skip to main content

DEF CON 25 Hacking Conference



Untrustworthy Hardware and How to Fix It

Sunday at 10:00 in Track 4

20 minutes | Demo, Tool

0ctane Hacker

Modern computing platforms offer more freedom than ever before. The rise of Free and Open Source Software has led to more secure and heavily scrutinized cryptographic solutions. However, below the surface of open source operating systems, strictly closed source firmware along with device driver blobs and closed system architecture prevent users from examining, understanding, and trusting the systems where they run their private computations. Embedded technologies like Intel Management Engine pose significant threats when, not if, they get exploited. Advanced attackers in possession of firmware signing keys, and even potential access to chip fabrication, could wreak untold havoc on cryptographic devices we rely on.

After surveying all-too-possible low level attacks on critical systems, we will introduce an alternative open source solution to peace-of-mind cryptography and private computing. By using programmable logic chips, called Field Programmable Gate Arrays, this device is more open source than any common personal computing system to date. No blobs, no hidden firmware features, and no secret closed source processors. This concept isn't "unhacakable", rather we believe it to be the most fixable; this is what users and hackers should ultimately be fighting for.

0ctane is a longtime hobbyist hacker, with experience primarily in UNIX systems and hardware. Holding no official training or technical employment, 0ctane spends most of their free time building and restoring older computer systems, hanging out at surplus stores and tracking down X86 alternatives with an occasional dabbling in OSX and 802.11 exploitation. Other interests include SDR and RF exploration, networking, cryptography, computer history, distributed computing...really anything that sounds cool that I happen to stumble on at 3am.

Back to top

Evading next-gen AV using artificial intelligence

Saturday at 11:00 in Track 4

20 minutes | Demo

Hyrum Anderson Technical Director of Data Science, Endgame

Much of next-gen AV relies on machine learning to generalize to never-before-seen malware. Less well appreciated, however, is that machine learning can be susceptible to attack by, ironically, other machine learning models. In this talk, we demonstrate an AI agent trained through reinforcement learning to modify malware to evade machine learning malware detection. Reinforcement learning has produced game-changing AI's that top human level performance in the game of Go and a myriad of hacked retro Atari games (e.g., Pong). In an analogous fashion, we demonstrate an AI agent that has learned through thousands of "games" against a next-gen AV malware detector which sequence of functionality-preserving changes to perform on a Windows PE malware file so that it bypasses the detector. No math or machine learning background is required; fundamental understanding of malware and Windows PE files is a welcome; and previous experience hacking Atari Pong is a plus.

Hyrum Anderson
Hyrum Anderson is technical director of data scientist at Endgame, where he leads research on detecting adversaries and their tools using machine learning. Prior to joining Endgame he conducted information security and situational awareness research as a researcher at FireEye, Mandiant, Sandia National Laboratories and MIT Lincoln Laboratory. He received his PhD in Electrical Engineering (signal and image processing + machine learning) from the University of Washington and BS/MS degrees from Brigham Young University. Research interests include adversarial machine learning, deep learning, large-scale malware classification, active learning, and early time-series classification.

Back to top

Dealing the perfect hand - Shuffling memory blocks on z/OS

Saturday at 16:00 in 101 Track

45 minutes | Demo, Tool

Ayoul3 Pentester, Wavestone

Follow me on a journey where we p0wn one of the most secure platforms on earth. A giant mammoth that still powers the most critical business functions around the world: The Mainframe! Be it a wire transfer, an ATM withdrawal, or a flight booking, you can be sure that you've used the trusted services of a Mainframe at least once during the last 24 hours. In this talk, I will present methods of privilege escalation on IBM z/OS: How to leverage a simple access to achieve total control over the machine and impersonate other users. If you are interested in mainframes or merely curious to see a what a shell looks like on MVS, you're welcome to tag along.

Ayoub is a pentester working for Wavestone, a consulting firm based in France. He got interested in Mainframe security in 2014 when, during an audit, he noticed the big security gap between this platform and standard systems like Windows and Unix. A gap that makes little sense since z/OS has been around for a while and is used by most major companies to perform critical business operations: wire transfer, claim refunds, bookings, etc.

If you want to test some of the tools showcased during the talk, you can check out his tools:


Back to top


Sunday at 10:20 in Track 3

20 minutes | Demo, Tool

Dor Azouri Security researcher, @SafeBreach

Windows' BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman? We have uncovered the way BITS maintains its jobs queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file

Comprehending this file's binary structure allowed us to change a job's properties (such as RemoteURL, Destination Path...) in runtime and even inject our own custom job, using none of BITS' public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our will as the LocalSystem account, within session 0. So if you wish to execute your code as NT AUTHORITY/SYSTEM and the first options that come to mind are psexec/creating a service, we now add a new option: BITSInject.

Here, we will not only introduce the practical method we formed, but also: Reveal the binary structure of the state file for you to play with, and some knowledge we gathered while researching the service flow

We will also provide free giveaways: A one-click python tool that performs the described method; SimpleBITSServer - a pythonic BITS server; A struct definition file, to use for parsing your BITS state file

Dor Azouri
Dor Azouri is a security professional, having 6+ years of unique experience with network security, malware research and infosec data analysis. Currently doing security research @SafeBreach.

Back to top

Unboxing Android: Everything you wanted to know about Android packers

Sunday at 10:00 in 101 Track

45 minutes | Demo, Tool

Avi Bashan Mobile R&D Team Leader, Check Point

Slava Makkaveev Security Researcher, Check Point

To understand the Android ecosystem today, one must understand Android packers. Whether used for protecting legitimate apps' business logic or hiding malicious content, Android packer usage is on the rise. Android packers continue to increase their efforts to prevent reverse engineers and static analysis engines from understanding what's inside the package. To do so they employ elaborate tactics, including state of the art ELF tampering, obfuscation and various anti-debugging techniques.

In this talk, we will provide an overview of the packer industry and present real world test cases. We will do a deep technical dive into the internal workings of popular Android packers, exposing the different methods which protect the app's code. As a countermeasure, we will provide various techniques to circumvent them, allowing hackers and security researchers to unpack the secrets they withhold.

Avi Bashan
Avi Bashan is a Team Leader at Check Point, former security researcher at Lacoon Mobile Security. His daily job is to play around with Android Internals, writing Linux kernel code and drinking a lot of coffee.

Slava Makkaveev
Slava Makkaveev is a Security Researcher at Check Point. Slava has vast academic and professional experience in the security field. Slava's day to day is mostly composed from reversing and hacking malwares and operating systems for fun and profit.

Back to top

Microservices and FaaS for Offensive Security

Saturday at 11:00 in 101 Track

20 minutes | Demo

Ryan Baxendale

There are more cloud service providers offering serverless or Function-as-a-service platforms for quickly deploying and scaling applications without the need for dedicated server instances and the overhead of system administration. This technical talk will cover the basic concepts of microservices and FaaS, and how to use them to scale time consuming offensive security testing tasks. Attacks that were previously considered impractical due to time and resource constraints can now be considered feasible with the availability of cloud services and the never-ending free flow of public IP addresses to avoid attribution and blacklists.

Key takeaways include a guide to scaling your tools and a demonstration on the practical benefits of utilising cloud services in performing undetected port scans, opportunistic attacks against short lived network services, brute-force attacks on services and OTP values, and creating your own whois database, shodan/censys, and searching for the elusive internet accessible IPv6 hosts.

Ryan Baxendale
Ryan Baxendale works as a penetration tester in Singapore where he leads a team of professional hackers. While his day is filled mainly with web and mobile penetration tests, he is more interested developing security tools, discovering IPv6 networks, and mining the internet for targeted low hanging fruit. He has previously spoken at XCon in Bejing on automating network pivoting and pillaging with an Armitage script, and has spoken at OWASP chapter and Null Security group meetings.


Back to top

Jailbreaking Apple Watch

Thursday at 12:00 in 101 Track 2

45 minutes | Demo

Max Bazaliy Security Researcher, Lookout

On April 24, 2015, Apple launched themselves into the wearables category with the introduction of Apple Watch. This June, at Apple's Worldwide Developer Conference, Apple announced that their watch is not only the #1 selling smartwatch worldwide by far, but also announced the introduction of new capabilities that will come with the release of watchOS 4. Like other devices, Apple Watch contains highly sensitive user data such as email and text messages, contacts, GPS and more, and like other devices and operating systems, has become a target for malicious activity.

This talk will provide an overview of Apple Watch and watchOS security mechanisms including codesign enforcement, sandboxing, memory protections and more. We will cover vulnerabilities and exploitation details and dive into the techniques used in creating an Apple Watch jailbreak. This will ultimately lead to a demonstration and explanation of jailbreaking an Apple Watch, showcasing how it can access important user data and applications.

Max Bazaliy
Max is a Security Researcher at Lookout with more than ten years of experience in areas as reverse engineering, software security, vulnerability research and advanced exploitation. Currently focusing on iOS exploitation, reverse engineering advanced mobile malware and hardware attacks. Max was a lead security researcher at Pegasus iOS malware investigation.

In the past few years, Max was a speaker on various security conferences, including BlackHat, CCC, DEF CON , Ruxcon, RSA and BSides.

Max holds a Masters degree in Computer Science and currently is PhD student at the National Technical University of Ukraine "Kyiv Polytechnic Institute" where he'working on dissertation in code obfuscation and privacy area.


Back to top

Starting the Avalanche: Application DoS In Microservice Architectures

Friday at 13:00 in Track 3

45 minutes | Demo, Tool

Scott Behrens Senior Application Security Engineer

Jeremy Heffner Senior Cloud Security Engineer

We'd like to introduce you to one of the most devastating ways to cause service instability in modern micro-service architectures: application DDoS. Unlike traditional network DDoS that focuses on network pipes and edge resources, our talk focuses on identifying and targeting expensive calls within a micro-services architecture, using their complex interconnected relationships to cause the system to attack itself — with massive effect. In modern microservice architectures it's easier to cause service instability with sophisticated requests that model legitimate traffic to pass right through web application firewalls.

We will discuss how the Netflix application security team identified areas of our microservices that laid the groundwork for these exponential-work attacks. We'll step through one case study of how a single request into an API endpoint fans out through the application fabric and results in an exponential set of dependent service calls. Disrupting even one point within the dependency graph can have a cascading effect throughout not only the initial endpoint, but the dependent services backing other related API services.

We will then discuss the frameworks we collaborated on building that refine the automation and reproducibility of testing the endpoints, which we've already successfully leveraged against our live production environment. We will provide a demonstration of the frameworks which will be open sourced in conjunction with this presentation. Attendees will leave this talk understanding architectural and technical approaches to identify and remediate application DDoS vulnerabilities within their own applications. Attendees will also gain a greater understanding on how take a novel new attack methodology and build an orchestration framework that can be used at a global scale.

Scott Behrens
Scott Behrens is currently employed as a senior application security engineer for Netflix. Prior to Netflix Scott worked as a senior security consultant at Neohapsis and an adjunct professor at DePaul University. Scott's expertise lies in both building and breaking for application security at scale. As an avid coder and researcher, he has contributed to and released a number of open source tools for both attack and defense. Scott has presented security research at DEF CON , DerbyCon, OWASP AppSec USA, Shmoocon, Shakacon, Security Forum Hagenberg, Security B-sides Chicago, and others.


