where he had the chance to refine his 3D graphics knowledge and to dig deep inside the GPU mechanisms and the OpenGL API. He stayed at this position for 4 years. Finally, Thibault found a new job at OpenDNS Inc. as a Security Researcher and has been working there since June 2013. He is developing a 3D engine capable of rendering large amount of data and extract intelligent patterns from it using advanced graph theory. He believes the combination of visualization, distributed computing and machine learning is the key to take computer intelligence to the next level. Thibault has given several presentations in world renowned conferences, such as:
CanSecWest Vancouver (March 14, 2014)
BSides SF (February 23, 2014)
BayThreat 4 (December 6, 2013)

You can consult some of his work here:

And some of his artsy work here :

Twitter: @ThibaultReuille

Andree Toonk is the manager of network engineering at OpenDNS. At OpenDNS Andree is responsible for the OpenDNS global Network architecture, development, implementation and operations of the OpenDNS infrastructure. Managing all aspects:transit, peering, anycast, DDOS mitigation, facilities, routing, switching, firewalls, etc. Andree is the founder and lead developer of, where he specializes in BGP routing and BGP security incidents such as routing hijacks and large scale outages. Andree received his M.Sc. degree in System and Network Engineering from the University of Amsterdam. He has presented about network security at network engineering conferences around the world such as Nanog and Terena and Canheit.

Twitter: @atoonk

Old Skewl Hacking: Porn Free!

Major Malfunction

Having cut his teeth (and scarred his mind) on hotel Infra-Red controlled TV systems, spent ten years scanning the skies for 'interesting' satellite feeds, in this, the 3rd in his series of 'Old Skewl Hacking' talks, Major Malfunction once again, and with great personal sacrifice, goes down on^winto the depths of late-night terrestrial broadcast television to determine how secure 'Pay Per View' / 'Pay Per Night' systems are, and if Debbie really did 'do' Dallas (she did). With a total disgregard for his own sanity and/or eyesight, he takes one for the team and forces himself through not just one, not just two, but possibly even three whole months^wnights^whours of terrible Cockney porn to uncover their darkest secrets (for those wishing to spare themselves from exposure to potentially harmful images from this talk, here's the executive summary: don't spend the £5, they cut out all the pink^wgood bits. There's better stuff for free on that there Internets).

Parental Advisory: Viewer discretion advised: Nudity, sex (moderate? nasty? who can say?), swearing, bad taste.

Defcon Kids Advisory: See Above! Get your Mom^wDad to bring you to this one! There will be a live demo. There will be BOOBIES! Anti-Sexism Advisory: Please don't Red Card me! I'm not trying to be a douchebag, but that's what they transmit: BOOBIES!

Health and Safety Advisory: Just say no. Stay away. Really.

Terms & conditions apply. You may be charged for entry. "Porn Free" or "Major Malfunction" will never appear on your bill. Always wipe clean after use.

Major Malfunction is a mystery wrapped in an enigma, wrapped in an old beach towel. He lives in a carefully constructed fantasy world of nuclear bunkers, clandestine meetings with taxi drivers at airports, satellite feeds and prohibited weapons.

This is what his neighbours have to say about him:

"He was always such a polite young man. He never caused any trouble, and kept himself to himself. They say it's always the quiet ones, don't they? Who knew? Who knew?"

"Somebody actually lives there???"

"Mr. Snuggles has never been quite the same..."

Twitter: @rfidiot
Facebook: adam.laurie.73


Major Malfunction

Zac Franken

Software Defined Radio has been quietly revolutionising the world of RF. However, the same revolution has not yet taken place in RFID. The proliferation of RFID/NFC devices means that it is unlikely that you will not interact with one such device or another on a daily basis. Whether it's your car key, door entry card, transport card, contactless credit card, passport, etc. you almost certainly have one in your pocket right now!

RFIDler is a new project, created by Aperture Labs, designed to bring the world of Software Defined Radio into the RFID spectrum. We have created a small, open source, cheap to build platform that allows any suitably powerful microprocessor access to the raw data created by the over-the-air conversation between tag and reader coil. The device can also act as a standalone 'hacking' platform for RFID manipulation/examination. The rest is up to you!

Adam "Major Malfunction" Laurie is a security consultant working in the field of electronic communications, and a Director of Aperture Labs Ltd., who specialise in reverse engineering of secure systems. He started in the computer industry in the late Seventies, and quickly became interested in the underlying network and data protocols. During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. He was also involved various early open source projects, including 'Apache-SSL' which went on to become the de-facto standard secure web server. Since the late Nineties he has focused his attention on security, and has been the author of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities.

Zac Franken has been working in the computer and technology industry for over 20 years for major industry players such as ICL, Informix, British Airways and Motorola. Founding his first company, Point 4 Consulting at the age of 25, he built it into a multi-million pound technology design consultancy. Point 4 provided critical back end technology and management for major web sites such as The Electronic Telegraph, MTV, United Airlines, Interflora, Credit Suisse,BT, Littlewoods and Sony. Following Point 4 he went on to found Ablaise, a company that manages the considerable intellectual property generated by Point 4, and Aperture Labs. Zac's research focuses on access control systems, biometric devices and embedded systems security, and he has spoken and trained at information security conferences in Europe and the US publicly and for private and governmental audiences. He is responsible for identifying major vulnerabilities in various access control and biometric systems, and has a passion for creating devices that emulate access control tokens either electronic physical or biometric. Zac has been responsible both directly and indirectly for changing access control guidelines for several western governments. Zac is currently a director of Aperture Labs Ltd, a company that specialises in reverse engineering and security evaluations of embedded systems.

Attacking the Internet of Things using Time

Paul McMillan Security Engineer, Nebula

Internet of Things devices are often slow and resource constrained. This makes them the perfect target for network-based timing attacks, which allow an attacker to brute-force credentials one character at a time, rather than guessing the entire string at once. We will discuss how timing attacks work, how to optimize them, and how to handle the many factors which can prevent successful exploitation. We will also demonstrate attacks on at least one popular device. After this presentation, you will have the foundation necessary to attack your own devices, and a set of scripts to help you get started.

Paul McMillan is a security engineer at Nebula. He also works on the security teams for several open source projects. When he's not building or breaking the internet, he enjoys, cocktails and photography.

Open Source Fairy Dust

John Menerick Security Researcher, Netsuite

Over the past 30 years, the Internet and open source software have worked in tandem. The Internet has provided an environment for open source software to prosper. Some would say the Internet and open source software are indistinguishable. From low level cryptography to critical services, the Internet’s foundation is built upon open source building blocks. These blocks are crumbling.

This presentation will tread through popular open source projects, common fallacies, peer into 0days, walk trends, and break code. When we are finished, you will be able to use the same techniques and tools to break or protect the Internet’s building blocks.

John Menerick works on Security @ NetSuite. John’s interests include cracking clouds, modeling complex systems, developing massive software-defined infrastructures, and is the outlier in your risk model.


A Survey of Remote Automotive Attack Surfaces

Charlie Miller Security Engineer, Twitter

Chris Valasek Director of Threat Intelligence, IOActive

Automotive security concerns have gone from the fringe to the mainstream with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes.

Last year, we discussed 2 particular vehicles. However, since each manufacturer designs their fleets differently; analysis of remote threats must avoid generalities. This talk takes a step back and examines the automotive network of a large number of different manufacturers from a security perspective. From this larger dataset we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last 5 years? What does the future of automotive security hold and how can we protect our vehicles from attack moving forward?

Charlie Miller is a security engineer at Twitter. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated".

Twitter: @0xcharlie

Christopher Valasek is the Director of Security Intelligence at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus in reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. Valasek is also the Chairman of SummerCon, the nation's oldest hacker conference.

Twitter: @nudehaberdasher

Learn how to control every room at a luxury hotel remotely: the dangers of insecure home automation deployment

Jesus Molina Security Consultant

Have you ever had the urge to create mayhem at a hotel? Force every hotel guest to watch your favorite TV show with you? Or wake your neighbors up (all 290 of them!) with blaring music and with their blinds up at 3 AM?

