DEF CON 24 Hacking Conference

Village Talks

In addition to the main DEF CON tracks, several of the Villages have a full-blown speaker track of their own, full of good stuff specific to their area of focus. Below we have a partial schedule (we'll update it as information comes in).

Packet Hacking Village

Friday, August 5


Presenting Security Metrics to the Board / Leadership

Walt Williams

The board of directors and corporate leadership are not interested in how many attacks your firewall has blocked, and frankly, that is not a metric, that is a measure. The difference between metrics and measurements, how metrics are constructed, and the kinds of metrics a board of directors is interested in will be discussed; in other words, how to align security metrics with business goals and objectives. The use of frameworks such as ISO 27004 to construct metrics, and the pragmatic framework and its uses, will also be discussed.

BIO: Walt Williams (Twitter: @LESecurity), CISSP, SSCP, CPT, has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now manages security at Lattice Engines. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides on risk management as the cornerstone of a security architecture. He maintains a blog on security metrics and has presented to the boards of three different organizations in diverse industries.


Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection

Omer Zohar

Today’s networks are undergoing all sorts of sinister attacks from numerous sources and for myriad reasons. Security at the perimeter is inadequate for thwarting today’s highly intelligent attacks as hackers routinely breach the perimeter and gain entry. It isn’t long before the network is compromised and critical information is stolen. We must now assume that, despite significant investments in prevention, breaches are going to happen. An additional approach is required. Security teams must go on the offensive, creating a web of non-stop, real-time detection operations using multiple vectors against an ever-changing landscape of cyber threats. Deception technology now plays a critical role. Used as a strategy for many centuries in actual warfare, the concept of deception is becoming a significant weapon in network-protection schemes. Deception technology doesn’t rely on known attack patterns and monitoring. Instead, it employs very advanced luring techniques to entice attackers away from valuable company assets and into pre-set traps, thus revealing their presence. It is able to detect threats in real time without relying on any signatures, heuristics or complex behavioral patterns. But how effective is a deception strategy in detecting breaches? What method works best? How does it integrate with current security operations already in place?

In this talk we will present findings from a first-ever research project that measured the efficiency of proactive deception using mini-traps and decoys in real-life threat scenarios. We have reconstructed a real enterprise environment complete with endpoints, servers, network traffic and data repositories as well as security tools such as IDS, firewall, SIEM etc. The deception layer was then integrated into the environment in two steps: (a) by placing decoys in the network and (b) by placing mini-traps on the assets which point to the decoys, set false credentials, trigger silent alarms and more. We then evaluated the effectiveness of the mini-traps and decoys against both automated, machine-based attacks as well as against sophisticated human attacks: The first stage involved checking the behavior of a variety of malware families against the environment and measuring the deception layer’s success in detecting their activity. For the second phase, we invited red-team professionals and white hat hackers to employ real techniques and advanced tools with the task of moving laterally in the environment and exfiltrating high-value data.

BIO: Omer Zohar has over a decade of experience as a developer and researcher in the data security market. As head of Research for TopSpin Security he is responsible for the research of malware and post-breach detection methods and for defining advanced detection schemes.
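The mini-trap idea above (false credentials planted on real assets that trigger a silent alarm when used) reduces, on the detection side, to a lookup against an inventory of decoy accounts. The following is an added example, not TopSpin Security's or the speaker's code: the decoy inventory, host names and the authentication log format are constructed for illustration. The point it shows is that any use of a decoy account is an alert, success or failure, and that the alert names the asset where the credential was planted, which is the host most likely to have been compromised.

```python
"""Mini-trap detection: alert on any use of a planted decoy credential.

Added example, not TopSpin's or the speaker's code. The decoy inventory, host
names and log format below are constructed for illustration.
"""
import re

# Inventory of planted decoy credentials. Each entry records where the
# credential was planted (the asset whose compromise its use would reveal)
# and the decoy host it points at, so the alert can be enriched.
DECOYS = {
    "svc_backup": {"planted_on": "ws-finance-07", "decoy_host": "10.0.9.50"},
    "sa_legacy":  {"planted_on": "web-dmz-01",    "decoy_host": "10.0.9.51"},
}

# Hypothetical authentication log line format (constructed for the example).
AUTH_LINE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)"
)


def detect_trap_hits(log_lines):
    """Return one alert per authentication attempt that used a decoy account.

    Success and failure are both alerts: no legitimate process knows these
    credentials, so any attempt means the planted asset was read by someone.
    """
    alerts = []
    for line in log_lines:
        m = AUTH_LINE.match(line)
        if not m:
            continue
        decoy = DECOYS.get(m["user"])
        if decoy is None:
            continue
        alerts.append({
            "time": m["ts"],
            "decoy_user": m["user"],
            "attempted_from": m["src"],
            "target": m["host"],
            "likely_compromised_asset": decoy["planted_on"],
            "outcome": m["result"],
            # A decoy used somewhere other than its decoy host means the
            # attacker is reusing the harvested credential more widely.
            "off_decoy_host": m["host"] != decoy["decoy_host"],
        })
    return alerts


# Constructed sample log: normal logins plus an attacker trying a decoy.
SAMPLE_LOG = [
    "2016-08-05T09:12:01 host=10.0.3.20 user=alice src=10.1.1.5 result=success",
    "2016-08-05T09:13:44 host=10.0.9.50 user=svc_backup src=10.1.1.5 result=failure",
    "2016-08-05T09:14:02 host=10.0.3.40 user=svc_backup src=10.1.1.5 result=failure",
    "2016-08-05T09:15:10 host=10.0.3.20 user=bob src=10.1.1.6 result=success",
]

if __name__ == "__main__":
    for alert in detect_trap_hits(SAMPLE_LOG):
        print(alert)
```

The value of the pattern is the near-zero false-positive rate: the detector needs no signatures and no behavioral baseline, only the list of accounts that nobody should ever use. The second alert in the sample, where the decoy is tried against a host that is not its decoy target, is the signal that the attacker has harvested the credential and is spraying it.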


Vulnerability Management: No Excuses, A Network Engineer’s Perspective

Richard Larkins

Vuln Management encompasses 3 out of the top 4 items in the SANS 20 and is a critical item for PCI DSS. Yet, so few companies manage to do it correctly. This presentation will cover the result of the author (a network geek) being unceremoniously thrown into one of those situations, and will detail the lessons learned from it. Tools used: NMap, Tripwire, Qualys, and Crayons.

BIO: Richard Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich’s real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.


You are Being Manipulated

GrayRaven
You are being manipulated. There is constant pressure coming from companies, people, and attackers. Millions are spent researching and studying your weaknesses. The attack vectors are subtle. Most times we don’t realize that manipulation has occurred until it is too late. Fear not, we can harden our defenses. We can put safeguards in place to help avoid being the victim. For me, the answer came from an unlikely source: my daughter. Small children are fantastic. Society has not yet influenced their development; therefore, children are relentless in pursuing their aims. Since they are naive to right and wrong, they will use any tool available to get their goal. How does this help? My daughter became my trainer, and this talk discusses how interacting with her has improved my defenses. Comparing her strategies to real world examples will show how to build a training framework of your own. Access to small children is not needed.

BIO: GrayRaven (Twitter: @_grayraven_) is a senior software engineer at Cisco Systems. He has been fascinated with manipulation since his childhood. Despite receiving a degree in psychology, he spent 18 years as a professional in the Information Technology space. GrayRaven spent the first seven years of his career as a system and network administrator before moving to the dark art of programming. Two years ago he stopped dabbling and tumbled down the security rabbit hole. This journey makes him believe that he is finally using his degree professionally. During his downtime, GrayRaven can be found practicing martial arts, brewing beer and mead, or writing.


Connections: Eisenhower and the Internet

Damon "Chef" Small

“Rise of the Machines” conjures thoughts of the evolution of technology from the exclusive domain of computer scientists in the early days of our industry to including everyday people using - and often wearing - Internet-connected devices. With that theme in mind, the speaker researches the history of one large, government-funded infrastructure and compares it to another. Specifically, the Eisenhower Interstate System and the Internet. “Connections: Eisenhower and the Internet” explores what the logistical challenges of moving vehicles across the Country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the Information Superhighway and how information security professionals can prepare.

BIO: Chef (Twitter: @damonsmall) earned his handle from his use of cooking metaphors to describe infosec concepts to laypeople. He began his career studying music at Louisiana State University and took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Chef began focusing on cyber security. This has remained his passion, and over the past 16 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Chef completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Project Manager at NCC Group includes working closely with consultants and clients in delivering complex security assessments that meet varied business requirements. Recent speaking engagements include DEFCON 23, BSides Austin, BSides San Antonio, HouSecCon, and ISSA Houston.


Automated Dorking for Fun and Profit

Filip Reesalu

A dork is a specialized search engine query which reveals unintentional data leaks and vulnerable server configurations. In order to catalogue vulnerable hosts with minimal manual intervention we’re now introducing an open-source framework for grabbing newly published dorks from various sources and continuously executing them in order to establish a database of exposed hosts. A similar project (SearchDiggity, closed source, Windows only) had its latest release in 2013 and the latest blog post was published in 2014.

BIO: Filip Reesalu (Twitter: @p1dgeon) is a Security Researcher at Recorded Future. He joined the Threat Intelligence team after switching over from a data scientist role and is now responsible for analyzing malware samples and traffic as well as creating tools that benefit the community at large.


Verifying IPS Coverage Claims: Here’s How

Garett Montgomery

IPS devices are now an accepted, integral part of a defense-in-depth InfoSec strategy; by strategically positioning them on the network, attacks can be blocked before they ever reach their intended targets. But with the explosion of public exploits, polymorphic malware and an ever-increasing attack surface, how can IPS devices keep up? They all seem to have heuristic detection capabilities, which are supposed to protect you from unknown exploits, and frequent updates to protect against known vulnerabilities. But just how effective are those defenses? Sure, you can check out the Gartner magic quadrant or pay for the latest NSS Test report. Just because an IPS claims to protect you from a vulnerability doesn’t mean that's the case. In this talk, I’ll talk about some of the strengths and weaknesses of IPS devices, as well as entire classes of exploits that cause serious problems for IPS devices. While I happen to work for a company that sells a very expensive device for testing IPS devices (which is where the data and my opinions come from), I plan to focus on how the same testing methodologies can be applied and the results can be duplicated using open-source tools.

BIO: Garett Montgomery (Twitter: @garett_monty) is Security Team Lead at Ixia’s ATI Research Center, where the primary focus is on simulating attacker behaviors in order to provide realistic test scenarios for network-based protection devices. He has been simulating network-based attacks for BreakingPoint/Ixia for the last 4 years. Prior to joining BreakingPoint in 2012 he spent 2 years as a Research Engineer at TippingPoint/HP Enterprise Security. Before TippingPoint, he spent 9 years in the Navy, with last 3+ as a Security Analyst for the Naval Postgraduate School in Monterey, CA. He holds a Masters Degree in Information Assurance, as well as an active CISSP certifications (multiple others having long since lapsed).


Crawling for APIs

Ryan Mitchell

As client machines become more powerful and JavaScript becomes more ubiquitous, servers are increasingly serving up code for browsers to execute, rather than the display-ready pages of the past. This changes the face of web scraping dramatically, as simply wget’ing and parsing the response from a URL becomes useless without executing bulky JavaScript with third party plugins, reading through code logic manually, and/or digging through piles of browser junk. However, moving page logic client side can also create data vulnerabilities, as companies leave internal APIs exposed to the world, in order for their client side code to make use of them. I’ll show some examples of this practice on traditionally “impossible to scrape” pages, and also some tools I’ve developed to crawl domains and discover and document these hidden APIs in an automated way. While many bot prevention measures focus on traditional page scraping and site manipulation, scripts that crawl sites through API calls, rather than in a “human like” way through URLs, may present unique security challenges that modern web development practices do not sufficiently address.

BIO: Ryan Mitchell is a Senior Software Engineer at Hedgeserv.
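The automated discovery the abstract describes (crawl a domain, read the JavaScript it serves, catalogue the internal APIs that code calls) can be approximated with a static pass over the scripts a page loads. What follows is an added example, not the speaker's tool: it extracts the URLs and HTTP verbs used by fetch(), XMLHttpRequest, jQuery and axios calls and resolves them against the page origin. The page URL, script and endpoint names are constructed, and the regular expressions are heuristics; minified code that assembles URLs from fragments at runtime will slip past them, which is where a headless browser hooked on XHR is the next step.

```python
"""Find the hidden API endpoints that client-side JavaScript talks to.

Added example, not the speaker's tool. It does a static pass over the JS a
page loads, pulling out the URLs and HTTP methods used by fetch(), XHR,
jQuery and axios calls, and resolves them against the page origin so they
can be catalogued. The page, script and endpoint names below are constructed.
"""
import re
from urllib.parse import urljoin

# Script tags tell the crawler which JS files to fetch and scan.
SCRIPT_SRC = re.compile(r"""<script[^>]+src\s*=\s*['"]([^'"]+)['"]""", re.I)

# Each pattern captures the endpoint as `url` and, where the call makes the
# verb visible, `method`. They are heuristics, not a JS parser.
PATTERNS = [
    # fetch("/api/x") or fetch("/api/x", {method: "POST", ...})
    re.compile(r"""fetch\(\s*['"`](?P<url>[^'"`]+)['"`]\s*"""
               r"""(?:,\s*\{[^}]*?method\s*:\s*['"`](?P<method>\w+)['"`])?""", re.S),
    # xhr.open("PUT", "/api/x")
    re.compile(r"""\.open\(\s*['"`](?P<method>\w+)['"`]\s*,\s*['"`](?P<url>[^'"`]+)['"`]"""),
    # axios.get("/api/x"), $.post("/api/x"), http.delete("/api/x")
    re.compile(r"""(?:axios|\$|jQuery|http)\.(?P<method>get|post|put|delete|patch)"""
               r"""\(\s*['"`](?P<url>[^'"`]+)['"`]"""),
    # $.ajax({url: "/api/x", type: "POST"}) and similar option objects
    re.compile(r"""url\s*:\s*['"`](?P<url>[^'"`]+)['"`]"""
               r"""(?:[^}]*?(?:type|method)\s*:\s*['"`](?P<method>\w+)['"`])?""", re.S),
]


def script_urls(html, page_url):
    """Absolute URLs of every external script the page loads."""
    return [urljoin(page_url, src) for src in SCRIPT_SRC.findall(html)]


def extract_endpoints(js, page_url):
    """Sorted (METHOD, absolute URL) pairs referenced by a script."""
    found = set()
    for pattern in PATTERNS:
        for m in pattern.finditer(js):
            url = m.group("url")
            if url.startswith(("data:", "javascript:", "#")):
                continue
            method = (m.group("method") or "GET").upper()
            found.add((method, urljoin(page_url, url)))
    return sorted(found)


PAGE_URL = "https://app.example.com/"          # constructed origin
SAMPLE_HTML = '<html><head><script src="/static/app.js"></script></head></html>'
SAMPLE_JS = r"""
// constructed client code for a single-page app
fetch("/api/v1/users").then(r => r.json());
fetch("/api/v1/users/42", {method: "DELETE"});
const xhr = new XMLHttpRequest();
xhr.open("PUT", "/api/v1/users/42/role");
$.ajax({url: "/internal/export", type: "POST", data: payload});
axios.get(`/api/v1/orders/${id}`);
"""

if __name__ == "__main__":
    print(script_urls(SAMPLE_HTML, PAGE_URL))
    for method, url in extract_endpoints(SAMPLE_JS, PAGE_URL):
        print(method, url)
```

The output is the start of the API documentation the abstract mentions: a verb, a path, and any template placeholders such as ${id} that show where the parameters go. An endpoint like /internal/export that appears only in client code, with no link anywhere in the rendered pages, is exactly the kind of exposure that URL-based bot prevention never sees.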

Saturday, August 6


The Arizona Cyber Warfare Range: Learn by Destruction

Richard Larkins, Anthony Kosednar

Want to run all those tools you have always heard about, but don’t have the hardware to do it? Or - does your Boss want you to learn NMap, but won’t let you run it on any of the corporate networks? This presentation will show what can happen when a couple of dedicated and slightly unbalanced individuals come together to establish the largest volunteer staffed, donation funded Cyber Offensive and Defensive Training facility in the world. Attendees will be shown how real hardware and real tools can be used remotely to further increase their Cyber talents.

BIO: Richard Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich’s real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.

BIO: Anthony Kosednar (Twitter: @akosednar) is an Information Security Engineer with a background in Aerospace. By day he helps secure corporations and large events (such as Super Bowl XLIX). By night, he puts on the cape of software architect for the Arizona Cyber Warfare Range. Through the darkness of night he helps program the systems that operate the range.


How to Find 1,352 WordPress XSS Plugin Vulnerabilities in 1 Hour (not really)

Larry W. Cashdollar

I’ll discuss my methodology in attempting to download all 50,000 WordPress plugins, automated vulnerability discovery, automated proof of concept creation and automated proof of concept verification. I’ll go into where I went wrong, what I’d change and where I succeeded.

BIO: Larry W. Cashdollar (Twitter: @_larry0) has been working in the security field and finding vulnerabilities for over 15 years. With over 100 CVEs to his name, he is a known researcher in the field. You can see many of the disclosed vulnerabilities at He is a member of the SIRT at Akamai Technologies.
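The first two stages the abstract names, automated discovery and automated proof-of-concept creation, can be shown in miniature with a grep-style taint check over plugin PHP sources. The block below is an added example, not the speaker's tooling: it flags echo, print and short-echo statements that output a request parameter, directly or through a one-hop variable, without an escaping call, and builds the proof-of-concept request for each hit. The plugin files, site name and escaper list are constructed. The third stage, verification, is left out because it needs a live target to fetch the PoC and check that the payload is reflected unencoded.

```python
"""Grep-style scan of WordPress plugin sources for reflected XSS, with PoC URLs.

Added example, not the speaker's tooling. The plugin files, site name and
escaper list are constructed for illustration.
"""
import re
from urllib.parse import urlencode

SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[\s*['\"](\w+)['\"]\s*\]")
ASSIGN = re.compile(r"\$(\w+)\s*=\s*(.+?);")
SINK = re.compile(r"\b(?:echo|print)\b\s*(?P<expr>[^;]+);|<\?=\s*(?P<short>.*?)\?>")
# Calls that make output safe for an HTML context (assumed list; extend per plugin).
ESCAPERS = ("htmlspecialchars", "htmlentities", "esc_html", "esc_attr",
            "esc_url", "intval", "absint", "(int)")


def sanitized(expr):
    return any(e in expr for e in ESCAPERS)


def _uses_var(expr, var):
    return re.search(r"\$" + re.escape(var) + r"\b", expr) is not None


def scan_file(path, src):
    """Return (path, line, parameter) for each unescaped reflection."""
    tainted = {}          # variable name -> request parameter it was read from
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for var, rhs in ASSIGN.findall(line):
            param = SOURCE.search(rhs)
            if param and not sanitized(rhs):
                tainted[var] = param.group(1)
            elif sanitized(rhs):
                tainted.pop(var, None)          # $x = esc_html($x) clears it
        for m in SINK.finditer(line):
            expr = m.group("expr") or m.group("short") or ""
            if sanitized(expr):
                continue
            param = SOURCE.search(expr)
            if param:
                findings.append((path, lineno, param.group(1)))
                continue
            for var, p in tainted.items():
                if _uses_var(expr, var):
                    findings.append((path, lineno, p))
    return findings


def scan_plugins(files):
    """files: {relative path under wp-content/plugins/: source text}."""
    findings = []
    for path, src in sorted(files.items()):
        findings.extend(scan_file(path, src))
    return findings


def poc_url(site, path, param):
    """Proof-of-concept request that reflects a script tag through `param`."""
    payload = '"><script>alert(document.domain)</script>'
    return f"{site}/wp-content/plugins/{path}?{urlencode({param: payload})}"


# Constructed plugin sources: one vulnerable plugin, one that escapes correctly.
SAMPLE_FILES = {
    "vuln-widget/search.php":
        "<?php\n$q = $_GET['q'];\necho \"<h2>Results for $q</h2>\";\n",
    "vuln-widget/view.php":
        "<h1><?= $_REQUEST['id'] ?></h1>\n",
    "safe-widget/search.php":
        "<?php\necho esc_html($_GET['q']);\n$n = intval($_GET['page']);\necho \"Page \" . $n;\n",
}

if __name__ == "__main__":
    for path, line, param in scan_plugins(SAMPLE_FILES):
        print(f"{path}:{line} reflects ${param}",
              poc_url("https://blog.example.com", path, param))
```

A scanner this simple misses flows through functions and arrays and cannot tell an HTML context from a JavaScript one, so its output is a candidate list that the verification stage has to confirm; that is the trade-off the title's "(not really)" is pointing at.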


HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things

Catherine (Kate) Pierce, Vyrus

The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of these technologies, including many of the 10 highest-traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols with technology stacks evolving faster than ever before, and Network Security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.

BIO: Catherine (Kate) Pierce (Twitter: @secvalve) is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken about her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC and several others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.

BIO: Carl Vincent (Twitter: @vyrus001) is a Customer Solutions Consultant for the recently consolidated Cisco Security Solutions group, where he performs a variety of security assessment types. As an information security professional, as well as personal hobbyist, his passion is to continually research ever increasingly elaborate methods of elegantly executed hypothetical crime. He also practices personal information warfare, and most of his biographic details online are somewhat exaggerated.


Now You See Me, Now You Don’t

Joseph Muniz, Aamir Lakhani

Many people leave behind bread crumbs of their personal life on social media, within systems they access daily, and on other digital sources. Your computer, your smartphone, your pictures and credit reports all create an information-rich profile about you. This talk will discuss all the different threats that leak your information and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can protect your online footprint, reduce your digital trail, and secure your privacy.

BIO: Joseph Muniz (Twitter: @SecureBlogger) is an architect at Cisco Systems and researcher. He has extensive experience in designing security solutions for the top Fortune 500 corporations and US Government. Joseph’s current role gives him visibility into the latest trends in cyber security both from leading vendors and customers. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author and contributor of several publications including a recent Cisco Press book focused on security operations centers (SOC).

BIO: Aamir Lakhani (Twitter: @aamirlakhani) is a leading senior security strategist for Fortinet. He is responsible for providing IT security solutions to major enterprises and government organizations. He has extensive experience around reverse malware engineering, DarkNet research, and offensive security. Known as Dr. Chaos, he operates the popular security social media blog by the same name.


Attacks on Enterprise Social Media

Mike Raggo

Current threat vectors show targeted attacks on social media accounts owned by enterprises and their employees. Most organizations lack a defense-in-depth strategy to address the evolving social media threat landscape. The attacks are outside their network, commonly occur through their employee’s personal accounts, and circumvent existing detection technologies. In this presentation we’ll explore the taxonomy of social media impersonation attacks, phishing scams, information leakage, espionage, and more. We’ll then provide a method to categorize these threats and develop a methodology to adapting existing incident response processes to encompass social media threats for your organization.

BIO: Mike Raggo (Twitter: @Mike Raggo) has over 20 years of security research experience. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.


Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)

Rod Soto, Joseph Zadeh

The focus of this presentation is to describe ways to automate the discovery of different asset classes and behavioral profiles within an enterprise network. We will describe data driven techniques to derive fingerprints for specific types of individual and subgroup behaviors. The goal of these methods is to add context to communications taking place within an enterprise as well as being able to identify when certain asset profiles change their behavioral fingerprint in such a way as to indicate compromise. The type of profiles we want to discover can be tied to human behavior (User Fingerprinting) or particular asset classes like WebServers or Databases (Hardware/Software Fingerprinting). Finally enriching these profiles with a small amount of network context lets us break down the behaviors across different parts of the network topology.

These techniques become important when we want to passively monitor for certain attacks against server hardware even without visibility into the local logs running on the server. For example we will cover the automated discovery and enrichment of DMZ assets and how we use these techniques to profile when a server has been planted with a Webshell or when an asset has been used to covertly exfil data. The methods we propose should be generic enough to apply to a wide variety of Layer 4 / Layer 7 traffic or to PCAP data alone.

BIO: Rod Soto (Twitter: @rodsoto) has over 15 years of experience in information technology and security. Currently working as a Security Researcher at Splunk User Behavioral Analytics. He has spoken at ISSA, ISC2, OWASP, DEF CON, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 Black Hat Las Vegas CTF competition and is the founder and lead developer of the Kommand & KonTroll competitive hacking Tournament series.

BIO: Joseph Zadeh (Twitter: @josephzadeh) studied mathematics in college and received a BS from University of California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operation Center focused on security and network performance baselines and during that time he spoke at DEF CON and Torcon security conferences. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal focused on Cyber Security analytics and also part of Kaiser Permanente’s first Cyber Security R&D team.
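The two ideas in the abstract, deriving an asset class and a DMZ/internal placement from nothing but flow data, and then flagging a server whose fingerprint drifts in the way a webshell callback or covert exfiltration would cause, fit in a short worked example. The block below is added here and is not the speakers' code or Splunk's: it assumes flow records shaped as (timestamp, source, destination, destination port, bytes from source), as a flow sensor or a PCAP summariser would emit, assumes 10.0.0.0/8 as the enterprise range, and uses a constructed role-to-port mapping and constructed flows. The speakers describe machine-learned profiles; the threshold rules here stand in for them to make the pipeline visible.

```python
"""Discover asset classes from flow records and flag behavioral drift.

Added example, not the speakers' code. Flow records are assumed to be
(timestamp, src_ip, dst_ip, dst_port, bytes_from_src); the address range,
role/port mapping and traffic below are constructed for illustration.
"""
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed enterprise range

# Ports whose inbound traffic defines an asset class (assumed mapping).
ROLE_PORTS = {
    "WebServer": {80, 443, 8080},
    "Database": {3306, 5432, 1433},
    "DirectoryServer": {88, 389, 636},
}


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def fingerprint(flows, asset):
    """Summarise what an asset receives and what it initiates."""
    fp = {"inbound": Counter(), "outbound": Counter(),
          "in_peers": set(), "out_peers": set(), "out_bytes": 0}
    for _, src, dst, dport, nbytes in flows:
        if dst == asset:
            fp["inbound"][dport] += 1
            fp["in_peers"].add(src)
        elif src == asset:
            fp["outbound"][dport] += 1
            fp["out_peers"].add(dst)
            fp["out_bytes"] += nbytes
    return fp


def classify(fp):
    """Asset class from where inbound connections land; exposure from who sends them."""
    total = sum(fp["inbound"].values())
    exposure = "dmz" if any(not is_internal(p) for p in fp["in_peers"]) else "internal"
    if total == 0:
        return "Client", exposure
    for role, ports in ROLE_PORTS.items():
        if sum(fp["inbound"][p] for p in ports) / total >= 0.8:
            return role, exposure
    return "Unknown", exposure


def discover_population(flows):
    """Map every internal address seen to its (class, exposure) profile."""
    assets = {h for _, s, d, _, _ in flows for h in (s, d) if is_internal(h)}
    return {a: classify(fingerprint(flows, a)) for a in sorted(assets)}


def drift(baseline, window):
    """Deviations of a window fingerprint from the asset's baseline.

    A server that starts initiating connections to new ports or external
    peers, or pushes far more data out than usual, is the pattern a webshell
    callback or a covert exfiltration channel leaves in the flow data.
    """
    findings = []
    new_ports = set(window["outbound"]) - set(baseline["outbound"])
    if new_ports:
        findings.append(f"new outbound ports {sorted(new_ports)}")
    new_ext = {p for p in window["out_peers"] - baseline["out_peers"] if not is_internal(p)}
    if new_ext:
        findings.append(f"new external peers {sorted(new_ext)}")
    if window["out_bytes"] > 10 * max(baseline["out_bytes"], 1):
        findings.append("outbound volume more than 10x baseline")
    return findings


# Constructed flows: a DMZ web server, its database, a directory server and
# two workstations. Timestamps are sequence numbers for brevity.
BASELINE = [
    (1, "10.1.1.5", "10.0.0.10", 443, 2100),
    (2, "10.1.1.6", "10.0.0.10", 443, 1800),
    (3, "203.0.113.7", "10.0.0.10", 443, 2600),
    (4, "10.0.0.10", "10.0.0.20", 5432, 900),
    (5, "10.1.1.5", "10.0.0.30", 389, 400),
    (6, "10.1.1.6", "10.0.0.30", 88, 300),
    (7, "10.0.0.10", "10.0.0.20", 5432, 950),
]
# Next window: same traffic plus the web server calling out to an unknown host.
WINDOW = BASELINE + [(8, "10.0.0.10", "198.51.100.9", 4444, 48_000_000)]

if __name__ == "__main__":
    for asset, profile in discover_population(BASELINE).items():
        print(asset, profile)
    print(drift(fingerprint(BASELINE, "10.0.0.10"), fingerprint(WINDOW, "10.0.0.10")))
```

The enrichment step is what makes the drift finding actionable: "a host opened a new outbound port" is noise on a workstation, but the same event on an asset the population step has labelled a DMZ web server, whose baseline shows it only ever talks to its database, is the signal the abstract is after.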


Fuzzing For Humans: Real Fuzzing in the Real World

Joshua Pereyda

Fuzzing tools are frequently seen in big-name conferences, attached to big-name hacks and big-name hackers. Fuzzers are an incredibly useful offensive tool, and equally critical for a defensive player. But anyone who has tried to use these big-name fuzzers to secure their own software has seen how ineffective they can be. The fuzzing world is plagued with over-hyped and under-developed fuzzers that will suck the life out of anyone who dares try to sort through their waterlogged codebase. Meanwhile, commercial players stand by ready to support big businesses, but not open source. Commercial fuzzers may be good business, and their existence is a boon for the industry, but they are not sufficient for widespread security. They keep the power of fuzzing locked up for those willing to pay big bucks. And the closed source nature stamps out community, leaving each business to develop their own practices. In this talk, Joshua will provide a practical perspective on fuzzing, explore the hurdles confronting current open source tools and pave a path forward. Attendees will also receive an introduction to DIY fuzzers using modern frameworks.

BIO: Joshua Pereyda (Twitter: @jtpereyda) is a software engineer specializing in information and network security. He currently works in the critical infrastructure industry with employers heavily invested in software and hardware security. Among his passions are hacking, teaching kids to program, Netflix with his wife, and figuring out how he can get paid to do it all --legally.

Joshua is the maintainer of boofuzz, a fork of the renowned Sulley fuzzing framework. He has a hole in his heart to pour into the open source hacking community.
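The "DIY fuzzer" the abstract promises is small enough to show end to end. The block below is an added example and is not boofuzz, Sulley, or the speaker's code: a mutation fuzzer with a seeded corpus, run against a constructed two-byte-header TLV parser whose bug (trusting the length field) is planted for the demonstration, beside the fixed parser that the same fuzzer cannot crash. The distinction it makes between a clean rejection (ValueError, a documented failure mode) and a crash (anything else) is the triage step that separates useful fuzzing output from noise.

```python
"""A do-it-yourself mutation fuzzer against a small binary-format parser.

Added example, not boofuzz or the speaker's code. The TLV format and the bug
in parse_record are constructed to show what a fuzzer finds and how a crash
is told apart from a clean rejection.
"""
import random
import traceback


def parse_record(data):
    """Toy parser: 1-byte type, 1-byte length, payload whose last byte is a checksum.

    Deliberate bug: the length field is trusted, so a length that exceeds the
    buffer (or a zero length) indexes past the payload.
    """
    if len(data) < 2:
        raise ValueError("short header")          # clean rejection
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = payload[length - 1] ^ rtype        # IndexError on a bad length
    return {"type": rtype, "length": length, "checksum": checksum}


def parse_record_fixed(data):
    """Same format with the length validated before use."""
    if len(data) < 2:
        raise ValueError("short header")
    rtype, length = data[0], data[1]
    if length == 0 or len(data) < 2 + length:
        raise ValueError("bad length")
    payload = data[2:2 + length]
    return {"type": rtype, "length": length, "checksum": payload[-1] ^ rtype}


EXPECTED = (ValueError,)                 # the parser's documented failure modes
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def mutate(data, rng):
    """One random mutation: bit flip, insert, delete, truncate, or boundary byte."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif op == 3 and buf:
        del buf[rng.randrange(len(buf)):]
    elif buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    return bytes(buf)


def fuzz(target, seed_input, iterations=2000, seed=1):
    """Return {(exception name, line): first input} for every distinct crash site.

    Inputs the target accepts are kept in the corpus so later mutations stay
    close to the valid structure instead of drifting into garbage.
    """
    rng = random.Random(seed)
    corpus = [seed_input]
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except EXPECTED:
            continue
        except Exception as exc:
            site = traceback.extract_tb(exc.__traceback__)[-1].lineno
            crashes.setdefault((type(exc).__name__, site), candidate)
        else:
            if candidate not in corpus and len(corpus) < 64:
                corpus.append(candidate)
    return crashes


def reproduces(target, data, exc_type):
    """True if feeding `data` to `target` raises `exc_type` (crash triage helper)."""
    try:
        target(data)
    except exc_type:
        return True
    except Exception:
        return False
    return False


if __name__ == "__main__":
    print(fuzz(parse_record, b"\x01\x03abc"))
    print(fuzz(parse_record_fixed, b"\x01\x03abc"))
```

Keying crashes by exception type and crash site is the cheapest form of deduplication; a real harness would key on a stack hash and minimise the triggering input. Against a native target the same loop runs the binary under a debugger or a sanitizer and treats any signal as the crash case.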


Mining VirusTotal for Operational Data and Applying a Quality Control On It

Gita Ziabari

More than one million samples are submitted to VirusTotal and analyzed by more than 50 AV engines on a daily basis. Factors such as filtering, scaling the detected engines, scaling the categories in network data, and scaling the HTTP responses are used in conjunction with an algorithm for constructing an operational data set. The filtered data are clustered based on their malware type with an indication of their malware names. The obtained data are also evaluated by another algorithm that removes aged and less-scaled data on a daily basis. The APIs, algorithms and source code used will be presented to the audience. The tool can be downloaded for immediate use.

BIO: Gita Ziabari (Twitter: @gitaziabari) is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 12 years of experience in threat research, networking, testing and building automated frameworks.
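The quality control the abstract describes (keep a sample only when enough engines detect it, cluster the survivors by family, age out old entries) can be shown over a handful of report records. The block below is an added example, not the speaker's tool: the report layout mirrors the shape of a VirusTotal file report (a per-engine "detected"/"result" entry and a scan date) but the reports, hashes and dates are constructed and the thresholds and generic-token list are assumptions. The family name comes from a token vote across engine labels, which is the simplest way to reconcile "Trojan.Win32.Emotet.abc" with "W32/Emotet.A!tr".

```python
"""Quality gate and family clustering over VirusTotal-style reports.

Added example, not the speaker's tool. The report shape follows a VT file
report (per-engine detected/result, scan date) but every report, hash and
date below is constructed, and the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOW = datetime(2016, 8, 5)   # constructed reference date for ageing

# Label fragments that carry no family information and must not win a vote.
GENERIC = {"trojan", "generic", "malware", "win32", "w32", "gen", "variant",
           "heur", "agent", "win", "downloader", "virus", "trj", "artemis",
           "suspicious", "malicious", "riskware", "tool", "linux", "elf"}


def family_tokens(label):
    """Split an engine label into candidate family names."""
    return [t for t in re.split(r"[^a-z0-9]+", label.lower())
            if len(t) > 2 and t not in GENERIC and not t.isdigit()]


def consensus_family(scans):
    """Family name the most engines agree on; needs at least two votes."""
    votes = Counter()
    for verdict in scans.values():
        if verdict.get("detected") and verdict.get("result"):
            votes.update(set(family_tokens(verdict["result"])))
    if not votes:
        return "undetected"
    token, n = votes.most_common(1)[0]
    return token if n >= 2 else "singleton"


def qualify(report, now, min_ratio=0.3, max_age_days=30):
    """Keep a report only if enough engines detect it and it is recent."""
    scans = report["scans"]
    if not scans:
        return None
    ratio = sum(1 for v in scans.values() if v.get("detected")) / len(scans)
    age = now - datetime.fromisoformat(report["scan_date"])
    if ratio < min_ratio or age > timedelta(days=max_age_days):
        return None
    return {"sha256": report["sha256"], "ratio": round(ratio, 2),
            "family": consensus_family(scans), "age_days": age.days}


def build_operational_set(reports, now):
    """Cluster the qualifying reports by consensus family."""
    clusters = defaultdict(list)
    for report in reports:
        entry = qualify(report, now)
        if entry:
            clusters[entry["family"]].append(entry)
    return dict(clusters)


def _report(sha, date, results):
    """Build a constructed report from per-engine labels (None = clean verdict)."""
    return {"sha256": sha, "scan_date": date,
            "scans": {f"engine{i}": {"detected": r is not None, "result": r}
                      for i, r in enumerate(results)}}


SAMPLE_REPORTS = [
    _report("sample-A", "2016-08-03T10:00:00",
            ["Trojan.Win32.Emotet.abc", "W32/Emotet.A!tr", "Emotet", "Generic.Malware", None]),
    _report("sample-B", "2016-08-04T10:00:00",          # one engine only: filtered
            ["Generic.Malware", None, None, None, None]),
    _report("sample-C", "2016-06-01T00:00:00",          # too old: aged out
            ["Trojan.Trickbot", "TrickBot.gen", "Trojan.Trickbot.B", "Agent", None]),
    _report("sample-D", "2016-08-04T12:00:00",
            ["Win32.Mirai.Gen", "Linux/Mirai.b", "ELF:Mirai-XY", None, None]),
]

if __name__ == "__main__":
    for family, entries in build_operational_set(SAMPLE_REPORTS, NOW).items():
        print(family, [e["sha256"] for e in entries])
```

The generic-token list is the part that needs the most care in practice: a vendor's platform or heuristic prefix that is not on it will outvote the real family name, which is why the gate requires two independent engines to agree before a name is assigned.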


Fiddler on the Roof: A No-Nonsense Look at Fiddler and Its Usage

Morgan “Indrora” Gangwere

Fiddler lives in the same family as mitmproxy, Burp, and other “man in the middle” tools. Topics covered in this talk include: scripting the Fiddler proxy, making arbitrary requests, redirection and attacking Windows 8 and UAP applications.

BIO: Morgan “Indrora” Gangwere (Twitter: @indrora) is a student at the University of New Mexico. He breaks things for fun when not studying.

Sunday, August 7


LTE and Its Collective Insecurity

Chuck McAuley, Chris Moore

The world of LTE is enshrouded in acronym soup, mystery, and technical documents that implement security by obscurity. In this talk, we will shed light on the magic that is the evolved packet core, otherwise known as the EPC. The EPC is the packet routing engine that connects the tower to the Internet. We will discuss the network communication protocols, core infrastructure elements, and basic architecture of this system. In closing, we will disclose successful crashes and kills that we have had in this network and discuss the potential for large scale communication disruption.

BIO: Chuck McAuley is a Principal Security Researcher at Ixia Communications. For the last ten years Chuck has been doing performance and security testing of inline networking devices. If it passes packets and does deep packet inspection, he’s probably tested it. In his spare time he stares at Wireshark trying to decipher the tea leaves.

BIO: Chris Moore is an SE Dev Manager for a network test company. He was an SE for around a decade before this, breaking, dissecting, and exposing every sort of network box under the guise of performance and security testing.


Incident Code Name: When SkyFalls: A Shaken, Not Stirred, James Bond Tale on Incident Response

Plug
The headlines shout the latest exploits of rogue actors and nation states. The hunters, cloaked in anonymity, strike without warning, devouring Intellectual Property and destroying corporate reputations. Potential victims cower in Fear, Uncertainty and Doubt, hoping they can hide in plain view. But can we learn from the hunters' strategies to mount an effective defense? In this talk we’ll take a look at events that took place in the James Bond film Skyfall. We will look at the film from the Incident Response point of view, and analyze the events and actions that took place in the film with comparisons to real life examples. Finally, we’ll create a profile of the “evil” characters in the film along with James Bond and the team behind him at MI6. What team member would you be? Q, the weapons geek? Moneypenny, sidekick and junior field agent? M, the shrewd manager? Or James Bond, the tip of the spear, utilizing multiple strategies and tools to defeat his opponents?

BIO: Plug (Twitter: @plugxor) is currently a Senior Security Analyst at Verizon Digital Media Services (EdgeCast Networks). He started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually led him to his first LA2600 meeting in 1998. From that point forward he has been involved in computer security. With over 18 years of IT experience, he has worked as Systems Administrator, Security Analyst and Security Engineer in the Finance and Telecom sector. In his free time he enjoys building Legos and playing with synthesizers and modular systems, and when possible he volunteers his time to computer security events.

Crypto and Privacy Village

Friday, August 5

10:30 (Bronze 2)

Tabletop Cryptography

nibb13
A basic understanding of ciphers and cryptography is part of a solid foundation for anyone in the InfoSec field. Today we use crypto without much second thought, but cryptography, the use of ciphers and codes to protect secrets, has been around for thousands of years. Until the early 20th century, encryption was done with pen and paper or simple mechanical devices. My Tabletop Cryptography talk is about the history of cryptography and cryptanalysis as well as fun with examples of crypto-puzzles that can all be completed without the use of modern infernal computing devices.

BIO: nibb13 (Twitter: @nibb13) Husband, father, infosec geek.

11:00 (Bronze 2)

This Year in Crypto & Privacy [KEYNOTE]

Whitney Merrill, Justin Culbertson, Peter Teoh, Chaim Cohen, Karl Koscher, Albert Carlson, Nick Sullivan, Jennifer Fernick & Per Thorsheim

It’s been a very busy year in cryptography and privacy. The Crypto & Privacy Village organizers and CFP Board will discuss developments and trends in the past year. They will cover the things you might have missed and a few of the things that were hard to miss.

BIO: Whitney Merrill (Twitter: @wbm312) is an attorney at the Federal Trade Commission in San Francisco, California where she works on consumer protection issues involving technology. She received her Masters in Computer Science from the University of Illinois at Urbana-Champaign and her law degree from the University of Illinois College of Law. She specializes in information security, computer crime, privacy, and Internet law. Her recent research focuses on Android privacy, digital forensics, and the legal issues surrounding encryption. While at UIUC, she was a member of the Illinois Security Lab. She loves solving and creating puzzles.

BIO: Justin Culbertson (Twitter: @jus341) is a software developer, organizer for the Crypto & Privacy Village, and DarkNet Operative. He is interested in cryptocurrencies, decentralized systems, and digital privacy.

BIO: Peter Teoh (Twitter: @pteoh) currently runs the technology compliance program for his employer. He has a personal and professional interest in data privacy and protection. In his free time he wrangles cats for amusement. Pete is also a member of the DEF CON CFP Review Board (Workshops) and Goon.

BIO: Chaim Cohen (Twitter: @chaimtime) is a computer science high school teacher in New Jersey. In his free time, he hosts Security:inThirty, a security podcast, teaching people that salted hashes are not breakfast. At home he teaches his son emoji as a second language, and 11 comes after 10.

BIO: Karl Koscher (Twitter: @supersat) is a postdoctoral researcher at the University of California San Diego where he specializes in embedded systems security. In 2011, he and his collaborators were the first to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels. In addition to breaking systems, he also works on creating tools and technologies to enable developers to automatically find (and fix) potential security vulnerabilities in their embedded systems.

BIO: Jennifer Fernick (Twitter: @enjenneer) is a researcher and PhD candidate at the Institute for Quantum Computing and the Centre for Applied Cryptographic Research at the University of Waterloo. Her research centres around quantum-resistant cryptography, computational complexity, quantum algorithms, and related issues in privacy, cryptographic standardization, and technology policy.

BIO: Albert Carlson (Twitter: @ltzap) began his hacking career soon after he began taking programming courses in high school in Chicago in 1975. Upon completion of his BSCompEng degree from the University of Illinois at Urbana in 1981, he joined the US Army as a Military Intelligence Officer specializing in Electronic Warfare and Cryptography. Since retiring due to injury he has completed many projects including: designing the first handsets and chargers for the first European cell phones, a cell phone simulator, design of industrial gas dehydrators for pollution control, design of airborne electronic warfare systems for classified airborne frames, the design of aircraft black box pingers, more than 50 ASICs and 150 FPGAs for various purposes, implementation of some of the first air bubble detectors in IVs, design of the digital section of a capacitive pressure sensor, design of some of the first microprocessor train and bus door systems, implementation of the HDTV chipset for Zenith, and design of some of the first local data loop products for the central office.

Dr. Carlson’s research interests include: cryptography, set theoretic estimation, natural language, patterns in language, physical security, critical infrastructure protection, and hardware security. He has published twelve papers on security with four articles in submission and has three patents in security with six more pending. In May 2016 Dr. Carlson joined CipherLoc Corporation as the Chief Scientist for the company. He directs research into cryptography and security. Much of his work centers around polymorphism and information theory.

BIO: Per Thorsheim (Twitter: @thorsheim) is the founder of PasswordsCon. Among other things he revealed LinkedIn was hacked in 2012, confirmed the Ashley Madison leaks in 2015, and played a role in making the major webmail providers implement RFC 3207 STARTTLS support to better protect your privacy. He does training for news reporters on digital security & privacy, source protection and reader/customer privacy.

12:00 (Bronze 2)

Practical Text-Based Steganography: Exfiltrating Data from Secure Networks and Socially Engineering SecOps Analysts [WORKSHOP]

Joe Gervais

This workshop introduces real-world uses of text-based steganography to cloak your communications from the omnipresent web of machines and their human collaborators. Attendees will learn techniques to simply and repeatably bypass DLP controls and defeat data whitelisting enforced by Multi Level Security (MLS) devices. You will also learn methods for generating social engineering attacks against SecOps analysts and censors who may review your communications, plus techniques to counter frequency analysis attacks against your cloaked communications. All of this is accomplished using only simple Python scripts and text-based ciphers of your choosing. Attendees will then use the toolset to generate their own custom ciphers and social engineering attacks as we work through scenarios together.
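As an added illustration of the text-based cloaking the workshop describes (this is example code written for this page, not the Cloakify toolset's own ciphers): the payload is base64-encoded and every base64 symbol is replaced by one of several innocuous-looking tokens, here a constructed list of RFC 1918 IPv4 addresses, picked at random for each occurrence. Those homophones are what flatten the token frequencies that a SecOps analyst or censor could otherwise use to spot a simple substitution. The token list, the number of homophones per symbol and the sample payload are all assumptions of the example.

```python
import base64
import random

# Constructed token "cipher" (not one of Cloakify's): every base64 symbol gets
# HOMOPHONES distinct tokens that look like lines from a network inventory.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
HOMOPHONES = 3
TOKENS = [f"192.168.{i // 16}.{i % 16 + 1}" for i in range(64 * HOMOPHONES)]

# symbol -> its list of tokens, and the reverse map used to decode
ENCODE = {sym: TOKENS[i * HOMOPHONES:(i + 1) * HOMOPHONES]
          for i, sym in enumerate(B64_ALPHABET)}
DECODE = {tok: sym for sym, toks in ENCODE.items() for tok in toks}


def cloak(payload: bytes, seed=None) -> str:
    """Base64 the payload, then replace each symbol with one of its homophones,
    chosen at random so that a repeated symbol does not become a repeated token."""
    rng = random.Random(seed)          # seed only so the demo is reproducible
    text = base64.b64encode(payload).decode().rstrip("=")
    return "\n".join(rng.choice(ENCODE[sym]) for sym in text)


def cloak_single(payload: bytes) -> str:
    """Naive variant: always the first token, so symbol frequencies leak through."""
    text = base64.b64encode(payload).decode().rstrip("=")
    return "\n".join(ENCODE[sym][0] for sym in text)


def decloak(cloaked: str) -> bytes:
    """Reverse either variant: map tokens back, restore base64 padding, decode."""
    text = "".join(DECODE[line] for line in cloaked.splitlines() if line)
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text)


def top_token_share(cloaked: str) -> float:
    """Share of lines taken by the most frequent token; lower means flatter,
    i.e. less for a frequency-analysis filter to key on."""
    lines = [line for line in cloaked.splitlines() if line]
    counts = {}
    for line in lines:
        counts[line] = counts.get(line, 0) + 1
    return max(counts.values()) / len(lines)


if __name__ == "__main__":
    sample = b"db_password=hunter2\n" * 6          # constructed payload
    flat, peaked = cloak(sample, seed=1), cloak_single(sample)
    print(f"homophones: top token share {top_token_share(flat):.3f}")
    print(f"single map: top token share {top_token_share(peaked):.3f}")
```

Both variants decode with the same reverse map; only the homophone version hides the symbol frequencies. Each output line is a plausible-looking host address, which is the point of choosing a token set that matches whatever the channel normally carries.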

BIO: TryCatchHCF / Joe Gervais is the Principal InfoSec Engineer & Lead Pentester at LifeLock, and author of the Cloakify exfiltration toolset. He has 25+ years of security and software engineering experience, mostly in US gov't/DoD sectors, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. Education includes a bachelor's degree in Cognitive Science and a master's degree in Information Assurance.

1:00 (Bronze 2)

When Privacy Goes Poof! Why It's Gone and Never Coming Back

Richard Thieme

“Get over it!”, as Scott McNealy said years ago about the end of privacy as we knew it, is not the best advice. Only by understanding why it is gone and never coming back can we have a shot at rethinking what privacy means in the context of our evolving humanity. Richard Thieme provides a historical and social context for some of that rethinking. He goes both deep and wide and challenges contemporary discussions of privacy to get real and stop using a 20th century framework.

Our technologies have changed everything, including us. We humans are loosely bounded systems of energy and information. We interact with other similar systems, both organic and inorganic, "natural" and "artificial." These “differently sentient systems” all consist of nodes in intersecting networks extending in several dimensions. We have always known we were like cells in a body, but we emphasized “cell-ness.” Now we have to emphasize “body-ness” and re-imagine who we have become.

What we see depends on the level of abstraction at which we choose to look. Patterns extracted from data are either meta-data or just more data, depending on the level of scrutiny. The boundaries we like to imagine around our identities, our psyches, our "private internal spaces," are violated in both directions, in and out, by symbolic data that, when aggregated, constitutes “us.” It's like orange juice, broken down into different states before recombination as new juice; it is reconstituted by others but still constitutes “us,” and we are known by others more deeply in recombination than we know ourselves.

To understand privacy - even what we mean by “individual human beings” who want it - requires a contrary opinion. Privacy is honored in lip service, but not in the marketplace, where it is violated or taken away or eroded every day. To confront the challenges generated by technological change, we have to know what is happening so we can re-imagine what we mean by privacy, security, and identity. We can't say what we can't think. We need new language to articulate our experience and grasp the nature of the context in which we live. Then we can take the abstractions of data analytics and Big Data down to our level.

The weakest link in discussions of privacy is the definition of privacy, and the definition of privacy is not what we think. But pursue the real at your peril: Buddhists call enlightenment a “nightmare in daylight.” Yet when the screaming stops, it is enlightenment, still, after all. That clarity, that state of being, is the goal of this presentation.

BIO: Richard Thieme (Twitter: @neuralcowboy) is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. His column, "Islands in the Clickstream," was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the National Security Agency said, after they worked together on ethics and intelligence issues, "The only way you can tell the truth is through fiction," he returned to writing short stories, 19 of which are collected in “Mind Games.” His latest works include the stunning novel “FOAM” (Exurban Press, September 2015) and "A Richard Thieme Reader" (Exurban Press, 2016), 5 volumes of collected fiction and non-fiction on Kindle. He is also co-author of the critically extolled “UFOs and Government: A Historical Inquiry,” a 5-year research project using material exclusively from government documents and other primary sources, now in 65 university libraries.

2:00 (Bronze 2)

Lessons from the Hacking of Ashley Madison

Per Thorsheim

Ashley Madison, the dating site whose slogan “Life is short. Have an affair.” promotes adultery, was hacked in July 2015. Millions of customers' most intimate details were released in August 2015 by the hackers after the service's owners refused to shut the business down. As the biggest public breach of sensitive personal information to date, it holds many lessons in data protection, hacktivism, crisis management, media handling, and pitfalls that must be avoided. All of this is told from a very personal perspective, with a background story showing the real value of good security & privacy for all.

BIO: Per Thorsheim (Twitter: @thorsheim) is the founder of PasswordsCon. Among other things he revealed LinkedIn was hacked in 2012, confirmed the Ashley Madison leaks in 2015, and played a role in making the major webmail providers implement RFC 3207 STARTTLS support to better protect your privacy. He does training for news reporters on digital security & privacy, source protection and reader/customer privacy.

3:00 (Bronze 2)

Instegogram: Exploiting Instagram for C2 via Image Steganography

Amanda Rousseau, Hyrum Anderson and Daniel Grant

Exploiting social media sites for command-and-control (C2) has grown in popularity in the past few years. But both the good and the bad guys have privacy concerns about their communication methods, and discoverable encryption may not always be the answer. Using image steganography, we hide command-and-control messages in plain sight within digital images posted to the social media site Instagram. In this presentation we will demo Instegogram and discuss how to detect and prevent it.

BIO: Amanda (Twitter: @_Amanda_33) absolutely loves malware. She works as a Malware Researcher at Endgame who focuses on dynamic behavior detection both on Windows and OSX platforms.

BIO: Hyrum Anderson is a data scientist at Endgame who researches problems in adversarial machine learning and deploys solutions for large-scale malware classification. He received a PhD in signal processing and machine learning from the University of Washington.

BIO: Daniel Grant is a data scientist at Endgame focusing on behavioral analysis and anomaly detection. He received a MS in Operations Research from Georgia Tech and likes building things that find bad guys when they are being sneaky.

3:30 (Bronze 2)

Introducing Man In The Contacts attack to trick encrypted messaging apps

Jeremy Matos

Mobile messaging applications have recently switched to end-to-end encryption. With debates at the government level asking for backdoors, those tools are perceived as unbreakable. Yet most of the implementations trust the contact information stored in the smartphone. Given that end users hardly know more than a few phone numbers by heart, and that modifying contacts is easy, we will introduce a new type of attack: Man In The Contacts (MITC). Without studying any cryptography, we will examine how WhatsApp, Telegram and Signal behave when an Android application tampers with the contacts in the background. In some scenarios the end user can be fooled into talking to the wrong person, and a MITM proxy can be implemented. Finally, we will discuss countermeasures at both the technical and the usability level.

BIO: Jeremy Matos (Twitter: @SecuringApps) has been working in building secure software over the last 10 years. With an initial academic background as a developer, he was involved in designing and implementing a two-factor authentication product with challenging threat models, particularly when delivering a public mobile application. As a consultant he helped in the security requirements definition and implementation, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage. In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.

4:00 (Bronze 2)

Getting Started in Cryptography with Python

Amirali Sanatinia

Today we use cryptography almost everywhere, from surfing the web over HTTPS to working remotely over SSH. However, many of us do not appreciate the subtleties of crypto primitives, and the lack of correct and up-to-date resources leads to the design and development of vulnerable applications. In this talk we cover the building blocks of modern crypto and how to develop secure applications in Python.

BIO: Amirali Sanatinia is a Computer Science PhD candidate at Northeastern University, and holds a Bachelors degree in CS from St Andrews University. His research focuses on cyber security and privacy, and was covered by venues such as MIT Technology Review and ACM Tech News. He is also the OWASP Boston NEU Student chapter founder and leader.

5:00 (Bronze 1)

Revocation, the Frailty of PKI

Mat Caughron, Trey Blalock

PKI is weak. One reason is that revocation methods all have failure modes: direct revocation, Certificate Revocation Lists, OCSP (the Online Certificate Status Protocol, predominant on iOS), and now short-lived certificates and Certificate Transparency. This presentation will spell out how revocation works, which protocols handle it, and how you can use revocation techniques to improve your security or to conduct pen testing. Attendees will walk away with a greater understanding of PKI's weaknesses and actionable techniques to wield PKI with greater force and effect. Useful for the general public interested in PKI, and also for pen testers and auditors.

BIO: Mat (aka cryptophile) (Twitter: @cl0kd) is a privacy advocate and all-around software security guy. Former Cisco red teamer, Fortifier, Cigitalist and TMobster. From April 2013 to April 2016 he ran the trust store on a large global set of web clients for the Fruit Company prodsec team. cryptophile self-identifies with *nix and the Alexis Park era cons.

BIO: PrivacyGeek (Twitter: @treyblalock) is a privacy advocate, penetration tester, and countersurveillance advisor. He used to manage global security for the world’s largest financial transaction hub, was a forensics expert witness on several high-profile cases, currently works on large-scale security automation projects and occasionally does talks on Big Data security. PrivacyGeek encourages others to start and support more groups like the EFF to protect different aspects of the Internet and human-rights long-term.

5:30 (Bronze 2)

privacy by design - it's n0t that difficult

Petri Koivisto

Privacy by design is (still) a hot topic at the moment. Why? Data privacy has become one of customers' basic assumptions, and they are aware enough to demand evidence of how you are doing it. Privacy by design is not that difficult if you have a bit of common sense and creativity. This presentation will give you a new way of thinking about how to build privacy into whatever design you may have, through a simple house example, layered-approach thinking, humour and audience participation.

BIO: Petri Koivisto (Twitter: @PetriKoivisto)

6:00 (Bronze 2)

State of the Curve - 2016

Deirdre Connolly

There's been a lot happening in the world of elliptic curve cryptography lately: new IETF-approved curves for use in protocols like TLS, Juniper's Dual_EC_DRBG getting its points swapped in the wild, and new advances in isogeny-based crypto that may keep some form of ECC alive in a post-quantum world. In this talk we'll touch on these topics as we get a broad look at the current state of curves in modern cryptography.

BIO: Deirdre Connolly (Twitter: @durumcrustulum) is a self-taught cryptography enthusiast and a senior software engineer at Brightcove, where she drives application security. She has a BS in Electrical Engineering and Computer Science from MIT.

6:00 (Bronze 1)

Security Logs Aren’t Enough: Logging for User Data Protection

Alisha Kloc

Uh-oh - your startup just made headlines, but not for the reason you wanted: one of your employees has been accused of stealing a customer’s PII! Surely you can get to the bottom of the situation by checking your security logs… right? Right? Probably not, in fact. Most security logs don’t contain enough information to determine the crucial facts of a user data privacy issue: the “who”, “whom”, “what”, “where”, “when”, and “why” of user data accesses. Without all these pieces of information, as well as signals and alerts that make use of them, you can’t reconstruct the activity and motivations of your employees when they’re accessing user data. Find out how to supercharge your data access logging and ensure your users’ data is well-protected.

BIO: Alisha Kloc has worked in the security and privacy industry for over seven years, most recently at Google where she works hard to protect users’ data. She is passionate about data security and user privacy, and believes in combining technology, policy, and culture to ensure users’ protection.

7:00 (Bronze 1)

How to Backdoor Diffie-Hellman

David Wong

Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual-EC in RSA's B-Safe product, a modified Dual-EC in Juniper's operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions not using nothing-up-my-sleeve numbers, as well as how such numbers can be safely picked. However, the question of how to introduce a backdoor in an already secure, safe and easy to audit implementation has so far rarely been researched (in the public).
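The socat case above is the kind of thing a parameter check catches before deployment: a finite-field DH group is only as good as its modulus, so verify that p is prime, that (p-1)/2 is prime (a safe prime, so there are no small subgroups to confine a peer into) and that g lies strictly between 1 and p-1. The following is an added example written for this page, not code from the talk. It carries its own Miller-Rabin test, uses a seeded RNG so the demo is reproducible (a real generator would draw from secrets.SystemRandom), and generates small groups for speed; the size floor it enforces by default, min_bits=2048, is the practical minimum for real parameters.

```python
import random

# Seeded so the demo is reproducible; use secrets.SystemRandom for real parameters.
_RNG = random.Random(2016)
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin: a composite survives
    all rounds with probability at most 4**-rounds."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    for p in _SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    while True:
        c = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def generate_safe_prime(bits: int) -> int:
    """p = 2q + 1 with q prime as well, so the group has no small subgroups."""
    while True:
        q = _RNG.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(p) and is_probable_prime(q):
            return p


def check_dh_group(p: int, g: int, min_bits: int = 2048) -> list:
    """Problems found with a finite-field DH group (p, g). An empty list means
    p is a safe prime of adequate size and g has order q or 2q."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p is only {p.bit_length()} bits, want >= {min_bits}")
    if not is_probable_prime(p):
        problems.append("p is not prime")          # the socat class of failure
        return problems
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("(p-1)/2 is not prime, so p is not a safe prime "
                        "and small subgroups exist")
        return problems
    if not 1 < g < p - 1:
        problems.append("g must lie strictly between 1 and p-1")
    elif pow(g, q, p) not in (1, p - 1):
        # For a safe prime every other g has order q or 2q, so g**q is +-1.
        problems.append("g does not generate the subgroup of order q")
    return problems


if __name__ == "__main__":
    good = generate_safe_prime(256)
    bad = generate_prime(128) * generate_prime(128)     # looks big and odd, is composite
    print("safe prime, g=2:", check_dh_group(good, 2, min_bits=256) or "ok")
    print("composite p:    ", check_dh_group(bad, 2, min_bits=256))
```

The composite case is the one that matters: a product of two large primes passes every casual look (right size, odd, no small factors) and only a primality test exposes it. Run the same check against any hard-coded group you ship, and against the parameters a peer offers you.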

BIO: David Wong (Twitter: @lyon01_david) is a Security Consultant at the Cryptography Services team of NCC Group. He has been working in Security for over a year now, being part of several publicly funded open source audits such as the OpenSSL and the Let's Encrypt ones. He has conducted research in many domains in cryptography, publishing whitepapers as well as writing numerous editions of the Cryptography Services private bulletin. He has been a trainer for cryptography courses at BlackHat US 2015 and BlackHat US 2016.

Saturday, August 6

10:00 (Bronze 1)

Silicon Valley and DC talk about freedom, crypto, and the cybers

Alex Stamos, Rep. Eric Swalwell, Rep. Will Hurd

In this session the CSO of a major tech company (Facebook) will interview these (2-4) Congresscritters on their views on encryption, balancing different ideas of security, and the future of the Internet as a tool for oppression or freedom.

BIO: Alex (Twitter: @alexstamos) discovered DEF CON 5 at the ripe old age of 18 (his dad rented the room). Since then, he broke a lot of things, built a company to foster security research, and fought on the front lines of a transforming industry. He's currently “bought-in” as the Chief Security Officer at Facebook, dedicated to protecting the billions of people who use its products and to ensuring a safe future for the open and connected world.

BIO: Rep. Eric Swalwell (Twitter: @RepSwalwell)(D-CA 15th)

BIO: Rep. Will Hurd (Twitter: @HurdontheHill) (R-TX 23rd)

10:30 (Bronze 2)

Oops, I Cracked My PANs

qu0rum
PCI DSS allows hashing as a technique for tokenizing or protecting stored cardholder data, calling hashes “irreversible”. Interestingly, PCI does not require salts or other advanced hashing techniques to strengthen these hashes. Using oclHashcat with a custom patch of our own, a list of valid IINs, and a GPU cracking rig, we will show how to reverse the supposedly irreversible one-way hashes of payment card numbers, ultimately demonstrating that we can completely crack a “PCI Compliant” database of hashed PANs in a few hours.
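To make concrete why an unsalted hash of a PAN is not “irreversible”, here is an added example written for this page (plain Python, not the speaker's oclHashcat patch). It assumes a 16-digit PAN, a short list of candidate IINs and, as a simplifying assumption, that the first six and last four digits are also known; PCI DSS itself warns that a truncated PAN stored alongside a hash of the same PAN lets the two be correlated. That leaves six unknown digits, and the Luhn check digit pins one of them, so the search is 10**5 hashes per IIN. Without the last four it is 10**9 per IIN, which is the GPU-rig case the abstract describes. The keyed variant at the end shows what a secret HMAC key changes: the attacker can still enumerate every candidate but cannot compute the tags to compare against.

```python
import hashlib
import hmac
import itertools

# Luhn contribution of a digit in a "doubled" position (2d, minus 9 if >= 10),
# and its inverse, which lets us solve for one unknown digit instead of testing it.
_DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]
_UNDOUBLE = {v: d for d, v in enumerate(_DOUBLED)}


def luhn_valid(pan: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(pan)):      # i == 0 is the check digit
        d = int(ch)
        total += _DOUBLED[d] if i % 2 else d
    return total % 10 == 0


def luhn_candidates(iin: str, last4: str, length: int = 16):
    """Yield every Luhn-valid PAN with the given IIN and last four digits.
    One of the unknown middle digits is fixed by the Luhn equation, so
    10**(unknown - 1) candidates cover the whole space."""
    unknown = length - len(iin) - len(last4)
    assert unknown >= 1
    free = unknown - 1
    solve_at = len(iin) + free                  # position of the digit we solve for

    def doubled_at(i):
        return (length - 1 - i) % 2 == 1

    # Luhn sum of the fixed digits, with every unknown position counted as 0
    fixed = sum(_DOUBLED[int(c)] if doubled_at(i) else int(c)
                for i, c in enumerate(iin + "0" * unknown + last4))
    weights = [_DOUBLED if doubled_at(len(iin) + j) else list(range(10))
               for j in range(free)]
    for digits in itertools.product(range(10), repeat=free):
        total = fixed + sum(w[d] for w, d in zip(weights, digits))
        need = (-total) % 10
        solved = _UNDOUBLE[need] if doubled_at(solve_at) else need
        yield iin + "".join(map(str, digits)) + str(solved) + last4


def sha256_hex(pan: str) -> str:
    """The unsalted, unkeyed hash a naive 'tokenization' scheme stores."""
    return hashlib.sha256(pan.encode()).hexdigest()


def crack_pan(target: str, iins, last4: str, digest):
    """Brute-force a stored hash given the IIN list and last four; None if not found."""
    for iin in iins:
        for pan in luhn_candidates(iin, last4):
            if digest(pan) == target:
                return pan
    return None


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC under a key held outside the database: same candidate space,
    but without the key the attacker cannot compute anything to compare."""
    return hmac.new(key, pan.encode(), "sha256").hexdigest()


def keyspace(iin_count: int, unknown_digits: int) -> int:
    """Candidates to hash: one unknown digit is always absorbed by Luhn."""
    return iin_count * 10 ** (unknown_digits - 1)


if __name__ == "__main__":
    pan = "4111111111111111"                     # well-known Visa test number
    stored = sha256_hex(pan)
    print("recovered:", crack_pan(stored, ["510510", "411111"], "1111", sha256_hex))
    print("keyed:    ", crack_pan(keyed_token(pan, b"hsm-key"), ["411111"], "1111", sha256_hex))
    print("per IIN, last four known:", keyspace(1, 6), " unknown:", keyspace(1, 10))
```

The first lookup succeeds after at most 2 × 10**5 hashes; the second never can, because the stored value depends on a key the cracker does not have. That is the difference between "hashed" and "tokenized with a keyed function", which the word "irreversible" papers over.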

BIO: qu0rum (Twitter: @qu0rum) started life as a developer during the dot com boom and quickly realized that writing secure code is a lot harder than breaking other people’s code so he hooked up with a security consulting company and got into penetration testing back before that was a popular thing to do. 15 years later he has handed off the day-to-day pen testing responsibilities to a new generation of testers and spends most of his time working with clients’ executives, convincing them that they should have someone test their security and figuring out what their testing programs should look like, but he’s still breaking stuff and writing about it in a desperate attempt to save the world from its own horrible code.

As his straight-laced corporate alter-ego, qu0rum has presented at a number of information security conferences including Black Hat Briefings USA, RSA Conference, Infosec World, the ISSA Conference, Computerworld Expo, and at United States Secret Service Electronic Crimes Task Force meetings. His commentary has been featured in television and print information security news, including CBS Evening News, NBC News, CNN Money, USA Today, CSO Magazine, Secure Computing Magazine, Network Computing Magazine, and CRN.

11:00 (Bronze 2)

JWTs in a Flash!

Evan Johnson

The new(ish) JOSE standard is growing rapidly in popularity. Many people are excited to adopt it and use it to build interesting new things with JWT! Let's get everyone up to speed on JWTs, talk about the do's and don'ts regarding JWTs, review some JWT uses, and learn to use JWTs effectively.

BIO: Evan Johnson (Twitter: @ejcx) is a security systems engineer at CloudFlare. He loves breaking things and can distinguish diet pepsi from diet coke by taste.

11:00 (Bronze 1)

SSL Visibility, Uncovered

Andrew Brandt

Blue Coat Systems is a large network and cloud security company who counts many of the world's most important companies as its clients. Among its product offerings are a range of appliances collectively called the Advanced Threat Protection suite, which include a standalone SSL man-in-the-middle decryption device known as SSL Visibility (SSL-V). Both the company and this particular product have been much maligned, but SSL-V has become a vital and important tool in the incident responder kit. This presentation will attempt to bring clarity to the many misconceptions about SSL Visibility, including how it works, what it can and can't do, and why SSL-V isn't as scary as some people make it out to be.

BIO: Andrew Brandt (Spike) (Twitter: @threatresearch) is the Director of Threat Research at Blue Coat Systems. He is a former editor and columnist for a large consumer tech publication and Internet privacy expert who found his way into the world of malware analysis and network forensics from investigative journalism. In his day job, he infects computers with malware in order to observe their behavior and retrospectively learn about the communications methods and control networks criminals use to manage infected hosts.

11:30 (Bronze 2)

The State of HTTPS: securing web traffic is not what it used to be

J.J.
Do you truly love your users and wrap them in the warm, confidential arms of forward-secrecy ciphersuites? Or do you uncaringly shove their fragile, unencrypted data out into the cold, transparent tubes, shivering and naked as it wanders across a hostile Internet?

For too long the practice of serving non-sensitive websites over HTTPS has been viewed as unnecessary, costly, and a waste of cycles. Fortunately, the once-plausible criticisms have been challenged and are falling away. Choosing to implement HTTPS is now a matter of principle and it should be fully embraced as the default transfer method for all web traffic.

BIO: J.J. (Twitter: @SecureUtah) is a resident of Utah and wants to help make the Internet a safer place for everyone. After speaking at Utah's 2015 SAINTCON on the importance of HTTPS, he decided to extend his interest in secure communications beyond the con and commit to advocating for widespread HTTPS adoption. He created a website to serve as an information resource as well as a public tracker of which prominent Utah websites implement HTTPS correctly. His goal is to work with and convince every website to switch entirely to HTTPS, and to inspire advocates in other states to champion the cause in their communities.

12:00 (Bronze 1)

Code Breaking - Catching a Cheat

Nezer Zaidenberg (scipio)

We describe the great contract bridge scandal of 2015, in which top world pairs were found to be cheating by illegal information transfer.

We describe the inaccurate accusation against one of the pairs (Mr. Lotan Fisher and Mr. Ron Schwartz).

We describe our statistical efforts to show the lack of sufficient evidence for a conviction beyond reasonable doubt.

We describe our discovery of the real code by which information was transferred, and the means to discover it.

BIO: Nezer is a researcher in the IT faculty of the University of Jyväskylä, Finland, and a computer science faculty member at the College of Management, Israel.

12:00 (Bronze 2)

Breaking Bad Crypto: BB'06 [WORKSHOP]

Filippo Valsorda

Learn cryptography, or at least why you should stay away from it, the fun way: by breaking some yourself, live. After doing hash extension and CBC padding oracles in past years, today we'll implement one of the evergreens of crypto attacks: the Bleichenbacher '06 e=3 RSA signature forgery.

Bleichenbacher '06 is a common attack against RSA that allows an attacker to fake a signature. It broke Firefox, then GnuTLS, then again Firefox (BERserk), then python-rsa... And who knows next. You'll learn how it works, how to mount it, and then attack real world implementations with your own code.

The session is 100% hands-on, with very little material (basically just docs, a target server implementation, and some client boilerplate). I'll explain the crypto and attack basics and then proceed to code the exploit live, along with the audience, stopping often to analyze and compare outputs and milestones.

No slides, just cold hard code and data produced along the way. No cryptography experience needed at all. Bring your laptop and Python chops.
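For readers who want the shape of the attack before the workshop, the following is an added Python example written for this page (not the workshop's target server or client boilerplate). It shows a lenient PKCS#1 v1.5 verifier that finds DigestInfo||hash after the padding but does not require it to end the block, the forgery that exploits this with e=3 by taking the ceiling cube root of a block whose high bytes are the wanted prefix, and the strict verifier that rejects it. The 2048-bit modulus is a placeholder built from a hash and is an assumption of the example: the forger never needs the private key, only n and e, and any public modulus of that size behaves the same way because the forged value cubed is smaller than n.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256 from PKCS#1 v1.5 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
K = 256                      # modulus length in bytes (2048-bit key)
E = 3

# Placeholder public modulus: 2048 bits, odd. The attack only needs its size.
N = int.from_bytes(hashlib.shake_256(b"placeholder modulus").digest(K), "big") \
    | (1 << 2047) | 1


def icbrt_ceil(x: int) -> int:
    """Smallest s with s**3 >= x (binary search on big ints)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def _em(n: int, e: int, sig: int) -> bytes:
    """The encoded message the verifier sees: sig**e mod n as K bytes."""
    return pow(sig, e, n).to_bytes(K, "big")


def verify_lenient(n: int, e: int, sig: int, msg: bytes) -> bool:
    """The bug: after 00 01 FF.. 00 it checks that DigestInfo||hash is *present*
    but not that it fills the rest of the block, so trailing bytes are ignored."""
    em = _em(n, e, sig)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i == 2 or i >= len(em) or em[i] != 0x00:
        return False
    return em[i + 1:].startswith(SHA256_DIGESTINFO + hashlib.sha256(msg).digest())


def verify_strict(n: int, e: int, sig: int, msg: bytes) -> bool:
    """Build the single valid encoding for this key size and compare the whole block."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    expected = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(_em(n, e, sig), expected)


def forge(n: int, msg: bytes) -> int:
    """Bleichenbacher '06 for e = 3: put the wanted prefix in the high bytes,
    zero-fill the rest, take the ceiling cube root. The cube differs from the
    target only in the low bytes the lenient verifier never looks at."""
    prefix = b"\x00\x01\xff\x00" + SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    target = int.from_bytes(prefix + b"\x00" * (K - len(prefix)), "big")
    sig = icbrt_ceil(target)
    assert sig ** 3 < n          # no modular reduction: the cube is what gets parsed
    return sig


if __name__ == "__main__":
    msg = b"transfer 1000 EUR to attacker"          # constructed message
    sig = forge(N, msg)
    print("lenient verifier accepts forgery:", verify_lenient(N, E, sig, msg))
    print("strict verifier accepts forgery: ", verify_strict(N, E, sig, msg))
```

The forgery works because with e=3 the cube of a number a third the size of n never wraps around the modulus, so the attacker controls the top bytes of what the verifier parses. Requiring the padding to be exactly as long as the key size leaves, or simply comparing the entire encoded block as verify_strict does, removes the slack the attack needs; so does using a larger public exponent, which is why e=65537 is the usual default.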

BIO: Filippo Valsorda (Twitter: @FiloSottile) is a systems and cryptography engineer at CloudFlare, where he kicked DNSSEC until it became something deployable. Nevertheless, he's probably best known for making popular online vulnerability tests, including the original Heartbleed test. He’s really supposed to implement cryptosystems, not break them, but you know how it is.

3:00 (Bronze 2)

Ask the EFF: The Year in Digital Civil Liberties

Kurt Opsahl, Nate Cardozo, Andrew Crocker, Dr. Jeremy Giliula, Eva Galperin, Katitza Rodriguez

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premiere digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

BIO: KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

BIO: NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

BIO: ANDREW CROCKER is a staff attorney on the Electronic Frontier Foundation’s civil liberties team. He focuses on EFF’s national security and privacy docket, as well as the Coders' Rights Project. While in law school, Andrew worked at the Berkman Center for Internet and Society, the American Civil Liberties Union’s Speech, Privacy, and Technology Project, and the Center for Democracy and Technology. He received his undergraduate and law degrees from Harvard University and an M.F.A. in creative writing from New York University. His interests include Boggle and donuts.

BIO: DR. JEREMY GILIULA is a Staff Technologist at the Electronic Frontier Foundation where he focuses on a wide variety of tech policy topics including net neutrality, big data, mobile privacy, and privacy issues associated with drones and autonomous vehicles. At a young age Jeremy was sidetracked from his ultimate goal of protecting digital civil liberties by the allure of building and programming robots. He went to Caltech for undergrad, where he spent four years participating in the DARPA Grand Challenge, a competition to create a vehicle capable of traversing the desert autonomously. He then got his PhD in computer science from Stanford University, where his research focused on the design and analysis of algorithms for guaranteeing the safety of systems that employ machine learning and other AI techniques in an online fashion.

BIO: EVA GALPERIN is EFF's Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills.

BIO: KATITZA RODRIGUEZ (Twitter: @txitua) is EFF's international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross border data flows. Her work in EFF's International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF's growing Latin American programs. She is an advisor to the UN Internet Governance Forum (2009-2010), and a member of the Advisory Board of Privacy International. Before joining EFF, Katitza was director of the international privacy program at the Electronic Privacy Information Center in Washington D.C., where amongst other things, she worked on The Privacy and Human Rights Report, an international survey of privacy law and developments. Katitza is well known to many in global civil society and in international policy venues for her work at the U.N. Internet Governance Forum and her pivotal role in the creation and ongoing success of the Civil Society Information Society Advisory Council at the Organisation for Economic Co-operation and Development, for which she served as the civil society liaison while at EPIC from 2008 to March 2010. Katitza holds a Bachelor of Law degree from the University of Lima, Peru.

4:00 (Bronze 2)

Highlights from the Matasano Challenges [WORKSHOP]

Matt Cheung

The Matasano Challenges were a set of challenges designed to increase understanding of weaknesses in implementations of cryptosystems. In this workshop we will work through a selection of challenges that will give exposure to a variety of attacks. The goal of this workshop is to allow participants to more carefully consider decisions when designing systems that use cryptography as well as how to assess other systems.

* Participation in this workshop will require some programming skills to conduct the attacks.

* Participants should have a laptop with a development environment for the language of their choice. They should also have Burp Suite or another MITM proxy of their choice.

BIO: Matt Cheung (Twitter: @nullpsifer) developed his interest and skills in cryptography during graduate work in Mathematics and Computer Science. During this time he had an internship at HRL Laboratories LLC working on implementing elliptic curve support for a Secure (in the honest-but-curious model) Two-Party Computation protocol. From there he implemented the version secure in the malicious model. He currently works as a QA engineer at Veracode, but continues to learn about cryptography in his spare time.

Sunday, August 7

11:30 (Bronze 2)

Managing digital codesigning identities in an engineering company

Evgeny Sidorov, Eldar Zaitov

If your company develops mobile or desktop apps, you probably know that in the modern world they should be digitally signed. When you try to solve the problem of code signing in big environments, you'll face a lot of difficulties: signing key access management (especially in Continuous Integration), malware signing prevention and pitfalls like SHA-1 deprecation. We successfully implemented a custom CodeSigning-As-A-Service solution capable of signing executables running on Android, iOS, Windows (usermode code, kernel drivers, installation packages etc.), Java apps and applets, and solving all of the mentioned problems.

BIO: Evgeny Sidorov is an Information Security Officer at the major Russian search engine company Yandex. Evgeny works in the Application Security Engineering Team and is responsible for developing and embedding various defence techniques in web and mobile applications. He finished his Master's degree in applied mathematics at the Institute of Cryptography, Telecommunications and Computer Science of Moscow.

BIO: Formerly a software engineer, Eldar Zaitov switched to information security in 2010 and did pentesting for major Russian banks and companies. He was one of the initial members of the CTF team More Smoked Leet Chicken and participated in the DEF CON CTF finals. In 2012 he joined the Application Security Engineering Team at Yandex. He has presented information security talks at ZeroNights and YaC. Eldar is a maintainer of

12:00 (Bronze 1)

"My Usability Goes to 11": A Hacker's Guide to User Experience Research

Greg Norcie

Tor. PGP. OTR. We have privacy enhancing technologies (PETs), but when was the last time you used privacy software that "just worked"? Just like security cannot be an afterthought bolted on after the software is written, neither can usability. In this talk, we will discuss why usable PETs are important, why creating usable PETs is challenging, and conclude by describing a real usability evaluation of the Tor Browser Bundle, with a focus on how hackers can perform practical usability evaluations of their own, using tools from the fields of experimental psychology and behavioral economics.

BIO: Greg Norcie (Twitter: @gregnorc) is a Staff Technologist at the Center for Democracy and Technology. Before he dropped out of his PhD to move to DC and fight in the crypto wars, Greg was a PhD student doing usable security research at Indiana University, where he performed the first peer-reviewed lab study of the Tor Browser Bundle's usability.

12:00 (Bronze 2)

Crypto for Criminals: The OPSEC Concerns in Using Cryptography

John Bambenek

It’s a given that the use of cryptography is a good thing to protect confidentiality and privacy of one’s online activities. However, there are a variety of pieces of information and metadata that can still be useful to attribute the individual using the crypto. This talk will cover OPSEC concerns with using crypto (and when not to use it). Additionally, a tool for random generation of self-signed certs will be discussed.

BIO: John Bambenek (Twitter: @bambenek) is Manager of Threat Systems at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.

12:30 (Bronze 2)

Backdooring Cryptocurrencies: The Underhanded Crypto Contest Winners

Taylor Hornby, Adam Caudill

The Underhanded Crypto Contest is an annual competition that brings out the best ways of subtly inserting weaknesses into cryptography protocols and software. By understanding how adversarially-crafted weaknesses go unnoticed, we get better at discovering these errors in our designs and code. In this talk we present the technical details of the best one or two contest entries.

BIO: Taylor (Twitter: @UnderCrypto) is known for his carefully-written security tools, including a side-channel-free password generator and a cryptography library for PHP. He regularly contributes to a number of open source projects by security auditing and reviewing source code. As a recent graduate of the University of Calgary, his research is focused on exploit defense mechanisms and side-channel attacks. In his spare time, he enjoys studying physics from a computer science perspective and is an organizer of the Underhanded Crypto Contest.

BIO: Adam Caudill is a security consultant with over 15 years of experience in security and software development, with a focus on application security, secure communications, and cryptography. He is an active blogger, open source contributor, and advocate for user privacy and protection. His work has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.

IoT Village

Friday, August 5

10:10 (Bronze 4)

Exploiting a Smart Fridge: a Case Study in Kinetic Cyber

Kevin Cooper, Ben Ramsey

Networked smart appliances can reduce energy costs and provide detailed situational awareness. However, the same remote access used for benevolent command and control can be leveraged by an adversary for reconnaissance and to cause real world kinetic effects if security is compromised. In this talk, we exploit a commercially available smart fridge to evaluate its sensor capabilities and to demonstrate the potential for delivering kinetic cyber effects. As a proof of concept, we use the fridge ambient humidity sensor to reveal its geographic location and nearby human activity. We also quantify the potential for intentional flooding. Finally, the fridge compartments are heated by abusing the compressor and defrosters to evaluate the potential for damaging temperature-sensitive medical supplies. We demonstrate that within two hours the refrigeration compartment and freezer can be raised above 30 °C (86 °F) and 20 °C (68 °F), respectively, remotely via the Internet.

We highlight the interesting things that an attacker can do with network access to a smart fridge. How hot can the fridge get when the attacker turns off cooling and blasts the defrosters? How much water per hour can be released out of the fridge door? We answer these questions and more. We also show that the fridge ambient humidity sensor is sensitive enough to tell whether or not it is raining outside, which reveals geographic location. Hell, we will even give away hardware to the crowd.

BIO: Kevin Cooper is a computer scientist with a passion for network security. He frequently competes in CTF exercises and has extensive experience with reverse engineering, digital forensics, and network penetration testing.

BIO: Ben Ramsey, PhD, CISSP, has been building and breaking networks for over a decade. He specializes in embedded system security and low-rate wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in academic journals and presented his research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.

12:10 (Bronze 4)

The FCC’s Cybersecurity Risk Reduction Initiatives and Activities

David Simpson

The consumer benefits of the IoT are anticipated to be exceedingly large with 5G wireless technologies underpinning much of the evolving IoT landscape. However, IoT will also greatly expand the cyber attack surface for consumer appliances. This session will discuss the FCC’s initiatives to better posture the telecommunications sector to combat cyber threats to the communications critical infrastructure and solicit attendee participation in developing appropriate FCC policy objectives for 5G.

This is not a typical government monologue; this talk is an interactive, engaging, informative discussion of the FCC’s cybersecurity risk reduction initiatives to combat the most pressing threats to the communications critical infrastructure that would undermine the integrity and deployment of the IoT. It will explain the unique vulnerabilities inherent in 5G and explore opportunities to design 5G in a manner that reduces risk for the IoT.

BIO: Rear Admiral (ret.) David Simpson was appointed Chief of the FCC’s Public Safety and Homeland Security Bureau in November 2013. He brings to this role more than 20 years of ICT experience supporting the DoD, working closely with other agencies to provide secure communication services and improve cyber defense readiness. Simpson is a native of Burbank, CA and a 1982 graduate of the United States Naval Academy. He earned a master's degree in systems technology from the Naval Postgraduate School.

1:00 (Bronze 1)

Sense & Avoid: Some laws to know before you break IoT

Elizabeth Wharton

Connected devices provide a new playground of attack and vulnerability vectors to implement, test, and protect. Launching a home-built drone to test wireless access points, for example, may require authorization from the Federal Aviation Administration and the Federal Communications Commission. Testing connected car software? There’s a new Digital Millennium Copyright Act exemption carve out for research but be wary of the Computer Fraud and Abuse Act dangers. Before incorporating connected technology as part of your research, know where to find the regulatory traps and ways to minimize their legal impact. This presentation will provide an overview of federal privacy, security, and safety regulations triggered by IoT research and a breakdown of recent federal enforcement actions. Gain knowledge of the potential research risks and a sense of when to run, change an approach, or abandon if avoiding breaking the law while breaking IoT matters.

Research is hard enough and companies whose products are being tested don't always welcome vulnerability disclosures. Solid research shouldn't be rewarded with threats of lawsuits or hiring defense lawyers. Minimize the risks, spend the money saved on beer or more gear.

BIO: Elizabeth (Twitter: @LawyerLiz) is a technology-focused business and public policy attorney and host of the national radio show "Buzz Off with Lawyer Liz." She's presented on the privacy, research, and risk management issues surrounding unmanned aircraft and information security before legislators and conferences including Security BSides Las Vegas and F3Expo. Elizabeth also serves as a mentor adviser for CyberLaunch accelerator’s information security and machine learning focused early stage startup companies.

2:00 (Bronze 4)

Picking Bluetooth Low Energy Locks from a Quarter Mile Away

Anthony Rose, Ben Ramsey

Many Bluetooth Low Energy (BLE) enabled deadbolts and padlocks have hit the market recently. These devices promise convenience and security through smartphone control. We investigated sixteen of these products from multiple vendors and discovered wireless vulnerabilities in most of them. Using a $50 antenna, we successfully picked vulnerable locks from over 400 meters away. In this presentation we introduce open source tools to crack each of the vulnerable BLE locks. Furthermore, after surveying the open source Bluetooth hacking tools currently available, we find very little support for BLE. So, to make discovering and range finding to BLE devices easier, we introduce a new open source warwalking tool compatible with both Bluetooth Classic and BLE.

These locks are being relied upon by consumers to protect their homes and property and they need to be fully aware of the risks. By revealing the security vulnerabilities in BTLE locks from multiple vendors and by releasing open source tools to crack them wirelessly, we hope to put pressure on companies to improve security in future products. Plus, we will perform live demos of two of our tools.

BIO: Anthony Rose is an electrical engineer with five years of network security experience. His prior work includes traffic and quality optimization for wireless video protocols. Currently he focuses on Bluetooth security and wireless penetration testing.

BIO: Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low power wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.

3:00 (Bronze 1)

BtleJuice: the Bluetooth Smart Man In The Middle Framework

Damien Cauquil

The BtleJuice framework provides all the features to perform Man-in-the-middle attacks on devices using Bluetooth Low Energy (also known as Bluetooth Smart) and requires no expensive hardware nor SDR device. This talk will discuss most of its features, how to use it to assess the security of smart devices and find vulnerabilities, including live demos. The framework source code will be released just before the talk.

BIO: Damien Cauquil is a senior security researcher at Digital Security (CERT-UBIK), a French security company focused on IoT and related ground-breaking technologies. He has spoken at various international security conferences including Chaos Communication Camp and Hack In Paris, and a dozen times at the Nuit du Hack (one of the oldest French security conferences).

4:00 (Bronze 1)

Is Your Internet Light On? Protecting Consumers in the Age of Connected Everything

Terrell McSweeny, Joe Calandrino

Learn about the FTC’s efforts to push for improvements in IoT security, including our law enforcement actions challenging inadequate data security in devices like webcams and routers, upcoming workshops on emerging technology issues including drones and smart TVs, our Start with Security business education initiative, and the expansion of the agency’s in-house research and investigation capabilities. In January 2015 the FTC issued a report on the IoT, finding a troubling lack of security in many IoT products. We’ll provide an update on the agency’s and policy activities since then, tips for how to bring issues to the FTC’s attention, and a review of some of the challenges that remain.

BIO: Terrell McSweeny (Twitter: @TMcSweenyFTC) is a Commissioner of the Federal Trade Commission and this is her third time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking. She believes that enforcers like the FTC should work with the researcher community to protect consumers.

BIO: Joe Calandrino, PhD, is the Research Director of the Federal Trade Commission's Office of Technology Research and Investigation. With a PhD in computer science focused on security and privacy from Princeton, Dr. Calandrino is personally motivated to see the work and views of the security community drive educated government action and policy. From personal experience uncovering vulnerabilities in voting machine source code, contributing to the cold-boot attack on disk encryption (for which he won a prestigious Pwnie Award!), or revealing ways that recommendations can leak information, he has seen how security research can teach valuable lessons and make us safer. His goals at the FTC include continuing to build both its internal technical expertise and its bonds with the larger security community.

5:00 (Bronze 4)

Live Drone RF Reverse Engineering

Marc Newlin, Matt Knight

Reverse engineering wireless protocols is not as difficult as you might think! Join us and collaborate as we reverse engineer the RF protocol used by an AirHogs drone, from start to finish. You are invited to bring your own gear and follow along, or sit back and enjoy the spectacle.

What to Expect:

We will start with some basic RF fundamentals and introduce the tools we will be using. Next, we will collect open source intelligence about the drone from Google and the FCC website.

Armed with our OSINT, an SDR, and GNU Radio, we will reverse engineer the packet format and protocol used by the drone.

Using an SDR, we will implement a transceiver capable of communicating with the drone. Bringing it all together, we will go airborne (with a killswitch ready should the proverbial shit hit the fan).

What to Bring:

If you want to get some hands on RF reverse engineering experience, we encourage you to bring a laptop running GNU Radio, your 2.4GHz capable software defined radio, and an AirHogs Fury Jump Jet!

BIO: Marc is a security researcher at Bastille Networks, where he focuses on RF/IoT threats present in enterprise environments. He has been hacking on software defined radios since 2013, when he competed as a finalist in the DARPA Spectrum Challenge. In 2011, he wrote software to reassemble shredded documents for the DARPA Shredder Challenge, finishing the competition in third place out of 9000 teams.

BIO: Matt Knight is a software engineer and security researcher with Bastille Networks, where he seeks to discover vulnerabilities in the ubiquitous wireless interfaces that connect embedded devices to the Internet of Things.

Saturday, August 6

10:10 (Bronze 4)

Hot Wheels: Hacking Electronic Wheelchairs

Stephen Chavez, Specter

We are going to exploit a Sunrise Quickie Rhythm power wheelchair that uses the CAN bus protocol, using Arduino/Raspberry Pi hardware. We will show how easy it is to inject standard CAN messages to take full control of the chair and block all user input from the main joystick controller. In addition, we will provide some basic open source tools to allow people to customize their chairs more easily.

Some electronic wheelchairs use the same signaling bus as cars do: the Controller Area Network (CAN). But they use a specialized communication protocol like RNET that leverages CAN bus signaling. The Quickie Rhythm chair uses RNET electronics, which we studied inside and out, and it turns out many other chairs use RNET electronics as a standardized protocol. RNET is closed and proprietary, but we reverse engineered the protocol, which will allow people to customize their chairs.

Power wheelchairs have become increasingly sophisticated both for increasing their capabilities and for connecting users to the world at large. Some include Bluetooth functionality, which can be an easy way to attack chairs. It is time to teach people to understand how their chairs work, and show them the current status of software security on the chairs.

Special thanks to:

Steven Beaty, my professor who helped me get organized for DEF CON 24. I thank him for doing a ton of meetings with me.
Solid State Depot, a hacker space in Boulder, Colorado. This hackerspace has some of the coolest people I ever met in my life. They allowed me to use their tools and they fully supported me in hacking power wheelchairs.
Metropolitan State University of Denver, who paid all of my expenses for DEF CON.

BIO: Stephen Chavez (Twitter: @redragonx) specializes in Linux, security, and programming languages such as Java, Go, Python, Rust, PHP, C, C++, JavaScript, and C#. He has experience in Linux server administration (Apache, Postfix, Dovecot, BIND, NGINX, etc.) as well as software engineering and web design. Stephen has been programming for 10+ years and knows quite a lot about a wide range of subjects. In his spare time, Stephen is a researcher in the field of computer and internet security and is knowledgeable about hacking, cryptography, and network attacks.

BIO: Specter is an awesome hardware hacker who loves to sniff protocols.

12:10 (Bronze 4)

How the Smart-City becomes Stupid

Denis Makrushin

Scare stories around the Internet of Things (IoT) conjure up images of bad guys in hoodies, living for hacking and making the lives of other people harder, inventing millions of ways to infiltrate your life through your gadgets. Probably nobody cares about their smart-home security, but what about Smart-City threats, which affect billions of people? A huge number of public IoT devices are vulnerable to potential abuse, potentially endangering users' data, the networks of the companies they belong to, or both. Based on research into various public devices, such as terminals and cameras, we offer a methodology for the security analysis of these devices, which answers the following questions:

How easy is it to compromise a terminal in the park?
What can hackers steal from there?
What can be done with a hacked device?
How can the internal network of the installer organization be penetrated?
How can public devices be protected from attacks?

This topic is a unique opportunity to hear about real cases of public device hacking and to see the process of compromising different terminals from beginning to end:

Parking and ticket terminals
Information terminals in museums/cinemas/whatever else
Hotel infrastructure
Airport infrastructure
Road Cameras/speed radars

Topic includes:

Methodology for security analysis of public IoT
Post-exploitation scenarios
Methodology for improving the security of these devices
Non-trivial protection for non-trivial device

Exclusive research on non-trivial IoThings, with many proofs and video demonstrations. "Watch Dogs" in real life.

BIO: Denis Makrushin is an expert in the Global Research and Analysis Team at Kaspersky Lab. He graduated from the Information Security Faculty of National Research Nuclear University. He specializes in the analysis of possible threats and follows the Offensive Security philosophy. At this time, he continues his research on "Targeted Attack detection based on Game Theory methods" in the graduate school of MEPhI.

1:00 (Bronze 1)

SNMP and IoT Devices: Let me Manage that for you Bro!

Bertin Bervis

In this talk I'm going to cover the basics of how SNMP works and how we can use it to take control over several IoT devices with R/W permissions remotely. We are going to abuse the bad configuration issue in order to turn on/off traffic light systems, and to discover ATMs, power supplies, and several kinds of industrial equipment. I'm also going to demonstrate how a remote attacker can retrieve the password of networking devices like Huawei and Cisco equipment.

Several devices are exposed on the public internet running SNMP agents with R/W permissions. This talk is going to cover how bad management could lead to a potential attack in the IoT field with bad consequences in real life. The talk is for hackers, network engineers, security researchers and people concerned about security in the IoT field.

BIO: Bertin Bervis is a security researcher from San José, Costa Rica. He is the co-founder of the NetDB project, a certificate/fingerprint device search engine, and has been a speaker at several technical security conferences such as DEF CON and, in Latin America, EKOPARTY, DragonJar and the OWASP Latin tour. He was formerly a network engineer and software developer.

2:00 (Bronze 4)

Drone Security Advisory: Hacking Popular Drones

Ryan Satterfield

I will be discussing the security of drones and whether any of the vulnerabilities affect privacy. This will cover popular drones, including multiple Parrot drones, the Cheerson Syma x5sw, the DJI Phantom 4 and others. This talk includes, but is not limited to, remote code execution on drones, denial of service, unauthorized access and modifying video, etc.

I am hacking the most popular and most bought drones in the world. I love to make drones fall out of the sky, lose control with no way of regaining control, finding ways to modify video to frame people for crimes. If that isn't cool, what is?

BIO: I (Twitter: @I_am_ryan_S) am a hacker who started preliminary testing of Drones in 2015, but started hacking at age 9 if you count the malware I wrote but didn't release to the wild. I like legally hacking financial companies, but IOT security is my favorite. Plus, it doesn't result in threats of closing my financial account.

3:00 (Bronze 1)

Reversing and Exploiting Embedded Devices

Elvis Collado

This talk will go over the following: How all of this research got started, the critical vulnerabilities I personally discovered in modern devices, the challenges and failures I personally had with techniques like blind fuzzing, the challenges I had with not having the knowledge or funds to get into hardware hacking, figuring out how to build an exploit for a vulnerability without the need of using UART or a remote debugger, how to get started into hardware hacking once you've exhausted all means on the software side of things, how to build an effective but cheap IoT hacking lab, how to create your own low-cost 'JTAGulator' with an Arduino nano, how to cross compile and disassemble to quickly figure out CPU architectures that a person may be unfamiliar with, discussion of the open source project "Damn Vulnerable Router Firmware", and how to put this all together quickly so everyone can start finding vulnerabilities in the products they own. Also, the talk has been recently updated with comparisons of crafting exploits on x86 vs MIPS vs ARM. Before I only had x86 vs MIPS.

Note: There will be no vendor shaming. All Vendors will be renamed to “Vendor A, Vendor B, Vendor C…etc”

BIO: Elvis Collado (Twitter: @blackowl) is a Senior Security Researcher for Praetorian with a main focus in embedded electronics. Elvis got into electronics ever since he discovered his first vulnerabilities in some of the devices he personally owned. He decided to migrate his research from the desktop space to the embedded space and wants to share what he has learned with everyone.

3:30 (Bronze 4)

Internet of Thieves (or DIY Persistence)

Joseph Needleman

Sure those are silly names, but in this world of embedded devices and development, let's try something different. We will be focusing on taking those fun, innocuous devices that are making people's lives smarter and turning them into our own useful embedded [attack] platforms. We will be covering what devices work best for different situations, when and where and what to embed, and provide ways of building out persistence directly on your new pwning platform.

BIO: Joe is a security researcher who loves to experiment with embedded devices, signals, and really anything with electrical signals. He lives in a server room and would love to be let out from time to time. When not stuck in a server room or being electrocuted he also dabbles with cloud research.

4:00 (Bronze 1)


Jeff Kitson

This talk covers the reverse engineering and exploration of the Trane ComfortLink thermostats. These devices are manufactured and produced by Trane, a popular heating and cooling company offering Z-Wave and WiFi enabled thermostats packaged with their appliances. This talk covers a previously unreleased vulnerability in the Trane ComfortLink thermostats that allows for remote manipulation and information extraction by an attacker. The devices are vulnerable by default and this talk addresses the physical dangers posed by this vulnerability to customers. The tools and methods used in finding this vulnerability are also discussed at length in the presentation along with a video demonstration of the exploit in action.

BIO: Jeff Kitson is a Security Researcher with the Vulnerability Assessment Team of Trustwave SpiderLabs. His career began with full-stack web development before moving into system administration and eventually vulnerability and security research. His current work includes maintaining and developing vulnerability tools within Trustwave. His research interests include IOT devices and extracting information with software defined radio.

5:00 (Bronze 4)

Thermostat Ransomware and Workshop

Ken Munro

An introductory presentation followed by a demonstration covering hardware hacking topics such as reverse engineering, firmware analysis, remote code execution, even abusing OTA updates. Attendees will come away with a practical understanding of reverse engineering and attacking these devices. We will also go through a PoC IoT ransomware attack specifically for thermostats.

Attendees will see a breakdown of the technology, with a demo showing precisely how thermostats can be compromised. Finally, a workshop will give attendees a solid and in-depth understanding of the security profile of many IoT devices, using readily available home heating thermostats. After that we then run a workshop so that everyone gets free rein to hack their own. We'll provide a range of IoT thermostats and tools so it'll be as accessible as possible to all who want to participate.

Typically, access to embedded functionality in thermostats is via their JTAG ports, so we will provide a primer on those as well as giving attendees the devices and tools to enable them to fully access the device and create their own hardware attack. Specifically, we want people to come away with a practical, hands-on understanding of IoT reverse engineering and enhanced hardware hacking skills.

30 mins for the demo, and 60 mins for the workshop.

BIO: Ken (Twitter: @PenTestPartners) has been working in IT security for over 15 years. He writes for various newspapers and industry magazines, and regularly advises the broader press and news broadcasters. He works at Pen Test Partners who specialize in helping organizations understand and quantify risk to their business. In an effort to get beyond the unhelpful FUD put about by many security vendors Ken speaks widely on computer security, the Internet of Things, and takes great pleasure in highlighting vulnerabilities.

Sunday, August 7

11:00 (Bronze 1)

IoT Defenses - Software, Hardware, Wireless and Cloud

Aaron Guzman

The vast playground of IoT, and all its problems, will surely transfer from consumer homes over to the enterprise. Various studies have shown the effect of consumer IoT adoption in the enterprise, resulting in rogue connections into a trusted network. Items such as smart TVs, drones, home security devices, and even connected vehicles are now being discovered in corporate networks. Industry professionals and board rooms are struggling to keep up with the growth of IoT due to the various interfaces introduced. We will discuss the many IoT attack surfaces and provide proactive security controls that are easily implemented by consumers, enterprises, and manufacturers alike.

What is constantly being shared throughout the industry is how IoT is broken, vulnerable, and insecure. Various testing methodologies and guidance cheat sheets have been released without discussions on how to protect against the threats discovered. Drawing on the speaker's work as a technical editor for an upcoming IoT security book, as well as a contributor to various security guidance documents on IoT, this talk will give practical defense guidance that attendees and manufacturers can implement.

BIO: Aaron (Twitter: @scriptingxss) is a Principal Penetration Tester in the Los Angeles area with expertise in Application Security, IoT, Mobile, Web, and Network Penetration testing. He volunteers his time as a Chapter Board Member for OWASP Los Angeles, President of Cloud Security Alliance SoCal, and a Technical Editor for Packt Publishing. Aaron is a contributor to various IoT guidance documents from CSA, OWASP, Prpl, and others. He has held roles with companies such as Belkin, Linksys, Dell and Symantec.