Jeremy Heffner
Jeremy Heffner is a software and security professional who has worked on numerous commercial and government projects. His passion is for securing and building scalable, survivable, and fault-tolerant distributed systems. His focus includes cyber attack and defense, information gathering and analysis, and scaling systems globally through automation and dynamic optimization.

Back to top

The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks?

Sunday at 12:00 in Track 3

45 minutes | Art of Defense

Steinthor Bjarnason Senior Network Security Analyst, Arbor Networks

Jason Jones Security Architect, Arbor Networks

The second half of 2016 saw the rise of a new generation of IoT botnets consisting of webcams and other IoT devices. These botnets were then subsequently used to launch DDoS attacks on an unprecedented scale against Olympic-affiliated organizations, OVH, the web site of Brian Krebs and Dyn.

Early 2017, a multi-stage Windows Trojan containing code to scan for vulnerable IoT devices and inject them with Mirai bot code was discovered. The number of IoT devices which were previously safely hidden inside corporate perimeters, vastly exceeds those directly accessible from the Internet, allowing for the creation of botnets with unprecedented reach and scale.

This reveals an evolution in the threat landscape that most organizations are completely unprepared to deal with and will require a fundamental shift in how we defend against DDoS attacks.

This presentation will include:
- An analysis of the Windows Mirai seeder including its design, history, infection vectors and potential evolution.
- The DDoS capabilities of typically infected IoT devices including malicious traffic analysis.
- The consequences of infected IoT devices inside the corporate network including the impact of DDoS attacks, originating from the inside, targeting corporate assets and external resources.
- How to detect, classify and mitigate this new threat.

Steinthor Bjarnason
Steinthor Bjarnason is a Senior Network Security Analyst on Arbor Networks ASERT team, performing applied research on new technologies and solutions to defend against DDoS attacks.

Steinthor has 17 years of experience working on Internet Security, Cloud Security, SDN Security, Core Network Security and DDoS attack mitigation. Steinthor is an inventor and principal of the Cisco Autonomic Networking Initiative, with a specific focus on Security Automation where he holds a number of related patents.


Jason Jones
Jason Jones is the Security Architect for Arbor Networks' ASERT team. His primary role involves reverse engineering malware, architecting of internal malware processing infrastructure, feed infrastructure and botnet monitoring infrastructure in addition to other development tasks. Jason has spoken at various industry conferences including BlackHat USA, FIRST, BotConf, REcon, and Ruxcon

Back to top

Abusing Certificate Transparency Logs

Friday at 15:00 in Track 4

45 minutes | Demo, Tool

Hanno Böck Hacker and freelance journalist

The Certificate Transparency system provides public logs of TLS certificates. While Certificate Transparency is primarily used to uncover security issues in certificates, its data is also valuable for other use cases. The talk will present a novel way of exploiting common web applications like Wordpress, Joomla or Typo3 with the help of Certificate Transparency.

Certificate Transparency has helped uncover various incidents in the past where certificate authorities have violated rules. It is probably one of the most important security improvements that has ever happened in the certificate authority ecosystem. In September 2017 Google will make Certificate Transparency mandatory for all new certificates. So it's a good time to see how it could be abused by the bad guys.

Hanno Böck
Hanno Böck is a hacker and freelance journalist. He regularly covers IT security issues for the German IT news site and publishes the monthly Bulletproof TLS Newsletter. He also runs the Fuzzing Project, an effort to improve the security of free and open source software supported by the Linux Foundation's Core Infrastructure Initiative.


Back to top

Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science

Sunday at 13:00 in Track 4

45 minutes | Art of Defense, Demo, Tool

Daniel Bohannon (DBO) Senior Consultant, MANDIANT

Lee Holmes Lead Security Architect, Microsoft

Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad?

A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches.

Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.

Approaches for evading these detection techniques will be discussed and demonstrated.

Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation.

Daniel Bohannon (DBO)
Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over seven years of operations and information security experience. He is the author of the Invoke-Obfuscation and Invoke-CradleCrafter PowerShell obfuscation frameworks


Lee Holmes
Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack, System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team.


Back to top

Game of Drones: Putting the Emerging "Drone Defense" Market to the Test

Saturday at 16:00 in Track 4

45 minutes | Art of Defense, Demo, Tool

Francis Brown Partner, Bishop Fox

David Latimer Security Analyst, Bishop Fox

When you learned that military and law enforcement agencies had trained screaming eagles to pluck drones from the sky, did you too find yourself asking: "I wonder if I could throw these eagles off my tail, maybe by deploying delicious bacon countermeasures?" Well you'd be wise to question just how effective these emerging, first generation "drone defense" solutions really are, and which amount to little more than "snake oil".

There is no such thing as "best practices" when it comes to defending against "rogue drones", period. Over the past 2 years, new defensive products that detect and respond to "rogue drones" have been crawling out of the woodwork. The vast majority are immature, unproven solutions that require a proper vetting.

We've taken a MythBusters-style approach to testing the effectiveness of a variety of drone defense solutions, pitting them against our DangerDrone. Videos demonstrating the results should be almost as fun for you to watch as they were for us to produce. Expect to witness epic aerial battles against an assortment of drone defense types, including:

• trained eagles and falcons that hunt "rogue drones"
• fighter drones that hunt and shoot nets
• drones with large nets that swoop in and snatch up 'rogue drones'
• surface-to-air projectile weapons, including bazooka-like cannons that launch nets, and shotgun shells containing nets
• signal jamming and hijacking devices that attack drone command and control interfaces
• even frickin' laser beams and Patriot missiles!

We'll also be releasing DangerDrone v2.0, an upgraded version of our free Raspberry Pi-based pentesting quadcopter (basically a ~$500 hacker's laptop, that can also fly). We'll be giving away a fully functional DangerDrone v2.0 to one lucky audience member!

So come see what's guaranteed to be the most entertaining talk this year and find out which of these dogs can hunt!

Francis Brown
Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients.

Francis has presented his research at leading conferences such as Black Hat USA, DEF CON , RSA, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications.

Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation, C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques.

David Latimer
David Latimer is a Security Analyst at Bishop Fox, a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on network and web application penetration testing.

He won a state Cisco Networking Skills competition for Arizona in 2013. He has acted as a network engineer for one of Phoenix's largest datacenters, PhoenixNAP, where he architected large-scale virtualization clusters and assisted with backup disaster recovery services.

Back to top

How we created the first SHA-1 collision and what it means for hash security

Friday at 14:00 in Track 4

45 minutes | Demo, Tool

Elie Bursztein Anti-abuse research lead, Google

In February 2017, we announced the first SHA-1 collision. This collision combined with a clever use of the PDF format allows attackers to forge PDF pairs that have identical SHA-1 hashes and yet display different content. This attack is the result of over two years of intense research. It took 6500 CPU years and 110 GPU years of computations which is still 100,000 times faster than a brute-force attack.

In this talk, we recount how we found the first SHA-1 collision. We delve into the challenges we faced from developing a meaningful payload, to scaling the computation to that massive scale, to solving unexpected cryptanalytic challenges that occurred during this endeavor.

We discuss the aftermath of the release including the positive changes it brought and its unforeseen consequences. For example it was discovered that SVN is vulnerable to SHA-1 collision attacks only after the WebKit SVN repository was brought down by the commit of a unit-test aimed at verifying that Webkit is immune to collision attacks.

Building on the Github and Gmail examples we explain how to use counter-cryptanalysis to mitigate the risk of a collision attacks against software that has yet to move away from SHA-1. Finally we look at the next generation of hash functions and what the future of hash security holds

Elie Bursztein
Elie Bursztein leads Google's anti-abuse research, which helps protect users against Internet threats. Elie has contributed to applied-cryptography, machine learning for security, malware understanding, and web security; authoring over fifty research papers in the field. Most recently he was involved in finding the first SHA-1 collision.

Elie is a beret aficionado, tweets at @elie, and performs magic tricks in his spare time. Born in Paris, he received a Ph.D from ENS-cachan in 2008 before working at Stanford University and ultimately joining Google in 2011. He now lives with his wife in Mountain View, California.


Back to top

XenoScan: Scanning Memory Like a Boss

Saturday at 14:00 in Track 4

45 minutes | Demo, Tool

Nick Cano Hacker

XenoScan is the next generation in tooling for hardcore game hackers. Building on the solid foundation from older tools like Cheat Engine and Tsearch, XenoScan makes many innovations which take memory scanning to a whole new level.

This demo-heavy talk will skip the fluff and show the power of the tool in real-time. The talk will demonstrate how the tool can scan for partial structures, detect complex data structures such as binary trees or linked lists, detect class-instances living on the heap, and even group detected class instances by their types. Additional, these demos will take a look at the tool's extensibility by working not only on native processes, but also on Nintendo games running in emulators. You're not all game hackers, so the talk will also show how XenoScan can be useful in the day-to-day workflow of reverse engineers and hackers.

When I'm not doing demos, I'll be drilling down to the low-level to talk about the nitty gritty details of what's happening, how it works, and why it works.

By the end of the talk, you'll see the true power of a well-made, smart memory scanner. You'll be empowered to use it in your day to day hacking, whether that is on games, malware, or otherwise. For those of you that are really interested in the tool, it is completely open-source and all development is done on an interactive livestream, meaning you can participate in and learn from future development.

Nick Cano
Nick Cano is the author of "Game Hacking: Developing Autonomous Bots for Online Games" (No Starch Press), a Senior Security Architect at Cylance, and a life-long programmer and hacker. Programming since the age of 12 and hacking games since the age of 15, Nick has a strong background with both software development and Reverse Engineering. Nick has a history developing and selling bots for MMORPGs, advising game developers on hardening their games against bots, and making innovations in the EDR space for next-gen AV companies.


Back to top

Weaponizing the BBC Micro:Bit

Friday at 11:00 in Track 2

45 minutes | Demo, Tool, Exploit

Damien "virtualabs" Cauquil Senior security researcher, Econocom Digital Security

In 2015, BBC sponsored Micro:Bit was launched and offered to one million students in the United Kingdom to teach them how to code. This device is affordable and have a lot of features and can be programmed in Python rather than C++ like the Arduino. When we discovered this initiative in 2016, we quickly thought it was possible to turn this tiny device into some kind of super-duper portable wireless attack tool, as it is based on a well-known 2.4GHz RF chip produced by Nordic Semiconductor.

It took us a few months to hack into the Micro:Bit firmware and turn it into a powerful attack tool able to sniff keystrokes from wireless keyboards or to hijack and take complete control of quadcopters during flight. We also developed many tools allowing security researchers to interact with proprietary 2.4GHz protocols, such as an improved sniffer inspired by the mousejack tools designed by Bastille. We will release the source code of our firmware and related tools during the conference.

The Micro:Bit will become a nifty platform to create portable RF attack tools and ease the life of security researchers dealing with 2.4GHz protocols !