For those with the urge, I have the perfect place for you. The St. Regis ShenZhen, a gorgeous luxury hotel occupying the top 28 floors of a 100 story skyscraper, offers guests a unique feature: a room remote control in the form of an IPAD2. The IPAD2 controls the lighting, temperature, music, do not disturb light, TV, even the blinds and other miscellaneous room actions. However, the deployment of the home automation protocol contained several fatal flaws that allow an arbitrary attacker to control virtually every appliance in the hotel remotely. I discovered these flaws and as a result, I was able to create the ultimate remote control: Switch TV off 1280,1281,1283 will switch off the TV in these three room. The attacker does not even need to be at the hotel – he could be in another country.

This talk provides a detailed discussion of the anatomy of the attack: an explanation of reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints on how to create an Ipad Trojan to send commands outside the hotel; and, of course, solutions to avoid all these pitfall in future deployments. Attendees will gain valuable field lessons on how to improve wide scale home automation architectures and discussion topics will include the dangers of utilizing legacy but widely used automation protocols, the utilization of insecure wireless connection, and the use of insecure and unlocked commodity hardware that could easily be modified by an attacker.

The attack has important implications for large scale home automation applications, as several hotels around the world are beginning to offer this room amenity. The severity of these types of security flaws cannot be understated – from creating a chaotic atmosphere to raising room temperatures at night with fatal consequences – hoteliers need to understand the risks and liabilities they are exposed to by faulty security deployments.

Jesus Molina is an independent security consultant. As a former security researcher at Fujitsu Laboratories of America he created several prototypes and corresponding patents on ground breaking research, including self-erasable memories and mobile trusted virtual machins. He has acted as a chair at the Trusted Computing Group, a NSF grant reviewer, and guest editor at IEEE Security & Privacy. He has worked in offensive security research demonstrating flaws in SmartMeters. Mr. Molina holds a Ms. and a PhD. from the University of Maryland.

Twitter: @verifythentrust

Generating ROP payloads from numbers

Alexandre Moneger Cisco Systems

Is it possible to generate a ROP payload whilst using as few gadgets from the target binary as possible? Is it also possible to build any shellcode in memory regardless of the opcodes in the target binary? An approach to this is to build the ROP payload by summing selected pieces of memory together and copying them to a stack in the process address space. A method and tool will be presented, which allows to stitch together selected numbers found in memory into a payload and execute it.

Return Oriented Programming is at the core of modern exploitation technics, but the automation of the payload generation can be time consuming. The intent was to write a tool which is able to generate a generic enough ROP payload that it worked in most situations. I will present a new method to generate ROP payloads which relies on very few gadgets within the target binary (sometimes none), nor will rely on string copying particular bytes to build the in memory payload.

Alex Moneger Alex Moneger works as a security engineer for Cisco Systems in the Cloud Web Security unit. The fun part of his working hours are spent trying to find efficient ways of detecting anomalous behaviours in http streams, thinking of ways to improve the efficacy of the web scanning process and dealing with whatever http and tls corner cases are thrown at him.

His personal security interests are geared towards low level security, such as fuzzing, exploit writing and network security.

DEF CON Comedy Jam Part VII, Is This The One With The Whales?

David Mortman @mortman

Rich Mogull @rmogull

Chris Hoff @beaker

Dave Maynor @erratadave

Larry Pesce @haxorthematrix

James Arlen @myrcurial

Rob Graham @erratarob

Alex Rothman Shostack @ars_infosectica

Weeeeeeeeee're baaaaaack. Bring out your FAIL. It's the most talked about panel at DEF CON! A standing room only event with a wait list at the door. Nothing is sacred, not the industry, not the audience, not even each other. Last year we raised over $2000 for the EFF and over $5000 over the last 5 years, let's see how much we can raise this year....

David Mortman is the Chief Security Architect and Distinguished Engineer at Dell Enstratius and is a Contributing Analyst at Securosis. Before enStratus, he ran operations and security for C3. Formerly the Chief Information Security Officer for Siebel Systems, Inc., Previously, Mr. Mortman was Manager of IT Security at Network Associates. Mr. Mortman has also been a regular panelist and speaker at RSA, Blackhat, DEF CON and BruCon as well. Mr.Mortman sits on a variety of advisoryboards including Qualys, Lookout and Virtuosi. He holds a BS in Chemistry from the University of Chicago. David writes for Securosis, Emergent Chaos and the New School blogs.

James Arlen, CISA, is a senior consultant at Leviathan Security Group providing security consulting services to the utility, healthcare and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for over 20 years. James is also a contributing analyst with Securosis, faculty at IANS and a contributor to the Liquidmatrix Security Digest. Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.

Larry is a Senior Security Analyst with InGuardians performing penetration testing, wireless assessments, and hardware hacking. He also diverts a significant portion of his attention co-hosting the Paul's Security Weekly podcast and likes to tinker with all things electronic and wireless, much to the disappointment of his family, friends, warranties, and his second Leatherman Multi-tool. Larry is an Extra Class Amateur Radio operator (KB1TNF) and enjoys developing hardware and real-world challenges for the Mid-Atlantic Collegiate Cyber Defense Challenge.

More Bios to come soon.

Panel: Ask the EFF: The Year in Digital Civil Liberties

Kurt Opsahl Deputy General Counsel, Electronic Frontier Foundation

Nate Cardozo EFF Staff Attorney

Mark Jaycox EFF Legislative Analyst

Yan Zhu EFF Staff Technologist

Eva Galperin EFF Global Policy Analyst

KURT OPSAHL is the Deputy General Counsel of the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Opsahl has counseled numerous computer security researchers on their rights to conduct and discuss research. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook.” In 2007, Opsahl was named as one of the “Attorneys of the Year” by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal, which established the reporter’s privilege for online journalists. In addition to his work at EFF, Opsahl is a member of the USENIX Board of Directors.

NATE CARDOZO is a Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court.

EVA GALPERIN is EFFs Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills.

MARK JAYCOX is a Legislative Analyst for EFF. His issues include user privacy, civil liberties, surveillance law, and "cybersecurity." When not reading legal or legislative documents, Mark can be found reading non-legal and legislative documents, exploring the Bay Area, and riding his bike. He was educated at Reed College, spent a year abroad at the University of Oxford (Wadham College), and concentrated in Political History. The intersection of his concentration with advancing technologies and the law was prevalent throughout his education, and Mark's excited to apply these passions to EFF. Previous to joining EFF, Mark was a Contributor to ArsTechnica, and a Legislative Research Assistant for LexisNexis.

YAN ZHU is a Staff Technologist with EFF. Yan writes code and words to enable pervasive encryption and protect Internet users' privacy. Besides maintainingHTTPS Everywhere at EFF, she is a core developer ofSecureDrop and founder of the Worldwide Aaron Swartz Memorial Hackathon Series. In her spare time, Yan writes about the intersection of computer security and humansand tries to find interesting ways to break web applications. She holds a B.S. in Physics from MIT and was a National Science Foundation Graduate Research Fellow at Stanford.

Twitter: @eff
Twitter: @kurtopsahl

The NSA Playset: RF Retroreflectors

Michael Ossmann Great Scott Gadgets

Of all the technologies revealed in the NSA ANT catalog, perhaps the most exotic is the use of RF retroreflectors for over-the-air surveillance. These tiny implants, without any power supply, transmit information intercepted from digital or analog communications when irradiated by radio signals from an outside source. This modern class of radar eavesdropping technology has never been demonstrated in public before today. I've constructed and tested my own RF retroreflectors, and I'll show you how they work and how easy they are to build with modest soldering skills. I'll even bring along some fully assembled units to give away. Now you can add RF retroreflectors to your own NSA Playset and play along with the NSA!

Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and Daisho projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

VoIP Wars: Attack of the Cisco Phones

Fatih Ozavci Senior Security Consultant, Sense of Security

Many hosted VoIP service providers are using Cisco hosted collaboration suite and Cisco VoIP solutions. These Cisco hosted VoIP implementations are very similar; they have Cisco Unified Communication services, SIP protocol for IP Phones of tenants, common conference solutions, Skinny protocol for compliance, generic RTP implementation, VOSS Solutions product family for management services for tenants. Cisco hosted VoIP implementations are vulnerable to many attacks, including:

  • VLAN attacks
  • SIP trust hacking
  • Skinny based signalling attacks
  • Bypassing authentication and authorisation
  • Call spoofing
  • Eavesdropping
  • Attacks against IP Phone management services
  • Web based vulnerabilities of the products

The presentation covers Skinny and SIP signalling attacks, 0day bypass technique for call spoofing and billing bypass, LAN attacks against supportive services for IP Phones, practical 0day attacks against IP Phone management and tenant services. Attacking Cisco VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by the presenter). It has a dozen modules to test trust hacking issues, signalling attacks against SIP services and Skinny services, gaining unauthorised access, call spoofing, brute-forcing VoIP accounts and debugging services using as MITM. Furthermore, Viproy provides these attack modules in a penetration testing environment and full integration. The presentation contains live demonstration of practical VoIP attacks and usage of new Viproy modules.

Fatih Ozavci is a Security Researcher and Senior Consultant with Sense of Security. He is the author of the Viproy VoIP Penetration and Exploitation Testing Kit and MBFuzzer Mobile Application MITM Fuzzer tool, he has also published a paper about Hacking SIP Trust Relationships. Fatih has discovered many unknown security vulnerabilities and design and protocol flaws in VoIP environments for his customers, and analyses VoIP design and implementation flaws which help to improve VoIP infrastructures. Additionally, he has completed numerous mobile application penetration testing services including but not limited to reverse engineering of mobile applications, exploiting mobile services level vulnerabilities, attacking data transporting and storing features of mobile applications. His current researches are based on attacking mobile VoIP clients, VoIP service level vulnerabilities, web based VoIP and video conference systems, decrypting custom mobile application protocols and MITM attacks for mobile applications. While Fatih is passionate about VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed at network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. Fatih presented his VoIP research and tool in 2013 at DEF CON 21 (USA), Blackhat Arsenal USA 2013, Cluecon 2013 (USA), Athcon 2013 (Greece), and Ruxcon 2013. Also Fatih will present 2 training sessions at Auscert 2014 as well, "Next Generation Attacks and Countermeasures for VoIP" and "Penetration Testing of Mobile Applications and Services".

Panel — Surveillance on the Silver Screen- Fact or Fiction?

Nicole Ozer Technology and Civil Liberties Policy Director, ACLU of California

Kevin Bankston Policy Director, New America Foundation's Open Technology Institute

Timothy Edgar Fellow, Watson Institute for International Studies, Brown University

Join ACLU and others for a fun-filled surveillance tour of the movies - from Brazil to Bourne - to talk about what is still fiction and what is now fact. What is technologically possible? What is legal? And what is happening in the courts, Congress, and in companies and communities to reset the balance between government surveillance and individual liberties.

Kevin Bankston is the Policy Director of the New America Foundation's Open Technology Institute, where he works in the public interest to promote policy and regulatory reforms to strengthen communities by supporting open communications networks, platforms, and technologies, with a focus on issues of Internet surveillance and censorship. Prior to leading OTI's policy team, Kevin was a Senior Counsel and the Director of the Free Expression Project at the Center for Democracy & Technology. From that position, he spent two years advocating on a wide range of Internet and technology policy issues both international and domestic, most recently organizing a broad coalition of companies and civil society organizations to demand greater transparency around the US government's surveillance practices. Prior to joining CDT, he worked for nearly a decade at the Electronic Frontier Foundation, specializing in free speech and privacy law with a focus on government surveillance, Internet privacy, and location privacy. As a Senior Staff Attorney at EFF, he regularly litigated issues surrounding free expression and electronic surveillance, and was a lead counsel in EFF's lawsuits against the National Security Agency and AT&T, challenging the legality of the NSA warrantless wiretapping program first revealed in 2005. He received his JD at the University of Southern California Law School after receiving his BA at the University of Texas at Austin.

Timothy H. Edgar is a visiting fellow at the Institute and adjunct professor of law at the Georgetown University Law Center. His work focuses on the unique policy challenges posed by growing global cyber conflict, particularly in reconciling security interests with fundamental values, including privacy and Internet freedom. Mr. Edgar served under President Obama as the first director of privacy and civil liberties for the White House National Security Staff, focusing on cybersecurity, open government, and data privacy initiatives. From 2006 to 2009, he was the first deputy for civil liberties for the director of national intelligence, reviewing new surveillance authorities, the terrorist watchlist, and other sensitive programs. He has also been counsel for the information sharing environment, which facilitates the secure sharing of terrorism-related information. He has a JD from Harvard Law School, where he served on the Harvard Law Review, and an AB from Dartmouth College.

Nicole Ozer developed and has led the technology and civil liberties work for the ACLU in California since 2004. Nicole is a nationally recognized expert on issues at the intersection of consumer privacy and government surveillance and free speech and the Internet. Nicole developed Demand Your dotRights, ACLU's national online privacy campaign and spearheaded the passage of both the first RFID and digital book privacy laws in the nation. Nicole is the author of numerous legal and policy publications, including Losing the Spotlight: A Study of California's Shine the Light Law, Privacy & Free Speech: It's Good for Business, a primer of dozens of case studies and tips for baking safeguards into the business development process. Her most recent law review article, Putting Online Privacy Above the Fold: Building a Social Movement and Creating Corporate Change, was published by the NYU Review Law & Social Change in 2012. Nicole graduated magna cum laude from Amherst College, studied comparative civil rights history at the University of Cape Town, South Africa, and earned her J.D. with a Certificate in Law and Technology from Boalt Hall School of Law, University of California Berkeley. Nicole blogs at and tweets @nicoleozer.

Playing with Car Firmware or How to Brick your Car

Paul Such 0x222 Founder of SCRT


A lot of papers have already been done/produced on hacking cars through ODB2/CanBus. Looking at the car firmware could also be something really fun :) How to access the firmware, hidden menus & functionalities, hardcoded SSID, users and passwords (yes, you read right), are some of the subjects we will cover during this short presentation.

Paul Such 0x222 is a security engineer and the founder of SCRT, a Swiss company specialized in ethical hacking / penetration test and digital forensic since 2002. He is also the organizer of the Insomni'hack event (CTF and security conference in Switzerland)

Twitter: @0x222

Florian Gaultier (Agix) is a security enthusiast working for SCRT France since 2012. He is also the founder of StHack security conference in Bordeaux (FRANCE) and member of w3stormz CTF team. Loving reverse engineering he was happy to work on this project.

Twitter: @agixid

Measuring the IQ of your Threat Intelligence feeds

Alex Pinto Chief Data Scientist, MLSec Project

Kyle Maxwell Researcher

Threat Intelligence feeds are now being touted as the saving grace for SIEM and log management deployments, and as a way to supercharge incident detection and even response practices. We have heard similar promises before as an industry, so it is only fair to try to investigate. Since the actual number of breaches and attacks worldwide is unknown, it is impossible to measure how good threat intelligence feeds really are, right? Enter a new scientific breakthrough developed over the last 300 years: statistics!

This presentation will consist of a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide. Are they a statistical good measure of the population of "bad stuff" happening out there? Is there even such a thing? How tuned to your specific threat surface are those feeds anyway? Regardless, can we actually make good use of them even if the threats they describe have no overlap with the actual incidents you have been seeing in your environment?

We will provide an open-source tool for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with current OSINT network feed and easily extensible for private or commercial feeds. All the statistical code written and research data used (from the open-source feeds) will be made available in the spirit of reproducible research. The tool itself will be able to be used by attendees to perform the same type of tests on their own data.

Join Alex and Kyle on a journey through the actual real-world usability of threat intelligence to find out which mix of open source and private feeds are right for your organization.

Alex Pinto is the Chief Data Scientist of MLSec Project. The goal of the project is to provide a platform for hypothesis testing for people interested in the development of machine learning algorithms to support the information security monitoring practice. He has over 14 years dedicated to information security solutions architecture, strategic advisory and monitoring. He has experience with a great range of security products, and has managed SOCs and SIEM implementations for way too long. Alex currently currently holds the CISSP-ISSAP, CISA, CISM and PMP certifications, not that anyone cares. He was also a PCI QSA for almost 7 years, but is almost fully recovered.

