
DEF CON 24 Hacking Conference



DEF CON 24 Presentations

DIY Nukeproofing: A New Dig at 'Datamining'

3AlarmLampScooter Hacker

Does the thought of nuclear war wiping out your data keep you up at night? Don't trust third party data centers? Few grand burning a hole in your pocket and looking for a new Sunday project to keep you occupied through the fall? If you answered yes to at least two out of three of these questions, then 3AlarmLampscooter's talk on extreme pervasive communications is for you! You'll learn everything from calculating radiation half layer values to approximating soil stability involved in excavating your personal apocalypse-proof underground data fortress.

3AlarmLampScooter is an enigmatic armored mammal of the genus homo sapiens sapiens sapiens troglodyte found in caves and tunnels across the southeastern United States. As moderator of the subreddit /r/Neutron, 3AlarmLampscooter's enunciation espouses pervasive communication via excavation to protect from radiation and conflagration. When above-ground, 3AlarmLampscooter is a vocal transhumanism advocate developing 3D printed construction materials.

Reddit: /u/3AlarmLampScooter


The Remote Metamorphic Engine: Detecting, Evading, Attacking the AI and Reverse Engineering

Amro Abdelgawad Founder, Immuneye

As a matter of fact, it is all about the time needed to reverse engineer the most complex piece of code. Code complexity techniques are usually used just to increase the time and effort needed for reverse engineering. The desired effect of code complexity can be magnified using mechanisms that decrease and narrow the allowed time frame for any reverse engineering attempt to a few milliseconds. Such an approach can be applied using a metamorphic engine that is aware of the time dimension.

Beyond metamorphic applications for AV evasion, in this talk we will present a novel approach to resist and evade reverse engineering using a remote metamorphic engine that generates diversified morphed machine code with a very short expiration lifetime. Our approach is based on a client-server model using a challenge-response communication protocol made of morphed machine code rather than data. We will show how any reverse engineering attempt on such a model will be forced to execute or emulate the morphed code. Thus the code will always have the upper hand to detect, evade and attack the reverse engineering environment. Our approach is immune to static code analysis, as the functionalities and the communication protocol used are dynamically diversified remotely and do not exist in packed executable files. On the other hand, clock-synchronized morphed machine code driven by a remote metamorphic engine would trap dynamic RE attempts in the maze of metamorphism: one that is immune to code tampering and reversing by detecting the non-self.

We will present the fundamental difference between metamorphic and polymorphic techniques used to evade AV compared to the ones that can be used to resist RE. We will show how a remote diversified metamorphic self-modifying code with a very short expiration lifetime can detect, evade, and resist any code analysis, reverse engineering, machine learning and tampering attempts.

Amro Abdelgawad is a security researcher and the founder of Immuneye. He has more than 15 years' experience in software security and reverse engineering. He has experienced both sides of software security: vulnerability research, penetration testing, reverse engineering and exploit development on the offensive side, and the defensive side as a chief security officer for software companies running wide infrastructures. Amro is currently working as a security researcher; his main interests are analyzing malware, vulnerability research and developing artificial software immunity.



Kor Adana Writer & Technical Supervisor, MR. ROBOT
Dark Tangent Founder, DEF CON
Marc Rogers
Ryan Kazanciyan Chief Security Architect, Tanium
Andre McGregor Director of Security, Tanium
Kim Zetter Senior Staff Reporter, Wired

MR. ROBOT is a rare treat - a network television show whose hacker protagonist is a fully realized character with a realistically attainable set of skills. No hyper-typing, no gibberish masquerading as tech jargon, no McGuffins to magically paper over plot holes with hacker dust. MR. ROBOT takes the tech as seriously as the drama.

One of the main reasons for this verisimilitude is the work of Kor Adana, MR. ROBOT's advisor on all things hackish. His fingerprints are on every terminal window in the show. Another advisor to the show is our very own CJunky - known to the outside world as hacker and raconteur Marc Rogers. Join Dark Tangent for a panel discussion of MR. ROBOT: the phenomenon, the hacks and the crazy ways the show seems to pull its storylines from the future. Bring your questions, and keep an eye out for late-breaking special guests.

Kor Adana’s interest in technology started as a child when he tried to build a red box to get free calls on pay phones. By the time he was in middle school, he was building his own computer systems and getting into trouble. After obtaining a B.S. in IT Network Administration, Kor went on to work in enterprise network security for one of the world’s largest automakers. He performed penetration testing, designed security policies, managed enterprise-wide eDiscovery, and conducted forensics for legal and HR matters. While there, he also worked alongside NASA in a high-profile government investigation. He eventually left the IT world to pursue his true passion, writing for film and television. He’s worked with the producers of THE WALKING DEAD, THE SHIELD, LOST, and DEXTER. He is currently a writer and technical supervisor for USA's Golden Globe Award-winning drama, MR. ROBOT. He also has one of his own projects in development with Universal Cable Productions.

Ryan Kazanciyan is the Chief Security Architect for Tanium and has thirteen years of experience in incident response and forensics, penetration testing, and security architecture. Prior to joining Tanium, Ryan was a technical director and lead investigator at Mandiant, where he worked with dozens of Fortune 500 organizations impacted by targeted attacks.

Ryan has presented security research at dozens of events worldwide, including Black Hat, DEFCON, and RSA. He has led training sessions for hundreds of the FBI's cyber squad agents, and was a contributing author for "Incident Response and Computer Forensics, 3rd Edition", published in 2014.

Andre McGregor is at DEF CON 24 celebrating his one-year anniversary as Tanium’s Director of Security, responsible for internal cybersecurity. Prior to joining Tanium, Andre was a fresh-faced new agent with the FBI working cases like the NYC Subway bomber and the Times Square car bomb while arresting his share of Italian Organized Crime bosses. His computer engineering background led him to help form FBI New York’s first cyber national security squad, focused on computer intrusions from China, Russia, and Iran. Having deployed with the NSA Blue Team and DHS US-CERT/ICS-CERT as a technically trained cyber agent, Andre has led numerous large-scale cyber investigations ranging from financial crimes to critical infrastructure protection. In his free time, when he wasn’t sifting through terabytes of NetFlow with SiLK and playing around with Autopsy and IDA, Andre was an FBI firearms instructor, dive team medic, and a volunteer firefighter driving fire trucks. After graduating from Brown University, Andre worked as an engineer at Goldman Sachs and later transitioned to IT Director at Cardinal Health/Advogent. Having shed the badge and gun last year, Andre currently serves as the FBI cyber technical consultant for the TV show Mr. Robot.

Kim Zetter is an award-winning, senior staff reporter at Wired covering cybercrime, privacy, and security. She is writing a book about Stuxnet, a digital weapon that was designed to sabotage Iran's nuclear program.

Dark Tangent and Marc Rogers: bios to come.

So You Think You Want To Be a Penetration Tester

Anch Hacker

So, you think you want to be a penetration tester, or you already are one and don't understand the difference between you and all the other "so-called" penetration testers out there. Think you know the difference between a Red Team, a Penetration Test and a Vulnerability Assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your teammates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? Well, this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process, talk about planning and performing Red Teams, how they are different, and why they can be super effective, and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between, give you the answers to all the questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.

Anch currently works on a Red Team for an agency with a three-letter acronym. It's not secret squirrel or hush-hush; he just doesn't like to talk about himself very much. He has 15 years of experience in penetration testing and cyber security with a background in control systems and security architecture.

Twitter: @boneheadsanon


SITCH - Inexpensive, Coordinated GSM Anomaly Detection

ashmastaflash Hacker

It's recently become easier and less expensive to create malicious GSM Base Transceiver Station (BTS) devices, capable of intercepting and recording phone and SMS traffic. Detection methods haven't evolved to be as fast and easy to implement. Wireless situational awareness has a number of challenges. Categorically, these challenges are usually classified under Time, Money, or a lot of both. Provisioning sensors takes time, and the fast stuff usually isn’t cheap. Iterative improvements compound the problem when you need to get software updates to multiple devices in the field. I’ll present a prototype platform for GSM anomaly detection (called SITCH) which uses cloud-delivered services to elegantly deploy, manage, and coordinate the information from many independent wireless telemetry sensors (IoT FTW). We’ll talk about options and trade-offs when selecting sensor hardware, securing your sensors, using cloud services for orchestrating firmware, and how to collect and make sense of the data you’ve amassed. Source code for the prototype will be released as well. The target audience for this lecture is the hacker/tinkerer type with strong systems and network experience. A very basic understanding of GSM networks is a plus, but not required.

Ashmastaflash is a native of southeast Tennessee and a recent transplant to San Francisco. He entered the security domain through systems and network engineering, spent a number of years in network security tooling and integration, and currently works in R&D for CloudPassage.


A Journey Through Exploit Mitigation Techniques in iOS

Max Bazaliy Staff Engineer, Lookout

Over the past year, Apple has consistently added features to prevent exploitation of the iOS kernel. These features, while largely misunderstood, provide a path to understanding the iOS security model going forward. This talk will examine the history of iOS’s exploit mitigations from iOS 8 to iOS 9.3 in order to teach important features of the architecture. This talk will cover various enhancements that not only stop attackers from dynamically modifying the functionality of system services, but also resulted in the defeat of all known exploitation through function hooking. Additionally, we will explore how the ability to use PLT interception and the use of direct memory overwrite are no longer options for exploit writers because of recent changes. Finally, we will cover the code-signing mechanism in depth, its userland and kernel implementations, and possible ways to bypass code-sign enforcement.

Max Bazaliy is a security researcher at Lookout. He has over 9 years of experience in the security research space. Max has experience in native code obfuscation, malware detection and iOS exploitation. Before joining Lookout, Max worked in the malware research and software protection areas, most recently at Bluebox Security. Currently he is focused on mobile security research and XNU and LLVM internals. Max holds a Master's degree in Computer Science.

Twitter: @mbazaliy


Phishing without Failure and Frustration

Jay Beale CTO InGuardians Inc.
Larry Pesce Director of Research, InGuardians

You want to phish your company or your client. You’ve never done this for work before, you’ve got a week to do it, and you figure that’s plenty of time. Then someone objects to the pretext at the last minute. Or spam filters block everything. Or you decide to send slowly, to avoid detection, but the third recipient alerts the entire company. Or you can only find 5 target addresses. We’ve all been there on our first professional phishing exercise. What should be as easy as building a two-page web site and writing a clever e-mail turns into a massively frustrating exercise with a centi-scaled corpus of captured credentials. In this talk, we’ll tell you how to win at phishing, from start to finish, particularly in hacking Layer 8, the "Politics" layer of the OSI stack that’s part of any professional phishing engagement. We’ll share stories of many of our experiences, which recently included an investigation opened with the US Securities and Exchange Commission (SEC). Finally, we’ll tell you how we stopped feeling frustrated, learned to handle the politics, and produced successful phishing campaigns that hardened organizations at the human layer, and started to screw things up for the bad actors.

Jay Beale has created several security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which have been used throughout industry and government. He has served as an invited speaker, program chair and trainer at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the ‘Stealing the Network’ series. Jay is a founder and the CTO of the information security consulting company InGuardians, where way too many clients’ staff have enthusiastically given him their passwords.

Twitter: @jaybeale
Jay Beale on Facebook

Larry Pesce, the Director of Research at InGuardians, has a long history with hacking that began with the family TV when he was a kid, rebuilding it after it caught on fire. Both times. Later, as a web developer for a university in the early days of the Internet, he managed some of the first layer 3-switched networks in the world. Larry holds a handful of SANS certs, wrote a book or two and co-founded the multiple international award-winning security podcast, "Paul's Security Weekly". When not pursuing these activities, work-related passions have also involved leveraging OSINT for attack surface development.

Outside of work, Larry enjoys long walks on the beach weighed down by his ham radio (DE KB1TNF) and thinking of ways to survive the pending zombie apocalypse.



(Ab)using Smart Cities: The Dark Age of Modern Mobility

Matteo Beccaro CTO, Opposing Force
Matteo Collura Electronic Engineering Student, Politecnico di Torino

Over the last few years our world has been getting smarter and smarter. We may ask ourselves: what does smart mean? It is the possibility of building systems which are nodes of a more complex network, digitally connected to the Internet and to the final users. Our cities are becoming one of those networks, and over time more and more elements are getting connected to such a network: from traffic lights to information signs, from traffic and surveillance cameras to transport systems.

This last element, also called Smart Mobility, is the subject of our analysis, divided into three sub-elements, each one describing a different method of transport in our city:

Private transport: for this method we analyze the smart alternatives aimed at making parking easy, hassle-free and more convenient.

Shared transport: we focus our attention on those systems which share transport vehicles. In particular we deal with bike sharing, which seems to be the most widespread system in European cities.

Public transport: the object of our analysis for this section is the bus, metro and tram network.

The aim of our analysis is understanding the ecosystem which each element belongs to and performing a security evaluation of such a system. In this way the most plausible attack and fraud scenarios are pointed out and the presence of proper security measures is checked.

All the details discussed here are collected from a sample city, but the same methodology and concept can be applied to most of the smart cities in the world.

Matteo Beccaro is a security researcher, enrolled in Computer Engineering at Politecnico di Torino. He's co-founder and CTO of Opposing Force s.r.l., the first Italian offensive physical security company. Matteo works and researches on network protocols, NFC and EACS security. He's been selected as a speaker at some of the most prestigious international conferences, such as DEF CON 21, 30th Chaos Communication Congress (30C3), BlackHat USA Arsenal 2014, DEF CON 22 SkyTalks, BlackHat Europe 2014, TetCon 2015, DEF CON 23 and ZeroNights 2015. As Chief Technical Officer of Opposing Force, Matteo works on vulnerability research activities and building physical intrusion.

Twitter: @_bughardy_

Matteo Collura is a student of Electronic Engineering at Politecnico di Torino. He has been studying wireless networks, and in the last few years he has focused on NFC and Bluetooth. He presented the results of a progressive work of research at several conferences: DEF CON 21 (Las Vegas, 2013), 30C3 (Hamburg, 2013), DEF CON SkyTalks (Las Vegas, 2014), BlackHat USA 2014 Arsenal (Las Vegas), DEF CON 23 (Las Vegas, 2015) and ZeroNights 2015 (Moscow). He is going to continue his studies with an MSc in Electronic Engineering, Systems and Controls.

Twitter: @eagle1753


Examining the Internet's pollution

Karyn Benson Graduate Student

Network telescopes are collections of unused but BGP-announced IP addresses. They collect the pollution of the Internet: scanning, misconfigurations, backscatter from DoS attacks, bugs, etc. For example, several historical studies used network telescopes to examine worm outbreaks.

In this talk I will discuss phenomena that have recently induced many sources to send traffic to network telescopes. By examining this pollution we find a wealth of security-related data. Specifically, I'll touch on scanning trends, DoS attacks that leverage open DNS resolvers to overwhelm authoritative name servers, BitTorrent index poisoning attacks (which targeted torrents with China in their name), a byte order bug in Qihoo 360 (while updating, this security software sent acknowledgements to wrong IP addresses... for 5 years), and the consequence of an error in Sality's distributed hash table.

Karyn recently defended her PhD in computer science. Prior to starting graduate school she wrote intrusion detection software for the US Army. When not looking at packets, Karb eats tacos, runs marathons, and collects state quarters.


An Introduction to Pinworm: Man in the Middle for your Metadata

bigezy Hacker
saci Hacker

What is the root cause of memory and network traffic bloat? Our current research using tools we previously released (Badger at Black Hat in 2014 and Kobra at BSidesLV 2015) shows a 40 percent increase in outside unique IP traffic destinations and a 400 percent increase in data transmitted towards these destinations. But through the course of the research we found that currently used IRP monitoring tools fall short of producing enough information to forensically investigate the exfiltration of user metadata. Pinworm is a sniffer that shows all IRPs created in the kernel for I/O devices. The IRPs are correlated with the processes that created them and the called driver stack. With network traffic data we are off to the races. Using Pinworm, which we released this week, we will show forensic case studies from cradle to grave of what happens when you do things online in social media sites.

Like all of our previously released tools, Pinworm is a framework including server side code you can use to collect and display user metadata inline in browser frames. Does this metadata collection happen in the browser, in userland, or in the kernel? Come to our talk and find out. We will demonstrate the collection of user metadata and collecting this information in a live browser session. Then we will show you how to intercept your personal data before it leaves your computer keeping your privacy, well, private. BYOTFH (Bring your own tin foil hat).

bigezy has spent his career defending critical infrastructure by hacking it from the inside to keep things from blowing up. Bigezy got his black badge from DEF CON in 2003. Bigezy currently works as a cyber security researcher at a place where these things are done. During the last 25 years, Bigezy has worked at Fortune 500 companies in the electric sector, financial sector, and telecom. He has spoken at numerous conferences worldwide, including BSidesLV and the DEF CON Crypto and Privacy Village last year. Bigezy is also the president of Hackito Ergo Sum in Paris, France. @bigezy_ When you are a one-legged boogeyman slash system internals hacker, every kick is a flying kick.

Twitter: @bigezy

saci takes pride in his disdain for hypocrisy. We are sure you have seen him around in the usual places, and maybe you think you know who he is. But, you will never quite know who he is until you come to the talk.

Twitter: @itsasstime


Jittery MacGyver: Lessons Learned from Building a Bionic Hand out of a Coffee Maker

Evan Booth Engineer

In May of 2015, it was estimated that a pod-based coffee maker could be found in nearly one in three American homes. Despite the continued popularity of these single-cup coffee conjurers at home as well as in the workplace, it has become clear that these devices are not impervious to mechanical and/or electrical failure. It was this intersection of extremely prevalent hardware and relatively short lifespan that prompted me to begin exploring the upper limits of what could be created by repurposing one of the most popular pod-based machines: the Keurig. In this session, we will walk through some real-world examples of ‘MacGyver’-style creative problem-solving, we'll go hands on (yes, pun intended) with stuff made from repurposed Keurigs, and finally, I'll reflect on lessons learned from looking for potential in things most people deem common and unremarkable.

Evan Booth loves to build stuff out of other stuff; he tends to break things for curiosity's sake. Throughout 2013 and into 2014, in an effort to highlight hypocrisy and "security theater" brought about by the TSA, through a research project called "Terminal Cornucopia," Evan created an arsenal ranging from simple melee weapons to reloadable firearms to remotely triggered incendiary suitcases, all composed solely of items that anyone can purchase inside most airport terminals *after* the security checkpoint. Given the right ingredients, a big cardboard box can be a time machine, spaceship, minecart, or a telephone booth that only calls people named "Steve" who live in the future.

Twitter: @evanbooth


Exploiting and Attacking Seismological Networks... Remotely

Bertin Bervis Bonilla Founder, NETDB.IO
James Jara Founder & CTO, NETDB.IO

In this presentation we are going to explain and demonstrate, step by step in a real attack scenario, how a remote attacker could elevate privileges in order to take remote control of a production seismological network located 183 meters under the sea. We found several seismographs in production connected to the public Internet, providing graphs and data to anyone who connects to the embedded web server running on port 80. The seismographs provide real-time data based on perturbations from the earth and its surroundings; we consider this critical infrastructure, and the lack of protection and implementation by the technicians in charge is clear.

We are going to present 3 ways to exploit the seismograph, which is segmented into 3 parts:

Modem (GSM, Wi-Fi, Satellite, GPS, serial COM) {web server running on port 80, SSH daemon}

Sensor (device collecting the data from the ground or ocean bottom)

Battery (1 year lifetime)

Apollo server (MAIN acquisition core server)

These vulnerabilities affect the Modem, which is directly connected to the sensor; a remote connection to the modem is all that is needed to compromise the whole seismograph network. After getting a root shell, our goal is to execute a post-exploitation attack. This specific attack corrupts/modifies the whole seismological research data of a country/area in real time. We are going to propose recommendations and best practices on how to deploy a seismological network in order to avoid these nasty attacks.

Bertin Bervis Bonilla is a security researcher focused on offensive security, reverse engineering, and network attacks and defense. Bertin has been a speaker at several security conferences in his country and Latin America, such as OWASP Latin Tour, DragonJAR conference and EKOPARTY. He is the founder of NetDB, the Network Database project, a computer fingerprint/certificate-driven search engine. He was formerly a network engineer working for a five-letter US networking company in San Jose, Costa Rica.

Twitter: @bertinjoseb

James Jara is the founder and CTO of NETDB.IO, a search engine of Internet of Things devices focused on info-security research. He likes the Bitcoin industry, open source and framework development, and has given various presentations at security conferences like EkoParty. He is interested in machine learning for mobile, Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks. Sport-coder!


All Your Solar Panels are Belong to Me

Fred Bret-Mounet Hacker

I got myself a new toy: A solar array... With it, a little device by a top tier manufacturer that manages its performance and reports SLAs to the cloud. After spending a little time describing why it tickled me pink, I'll walk you through my research and yes, root is involved! Armed with the results of this pen test, we will cover the vendor's reaction to the bee sting: ostrich strategy, denial, panic, shooting the messenger and more. Finally, not because I know you get it, but because the rest of the world doesn't, we'll cover the actual threats associated with something bound to become part of our critical infrastructure. Yes, in this Shodan world, one could turn off a 1.3MW solar array but is that as valuable as using that device to infiltrate a celebrity's home network?

Fred Bret-Mounet's descent into the underworld of security began as a pen tester at @stake. Now, he leads a dual life--info sec leader by day, rogue hacker by night. His life in the shadows and endless curiosity has led to surprising home automation hacks, playing with Particle Photons and trying to emulate Charlie & Chris' car hacking on his I3.

Twitter: @fbret


Introducing the Wichcraft Compiler Collection: Towards Universal Code Theft

Jonathan Brossard (endrazine) Master of Darkness

With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former is that it does work. Having achieved universal code ‘reuse’ by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self-awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.

The applications in terms of vulnerability exploitation, functional testing, static analysis validation and, more generally, computer wizardry being tremendous, we'll have fun demoing some new exploits in real-life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, and stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented in the Wichcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24.

Jonathan Brossard is a computer whisperer from France, although he's lived in Brazil, India and Australia, and now lives in San Francisco. For his first conference, at DEF CON 16, he hacked Microsoft BitLocker, McAfee Endpoint and a fair number of BIOS firmwares. During his second presentation, at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, which the MIT Technology Review labeled “incurable and undetectable”.

This year will be his third DEF CON. Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating in the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade, including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.

Twitter: @endrazine
Facebook: toucansystem


Bypassing Captive Portals and Limited Networks

Grant Bugher Perimeter Grid

Common hotspot software like ChilliSpot and Sputnik allows anyone to set up a restricted WiFi router or Ethernet network with a captive portal, asking for money, advertising, or personal information in exchange for access to the Internet. In this talk I take a look at how these and similar restrictive networks work, how they identify and restrict users, and how, with a little preparation, we can reach the Internet regardless of what barriers they throw up.

Grant Bugher has been hacking and coding since the early '90s and working professionally in information security for the last 12 years. He is currently a security engineer for a cloud service provider, and has previously been an architect, program manager and software engineer on a variety of online services, developer tools and platforms. Grant is a prior speaker at BlackHat and DEF CON and a regular DEF CON attendee since DEF CON 16. Most of his research and work is on cloud computing and storage platforms, application security, and detecting and investigating attacks against web-scale applications.

Twitter: @fishsupreme


VLAN hopping, ARP Poisoning and Man-In-The-Middle Attacks in Virtualized Environments

Ronny Bull Assistant Professor of Computer Science, Utica College & Ph.D. Candidate, Clarkson University
Dr. Jeanna N. Matthews Associate Professor of Computer Science, Clarkson University
Ms. Kaitlin A. Trumbull Undergraduate CS Research Assistant, Utica College

Cloud service providers offer their customers the ability to deploy virtual machines in a multi-tenant environment. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. At DEF CON 23, we presented how attacks known to be successful on physical switches apply to their virtualized counterparts. Here, we present new results demonstrating successful attacks on more complicated virtual switch configurations such as VLANs. In particular, we demonstrate VLAN hopping, ARP poisoning and Man-in-the-Middle attacks across every major hypervisor platform. We have added more hypervisor environments and virtual switch configurations since our last disclosure, and have included results of attacks originating from the physical network as well as attacks originating in the virtual network.

Mr. Bull is an Assistant Professor of Computer Science at Utica College with a focus in computer networking and cybersecurity. He is also a Computer Science Ph.D. candidate at Clarkson University focusing on Layer 2 network security in virtualized environments. Ronny earned an A.A.S. degree in Computer Networking at Herkimer College in 2006 and completed both a B.S. and M.S. in Computer Science at SUNYIT in 2011. He also co-founded and is one of the primary organizers of the Central New York Intercollegiate Hackathon event, which brings together cybersecurity students from regional colleges to compete against each other in offensive and defensive cybersecurity activities.

Dr. Matthews is an Associate Professor of Computer Science at Clarkson University. Her research interests include virtualization, cloud computing, computer security, computer networks and operating systems. Jeanna received her Ph.D. in Computer Science from the University of California at Berkeley in 1999. She is currently the co-editor of ACM Operating System Review and a member of the Executive Committee of US-ACM, the U.S. Public Policy Committee of ACM. She is a former chair of the ACM Special Interest Group on Operating Systems (SIGOPS). She has written several popular books including Running Xen: A Hands-On Guide to the Art of Virtualization and Computer Networking: Internet Protocols In Action.

Miss Trumbull is an undergraduate student at Utica College working on her bachelor's degree in Computer Science with a concentration in computer and network security. She is also an officer of the Utica College Computer Science club (a.k.a. The UC Compilers). Kaitlin is currently working as an undergraduate research assistant to Professor Bull.

Back to top

Crypto: State of the Law

Nate Cardozo Senior Staff Attorney, Electronic Frontier Foundation

Strong end-to-end encryption is legal in the United States today, thanks to our victory in what’s come to be known as the Crypto Wars of the 1990s. But in the wake of Paris and San Bernardino, there is increasing pressure from law enforcement and policy makers, both here and abroad, to mandate so-called backdoors in encryption products. In this presentation, I will discuss in brief the history of the first Crypto Wars, and the state of the law coming into 2016. I will then discuss what happened in the fight between Apple and the FBI in San Bernardino and the current proposals to weaken or ban encryption, covering proposed and recently enacted laws in New York, California, Australia, India, and the UK. Finally, I will discuss possible realistic outcomes to the Second Crypto Wars, and give my predictions on what the State of the Law will be at the end of 2016.

Nate Cardozo is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF’s cryptography policy and the Coders’ Rights Project. Nate has projects involving export controls on software, state-sponsored malware, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings.

Twitter: @ncardozo

Back to top

Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers

Allan Cecil (dwangoAC) President, North Bay Linux User's Group

TASBot is an augmented Nintendo R.O.B. robot that can play video games without any of the button-mashing limitations we humans have. By pretending to be a controller connected to a game console, TASBot triggers glitches and exploits weaknesses to execute arbitrary opcodes and rewrite games. This talk will cover how these exploits were found and will explore the idea that breaking video games using Tool-Assisted emulators can be a fun way to learn the basics of discovering security vulnerabilities. After a brief overview of video game emulators and the tools they offer, I'll show a live demo of how the high accuracy of these emulators makes it possible to create a frame-by-frame sequence of button presses accurate enough to produce the same results even on real hardware. After demonstrating beating a game quickly, I'll show how the same tools can be used to find exploitable weaknesses in a game's code that can be used to trigger an Arbitrary Code Execution, ultimately treating the combination of buttons being pressed as opcodes. Using this ability, I'll execute a payload that will connect a console directly to the internet and will allow the audience to interact with it. An overview of some of the details that will be described in the talk can be found in an article I coauthored for the PoC||GTFO journal (Pokemon Plays Twitch, page 6).

Allan Cecil (dwangoAC) is the President of the North Bay Linux User's Group. He acts as an ambassador for, a website devoted to using emulators to complete video games as quickly as the hardware allows. He participates in Games Done Quick charity speedrunning marathons using TASBot to entertain viewers with never-before-seen glitches in games. By day, he is a senior engineer at Ciena Corporation working on OpenStack Network Functions Virtualization orchestration and Linux packet performance optimization testing.

Twitter: @MrTASBot
Twitch.TV: dwangoac
YouTube: dwangoac

Back to top

Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity

Alex Chapman Principal Researcher, Context Information Security
Paul Stone Principal Researcher, Context Information Security

Rogue access points provide attackers with powerful capabilities, but in 2016 modern privacy protections such as HTTPS Everywhere, free TLS certificates and HSTS are de-facto standards. Surely our encrypted traffic is now safe on the local coffee shop network? If not, my VPN will definitely protect me... right? In this talk we'll reveal how recent improvements in online security and privacy can be undermined by decades-old design flaws in obscure specifications. These design weaknesses can be exploited to intercept HTTPS URLs and proxy VPN-tunneled traffic. We will demonstrate how a rogue access point or local network attacker can use these new techniques to bypass encryption, monitor your search history and take over your online accounts. No logos, no acronyms; this is not a theoretical crypto attack. We will show our techniques working on $30 hardware in under a minute. Online identity? Compromised. OAuth? Forget about it. Cloud file storage? Now we're talking.

Alex Chapman is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability discovery, exploit development, bespoke protocol analysis and reverse engineering. He has been credited in security advisories for a number of major software products for vendors such as Citrix, Google, Mozilla and VMware, and has presented his research at security conferences around the world. He has spent the past several months making things (for a change), poking holes in old technologies, and pointing out security flaws which have no place in modern day software.

Twitter: @noxrnet

Paul Stone is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability research, reverse engineering, and tool development. He has a focus on browser security and has reported a number of vulnerabilities in the major web browsers including Chrome, Internet Explorer, Firefox, and Safari. He has spoken at a number of Black Hat conferences, presenting the well-received 'Pixel-Perfect Timing Attacks' and 'Next Generation Clickjacking' talks. Paul's recent obsession has been Bluetooth LE, and he has helped create the RaMBLE Android app for collecting and analyzing BLE data.

Twitter: @pdjstone

Back to top

NG9-1-1: The Next Generation of Emergency Ph0nage

CINCVolFLT (Trey Forgety) Director of Government Affairs & IT Ninja, NENA: The 9-1-1 Association
AK3R303 (Alex Kreilein) CTO & Co-Founder, SecureSet

For 48 years, 9-1-1 has been /the/ emergency telephone number in the United States. It's also been mired in 48-year-old technology. So let's just put that on the internet, right? What could possibly go wrong? Without the radical segmentation of the PSTN, the move to IP networks (even the private, managed kind) will bring new 9-1-1 capabilities AND new vulnerabilities. This talk builds on the work of quaddi, r3plicant, and Peter Hefley (see "Hacking 911: Adventures in Destruction, Disruption, and Death," DEF CON 22). It provides an overview of NG9-1-1 architecture and security concerns, and identifies critical attack surfaces that Public Safety Answering Points need to monitor and secure. Familiarity with NENA's i3 and NG-SEC standards may be helpful, but is not required.

CINCVolFLT (Trey Forgety) is Director of Government Affairs for NENA: The 9-1-1 Association. He previously served as a Presidential Management Fellow in the U.S. Department of Homeland Security's Office of Emergency Communications, with rotations in the Federal Communications Commission's Public Safety and Homeland Security Bureau, and the U.S. Department of Commerce's National Telecommunications and Information Administration. A sometimes-piratical sailor and inveterate tinkerer, CINCVolFLT's recent activities have included work on establishing a backup timing source for telecom networks to ensure service during GPS outages or jamming, and serving as pro bono counsel to QueerCon. He holds a B.S. in Applied Physics and a J.D., both from the University of Tennessee (GO VOLS!).

Twitter: @cincvolflt

AK3R303 (Alex Kreilein) is Managing Partner and CTO of SecureSet, which is a cybersecurity services provider specializing in education and startup acceleration. Previously, AK3R303 was a Technology Strategist with the U.S. Department of Homeland Security and a Guest Researcher at the National Institute of Standards and Technology focusing on public safety and mobile communications network security. He holds a B.A. from Fordham University where he studied nuclear game theory through the political science department in Beijing, China. He holds an M.A. in National Security & Strategic Studies from the US Naval War College, and is an M.S. / Ph.D. candidate at the CU Boulder College of Engineering & Applied Sciences in Telecom Engineering.

Twitter: @ak3r303

Back to top

Machine Duping 101: Pwning Deep Learning Systems

Clarence Chio ML Hacker

Deep learning and neural networks have gained incredible popularity in recent years. The technology has grown to be the most talked-about and least well-understood branch of machine learning. Aside from its highly publicized victories in playing Go, numerous successful applications of deep learning in image and speech recognition have kickstarted movements to integrate it into critical fields like medical imaging and self-driving cars. In the security field, deep learning has shown good experimental results in malware/anomaly detection, APT protection, spam/phishing detection, and traffic identification. This DEF CON 101 session will guide the audience through the theory and motivations behind deep learning systems. We look at the simplest form of neural networks, then explore how variations such as convolutional neural networks and recurrent neural networks can be used to solve real problems with an unreasonable effectiveness. Then, we demonstrate that most deep learning systems are not designed with security and resiliency in mind, and can be duped by any patient attacker with a good understanding of the system. The efficacy of applications using machine learning should not only be measured with precision and recall, but also by their malleability in an adversarial setting. After diving into popular deep learning software, we show how it can be tampered with to do what you want it to do, while avoiding detection by system administrators.

Besides giving a technical demonstration of deep learning and its inherent shortcomings in an adversarial setting, we will focus on tampering real systems to show weaknesses in critical systems built with it. In particular, this demo-driven session will be focused on manipulating an image recognition system built with deep learning at the core, and exploring the difficulties in attacking systems in the wild. We will introduce a tool that helps deep learning hackers generate adversarial content for arbitrary machine learning systems, which can help make models more robust. By discussing defensive measures that should be put in place to prevent the class of attacks demonstrated, we hope to address the hype behind deep learning from the context of security, and look towards a more resilient future of the technology where developers can use it safely in critical deployments.

Clarence Chio graduated with a B.S. and M.S. in Computer Science from Stanford, specializing in data mining and artificial intelligence. He currently works as a Security Research Engineer at Shape Security, building a product that protects high-value web assets from automated attacks. At Shape, he works on the data analysis systems used to tackle this problem. Clarence spoke on Machine Learning and Security at PHDays, BSides Las Vegas and NYC, Code Blue, SecTor, and Hack in Paris. He has been a community speaker with Intel, and is also the founder and organizer of the 'Data Mining for Cyber Security' meetup group, the largest gathering of security data scientists in the San Francisco Bay Area.

Twitter: @cchio

Back to top

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors

Ang Cui PHD, CEO & Chief Scientist, Red Balloon Security
Jatin Kataria Principal Research Scientist, Red Balloon Security
Francois Charbonneau Research Scientist, Red Balloon Security

There are multiple x86 processors in your monitor! OSDs, or on-screen-display controllers, are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implications of this novel attack vector.

We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitor exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna.

Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.

Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled "Embedded System Security: A Software-based Approach", focused exclusively on scientific inquiries concerning the exploitation and defense of embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received various awards for his work on reverse engineering commercial devices, is the recipient of the Symantec Graduate Fellowship, and was selected as a DARPA Riser in 2015.

Jatin Kataria is a Principal Research Scientist at Red Balloon Security. His research focus is on the defense and exploitation of embedded devices. Jatin earned his master’s degree from Columbia University and a bachelor’s degree from Delhi College of Engineering. Previously, he has worked as a System Software Developer at NVIDIA and as an Associate Software Engineer at Mcafee.

Francois Charbonneau is an embedded security researcher who spent the better part of his career working for the Canadian government until he got lost and wandered into New York City. He now works as a research scientist for Red Balloon Security, where he lives a happy life, trying to make the world a more secure place, one embedded device at a time.

Back to top

Universal Serial aBUSe: Remote Physical Access Attacks

Rogan Dawes Researcher, Sensepost
Dominic White CTO, SensePost

In this talk, we'll cover some novel USB-level attacks that can provide remote command and control of even air-gapped machines, with a minimal forensic footprint, and release an open-source toolset using freely available hardware.

In 2000, Microsoft published its 10 Immutable Laws of Security [1], one of which was "if a bad guy has unrestricted access to your computer, it's not your computer anymore." This has been robustly demonstrated over the years. Examples include numerous DMA-access attacks against interfaces such as FireWire [2], PCMCIA and Thunderbolt [3], as well as USB-based attacks including simple in-line keyloggers, "evil maid" attacks [4] and malicious firmware [5].

Despite these warnings, groups such as the NSA were still able to use physical access to bypass software controls with toolsets such as COTTONMOUTH [6]. Likewise, criminals have been able to defraud banks with a handful of simple hardware tricks [7]. While some progress has been made to secure some devices against some threats, such as the use of full disk encryption, or the impact of Apple's Secure Enclave on the physical security of the iPhone [8], most laptops and desktops remain vulnerable to attacks via physical interfaces.

In our experience, organisations merely view USB devices as a channel for malware or unsanctioned communications, and rely on protections placed elsewhere in their defensive stack to deal with them, but few deal with the risk the USB interface presents directly. There are many scenarios where gaining physical access to hosts is plausible [9], and having done so can provide access to "chewy" internal networks [10] ripe for lateral movement.

While most people are familiar with USB devices, many don't realise the extent to which the USB standard allows seemingly innocuous devices to have multiple personalities. There has been an extensive amount of research into malicious USB devices, such as TURNIPSCHOOL [15], GoodFET/Facedancer [16], Shikra [17], Rubber Ducky [11], USBdriveby [12] and BadUSB [5]. However, none of these implement an end-to-end attack either because that was not their intention, they only focus on a part of the attack or the project was never completed.

Additionally, existing attacks are predominantly "send only" with no built-in bidirectional communications. They usually rely on the executed payload and the host’s networks for any advanced remote access. Thus, these payloads can leave a significant forensic footprint in the form of network communications and on-host behaviours, and leave them vulnerable to anti-malware controls. Numerous companies are improving toolsets to detect such attacks [13][14]. Lastly, these attacks are often "spray and pray", unable to account for variations in the user's behaviour or computer setup.

Our approach is to create a stealthy bi-directional channel between the host and device, with remote connectivity via 3G/Wi-Fi/Bluetooth and offload the complexity to our hardware, leaving a small simple stub to run on the host. This talk will discuss the process of creating a set of malicious USB devices using low cost hardware. The design and toolkit will be released during the talk.

Our toolkit provides three significant improvements over existing work. The first is the ability to gain a stealthy bi-directional channel with the host via the device. No traffic is generated on the target network (i.e. it would work against air-gapped hosts). This is done via the use of either a raw HID device or a standard USB class printer driver linked to our device, with the stub merely wrapping commands and their output to our device. The second is the ability to communicate with the device remotely via Wi-Fi/3G/Bluetooth, allowing for updates to the payloads, exfiltration of data, real-time interaction with the host and an ability to debug problems. This also has the advantage that any network controls are bypassed. Finally, the stub running on the host will leave a minimal forensic trail, making detection of the attack, or analysis of it later, difficult. For completeness' sake, a new transport for Metasploit was developed to allow Metasploit payloads to be used instead.

Our hope is that the tools will provide a method of demonstrating the risk of physical bypasses of software security without an NSA budget, and encourage defences to be built in this area.

[1] "10 Immutable Laws of Security"
[2] "Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation"
[3] "Thunderstrike 2"
[4] "Evil Maid goes after TrueCrypt!"
[5] "Turning USB peripherals into BadUSB"
[6] "Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic"
[7] "How bank hackers stole £1.25 million with a simple piece of computer hardware"
[8] "Apple vs FBI"
[9] "Users Really Do Plug in USB Drives They Find"
[10] "The Design of a Secure Internet Gateway"
[11] "USB Rubber Ducky Wiki"
[12] "USBDriveBy"
[13] "Cylance, Math vs Malware"
[14] "Carbon Black, Next Generation Endpoint Security"
[15] "NSA Playset, TURNIPSCHOOL"
[16] "Facedancer2"
[17] "The Shikra"

Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleagues' frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking, and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.

Dominic White is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 12 years. He tweets as @singe.

Back to top

CANSPY: a Framework for Auditing CAN Devices

Jonathan-Christofer Demay Airbus Defence and Space
Arnaud Lebrun Airbus Defence and Space

In the past few years, several tools have been released allowing hobbyists to connect to CAN buses found in cars. This is welcome, as the CAN protocol is becoming the backbone for embedded computers found in smart cars. Its use is now even spreading outside the car through the OBD-II connector: usage-based policies from insurance companies, air-pollution control from law enforcement or engine diagnostics from smartphones, for instance. Nonetheless, these tools will do no more than what professional tools from automobile manufacturers can do. In fact, they will do less, as they do not have knowledge of upper-layer protocols. Security auditors are used to dealing with this kind of situation: they reverse-engineer protocols before implementing them on top of their tool of choice. However, to be efficient at this, they need more than just being able to listen to or interact with what they are auditing. Precisely, they need to be able to intercept communications and block them, forward them or modify them on the fly. This is why, for example, a framework such as Burp Suite is popular when it comes to auditing web applications. In this paper, we present CANSPY, a framework giving security auditors such capabilities when auditing CAN devices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of rules or interactively using Ethernet and a packet manipulation framework such as Scapy.

It is also worth noting that it was designed to be cheap and easy to build as it is mostly made of inexpensive COTS. Last but not least, we demonstrate its versatility by turning around a security issue usually considered when it comes to cars: instead of auditing an electronic control unit (ECU) through the OBD-II connector, we are going to partially emulate ECUs in order to audit a device that connects to this very connector.

Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering.

Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.

Back to top

Auditing 6LoWPAN Networks using Standard Penetration Testing Tools

Jonathan-Christofer Demay Airbus Defence and Space
Adam Reziouk
Arnaud Lebrun

The Internet of Things is expected to be involved in the near future in all major aspects of our modern society. On that front, we argue that 6LoWPAN is a protocol that will be a dominant player as it is the only IoT-capable protocol that brings a full IP stack to the smallest devices. As evidence of this, we can highlight the fact that even the latest ZigBee Smart Energy standard is based on ZigBee IP which itself relies on 6LoWPAN, a competitor of the initial ZigBee protocol. Efficient IP-based penetration testing tools have been available to security auditors for years now. However, it is not that easy to use them in the context of a 6LoWPAN network since you need to be able to join it first. In fact, the difficult part is to associate with the underlying IEEE 802.15.4 infrastructure.

Indeed, this standard has already had two iterations since its release in 2003, and it provides several possibilities regarding network topology, data transfer model and security suite. Unfortunately, there is no off-the-shelf component that provides such a wide range of capabilities out of the box. Worse still, some of them deviate from the standard and can only communicate with components from the same manufacturer. In this paper, we present the ARSEN project: Advanced Routing for 6LoWPAN and Ethernet Networks. It provides security auditors with two new tools.

First, a radio scanner capable of identifying IEEE 802.15.4 infrastructures and for each one of them their specificities, including several deviations from the standard that we encountered in actual security audits.

Secondly, a border router capable of routing IPv6 datagrams between Ethernet and 6LoWPAN networks while adapting to the specificities identified by the scanner. As a result, the combination of both effectively allows security auditors to use available IP-based penetration testing tools on different 6LoWPAN networks.

Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering.

Adam Reziouk is an electronics and automation engineer currently working on wireless communications and industrial network security at AIRBUS Defence and Space. He holds a master's degree in electrical and electronic engineering and has been conducting vulnerability research activities on programmable logic controllers, connected devices and smart grids.

Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.

Back to top

DEF CON 101 Panel

Mike Petruzzi (wiseacre)
Ryan Clark (LosT)
Nikita Kronenberg

DEF CON has changed for the better since the days at the Alexis Park. It has evolved from a few speaking tracks to an event that still offers the speakers, but also Villages, where you can get hands-on experience and Demo Labs where you can see tools in action. Of course, there is still the Entertainment and Contest Area, as well as Capture The Flag. There is so much more to DEF CON than there was in the past and it is our goal to help you get the best experience possible. In addition to introducing each of the different aspects and areas of DEF CON, we have a panel of speakers that will talk about how they came to be part of DEF CON and their personal experiences over the years. Oh yeah, there is the time honored "Name the Noob", lots of laughs and maybe even some prizes. Plus, stay for the after party. Seriously, there is an after party. How awesome is that?

Mike Petruzzi (wiseacre) started at DEF CON participating in the Capture the Flag contest. Determined to do better the next year, he participated again. This time the format was 36 hours straight. He realized he was missing out on everything else that was happening at DEF CON. From then on he made a point to participate in as much as he could. Of course, within the limits of social anxiety so, if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all. Mike would like to thank Highwiz for everything.

Ryan "LosT" Clarke has been involved with DEF CON for 16 years. In addition to his role on the CFP board, LosT serves as DEF CON's official Cryptographer and Puzzle Master. He is best known for his early LosT @ CON Mystery Challenges designed to force creative thinking, which also introduced him to his amazing wife! Now he is responsible for designing the badges and lanyards for DEF CON, in addition to torturing a subculture of enthusiastic crypto fans with his ever-so-subtle clues and red herring rabbit holes in his yearly Badge challenge. LosT enjoys learning as much as he can about as much as he can. He can usually be found around CON in the 1o57 room, mostly encouraging and sometimes distracting a ragged band of sleep-deprived attendees who are racing to complete the challenge.

CrYpT first attended DEF CON at DC10 as CrAzE, where he made the common mistake of staying on the sidelines and not actively participating in all DEF CON had to offer. The experience was tough for him and he did not return for many years. He tried again at DC17, but this time he made the decision to start putting himself out there. After a marked improvement in the quality of his experience, he was determined to make each year better than the last. At DC20 he received the handle CrYpT from Y3t1 and met some people who would remain his closest friends to this day (looking at you Clutch). Now he leads the awesome, hard-working Inhuman Registration team in their quest to badge all the people. He's a member of the CFP Review Board and Security Tribe. In an effort to help welcome all the new faces at DEF CON, he is returning for his second year to the DC 101 panel. He encourages people to reach out and ask questions so they can get the most bang for their badge.

Born of glitter and moon beams, HighWiz is the things that dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people* he set about to create an event that would give the n00bs of Def Con a place to feel welcomed and further their own pursuit of knowledge. For years he has held onto the simple tenet that "You get out of Def Con what you put into it". Sometimes HighWiz can be a bit much to swallow and hard to take. HighWiz is a member of the CFP Review Board and Security Tribe.

*Some (but not all) of the people HighWiz would like to thank for helping to make 101 into what it is today : Runnerup, Wiseacre, Nikita, Roamer, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Beaker, AlxRogan, Jenn, Zant, GM1, Clutch, TheDarkTangent, Siviak, Ripshy, Valkyrie, Xodia, Flipper and all the members of Security Tribe. After taking a year off from the 101 Panel, HighWiz is honored to once again be participating in it, as it marks its eighth year.

Jay Korpi is not of the traditional hacker world; CrYpT invited him to DEF CON 6 years ago, and as a surgical first assist, he decided it was not of any interest to him. CrYpT insisted every year until finally three years ago CrYpT told him "there are people there smarter than you..." Jay couldn't believe it and had to see it for himself. His first year, it was obvious there were MANY people smarter than he was. Once he met some amazing people who were both inviting and generous, Jay vowed to get involved with DEF CON somehow so he could provide the same experience to others. He found his opportunity last year when he joined the Inhuman Registration team and was invited to share his experiences on the DC 101 panel. He attributes these opportunities to his willingness to put himself out there and meet as many people as possible from his very first CON.

Nikita Kronenberg works to ensure DEF CON runs as smoothly as one can expect from a hacker conference. In addition to planning a vast array of details prior to DEF CON and thwarting issues while onsite, she also serves as the Director of Call For Papers and Workshops. In this role she systematically processes hundreds of submissions, organizes the CFP Board, and manages the entire CFP process from beginning to end. While no one relishes the job of rejecting submissions, Nikita strives to make the experience more positive with personal feedback and alternative speaking opportunities. Once talks have been selected, she weaves the final list into a comprehensive four-day schedule over multiple speaking tracks. She serves as a primary point-of-contact for speakers leading up to DEF CON and acts as a liaison between speakers, press, and social media content organizers. Beyond the CFP, Nikita also works full-time on various behind-the-scenes administration and project management for DEF CON. As a DEF CON goon for the past 13 years, her superpowers involve putting out fires before they spark and juggling a multitude of tasks while balancing on an over-inflated ball. - rkut nefr ldbj gtjd bjws oayh qtmf york uykr fqwx awtr kumf giwk nxtw -

Twitter: @Niki7a

Back to top

pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle

Brad Dixon, Hacker

Security assessments of embedded and IoT devices often begin with testing how an attacker could recover firmware from the device. When developers have done their job well you'll find JTAG locked-up, non-responsive serial ports, locked-down uboot, and perhaps even a home brewed secure-boot solution. In this session you'll learn details of a useful hardware/software penetration technique to attempt when you've run out of easier options. We've used this technique on two commercial device security assessments successfully and have refined the technique on a series of test devices in the lab. This session will cover the prerequisites for successful application of the technique and give you helpful hints to help your hack! Best of all this technique, while a bit risky to the hardware, is easy to try and doesn't require specialized equipment or hardware modification. We are going to take pieces of metal and stab them at the heart of the hardware and see what happens. For the hardware/firmware developer you'll get a checklist that you can use to reduce your vulnerability to this sort of attack.

Brad Dixon once told his parents that if they gave him a Commodore 64 it would be the last computer he'd ever want. He never got that Commodore 64. Nevertheless Brad managed to become a computer nerd at a young age. Brad studied Computer Engineering at Georgia Tech and jumped into embedded software engineering. He worked for many years helping developers to design embedded Linux into telecom, network, and mobile products. Brad also took a turn as a product manager for embedded development tools and a mobile location analytics product. At Carve Systems he hacks IoT, embedded, and Linux systems.

Back to top

Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter

Delta Zero (John Seymour) Data Scientist, ZeroFOX
KingPhish3r (Philip Tully) Senior Data Scientist, ZeroFOX

Historically, machine learning for information security has prioritized defense: think intrusion detection systems, malware classification and botnet traffic identification. Offense can benefit from data just as well. Social networks, especially Twitter with its access to extensive personal data, bot-friendly API, colloquial syntax and prevalence of shortened links, are the perfect venues for spreading machine-generated malicious content. We present a recurrent neural network that learns to tweet phishing posts targeting specific users. The model is trained using spear phishing pen-testing data, and in order to make a click-through more likely, it is dynamically seeded with topics extracted from timeline posts of both the target and the users they retweet or follow. We augment the model with clustering to identify high value targets based on their level of social engagement such as their number of followers and retweets, and measure success using click-rates of IP-tracked links. Taken together, these techniques enable the world's first automated end-to-end spear phishing campaign generator for Twitter.
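The two preparatory steps the abstract describes, picking high-value targets by engagement and seeding each target with topics pulled from their own timeline and the accounts they follow, as an added example that is not the ZeroFOX team's code. The user records, timelines, stopword list, scoring weights and threshold are all constructed for illustration; the real pipeline clusters engagement scores rather than applying a fixed cutoff, and feeds the seed terms to the tweet-generating model.

```python
"""Added example (not code from the talk): target selection and topic
seeding on constructed data. All names, numbers and thresholds are
illustrative assumptions."""
import math
import re
from collections import Counter

# Constructed sample accounts with engagement numbers and who they follow.
USERS = {
    "alice": {"followers": 12000, "retweets": 340, "follows": ["carol"]},
    "bob":   {"followers": 80,    "retweets": 2,   "follows": []},
    "carol": {"followers": 2500,  "retweets": 95,  "follows": ["alice"]},
}
# Constructed timeline posts, one list per account.
TIMELINES = {
    "alice": ["Great talk on kubernetes security at the summit today",
              "kubernetes operators are eating my weekend",
              "New post: hardening kubernetes ingress controllers"],
    "bob":   ["lunch", "lol"],
    "carol": ["Looking at container escapes and kubernetes RBAC again",
              "Who is going to the summit next week?"],
}
# Minimal stopword list; a real run would use a proper one.
STOPWORDS = {"the", "at", "on", "a", "an", "my", "are", "and", "is", "to",
             "new", "who", "next", "week", "today", "again", "post", "great",
             "looking", "going", "lol", "lunch"}

def engagement_score(user: dict) -> float:
    """Log-scaled engagement: follower count dominates, retweets add a smaller term."""
    return math.log1p(user["followers"]) + 0.5 * math.log1p(user["retweets"])

def high_value_targets(users: dict, threshold: float) -> list:
    """Accounts ranked by engagement, keeping those at or above the threshold
    (a fixed cutoff stands in for the clustering step the talk describes)."""
    ranked = sorted(users, key=lambda u: engagement_score(users[u]), reverse=True)
    return [u for u in ranked if engagement_score(users[u]) >= threshold]

def tokenize(text: str) -> list:
    """Lowercase alphanumeric tokens with stopwords removed."""
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS]

def seed_topics(target: str, users: dict, timelines: dict, k: int = 3) -> list:
    """Most frequent terms across the target's own posts (weighted double)
    and the posts of the accounts the target follows."""
    counts = Counter()
    for post in timelines.get(target, []):
        for w in tokenize(post):
            counts[w] += 2
    for followed in users[target]["follows"]:
        for post in timelines.get(followed, []):
            counts.update(tokenize(post))
    return [w for w, _ in counts.most_common(k)]

if __name__ == "__main__":
    for t in high_value_targets(USERS, threshold=7.0):
        print(t, round(engagement_score(USERS[t]), 2), seed_topics(t, USERS, TIMELINES))
```

On the sample data the two high-follower accounts are kept and "bob" is dropped; the seed list for "alice" leads with the term that dominates both her own posts and the account she follows, which is exactly the kind of shared context that makes a generated link look plausible to the target.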

John Seymour is a Data Scientist at ZeroFOX, Inc. by day, and Ph.D. student at University of Maryland, Baltimore County by night. He researches the intersection of machine learning and InfoSec in both roles. He's mostly interested in avoiding and helping others avoid some of the major pitfalls in machine learning, especially in dataset preparation (seriously, do people still use malware datasets from 1998?) He has spoken at both DEF CON and BSides, and aims to add BlackHat USA and SecTor to the list in the near future.

Twitter: @_delta_zero

Philip Tully is a Senior Data Scientist at ZeroFOX, a social media security company based in Baltimore. He employs natural language processing and computer vision techniques in order to develop predictive models for combating threats emanating from social media. His pivot into the realm of infosec is recent, but his experience in machine learning and artificial neural networks is not. Rather than learning patterns within text and image data, his previous work focused on learning patterns of spikes in large-scale recurrently connected neural circuit models. He is an all-but-defended computer science PhD student, in the final stages of completing a joint degree at the Royal Institute of Technology (KTH) and the University of Edinburgh.

Twitter: @phtully

Back to top

Stumping the Mobile Chipset

Adam Donenfeld Senior Security Researcher, Check Point

Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape. However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80% of the chipsets in the Android ecosystem, has almost as much effect on Android’s security as Google. With this in mind, we decided to examine Qualcomm’s code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in several different subsystems that Qualcomm introduces into all of its Android devices. In this presentation we will review not only the privilege escalation vulnerabilities we found, but also demonstrate and present a detailed exploitation, overcoming all the existing mitigations in Android’s Linux kernel to run kernel code, elevating privileges and thus gaining root privileges and completely bypassing SELinux.

Adam Donenfeld is a lead mobile security researcher at Check Point with vast experience in the mobile research field. From a young age he has been hacking and reverse engineering for fun and profit. Prior to Check Point Adam served in an Israeli elite intelligence unit, as a security researcher. In his free time, Adam studies German.

Back to top

Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game

Joshua Drake VP of Platform Research and Exploitation, Zimperium
Steve Christey Coley Principal INFOSEC Engineer, MITRE

If you’re interested in vulnerability research for fun or profit, or if you’re a beginner and you’re not sure how to progress, it can be difficult to sift through the firehose of technical information that’s out there. Plus there are all sorts of non-technical things that established researchers seem to just know. There are many different things to learn, but nobody really talks about the different paths you can take on your journey. We will provide an overview of key concepts in vulnerability research, then cover where you can go to learn more - and what to look for. We’ll suggest ways for you to choose what you analyze and provide tools and techniques you might want to use. We’ll discuss different disclosure models (only briefly, we promise!), talk about the different kinds of responses to expect from vendors, and give some advice on how to write useful advisories and how to go about publishing them. Then, we’ll finish up by covering some of the ‘mindset’ of vulnerability research, including skills and personality traits that contribute to success, the different stages of growth that many researchers follow, and the different feelings (yes, FEELINGS) that researchers can face along the way. Our end goal is to help you improve your chances of career success, so you can get a sense of where you are, where you want to go, and what you might want to do to get there. We will not dig too deeply into technical details, and we’d go so far as to say that some kinds of vulnerability research do not require deep knowledge anyway. Vulnerability research isn’t for everyone, but after this talk, maybe you’ll have a better sense of whether it’s right for you, and what to expect going forward.

Joshua J. Drake is the VP of Platform Research and Exploitation at Zimperium Enterprise Mobile Security and lead author of the Android Hacker's Handbook. Joshua focuses on original research such as reverse engineering and the analysis, discovery, and exploitation of security vulnerabilities. He has over 10 years of experience researching and exploiting a wide range of application and operating system software with a focus on Android since early 2012. In prior roles, he served at Accuvant Labs, Rapid7's Metasploit, and VeriSign's iDefense Labs. Joshua previously spoke at Black Hat, DEF CON, RSA, CanSecWest, REcon, Ruxcon/Breakpoint, Toorcon, and DerbyCon. Other notable accomplishments include: helping spur mobile ecosystem change in 2015, exploiting Oracle's JVM at Pwn2Own 2013, exploiting the Android browser via NFC with Georg Wicherski at Black Hat USA 2012, and winning DEF CON 18 CTF with ACME Pharm in 2010.

Twitter: @jduck

Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting FDA CDRH on medical device cyber security. Steve was co-creator and Editor of the CVE list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for CWE, the Common Weakness Scoring System (CWSS), and the CWE/SANS Top 25 Software Most Dangerous Software Errors. He was a co-author of the influential ‘Responsible Vulnerability Disclosure Process’ IETF draft with Chris Wysopal in 2002. He was an active contributor to other community-oriented efforts such as CVSS, CVRF, and NIST's Static Analysis Tool Exposition (SATE). His interests include adapting traditional IT security methodologies to new areas, software assurance, improving vulnerability information exchange, and making the cybersecurity profession more inclusive for anybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.

Twitter: @sushidude

Back to top

Sk3wlDbg: Emulating All (well many) of the Things with Ida

Chris Eagle sk3wl 0f fucking r00t

It is not uncommon that a software reverse engineer finds themselves desiring to execute a bit of code they are studying in order to better understand that code, or alternatively to have that code perform some bit of useful work related to the reverse engineering task at hand. This generally requires access to an execution environment capable of supporting the machine code being studied, both at an architectural level (CPU type) and a packaging level (file container type). Unfortunately, this is not always a simple matter. The majority of analysts do not have a full complement of hosts available to support a wide variety of architectures, and virtualization opportunities for non-Intel platforms are limited. In this talk we will discuss a lightweight emulator framework for the IDA Pro disassembler that is based on the Unicorn emulation engine. The goal of the project is to provide an embedded multi-architectural emulation capability to complement IDA Pro's multi-architectural disassembly capability, to enhance the versatility of one of the most common reverse engineering tools in use today.

Chris Eagle is a registered hex offender. He has been taking software apart since he first learned to put it together over 35 years ago. His research interests include computer network operations, malware analysis and reverse/anti-reverse engineering techniques. He is the author of The IDA Pro Book and has published a number of well-known IDA plug-ins. He is also a co-author of Gray Hat Hacking. He has spoken at numerous conferences including Black Hat, DEF CON, Shmoocon, and ToorCon. Chris also organized and led the Sk3wl of r00t to two DEF CON Capture the Flag championships and produced that competition for four years as part of the DDTEK organization.

Twitter: @sk3wl

Back to top

Eavesdropping on the Machines

Tim ‘t0rch’ Estell Solution Architect, BAE Systems
Katea Murray Cyber Researcher, Leidos

After the Rise of the Machines they'll need to communicate. And we'll need to listen in. The problem is that proprietary protocols are hard to break. If Wireshark barfs then we're done. Or can we listen in, break their Robot Overlord messages and spill it all to the meat-space rebels? Attend this talk to learn techniques for taking network data, identifying unknown protocols, and breaking them down to something you can exploit. Rebels unite!

Tim Estell, a hacker since learning how to mod a TRS-80 game in the ’80s. Since then he’s reversed protocols, leveraged hardware, and managed teams for many concepts of operation. He remains convinced machines will never exceed meat space innovation and so welcomes our new Robot Overlords, if only because their cause is lost. Rebels unite!

Katea Murray, a programmer who turned to hacking in the early ’00s, she’s reversed and co-opted many tools and toys consumers touch, from old-school boat anchors to the latest mobile devices. Along the way she’s pulled recruits to the rebel cause through internships, outreach, and high energy. When she’s not watching sports she’s hacking as a sport. Game on!

Back to top

I Fight For The Users, Episode I - Attacks Against Top Consumer Products

Zack Fasel Managing Partner, Urbane
Erin Jacobs Managing Partner, Urbane

This is not just another "I found a problem in a single IOT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.

Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused vendor-neutral information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services.

Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at

Leading the charge of Urbane’s Compliance and Enterprise Risk Management divisions, Erin brings her years of executive level experience coupled with deep and diverse technical knowledge to help organizations accurately prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OSX reversing, diversity in tech, and IOT. More information on Erin can be found by following @SecBarbie on twitter.

Twitter: @UrbaneSec @zfasel @SecBarbie

Back to top

101 Ways to Brick your Hardware

Joe FitzPatrick
Joe Grand (Kingpin) Grand Idea Studio

Spend some time hacking hardware and you'll eventually render a piece of equipment unusable either by accident or intentionally. Between us, we've got decades of bricking experience that we'd like to share. We'll document the most common ways of temporarily or permanently damaging your hardware and ways to recover, if possible. We'll also talk about tips on how to avoid bricking your projects in the first place. If you're getting into hardware hacking and worried about messing something up, our stories will hopefully prevent you from experiencing the same horrors we did. If you're worried about an uprising of intelligent machines, the techniques discussed will help you disable their functionality and keep them down.

Joe FitzPatrick is an Instructor and Researcher at Joe has spent over a decade working on low-level silicon debug, security validation, hardware penetration testing, and hardware security training. In between training and bricking hardware, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects.

Twitter: @securelyfitz

Joe Grand also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio.

Twitter: @joegrand

Back to top

Breaking the Internet of Vibrating Things : What We Learned Reverse Engineering Bluetooth- and Internet-Enabled Adult Toys

follower Hacker
goldfisk Hacker

The Internet of Things is filled with vulnerabilities, would you expect the Internet of Vibrating Things to be any different? As teledildonics come into the mainstream, human sexual pleasure has become connected with the concerns of privacy and security already familiar to those who previously only wanted to turn on their lights, rather than their lover. Do you care if someone else knows if you or your lover is wearing a remote control vibrator? Do you care if the manufacturer is tracking your activity, sexual health and to whom you give control? How do you really know who is making you squirm with pleasure? And what happens when your government decides your sex toy is an aid to political dissidents? Because there’s nothing more sexy than reverse engineering we looked into one product (the We-Vibe 4 Plus from the innocuously named "Standard Innovation Corporation") to get answers for you.

Attend our talk to learn the unexpected political and legal implications of internet connected sex toys and, perhaps more importantly, how you can explore and gain more control over the intimate devices in your life. Learn the reverse engineering approach we took--suitable for both first timers and the more experienced--to analyze a product that integrates a Bluetooth LE/Smart wireless hardware device, mobile app and server-side functionality. More parts means more attack surfaces! Alongside the talk, we are releasing the "Weevil" suite of tools to enable you to simulate and control We-Vibe compatible vibrators. We invite you to bring your knowledge of mobile app exploits, wireless communication hijacking (you already hacked your electronic skateboard last year, right?) and back-end server vulnerabilities to the party. It’s time for you to get to play with your toys more privately and creatively than before.

Please note: This talk contains content related to human sexuality but does not contain sexually explicit material. The presenters endorse the DEF CON Code of Conduct and human decency in relation to matters of consent--attendees are welcome in the audience if they do the same. Keep the good vibes. :)

follower talks with computers and humans. Six years after first speaking at DEF CON about vulnerabilities in the Internet of Things, the fad hasn’t blown over so he is back doing it again. An interest in code and hardware has led to Arduino networking and USB projects and teaching others how to get started with Arduino. Tim O'Reilly once called follower a ‘troublemaker’ for his Google Maps reverse engineering.

Twitter: @rancidbacon

goldfisk spins fire by night and catches up with computer science lectures, also by night. And wishes headphone cables would stop getting caught on stuff. An interest in reverse engineering can be blamed on a childhood playing with electronics and re-implementing browser games in Scratch.

Twitter: @g0ldfisk

Back to top

Direct Memory Attack the Kernel

Ulf Frisk Penetration Tester

Inexpensive universal DMA attacking is the new reality of today! In this talk I will explore and demonstrate how it is possible to take total control of operating system kernels by DMA code injection. Once control of the kernel has been gained I will execute code and dump gigabytes of memory in seconds. Full disk encryption will be defeated, authentication will be bypassed and shells will be spawned. This will all be made possible using a $100 piece of hardware together with the easy to use modular PCILeech toolkit - which will be published as open source after this talk.
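The host-side mitigation that decides whether a $100 DMA device can read and write kernel memory is DMA remapping through an IOMMU (Intel VT-d, AMD-Vi). The block below is an added example, not part of the talk or the PCILeech toolkit, that checks a Linux host for it. The assumptions: a Linux kernel exposes one directory per group under /sys/kernel/iommu_groups when an IOMMU is active, and the boot command line in /proc/cmdline carries the intel_iommu / amd_iommu / iommu=pt options; the paths are parameters so the check can be run against a constructed directory, and the status strings are invented for this example.

```python
"""Added example (not from the talk or PCILeech): is DMA remapping active
on this Linux host? Paths are parameters so the logic can be exercised
against a constructed directory; the status names are this example's own."""
import os
import re

IOMMU_GROUPS = "/sys/kernel/iommu_groups"   # assumed sysfs location on Linux
KERNEL_CMDLINE = "/proc/cmdline"

def iommu_groups(groups_dir: str = IOMMU_GROUPS) -> int:
    """Number of IOMMU groups the kernel exposes; 0 when remapping is not active."""
    try:
        return sum(1 for e in os.listdir(groups_dir) if e.isdigit())
    except OSError:
        return 0

def iommu_requested(cmdline: str) -> bool:
    """Whether the boot command line explicitly asks for the IOMMU. Absence is
    not proof it is off (some kernels enable it by default), hence the groups check."""
    return re.search(r"\b(intel_iommu|amd_iommu)=on\b", cmdline) is not None

def iommu_passthrough(cmdline: str) -> bool:
    """iommu=pt gives host-owned devices an identity mapping: groups exist,
    but a malicious device still sees physical memory 1:1."""
    return re.search(r"\biommu=pt\b", cmdline) is not None

def dma_protection_status(groups_dir: str = IOMMU_GROUPS, cmdline: str = "") -> str:
    """One of: iommu-active, iommu-active-passthrough,
    iommu-requested-but-no-groups, no-iommu."""
    if iommu_groups(groups_dir) > 0:
        return "iommu-active-passthrough" if iommu_passthrough(cmdline) else "iommu-active"
    if iommu_requested(cmdline):
        return "iommu-requested-but-no-groups"   # e.g. disabled in firmware
    return "no-iommu"

if __name__ == "__main__":
    try:
        with open(KERNEL_CMDLINE) as f:
            cmd = f.read()
    except OSError:
        cmd = ""
    status = dma_protection_status(IOMMU_GROUPS, cmd)
    print(f"IOMMU groups: {iommu_groups()}  status: {status}")
    if status != "iommu-active":
        print("A PCIe/Thunderbolt/ExpressCard device can DMA into kernel memory unchecked.")
```

"iommu-active" is necessary, not sufficient: the IOMMU only protects memory once the kernel has programmed it, so the window between power-on and that point (and any firmware or boot loader that leaves DMA open) is not covered, and a device that is legitimately assigned to a VM or given an identity map is exactly as capable as the attack hardware described in the talk. Windows and macOS have their own equivalents (Kernel DMA Protection, VT-d enforcement), which this Linux check does not inspect.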

Ulf Frisk is a penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security solutions, penetration testing and IT security audits during daytime and low-level coding during nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer.

Twitter: @UlfFrisk
Back to top

Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities

Brian Gorenc Senior Manager, Trend Micro Zero Day Initiative
Fritz Sands Security Researcher, Trend Micro Zero Day Initiative

Over the last year, synchronized and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware, like BlackEnergy, is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation. This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details out the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors along with a comparison of the SCADA industry to the rest of the software industry. Finally, using the data presented, additional guidance will be provided to SCADA researchers along with a prediction on what we expect next in attacks that leverage SCADA HMI vulnerabilities.

Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.

Twitter: @thezdi, @maliciousinput

Fritz Sands is a security researcher with Trend Micro's Zero Day Initiative. In this role, he analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. Fritz also focuses on writing tools to perform static and dynamic analysis for discovering vulnerabilities. Prior to joining the ZDI in 2014, Sands was in Microsoft's Trustworthy Computing and Secure Windows Initiative operations where he audited Windows code and developed dynamic analysis tools, and before that he was a system developer for multiple iterations of Microsoft Windows.

Twitter: @FritzSands

Back to top

BSODomizer HD: A Mischievous FPGA and HDMI Platform for the (M)asses

Joe Grand (Kingpin) Grand Idea Studio
Zoz Hacker

At DEF CON 16 in 2008, we released the original BSODomizer, an open source VGA pranking tool and introductory hacking platform for the multicore Propeller microcontroller. Hours of productivity were replaced with rage and frustration as unwitting computer users were confronted with fake Blue Screens of Death and revolting ASCII art. But, the world has changed. The machines have risen in capability. HDMI is the graphical transmission protocol of choice and hacking with microcontrollers is standard issue. The as-seen-on-HDTV duo of Joe Grand and Zoz return with the next generation of mischievous hardware, a device that supplants or captures any inline HDMI signal in a discreet, pentest-worthy package. BSODomizer HD is an FPGA-based system that not only improves on the graphics interception and triggering features of its predecessor, but can now capture screenshots of a target system and also provides a fully open design that you can use for your own experiments into the mystical world of massive, customizable arrays of digital logic. We'll guide you through the process of going from lamer zero to hacker hero with FPGAs, while savagely fucking with a few unfortunate friends along the way!

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio.

Twitter: @joegrand

Zoz is a robotics engineer, prankster, and renaissance hacker. Other than BSODs, things he enjoys faking include meteorite impacts, crop circles, and alien crash landings.

Back to top

Slouching Towards Utopia: The State of the Internet Dream

Jennifer S. Granick Director of Civil Liberties, Stanford Center for Internet and Society

Is the Internet going to live up to its promise as the greatest force for individual freedom that the world has ever known? Or is the hope for a global community of creative intellectual interaction lost…for now?

In last year’s Black Hat keynote—entitled "Lifecycle of a Revolution"—noted privacy and civil liberties advocate Jennifer Granick told the story of the Internet utopians, people who believed that Internet technology could greatly enhance creative and intellectual freedom. Granick argued that this Dream of Internet Freedom was dying, choked off by market and government forces of centralization, regulation, and globalization. The speech was extremely popular. Almost 8000 people watched it at Black Hat. It was retweeted, watched and read by tens of thousands of people. Boing Boing called it "the speech that won Black Hat (and DEF CON)."

This year, Granick revisits the state of the Internet Dream. This year’s crypto war developments in the U.S. and U.K. show governments’ efforts to control the design of technologies to ensure surveillance. The developments also show that governments see app stores as a choke point for regulation and control, something that couldn’t easily happen with general purpose computers and laptops but which could be quite effective in a world where most people access the network with mobile devices.

Also in the past year, the European Court of Justice embraced blocking orders and ISP liability in the name of stopping copyright infringement, privacy violations, and unflattering comments from ever being published online. The effect of these developments is to force Internet companies to be global censors on the side of online civility against the free flow of information and opinion. If we want to realize some of the promise of the Internet utopian vision, we are going to have to make some hard political choices and redesign communications technology accordingly. The future could look a lot like TV, or we could work to ensure our technology enshrines individual liberties. This talk will help attendees join that effort.

In 1995, Jennifer Granick attended her first DEF CON at the Tropicana Hotel. Since then, she has defended hackers and coders in computer crime, copyright, DMCA and other cases. Jennifer left her criminal law practice in 2001 to help start the Stanford Center for Internet and Society (CIS). From 2001 to 2007, Jennifer was Executive Director of CIS and taught Cyberlaw, Computer Crime Law, Internet intermediary liability, and Internet law and policy. From 2008 to 2010, Jennifer worked with the boutique firm of Zwillgen PLLC and as Civil Liberties Director at the Electronic Frontier Foundation. Today, Jennifer has returned to CIS as Director of Civil Liberties. She teaches, practices, speaks, and writes about computer crime and security, electronic surveillance, technology, privacy, and civil liberties. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of Florida.

Twitter: @granick
Center for Internet and Society
Just Security

Back to top

Escaping The Sandbox By Not Breaking It

Marco Grassi KEENLAB of Tencent
Qidan He KEENLAB of Tencent

The main topic of this technical talk will be "sandboxes" and how to escape them. One of the main components of modern operating system security is the sandbox implementation. Android, for example, in recent versions added SELinux to its existing sandbox mechanism, to add an additional layer of security. OS X also recently added System Integrity Protection as a ‘system level’ sandbox, in addition to the regular sandbox which is ‘per-process’.

All modern OSes focus on defense in depth, so both attackers and defenders must understand these mechanisms, whether to bypass them or to make them more secure. We will focus on Android and iOS/OSX to show the audience the sandbox implementations in these operating systems and the attack surface reachable from within interesting sandboxes, such as the browser or application sandboxes.

Then we will discuss how to attack them and escape from our restricted context to further compromise the system, showcasing vulnerabilities. We think that comparing Android with iOS/OSX is very interesting, since their implementations differ but the goal for attackers and defenders is the same, so knowledge of different sandboxes is very insightful for highlighting the limitations of a particular implementation. Some years ago sandboxes were related mainly to our desktops, mobile phones or tablets. But looking at the technology trend now, with automotive and IoT, we can see that sandboxes will be crucial in all those technologies, since they will run on mainstream operating systems as they become more popular.

Marco Grassi is currently a Senior Security Researcher of the KEEN Lab of Tencent (previously known as KEEN Team). He was one of the main contributors at Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of ‘Master Of Pwn’ at Pwn2Own 2016. Formerly he was a member of the NowSecure R&D Team, where he researched solutions for mobile security products and performed reverse engineering, pentesting and vulnerability research in mobile OS applications and devices. When he’s not poking around mobile devices, he enjoys developing embedded and electronic systems. He has spoken at several international security conferences such as ZeroNights, Black Hat, Codegate, HITB and CanSecWest.

Twitter: @marcograss

Qidan He (a.k.a. Edward Flanker) is a security researcher focusing on mobile security at KeenLab of Tencent (formerly known as Keen Team). His major experience includes Android/iOS/OSX security and program analysis. He has reported several vulnerabilities in Android system core components, which were confirmed and credited in multiple advisories. He has also found multiple vulnerabilities in the OSX kernel, which are awaiting patch and credit. He is the winner of the Pwn2Own 2016 OSX category and a member of the Master of Pwn champion team. He has spoken at conferences like Black Hat, CanSecWest, HITCON and QCON.

Twitter: @flanker_hqd

Back to top

Feds and 0Days: From Before Heartbleed to After FBI-Apple

Jay Healey Senior Research Scholar, Columbia University

Does the FBI have to tell Apple of the vuln it used to break their iPhone? How many 0days every year go into the NSA arsenal -- dozens, hundreds or thousands? Are there any grown-ups in Washington DC watching over FBI or NSA as they decide what vulns to disclose to vendors and which to keep to themselves? These are all key questions which have dominated so much of 2016, yet there's been relatively little reliable information for us to go on, to learn what the Feds are up to and whether it passes any definition of reasonableness.

Based on open-source research and interviews with many of the principal participants, this talk starts with the pre-history, beginning in the 1990s, before examining the current process and players (as it turns out, NSA prefers to discover their own vulns, CIA prefers to buy). The current process is run from the White House with "a bias to disclose", driven by a decision by the President in the wake of the Snowden revelations. The entire process was made public when NSA was forced to deny media reports that it had prior knowledge of Heartbleed.

Jason Healey is a Senior Research Scholar at Columbia University's School for International and Public Affairs. During his time in the White House, he coordinated efforts to secure the Internet and US critical infrastructure. He started his career as a US Air Force intelligence officer, where he helped create the first joint cyber command in 1998. He is also a Senior Fellow at the Atlantic Council.

Twitter: @Jason_Healey

Back to top

Hacking Next-Gen ATM's From Capture to Cashout

Weston Hecker Senior Security Engineer & Pentester, Rapid7

EMV (Chip & PIN) card ATMs are taking over the industry; with the deadlines passed and approaching, the industry is rushing ATMs to market. Are they more secure and hack-proof? Over the past year I have worked at understanding and breaking the new methods that ATM manufacturers have implemented on production ‘Next Generation’ secure ATM systems. This includes bypassing anti-skimming/anti-shimming methods introduced to the latest generation of ATMs, along with an NFC long-range attack that allows real-time card communication from over 400 miles away. This talk will demonstrate how, with a $2000 investment, criminals can do unattended ‘cash outs’, touching also on failures of the past with EMV implementations and how credit card data of the future will most likely be sold, given that the new EMV data has such a short life span.

With a rise-of-the-machines theme, the demonstration of ‘La-Cara’, an automated cash-out machine that works on current EMV and NFC ATMs: it is an entire fascia placed on the machine to hide the automated PIN keyboard and flashable EMV card system that is silently withdrawing money from harvested card data. This demonstration of the system can cash out around $20,000-$50,000 in 15 minutes.

11 years of pen-testing and 12 years of security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto, HOPE 11, BSides Boston and over 50 other speaking engagements, from regional telecom events to universities, on security subject matter. He works with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. He attended school in Minneapolis, Minnesota, studying computer science and geophysics. He has found several vulnerabilities in very popular software and firmware, including products from Microsoft, Qualcomm, Samsung, HTC and Verizon.

Back to top

Hacking Hotel Keys and Point of Sale Systems: Attacking Systems Using Magnetic Secure Transmission

Weston Hecker Senior Security Engineer & Pentester, Rapid7

Take a look at weaknesses in point-of-sale systems and in the foundation of hotel key data and the property management systems that manage the keys. Using a modified MST injection method, Weston will demonstrate several attacks on POS systems and hotel keys, including brute-forcing other guests’ keys using your own card’s information as a starting point, and methods of injecting keystrokes into POS systems just as if you had a keyboard plugged into the system. This includes injecting keystrokes to open the cash drawer and abusing magstripe-based rewards programs that are used in a variety of environments, from retail down to rewards programs in slot machines.

11 years of pen-testing and 12 years of security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto, HOPE 11, BSides Boston and over 50 other speaking engagements, from regional telecom events to universities, on security subject matter. He works with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. He attended school in Minneapolis, Minnesota, studying computer science and geophysics. He has found several vulnerabilities in very popular software and firmware, including products from Microsoft, Qualcomm, Samsung, HTC and Verizon.

Back to top

Developing Managed Code Rootkits for the Java Runtime Environment

Benjamin Holland ISU Team, DARPA's Space/Time Analysis for Cybersecurity (STAC)

Managed Code Rootkits (MCRs) are terrifying post-exploitation attacks that open the doors for cementing and expanding a foothold in a target network. While the concept isn't new, practical tools for developing MCRs don't currently exist. Erez Metula released ReFrameworker in 2010 with the ability to inject attack modules into the C# runtime, paving the way for MCRs, but the tool requires the attacker to have knowledge of intermediate languages, does not support other runtimes, and is no longer maintained. Worse yet, the ‘write once, run anywhere’ motto of managed languages is violated when dealing with runtime libraries, forcing the attacker to write new exploits for each target platform.

This talk debuts a free and open source tool called JReFrameworker aimed at solving the aforementioned challenges of developing attack code for the Java runtime while lowering the bar so that anyone with rudimentary knowledge of Java can develop a managed code rootkit. With Java being StackOverflow's most popular server-side language of 2015, the Java runtime environment is a prime target for exploitation. JReFrameworker is an Eclipse plugin that allows an attacker to write simple Java source to develop, debug, and automatically modify the runtime. Best of all, working at the intended abstraction level of source code allows the attacker to ‘write once, exploit anywhere’. When the messy details of developing attack code are removed from the picture, the attacker can let his creativity flow to develop some truly evil attacks, which is just what this talk aims to explore.

Ben Holland is a PhD student at Iowa State University with experience working on two high profile DARPA projects. He has extensive experience writing program analyzers to detect novel and sophisticated malware in Android applications and served on the ISU team as a key analyst for DARPA's Automated Program Analysis for Cybersecurity (APAC) program. He's lectured on security topics for university courses in program analysis and operating system principles. Ben has given multiple talks at professional clubs as well as security and academic conferences. His past work experience has been in research at Iowa State University, mission assurance at MITRE, government systems at Rockwell Collins, and systems engineering at Wabtec Railway Electronics. Ben holds a M.S. degree in Computer Engineering and Information Assurance, a B.S. in Computer Engineering, and a B.S. in Computer Science. Currently he serves on the ISU team for DARPA's Space/Time Analysis for Cybersecurity (STAC) program.

Twitter: @daedared

Back to top

How to Do it Wrong: Smartphone Antivirus and Security Applications Under Fire

Stephan Huber Fraunhofer SIT
Siegfried Rasthofer Fraunhofer SIT & TU Darmstadt

Today’s evil often comes in the form of ransomware, keyloggers, or spyware, against which antivirus applications are usually an end user’s only means of protection. But current security apps not only scan for malware, they also aid end users by detecting malicious URLs, scams or phishing attacks.

Generally, security apps appear so self-evidently useful that institutions such as online-banking providers even require users to install anti-virus programs. In this talk, however, we show that the installation of security applications, at least in the context of smartphones, can sometimes open the phone to a number of attack vectors, making the system more instead of less vulnerable to attacks.

In recent research we conducted on Android security apps from renowned vendors such as Kaspersky, McAfee, Androhelm, Eset, Malwarebytes and Avira, studying the apps’ security features (antivirus and privacy protection, device protection, secure web browsing, etc.), it came as a shock to us that every inspected application contained critical vulnerabilities, and that in the end not a single one of the promoted security features proved to be sufficiently secure. In a simple case, we would have been able to harm the app vendor’s business model by upgrading a trial version into a premium one at no charge.

In other instances, attackers would be able to harm the end user by completely disabling the malware-scanning engine remotely. Or how about accessing confidential data by exploiting broken SSL communication, broken self-developed "advanced" crypto implementations or through SQL-injections?

Yes, we can. On top, we were able to bypass the secure browsing protection and abuse it for code execution. The most alarming findings, however, were security applications that we were able to actually turn into a remote access trojan (RAT) or into ransomware. In light of all those findings, one must seriously question whether the advice to install a security app onto one’s smartphone is a wise one. In this talk, we will not only explain our findings in detail but also propose possible security fixes.

Stephan Huber is a security researcher in the testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He has found various vulnerabilities in well-known Android applications and the AOSP. In his spare time he enjoys teaching students Android hacking.

Siegfried Rasthofer is a fourth year PhD student at the TU Darmstadt (Germany) and Fraunhofer SIT and his main research focus is on applied software security on Android applications. He developed different tools that combine static and dynamic code analysis for security purposes. He likes to break Android applications and found various AOSP exploits. Most of his research is published at top tier academic conferences and very recently he started publishing at industry conferences like BlackHat, VirusBulletin or AVAR.

Back to top

Anti-Forensics AF

int0x80 (of Dual Core), Hacker

This presentation is the screaming goat anti-forensics version of those ‘Stupid Pet Tricks’ segments on late night US talk shows. Nothing ground-breaking here, but we'll cover new (possibly) and trolly (definitely) techniques that forensic investigators haven't considered or encountered. Intended targets cover a variety of OS platforms.

int0x80 is the rapper in Dual Core. Drink all the booze, hack all the things!

Twitter: @dualcoremusic
DualCoreMusic on Facebook

Back to top

How to get good seats in the security theater? Hacking boarding passes for fun and profit.

Przemek Jaroszewski CERT Polska/NASK

While traveling through airports, we usually don't give a second thought to why our boarding passes are scanned at various places. After all, it's all for the sake of passengers' security. Or is it? The fact that boarding pass security is broken has been proven many times by researchers who easily crafted their own passes, effectively bypassing not just ‘passenger only’ screening, but also no-fly lists. Since then, not only have the security problems not been solved, but boarding passes have become almost entirely bar-coded. And they are increasingly often checked by machines rather than humans. Effectively, we're dealing with simple unencrypted strings of characters containing all the information needed to decide on our eligibility for fast lane access, duty-free shopping, and more...

With a set of easily available tools, boarding pass hacking is easier than ever, and the checks are mostly security theater. In my talk, I will discuss in depth how the boarding pass information is created, encoded and validated. I will demonstrate how easy it is to craft one's own boarding pass that works perfectly at most checkpoints (and explain why it doesn't work at other ones).

I will also discuss IATA recommendations, security measures implemented in boarding passes (such as digital signatures) and their (in)effectiveness, as well as responses I got from different institutions involved in handling boarding passes. There will be some fun, as well as some serious questions that I don't necessarily have good answers to.

Przemek Jaroszewski has been a member of CERT Polska (part of the Research and Academic Computer Network in Poland) since 2001, where his current position is head of incident response. He started his education as a programmer at Warsaw University of Technology, eventually earning a master's degree in Social Psychology from the University of Social Sciences and Humanities in Warsaw. A frequent flyer in both his professional and private life and a big aviation enthusiast, he uses every opportunity to learn about everything from the inner workings of airports, airlines and ATC to life-hacking of loyalty programs.
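Added here as a worked example, not part of the talk or the speaker's material: a parser and builder for the mandatory section of the IATA bar-coded boarding pass (BCBP) string, which is the text the 2D barcode carries. It shows the point above in code: the data is a fixed-width plain-text record, so a pass is assembled by concatenating padded fields, and the only integrity item the format defines is an optional security section that a checkpoint has to choose to verify. Field widths follow the public IATA Resolution 792 item list; the sample pass and its "signature" bytes are constructed for this example, and the year of travel is supplied by the caller because the mandatory section does not carry it.

```python
"""Parse and build the mandatory section of an IATA BCBP (Bar Coded Boarding
Pass) string, the text that the 2D barcode on a boarding pass encodes.
Field widths follow the published IATA Resolution 792 item list; the sample
pass below is constructed for this example and belongs to no real flight."""
from dataclasses import dataclass
from datetime import date, timedelta

# (item name, width) for the 60-character mandatory section of the first leg.
MANDATORY_ITEMS = [
    ("format_code", 1),      # 'M' for the current format
    ("legs", 1),             # number of flight legs encoded (1-4)
    ("passenger_name", 20),  # SURNAME/GIVENNAME, space padded
    ("eticket", 1),          # 'E' = electronic ticket
    ("pnr", 7),              # operating carrier record locator
    ("from_airport", 3),     # IATA airport codes
    ("to_airport", 3),
    ("carrier", 3),          # operating carrier designator
    ("flight", 5),           # flight number, optional alpha suffix
    ("julian_date", 3),      # day of year; the year is NOT encoded here
    ("compartment", 1),      # booking class letter
    ("seat", 4),
    ("sequence", 5),         # check-in sequence number
    ("status", 1),           # passenger status, e.g. '1' = checked in
    ("cond_size", 2),        # hex length of the conditional section that follows
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_ITEMS)  # 60


@dataclass
class BoardingPass:
    fields: dict        # mandatory items, stripped of padding
    conditional: str    # raw conditional / airline-use items
    security: str       # contents of the '^' security item, '' if absent


def parse_bcbp(code: str) -> BoardingPass:
    """Split a BCBP string into its items. Nothing here is decrypted or
    verified: the barcode is plain text."""
    if len(code) < MANDATORY_LEN or code[0] != "M":
        raise ValueError("not a BCBP mandatory section")
    fields, pos = {}, 0
    for name, width in MANDATORY_ITEMS:
        fields[name] = code[pos:pos + width].strip()
        pos += width
    cond_len = int(fields["cond_size"], 16)
    conditional = code[pos:pos + cond_len]
    pos += cond_len
    # Optional security item: '^', type (1 char), hex length (2 chars), data.
    security = ""
    if code[pos:pos + 1] == "^":
        sec_len = int(code[pos + 2:pos + 4], 16)
        security = code[pos + 4:pos + 4 + sec_len]
    return BoardingPass(fields, conditional, security)


def flight_date(julian_day: str, year: int) -> date:
    """The mandatory section only carries the day of year; the caller
    supplies the year (for instance the year the pass was scanned)."""
    return date(year, 1, 1) + timedelta(days=int(julian_day) - 1)


def build_bcbp(**items) -> str:
    """Assemble a mandatory section from item values. This is all that
    crafting a pass takes, since nothing in it is signed or encrypted."""
    items = {"format_code": "M", "legs": "1", "eticket": "E", "cond_size": "00", **items}
    out = []
    for name, width in MANDATORY_ITEMS:
        value = str(items[name])
        if len(value) > width:
            raise ValueError(f"{name} exceeds {width} characters")
        out.append(value.ljust(width))
    return "".join(out)


# Constructed sample: single leg WAW -> AMS, no conditional items.
SAMPLE_PASS = ("M1" + "DOE/JANE".ljust(20) + "E" + "XYZ789".ljust(7)
               + "WAW" + "AMS" + "LO".ljust(3) + "0123".ljust(5)
               + "215" + "Y" + "012C" + "0042".ljust(5) + "1" + "00")
# Same pass with a constructed, meaningless security item appended.
SIGNED_PASS = SAMPLE_PASS + "^1" + "0A" + "SIGNATURE1"

if __name__ == "__main__":
    bp = parse_bcbp(SAMPLE_PASS)
    print(bp.fields, flight_date(bp.fields["julian_date"], 2016))
    print("security item present:", bool(parse_bcbp(SIGNED_PASS).security))
    # A different passenger in seat 1A on the same flight: 60 characters of text.
    print(build_bcbp(passenger_name="SMITH/JOHN", pnr="ABC123", from_airport="WAW",
                     to_airport="AMS", carrier="LO", flight="0123", julian_date="215",
                     compartment="Y", seat="001A", sequence="0001", status="1"))
```

A checkpoint that scans the barcode and trusts the parsed fields is trusting whoever printed it; only the security item (a digital signature, when an issuer adds one and the scanner holds the key to verify it) ties the record to the airline, and the parser above merely reports whether such an item is present.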

Back to top

Backdooring the Frontdoor

Jmaxxz Hacker

As our homes become smarter and more connected we come up with new ways of reasoning about our privacy and security. Vendors promise security, but provide little technical information to back up their claims. Further complicating the matter, many of these devices are closed systems which can be difficult to assess. This talk will explore the validity of claims made by one smart lock manufacturer about the security of their product. The entire solution will be deconstructed and examined all the way from web services to the lock itself. By exploiting multiple vulnerabilities Jmaxxz will demonstrate not only how to backdoor a front door, but also how to utilize these same techniques to protect your privacy.

Jmaxxz works as a software engineer for a Fortune 100 company, and is a security researcher for pleasure. His FlashHacker program was featured in Lifehacker's most popular free downloads of 2010. More recently he has contributed to the node_pcap project which allows interfacing with libpcap from node. His other interests include lock picking and taking things apart.

Twitter: @jmaxxz

Back to top

Discovering and Triangulating Rogue Cell Towers

JusticeBeaver (Eric Escobar) Security Engineer, Barracuda Networks Inc

The use of IMSI-catchers (rogue cell towers) by hackers and governments around the world has been steadily increasing. Rogue cell towers, which can be as small as your home router, pose a large security risk to anyone with a phone. If in range, your phone will automatically connect to the rogue tower with no indication to you that anything has happened. At that point, your information passes through the rogue tower and can leak sensitive information about you and your device. Currently, there are no easy ways to protect your phone from connecting to a rogue tower (aside from some Android apps which are phone specific and require root access). In this talk I'll demonstrate how you can create a rogue cell tower detector using generic hardware available from Amazon. The detector can identify rogue towers and triangulate their location. The demonstration uses a software defined radio (SDR) to fingerprint each cell tower and determine the signal strength of each tower relative to the detector. With a handful of these detectors working together, you can identify when a rogue cell tower enters your airspace, as well as identify the signal strength relative to each detector. This makes it possible to triangulate the source of the new rogue cell tower.

JusticeBeaver (Eric Escobar) is a Security Engineer at Barracuda Networks. His interests are broad and generally include putting computers in places you wouldn't expect. From chicken coops to rockets and even bee hives. Before being called to the dark side, Eric procured a Bachelor's and Master's degree in Civil Engineering. He now enjoys all things wireless, from WiFi, to SDR, and Ham Radio. Last year his team placed 1st in DEF CON 23's Wireless CTF.
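Added here as a worked example, not the speaker's detector code: the two steps the abstract describes, flagging a cell that is not in a site's surveyed baseline and estimating where it is from the signal strength several detectors report. The baseline, the scan, the detector layout and the path-loss calibration constants (P0, n) are all constructed assumptions for this example; a real detector would fill the scan from the SDR's decode of each cell's broadcast channel and would calibrate the constants on site.

```python
"""Flag cells that are absent from a site's surveyed baseline and estimate
where a flagged transmitter is from the signal strength several detectors
report. Baseline, scan and detector positions below are constructed."""
import math

# Survey of cells normally visible at this site, keyed by the identity a
# detector reads from the broadcast channel: (MCC, MNC, LAC, Cell ID) -> ARFCN.
# Constructed values, not a real operator's network.
BASELINE = {
    ("310", "260", 4321, 10001): 512,
    ("310", "260", 4321, 10002): 514,
    ("310", "260", 4321, 10003): 516,
}


def fingerprint(cell: dict) -> tuple:
    return (cell["mcc"], cell["mnc"], cell["lac"], cell["cid"])


def find_anomalies(scan: list, baseline: dict = BASELINE) -> list:
    """Return (cell, reason) for every cell that is new or that reuses a
    known identity on a different channel, the two cheap tells of a tower
    that appeared after the survey."""
    anomalies = []
    for cell in scan:
        fp = fingerprint(cell)
        if fp not in baseline:
            anomalies.append((cell, "identity not in baseline"))
        elif baseline[fp] != cell["arfcn"]:
            anomalies.append((cell, "known identity on a different ARFCN"))
    return anomalies


# Log-distance path-loss model: rssi = P0 - 10*n*log10(d / d0).
# P0 and n are assumed calibration constants for the detector hardware.
P0_DBM, PATH_LOSS_N, D0_M = -40.0, 2.5, 1.0


def distance_to_rssi(d_m: float) -> float:
    return P0_DBM - 10 * PATH_LOSS_N * math.log10(d_m / D0_M)


def rssi_to_distance(rssi_dbm: float) -> float:
    return D0_M * 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_LOSS_N))


def trilaterate(observations: list, iterations: int = 1000, lr: float = 0.1) -> tuple:
    """observations: [(x_m, y_m, rssi_dbm)] from three or more detectors.
    Least-squares fit of the transmitter position by gradient descent on
    sum((|p - detector_i| - d_i)^2), starting from the detectors' centroid."""
    pts = [(x, y, rssi_to_distance(rssi)) for x, y, rssi in observations]
    px = sum(x for x, _, _ in pts) / len(pts)
    py = sum(y for _, y, _ in pts) / len(pts)
    for _ in range(iterations):
        gx = gy = 0.0
        for x, y, d in pts:
            dist = math.hypot(px - x, py - y) or 1e-9
            err = dist - d
            gx += err * (px - x) / dist
            gy += err * (py - y) / dist
        px -= lr * gx
        py -= lr * gy
    return px, py


# Constructed scan: the three surveyed cells plus one never seen before,
# advertising the same operator and LAC but a new Cell ID on an unused channel.
SCAN = [
    {"mcc": "310", "mnc": "260", "lac": 4321, "cid": 10001, "arfcn": 512, "rssi": -71.0},
    {"mcc": "310", "mnc": "260", "lac": 4321, "cid": 10002, "arfcn": 514, "rssi": -78.0},
    {"mcc": "310", "mnc": "260", "lac": 4321, "cid": 10003, "arfcn": 516, "rssi": -83.0},
    {"mcc": "310", "mnc": "260", "lac": 4321, "cid": 20001, "arfcn": 700, "rssi": -55.0},
]

# Four detectors on the corners of a 100 m square, each reporting the RSSI it
# measured for the suspicious cell. The values are generated from the model
# for a transmitter at (30, 40) so the fit can be checked.
DETECTORS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]
TRUE_POS = (30.0, 40.0)
OBSERVATIONS = [(x, y, distance_to_rssi(math.hypot(TRUE_POS[0] - x, TRUE_POS[1] - y)))
                for x, y in DETECTORS]

if __name__ == "__main__":
    for cell, reason in find_anomalies(SCAN):
        print(f"ALERT cid={cell['cid']} arfcn={cell['arfcn']} rssi={cell['rssi']} dBm: {reason}")
    ex, ey = trilaterate(OBSERVATIONS)
    print(f"estimated rogue position: ({ex:.1f} m, {ey:.1f} m)")
```

Two caveats a practitioner would add: an IMSI-catcher that clones a surveyed cell's identity and channel passes the identity check and is caught only by a change in signal strength or timing, which is why the abstract fingerprints towers rather than relying on the advertised IDs alone; and RSSI-to-distance is noisy in practice, so more than three detectors and a robust fit are what make the position estimate usable.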

Back to top

Blockfighting with a Hooker -- BlockFighter2!

K2 Director, IOACTIVE

What's your style of hooking? My hooking Style? It's like hooking without hookers.

The use cases for hooking code execution are abundant and this topic is very expansive. EhTracing (pronounced ‘ATracing’) is a technique that allows monitoring/altering of code execution at a high rate with several distinct advantages.

  • Full-context (registers, stack & system state) hooking can be logged without needing to know a function prototype, and changes to execution flow can be made as desired.
  • Traditional Detours-style hooking requires a length-disassembly engine and direct modification of the binary’s .text segment to insert the intended hook (no changes to the binary are needed with EhTrace).
  • Block/branch stepping enables a simplification of analysis code (it does not need to do full procedure/function graph recognition or traversal). This talk will focus on the use of VEH and the DR7 backdoor in x64 Windows.

In a nutshell, EhTrace enables very good performance, in-proc debugging and a dead simple ROP hook primitive. Some neat graphics and visualizations will be made; some of the early examples are up at

This novel implementation for hookers establishes a model for small purpose-built block-fighting primitives to be used in order to analyze & do battle, code vs. code.

As a special bonus "round 3 FIGHT!" we will see a hypervisor DoS that will cause a total lockup for most hypervisors (100%+ utilization per core). This goes to show that emulating or even adapting a hypervisor to a full CPU feature set is exceedingly hard, and it’s unlikely that a sandbox/hypervisor/emulator will be a comprehensive solution to evade detection from adversarial code for some time.

Let’s have some fun blockfighting with some loose boxed hookers!

K2 likes to poke around at security cyber stuff, writing tools and exploits to get an understanding of what’s easy, hard and fun/profit! He’s written and contributed to books and papers and spent time at security conferences over the years.

K2 currently works with IOActive and enjoys a diverse and challenging role analyzing some of the most complex software systems around.

Twitter: @IOACTIVE

Back to top

Cunning with CNG: Soliciting Secrets from Schannel

Jake Kambic Hacker

Secure Channel (Schannel) is Microsoft's standard SSL/TLS library underpinning services like RDP, Outlook, Internet Explorer, Windows Update, SQL Server, LDAPS, Skype and many third-party applications. Schannel has been the subject of scrutiny in the past several years from an external perspective due to reported vulnerabilities, including an RCE.

What about the internals? How does Schannel guard its secrets? This talk looks at how Schannel leverages Microsoft's CryptoAPI-NG (CNG) to cache the master keys, session keys, private and ephemeral keys, and session tickets used in TLS/SSL connections. It discusses the underlying data structures, and how to extract both the keys and other useful information that provides forensic context about a connection. This information is then leveraged to decrypt sessions that use ephemeral cipher suites, for which the server's private key alone is of no use for decryption. Information in the cache lives for at least 10 hours by default on modern configurations, storing up to 20,000 entries each for client and server. This makes it forensically relevant in cases where other evidence of the connection may have dissipated.

Jake Kambic is a DFIR researcher and network penetration tester.

Twitter: @TinRabbit
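Added here as a worked example, not the speaker's tooling: what a recovered master secret is good for. Given the 48-byte TLS 1.2 master secret plus the client and server randoms from the handshake, the RFC 5246 key-expansion PRF yields the connection's write keys and IVs, so a capture of an ECDHE session can be decrypted without the server's private key, which only ever signed the handshake. The code also emits the CLIENT_RANDOM key-log line that Wireshark's TLS dissector accepts. The master secret and randoms are constructed values, not anything read out of a Schannel cache, and the two cipher suites listed are there only to show the per-suite key sizes.

```python
"""Expand a recovered TLS 1.2 master secret into the connection's session
keys (RFC 5246 section 5 PRF with P_SHA256 and the "key expansion" label)
and emit the key-log line format that Wireshark's TLS dissector reads.
All secrets and randoms below are constructed, not values pulled from a
real Schannel cache."""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256(secret, seed): A(i) = HMAC(secret, A(i-1)), A(0) = seed;
    output HMAC(secret, A(i) + seed) concatenated until `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


# Per-suite sizes (MAC key, encryption key, IV) in bytes, from RFC 5246/5288.
# For AES-GCM the "IV" is the 4-byte implicit nonce part and there is no MAC key.
SUITE_SIZES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": (0, 16, 4),
    "TLS_RSA_WITH_AES_128_CBC_SHA": (20, 16, 16),
}


def derive_session_keys(master_secret: bytes, client_random: bytes,
                        server_random: bytes, suite: str) -> dict:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random).
    The random order is server-then-client here, the reverse of the master
    secret derivation. The block is split in RFC order: client MAC key,
    server MAC key, client key, server key, client IV, server IV."""
    mac_len, key_len, iv_len = SUITE_SIZES[suite]
    block = prf(master_secret, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_write_mac_key", "server_write_mac_key",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def keylog_line(client_random: bytes, master_secret: bytes) -> str:
    """One line of the SSLKEYLOGFILE format. Wireshark matches it to a
    capture by the client random in the ClientHello and derives the rest."""
    return f"CLIENT_RANDOM {client_random.hex()} {master_secret.hex()}"


# Constructed inputs standing in for values read out of the CNG cache.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0xC0 + i % 16 for i in range(32)])
SERVER_RANDOM = bytes([0x50 + i % 16 for i in range(32)])

if __name__ == "__main__":
    keys = derive_session_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                               "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
    for name, value in keys.items():
        print(f"{name:22s} {value.hex()}")
    print(keylog_line(CLIENT_RANDOM, MASTER_SECRET))
```

The forensic consequence is the one the abstract draws: a master secret pulled from the cache plus the randoms visible in a packet capture is sufficient, which is why the cache lifetime (hours, tens of thousands of entries) matters more than whether the server's long-term key was ever exposed.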

Back to top

Stargate: Pivoting Through VNC to Own Internal Networks

Yonathan Klijnsma Senior Threat Intelligence Analyst, Fox-IT
Dan Tentler (Viss) Founder, Phobos Group

VNC is a great tool to use if you need to get to a box you're not physically near. The trouble with VNC is that it was invented 15+ years ago and hasn't been improved upon in any significant way. Besides the internet of things being sprinkled with VNC endpoints, there are companies which use VNC to such a large degree they need a VNC proxy on their perimeter to get to all the internal VNC hosts - some of which are ICS/SCADA devices. Stargate is the result of discovering a vulnerability in these VNC proxies that allows you to proxy basically anything. This allows you to do anything from using them as anonymous proxies, conduct reflective scanning, pivoting into the internal network behind it, and more. In this presentation we will show you exactly what Stargate is, how we encountered it, the 'fun' things you can do with the Stargates all around the globe and we will release the Stargate tool which anyone can use to talk to/through these devices.

Yonathan Klijnsma is a senior threat intelligence analyst working for Fox-IT, a Dutch IT security company. Yonathan specializes in the analysis and tracking of attack campaigns, working out attacker profiles and investigating the techniques and tools used by attackers. His area of focus lies in espionage-related cases. Outside of work Yonathan likes taking things apart and figuring out how they work, be it physical devices or digital ones like malware or ransomware. Occasionally a write-up of one of these projects ends up on his personal blog.

Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. Previously a co-founder of Carbon Dynamics, and a security freelancer under the Aten Labs moniker, Dan has found himself in a wide array of different environments, ranging from blue team, to red team, to purple team, to ‘evil hacker for a camera crew’. When not obtaining shells or explaining how to avoid getting shelled, Dan enjoys FPV racing, homebrewing, and internet troublemaking.

Back to top

101 Sentient Storage - Do SSDs Have a Mind of Their Own?

Tom Kopchak Director of Technical Operations, Hurricane Labs

Solid state drives are fundamentally changing the landscape of the digital forensics industry, primarily due to the manner in which they respond to the deletion of files. Previous research has demonstrated that SSDs do not always behave in an equivalent manner to magnetic hard drives; however, the scope of these differences and the conditions that lead to this behavior are still not well understood. This basic, undeniable anomaly regarding file storage and recovery begs one simple, yet critical question: can the data being mined for evidence be trusted?

This talk presents research on the forensic implications of SSDs from one of the most comprehensive studies to date. The goal of this study was to demonstrate and quantify differences across a sample pool of drives in an array of tests conducted in a controlled environment. These tests explored the variations between drive firmware, controllers, interfaces, operating systems, and TRIM state.

Further observations revealed that some drives behaved nearly identically to the control drive, while for others the prospects of recovering deleted data were significantly reduced. This presentation will demonstrate these differences and provide a framework to allow forensics investigators to determine the likelihood of successful deleted file recovery from an evidence-bearing solid state drive.

Tom Kopchak is the Director of Technical Operations at Hurricane Labs, where he pretends to manage a team of network and system engineers, but is still an engineer and technology geek at heart. While new to the DEF CON stage, Tom’s speaking experience includes numerous talks on breaking full disk encryption (including BSides LV) and numerous other talks at other conferences around the country. He holds a Master’s degree in Computing Security from the Rochester Institute of Technology. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.

Twitter: @tomkopchak

Back to top

'Cyber' Who Done It?! Attribution Analysis Through Arrest History

Jake Kouns CISO, Risk Based Security

There have been over 20,000 data breaches disclosed exposing over 4.8 billion records, with over 4,000 breaches in 2015 alone. It is clear there is no slowdown at all and the state of security is embarrassing. The total cybercrime cost estimates have been astronomical and law enforcement has been struggling to track down even a fraction of the criminals, as usual.

Attribution in computer compromises continues to be a surprisingly complex task that ultimately isn’t definitive in most cases. Rather than focusing on learning from security issues and how companies can avoid these sorts of data breaches in the future, for most media outlets the main topic after a breach continues to be attribution. And if we are honest, the media have painted an "interesting" and varied picture of "hackers" over the years, many of which have caused collective groans or outright rage from the community.

The Arrest Tracker project was started in 2011 as a way to track arrests from all types of "cyber" (drink!) and hacking related incidents. This project aims to track computer intrusion incidents resulting in an arrest, detaining of a person or persons, seizure of goods, or other related activities that are directly linked to computer crimes.

The Arrest Tracker project currently has 936 arrests collected as of 4/23/2016. How does tracking this information help and what does the data tell us? A lot actually! Who is behind these data breaches and what are the demographics such as average age, gender, and nationality? Which day of the week are you most likely to be arrested? How many arrests lead to assisting authorities to arrest others? How many work by themselves versus part of a group? These observations, and a lot more, paint an interesting picture of the computer crime landscape.

Jake Kouns is the CISO for Risk Based Security, which provides vulnerability and data breach intelligence. He has presented at many well-known security conferences including DEF CON, Black Hat, DerbyCon, FIRST, CanSecWest, RSA, SOURCE, SyScan and many more. He is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). With all of that said, many people are shocked to find out that he has a CISO title, and many others can’t believe that he has been attending DEF CON since the good old days of Alexis Park!

Twitter: @jkouns
Risk Based Security

Back to top

Hacker Fundamentals and Cutting Through Abstraction


Continuing the series of hacker foundational skills,  YbfG jvyy nqqerff shaqnzragny fxvyyf gung rirel unpxre fubhyq xabj.  Whfg sbe sha jr jvyy nyfb tb sebz gur guerr onfvp ybtvp tngrf gb n shapgvbany cebprffbe juvyr enpvat n pybpx.  Qb lbh xabj ubj n cebprffbe ernyyl jbexf?  Jul qb lbh pner?  Pbzr svaq bhg.  Bu, naq pelcgb.

Ryan "1o57" Clarke self-identifies as a hacker. Formerly a member of the Advanced Programs Group (APG) at Intel, he continues to do 'security stuff' for other companies and groups. Professionally LosT's history includes working for various groups and companies, as well as for the University of Advancing Technology, where he set up the robotics and embedded systems degree program. He has consulted for the Department of Energy, Fortune 50 companies, and multiple domestic and international organizations. For DEFCON he has created the Hardware Hacking Village, the LosT@Defcon Mystery Challenge, and conference badges, cryptography, and puzzles. As DEFCON’s official cryptographer and puzzle master, his activities have included aspects of network intrusion and security, social engineering, RED and BLUE team testing, mathematics, linguistics, physical security, and various other security and hacker related skillsets. 1o57's academic background and interests include computational mathematics, linguistics, cryptography, electrical engineering, computer systems engineering and computer science-y stuff.

Back to top

Compelled Decryption - State of the Art in Doctrinal Perversions

Ladar Levison Founder, Lavabit, LLC.

Get mirandized for an encrypted world. This talk will cover the legal doctrines and statutes our government is perverting to compel individuals into decrypting their data, or conscript technology companies into subverting the security of their own products. We’ll survey the arguments being advanced by prosecutors, the resulting case law, and the ethical dilemmas facing technology companies. The session will cover the rights and civil liberties we’ve already lost, and review the current threats to our collective freedoms. We’ll cover what an individual needs to know if they want to avoid compelled decryption, and keep their data private. We’ll also discuss strategies that third parties (friends, F/OSS developers, and technology companies) can use to resist conscription and build trust through transparency. Because knowing your rights is only half the battle.

Ladar Levison serves as the founder, president, and chief executive of Lavabit, where he has worked the past 12 years. Founded in 2004 (and originally called Nerdshack), Lavabit was created because Mr. Levison believes that privacy is a fundamental, necessary right for a functioning, free and fair democratic society. Presently, Mr. Levison is focused on Lavabit's Dark Mail Initiative, which aims to make end-to-end email encryption automatic and ubiquitous, while continuing to vigorously advocate for the privacy and free speech rights of all. Mr. Levison's involvement in the internet can be traced to the early days of the world wide web, when he built his first website in the early nineties for the fledgling Mosaic web browser (from the National Center for Supercomputing Applications).

Prior, Mr. Levison operated a dialup bulletin board service, and worked as a computer technician assembling custom computer systems. With more than 10 years of experience as an independent consultant, Mr. Levison has brought to bear his skills as a project manager, business analyst, systems engineer, software developer, database administrator, systems administrator, and information security specialist.

Mr. Levison's career has involved working with several dozen multinational companies in the financial, consumer electronics, and retail sectors. The websites Mr. Levison built have drawn millions of visitors, and the software he's written has touched, albeit behind the scenes, the lives of millions more. Over the years, Mr. Levison has written and published numerous technical specifications and authored several editorial pieces. Mr. Levison frequently speaks at a variety of conferences, has appeared as an expert on numerous network television shows, and appeared in several documentaries, including the Oscar-winning film Citizenfour.

Mr. Levison has also been involved with several popular free open source software projects. Mr. Levison holds fifteen certifications, with the vast majority from Microsoft and International Business Machines. Mr. Levison received his Bachelor of Arts and Bachelor of Science degrees from Southern Methodist University, where he studied finance, English, political science and computer science. Additionally, Mr. Levison spent a year studying international relations at Georgetown University. A native of San Francisco, California, he currently resides in Dallas, Texas where he lives with his best friend, and principal cheerleader, Princess, the Italian Greyhound he rescued in 2010.

Twitter: @kingladar

Back to top

Let’s Get Physical: Network Attacks Against Physical Security Systems

Ricky 'HeadlessZeke' Lawshae Hacker

With the rise of the Internet of Things, the line between the physical and the digital is growing ever more hazy. Devices that once only existed in the tangible world are now accessible by anyone with a network connection. Even physical security systems, a significant part of any large organization’s overall security posture, are being given network interfaces to make management and access more convenient. But that convenience also significantly increases the risk of attack, and hacks that were once thought to only exist in movies, like opening a building’s doors from a laptop or modifying a camera feed live, are now possible and even easy to pull off. In this talk, we will discuss this new attack surface and demonstrate various ways an attacker can circumvent and compromise devices such as door controllers, security cameras, and motion sensors over the network, as well as ways to protect yourself from such attacks.

Ricky 'HeadlessZeke' Lawshae has spent the better part of the last decade voiding warranties and annoying vendors for both business and pleasure. He has spoken at several conferences including DEF CON, Ruxcon, Recon, and Insomnihack on a variety of topics involving network protocols and embedded devices. By day, he works as a mild-mannered security researcher for TippingPoint DVLabs. By night, he roams the streets in search of justice.

Twitter: @HeadlessZeke

Back to top

Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle

Jianhao Liu Director of ADLAB, Qihoo 360
Chen Yan PhD student, Zhejiang University
Wenyuan Xu Professor, Electrical Engineering, Zhejiang University

To improve road safety and driving experiences, autonomous vehicles have emerged recently; they can sense their surroundings and navigate without human input. Although promising and providing safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their ability to sense their surroundings to make driving decisions, which opens a new security risk. Thus, in this talk we examine the security of the sensors of autonomous vehicles and investigate the trustworthiness of the 'eyes' of the cars. In this talk, we investigate sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultrasonic sensors, and forward-looking cameras. In particular, we present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using off-the-shelf hardware, we are able to perform jamming and spoofing attacks, which caused the Tesla's blindness and malfunction, all of which could potentially lead to crashes and greatly impair the safety of self-driving cars. To alleviate the issues, at the end of the talk we propose software and hardware countermeasures that will improve sensor resilience against these attacks.

Jianhao Liu is the director of ADLAB at Qihoo 360. He specializes in the security of Internet of Things and Internet of Vehicles. He has reported a security vulnerability of Tesla Model S, led a security research on the remote control of a BYD car, and participated in the drafting of security standards among the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security service, security evaluation, and penetration test.

Chen Yan is a PhD student at Zhejiang University in the Ubiquitous System Security Laboratory. His research focuses on the security and privacy of wireless communication and embedded systems, including automobile, analog sensors, and IoT devices.

Wenyuan Xu is a professor in the College of Electrical Engineering at Zhejiang University and an associate professor in the Department of Computer Science and Engineering at the University of South Carolina. She received her Ph.D. degree in Electrical and Computer Engineering from Rutgers University in 2007. Her research interests include wireless security, network security, and IoT security. She is among the first to discover vulnerabilities of tire pressure monitoring systems in modern automobiles and automatic meter reading systems. Dr. Xu received the NSF CAREER Award in 2009. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security, and she is an associate editor of the EURASIP Journal on Information Security.

Back to top

Drones Hijacking - multi-dimensional attack vectors and countermeasures

Aaron Luo Security Expert, Trend Micro

Drone-related applications have sprung up in recent years, and drone security has also become a hot topic in the security industry. This talk will introduce some general security issues of drones, including vulnerabilities existing in the radio signals, WiFi, chipset, FPV system, GPS, app, and SDK. The most famous and popular drone product will be used to demonstrate the security vulnerabilities of each aspect, along with recommended hardening measures. The talk will also demo how to take control of the drone through the vulnerabilities.

The topic of hacking by faking GPS signals has been shared before at Black Hat and DEF CON; this talk will extend that topic to drone security. We will demo the real-time hijacking program that we created for various drones; this program can take full control of the drone's maneuvers by simple keyboard input. In addition, we will also introduce how to detect fake GPS signals.

An open source tool supporting u-blox GPS modules and SDR to detect fake GPS signals will be shared and published on GitHub.

Aaron Luo is a cyber threat expert in the Trend Micro Core Technology Group. Prior to joining Trend Micro, Aaron worked as a security consultant in the government cybercrime investigation department, focusing on malware analysis, network forensics and protocol analysis.

He started his security research in 2005 and is active in the information security communities in Taiwan. He was the founder of the PHATE hacker group and a core member of ZUSO Security. Now he is a member of the CHROOT/HITCON security research group and is interested in reverse engineering, developing security attack/defense tools (such as firewalls, HIPS systems, protocol analysis, RATs, shellcode, vulnerability scanners), network forensics, RF, IoT, and penetration testing.

Aaron has several research papers published at HITCON and SYSCAN360, such as "The Concept of Game Hacking & Bypassing Game Protection (Hackshield)" at HITCON (Hacks in Taiwan Conference) 2009 when he was just eighteen years old. To this day, he is still the youngest speaker ever at HITCON, and "Smashing iOS Apps For Fun And Profit" was also published at the 1st SYSCAN360 (2012).

Back to top

Platform agnostic kernel fuzzing

James Loureiro Researcher, MWR InfoSecurity
Georgi Geshev Security Researcher, MWR InfoSecurity

A number of toolsets have been around for a while which propose methods for identifying vulnerabilities in kernels, in particular POSIX kernels. However, none of these offers a method for generic fuzzing across both Windows and POSIX kernels, and they have not been updated for some time.

This presentation will outline the research which has been carried out in order to find exploitable bugs across both Windows and POSIX kernels, focusing on fuzzing system calls and library calls in the Windows environment. System calls will be briefly explained: how they work and how they can be fuzzed in order to find bugs. The presentation will then move on to explaining core libraries in the Windows environment and how to fuzz these effectively.

Other issues with creating a kernel fuzzing environment will be discussed, such as effective logging of calls in which the machine could BSOD or kernel panic, and how to correctly reproduce vulnerabilities that have been identified by the fuzzer. We will also cover efficient scaling of a kernel fuzzer so that a number of virtual machines are in operation that can generate a large number of crashes.

Finally, a brief summary of the vulnerabilities that have been identified will be provided.

James Loureiro is a researcher at MWR InfoSecurity. During this time he has conducted research into a number of technologies, particularly ICS. Further, James has conducted research into Adobe Reader and other widely deployed platforms, which has identified vulnerabilities. These can be found on the MWR Labs website - James has also presented previously at BSides London on this topic.

Georgi Geshev is a security researcher for MWR InfoSecurity in the UK. Born in the Eastern Bloc, a true wannabe Aussie now, he appreciates roo steaks and golden ales. His main areas of interest include bug hunting, reverse engineering and network protocols. It is a well known fact that Georgi only knows about MQ technology.

Twitter: @NerdKernel, @munmap, @mwrlabs

Back to top

Light-Weight Protocol! Serious Equipment! Critical Implications!

Lucas Lundgren Senior Security Consultant, FortConsult (Part of NCC Group)
Neal Hindocha Principal Consultant, FortConsult (Part of NCC Group)

The presentation will begin by discussing the protocol ( and results from a simple query on shodan, showing the number of servers directly available on the internet. We will then go through the protocol specifications which shows that security is more or less non-existent. We are able to directly connect to many of the servers which are open to the internet, and following protocol specifications, see what devices they are communicating with.

We will show how it's possible to extract data on all subscriptions available on the server using a Ruby script, which basically gives a detailed list of the devices. However, it is not only the list of devices we are getting. The data returned by our script also contains things like session tokens (for web pages), social security numbers, phone numbers, names and other sensitive data used for one purpose or another in the communication to and from the devices.

We will show how messages can be posted into the message queues and in turn received by the devices that subscribe to the various queues. This means that we are able to issue commands targeting the range of devices we have discovered that use this protocol. We have, however, also discovered that this is not limited to messages and commands: if supported by the device, we can actually issue firmware updates, simply by sending something similar to "FIRMWAREUPDATEHERE:".

A specific example of what we can see and do is a home automation system we discovered. We got a list of every sensor and its status. Furthermore, we got exact GPS coordinates from the mobile app used to control the home automation. So in this case, not only were we able to control the system, we even knew when the owner was away.

The talk will move on to show various implementations where web clients and SQL servers are hooked in. Much of the communication data is stored in various databases, and because we have access, we can use MQTT to attack the database and web servers.

Multiple tools have already been developed by us to support testing the protocol and fuzzing endpoints. We will show the tools used in various demos and release them at the end of the talk! These tools are currently scripts containing various protocol implementations that can be used to target servers and extract, or inject, data. We also have a small client that implements all interesting areas of the protocol, which we use for server-to-client testing.

We believe this talk is going to have a significant impact on MQTT and anyone who uses it. This is an old protocol from 1999. It's fast and reliable, but it's missing security.

We also believe this talk will trigger a discussion about light-weight IoT protocols and security, which is much needed at this point in time.

Lucas Lundgren has a vast experience in IT security, with the "bad luck" (or tendency) to annoy companies by reporting vulnerabilities in their products.

Lucas started breaking things at the age of twelve, and has reported numerous vulnerabilities in various products.

Having worked with penetration testing professionally for over 12 years, Lucas has held IT Security positions within companies such as Sony Ericsson and IOActive. He has also been part of Corelan Team before moving on to FortConsult (Part of NCC Group).

Lucas has been breaking everything from OS vendors and financials, and he has spent a considerable amount of time inside "impenetrable fortresses".

Lucas is primarily focusing on penetration testing as well as fuzzing and exploit development, no matter the platform or medium, and he also has a passion for IoT and Smart Technology.

Neal Hindocha has been working in the security industry since 1999. He began his work at Symantec, reverse engineering malware and writing signatures for Symantec's antivirus products. From there, he moved on to penetration testing, and has since been a consultant for Verizon Business and Trustwave, where he helped build the mobile testing services and focused on deliveries for advanced projects.

Currently, Neal is a Principal Consultant at FortConsult (part of NCC Group), focusing on new service areas such as cloud and IoT, whilst still reversing the odd malware and delivering pentests.

Back to top

Sticky Keys To The Kingdom: Pre-auth RCE Is More Common Than You Think

Dennis Maldonado (AKA Linuz) Security Consultant - LARES Consulting
Medic (Tim McGuffin) Security Consultant - LARES Consulting

With minimal to no effort, we can gain SYSTEM level access to hundreds, if not thousands, of machines on the internet [remotely]. No, this is not a new super 1337 exploit, and no, this is not even a new technique. No super fancy website with a poorly designed logo is necessary; there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.

Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, infrastructure assessments, red teaming, and security research. Dennis' focus is encompassing all forms of information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis is a returning speaker to DEF CON and has presented at numerous workshops and meet-ups in the Houston area. Dennis co-founded Houston Locksport in Houston, Texas, where he shares his love for lock-picking and physical security, as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area.

Twitter: @DennisMald

Tim was voted "most likely to be indicted" by his high school senior class, but has since gone on to gain the trust of large organizations and their executive management, which may or may not be a good thing. He holds a few industry certifications and is a member of a few security organizations, but considers his insomnia and attention deficit problems far more important to his career.

Twitter: @NotMedic

Back to top

Meet the Feds

Jonathan Mayer Chief Technologist, Enforcement Bureau, Federal Communications Commission
Lorrie Cranor Chief Technologist, Federal Trade Commission
Ed Felten Deputy United States Chief Technology Officer, White House Office of Science and Technology Policy

The federal government is increasingly addressing policy issues that intersect with technology, especially security and privacy. This session, featuring technology leaders from the Federal Communications Commission, the Federal Trade Commission, and the White House Office of Science and Technology Policy, explains how the government is responding. After an overview of recent policy initiatives and an explanation of opportunities for public service, this session will consist of an extended Q&A. It's your opportunity to meet the feds and ask them anything.

Lorrie Cranor is Chief Technologist of the Federal Trade Commission. She joins the FTC from Carnegie Mellon University, where she is a Professor of Computer Science and Engineering and Public Policy, and where she directs the CyLab Usable Privacy and Security Laboratory. Lorrie was previously a researcher at AT&T Labs Research and has also taught at the Stern School of Business at New York University. She has authored over 150 research papers on online privacy and usable security, and has played a central role in establishing the usable privacy and security research community, including her founding of the Symposium on Usable Privacy and Security. She is also a co-director of Carnegie Mellon’s Privacy Engineering masters’ program. Lorrie holds a doctorate in Engineering and Policy, masters’ degrees in Computer Science, and Technology and Human Affairs, and a bachelor’s degree in Engineering and Public Policy, from Washington University in St. Louis, Missouri.

Twitter: @TechFTC

Edward W. Felten serves as Deputy United States Chief Technology Officer, within the White House Office of Science and Technology Policy. Ed comes to the White House from Princeton University, where he is the Robert E. Kahn Professor of Computer Science and Public Affairs and the founding Director of the Center for Information Technology Policy. Before rejoining the Princeton faculty, Ed served as the first Chief Technologist at the U.S. Federal Trade Commission, and worked with the U.S. Department of Justice Antitrust Division. Ed has published more than 100 papers and two books on technology law and policy. Ed is a member of the National Academy of Engineering and the American Academy of Arts and Sciences, and is a Fellow of the Association for Computing Machinery. He earned his bachelor's degree in Physics with Honors from the California Institute of Technology and his master's and doctoral degrees in Computer Science and Engineering from the University of Washington.

Twitter: @EdFelten44

Jonathan Mayer is Chief Technologist for the Federal Communications Commission Enforcement Bureau. His responsibilities include cybersecurity, consumer privacy, and network neutrality matters. Jonathan is also a Cybersecurity Fellow at Stanford University, where he is completing a PhD in Computer Science. He previously graduated from Stanford Law School, where he served as a lecturer on technology security, privacy, and surveillance. He received his undergraduate degree from the Woodrow Wilson School of Public and International Affairs at Princeton University. Jonathan was named to the Forbes "30 Under 30" in 2014, for his contributions to technology security and privacy.

Back to top

Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools

Wesley McGrew Director of Cyber Operations, HORNE Cyber

Following previous presentations on the dangers penetration testers face in using current off-the-shelf tools and practices (Pwn the Pwn Plug and I Hunt Penetration Testers), this third presentation explores how widely available learning materials used to train penetration testers lead to inadequate protection of client data and penetration testing operations. With widely available books and other training resources targeting the smallest set of prerequisites, in order to attract the largest audience, many penetration testers adopt the techniques used in simplified examples to real world tests, where the network environment can be much more dangerous. Malicious threat actors are incentivized to attack and compromise penetration testers, and given current practices, can do so easily and with dramatic impact.

This presentation will include a live demonstration of techniques for hijacking a penetration tester's normal practices, as well as guidance for examining and securing your current testing procedures. Tools shown in this demonstration will be released along with the talk.

Wesley currently oversees and participates in penetration testing in his role of Director of Cyber Operations for HORNE Cyber Solutions. He has presented on topics of penetration testing, vulnerabilities, and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley graduated from Mississippi State University's Department of Computer Science and Engineering and previously worked at the Distributed Analytics and Security Institute. He holds a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems.


Back to top

Research on the Machines: Help the FTC Protect Privacy & Security

Terrell McSweeny Commissioner, Federal Trade Commission
Lorrie Cranor Chief Technologist, Federal Trade Commission

Machines are getting smarter – so consumer protection enforcers like the Federal Trade Commission need to get smarter too. The FTC is the lead federal agency for protecting the privacy rights and data security of American consumers. In the last year, it brought several enforcement actions against companies for violating consumer privacy and data security and launched new initiatives – PrivacyCon, Start with Security, and a new Office of Technology Research and Investigation – to improve its capabilities and responsiveness to new threats to consumer privacy and security. But the FTC needs your help. Today it is announcing a call for research on specific topics in order to broaden its capabilities to protect consumers. Come learn about the policy responses to the rise of the machines, the FTC's cases and research initiatives, and how you can help.

Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. This year marks her third time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design – but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.

Twitter: @TMcSweenyFTC

Lorrie Cranor joined the Federal Trade Commission as Chief Technologist in January 2016. She is on leave from Carnegie Mellon University where she is a Professor of Computer Science and of Engineering and Public Policy, Director of the CyLab Usable Privacy and Security Laboratory (CUPS), and Co-director of the MSIT-Privacy Engineering masters program. She also co-founded Wombat Security Technologies, an information security awareness training company. Cranor has authored over 150 research papers on online privacy and usable security, and has played a central role in establishing the usable privacy and security research community, including her founding of the Symposium on Usable Privacy and Security. She is a Fellow of the ACM and IEEE.

Twitter: @TechFTC

Back to top

Samsung Pay: Tokenized Numbers, Flaws and Issues

Salvador Mendoza Student & Researcher

Samsung announced many layers of security for its Pay app. Without storing or sharing any type of user's credit card information, Samsung Pay is trying to become one of the most secure approaches, offering functionality and simplicity for its customers.

This app is a complex mechanism which has some limitations regarding security. It uses randomly tokenized numbers and implements Magnetic Secure Transmission (MST) technology, which do not guarantee that every token generated with Samsung Pay will be applied to make a purchase with the same Samsung device. That means that an attacker could steal a token from a Samsung Pay device and use it without restrictions.

Inconvenient but practical is that Samsung's users can utilize the app in airplane mode. This makes it impossible for Samsung Pay to have full control over the pool of tokens. Even though the tokens have their own restrictions, the tokenization process gets weaker after the app generates the first token relating to a specific card.

How random is a Samsung Pay tokenized number? It is really necessary to understand how the tokens share similarities in the generation process, and how this affects the end users' security.

What are the odds to guess the next tokenized number knowing the previous one?

Salvador Mendoza is a college student & researcher.


Beyond the MCSE: Red Teaming Active Directory

Sean Metcalf Founder & Security Principal, Trimarc

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn't know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.

Let's go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.

Sean Metcalf is founder and principal security consultant at Trimarc (, an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog,

Twitter: @PyroTek3

Back to top

Use Their Machines Against Them: Loading Code with a Copier

Mike Principal Cyber Security Engineer, The MITRE Corporation

We've all worked on ‘closed systems’ with little to no direct Internet access. And we've all struggled with the limitations those systems put on us in the form of available tools or software we want to use. I didn't like struggling, so I came up with a method to load whatever I wanted on to a closed system without triggering any common security alerts. To do this I had to avoid accessing the Internet or using mag media. In the end all I needed was an office multi-function machine and Excel. It's all any insider needs.

For my presentation and demo, I'll show you how I delivered a select group of PowerSploit tools to a clean, isolated machine. Of course, Excel has been known as a vector for macro viruses for quite some time, and some of the techniques, such as hex-encoding binary data and re-encoding it on a target machine, are known binary insertion vectors, but I have not found any prior work on an insider using these techniques to deliver payloads to closed systems. You'll leave my presentation knowing why Excel, umm, excels as an insider attack tool, how to leverage Excel features to load and extract arbitrary binary data from a closed network, and what to do if this really frightens you.

Mike has over 20 years' experience in the military. He has been part of everything from systems acquisition, to tactical intelligence collection, to staff work, to leading a unit dedicated to data loss prevention. He recently retired from active military service and is now working as a systems security engineer. This is Mike's first security conference presentation and will also be the first public release of a tool he has written. Mike has previously published twice in 2600 magazine. Mike is super proud of his OSCP certification. He's also a CISSP.

Twitter: @miketofet

Back to top

MouseJack: Injecting Keystrokes into Wireless Mice

Marc Newlin Security Researcher, Bastille Networks

What if your wireless mouse was an effective attack vector? Research reveals this to be the case for mice from Logitech, Microsoft, Dell, Lenovo, Hewlett-Packard, Gigabyte, and Amazon. Dubbed 'MouseJack', this class of security vulnerabilities allows keystroke injection into non-Bluetooth wireless mice. Imagine you are catching up on some work at the airport, and you reach into your laptop bag to pull out your phone charger. As you glance back at your screen, you see the tail end of an ASCII art progress bar followed by your shell history getting cleared.

Before you realize what has happened, an attacker has already installed malware on your laptop. Or maybe they just exfiltrated a git repository and your SSH keys. In the time it took you to plug in your phone, you got MouseJacked. The attacker is camped out at the other end of the terminal, equipped with a commodity USB radio dongle and a directional patch antenna hidden in a backpack, and boards her plane as soon as the deed is done. The reality of MouseJack is that an attacker can inject keystrokes into your wireless mouse dongle from over 200 meters away, at a rate of up to 7500 keystrokes per minute (one every 8ms).

Most wireless keyboards encrypt the data going between the keyboard and computer in order to deter sniffing, but wireless mouse traffic is generally unencrypted. The result is that wireless mice and keyboards ship with USB dongles that can support both encrypted and unencrypted RF packets. A series of implementation flaws makes it possible for an attacker to inject keystrokes directly into a victim's USB dongle using easily accessible, cheap hardware, in most cases only requiring that the user has a wireless mouse. The majority of affected USB dongles are unpatchable, making it likely that vulnerable computers will be common in the wild for the foreseeable future.

This talk will explain the research process that led to the discovery of these vulnerabilities, covering specific tools and techniques. Results of the research will be detailed, including protocol behavior, packet formats, and technical specifics of each vulnerability. Additional vulnerabilities affecting 14 vendors are currently in disclosure, and will be revealed during this talk.

Marc is a security researcher and software engineer at Bastille Networks, where he focuses on RF/IoT threats present in enterprise environments. He has been hacking on software defined radios since 2013, when he competed as a finalist in the DARPA Spectrum Challenge. In 2011, he wrote software to reassemble shredded documents for the DARPA Shredder Challenge, finishing the competition in third place out of 9000 teams.

Twitter: @marcnewlin

Honey Onions: Exposing Snooping Tor HSDir Relays

Guevara Noubir Professor, College of Computer and Information Science, Northeastern University
Amirali Sanatinia PhD candidate, College of Computer and Information Science, Northeastern University

Tor is a widely used anonymity network that protects users' privacy and identity from corporations, agencies and governments. However, Tor remains a practical system with a variety of limitations, some of which were indeed exploited in the recent past. In particular, Tor's security relies on the fact that a substantial number of its nodes do not misbehave.

Previous work showed the existence of malicious participating Tor relays. For example, there are some Exit nodes that actively interfere with users' traffic and carry out man-in-the-middle attacks. In this work we expose another category of misbehaving Tor relays (HSDirs), that are integral to the functioning of the hidden services and the dark web. The HSDirs act as the DNS directory for the dark web. Because of their nature, detecting their malicious intent and behavior is much harder. We introduce the concept of honey onions (honions), a framework to detect misbehaving Tor relays with HSDir capability. By setting up and deploying a large scale honion over Tor for more than 72 days, we are able to obtain lower bounds on misbehavior among HSDirs.

We propose algorithms to both estimate the number of snooping HSDirs and identify them, using optimization and feasibility techniques. Our experimental results indicate that during the period of our work at least 110 such nodes were snooping information about hidden services they host. We reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback. Furthermore, we provide the geolocation map of the identified snooping Tor HSDirs.

Guevara Noubir holds a PhD in Computer Science from EPFL and is currently a Professor at Northeastern University. His research focuses on privacy and security. He is a recipient of the National Science Foundation CAREER Award (2005). He led the winning team of the 2013 DARPA Spectrum Cooperative Challenge. Dr. Noubir held visiting research positions at Eurecom, MIT, and UNL. He served as program co-chair of several conferences in his areas of expertise such as the ACM Conference on Security and Privacy in Wireless and Mobile Networks, and IEEE Conference on Communications and Network Security. He serves on the editorial board of the ACM Transactions on Information and System Security, and IEEE Transactions on Mobile Computing.

Amirali Sanatinia is a Computer Science PhD candidate at Northeastern advised by Professor Guevara Noubir, and holds a Bachelor's degree in CS from St Andrews University. His research focuses on cyber security and privacy, and was covered by venues such as MIT Technology Review and ACM Tech News. He is also the OWASP Boston NEU Student chapter founder and leader.

How to Design Distributed Systems Resilient Despite Malicious Participants

Radia Perlman EMC Fellow

Often distributed systems are considered robust if they keep working when one of the components halts. But a failure mode that is often neglected is when a component continues to operate, but incorrectly. This can happen due to malicious intentional compromise, or simple hardware faults, misconfiguration, or bugs. Unfortunately, there is no single add-on to designs that will fix this case. This talk presents three very different systems and how they each handle resilience despite malicious participants. The problems, and the solutions, are very different. The important message of this talk is that there is no one solution, and that this case must be considered in designs.

Radia Perlman is a Fellow at EMC. She has made many contributions to the fields of network routing and security protocols including robust and scalable network routing, spanning tree bridging, storage systems with assured delete, and distributed computation resilient to malicious participants. She wrote the textbook Interconnections, and co-wrote the textbook Network Security. She holds over 100 issued patents. She has received numerous awards including lifetime achievement awards from ACM's SIGCOMM and Usenix, election to the National Academy of Engineering, induction into the Internet Hall of Fame, and induction into the Inventors Hall of Fame. She has a PhD from MIT.

Game over, man! – Reversing Video Games to Create an Unbeatable AI Player

Dan ‘AltF4’ Petro Security Associate, Bishop Fox

"Super Smash Bros: Melee." - Furrowed brows, pain in your thumbs, trash talk your Mom would blush to hear. That sweet rush of power you once knew as you beat all the kids on your block will be but a distant memory as SmashBot challenges you to a duel for your pride — live on stage. SmashBot is the Artificial Intelligence I created that plays the cult classic video game Smash Bros optimally. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, remorse, or fear. This final boss won't stop until all your lives are gone.

What started as a fun coding project in response to a simple dare grew into an obsession that encompassed the wombo-combo of hacking disciplines including binary reverse engineering, AI research, and programming. When not used to create a killer doomsday machine, these same skills translate to hacking Internet of Things (IoT) devices, developing shellcode, and more. Forget about Internet-ending zero-day releases and new exploit kits. Come on down and get wrecked at a beloved old video game. Line up and take your turn trying to beat the AI yourself, live on the projectors for everyone to see. When you lose though, don't run home and go crying to yo Momma.

Dan Petro is a Security Associate at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application and network penetration testing. He has presented at numerous conferences, including Black Hat USA, DEF CON, HOPE, BSides, and ToorCon. He has also been a featured guest speaker at Arizona State University, South Mountain Community College, and the Dark Reading University series. Dan has been quoted in various industry and mainstream publications such as Business Insider, Wired, The Guardian, and Mashable among others. He is widely known for the tools he has created: the Chromecast-hacking device, the RickMote ContRoller, and Untwister, a tool used for breaking pseudorandom number generators. He also organizes Root the Box, a capture the flag security competition. Additionally, Dan often appears on local and national news to discuss topical security issues. Dan holds a Master’s Degree in Computer Science from Arizona State University and doesn’t regret it.

Ask the EFF

Kurt Opsahl Deputy Executive Director, General Counsel, EFF
Nate Cardozo Senior Staff Attorney, EFF
Andrew Crocker Staff attorney, EFF
Dr. Jeremy Gillula Staff Technologist, EFF
Eva Galperin Global Policy Analyst, EFF
Katitza Rodriguez International rights director, EFF

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arriba Soft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

ANDREW CROCKER is a staff attorney on the Electronic Frontier Foundation’s civil liberties team. He focuses on EFF’s national security and privacy docket, as well as the Coders' Rights Project. While in law school, Andrew worked at the Berkman Center for Internet and Society, the American Civil Liberties Union’s Speech, Privacy, and Technology Project, and the Center for Democracy and Technology. He received his undergraduate and law degrees from Harvard University and an M.F.A. in creative writing from New York University. His interests include Boggle and donuts.

DR. JEREMY GILLULA is a Staff Technologist at the Electronic Frontier Foundation where he focuses on a wide variety of tech policy topics including net neutrality, big data, mobile privacy, and privacy issues associated with drones and autonomous vehicles. At a young age Jeremy was sidetracked from his ultimate goal of protecting digital civil liberties by the allure of building and programming robots. He went to Caltech for undergrad, where he spent four years participating in the DARPA Grand Challenge, a competition to create a vehicle capable of traversing the desert autonomously. He then got his PhD in computer science from Stanford University, where his research focused on the design and analysis of algorithms for guaranteeing the safety of systems that employ machine learning and other AI techniques in an online fashion.

EVA GALPERIN is EFF's Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills.

KATITZA RODRIGUEZ is EFF's international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross-border data flows. Her work in EFF's International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF's growing Latin American programs. She is an advisor to the UN Internet Governance Forum (2009-2010), and a member of the Advisory Board of Privacy International. Before joining EFF, Katitza was director of the international privacy program at the Electronic Privacy Information Center in Washington D.C., where amongst other things, she worked on The Privacy and Human Rights Report, an international survey of privacy law and developments. Katitza is well known to many in global civil society and in international policy venues for her work at the U.N. Internet Governance Forum and her pivotal role in the creation and ongoing success of the Civil Society Information Society Advisory Council at the Organisation for Economic Co-operation and Development, for which she served as the civil society liaison while at EPIC from 2008 to March 2010. Katitza holds a Bachelor of Law degree from the University of Lima, Peru. Katitza's Twitter handle is @txitua.

Side-channel Attacks on High-security Electronic Safe Locks

Plore Hacker

Electronic locks are becoming increasingly common on consumer-grade safes, particularly those used to secure guns. This talk explores vulnerabilities of several UL-listed Type 1 "High Security" electronic safe locks. Using side-channel attacks, we recover the owner-configured keycodes on two models of these locks from outside of locked safes without any damage to the locks or safes. Discussion includes power-line analysis, timing attacks, and lockout-defeat strategies on embedded devices.

An embedded software developer with a background in electrical engineering, Plore has long been fascinated by computer security and locks. One day he found himself wondering if the trust bestowed on electronic locks was actually misplaced. He decided to investigate.

Hiding Wookiees in HTTP - HTTP smuggling is a thing we should know better and care about

regilero DevOp, Makina Corpus

HTTP is everywhere, everybody wants to write an HTTP server. So I wrote mine :-) But mine is not fast, and comes with an HTTP client which sends very bad HTTP queries. My tool is a stress tester for HTTP servers and proxies, and I wrote it because I found flaws in all HTTP agents that I have checked in the last year, i.e. nodejs, golang, Apache httpd, FreeBSD http, Nginx, Varnish and even Haproxy. This presentation will try to explain how flaws in HTTP parsers can be exploited for bad things; we'll play with HTTP to inject unexpected content in the user's browser, or perform actions in his name.

If you know nothing about HTTP it should be understandable, but you'll have to trust me blindly at the end. If you think you know HTTP, you have no reason to avoid this talk. Then, the short part, I will show you this new Open Source stress tool that I wrote and hope that you will remember it when you write your own HTTP parser for your new f** language.

regilero is a DevOp, and this started far before this term. Twenty years in open source as web developer, sysadmin, web security training, database performance, tuning, audits. Took some time to be the Apache top responder on Stack Overflow, some stuff on SaltStack, made two daughters also. HTTP was the missing piece; like everyone he uses it every day, but never took the time to really test the HTTP tools. Last year he started checking... and found some interesting issues.

Twitter: @regilero
Stack Overflow

Esoteric Exfiltration

Willa Cassandra Riggins (abyssknight) Penetration Tester, Veracode

When the machines rise up and take away our freedom to communicate we're going to need a way out. Exfiltration of data across trust boundaries will be our only means of communication. How do we do that when the infrastructure we built to defend ourselves is the very boundary we must defeat? We use the same pathways we used to, but bend the rules to meet our needs. Whether it's breaking protocol, attaching payloads, or pirating the airwaves we'll find a way. We'll cover using a custom server application to accept 'benign' traffic, using social and file sharing to hide messages, as well as demo some long range mesh RF hardware you can drop at a target for maximum covert ops.

Willa Cassandra Riggins is a penetration tester at Veracode, and was previously part of the Lockheed Martin CIS Red Team. She started her career as a developer and pivoted into security to help fight the pandemic that is developer apathy. Her background spans the software development lifecycle, but her heart is in root shells and crown jewels. She can be found making things at FamiLAB in Orlando, hacking at the local DC407 meet-ups, staffing the socials at BSides Orlando, and marketing all the things at OWASP Orlando.

Twitter: @willasaywhat

Six Degrees of Domain Admin - Using Graph Theory to Accelerate Red Team Operations

Andy Robbins (@_wald0), Offensive Network Services Team Lead, Veris Group
Rohan Vazarkar (@cptjesus) Penetration Tester, Veris Group
Will Schroeder (@harmj0y) Researcher, Veris Group

Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process – gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then -- and only then -- we can look back and see the path we took in its entirety. But that may not be the only, nor the shortest, path we could have taken. By combining our concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains.

Bob is an admin on Steve’s system, and Steve is an admin on Mary’s system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary’s system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data. The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. All possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.

Andy Robbins is the Offensive Network Services lead for Veris Group's Adaptive Threat Division. He has performed penetration tests and red team assessments for a number of Fortune 500 commercial clients and major U.S. Government agencies. In addition, Andy researched and presented findings related to a business logic flaw with certain processes around handling ACH files affecting thousands of banking institutions around the country at DerbyCon. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the ‘Adaptive Red Team Tactics’ course at BlackHat USA.

Twitter: @_wald0

Rohan Vazarkar is a penetration tester and red teamer for Veris Group's Adaptive Threat Division, where he helps assess Fortune 500 companies and a variety of government agencies. Rohan has a passion for offensive development and tradecraft, contributing heavily to EyeWitness and the EmPyre projects. He has presented at BSides DC, and helps to develop and teach the ‘Adaptive Penetration Testing’ course at BlackHat USA.

Twitter: @cptjesus

Will Schroeder is a security researcher and red teamer for Veris Group's Adaptive Threat Division. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has presented at a number of security conferences on topics spanning AV-evasion, post-exploitation, red team tradecraft, and offensive PowerShell.

Twitter: @harmj0y

How to Overthrow a Government

Chris Rock Founder and CEO, Kustodian

Direct from the mind of the guy who brought you the "I will kill you" presentation at DEF CON 23, is another mind bending, entertaining talk. This time it’s bigger and badder than before.

Are you sick and tired of your government? Can’t wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions then this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself.

Find out how over the last 60 years, governments and resource companies have been directly involved in architecting regime changes around the world using clandestine mercenaries to ensure deniability. This has been achieved by destabilizing the ruling government, providing military equipment, assassinations, financing, training rebel groups and using government agencies like the CIA, Mossad and MI-5 or using foreign private mercenaries such as Executive Order and Sandline. Working with Simon Mann, an elite ex SAS soldier turned coup architect who overthrew governments in Africa, Chris Rock will show you how mercenary coup tactics can be directly applied to digital mercenaries to cause regime changes as the next generation of "Cyber Dogs of War".

Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt. This will include taking ownership of all facets of government including finance, telecommunications, transportation, commercial companies and critical infrastructure such as power, water and oil. You will learn:
• Traditional military mercenary coup tactics used by the infamous 32 Battalion in Africa, Executive Order and Sandline that can be directly applied to a cyber mercenary regime change.
• How to architect a cyber coup using advisors, hackers and the general populace, using misinformation, professional agitators, false information and financing.
• How to gather intelligence to analyze a government’s systemic weaknesses on financial, societal values and political climates that is leader or country specific to structure your attack.
• How to identify and prioritize government resources, infrastructure and commercial companies and how to use these compromised assets to stage the coup.
• Combine physical and digital techniques and have the best of both worlds to own a country's infrastructure.
• How to manipulate the media using propaganda targeting journalists' flawed multiple "source" rules for a story.
• The Grand finale of a cyber regime change on a real country from beginning to end using the above techniques with operational footage. Come to this talk and find out how you too can be your own dictator, benevolent or merciless; that part is up to you.

Chris Rock, who presented "I will kill you" at DEF CON 23, has been active in the security industry for the last 20 years and is the founder and CEO of Kustodian, a specialized security company that specializes in Security Operations Centres, Penetration testing and independent research. Kustodian is an Australian, Middle East and Hong Kong registered company that has been operational for over 10 years. Chris has also spent 12 years in the banking sector and provides security services around the world for small, medium and large companies. Chris Rock also created SIEMonster, an open source, scalable, free Security Incident and Event Management (SIEM) as a commercial alternative to Splunk, ArcSight and AlienVault. SIEMonster can be run on Amazon AWS or Virtual machines and details can be found on

Twitter: @_kustodian_

Picking Bluetooth Low Energy Locks from a Quarter Mile Away

Anthony Rose Hacker
Ben Ramsey, Hacker

Many Bluetooth Low Energy (BLE) enabled deadbolts and padlocks have hit the market recently. These devices promise convenience and security through smartphone control. We investigated sixteen of these products from multiple vendors and discovered wireless vulnerabilities in most of them. Using a $50 antenna, we successfully picked vulnerable locks from over 400 meters away. In this presentation we introduce open source tools to crack each of the vulnerable BLE locks. Furthermore, after surveying the open source Bluetooth hacking tools currently available, we find very little support for BLE. So, to make discovering and range finding to BLE devices easier, we introduce a new open source war-walking tool compatible with both Bluetooth Classic and BLE.

Anthony Rose is an electrical engineer with five years of network security experience. His prior work includes traffic and quality optimization for wireless video protocols. Currently he focuses on Bluetooth security and wireless penetration testing.

Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low power wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.

Weaponize Your Feature Codes

Nicholas Rosario (MasterChen), VoIP Administrator

Almost everyone is familiar with feature codes, also known as star codes, such as *67 to block caller ID or *69 to find out who called you last. What if the feature codes could be used as a weapon? Caller ID spoofing, tDOSing (Call flooding), and SMS flooding are known attacks on phone networks, but what happens when they become as easy to launch as dialing *40?

Weaponize Your Feature Codes will first take the audience through a brief history of feature codes and common usage, and then demonstrate the more nefarious applications. The presentation will share the Asterisk code used to implement these "rogue" features, and mention possible ways of mitigation. While this talk builds upon previous work from the author, referenced in past DEF CON presentations, the new code written makes carrying out such attacks ridiculously easy.

Nicholas Rosario (MasterChen) is currently a VoIP Administrator. He has been published in 2600: The Hacker Quarterly twice for his research on the Asterisk PBX system and has given presentations at BSides Las Vegas and the DEF CON 303 Skytalks. His most recent research blends technology with psychological principles. MasterChen is an active member of the SYNShop hacker space in Las Vegas, NV and a co-founder and host of the weekly GREYNOISE infosec podcast.

Twitter: @chenb0x
Instagram: @chenb0x

Propaganda and You (and your devices) - How media devices can be used to coerce, and how the same devices can be used to fight back.

The Bob Ross Fan Club Security Software Engineer

Any novice in the security field can tell you the importance of sanitizing input that is being read into computer systems. But what steps do most of us take in sanitizing the input that is read into the computer systems known as our brains? This presentation will go over the attack vector that is known as Propaganda. By studying works such as Manufacturing Consent (by Noam Chomsky and Ed Herman) we can learn of the various manipulations that happen to media before it reaches the end reader.

Armed with the knowledge of how propaganda works, a person could attempt a more healthy diet of media consumption. Computer and data networks are heavily utilized by those wishing to push agendas, but who is to say these same technologies cannot be utilized to fight back? Developers have access to all sorts of tools that help accomplish this feat, such as web scrapers, natural language toolkits, or even the reddit source code repository. This talk will walk the audience through some different techniques that can be used for better media consumption.

The Bob Ross Fan Club is currently working as a security software engineer for embedded Linux systems. He has previously been part of published research efforts on the topics of user privacy and the threats posed by the tracking practices employed by internet companies.

Twitter: @bobross_fc

Attacking BaseStations - an Odyssey through a Telco's Network

Hendrik Schmidt, IT Security Researcher, ERNW GmbH
Brian Butterly, IT Security Researcher, ERNW GmbH

As introduced in our former series of talks ‘LTE vs. Darwin’ there are quite a few holes in the LTE specs. Now, having our own Macro BaseStation (an eNodeB) on the desk, we will demonstrate practical approaches to and attacks on real life devices. More and more devices are using mobile radio networks such as GSM, UMTS and LTE and there has already been quite a bit of research on (in)securities on the radio part, but only few people have had a look behind the scenes. Luckily, we had the chance to have just this look and now we would like to raise the curtain for the community. Initially we will quickly cover our complete odyssey from starting up an eNodeB for the first time, checking out the available interfaces and emulating the core network through to starting attacks. In the main part of the talk we will give a rather practical insight into the (in-)security features of basestations. We will start with valid backend connections and how these connections can be abused to reconfigure both a single eNodeB and a complete subnet on a telco network. We will then continue with the ‘official’ maintenance approach with the vendor's tools and web interfaces giving an attacker both local and remote access to the device. All in all the talk will cover general and specific vulnerabilities in both basestations and the backend network.

Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experience in large and complex enterprise networks. Over the years they have focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes. In this context they learned how to play around with telecommunication networks, and wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the German-based ERNW GmbH and will happily share their knowledge with the audience.


Retweet to Win: How 50 lines of Python made me the luckiest guy on Twitter

Hunter Scott Hacker

In this talk, I'll share how I won 4 Twitter contests per day, every day, for 9 months straight. I'll discuss the methods I used, the delightfully random and surprising things I won, and how to run a Twitter contest to prevent people like me from winning.

Hunter Scott is an electrical and computer engineer with over 7 years of experience designing and implementing hardware systems. He has led electrical development on a variety of projects, from robotics to communication systems. He has experience in improvising and quickly building prototype and proof of concept designs as well as implementing mission critical, high reliability designs. He has a degree in computer engineering from Georgia Tech and is currently working at a startup you've never heard of (yet!). His work has been featured in publications such as Gizmodo, Quartz, Engadget, CNN, The Chicago Tribune, The Guardian, and NPR. His other projects can be seen at

Twitter: @hunterscott


How to Make Your Own DEF CON Black Badge

Mickey Shkatov (@Laplinker) Intel Advanced Threat Research
Michael Leibowitz (@r00tkillah) Senior Trouble Maker
Joe FitzPatrick (@securelyfitz) Instructor & Researcher,
Dean Pierce (@deanpierce) Security Researcher, Intel
Jesse Michael (@jessemichael) Security Researcher, Intel
Kenny McElroy (@octosavvi) Hacker

Yes, we did, we made our own DEF CON black badges. Why? Because we didn't want to wait in line ever again-- Not really. We are a bunch of hackers that always look for a challenge, and what better challenge is there than to try and reverse engineer from scratch three DEF CON black badges? In this talk we will go through the 2 year long process of making the DC14, DC22 and DC23 Black badges which include amazing hacking techniques like social engineering, patience, reverse engineering, EAGLE trickery, head to desk banging and hoping it is passable to a goon and not shameful to DT, 1057, and Joe.

Mickey (@laplinker) is a security researcher and a member of the Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security. Mickey has presented some of his past research at DEF CON, Black Hat, BruCON, BSides PDX, PacSec, and HES.

Twitter: @laplinker

Michael has done hard-time in real-time. An old-school computer engineer by education, he spends his days championing product security for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes DEF CON CFPs, and contributes to the NSA Playset.

Twitter: @rootkillah

Joe FitzPatrick is an Instructor and Researcher at Joe has spent over a decade working on low-level silicon debug, security validation, hardware penetration testing, and hardware security training. In between training and bricking hardware, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects.

Twitter: @securelyfitz

Dean Pierce is a computer security researcher from Portland, Oregon. Dean has 15 years of experience in the field, with former DEF CON talks on breaking WiFi, WiMAX, and GSM networks. Author of many silly tools, creator of many silly websites. Security researcher by night, and security researcher that gets paid by day, Dean is currently doing tool development and attack modeling on Intel Corporation’s internal penetration testing team.

Twitter: @deanpierce

Jesse Michael spends his time annoying Mickey and finding low-level hardware security vulnerabilities in modern computing platforms.

Twitter: @jessemichael

Kenny McElroy is a Security Researcher, Lock picker, Tinkerer, Embedded hacker, Jam Skater, SMT solderer, SDR twiddler, Space Geek and Bluewire Artist.

Twitter: @octosavvi


Forcing a Targeted LTE Cellphone into an Unsafe Network

Haoqi Shan Hardware/Wireless security researcher, Qihoo 360
Wanqiao Zhang Communication security researcher, Qihoo 360

LTE is a more advanced mobile network, but not absolutely secure. Recently, several papers have already exposed vulnerabilities in LTE networks. In this presentation, we will introduce one method which jointly exploits the vulnerabilities in the tracking area update procedure, the attach procedure, and the RRC redirection procedure, and finally can force a targeted LTE cellphone to downgrade into a malicious GSM network, then consequently eavesdrop on its data traffic or even voice calls. This attack is not a simple DoS attack. It can select the targeted cellphone by filtering the IMSI number (IMSI catcher function), so it will not influence the other cellphones and keeps them in the real network. Furthermore, it can force the cellphone into the malicious network that we set up (a fake network) or that we assign (an operator’s network), therefore the cellphone has no chance to choose another secure network. This is the danger point of this attack.

Haoqi Shan is currently a wireless/hardware security researcher in Unicorn Team. He focuses on the GSM system, router/switch hacking etc. Other research interests include reverse engineering of embedded devices such as femtocell base stations. He has given presentations about GSM device hacking and wireless hacking suites at DEF CON, CanSecWest, and SyScan.

Wanqiao Zhang is a communication security researcher from Unicorn Team of Qihoo 360 China. She received her master's degree in electronic information engineering from Nanjing University of Aeronautics and Astronautics in 2015. Fascinated by the world of wireless security, she currently focuses on security research of the GPS system and the cellular network.


Cyber Grand Shellphish

Yan Shoshitaishvili PhD Student, UC Santa Barbara
Antonio Bianchi UC Santa Barbara
Kevin Borgolte UC Santa Barbara
Jacopo Corbetta UC Santa Barbara
Francesco Disperati UC Santa Barbara
Andrew Dutcher UC Santa Barbara
Giovanni Vigna UC Santa Barbara
Aravind Machiry UC Santa Barbara
Chris Salls UC Santa Barbara
Nick Stephens UC Santa Barbara
Fish Wang UC Santa Barbara
John Grosen UC Santa Barbara

Last year, DARPA ran the qualifying event for the Cyber Grand Challenge to usher in the era of automated hacking. Shellphish, a rag-tag team of disorganized hackers mostly from UC Santa Barbara, decided to join the competition about ten minutes before the signups closed.

Characteristically, we proceeded to put everything off until the last minute, and spent 3 sleepless weeks preparing our Cyber Reasoning System for the contest. Our efforts paid off and, as we talked about last DEF CON, against all expectations, we qualified and became one of the 7 finalist teams. The finals of the CGC will be held the day before DEF CON.

If we win, this talk will be about how we won, or, in the overwhelmingly likely scenario of something going horribly wrong, this talk will be about butterflies.

In all seriousness, we've spent the last year working hard on building a really kickass Cyber Reasoning System, and there are tons of interesting aspects of it that we will talk about. Much of the process of building the CRS involved inventing new approaches to automated program analysis, exploitation, and patching. We'll talk about those, and try to convey how hackers new to the field can make their own innovations.

Other aspects of the CRS involved extreme amounts of engineering efforts to make sure that the system optimally used its computing power and was properly fault-tolerant. We'll talk about how automated hacking systems should be built to best handle this. Critically, our CRS needed to be able to adapt to the strategies of the systems fielded by the other competitors. We'll talk about the AI that we built to strategize throughout the game and decide what actions should be taken.

At the end of this talk, you will know how to go about building your own autonomous hacking system! Or you might know a lot about butterflies.

Shellphish is a mysterious hacking collective famous for being great partiers and questionable hackers. The secret identities of the Shellphish CGC team are those of researchers in the security lab of UC Santa Barbara. When they're not CTFing or surfing, they're doing hard-hitting security research. Their works have been published in numerous academic venues and featured in many conferences. In 2015, they unleashed angr, the next (current?) generation of binary analysis, and have been working hard on it ever since!


Cheap Tools for Hacking Heavy Trucks

Six_Volts Research Mercenary
Haystack Vehicle Data Ninja

There has been much buzz about car hacking, but what about the larger heavy-duty brother, the big rig? Heavy trucks are increasingly networked, connected and susceptible to attack. Networks inside trucks frequently use Internet connected devices even on safety-critical networks where access to brakes and engine control is possible. Unfortunately, tools for doing analysis on heavy trucks are expensive and proprietary. Six_Volts and Haystack have put together a set of tools that include open hardware and software to make analyzing these beasts easier and more affordable.

Six_Volts is a "research mercenary" and has worked on High Performance Computing, embedded systems, vehicle networking and forensics, electronics prototyping and design, among other things. He's crashed cars for science, done digital forensics on a tangled mess of wires that used to be a semi truck, built HPC clusters out of old (and new) hardware, designed tools to extract data from vehicle EDRs, and in his spare time trains teams of students to defend enterprise networks.

Twitter: @Six_Volts

Haystack was a computer science student researching process control security, when one day he was recruited by a nefarious mechanical engineering professor hell-bent on dominating the field of accident reconstruction. After a series of dangerous training missions to various accident sites and junkyards, Haystack can now cut electronic control modules from wrecked trucks with surgical precision and extract crash data from them that was previously thought to be unrecoverable.


Maelstrom - Are You Playing with a Full Deck? : Using a Newly Developed Attack Life Cycle Game to Educate, Demonstrate and Evangelize.

Shane Steiger, Esq. CISSP, Chief Endpoint Security Architect

As a defender, have you ever been asked ‘do they win?’ How about ‘what products or capabilities should I buy to even the odds?’ Mapping the functionality to a standard list of desired capabilities only gets you so far. And, many vendors require an organization to pay for a framework, or for access to a framework, to enable tactical and strategic campaigns. Wouldn’t it be great to have an open source way to pick strategies? So what do you do? Build out your own defensive campaigns based on research, taxonomies and gamification. Building the attacker’s point of view is our expertise (at a CON). We have plenty of research here to talk about that point of view. How about building out the defender’s point of view based on the attacker’s life cycle? Defenders can use this as a defensive ‘complement’ to begin a legitimate defensive campaign. Maybe the defender could even ‘gamify’ the approach? An attacker’s approach, a defender’s approach and a progressive life cycle with a defender’s set of targets built on things we all know, love and hate: project management. I think we have a game!

Build out rules, much like real life, then bring on the attackers, bring on the defenders and play a little game to educate, demonstrate and evangelize. Watch strategies played by both attackers and defenders. Switch sides and learn to be a Purple Teamer! Digitize it and watch the game play people or even play itself; the true rise of the machine.

Wanna Play?!

Shane began his professional career with a large food manufacturer where he helped build and secure SCADA/ICS systems across 90+ food manufacturing plants in the US. From there he spent 6 years helping to develop and build the functionality of a security team for a large pharmaceutical distributor. Currently, he is the Chief Endpoint Security Architect for a Fortune 50 technology company. His interests reside in cyber resiliency techniques, internet of things, building/breaking things and muscle cars. To think, his 25+ year passion for all things geeky started with hacking the school library computer and getting detention. Shane is also a licensed attorney. Please don't hold this against him.


Help, I've got ANTs!!!

Tamas Szakaly Lead Security Researcher, PR-Audit Ltd., Hungary

As stated in my bio, besides computer security I also love flight simulators and mountain biking. Last year I gave a talk about hacking a flight simulator (among other games), so it was only fitting to research something related to my other hobby too. The bike speedometers of old have evolved quite a bit, and nowadays a lot of bikers (swimmers, runners, ers) do their sport with tiny computers attached to them. These computers do much more than measuring speed: they have GPS, they can store your activities, can be your training buddy, and they can communicate with various sensors (cadence, power meter, heart rate monitors, you name it), mobile phones, each other, and with PCs. One of the communication protocols used by these devices is ANT. Never heard of it? Not surprising, it is not very well known despite being utilized by a lot of gadgets including, but not limited to, sport watches, mobile phones, weight scales, some medical devices, and even bicycle lights and radars. When I bought my first bike computer I rationalized it with thoughts like ‘this will help me navigate on the mountain’, or ‘I can track how much I've developed’, but deep down I knew the real reason was my curiosity about this lesser known, lesser researched protocol.

One of my favorite kinds of weaknesses are the ones caused by questionable design decisions, which can be spotted without actual hands-on experience with the product itself, just by reading the documentation. Well, this is exactly what happened here: I had some attack vectors ready and waiting well before I received the actual device. To top it all, I've also found some implementation bugs after getting my hands on various Garmin devices.

After a brief introduction to the ANT, ANT+ and ANT-FS protocols, I'll explain and demo both the implementation and the protocol weaknesses and reach the already suspected conclusion that ANT and the devices that use it are absolutely insecure: anybody can access your information, turn off your bike light, or even replace the firmware on your sport watch over the air.

Tamas is the lead IT security researcher at PR-Audit Ltd., a company focusing mainly on penetration testing and SIEM software development. Previously he participated in a cooperation between the ELTE Department of Meteorology and Paks Nuclear Power Plant Ltd. whose goal was to develop TREX, a toxic waste emission simulator using CUDA. The scene from RoboCop where the kid defeats the evil robot with just a laptop and a serial cable made a huge impression on him, and after seeing the movie, his path was set: he was bound to be a hacker. His first experiences in this field involved poking around various copy protection schemes, and to this day his favorite areas of expertise are the ones that require some mangling of binary files. Besides computer security he also loves mountain biking and flight simulators.

Twitter: @sghctoma
Facebook: sghctoma


Playing Through the Pain? - The Impact of Secrets and Dark Knowledge on Security and Intelligence Professionals

Richard Thieme ThiemeWorks

Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact when those secrets build a different map of reality than "normals" use and one has to calibrate narratives to what another believes. The cognitive dissonance that inevitably causes is managed by some with denial who live as if refusing to feel the pain makes it disappear. But as Philip K. Dick said, reality is that which, when you no longer believe in it, refuses to go away. And when cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one's peril. But the constraints of one's work often make it impossible to speak aloud about those symptoms, because that might threaten one's clearances, work, and career. The real cost of security work and professional intelligence goes beyond dollars. It is measured in family life, relationships, and mental and physical well-being.

The divorce rate is as high among intelligence professionals as it is among medical professionals, for good reason - how can relationships be based on openness and trust when one's primary commitments make truth-telling and disclosure impossible?

Richard Thieme has been around that space for years. He has listened to people in pain because of the compelling necessities of their work, the consequences of their actions, the misfiring of imperfect plans, and the burdens of - for example - listening to terrorists slit someone's throat in real time, then having to act as if they had a normal day at the office. Thieme touched on some of this impact in his story, "Northward into the Night," published in the Ranfurly Review, Big City Lit, Wanderings and Bewildering Stories before collection in "Mind Games." The story illuminates the emotional toll of managing multiple personas and ultimately forgetting who you are in the first place.

The bottom line is, trauma and secondary trauma have identifiable symptoms and they are everywhere in the "industry." The "hyper-real" space which the national security state creates by its very nature extends to normals, too, now, but it's more intense for professionals. Living as "social engineers," always trying to understand the other's POV so one can manipulate and exploit it, erodes the core self. The challenge is not abstract or philosophical, it's existential, fired into our faces every day at point blank range, and it constitutes an assault on authenticity and integrity. Sometimes sanity is at stake, too, and sometimes, life itself. In one week, two different people linked to the CIA told Thieme that going into that agency was like becoming a scientologist. Think about what that analogy means. For his own sake and sanity, Thieme has thought about it a lot and that's what this talk is about - the real facts of the matter and strategies for effective life-serving responses.

Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. His column, ‘Islands in the Clickstream,’ was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the National Security Agency said after they worked together on ethics and intelligence issues, ‘The only way you can tell the truth is through fiction,’ he returned to writing short stories, 19 of which are collected in "Mind Games."

His latest work is the stunning novel "FOAM," published by Exurban Press September 2015. He is also co-author of the critically extolled "UFOs and Government: A Historical Inquiry," a 5-year research project using material exclusively from government documents and other primary sources, now in 65 university libraries. His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities, including Purdue University (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas, the "Design Matters" lecture series at the University of Calgary, and as a Distinguished Lecturer in Telecommunications Systems at Murray State University.

He addressed the reinvention of "Europe" as a "cognitive artifact" for curators and artists at Museum Sztuki in Lodz, Poland, keynoted CONFidence in Krakow 2015, and keynoted "The Real Truth: A World’s Fair" at Raven Row Gallery, London. He recently keynoted Code Blue in Tokyo. He loved Tokyo. He has spoken for the National Security Agency, the FBI, the Secret Service, the US Department of the Treasury, and Los Alamos National Labs and has keynoted "hacker," security, and technology conferences around the world. He keynoted the first two Black Hats and he is speaking at DEF CON for the 21st year.

Twitter: @neuralcowboy


CAN i haz car secret plz?

Javier Vazquez Vidal Hardware Security Specialist at Code White Gmbh
Ferdinand Noelscher Information Security Specialist at Code White Gmbh

The CAN bus is really mainstream, and every now and then there are new tools coming out to deal with it. Everyone wants to control vehicles and already knows that you can make the horn honk by replaying that frame you captured. But is this all that there is on this topic? Reversing OEM and third party tools, capturing firmware update files on the fly, and hijacking Security Sessions on a bus are just a few examples of things that can be done as well. For this and more, we will introduce to you the CanBadger! It's not just a logger, nor just an injector. It's a reversing tool for vehicles that allows you to interact in real time with individual components, scan a bus using several protocols (yup, UDS is not the only one) and perform a series of tests that no other tool offers. The CanBadger is where the real fun begins when dealing with a vehicle, and you can build it for under $60 USD! If you are already done with replaying frames on the CAN bus and want to learn how that fancy chip-tuning tool deals with your car, or simply want to get Security Access to your vehicle without caring about the security key or algorithm, we are waiting for you!

Javier Vazquez Vidal is passionate about technology and specializes in hardware and embedded systems security. He studied Electromechanics and Telecommunications, developing a passion for electronics and technology since his youth. He has been part of several projects that involved well-known hardware, but his first public work was presented at DEF CON 21, the ECU tool. He developed the CHT, a tool to take over the CAN network, and had some fun with the ‘paella country’ smart meters. He is currently working as a Product Security Engineer at Code White GmbH, and has worked at companies such as Tesla, Daimler, Airbus Military and Visteon.

Ferdinand Noelscher is an information security researcher from Germany. He has been working in Information Security for several years now. Ferdinand is very passionate about Offensive Security research and has been working on numerous embedded security projects, and some lasers too. Furthermore, he gave a training together with Javier at He is currently a Security Researcher at Code White.


Frontrunning the Frontrunners

Dr. Paul Vixie, CEO and Co-founder, Farsight Security, Inc.

While some domainers allegedly brainstorm ideas for new domains to register while taking a shower, the more successful domain portfolio managers, working at scale, are believed to be ‘data driven.’ DNS queries are a material source of intelligence about domainer opportunities and operations, and also help us to understand the operational constraints around potentially combating domainers, should we want to do so. In this presentation co-authored with Farsight Security Scientist Dr. Joe St Sauver, Farsight Security CEO Dr. Paul Vixie will scrutinize failed DNS queries (‘NXDOMAINs’), looking for the same ‘opportunities’ that a domainer or typo squatter would (although we will not be acting on that data by actually registering domains).

Dr. Vixie will discuss two primary types of behavior: 1) Volumetrically-driven typo-squatting, which Dr. Vixie will measure by computing the volume of NXDOMAINs seen by domain during a 24 hour period, and the time between popular typos appearing in NXDOMAINs and those same domains being registered and actually used, and 2) Domainers programmatically exploring permutations of domains around high value domains, probing for available domains and automatically registering the most promising probed domains discovered to still be available. Both of these hypothesized behaviors should be externally observable and thus able to be confirmed by watching a real-time stream of NXDOMAIN errors, and a real-time stream of newly observed, actually-registered domains, as available from the Security Information Exchange.

Dr. Paul Vixie will experimentally confirm these hypothesized relationships and describe examples of (1) the most commonly observed types of typographical errors, (2) the brands apparently most-targeted for squatting, (3) the distribution of delays from NXDOMAIN detection to observed domain use, (4) the potential relationship between NXDOMAIN volume thresholds and TLD cost. Dr. Vixie will also explain how this information illuminates opportunities for tackling these types of domain name abuse. Time will be reserved for Q&A.

Dr. Paul Vixie is the CEO and Co-founder of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. He is a sysadmin for Op-Sec-Trust. Dr. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014.

Twitter: @paulvixie


Mouse Jiggler Offense and Defense

Dr. Phil, Professor, Bloomsburg University of Pennsylvania

A group of highly-armed individuals has just stormed into your office. They are looking to pull data from your computers, which are protected with full disk encryption. To keep your screen saver lock from activating, they will likely immediately insert a mouse jiggler. This talk will present ways of detecting and defending against such assaults on your system by mouse jiggler wielding individuals. It will also show you how to build your own simple mouse jiggler. Nothing beyond basic Linux usage is required to understand this talk. Attendees will leave with several ways to defend against mouse jigglers and the knowledge of how to create their own mouse jigglers.

Phil was born at an early age. He cleaned out his savings as a boy in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since.

Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2015). Phil has also published books on Linux Forensics (Pentester Academy, 2015), USB Forensics (Pentester Academy, 2016), and Windows Forensics (Pentester Academy, 2016).

Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics (find his Daddy and Daughter Electronics show on YouTube), and has been known to build airplanes.


DARPA Cyber Grand Challenge Award Ceremony

Mike Walker DARPA Program Manager
Dr. Arati Prabhakar DARPA Director

On Friday morning, August 5th, DARPA will announce the prize winners and recognize the parties responsible for building and competing in the Cyber Grand Challenge (CGC), the world's first all-machine hacking tournament, which was completed August 4th. Seven high performance computers will have completed an all-machine Capture the Flag contest, reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses. Come hear about what transpired at CGC, and learn which team will be taking home the $2M grand prize, as well as the $1M second place and $750K third place prizes.

Mike Walker is the DARPA program manager for the Cyber Grand Challenge. His research interests include machine reasoning about software in situ and the automation of application security lifecycles. Prior to joining DARPA, Mr. Walker worked in industry as a security software developer, Red Team analyst, enterprise security architect and research lab leader. As part of the Computer Science Corporation ‘Strikeforce’ Red Team, Mr. Walker helped develop the HEAT Vulnerability Scanner and performed Red Team engagements. Serving as a principal at the Intrepidus Group, Mr. Walker worked on Red Teams that tested America's financial and energy infrastructure for security weaknesses. Also, on the DARPA SAFER Red Team, Mr. Walker discovered flaws in prototype communications technologies. Mr. Walker has participated in various roles in numerous applied computer security competitions. He contributed challenges to DEF CON Capture the Flag (CTF) and competed on and led CTF teams at the highest levels of international competition. Mr. Walker was formerly a mentor of the Computer Security Competition Club at Thomas Jefferson High School for Science and Technology (TJHSST).

Arati Prabhakar, Ph.D., is director of the Defense Advanced Research Projects Agency (DARPA). Serving in this position since July 2012, she has focused the agency's efforts on rethinking complex military systems in fundamental ways; harnessing the information explosion to address national security challenges; and planting new seeds of technological surprise in fields as diverse as mathematics, synthetic biology, and neurotechnology.

Dr. Prabhakar has spent her career investing in world-class engineers and scientists to create new technologies and businesses. Her first service to national security started in 1986 when she joined DARPA as a program manager. She initiated and managed programs in advanced semiconductor technology and flexible manufacturing, as well as demonstration projects to insert new semiconductor technologies into military systems. As the founding director of DARPA's Microelectronics Technology Office, she led a team of program managers whose efforts spanned these areas, as well as optoelectronics, infrared imaging and nanoelectronics.

In 1993, President William Clinton appointed Dr. Prabhakar director of the National Institute of Standards and Technology, where she led the 3,000-person organization in its work with companies across multiple industries.

Dr. Prabhakar moved to Silicon Valley in 1997, first as chief technology officer and senior vice president at Raychem, and later vice president and then president of Interval Research. From 2001 to 2011, she was a partner with U.S. Venture Partners, an early-stage venture capital firm. Dr. Prabhakar identified and served as a director for startup companies with the promise of significant growth. She worked with entrepreneurs focused on energy and efficiency technologies, consumer electronics components, and semiconductor process and design technologies.

Dr. Prabhakar received her Doctor of Philosophy in applied physics and Master of Science in electrical engineering from the California Institute of Technology. She received her Bachelor of Science in electrical engineering from Texas Tech University. She began her career as a Congressional Fellow at the Office of Technology Assessment.

Dr. Prabhakar has served in recent years on the National Academies' Science Technology and Economic Policy Board, the College of Engineering Advisory Board at the University of California, Berkeley, and the red team of DARPA's Defense Sciences Research Council. In addition, she chaired the Efficiency and Renewables Advisory Committee for the U.S. Department of Energy. Dr. Prabhakar is a Fellow of the Institute of Electrical and Electronics Engineers, a Member of the National Academy of Engineering, a Texas Tech Distinguished Engineer, and a Caltech Distinguished Alumna.

Twitter: @DARPA

I've got 99 Problems, but Little Snitch ain't one

Patrick Wardle Director of Research, Synack

Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately, bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail Though briefly touching on generic firewall bypass techniques, this talk will largely focus on the kernel-mode vulnerability. Specifically, I'll discuss bypassing OS X specific anti-debugging mechanisms employed by the product, reverse-engineering the firewall's I/O Kit kernel interfaces and 'authentication' mechanisms, and the discovery of the exploitable heap-overflow.

Finally, methods of exploitation will be briefly discussed, including how an Apple kernel fix made this previously un-exploitable bug exploitable on OS X 10.11.

So if you simply want to see yet another 'security' product fall, or more generically, learn methods of OS X kernel extension reversing in a practical manner, then this talk is for you :)

Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his website.

Twitter: @patrickwardle

How to Remote Control an Airliner: Security Flaws in Avionics

Sebastian Westerhold KF5OBS

This talk exposes critical flaws in navigational aids, secondary surveillance radar, the Traffic Collision Avoidance System (TCAS) and other aviation-related systems. The audience will gain insight into the inner workings of these systems and how these systems can be exploited. Several practical demonstrations on portable avionics will show just how easy it is to execute these exploits in real life.

Sebastian Westerhold, better known under his FCC-assigned radio call-sign KF5OBS, is a well-known electrical engineer with a general interest in security analysis and penetration testing. As a teenager, he wrote articles for the leading German electronics magazine FUNKAMATEUR and the leading European magazine Elektor. Today, his blog and YouTube channel attract electronics enthusiasts from all over the world.

Malware Command and Control Channels: A journey into darkness

Brad Woodberg Group Product Manager - Emerging Threats, Proofpoint, Inc.

Much of the time and attention dedicated to modern network security focuses on detecting the contemporary vulnerabilities and exploits which power the breaches that make the headlines. With almost all of the emphasis placed on the endless cycle of new entry points, we are often overlooking what is perhaps one of the most profoundly interesting aspects of modern network breaches: the post-exploit communication of a compromised system to the attacker, known as command and control.

Once malware has compromised an end system, the tables are turned against the attackers; we go from being on defense to being on offense. Attackers are constantly evolving their techniques and have become incredibly creative in attempting to hide their tracks, maintain control of compromised systems, and exfiltrate sensitive data. This presentation will explore how command and control channels have evolved against traditional defenses, where they are today, future predictions on their evolution, and most importantly, how you can go on the offense to protect your organization by identifying and disrupting command and control channels in your network.

Brad Woodberg is a Group Product Manager at Proofpoint Inc., leading the Emerging Threats product line. Prior to his current role at Proofpoint, he spent six years at Juniper Networks as a layer 7 security product manager and product line engineer. Prior to Juniper he worked for a security consulting company in Ann Arbor, Michigan for four years delivering a variety of network security technologies and services. He is a four-time published author of network security books through O'Reilly and Syngress. He has spoken at several security conferences including DEF CON 19, CanSecWest 2011, SEMAPHOR and other regional talks. Brad is also an active mentor to up-and-coming security engineers who share a similar interest and passion in all things network security.

Twitter: @bradmatic517

Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5

Luke Young Information Security Engineer, Hydrant Labs LLC

As bandwidth, computing power, and software advancements have improved over the years, we've begun to see larger and larger DDoS attacks against organizations. Oftentimes these attacks employ techniques such as DNS Amplification to take advantage of servers with very large uplinks. This talk explores a similar technique targeting commonly used throughput testing software typically running on very large uplinks. We will explore the process of attacking this software, eventually compromising it and gaining root access. Then we'll explore some of these servers in the real world, determining the size of their uplinks and calculating the total available bandwidth at our fingertips, all from a $5 VPS. We will finish up the presentation with a live demo exploiting an instance and launching a DoS.

Luke Young is a security researcher from the frozen plains of Minnesota who has spent his last three summers escaping to the much warmer Bay Area as a security intern for various tech companies, most recently as part of the Uber product security team. He presented at DEF CON 23 on the topic of exploiting bitflips in memory and has investigated a variety of well-known products and network protocols, resulting in numerous CVE assignments and recognition in security Halls of Fame. He is currently attempting to balance earning his undergraduate degree with maintaining his position as one of the top 10 researchers on Bugcrowd.

Abusing Bleeding Edge Web Standards for AppSec Glory

Bryant Zadegan Application Security Advisor & Mentor, Mach37
Ryan Lester CEO & Chief Software Architect, Cyph

Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose. In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day).

Bryant Zadegan is an application security advisor and mentor at Mach37, a security accelerator focused on pouring substantial dollars into new security technologies. When not driving developers to embrace AppSec in continuous integration, Bryant punches holes in Amazon, Google, Reddit, etc. On days when he'd rather not touch computers, he's usually nowhere to be found near DC.

Twitter: @eganist

Ryan Lester is the CEO and chief software architect for Cyph, a web-based one-click end-to-end-encrypted communications service funded in part by Mach37, Virginia's Center for Innovative Technology, and the Goel Fund. Since departing SpaceX, Ryan has dedicated the better part of a year and a half to the vision of accessible encrypted communication. Unsurprisingly, when he isn't working on building the logic for Cyph, he's usually looking for ways to break it.

Twitter: @theryanlester

Project CITL

Mudge Zatko Director, CITL
Sarah Zatko Chief Scientist, CITL

Many industries provide consumers with data about the quality, content, and cost of ownership of products, but the software industry leaves consumers with very little data to act upon. In fact, when it comes to how secure or weak a product is from a security perspective, there is no meaningful consumer-facing data. There has long been a call for the establishment of an independent organization to address this need. Last year, Mudge (of DARPA, Google, and L0pht fame) announced that after receiving a phone call from the White House he was leaving his senior position inside Google to create a non-profit organization to address this issue. This effort, known as CITL, is akin to Consumer Reports in its methodologies. While the media has dubbed it a "CyberUL", there is no focus on certifications or seals of approval, and no opaque evaluation metrics. Rather, like Consumer Reports, the goal is to evaluate software according to metrics and measurements that allow quantitative comparison and evaluation by anyone from a layperson or CFO to a security expert.

How? A wide range of heuristics that attackers use to identify which targets are hard or soft against new exploitation has been codified, refined, and enhanced. Some of these techniques are quite straightforward and even broadly known, while others are esoteric tradecraft. To date, no one has applied all of these metrics uniformly across an entire software ecosystem before and shared the results.

For the first time, a peek at the Cyber Independent Testing Lab's metrics, methodologies, and preliminary results from assessing the software quality and inherent vulnerability in over 100,000 binary applications on Windows, Linux, and OS X will be revealed. All accomplished with binaries only. Sometimes the more secure product is actually the cheaper one, and quite often the security product is the most vulnerable.

There are plenty of surprises like these that are finally revealed through quantified measurements. With this information, organizations and consumers can finally make informed purchasing decisions when it comes to the security of their products, and measurably realize more hardened environments. Insurance groups are already engaging CITL, as are organizations focused on consumer safety. Vendors will see how much better or worse their products are in comparison to their competitors. Even exploit developers have demonstrated that these results enable bug-bounty arbitrage. That recommendation you made to your family members last holiday about which web browser they should use to stay safe (or that large purchase you made for your industrial control systems)? Well, you can finally see if you chose a hard or soft target... with the data to back it up.

Mudge Zatko is the Director of CITL. He has contributed significantly to disclosure and education on information and security vulnerabilities. In addition to pioneering buffer overflow work, the security work he has released contained early examples of flaws in the following areas: code injection, race conditions, side-channel attacks, exploitation of embedded systems, and cryptanalysis of commercial systems. He was the original author of the password cracking software L0phtCrack, Anti-Sniff, and L0phtWatch. In 2010 Mudge accepted a position as a program manager at DARPA where he oversaw cyber security R&D, and re-built the Agency's approach to cyber security research. In 2013 Mudge went to work for Google where he was the Deputy Director of their Advanced Technology & Projects division. Most recently, after conversations with the White House, Mudge stood up the non-profit Cyber Independent Testing Laboratory inspired by efforts such as Consumers Union. He is the recipient of the Secretary of Defense Exceptional Civilian Service Award medal, an honorary Plank Owner of the US Navy Destroyer DDG-85, was inducted into the Order of Thor, the US Army's Association of Cyber Military Professionals, recognized as a vital contributor to the creation of the US Cyber Corps (SfS PDD-63), and has received other commendations from the CIA and from the Executive Office of the President of the United States.

Sarah Zatko is the Chief Scientist at CITL, a partner at L0pht Holdings, LLC, and a member of the US Army's Order of Thor. She has presented her research on the integration of security into CS curriculum at ShmooCon and HOPE. That work is also published in IEEE Security & Privacy. She holds a degree in mathematics from MIT and a Master's in computer science from Boston University.

Realtime Bluetooth Device Detection with Blue Hydra

Zero_Chaos Director of Research and Development, Pwnie Express
Granolocks All the Things, Pwnie Express

We are releasing a new tool for discovering Bluetooth devices and automatically probing them for information. Effectively we have created a new tool with an airodump-ng-like display for nearby Bluetooth and Bluetooth Low Energy devices. We will discuss the challenges with finding Bluetooth devices, as well as how we have overcome them using both standard Bluetooth adapters and optionally Ubertooth hardware. If you have ever wondered why no one released an effective tool to see all the Bluetooth in the area, then come by, learn a little, and leave with a tool you have always wanted. Blue Hydra will discover and track Bluetooth and Bluetooth Low Energy devices in the area, regardless of whether they are in discoverable mode, and tracks data (Bluetooth version, services, etc.) as well as meta-data (signal strength, timestamps) over time. We will be going over how Bluetooth operates at a high level, and how we were able to discover and track nearby devices. A deep understanding of the Bluetooth protocol was not needed to develop Blue Hydra (we stood on the shoulders of giants) and will not be required to use Blue Hydra or understand its output.

Zero_Chaos is a well-known wireless hacker who helps to run the Wireless Village at DEF CON and the Wireless Capture the Flag at numerous conventions (including DEF CON). Always quick to open his mouth when he probably shouldn't, Zero enjoys talking to people about wireless hacking and teaching anyone with an interest.

Twitter: @Zero_ChaosX

Granolocks is a long time experimenter and developer at Pwnie Express. He has a broad set of interests including long walks in the woods, travel to exotic locations and hacking the planet. Known far and wide for his dry wit and backrubbing skills, the Q&A session is not to be missed.

Twitter: @granolocks

411: A framework for managing security alerts

Kai Zhong Application Security Engineer, Etsy
Kenneth Lee Senior Security Engineer, Etsy

Modern web applications generate a ton of logs. Suites like ELK (Elasticsearch, Logstash, Kibana) exist to help manage these logs, and more people are turning to them for their log analysis needs. These logs contain a treasure trove of information regarding bad actors on your site, but surfacing that information in a timely manner can be difficult. When Etsy moved over from Splunk to ELK in mid-2014, we realized that ELK lacked necessary functionality for real-time alerting. We needed a solution that would provide a robust means of querying ELK and enrich the data with additional context. We ended up creating our own framework to give us this functionality. We've named this open-source framework 411. We designed 411 as a solution for detecting and alerting on interesting anomalies and security events. The Security team at Etsy was interested in using this functionality to detect everything from XSS to monitoring for potential account compromises. First, we'll start off with a discussion of what you should be logging into Elasticsearch. This is important to help you create useful, actionable alerts in 411. We'll note a number of configuration tips and tricks to help you get the most out of your ELK cluster. From there, we'll dive into 411's features and how it allows the Etsy security team to work effectively. We'll conclude with two demos of 411 in action. This presentation will show you several examples of useful searches you can build in 411 and how this data can be manipulated to generate clear, actionable alerts. We'll demonstrate the built-in workflow for responding to alerts and how 411 allows you to pull up additional context as you work on an alert. Additionally, while much of our discussion will be centered around ELK, 411 can in fact be used with a variety of data sources (several of these sources are built into 411).
Whether you’re a newbie looking to learn more or a security veteran with an established system, 411 will help change the way you handle security alerts.

Kai is a security engineer at Etsy. At work, he fiddles around with security features, works on 411 and responds to the occasional bug bounty report. He went to NYU-Poly and got a degree in Computer Science, with an MS in Computer Security. In his free time, he enjoys reverse engineering, CTFs, board games, starting yet another project that he'll never finish and learning all the things.

Twitter: @sixhundredns

Kenneth Lee is a senior product security engineer at Etsy, working on everything from managing the bug bounty program to shattering the site with new vulnerabilities. Previously, Kenneth worked at FactSet Research Systems preventing The Hackers from stealing financial data. He went to Columbia and got an MS in computer science focusing on computer security. Between sweet hacks, Kenneth enjoys drinking tea and force-feeding Etsy's operations team with Japanese chocolates.

Twitter: @kennysan