Damien "virtualabs" Cauquil
Damien Cauquil is a senior security researcher at Digital Security (CERT-UBIK), a French security company focused on IoT and related ground breaking technologies. He spoke at various international security conferences including Chaos Communication Camp,,Hack In Paris and a dozen times at the Nuit du Hack (one of the oldest French security conferences).


Back to top

Ghost in the Droid: Possessing Android Applications with ParaSpectre

Sunday at 10:20 in Track 4

20 minutes | Demo, Tool

chaosdata Senior Security Consultant, NCC Group

Modern Android applications are large and complex, and can be a pain to analyze even without obfuscation - static analysis can only get one so far, the debugger sucks, Frida doesn't give you enough access to the Java environment, and editing smali or writing Xposed hooks can be time consuming and error prone. There has to be a better way!

What if we could inject a command line REPL into an app to drive functionality? And what if we could also make writing function hooks fast and easy?

In this talk, I will introduce ParaSpectre, a platform for dynamic analysis of Android applications that injects JRuby into Android applications. It bundles a hook configuration web API, a web application interface to configure and edit hooks, and a connect-back JRuby REPL to aid application exploration from the inside-out. It supports various selectors to match classes and methods, can be reconfigured on-the-fly without requiring a device reboot, and takes the pain out of writing method hooks for Android apps.

ParaSpectre is for developers and security researchers alike. While not itself a debugger, it provides a level of access into a running application that a debugger generally won't.

chaosdata(aka "Jeff") is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He also likes exotic candies.


Back to top

Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks

Thursday at 15:00 in 101 Track

45 minutes | Art of Defense

CINCVolFLT (Trey Forgety) Director of Government Affairs & IT Ninja, NENA: The 9-1-1 Association

In October of 2016, a teenage hacker triggered DTDoS attacks against 9-1-1 centers across the United States with five lines of code and a tweet. This talk provides an in-depth look at the attack, and reviews and critiques the latest academic works on TDoS attacks directed at 9-1-1 systems. It then discusses potential mitigation strategies for legacy TDM and future all-IP access networks, as well as disaggregated "over-the-top" originating services and the devices on which both the access network providers and originating service providers rely.

CINCVolFLT (Trey Forgety)
CINCVolFLT (Trey Forgety) is Director of Government Affairs for NENA: The 9-1-1 Association. He previously served as a Presidential Management Fellow in the U.S. Department of Homeland Security's Office of Emergency Communications, with rotations in the Federal Communications Commission's Public Safety and Homeland Security Bureau, and the U.S. Department of Commerce's National Telecommunications and Information Administration. A sometimes-piratical sailor and inveterate tinkerer, CINCVolFLT's recent activities have included promoting the use of new location technologies in wireless carriers' networks, and serving as pro bono counsel to QueerCon. He holds a B.S. in Applied Physics and a J.D., both from the University of Tennessee (GO VOLS!).


Back to top

WSUSpendu: How to hang WSUS clients

Saturday at 10:20 in Track 3

20 minutes | Demo, Tool

Romain Coltel Lead product manager at Alsid

Yves Le Provost Security auditor at ANSSI

You are performing a pentest. You just owned the first domain controller. That was easy. All the computers are belong to you. But unfortunately, you can't reach the final goal. The last target is further in the network, non accessible and heavily filtered. Thankfully, one last hope remains. You realize the target domain pulls its updates from the WSUS server of the compromised domain, the one you fully control. Hope is back... But once again, it fails. The only tools available for controlling the updates are not working: they require a network attack that is prevented by the network architecture and the server configuration. All hope is lost...

We will present you a new approach, allowing you to circumvent these limitations and to exploit this situation in order to deliver updates. Thus, you will be able to control the targeted network from the very WSUS server you own. By extension, this approach may serve as a basis for an air gap attack for disconnected networks.

Our talk will describe vulnerable architectures to this approach and also make some in-context demonstration of the attack with new public tooling. Finally, as nothing is inescapable, we will also explain how you can protect your update architecture.

Romain Coltel
Romain Coltel is the lead product manager in a french startup, Alsid IT, tackling Active Directory problems down to the core, and he's thus currently doing a lot of research and development on various Active Directory technologies. He's also teaching the well-received SANS SEC660 in France, each time with the author's congratulations at the end of the session.

Before that, he was acquiring his experience in the french National Cybersecurity Agency (ANSSI) as an IT auditor, where he performed penetration testing, various security researches and tools development. As a development example, he's the lead developer of dislocker, a tool to decrypt BitLocker-encrypted partitions on Linux, OSX and FreeBSD. He also implemented the AES-XEX and -XTS modes for the famous mbedTLS library.

Yves Le Provost
Yves Le Provost is a security auditor for more than 10 years. He's working for ANSSI, the french National Cybersecurity Agency since 5 years ago. During these five years defending french administrations, he specialized in database security, OS internals, SCADA architecture and penetration testing.

In parallel, he's teaching french engineering schools about various security topics.

Back to top

D0 No H4RM: A Healthcare Security Conversation

Saturday at 20:00 - 22:00 in Modena Room

Evening Lounge

Christian "quaddi" Dameff MD MS Hacker

Jeff "r3plicant" Tully MD Hacker

Beau Woods Deputy director of the Cyber Statecraft Initiative in the Brent Scowcroft on International Security

Joshua Corman Director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center

Michael C. McNeil Privacy and security expert, Philips Healthcare

Jay Radcliffe Senior Security Consultant and Researcher, Rapid7

Suzanne Schwartz, MD, MBA Associate Director for Science & Strategic Partnerships, FDA'Center for Devices & Radiological Health (CDRH)

Previously a free-flowing, fast moving conversation between old friends and new colleagues in a dimly lit and alcohol soaked off-strip hotel suite, the third annual edition of "D0 No H4rm" moves to the better lit and even more alcohol soaked auspices of the DEF CON 25 Evening Lounge for a two hour session that links makers, breakers, and wonks in the healthcare space for a continuation of what may be one of the most important conversations in all of hackerdom- how to ensure the safety and security of patients in a system more connected and vulnerable than ever before. Join physician researchers quaddi and r3plicant, and researcher turned wonk Beau Woods as they offer an update on the state of the field and curate an interactive and engaging panel before breaking out the bottle and getting social. Continuing a tradition that has sparked professional connections, project ideas, and enduring friendships, "D0 No H4rm" aims to offer a prescription for the future, and we want your voice to be heard.

Christian "quaddi" Dameff MD MS
Christian (quaddi) Dameff is an emergency medicine physician, former open capture the flag champion, prior DEF CON speaker, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Security research topics including hacking critical healthcare infrastructure and medical devices. This is his thirteenth DEF CON.


Jeff "r3plicant" Tully MD
Jeff Tully is an anesthesiologist, pediatrician, and researcher with an interest in understanding the ever-growing intersections between health care and technology. Prior to medical school he worked on "hacking" the genetic code of Salmonella bacteria to create anti-cancer tools, and throughout medical training has remained involved in the conversations and projects that will secure healthcare and protect our patients as we face a brave new world of remote care, implantable medical devices, and biohacking.


Beau Woods
Beau Woods is the deputy director of the Cyber Statecraft Initiative in the Brent Scowcroft on International Security. His focus is the intersection of cyber (yes, he'll drink for that) security and the human condition, primarily around Cyber Safety. This comes out of the I Am The Cavalry initiative, ensuring the connected technology that can impact life and safety is worthy of our trust. Beau started his career working at a regional health provider, protecting patients by defending medical data and devices.


Joshua Corman
Joshua Corman is the director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center and a founder of I am The Cavalry (dot org). Corman previously served as CTO for Sonatype, director of security intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serving as an adjunct faculty for Carnegie Mellon's Heinz College and on the 2016 HHS Cybersecurity Task Force.

Michael C. McNeil
Michael C. McNeil is a noted privacy and security expert who leads the Global Product Security and Services organization at Philips Healthcare. In this capacity, McNeil leads the global product security and data protection program for the company. He is also a member of the Visual Privacy Advisory Council (VPAC) , Medical Device Privacy Consortium (MDPC), Medical Device Innovation, Safety and Services Consortium (MDISS) and a frequent speaker at privacy and security conferences around the world.

Jay Radcliffe
Jay Radcliffe is a Senior Security Consultant and Researcher at Rapid7. He is an offensive penetration tester with a knack for hardware hacking and embedded device security. He has given dozens of presentations at conferences around the world including DEF CON and Blackhat including several on the security of insulin pumps.

Suzanne Schwartz, MD, MBA
Suzanne Schwartz, MD, MBA is the Associate Director for Science & Strategic Partnerships at FDA's Center for Devices & Radiological Health (CDRH). Among other public health concerns, her portfolio has most notably included medical device cybersecurity, for which she chairs CDRH's Cybersecurity Working Group. She also co-chairs the Government Coordinating Council for Healthcare & Public Health critical infrastructure sector. Before FDA, Suzanne was a full time surgical faculty member at Weill Cornell Medical College.

Back to top

Breaking Bitcoin Hardware Wallets

Sunday at 10:00 in Track 3

20 minutes | Demo, Exploit

Josh Datko Principal Engineer, Cryptotronix LLC

Chris Quartier Embedded Engineer, Cryptotronix, LLC

The security of your bitcoins rests entirely in the security of your private key. Bitcoin hardware wallets help protect against software-based attacks to recover or misuse your key. However, hardware attacks on these wallets are not as well studied. In 2015, Jochen Hoenicke was able to extract the private key from a TREZOR using a simple power analysis technique. While that vulnerability was patched, he suggested the Microcontroller on the TREZOR, which is also the same on the KeepKey, may be vulnerable to additional side channel attacks.

In this presentation we will quickly overview fault injection techniques, timing, and power analysis methods using the Open Source Hardware tool, the ChipWhisperer. We then show how to apply these techniques to the STM32F205 which is the MCU on the Trezor and KeepKey. Lastly, we will present our findings of a timing attack vulnerability and conclude with software and hardware recommendations to improve bitcoin hardware wallets. We will show and share our tools and methods to help you get started in breaking your own wallet!

Josh Datko
Josh Datko is the owner of Cryptotronix, an embedded security consultancy. As a submarine officer, he was sent to Afghanistan to ensure that the Tailiban did not develop a submarine force—mission accomplished! He wrote a book on BeagleBones and crypto hardware which not many people have read, talked about embedded security at Portland BSides and HOPE, and presented a better way to make a hardware implant at DEF CON 22 which hopefully helped the NSA improve their spying.

Chris Quartier
Chris is the lead embedded hacker at Cryptotronix. He has worked at both big companies and IoT startups as an embedded developer working on bare metal and embedded linux board bring up, driver development, and trying to get those little logic analyzer clips to stay connected to a target. He's hacked on radios, rail guns, and fitness trackers but not all at the same time.