Twitter: @alexcpsec

Kyle Maxwell is a private-sector threat intelligence analyst and malware researcher working with incident response and security operations. He is a GPL zealot, believes in UNIX uber alles, and supports his local CryptoParty. Kyle holds a degree in Mathematics from the University of Texas at Dallas.

Twitter: @kylemaxwell

Secure Because Math: A Deep Dive On Machine Learning-Based Monitoring

Alex Pinto Chief Data Scientist, MLSec Project

We could all have predicted this with our magical Big Data analytics platforms, but it seems that Machine Learning is the new hotness in Information Security. A great number of startups with ‘cy’ and ‘threat’ in their names that claim that their product will defend or detect more effectively than their neighbour's product "because math". And it should be easy to fool people without a PhD or two that math just works.

Indeed, math is powerful and large scale machine learning is an important cornerstone of much of the systems that we use today. However, not all algorithms and techniques are born equal. Machine Learning is a most powerful tool box, but not every tool can be applied to every problem and that’s where the pitfalls lie.

This presentation will describe the different techniques available for data analysis and machine learning for information security, and discuss their strengths and caveats. The Ghost of Marketing Past will also show how similar the unfulfilled promises of deterministic and exploratory analysis were, and how to avoid making the same mistakes again. 

Finally, the presentation will describe the techniques and feature sets that were developed by the presenter on the past year as a part of his ongoing research project on the subject, in particular present some interesting results obtained since the last presentation on DefCon 21, and some ideas that could improve the application of machine learning for use in information security, especially in its use as a helper for security analysts in incident detection and response.

Alex Pinto is the Chief Data Scientist of MLSec Project. The goal of the project is to provide a platform for hypothesis testing for people interested in the development of machine learning algorithms to support the information security monitoring practice. He has over 14 years dedicated to information security solutions architecture, strategic advisory and monitoring. He has experience with a great range of security products, and has managed SOCs and SIEM implementations for way too long. Alex currently currently holds the CISSP-ISSAP, CISA, CISM and PMP certifications, not that anyone cares. He was also a PCI QSA for almost 7 years, but is almost fully recovered.

Twitter: @alexcpsec

Abusing Software Defined Networks

Gregory Pickett Cybersecurity Operations, Hellfire Security

Software Defined Networking (SDN) transfers all forwarding decisions to a single controller and provides the network with the same degree of control and flexibility as the cloud. And with all the major vendors onboard, it will soon be supporting networks everywhere. But current implementations are full of weaknesses that could easily turn this utopian dream of the future into a nightmare and leave networks world-wide exposed.

With clear-text wire protocol implementations, little support for switch TLS, no authentication for nodes, poorly conceived rate-limiting features in the controllers, controller APIs that don’t require authentication , and back-door netconf access, the leading platforms Floodlight and OpenDaylight, are ripe for attack.

And in this session, using a new toolkit that I developed, I’ll demonstrate by showing you how to locate and identify these controllers, impersonate switches to DoS them, and engage their wide-open APIs and backdoors to map the network, locate targets, and control access to the network … even hide from sensors. But all is not lost, because I’ll show how to protect them too. Because dream or nightmare, SDN can make a difference in the real world if we just protect it right.

Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion analysis for Fortune 100 companies but now heads up Hellfire Security’s Managed Security Services efforts and participates in their assessment practice as a network security subject matter expert. As a security professional, his primary area of focus and occasional research is networks with an interest in using network traffic to better understand, to better defend, and sometimes to better exploit the hosts that live on them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.

twitter: @shogun7273

NSA Playset : GSM Sniffing

Pierce Security Researcher

Loki Security Researcher

A5/1, as implemented in GSM, was broken wide open in 2003, yet GSM is still the most widely used mobile communications protocol in the world. Introducing TWILIGHTVEGETABLE, our attempt to pull together the past decade of GSM attacks into a single, coherent toolset, and finally make real, practical, GSM sniffing to the masses.

Loki and Pierce are security researchers in Portland, Oregon who operate out of the BrainSilo hackerspace. They each have a decade of experience breaking various forms of wireless and telecom networks, and a passion for empowering the security community.

Cyberhijacking Airplanes: Truth or Fiction?

Dr. Phil Polstra Associate Professor of Digital Forensics, Bloomsburg University of Pennsylvania

Captain Polly Associate Professor of Aviation, University of Dubuque

There have been several people making bold claims about the ability to remotely hack into aircraft and hijack them from afar. This talk will take a systematic look at the mechanisms others are claiming would permit such cyberhijacking. Each of the most popular techniques will be examined mythbuster style. Along the way several important aircraft technologies will be examined in detail.

Attendees will leave with a better understanding of ADS-B, ADS-A, ACARS, GPS, transponders, collision avoidance systems, autopilots, and avionics networking and communications. No prior knowledge is assumed for attendees.

The primary presenter is a pilot, flight instructor, aviation professor, aircraft mechanic, aircraft inspector, avionics technician, and plane builder who has also worked on the development of some of the avionics systems found in modern airliners.

The second presenter is a former airline pilot with thousands of hours in airliners who is currently an aviation professor in charge of a simulator program.

Phil was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since.

Dr. Phil currently works as a professor of digital forensics. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2014). Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position.

Phil is also an accomplished aviator with several thousand hours of flight time. He holds 12 ratings including instructor, commerical pilot, mechanic, inspector, and avionics tech. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes.

twitter: @ppolstra

Captain Polly is a former airline pilot at a major US airline. She is currently an Associate Professor of Aviation at a private midwestern university. Polly has thousands of hours of flight time in airliners and small aircraft. She runs a simulator program that includes a number of airliner simulators.

Am I Being Spied On? Low-tech Ways Of Detecting High-tech Surveillance

Dr. Phil Polstra Associate Professor of Digital Forensics, Bloomsburg University of Pennsylvania

Is someone spying on you? This talk will present several low-tech ways that you can detect even high-tech surveillance. Topics covered will include: detecting surveillance cameras with your cell phone, signs that you are under physical surveillance, detecting active and passive bugs with low cost devices, and detecting devices implanted inside computers, tablets, and cell phones.

Phil was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since.

Dr. Phil currently works as a professor of digital forensics. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2014). Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position.

Phil is also an accomplished aviator with several thousand hours of flight time. He holds 12 ratings including instructor, commerical pilot, mechanic, inspector, and avionics tech. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes.

twitter: @ppolstra

Detecting and Defending Against a Surveillance State

Robert RowleySecurity Researcher, Trustwave Spiderlabs

This talk is based on semi-recent reported leaks that detail how state-actors could be engaging in surveillance against people they deem as 'threats'. I will cover the basics on what was leaked, and focus the talk on how to detect hardware bugs, implanted radio transceivers, firmware injections, cellular network monitoring, etc...

No need to bring your tin-foil hats though, the discussion here is a pragmatical approach to how to detect such threats and identify if you have been targeted. No blind faith approaches, or attempts to sell any privacy snake oil will be found here.

Robert is a Security Researcher for Trustwave Spiderlabs as has been an active member of the Southern California hacking scene for over the last 10+ years. Co-Founding Irvine underground and recently presenting on many topics including Juice Jacking, Web Application Security and more… I am presenting on a personal passion this time, Privacy.

Acquire current user hashes without admin privileges

Anton Sapozhnikov KPMG

If an attacker has only user level access to an infected machine inside corporate internal network, that means he or she has quite a limited number of ways to get the password of that user. Already known techniques require additional network access or great amount of luck. Having no access to internal network and absence of admin privileges is a common case during spear phishing attacks and social engineering activities. This talk will cover a brand new technique to grab credentials from a pwned machine even without admins privileges. The technique is possible due to a design flaw in the Windows SSPI implementation. A proof of concept tool will also be presented.

Anton Sapozhnikov has more than 7 years of experience in penetration testing, worked with many companies from the Fortune Global 500 list. In his spare time Anton participates in CTFs with More Smoked Leet Chicken, the team awardee and winner of Codegate, HITB, DEFCON, etc. Anton currently works for KPMG's Information Risk Management practice performing penetration testing, risk assessment, framework alignment, and policy development engagements.

Twitter: @snowytoxa

You're Leaking Trade Secrets

Michael Schrenk Business Intelligence Specialist

Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.