Back to top

DEF CON 101 Panel

Thursday at 16:00 in 101 Track

105 minutes | Hacker History, Audience Participation

HighWiz Founder, DC101

Malware Unicorn

Niki7a Director of Content & Coordination, DEF CON

Roamer CFP Vocal Antagonizer, DEF CON



The DEF CON panel is the place to go to learn about the many facets of DEF CON and to begin your DEF CONian Adventure. Here you will begin your adventure that will include more than just listening in the talk tracks. You can get hands-on experience in the Villages and witness amazing feats of programming in Demo Labs. You may even display your own powers by participating in a contest or two in the Events and Contest Area. The panel will give you what you need to know to navigate DEF CON to your best advantage. We have speakers who will regale you with tales of how they came to be at DEF CON and (hopefully) inspire you with their personal experiences. Oh yeah, there is the time honored "Name the Noob", with lots of laughs and even some prizes.

Born of glitter and moon beams, HighWiz is the things that dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people, he set about to create an event that would give the n00bs of DEF CON a place to feel welcomed and further their own pursuit of knowledge. HighWiz is the fabled Man on the Mountain whom people seek to gain a taste of his forbidden knowledge. He is a rare sighting at DEF CON only to be glimpsed by those lucky few.

Malware Unicorn
As a girl growing up, she was told she could be anything so she decided to be a unicorn. Ever since, she has made it her mission to ensure the truth is out there. Do not attempt to use malware pickup lines on her as she will pull them apart and you risk having your face impaled. Though she is fierce, she is also graceful, peaceful and determined. She is also an awesome artist.

There is truly only one sorceress that ensures the machinations of Def Con continue to move. She is both in tune with the magic and digital functions and is the power behind the CFP board from start to finish as well as the coordination of so many other activities behind the curtain. She works tirelessly year-round to make sure everything runs smoothly. Also, she is fun at parties and awesome AF.


Appearing in a cloud of (cigarette) smoke, Roamer is a man full of whiskey and ideas. He has appeared at DEF CON since before (almost) the beginning. He is a renown author, speaker, pontificator and is famous for giving the most entertaining Worldwide Wardrive talk. He is also the Grand Vizier of All Things Vendor - you are welcome.

Wiseacre was introduced to DEF CON by Roamer. Though he appeared at his first DEF CON because of the Capture the Flag contest, Roamer and HighWiz showed him how to make DEF CON so much more than simply attending the talks. From then on he made a point to participate in as much as he could. Of course, this was all within the limits of social anxiety so, if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all. Mike would like to thank Highwiz for everything.

Shaggy has the Voice of Barry White, the brains of Albert Einstein and the soul of Bea Arthur. He has a few philosophies on life: He believes that while the righteous keep moving forward, those with clean hands become stronger and stronger . That the field of battle between God and Satan is the human soul. It is in the soul that the battle rages every moment of life. He also believes that one should Start by doing what's necessary; then do what's possible; and suddenly you are doing the impossible. Because You learn to speak by speaking, to study by studying, to run by running, to work by working, and just so, you learn to love by loving. All those who think to learn in any other way deceive themselves.

Back to top

Panel: DEF CON Groups

Friday at 17:00 in Track 2

45 minutes | Audience Participation

Jeff Moss (Dark Tangent) Founder, DEF CON


Brent White (B1TKILL3R) DCG and DC615

Jayson E. Street DCG Ambassador

Grifter DC801

Jun Li DC010

S0ups DC225

Major Malfunction DC4420

Do you love DEF CON? Do you hate having to wait for it all year? Well, thanks to DEF CON groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us!

In this talk, you'll hear from DEF CON's founder, Dark Tangent, who is also moderating the panel. Jayson E. Street, the Ambassador of DEF CON groups will also discuss updates about the program and share information from his global travel to help start groups around the world. We will also discuss what DEF CON groups are, how to get involved, as well as ideas for how to run a group, location ideas, and how to spread the word.

Founders of their own local DEF CON groups will also discuss the awesome projects of their groups, as well as projects from other groups, to give ideas to take back to your own DEF CON group. Projects we'll discuss range from custom badge build, IoT devices, vintage gaming systems, custom built routers, smarthome devices and more!

Jeff Moss (Dark Tangent)
Bio Coming soon.

Bio Coming soon.

Brent White (B1TKILL3R)
Bio Coming soon.

Jayson E. Street
Bio Coming soon.

Bio Coming soon.

Jun Li
Bio Coming soon.

Bio Coming soon.

Major Malfunction
Bio Coming soon.

Back to top

From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices

Thursday at 11:00 in 101 Track

45 minutes

Patrick DeSantis Senior Security Research Engineer, Cisco Talos

Stringing together the exploitation of several seemingly uninteresting vulnerabilities can be a fun challenge for security researchers, penetration testers, and malicious attackers. This talk follows some of the paths and thought processes that one researcher followed while evaluating the security of several new "out of the box" Industrial Control System (ICS) and Internet of Things (IoT) devices, using a variety of well known exploitation and analysis techniques, and eventually finding undocumented, root-level, and sometimes un-removable, backdoor accounts.

Patrick DeSantis
Patrick DeSantis is a security researcher with Cisco Talos and focuses his efforts on discovery and exploitation of vulnerabilities in technologies that have an impact on the physical world, such as Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Internet of Things (IoT), and anything else that looks like it's asking to be hacked. Patrick's background includes work in both the public and private sectors, as well as a pile of information security certifications and a few college degrees.


Back to top

Koadic C3 - Windows COM Command & Control Framework

Saturday at 13:00 in Track 2

45 minutes | Demo, Tool

Sean Dillon (zerosum0x0) Senior Security Analyst, RiskSense, Inc.

Zach Harding (Aleph-Naught-) Senior Security Analyst, RiskSense, Inc.

Koadic C3, or COM Command & Control, is a Windows post-exploitation tool similar to other penetration testing rootkits such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using the Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

An in-depth view of default COM objects will be provided. COM is a fairly underexplored, large attack surface in Windows. We will share lots of weird Windows scripting quirks with interesting workarounds we discovered during the course of development. Post exploitation with PowerShell has grown in popularity in recent years, and seeing what can be done with just the basic Windows Script Host is an interesting exploration. In addition, defenses against this type of tool will be discussed, as the Windows Script Host is more tightly coupled to the core of Windows than PowerShell is.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has available). We also found numerous ways to "fork to shellcode" in an environment which traditionally does not provide such capabilities. This talk is based on original research by ourselves, as well as the previous amazing work of engima0x3, subTee, tiraniddo, and others.

Sean Dillon (zerosum0x0)
Sean Dillon is a senior security analyst at RiskSense, Inc. He has an established research focus on attacking the Windows kernel, and was the first to reverse engineer the DOUBLEPULSAR SMB backdoor. He is a co-author of the ETERNALBLUE Metasploit module and contributions to the project. He has previously been a software engineer in the avionics and insurance industries, and his favorite IDE is still GW-Basic on DOS.

Zach Harding (Aleph-Naught-)
Zach Harding is a senior security analyst at RiskSense, Inc. Zach formerly served in the US Army as a combat medic. He, along with Sean Dillon and others, improved leaked NSA code to release the "ExtraBacon 2.0" Cisco ASA exploit package. He is an avid tester of every penetration tool he can get a hold of. You know the guy who's always looking for available public WiFi, or fiddling with a kiosk machine? That's Zach.

Back to top

Next-Generation Tor Onion Services

Friday at 13:00 in Track 4

45 minutes | 0025

Roger Dingledine The Tor Project

Millions of people around the world use Tor every day to protect themselves from surveillance and censorship. While most people use Tor to reach ordinary websites more safely, a tiny fraction of Tor traffic makes up what overhyped journalists like to call the "dark web". Tor onion services (formerly known as Tor hidden services) let people run Internet services such as websites in a way where both the service and the people reaching it can get stronger security and privacy.

I wrote the original onion service code as a toy example in 2004, and it sure is showing its age. In particular, mistakes in the original protocol are now being actively exploited by fear-mongering "threat intelligence" companies to build lists of onion services even when the service operators thought they would stay under the radar.

These design flaws are a problem because people rely on onion services for many cool use cases, like metadata-free chat and file sharing, safe interaction between journalists and their sources, safe software updates, and more secure ways to reach popular websites like Facebook.

In this talk I'll present our new and improved onion service design, which provides stronger security and better scalability. I'll also publish a new release of the Tor software that lets people use the new design.

Roger Dingledine
Roger Dingledine is President and co-founder of the Tor Project, a non-profit that writes software to keep people around the world safe on the Internet.

Roger is a leading researcher in anonymous communications and a frequent public speaker. He coordinates and mentors academic researchers working on Tor-related topics, he is on the board of organizers for the international Privacy Enhancing Technologies Symposium (PETS), and he has authored or co-authored over two dozen peer-reviewed research papers on anonymous communications and privacy tools.

Among his achievements, Roger was chosen by the MIT Technology Review as one of its top 35 innovators under 35, he co-authored the Tor design paper that won a Usenix Security "Test of Time" award, and he has been recognized by Foreign Policy magazine as one of its top 100 global thinkers.

Roger graduated from The Massachusetts Institute of Technology and holds a Master's degree in electrical engineering and computer science as well as undergraduate degrees in computer science and mathematics.

Back to top

$BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning?

Saturday at 10:00 in Track 2

45 minutes

Cory Doctorow, science fiction author, activist, journalist and blogger.

Is Net Neutrality on the up or down? Is DRM rising or falling? Is crypto being banned, or will it win, and if it does, will its major application be ransomware or revolution? Is the arc of history bending toward justice, or snapping abruptly and plummeting toward barbarism?

It's complicated.

A better world isn't a product, it's a process. The right question isn't, "Does the internet make us better or worse," its: "HOW DO WE MAKE AN INTERNET THAT MAKES THE WORLD BETTER?" We make the world better with code, sure, but also with conversations, with businesses, with lawsuits and with laws.

We don't know how to get to a better world, but we know which direction it's in, and we know how to hill-climb towards it. If we keep heading that way, we'll get *somewhere*. Somewhere good. Somewhere imperfect. Somewhere where improvement is possible.

Cory Doctorow
Cory Doctorow ( is a science fiction author, activist, journalist and blogger - the co-editor of Boing Boing ( and the author of WALKAWAY, a novel for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN'T WANT TO BE FREE, and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER and novels for adults like RAPTURE OF THE NERDS and MAKERS. He works for the Electronic Frontier Foundation, is a MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles.


Back to top

Breaking the x86 Instruction Set

Friday at 14:00 in Track 3

45 minutes | Demo, Tool

Christopher Domas Security Researcher, Battelle Memorial Institute

A processor is not a trusted black box for running code; on the contrary, modern x86 chips are packed full of secret instructions and hardware bugs. In this talk, we'll demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in your chipset. We'll disclose new x86 hardware glitches, previously unknown machine instructions, ubiquitous software bugs, and flaws in enterprise hypervisors. Best of all, we'll release our sandsifter toolset, so that you can audit - and break - your own processor.

Christopher Domas
Christopher Domas is a cyber security researcher and embedded systems engineer, currently investigating low level processor exploitation. He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), and Turing-machines in the vi text editor. His more relevant work includes the binary visualization tool ..cantor.dust.. and the memory sinkhole x86 privilege escalation exploit.


Back to top

Welcome to DEF CON 25

Friday at 10:00 in Track 2

20 minutes | Hacker History

The Dark Tangent Founder, DEF CON

The Dark Tangent welcomes everyone to DEF CON 25, our silver anniversary!