Michael Schrenk is an online Business Intelligence Specialist, who has developed industrial webbots and botnets for the past twenty years. He is a five-time DEFCON speaker, including last year's talk, “How my Botnet Purchased Millions of Dollars in Cars and defeated the Russian Hackers”. Mike is also the author of “Webbots, Spiders, and Screen Scrapers”, 2nd Edition (2012, No Starch Press, San Francisco).

Veil-Pillage: Post-exploitation 2.0

Will Schroeder security researcher, Veris Group

The Veil-Framework is a project that aims to bridge the gap between pentesting and red team toolsets. It began with Veil-Evasion, a tool to generate AV-evading payload executables, expanded into payload delivery with the release of Veil-Catapult, and branched into powershell functionality with the release of Veil-PowerView for domain situational awareness. This talk will unveil the newest additional to the Veil-Framework, Veil-Pillage, a fully-fledged, open-source post-exploitation framework that integrates tightly with the existing framework codebase.

We’ll start with a quick survey of the post-exploitation landscape, highlighting the advantages and disadvantages of existing tools. We will cover current toolset gap areas, and how the lack of a single solution with all the options and techniques desired drove the development of Veil-Pillage. Major features of the framework will be quickly detailed, and the underlying primitives that modules build on will be explained.

Veil-Pillage, released immediately following this presentation, makes it easy to implement the wealth of existing post-exploitation techniques out there, public or privately developed. Currently developed modules support a breadth of post-exploitation techniques, including enumeration methods, system management, persistence tricks, and more. The integration of various powershell post-exploitation components, assorted methods of hashdumping, and various ways to grab plaintext credentials demonstrate the operational usefulness of Veil-Pillage. The framework utilizes a number of triggering mechanisms with a preference toward stealth, contains complete command line flags for third-party integration, and has comprehensive logging and cleanup script capabilities. Welcome to Veil-Pillage: Post-Exploitation 2.0.

Will Schroeder (@harmj0y) is a security researcher and pentester/red-teamer for Veris Group, and is one of the co-founders and active developers of the Veil-Framework, a project aimed at bridging the gap between pentesting and red-team toolsets. Will recently presented at Shmoocon ‘14 on AV-evasion and custom payload delivery methods utilizing tools he developed, Veil-Evasion and Veil-Catapult. He has presented at various BSides events on the Cortana attack scripting language and obfuscated Pyinstaller loaders. He is also the author of Veil-PowerView, a tool for gaining situational awareness on Windows domains, and is an active powershell hacker. A former national lab security researcher, he is happy to finally be in the private sector.

twitter: @harmj0y

From Raxacoricofallapatorius With Love: Case Studies In Insider Threat

Tess Schrodinger

Espionage, honey pots, encryption, and lies. Clandestine meetings in hotels. The naïve girl seduced by a suave businessman. The quiet engineer who was busted by the shredded to do list found in his trash. Encryption the NSA couldn’t crack. What motivates insiders to become threats? How were they caught? What are potential red flags to be aware of? Acquire a new awareness around what makes these people tick.

Tess has over twenty years in law enforcement, investigation, forensics (bullets & blood, not 1s & 0s), and industrial security. She holds a Bachelor of Sociology, a Master of Security Management, and a graduate certificate in cybersecurity technology. One of her many current objectives is to bridge the gap between traditional security and cyber security by promoting awareness and education to the technologically ignorant who are often overwhelmed by the potential threats and how they can be targeted and to the technically gifted who are often unfamiliar with the threats, vulnerabilities, and mitigation techniques that lie outside their world of technology.

Don't DDoS Me Bro: Practical DDoS Defense

Blake Self Senior Security Architect

Shawn "cisc0ninja" Burrell SOLDIERX Crew

Layer 7 DDoS attacks have been on the rise since at least 2010, especially attacks that take down websites via resource exhaustion. Using various tools and techniques - it is possible to defend against these attacks on even a shoestring budget. This talk will analyze and discuss the tools, techniques, and technology behind protecting your website from these types of attacks. We will be covering attacks used against as well as attacks seen in Operation Ababil. Source code will be released for SOLDIERX's own DDoS monitoring system, RoboAmp.

Blake Self is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and R&D at various corporations. He has been attending Defcon since high school and has given several talks. He currently works in the financial sector and was directly involved in defending against the DDoS attacks of Operation Ababil. Blake holds a M.S. in Computer Science from Purdue University.

Shawn "cisc0ninja" Burrell is a long time crew member of SOLDIERX. He was a critical component of projects such as the "Hacker Database" - the largest open source database of individuals involved in the security/hacking scene. He has also worked as a SIPRNET Administrator for the Department of Defense. He currently works in threat intelligence, where he discovers current campaigns and how to defend against them. He once claimed he was the only person at Defcon who could actually dance, although that was before the conference was at its current popularity.


Hacking the FBI: How & Why to Liberate Government Records

Ryan Noah Shapiro PhD candidate, Massachusetts Institute of Technology

After narrowly avoiding a lengthy activism-related prison sentence, I began PhD work at MIT in part to map out the criminalization of political dissent in Post-9/11 America. Especially in trying to obtain records from the FBI, Freedom of Information Act (FOIA) work became an essential component of my research. However, it quickly became apparent that the FBI routinely refused to comply with FOIA. Less clear was how the Bureau was managing to accomplish this systematic violation of federal law. Consequently, I spent years using FOIA and other tools to map out the hidden mechanisms of FBI non-compliance with the Freedom of Information Act. It worked. Using the FOIA methodologies I’d developed, I began receiving tens of thousands of pages from the FBI on its targeting of domestic protest groups. As a result, the FBI is now attempting to shut down my research by arguing in court that my dissertation FOIA research itself is a threat to national security.

Such efforts by the FBI are just one component of the ongoing crisis of secrecy we now face. The records of government are the property of the people, but these records are consistently withheld from us. My talk will cover my research into the historical and contemporary use of the rhetoric and apparatus of national security to marginalize political dissent, my work to reveal the hidden mechanisms of FBI FOIA operations, the FBI’s efforts to shut down my research, the ongoing crisis of secrecy and consequent threat to democracy, and the pressing need for additional modes of hacking the FBI and other intelligence agencies to pick up where FOIA leaves off. The records of government belong to us. It’s time to reclaim them.

Ryan Shapiro is a transparency activist and PhD candidate in MIT’s Department of Science, Technology, & Society (HASTS). Ryan’s research focuses on the political functioning of national security and the policing of dissent. To this end, he currently has over 700 Freedom of Information Act (FOIA) requests in motion with the FBI, making him the FBI’s “most prolific” FOIA requestor. Ryan also has numerous FOIA requests in motion with the CIA, DIA, and NSA, as well as a host of active lawsuits against these agencies for their routine failure to comply with his FOIA requests. The FBI is even now arguing in court that Ryan’s dissertation FOIA research itself is a threat to national security.

Advanced Red Teaming: All Your Badges Are Belong To Us

Eric Smith Senior Partner, Principal Security Consultant at LARES

Josh Perrymon Senior Adversarial Engineer at LARES

By definition ”Red Teaming” or Red Team testing originated from the military whereby describing a team whose primary objective is to penetrate the security controls of “friendly” institutions while evaluating their security measures. The term is widely used today to describe any form or blend of logical, physical and social based attacks on an organization. Since the early 2000’s, LARES’ core team members have been presenting on and performing advanced Red Team attacks against all verticals and have a 100% success rate for organizational compromise when performing full scope testing.

Fresh out of the think tank of Layer 8 Labs (the R&D division of LARES) and tested in the streets on numerous engagements, this talk will focus specifically on badge access control systems, inherent flaws in their design and demonstrate direct and blended attacks against them. Live demonstrations will be given to show how these flaws lead to facility and system compromise, even against the most secure access control systems and card types being sold to the market today. Custom built tools by the LARES team members will be demonstrated throughout the talk and an interactive discussion will be held at the end of the presentation to discuss current mitigation strategies and industry needs to thwart these attacks going forward.