The Dark Tangent

Back to top

Dark Data

Friday at 15:00 in Track 3

45 minutes

Svea Eckert NDR

Andreas Dewes PhD

A judge with preferences for hard core porn, a police officer investigating a cyber-crime, a politician ordering burn out medication - this kind of very personal and private information is on the market. Get sold to who is willing to pay for.

In a long time experiment, with the help of some social engineering techniques, we were able to get our hands on the most private data you can find on the internet. Click stream data of three million German citizens. They contain every URL they have looked at, every second, every hour, every day for 31 days. In our talk we will not only show how we got that data, but how you can de-anonymize it with some simple techniques.

This data is collected worldwide by big companies, whose legal purpose is to sell analytics and insights for marketers and businesses. In the shadow of Google and Facebook, companies have evolved, their names unknown to a broader public but making billions of dollars with your data. The new oil of the 20th century.

Our experiment shows in a drastic way, what the youngest decision reversing the Broadband Privacy Rule means. What the consequences for everyday life could be, when ISPs are allowed to sell your browsing data. And why that piece of regulation from the FCC was so important regarding privacy and constitutional rights.

Svea Eckert
Svea Eckert works as a freelance journalist for Germany's main public service broadcaster "Das Erste" (ARD). She is researching and reporting investigative issues for the PrimeTime news shows and high quality documentaries. Her main focus lies on new technology: computer and network security, digital economics and data protection.

Bigger projects and documentaries are for example "Superpower Wikileaks?" (ARD), "Facebook - Billion Dollar Business friendship" (ARD), her first book "Monitored and spied out: Prism, NSA, Facebook & Co" and in 2015 "Netwars" (ARD). Svea Eckert studied "Journalism and Communications" and Economics in Hamburg. She completed her journalistic training at NDR, Hamburg and Hannover.

Twitter: @sveckert

Andreas Dewes
Andreas Dewes is a trained physicist with a PhD in experimental quantum computing and a degree in quantitative economics. He has a passion for data analysis and software development. He has received numerous awards for his work on data analysis and his work on data privacy and big data has been featured in the national and international press.

Twitter: @japh44
Github: adewes

Back to top

Panel - An Evening with the EFF

Friday at 20:00 - 22:00 in Trevi Room

Evening Lounge | 0025

Kurt Opsahl Deputy Executive Director & General Counsel, Electronic Frontier Foundation

Nate Cardozo EFF Senior Staff Attorney

Eva Galperin EFF Director of Cyber security

Shabid Buttar Director of Grassroots Advocacy

Kit Walsh EFF Staff Attorney

Relax and enjoy in an evening lounge while you get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premiere digital civil liberties group fighting for freedom and privacy in the computer age. This Evening Lounge discussion will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more.

Kurt Opsahl
KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

@kurtopsahl, @eff

Nate Cardozo
NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation's digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

Eva Galperin
EVA GALPERIN is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learning new languages.

Shabid Buttar
SHAHID BUTTAR is EFF’s Director of Grassroots Advocacy, who leads EFF's grassroots and student outreach efforts, including the organizing the Electronic Frontier Alliance. He's a constitutional lawyer focused on the intersection of community organizing and policy reform as a lever to shift legal norms, with roots in communities across the country resisting mass surveillance. From 2009 to 2015, he led the Bill of Rights Defense Committee as Executive Director. After graduating from Stanford Law School in 2003, where he grew immersed in the movement to stop the war in Iraq, Shahid worked for a decade in Washington, D.C. He first worked in private practice for a large California-based law firm, with public interest litigation projects advancing campaign finance reform, and marriage equality for same-sex couples as early as 2004, when LGBT rights remained politically marginal. From 2005 to 2008, he helped build a national progressive legal network and managed the communications team at the American Constitution Society for Law & Policy, and in 2008 and 2009 he founded the program to combat racial & religious profiling at Muslim Advocates. Outside of work, Shahid DJs and produces electronic music, writes poetry & prose, kicks rhymes, organizes guerilla poetry insurgencies, plays capoeira, speaks truth to power on Truthout, occasionally elucidates legal scholarship, and documents counter-cultural activism for the Burning Man Journal.

Kit Walsh
KIT WALSH is a staff attorney at EFF, working on free speech, net neutrality, copyright, coders' rights, and other issues that relate to freedom of expression and access to knowledge. She has worked for years to support the rights of political protesters, journalists, remix artists, and technologists to agitate for social change and to express themselves through their stories and ideas. Prior to joining EFF, Kit led the civil liberties and patent practice areas at the Cyberlaw Clinic, part of Harvard's Berkman Center for Internet and Society, and previously Kit worked at the law firm of Wolf, Greenfield & Sacks, litigating patent, trademark, and copyright cases in courts across the country. Kit holds a J.D. from Harvard Law School and a B.S. in neuroscience from MIT, where she studied brain-computer interfaces and designed cyborgs and artificial bacteria.

Back to top

Attacking Autonomic Networks

Saturday at 14:00 in 101 Track

45 minutes | Demo, Exploit

Omar Eissa Security Analyst, ERNW GmbH

Autonomic systems are smart systems which do not need any human management or intervention. Cisco is one of the first companies to deploy the technology in which the routers are just "Plug and Play" with no need for configuration. All that is needed is 5 commands to build fully automated network. It is already supported in pretty much all of the recent software images for enterprise level and carrier grade routers/switches.

This is the bright side of the technology. On the other hand, the configuration is hidden and the interfaces are inaccessible. The protocol is proprietary and there is no mechanism to know what is running within your network.

In this talk, we will have a quick overview on Cisco's Autonomic Network Architecture, then I will reverse-engineer the proprietary protocol through its multiple phases. Finally, multiple vulnerabilities (overall 5) will be presented, one of which allows to crash systems remotely by knowing their IPv6 address.

Omar Eissa
Omar Eissa is a security Analyst working for ERNW. His interests are network security and reverse-engineering. He is a professional Cisco engineer with various years of experience in enterprise and ISPs networks. He has given talks and workshops at various telco events and conferences like Troopers17 and Black Hat USA 2017.

Back to top

Demystifying Windows Kernel Exploitation by Abusing GDI Objects.

Saturday at 13:00 in 101 Track

45 minutes | Demo, Exploit

5A1F (Saif El-Sherei) Security Analyst, SensePost

Windows kernel exploitation is a difficult field to get into. Learning the field well enough to write your own exploits require full walkthroughs and few of those exist. This talk will do that, release two exploits and a new GDI object abuse technique.

We will provide all the detailed steps taken to develop a full privilege escalation exploit. The process includes reversing a Microsoft's patch, identifying and analyzing two bugs, developing PoCs to trigger them, turning them into code execution and then putting it all together. The result is an exploit for Windows 8.1 x64 using GDI bitmap objects and a new, previously unreleased Windows 7 SP1 x86 exploit involving the abuse of a newly discovered GDI object abuse technique.

5A1F (Saif El-Sherei)
Saif is a senior analyst with SensePost. He has a keen interest in exploit development and sharing everything he learns. Over the years he has released several exploitation tutorials, examples and a grammar-based browser fuzzer, wadi (DEF CON 23).


Back to top

Panel: Meet The Feds

Friday at 10:20 in Track 4

75 minutes

Andrea Matwyshyn Cranky law professor.

Terrell McSweeny Commissioner, Federal Trade Commission

Dr. Suzanne Schwartz FDA

Leonard Bailey Special Counsel for National Security, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice

Lisa Wiswell Principal, Grimm
Fellow, Center for Strategic and International Studies

Making legal and policy progress on security is hard, especially when it involves coordinating with teams inside and across federal agencies/departments. But, there *are* success stories. DOJ, FDA, FTC, and DoD have all evolved in positive directions in their approach to security over the last five years, engaging more robustly with the security research community. The panelists will introduce their respective agencies/ departments, explain their missions, and describe the evolution of their organizations' approach across time to security and security research. As always, the panelists look forward to answering your questions.

Andrea Matwyshyn
Andrea Matwyshyn is an academic and author whose work focuses on technology and innovation policy, particularly information security, consumer privacy, intellectual property, and technology workforce pipeline policy. She is a (tenured full) professor of law / professor of computer science (by courtesy) at Northeastern University, where she is the co-director of the Center for Law, Innovation, and Creativity (CLIC). Andrea is also a faculty affiliate of the Center for Internet and Society at Stanford Law School and a visiting research collaborator at the Center for Information Technology Policy at Princeton University, where she was the Microsoft Visiting Professor of Information Technology Policy during 2014-15. She is a Senior Fellow of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center on International Security and a US-UK Fulbright Commission Cyber Security Scholar award recipient in 2016-2017. In 2014, she served as the Senior Policy Advisor/ Academic in Residence at the U.S. Federal Trade Commission. Prior to entering the academy, she was a corporate attorney in private practice.

Terrell McSweeny
Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design–but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.


Dr. Suzanne Schwartz
Dr. Suzanne Schwartz is the Associate Director for Science & Strategic Partnerships at FDA’s Center for Devices & Radiological Health (CDRH). In this role, she assists the CDRH Director and Deputy Director for Science in the development, execution and evaluation of the Center’s biomedical science and engineering programs. Suzanne is passionate about cultivating critical dialogue across sectors and across entities towards advancing innovation in the biomedical space and within healthcare, where complex multifaceted problems exist. Suzanne joined FDA in October 2010. Initially recruited as a Commissioner’s Fellow, she became a Medical Officer in the Office of Device Evaluation, transitioning in September 2012 to become the Director of CDRH’s Emergency Preparedness/Operations and Medical Countermeasures (EMCM) Program in the Office of the Center Director for the past 4 years. Among other public health concerns, her portfolio has most notably included medical device cybersecurity, for which she chairs CDRH’s Cybersecurity Working Group. She also co-chairs the Government Coordinating Council for Healthcare & Public Health critical infrastructure sector. Before FDA, Suzanne was a full time surgical faculty member at Weill Cornell Medical College, New York. Suzanne’s career has spanned the private sector as well, having served as Medical Director & Tissue Bank Director of Ortec International, a development stage medical device company focused on tissue engineering therapeutic approaches to burns and chronic wounds. Suzanne earned an MD from Albert Einstein College of Medicine, trained in General Surgery & Burn Trauma at the New York Presbyterian Hospital - Weill Cornell Medical Center; an executive MBA from NYU Stern School of Business, and completed the National Preparedness Leadership Initiative – Harvard School of Public Health & Kennedy School of Government.

Leonard Bailey
Leonard Bailey joined the Department of Justice's Terrorism and Violent Crime Section (TVCS) in 1991 where he handled litigation and investigations, managed departmental policies governing criminal enforcement and intelligence collection, and participated in the negotiation of international treaties concerning terrorist funding. He subsequently served as Special Counsel and Special Investigative Counsel to the Department's Inspector General while conducting investigations of senior Department officials and sensitive departmental programs. In 2000, he joined the Computer Crime and Intellectual Property Section (CCIPS) where he has prosecuted cases involving federal violations of computer crime and intellectual property statutes; advised on matters related to searching and seizing electronic evidence, investigating and prosecuting network intrusions, and conducting electronic surveillance; and chaired the Organization of American States' Group of Government Experts on Cybercrime. He has been Special Counsel for National Security in CCIPS since 2008. In 2009, he accepted a position as Senior Counselor to the Assistant Attorney General for the National Security Division, where he managed issues associated with cybersecurity, critical infrastructure protection, and national security investigations and operations involving cyber threats to national security. In 2012, he managed and set cyber policy for the Department of Justice as an Associate Deputy Attorney General before returning to the Criminal Division in 2013. Leonard received his B.A. from Yale University in 1987 and his J.D. from Yale Law School in 1991. He is an adjunct professor at Georgetown Law School, where he teaches cybersecurity law..

Lisa Wiswell
Lisa Wiswell worked for the better part of the past decade with the Department of Defense to shift its culture to interact more positively with the hacker community. At the Defense Digital Service, she hacked the Department of Defense bureaucracy and its antiquated and restrictive policies and processes. She was appointed Special Assistant to the Deputy Assistant Secretary of Defense for Cyber Policy in the Office of the Secretary of Defense where she supported senior DoD leaders by formulating and implementing policies and strategies to improve DoD’s ability to operate in digital space – specifically providing guidance and governance over the manning, training, and equipping of the Cyber Mission Force. Prior to serving in the Obama Administration, she served as Technology Portfolio Manager at the Defense Advanced Research Projects Agency overseeing a portfolio of cyberwarfare initiatives directly contributing to national security. Prior to supporting the DoD, Lisa worked on Capitol Hill for her home Member of Congress. She holds a BA in History and Political Science from the Maxwell School of Public Citizenship at Syracuse University, and a Masters in Technology Management from Georgetown University. Lisa is a privacy rights and STEM outreach advocate. She is now a Principal at Grimm and a Fellow at the Center for Strategic and International Studies.

Back to top

Panel - Meet the Feds (who care about security research)

Saturday at 20:00 - 22:00 in Capri Room

Evening Lounge

Allan Friedman Director of Cybersecurity, National Telecommunications and Information Administration, US Department of Commerce

Amélie E. Koran Deputy Chief Information Officer, U.S. Department of Health and Human Services, Office of the Inspector General

Leonard Bailey Special Counsel for National Security, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice

Nick Leiserson Legislative Director, Office of Congressman James R. Langevin (RI-02)

Kimber DowsettSecurity Architect, 18F

Security research is no longer a foreign concept in Washington, DC. A growing number of policymakers are not only thinking about its importance, but are eager to work with hackers to better understand the implications of policy and to help hackers navigate laws that affect security research. Officials from the Department of Commerce, the Department of Justice, Health & Human Services, General Services Administration, and Congress will talk about how security policy has been evolving; help you understand how you can get involved and make your voice heard; and host an extended Q&A. Hear about everything from making laws more hacker friendly to encryption to government bug bounties to IoT security. It's your opportunity to meet the feds and ask them anything.

Allan Friedman
Allan Friedman is the Director of Cybersecurity Initiatives at National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA's multistakeholder processes, bringing together the community on issues like vulnerability disclosure and IoT Security. Prior to joining the Federal Government, Friedman spent over a decade as a noted cybersecurity and technology policy researcher at Harvard's Computer Science Department, the Brookings Institution, and George Washington University's Engineering School. He has a degree in computer science from Swarthmore College and a Ph.D. in public policy from Harvard University, and is the Co-Author of "Cybersecurity and Cyberwar: What Everyone Needs to Know".

Amélie E. Koran
serves as the Deputy Chief Information Officer for the U.S. Department of Health and Human Services, Office of the Inspector General. Amélie’s path to DHHS OIG took her the long way around - through multiple industry sectors, academia, and the public sector. Her professional experience includes time spent at The Walt Disney Company, Carnegie Mellon University CERT/CC, Mandiant, The World Bank, and The American Chemical Society. She began her time in the public sector as Lead Enterprise Security Architect for the U.S. Department of the Interior, eventually moving on to lead Continuous Diagnostics and Mitigation implementation for the U.S. Treasury Department. Amélie later spent time on a leadership development rotation as part of the President’s Management Council Fellowship serving the Federal CIO in supporting cybersecurity policy analysis and legislative review, where she took an active role in the government-wide Open Data Initiative and helped in giving “birth” to the United States Digital Service (USDS). She’s an ardent advocate for innovative approaches to hiring talent and rationally applying security strategies and technologies for the Federal Government space.


Leonard Bailey
Mr. Bailey is Special Counsel for National Security in the Computer Crime and Intellectual Property Section. He has prosecuted computer crime cases and routinely advises on cybersecurity, searching and seizing electronic evidence, and conducting electronic surveillance. He has managed DOJ cyber policy as Senior Counselor to the Assistant Attorney General for the National Security Division and then as an Associate Deputy Attorney General. He has also served as Special Counsel and Special Investigative Counsel for DOJ's Inspector General. Mr. Bailey is a graduate of Yale University and Yale Law School. He has taught courses on cybercrime and cybersecurity at Georgetown Law School and Columbus School of Law in Washington, D.C.

Nick Leiserson
Nick Leiserson is Legislative Director to Congressman Jim Langevin (RI-02), a senior member of the House Armed Services and Homeland Security Committees and the co-founder of the Congressional Cybersecurity Caucus. Leiserson serves as Rep. Langevin's principal advisor on an array of issues, particularly homeland security; judiciary; and technology policy. He holds a degree in computer science from Brown University.

Kimber Dowsett
Kimber Dowsett is the Security Architect for 18F, a digital services agency based within the US Government’s General Services Administration, who secures cloud infrastructure architecture while also serving as the Chief Incident Responder for the 18F platform. She is passionate about privacy, encryption, and building user-driven technology for the public.

Recently named one of the 2017 Top Women in Cybersecurity by CyberScoop, Kimber’s background is in Information Security, Incident Response, Security Policy, and Penetration Testing. She is an avid admirer of Chiroptera and is a connoisseur of comic books and video games.


Back to top

Secure Tokin' and Doobiekeys: How to roll your own counterfeit hardware security devices

Saturday at 11:00 in Track 2

45 minutes | Demo, Tool

Joe FitzPatrick

Michael Leibowitz Senior Trouble Maker

Let's face it, software security is still in pretty bad shape. We could tell ourselves that everything is fine, but in our hearts, we know the world is on fire. Even as hackers, it's incredibly hard to know whether your computer, phone, or secure messaging app is pwned. Of course, there's a Solution(tm) - hardware security devices.

We carry authentication tokens not only to secure our banking and corporate VPN connections, but also to access everything from cloud services to social networking. While we've isolated these 'trusted' hardware components from our potentially pwnd systems so that they might be more reliable, we will present scenarios against two popular hardware tokens where their trust can be easily undermined. After building our modified and counterfeit devices, we can use them to circumvent intended security assumptions made by their designers and users. In addition to covering technical details about our modifications and counterfeit designs, we'll explore a few attack scenarios for each.

Sharing is Caring, so after showing off a few demonstration, we'll walk you through the process of rolling your own Secure Tokin' and Doobiekey that you can pass around the circle at your next cryptoparty.

Joe FitzPatrick
Joe is an Instructor and Researcher at Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.


Michael Leibowitz
Michael has done hard-time in real-time. An old-school computer engineer by education, he spends his days hacking the mothership for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes DEF CON CFPs, and contributes to the NSA Playset.


Back to top

Secret Tools: Learning about Government Surveillance Software You Can't Ever See

Friday at 10:00 in Track 4

20 minutes | 0025

Peyton "Foofus" Engel Attorney at Hurley, Burish & Stanton, S.C.

Imagine that you're accused of a crime, and the basis of the accusation is a log entry generated by a piece of custom software. You might have some questions: does the software work? how accurate is it? how did it get the results that it did? Unfortunately, the software isn't available to the public. And you can't get access to the source code or even a working instance of the software. All you get are assurances that the software is in use by investigators around the globe, and doesn't do anything that law enforcement isn't supposed to be doing. Because you can trust the government, right?

This talk will look at a family of tools designed for investigating peer-to- peer networks. By synthesizing information from dozens of search warrant affidavits, and a few technical sources, we're able to put together at least a partial picture of the software's capabilities. But we'll also look at the reasons the government offers for keeping these tools out of the public eye and talk about whether they make sense. Finally, we'll examine the implications that investigations based on secret capabilities have for justice.

Peyton "Foofus" Engel
After 18 years in IT, with 16 of those years spent in security and penetration testing, Foofus now works as an attorney. But because he's got significant experience with the Internet and security, one area of his practice focuses on consulting with litigants where digital evidence is at stake. In this capacity he does forensic analysis and assists other attorneys with strategy for presenting (or calling into question) computer-based evidence. In his spare time, Foofus enjoys cooking, playing guitar, and opera. Oh, and remember CoffeeWars? Foofus was pretty involved with that

Back to top

Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years

Sunday at 11:00 in Track 2

45 minutes

Gus Fritschie CTO, SeNet International

Evan Teitelman Engineer, SeNet International

In this talk Gus and Evan will discuss the recent Hot Lotto fraud scandal and how one MUSL employee, Eddie Tipton, was able to rig several state lotteries and win $17 million (or perhaps more). Gus' firm is actively supporting the prosecution in this case. Evan was responsible for identifying and analyzing how Eddie was able to rig the RNG.

Details on the rigged RNG and other details from the case will be presented publicly for the first time during this talk.

For historical context other related attacks including the Ron Harris and hacking keno in the 1990's and a recent incident involving a Russian hacking syndicate's exploitation of slot machines will also be discussed.

Gus Fritschie
Gus Fritschie has been involved in information security since 2000. About 5 years ago (after his previous DEF CON presentation on iGaming security) he transitioned a significant portion of his practice into the gaming sector. Since then he has established himself and SeNet as the IT security leader in in gaming. He has supported a number of clients across the gaming spectrum from iGaming operators, land-based casinos, gaming manufacturer, lotteries, tribal gaming, and daily fantasy sports. In his free time he is a recreationally poker player (both online and B&M).


Evan Teitelman
Bio coming soon.

Back to top

MEATPISTOL, A Modular Malware Implant Framework

Friday at 17:00 in Track 3

45 minutes | Demo, Tool

FuzzyNop (Josh Schwartz) Director of Offensive Security @ Salesforce

ceyx (John Cramb) Hacker

Attention Red Teamers, Penetration Testers, and Offensive Security Operators, isn't the overhead of fighting attribution, spinning up infrastructure, and having to constantly re-write malware an absolute pain and timesink!?! It was for us too, so we're fixing that for good (well, maybe for evil). Join us for the public unveiling and open source release of our latest project, MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction. This framework is designed to meet the needs of offensive security operators requiring rapid configuration and creation of long lived malware implants and associated command and control infrastructure. Say goodbye to writing janky one-off malware and say hello to building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets.