Eric Smith (@InfoSecMafia) is a Senior Partner and Principal Security Consultant at LARES. Eric is a well-respected, qualified, trained, and certified Ethical Hacker with over 17 years of experience in the IT/IS industry. Eric is experienced in network and application penetration testing, social engineering, Red Team/physical security, wireless, architecture, system hardening, risk/compliance assessments, and policy/procedural development. Eric holds a BS in Information Security Systems along with active CISSP and CISA certifications. When Eric isn’t compromising large scale, heavily protected fortresses, he goes on retreats in search of unicorns, horseshoes and hidden treasures that many claim to be “suicide missions”. Eric was also born with invisible gills and is referred to by close friends and closer enemies as the “phish whisperer”.

Joshua Perrymon (@packetfocus) is a Senior Adversarial Engineer at LARES. He is a well-rounded certified Ethical Hacker with over 17 years’ experience in the industry. With a focus with real-world exploitation, Josh likes the pressure of Social Engineering and Red Team testing. The type of testing that is always dynamic, and forces quick decisions and persistence. He developed the first OWASP LiveCD "LabRat", and led the Alabama OWASP Chapter. When living in Australia, Josh dove into RFID research, and over the years has worked to take these attacks from the lab to the streets, providing the most advanced and accurate real-world testing. Josh also has worked on a phishing framework over the past ten years, and is focused on bringing that technology to market. When not dressed as a janitor or electrician in attempt to breach a client facility, Josh can be found at his local drag strip playing with nitrous and turbos.

The Internet of Fails: Where IoT Has Gone Wrong and How We're Making It Right

Mark Stanislav Security Evangelist, Duo Security

Zach Lanier Sr. Security Researcher, Duo Security

This presentation will dive into research, outcomes, and recommendations regarding information security for the "Internet of Things". Mark and Zach will discuss IoT security failures both from their own research as well as the work of people they admire. Attendees are invited to laugh/cringe at concerning examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for stuff.

Mark and Zach will also discuss the progress that their initiative,, has made since it was announced this past February at B-Sides San Francisco. Based on their own struggles with approaching smaller technology vendors with bugs and trying to handle coordinated disclosure, Mark and Zach decided to change the process and dialog that was occurring into one that is inclusive, friendly, researcher-centric. They will provide results and key learnings about the establishment of this loose organization of security-minded vendors, partners, and researchers who have decided to focus on improving information security for bootstrapped/crowd-funded IoT products and platforms.

If you're a researcher who wants to know more about attacking this space, an IoT vendor trying to refine your security processes, or just a consumer who cares about their own safety and privacy, this talk will provide some great insights to all of those ends.

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup and corporate environments, primarily focused on Linux architecture, information security, and web application development. He has presented at over 70 events internationally including RSA, ShmooCon, SOURCE Boston, and THOTCON. His security research has been featured on web sites including CSO Online, Security Ledger, and Slashdot. Mark holds a B.S. in Networking & IT Administration and an M.S. in Information Assurance, both from Eastern Michigan University. Mark is currently writing a book titled, "Two-Factor Authentication" (published by IT Governance).

Twitter: @markstanislav
Web: ;;

Zach Lanier is a Senior Security Researcher at Duo Security. Though an old net/web/app pen tester type, he has been researching mobile and embedded device security since 2009, ranging from app security, to platform security (especially Android); to device, network, and carrier security. He has presented at various public and private industry conferences, such as BlackHat, DEFCON, INFILTRATE, ShmooCon, RSA, Amazon ZonCon, and more. He is also a co-author of the "Android Hacker's Handbook" (published by Wiley).

Twitter: @quine
Web: ; ;

"Around the world in 80 cons” - A Perspective

Jayson E. Street Senior Partner of Krypton Security

After spending 15 years in the hacker / InfoSec community, I thought it was time to pause and look back upon all I have seen, everywhere I have been, all the people I met and everything I have learned. And then share some of that knowledge with people to hopefully help them have a leg up moving forward. More importantly, compare and contrast my experiences and perspectives with statistics we commonly see based on attacks and the countries of origin. Statistics tell one story, perspective tells the other. This is a talk on perspectives.

Hackers, and hacking, are perceived differently around the world and, in turn, some view our community and what we do with different eyes than ours. I believe most reports/papers we (Americans) see about that topic are skewed and never give an accurate global image. Taking a very small dose of reality and comparing it to what we're subjected to, is interesting. Being a foreign hacker attending a con, or delivering an engagement, in an alien land often led to unexpected situations that I will also share.

I will also share while searching for diversity in our global hacking culture I found things that united us more than you would expect. I show how no matter what region of the planet you come from we face a threat we all need to face and overcome.

Jayson E. Street is an author of “Dissecting the hack: The F0rb1dd3n Network” from Syngress. Also creator of He has also spoken at DEFCON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street” *He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006. ;-)

Twitter: @jaysonstreet

I Hunt TR-069 Admins: Pwning ISPs Like a Boss

Shahar Tal Security & Vulnerability Research Team Leader, Check Point Software Technologies

Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape - ever so often do we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical amounts of users. These servers are, by design, in complete control of entire fleets of consumer premises devices, intended for use by ISPs and Telco providers. or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices. During the talk (pending patch availability), we will release exploits to vulnerabilities we discovered in ACS software, including RCE on a popular package, leading to ACS (and managed fleet) takeover.

Shahar Tal leads a team of Security & Vulnerability Researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar (that's Major Tal, for you) brings over ten years of experience in his game, eager to speak and share in public domain. Shahar is a proud father, husband and a security geek who still can't believe he's getting paid to travel to awesome infosec cons. When you meet him, ask him to show you his hexdump tattoo.

The Only Way to Tell the Truth is in Fiction: The Dynamics of Life in the National Security State

Richard Thieme ThiemeWorks

Over a decade ago, a friend at the National Security Agency told Richard Thieme that he could address the core issues they discussed in a context of "ethical considerations for intelligence and security professionals" only if he wrote fiction. "It's the only way you can tell the truth," he said.

Three dozen published short stories and one novel-in-progress (FOAM) later, one result is "Mind Games," published in 2010 by Duncan Long Publishing, a collection of stories that illuminates “non-consensual realities:” the world of hackers; the worlds of intelligence professionals; encounters with other intelligent life forms; and deeper states of consciousness.

A recent scholarly study of “The Covert Sphere” by Timothy Melley documents the way the growth and influence of the intelligence community since World War 2 has created precisely the reality to which that NSA veteran pointed. The source of much of what “outsiders” believe is communicated through novels, movies, and television programs. But even IC “insiders” rely on those sources as compartmentalization prevents the big picture from coming together because few inside have a “need to know.”

Thieme asked a historian at the NSA what historical events they could discuss with a reasonable expectation that their words denoted the same details. “Anything up to 1945,” the historian said with a laugh – but he wasn’t kidding.

Point taken.

This fascinating presentation illuminates the mobius strip on which all of us walk as we make our way through the labyrinth of security and intelligence worlds we inhabit of necessity, all of us some of the time and some of us all of the time. It discloses why “post-modernism” is not an affectation but a necessary condition of modern life. It addresses the words of an NSA intelligence analyst who responded to one of Thieme’s stories by saying, “most of this isn’t fiction, but you have to know which part to have the key to the code.” This talk does not provide that key, but it does provide the key to the key. It also throws into relief everything else you hear – whether from the platform or in the hallways – inside this conference. And out there in the “real world.”

“Nothing is what it seems.”

Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change and identify shift. His column, "Islands in the Clickstream," was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the NSA said, "The only way you can tell the truth is through fiction," he returned to writing stories, 19 of which are collected in “Mind Games.” He is co-author of the critically acclaimed “UFOs and Government: A Historical Inquiry,” a 5-year research project using material exclusively from government documents and other primary sources, now in 50 university libraries. Speeches based on the book have been given for HITB-KL, an FBI/Infragard “superconference,” the Ryerson Astronomical Society at the University of Chicago, the Chicago Astronomical Society at Adler Planetarium, and dozens of libraries.

A novel, FOAM, is in progress and “A Richard Thieme Reader” will be published soon. His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities, including Purdue University (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas, the “Design Matters” lecture series at the University of Calgary, “The Real Truth: A World’s Fair” at Raven Row Gallery, London, and as a Distinguished Lecturer in Telecommunications Systems Management at Murray State University. He addressed the reinvention of “Europe” as a “cognitive artifact” for curators and artists at Museum Sztuki in Lodz, Poland.