FuzzyNop (Josh Schwartz) & ceyx (John Cramb)
FuzzyNop and ceyx were raised by computerized wolves with a penchant for fine art and rum based cocktails. While technically from different mothers and also sides of the world, they formed the first cyber wolf brothership shell-bent to ameliorate the state of targeted malware implants to support the ongoing war against the institutionalized mediocrity of the corporate shadow government. Working in tandem with dolphin researchers funded by the oligarch llamas they have found a way to synthesize powdered ethanol into mechanical pony fuel. Leading Offensive Security functions at Salesforce is merely a front to confuse the saurian overlords of their true purpose yet to be revealed...

Back to top

Call the plumber - you have a leak in your (named) pipe

Sunday at 14:00 in 101 Track

45 minutes | Demo

Gil Cohen CTO, Comsec group

The typical security professional is largely unfamiliar with the Windows named pipes interface, or considers it to be an internal-only communication interface.
As a result, open RPC (135) or SMB (445) ports are typically considered potentially entry points in "infrastructure" penetration tests.

However, named pipes can in fact be used as an application-level entry vector for well known attacks such as buffer overflow, denial of service or even code injection attacks and XML bombs, depending on the nature of listening service to the specific pipe on the target machine.

As it turns out, it seems that many popular and widely used Microsoft Windows-based enterprise applications open a large number of named pipes on each endpoint or server on which they are deployed, significantly increase an environment's attack surface without the organization or end user being aware of the risk.
Since there's a complete lack of awareness to the entry point, there's very limited options available to organizations to mitigate it, making it a perfect attack target for the sophisticated attacker.

In this presentation we will highlight how named pipes have become a neglected and forgotten external interface. We will show some tools that can help find vulnerable named pipes, discuss the mitigations, and demonstrate the exploitation process on a vulnerable interface.

Gil Cohen
Gil is an experienced application security instructor, architect, consultant and pentester just starting his 12th year in the field.

With past experience in the civilian, government and military cyber security industries, Gil currently serves as the CTO of Comsec Group, in charge of training, research, service lines, methodologies and quality assurance.

With a long time record as an SQL injection fanatic, Gil was responsible for publishing the "SQL Injection Anywhere" technique in 2010, which is currently in use in a variety of automated scanners in the market, and enables the blind detection and exploitation of potential injections in any part of the SQL statement.

He also has a taste for nostalgia, and has been working for a while on abuses to protocols that software developers would prefer to forget.


Back to top

I Know What You Are by the Smell of Your Wifi

Sunday at 10:00 in Track 2

20 minutes | Art of Defense, Demo, Tool, Audience Participation,

Denton Gentry Software Engineer

Existing fingerprinting mechanisms to identify client devices on a network tend to be coarse in their identification. For example they can tell it is an iPhone of some kind, or that it is a Samsung Android device of some model. They might look at DHCP information to know its OS, see if the client responds to SSDP, or check DNS-SD TXT responses.

By examining Wi-Fi Management frames we can identify the device much more specifically. We can tell a iPhone 5S from an iPhone 5, a Samsung Galaxy S8 from an S7, an LG G5 from a G4. This talk describes how the signature mechanism works.

Specifically identifying the client is the first step toward further scanning or analysis of that client's behavior on the network.

Denton Gentry
Denton Gentry is a software engineer who has worked at a lot of places and plans to work at a few more.

Back to top

Introducing HUNT: Data Driven Web Hacking & Manual Testing

Saturday at 17:00 in Track 3

45 minutes | Demo, Tool

Jason Haddix Head of Trust and Security @ Bugcrowd

What if you could super-charge your web hacking? Not through pure automation (since it can miss so much) but through powerful alerts created from real threat intelligence? What if you had a Burp plugin that did this for you? What if that plugin not only told you where to look for vulns but also gave you curated resources for additional exploitation and methodology? What if you could organize your web hacking methodology inside of your tools? Well, now you do! HUNT is a new Burp Suite extension that aims to arm web hackers with parameter level suggestions on where to look for certain classes of vulnerabilities (SQLi, CMDi, LFI/RFI, and more!). This data is parsed from hundreds of real-world assessments, providing the user with the means to effectively root out critical issues. Not only will HUNT help you assess large targets more thoroughly but it also aims to organize common web hacking methodologies right inside of Burp suite. As an open source project, we will go over the data driven design of HUNT and it's core functionality.

Jason Haddix
Jason is the Head of Trust and Security at Bugcrowd. Jason trains and works with internal security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industries relations with the researchers. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, and static analysis. Jason lives in Santa Barbara with his wife and three children. Before joining Bugcrowd Jason was the Director of Penetration Testing for HP Fortify and also held the #1 rank on the Bugcrowd leaderboard for 2014.


Contributor Acknowledgement:
The Speaker would like to acknowledge the following for their contribution to the presentation.

JP Villanueva is a Trust & Security Engineer at Bugcrowd. Before Bugcrowd, JP spent 2 years as an Application Security Engineer and another 2 years as a Solutions Architect at WhiteHat Security helping customers become more secure. JP has also presented at OWASP and Interop DarkReading events. In his free time, JP enjoys playing classic video games and hacking on bug bounty programs.

Fatih is an Application Security Engineer at Bugcrowd and Bug Hunter located in Istanbul/Turkey. Before Bugcrowd, he was a security consultant at InnoveraBT and performed penetration testing for clients including government, banks, trade, and finance companies. His expertise includes network, web applications, mobile security assessments, and auditing. He also holds OSCP, OSCE, GWAPT certifications.

Ryan Black is the Director of Technical Operations at Bugcrowd where he heads strategy and operations for the Application Security Engineering team. This group reviews and validates tens of thousands of vulnerability reports to bug bounty programs.

Prior to joining Bugcrowd, Ryan developed and led the static analysis and code review team for HP Fortify on Demand, later expanding to DevOps tooling and integrations for the enterprise. He has also held various InfoSec and technology positions at companies such as Aflac and Apple in the last decade. In addition to professional experience, he holds several industry certifications and participates in a variety of open source software projects and initiatives. On personal time he enjoys coding, gaming, various crafts, and nature activities with his wife, two kids, and three dogs.

Vishal Shah is an Application Security Engineer specializing in web and mobile security at Bugcrowd. Prior to Bugcrowd, Vishal spent time as a Security Consultant with Cigital hacking and building automation for hackers. In his free time, Vishal enjoys working out, CTFs, and playing video games.

Back to top

Opt Out or Deauth Trying !- Anti-Tracking Bots Radios and Keystroke Injection

Thursday at 11:00 in 101 Track 2

45 minutes | 0025, Demo, Tool, Exploit

Weston Hecker Principal Application Security Engineer, "NCR"

It's hard not to use a service now days that doesn't track your every move and keystroke if you absolutely must use these systems why not give them the most useless information possible. Along with the fact that several companies are tracking their customers online now they are taking it to physical brick and mortar stores this talk will be geared looking at the attack surface of instore tracking and attacking these systems for the purpose of overloading their systems or making the information so inaccurate that it becomes useless. Watch as a 32 year old hackers online profile is turned to that of a 12 year old girl who loves horses!

Weston Hecker
With 12 Years Pen-testing, 13 years' security research and programming experience. Weston is currently working on the application security team of NCR Weston has recently Spoken at DEF CON 22,23 and 24, Blackhat 2016, HOPE11, Hardware.IO 2016, Takdowncon 2016, ICS cyber security 2016, Bsides Boston, Enterprise Connect 2016 ISC2-Security Congress, SC-Congress Toronto and over 60 other speaking engagements from regional events to universities on security subject matter. Working with A Major University's research project with Department of Homeland Security on 911 emergency systems and attack mitigation.Found several vulnerabilities' in very popular software and firmware. Including Microsoft, Qualcomm, Samsung, HTC, Verizon.

Back to top

Tracking Spies in the Skies

Saturday at 15:00 in Track 2

45 minutes | Art of Defense, 0025, Tool

Jason Hernandez Hacker / Technical Editor, North Star Post

Sam Richards Editor and Journalist, North Star Post

Jerod MacDonald-Evoy Journalist, North Star Post

Law enforcement agencies have used aircraft for decades to conduct surveillance, but modern radio, camera, and electronics technology has dramatically expanded the power and scope of police surveillance capabilities. The Iraq War and other conflicts have spurred the development of mass surveillance technologies and techniques that are now widely available to domestic police. The FBI, DEA, and other agencies flew powerful surveillance aircraft over cities for years in relative secrecy before breaking in to public attention in 2015. This presentation will discuss the capabilities of these aircraft, the discovery of the FBI and others' surveillance fleets, and continued efforts to shed light on aerial surveillance. We will discuss a method for detecting surveillance indicators in real time based on mutilateration of aggregated ADS-B data, and introduce code for detecting surveillance indicators from flight behavior.

Jason Hernandez
Jason Hernandez researches surveillance technology and reports on it for the North Star Post. Jason has a BS in economics, and has worked in the mining and technology industries. Jason has worked on algorithms to detect surveillance aircraft from ADS-B flight data.


Sam Richards
Sam Richards is an independent journalist, and founder of the North Star Post. Sam pieced together hundreds of FAA and corporate records to uncover the FBI's secret fleet of surveillance aircraft.


Jerod MacDonald-Evoy
Jerod MacDonald-Evoy is a journalist with the North Star Post, and a documentary filmmaker.


Back to top

Get-$pwnd: Attacking Battle-Hardened Windows Server

Saturday at 10:00 in Track 3

20 minutes | Demo, Tool

Lee Holmes Principal Security Architect, Microsoft

Windows Server has introduced major advances in remote management hardening in recent years through
PowerShell Just Enough Administration ("JEA"). When set up correctly, hardened JEA endpoints can provide
a formidable barrier for attackers: whitelisted commands, with no administrative access to the underlying
operating system.

In this presentation, watch as we show how to systematically destroy these hardened endpoints by exploiting
insecure coding practices and administrative complexity.

Lee Holmes
Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack,
System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook,
and an original member of the PowerShell development team.

Back to top

Bypassing Android Password Manager Apps Without Root

Sunday at 13:00 in Track 2

45 minutes | Demo, Exploit

Stephan Huber Fraunhofer SIT

Siegfried Rasthofer Fraunhofer SIT

Security experts recommend using different, complex passwords for individual services, but everybody knows the issue arising from this approach: It is impossible to keep all the complex passwords in mind. One solution to this issue are password managers, which aim to provide a secure, centralized storage for credentials. The rise of mobile password managers even allows the user to carry their credentials in their pocket, providing instant access to these credentials if required. This advantage can immediately turn into a disadvantage as all credentials are stored in one central location. What happens if your device gets lost, stolen or a hacker gets access to your device? Are your personal secrets and credentials secure?

We say no! In our recent analysis of well-known Android password manager apps, amongst them are vendors such as LastPass, Dashlane, 1Password, Avast, and several others, we aimed to bypass their security by either stealing the master password or by directly accessing the stored credentials. Implementation flaws resulted in severe security vulnerabilities. In all of those cases, no root permissions were required for a successful attack. We will explain our attacks in detail. We will also propose possible security fixes and recommendations on how to avoid the vulnerabilities.