A full bio is at:
twitter and skype: neuralcowboy
linkedIn: Richard Thieme
Facebook: Richard Thieme author page

A Journey to Protect Points-of-sale

Nir Valtman Enterprise Security Architect, NCR Retail

Many point-of-sale breaches occurred in the past year and many organizations are still vulnerable against the simplest exploits. In this presentation, I explain about how points-of-sale get compromised from both retailer’s and software-vendor’s perspective. One of the most common threats is memory scraping, which is a difficult issue to solve. Hence, I would like to share with you a demonstration of how it works and what can be done in order to minimize this threat. During this presentation, I will explain the long journey took me to understand how to mitigate it, while walking through the concepts (not exposing vendor names) that don’t work and those that can work.

Nir is employed in NCR Corporation as Enterprise Security Architect of NCR Retail, and also works as co-founder and CTO in his start-up company, Crowdome. Before the acquisition of Retalix by NCR, he was Chief Security Officer of R&D in the company. As part of his previous positions in the last decade, he was working as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant and a Technological Trainer. During these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing and development for personal\internal applications. In addition, Nir released an open source anti-defacement tool called AntiDef and written a publication about QRbot, an iPhone QR botnet POC he developed. Nir have a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities.

Impostor — Polluting Tor Metadata

Charlie Vedaa

Mike Larsen

Just using Tor can bring the cops to your door. While the security community was busy scolding the Harvard bomb threat kid for his poor OPSEC, this ugly revelation was largely ignored.

Malware authors are doing their part to remedy the situation; by adding thousands of infected hosts to the Tor network, they're making Tor traffic more common, and making dragnet investigation techniques less viable.

But the hackers need to step up and help too. By taking advantage of weak detection techniques in security tools, fake Tor traffic can be injected with some simple JavaScript. We'll show how easy it is to fool open source monitoring tools, and present a variety of options for testing your closed source gear.

In this fast-paced talk we'll cover how Tor traffic is detected, how false positives can be generated, and how you can help fight for anonymity on the Internet.

Charlie Vedaa, CCIE #7502, is a fork and spoon operator for the US government. He's living proof that they'll let anyone speak at DEF CON, BSidesLV, Notacon, and HOPE.

Twitter: @charlievedaa

Mike Larsen is the world's dopest application security consultant. He's a Don Juan, lover, Lothario, straight up out the EFNET barrio.

Domain Name Problems and Solutions

Dr. Paul Vixie CEO, Farsight Security

Spammers can't use dotted quads or any other literal IP address, since SpamAssassin won't let it through, since it looks too much like spam. So, spammers need cheap and plentiful -- dare we say 'too cheap to meter'? -- domain names. The DNS industry is only too happy to provide these domain names, cheaply and at massive scale. The end result is that 90% of all domain names are crap, with more on the way. DNS registrars and registries sometimes cooperate with law enforcement and commercial takedown efforts since it results in domains that die sooner thus creating demand for more domains sooner. Spammers and other abusers of the Internet commons sometimes try to keep their domains alive a little longer by changing name server addresses, or changing name server names, many times per day. All of this action and counteraction leaves tracks, and around those tracks, security minded network and server operators can build interesting defenses including DNS RPZ, a firewall that works on DNS names, DNS responses, and DNS metadata; and NOD, a feed of Newly Observed Domains that can be used for brand enforcement, as well as an RPZ that can direct a DNS firewall to treat infant domain names unfairly. Dr. Paul Vixie, long time maintainer of BIND and now CEO of Farsight Security, will explain and demonstrate."

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).

Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He is considered the primary author and technical architect of BIND 8, and he hired many of the people who wrote BIND 9 and the people now working on BIND 10. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). He earned his Ph.D. from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC).

Optical Surgery; Implanting a DropCam

Patrick Wardle Director of Research, Synack

Colby Moore Security Research Engineer, Synack

Video Monitoring solutions such as DropCam aim to provide remote monitoring, protection and security. But what if they could be maliciously subverted? This presentation details a reverse-engineering effort that resulted in the full compromise of a DropCam. Specifically, given physical access and some creative hardware and software hacks, any malicious software may be persistently installed upon the device.

Implanting a wireless video monitoring solution presents some unique opportunities, such as intercepting the video stream, ‘hot-micing’, or even acting as persistent access/attack point within a network. This presentation will describe such an implant and well as revealing a method of infecting either Windows or OS X hosts that are used to configure a subverted DropCam.

Patrick Wardle is Director of Research at Synack, where he leads Research and Development efforts. His current focus is on identifying emerging threats in OSX and mobile malware. In addition, Patrick is an experienced vulnerability and exploitation analyst and has found multiple exploitable 0days in major operating systems and popular client applications. In his limited spare time he writes iOS apps for fun (and hopefully one day, for profit). Patrick’s prior roles include security research work with VRL and the NSA.

Colby Moore is Security Research Engineer at Synack where he focuses on identifying critical vulnerabilities in various products and services. Ever since setting eyes on a computer he has had a burning desire to hack anything in sight, but prefers to focus on where hardware and software meet. He has been involved in the computer security community for as long as he can remember and has identified countless 0-day vulnerabilities in embedded systems, major social networks, and consumer devices. Some might say Colby has an unhealthy obsession for spontaneous adventure, things that go fast, and the occasional mischief.

Manna from Heaven: Improving the state of wireless rogue AP attacks

Dominic White CTO, SensePost

Ian de Villiers Senior Analyst, SensePost

The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks, authentication to wireless networks can either be cracked or intercepted, and our ability to capture credentials at a network level has long been established. Often, the most significant protection users have are hitting the right button on an error message they rarely understand. Worse for the user, these attacks can be repeated per wireless network allowing an attacker to target the weakest link.

This combination of vulnerable and heavily used communications should mean that an attacker needs just arrive at a location and setup for credentials and access to start dropping from the sky. However, the reality is far from this; karma attacks work poorly against modern devices, network authentication of the weakest sort defeats rogue APs and interception tools struggle to find useful details.

This talk is the result of our efforts to bring rogue AP attacks into the modern age. The talk will provides details of our research into increasing the effectiveness of spoofing wireless networks, and the benefits of doing so (i.e. gaining access). It includes the release of a new rogue access point toolkit implementing this research.

Dominic is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 10 years. He is responsible for SensePost's wireless hacking course, Unplugged. He tweets as @singe.

Ian de Villiers is a security analyst at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of advisories relating to portal platforms. He has also provided security training and spoken at security conferences internationally.

Ian previously published numerous tools, such as reDuh, but more recently, SapProxy

The Open Crypto Audit Project

Kenneth White Co-Founder, Open Crypto Audit Project

Matthew Green Research Professor, Johns Hopkins University

Join us for the story of the origins and history of the Open Crypto Audit Project (OCAP). OCAP is a community-driven global initiative which grew out of the first comprehensive public audit and cryptanalysis of the widely used encryption software TrueCrypt®. Our charter is to provide technical assistance to free and open source software projects in the public interest. We serve primarily as a coordinator for volunteers and as a funding mechanism for technical experts in security, software engineering, and cryptography. We conduct analysis and research on FOSS and other widely software, and provide highly specialized technical assistance, analysis and research on free and open source software. This talk will present how we audited TrueCrypt, detailing both the Phase I security assessment, and the Phase II cryptanalysis. Looking forward, in light of GotoFail and HeartBleed, we will discuss future plans for our next audit projects of other open source critical infrastructure.

Kenneth White is a co-founder of the CBX Group, and formerly principal scientist and senior security R&D engineer at Social & Scientific Systems. His work focuses on cloud security, machine learning, and distributed database architecture. At SSS, White led the Biomedical Informatics team that designed and runs the operations center for the largest clinical trial network in the world, with research centers in over 100 countries. Together with Matthew Green, White co-founded the TrueCrypt audit project, a community-driven initiative to conduct the first comprehensive cryptanalysis and public security audit of the widely used TrueCrypt encryption software. White holds a MEd from Harvard and is a PhD candidate in neuroscience and cognitive science, with research focusing on expert systems, real-time classification and machine learning. He is a technical reviewer for the Software Engineering Institute, and publishes and speaks frequently on computational neuroscience, signal processing, and security engineering.

Twitter: @kennwhite

Matthew D. Green, PhD is a professor of computer science at Johns Hopkins University. He teaches applied cryptography and builds secure systems. Green trained under Susan Hohenberger and Avi Rubin, and his research includes techniques for privacy-enhanced information storage, anonymous payment systems, and bilinear map-based cryptography. Green formerly served as a senior research staff member at AT&T Labs. Together with Kenneth White, he co-founded the TrueCrypt audit project, a community-driven initiative to conduct the first comprehensive cryptanalysis and public security audit of the widely used TrueCrypt encryption software. He blogs at Cryptography Engineering, and talks about cryptography and privacy.

Twitter: @matthew_d_green

Practical Aerial Hacking & Surveillance

Glenn Wilkinson Security Analyst, SensePost

The coupling of unmanned aerial vehicles (UAVs) with hacking & surveillance devices presents a novel way to track and profile individuals, as well as attack infrastructure. Whilst there have been numerous stories of stunt-hacking (attaching any existing hack to a flying toy) our research aimed to be practical and add use beyond the capability of ground based units.

In this talk we will discuss how people are already and unwittingly being tracked and surveilled by private, law enforcement, and military organizations. We will then present and demonstrate Snoopy, a mass data collection and correlation framework that uses information leaked from the wireless devices that people carry. The framework identifies, tracks, and profiles people by passively collecting wireless information from devices, as well as optionally interrogating devices for further information.

We will then discuss the advantages of having Snoopy attached to a UAV and present data and scenarios where altitude and speed are beneficial. Furthermore, we will demonstrate aerial hacking capabilities against both client devices and more generic infrastructure.

Expect audience interaction, tool releases, and Snoopy drones / t-shirts / stickers to be handed out for good audience questions.

Glenn is a Zimbabwean currently working for SensePost's UK office as a security analyst. His research has been presented at security conferences such as Black Hat (Las Vegas), 44Con (London), ZeroNights (Russia), and Hackito Ergo Sum (Paris). As a Rhodes Scholar, he holds two master's degrees from the University of Oxford.

From root to SPECIAL: Pwning IBM Mainframes

Philip “Soldier of Fortran” Young

1.1 million transactions are run through mainframes every second worldwide. From your flight to your ATM withdrawal a mainframe was involved. These critical, mainstays of the corporate IT world aren’t going anywhere. But while the hacker community has evolved over the decades, the world of the mainframe security has not.

This talk will demonstrate how to go from meeting an IBM, zSeries z/OS mainframe, getting root and eventually getting system SPECIAL, using tools that exist currently and newly written scripts. It will also show you how you can get access to a mainframe to help develop your own tools and techniques.

This talk will teach you the ‘now what’ after you've encountered a mainframe, returning the balance from the ‘computing mystics’ who run the mainframe back to the community.

Phil “Soldier of Fortran” Young is a mainframe security researcher at a large corporation where he develops audit and security requirements guidelines for the various ‘legacy‘ mainframe systems. In polite company he is referred as a ‘Mainframe Security Enthusiast’ and amongst mainframers “that f***ing guy making my life harder”. He has given talks about mainframe security at various security conferences including BlackHat, BSidesLV and Shmoocon. While at work and at home he devotes his time to researching z/OS design and implementation flaws, developing tools and writing articles and resources for other security experts to leverage as they “discover” the mainframe.

twitter: @mainframed767

PoS Attacking the Traveling Salesman

Alex Zacharis

Tsagkarakis Nikolaos Census

Our work presents a re-vamped Point-of-Sales (POS) attack targeting the transportation sector and focusing mainly on the international aviation industry. Through a real-life attack and while exposing serious security issues at an International Airport, we are re-introducing the popular PoS attack, focusing on the compromise of sensitive personal data such as travelers' identities and trip information. We will disclose all the technical details and proof-of-concepts of the attack we have performed on a real, widely used system: the WiFi time purchase kiosks located inside an International Airport. We will analyze the repercussions of the attack, focusing on the exposure of sensitive traveler information, along with the ability to perform privileged actions such as cashing out money from the kiosks. Our experience with contacting the airport's security will also be discussed.

Utilizing this attack, our team seized the opportunity to recreate the environment on which it took place in order to test a proof-of-concept malware targeting such PoS infrastucture. A step by step guide of the way our malware, named the "Travelers' Spy", exploits the available kiosk modules will be provided. The web camera and the barcode scanner are some of the modules exploited in a combination with memory scrapping to create a unique targeted malware that attacks travelers. Furthermore, a unique command channel for our malware will be introduced through specially crafted Aztec Code images posing as e-tickets. We will also release a newly developed barcode cloning and fuzzing mobile app for Android devices (the "Aztec Revenge" tool).

The tool implements a number of attacks, from simply cloning stolen e-tickets to issuing commands to our malware. "Aztec Revenge" can also be used by security researchers and penetration testers in order to fuzz barcode scanners and the web services behind them to expose security bugs. Finally, a combined attack using both the "Travelers' Spy" malware and the "Aztec Revenge" tool will be presented.

Alexandros Zaharis (BSc, MSc) currently works as a Security Officer for an NREN, dealing daily with security compliance, development & maintenance. He also holds a position as a CERT representative in the Greek National Academic & Research Security Incident Response Team, working on attack trends, penetration testing, corporate forensics, malware analysis, incident handling / response, etc. He has published a number of research papers on anti-forensics, steganalysis and user authentication architectures. In collaboration with the CENSUS Penetration team, Alex has exposed a number of critical vulnerabilities on widely used enterprise software platforms.

Tsagkarakis Nikolaos is the leader of the Census - - security testing services, focused on network and system attacks. Additionally there is a passion on using physical means to overcome security measures and gain access to each targeted asset. Specialized on Windows Internals Exploitation, Fuzzing on IR devices + other means, and network penetration testing.

How To Get Phone Companies To Just Say No To Wiretapping

Phil Zimmermann President & Co-Founder Silent Circle

Phil is going to talk about his latest projects, which are helping several mobile carriers to provide their customers with wiretap-free phone services.  These carriers are breaking ranks with the rest of their industry's century-long culture of wiretapping.  When you can get actual phone companies to join in the struggle, you know change is afoot.  And yes, Navy SEALS are involved.

Phil Zimmermann is the creator of both PGP, the most widely used email encryption software in the world, and the Zfone/ZRTP secure VoIP standard, and is now co-founder of Silent Circle.  Earlier in 2012 Phil was honored as an inductee into the 'Internet Hall of Fame.'  PC World named him one of the 'Top 50 Tech Visionaries' of the last 50 years and InfoWorld named him one of the 'Top 10 Innovators in E-business.' He has received Privacy International's 'Louis Brandeis Award,' CPSR's 'Norbert Weiner Award,' the 'EFF Pioneer Award,' and the Chrysler Award for 'Innovation in Design.'

Don't Fuck It Up!

Zoz Robotics Engineer

Online antics used to be all about the lulz; now they're all about the pervasive surveillance. Whether you're the director of a TLA just trying to make a booty call or an internet entrepreneur struggling to make your marketplace transactions as smooth as silk, getting up to any kind of mischief involving electronic communications now increasingly means going up against a nation-state adversary. And if even the people who most should know better keep fucking it up, what does that mean for the rest of us? What do the revelations about massive government eavesdropping and data ingestion mean for people who feel they have a right if not a duty to occasionally be disobedient?

It's time for a rant. Analyzing what is currently known or speculated about the state of online spying through the prism of some spectacular fuckups, this talk offers an amusing introduction to how you can maximize your chances of enduring your freedom while not fucking it up. Learn how not to fuck up covering your tracks on the internet, using burner phones, collaborating with other dissidents and more. If you have anything to hide, and all of us do, pay attention and Don't. Fuck. It. Up!

Zoz is a robotics engineer, prankster and general sneaky bastard. He has been pretty successful at pulling some cool subversive shit and not fucking it up and getting caught. He once faked a crop circle for the Discovery Channel and it was all uphill from there.