Stephan Huber
Stephan Huber is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He found different vulnerabilities in well-known Android applications and the AOSP. In his spare time he enjoys teaching students in Android hacking.

Siegfried Rasthofer
Siegfried Rasthofer is a vulnerability- and malware-researcher at Fraunhofer SIT (Germany) and his main research focus is on applied software security on Android applications. He developed different tools that combine static and dynamic code analysis for security purposes and he is the founder of the CodeInspect reverse engineering tool. He likes to break Android applications and found various AOSP exploits. Most of his research is published at top tier academic conferences and industry conferences like DEF CON, BlackHat, HiTB, AVAR or VirusBulletin.

Back to top

Amateur Digital Archeology

Thursday at 13:00 in 101 Track

45 minutes

Matt 'openfly' Joyce Hacker at NYC Resistor

'Digital Archeology' is actually the name of a Digital Forensics text book. But what if we used forensics techniques targetting cyber crime investigations to help address the void in Archeology that addresses digital media and silicon artifacts. At NYC Resistor in Brooklyn we've gotten into the world of Digital Archeology on several occasions and the projects have been enjoyable and educational.

Now, imagine what could happen if a bunch of hackers are able to get their hands on a laptop pulled off of a space shuttle.

Then come to our talk and find out what ACTUALLY happened. I bought a laptop at auction that claimed to be off a Shuttle Mission. It turns out to have been mostly authentic. This will be a little foray into the history of this device and what I could find out about it, and how I did that.

Spoiler Alert: We found out a lot.

Bonus: I may have found the sister laptop of this laptop (serial numbers match)

Matt 'openfly' Joyce
Matt Joyce hates writing in the third person. He is a hacker at NYC Resistor in Brooklyn. He used to do NASA shit for a project called Nebula. He currently is doing this talk in no way representing current or past employers. Matt's last talk was at the American Homebrewer's Association.

Back to top

(Un)Fucking Forensics: Active/Passive (i.e. Offensive/Defensive) memory hacking/debugging.

Saturday at 10:20 in Track 4

20 minutes | Hacker History, Art of Defense, Demo, Tool

K2 Director, IOACTIVE

How to forensic, how to fuck forensics and how to un-fuck cyber forensics.

Defense: WTF is a RoP, why I care and how to detect it statically from memory. Counteract "Gargoyle" attacks.

Defense: For one of DEF CON 24's more popular anti-forensics talks (see int0x80 - Anti Forensics). In memory (passive debugging) techniques that allows for covert debugging of attackers (active passive means that we will (try hard to) not use events or methods that facilities are detectable by attackers).

Offense: CloudLeech - a cloud twist to Ulf Frisk Direct Memory Attack

K2 (w00w00, ADM, undernet, efnet, The Honeynet Project) is a devil in the details person who does not take themselves too serious and appreciates a good laugh. Earlier DEF CON presentations included polymorphic shellcode in the form of ADMMutate (see ADM Crew), low-level process detection, with page table analysis (Weird-Machine motivated shell code) and using the branch tracing store backdoor trick on Windows to counter Ransom ware, detect RoP (RunTime + HW Assisted) and draw cool graphs — "BlockFighting with a Hooker: BlockfFghter2!". All three of these are open source tools available (EhTrace and inVtero.Net are under active development).


Back to top

Hacking Democracy

Friday at 20:00 - 22:00 in Capri Room

Evening Lounge

Mr. Sean Kanuck Stanford University, Center for International Security and Cooperation

Are you curious about the impact of fake news and influence operations on elections? Are you concerned about the vulnerability of democratic institutions, the media, and civil society? Then come engage with your peers and the first US National Intelligence Officer for Cyber Issues on ways to hack democracy. He will: (1) provide a low-tech, strategic analysis of recent events, foreign intelligence threats, and the future of information warfare; (2) lead a Socratic dialogue with attendees about the trade-offs between national security and core democratic values (such as freedom, equality, and privacy); and (3) open the floor to audience questions and/or a moderated group debate.

This session is intended to be informal and participatory. It will cover a range of issues from supply chain attacks on voting machines to psychological operations by using an interdisciplinary approach that encompasses constitutional law, world history, game theory, social engineering, and international affairs. The discussion will occur against the backdrop of cyber security and critical infrastructure protection, but it will not examine any specific hardware or software systems; rather, it will concern the conceptual formulation and conduct of modern strategic influence campaigns. No specific knowledge is required, but a skeptical mind and mischievous intellect are a must.

Mr. Sean Kanuck
Sean Kanuck is an attorney and strategic consultant who advises governments, corporations, and entrepreneurs on the future of information technology. Sean is affiliated with Stanford University's Center for International Security and Cooperation and has received several international appointments, including: Chair of the Research Advisory Group for the Global Commission on the Stability of Cyberspace (Hague, Netherlands), Distinguished Visiting Fellow at Nanyang Technological University (Singapore), and Distinguished Fellow with the Observer Research Foundation (New Delhi, India). He regularly gives keynote addresses for global audiences on a variety of cyber topics, ranging from risk analysis to identity intelligence to arms control.

Sean served as the United States' first National Intelligence Officer for Cyber Issues from 2011 to 2016. He came to the National Intelligence Council after a decade of experience in the Central Intelligence Agency's Information Operations Center, including both analytic and field assignments. In his Senior Analytic Service role, he was a contributing author for the 2009 White House Cyberspace Policy Review, an Intelligence Fellow with the Directorates for Cybersecurity and Combating Terrorism at the National Security Council, and a member of the United States delegation to the United Nations Group of Governmental Experts on international information security.

Prior to government service, Sean practiced law with Skadden Arps in New York, where he specialized in mergers and acquisitions, corporate finance, and banking matters. He is admitted to the bar in New York and Washington DC, and his academic publications focus on information warfare and international law. Sean holds degrees from Harvard University (A.B., J.D.), the London School of Economics (M.Sc.), and the University of Oslo (LL.M.). He also proudly serves as a Trustee of the Center for Excellence in Education, a charity promoting STEM education that is based in McLean, Virginia.


Back to top

Hacking Democracy: A Socratic Dialogue

Friday at 12:00 in Track 4

45 minutes

Mr. Sean Kanuck Stanford University, Center for International Security and Cooperation

In the wake of recent presidential elections in the US and France, "hacking" has taken on new political and social dimensions around the globe. We are now faced with a world of complex influence operations and dubious integrity of information. What does that imply for democratic institutions, legitimacy, and public confidence?

This session will explore how liberal democracy can be hacked — ranging from direct manipulation of electronic voting tallies or voter registration lists to indirect influence over mass media and voter preferences — and question the future role of "truth" in open societies. Both domestic partisan activities and foreign interventions will be considered on technical, legal, and philosophical grounds. The speaker will build on his experience as an intelligence professional to analyze foreign capabilities and intentions in the cyber sphere in order to forecast the future of information warfare. Audience members will be engaged in a Socratic dialogue to think through how modern technologies can be used to propagate memes and influence the electorate. The feasibility of, and public policy challenges associated with, various approaches to hacking democracy will also be considered. This conceptual discussion of strategic influence campaigns will not require any specific technical or legal knowledge

Mr. Sean Kanuck
Sean Kanuck is an attorney and strategic consultant who advises governments, corporations, and entrepreneurs on the future of information technology. Sean is affiliated with Stanford University's Center for International Security and Cooperation and has received several international appointments, including: Chair of the Research Advisory Group for the Global Commission on the Stability of Cyberspace (Hague, Netherlands), Distinguished Visiting Fellow at Nanyang Technological University (Singapore), and Distinguished Fellow with the Observer Research Foundation (New Delhi, India). He regularly gives keynote addresses for global audiences on a variety of cyber topics, ranging from risk analysis to identity intelligence to arms control.

Sean served as the United States' first National Intelligence Officer for Cyber Issues from 2011 to 2016. He came to the National Intelligence Council after a decade of experience in the Central Intelligence Agency's Information Operations Center, including both analytic and field assignments. In his Senior Analytic Service role, he was a contributing author for the 2009 White House Cyberspace Policy Review, an Intelligence Fellow with the Directorates for Cybersecurity and Combating Terrorism at the National Security Council, and a member of the United States delegation to the United Nations Group of Governmental Experts on international information security.

Prior to government service, Sean practiced law with Skadden Arps in New York, where he specialized in mergers and acquisitions, corporate finance, and banking matters. He is admitted to the bar in New York and Washington DC, and his academic publications focus on information warfare and international law. Sean holds degrees from Harvard University (A.B., J.D.), the London School of Economics (M.Sc.), and the University of Oslo (LL.M.). He also proudly serves as a Trustee of the Center for Excellence in Education, a charity promoting STEM education that is based in McLean, Virginia.


Back to top

Hacking Smart Contracts

Friday at 11:00 in Track 3

45 minutes | Demo

Konstantinos Karagiannis Chief Technology Officer, Security Consulting, BT Americas

It can be argued that the DAO hack of June 2016 was the moment smart contracts entered mainstream awareness in the InfoSec community. Was the hope of taking blockchain from mere cryptocurrency platform to one that can perform amazing Turing-complete functions doomed? We've learned quite a lot from that attack against contract code, and Ethereum marches on. Smart contracts are a key part of the applications being created by the Enterprise Ethereum Alliance, Quorum, and smaller projects in financial and other companies. Ethical hacking of smart contracts is a critical new service that is needed. And as is the case with coders of Solidity (the language of Ethereum smart contracts), hackers able to find security flaws in the code are in high demand.

Join Konstantinos for an introduction to a methodology that can be applied to Solidity code review ... and potentially adapted to other smart contract projects. We'll examine the few tools that are needed, as well as the six most common types of flaws, illustrated using either public or sanitized real world" vulnerabilities.

Konstantinos Karagiannis
Konstantinos Karagiannis is the Chief Technology Officer for Security Consulting at BT Americas. In addition to guiding the technical direction of ethical hacking and security engagements, Konstantinos specializes in hacking financial applications, including smart contracts and other blockchain implementations. He has spoken at dozens of technical conferences around the world, including Black Hat Europe, RSA, and ISF World Security Congress.


Back to top

The Brain's Last Stand

Friday at 10:00 in Track 3

45 minutes

Garry Kasparov Avast Security Ambassador

Former world chess champion Garry Kasparov has a unique place in history as the proverbial "man" in "man vs. machine" thanks to his iconic matches against the IBM supercomputer Deep Blue. Kasparov walked away from that watershed moment in artificial intelligence history with a passion for finding ways humans and intelligent machines could work together. In the spirit of "if you can't beat'em, join'em," Kasparov has explored that potential for the 20 years since his loss to Deep Blue. Navigating a practical and hopeful approach between the utopian and dystopian camps, Kasparov focuses on how we can rise to the challenge of the AI revolution despite job losses to automation and refuting those who say our technology is making us less human. He includes concrete examples and forward-looking strategies on AI.

Garry Kasparov
Garry Kasparov was born in Baku, Azerbaijan, in the Soviet Union in 1963. He became the youngest world chess champion in history in 1985 and was the world's top-rated player for 20 years, until he retired in 2005. His matches against arch-rival Anatoly Karpov and the IBM supercomputer Deep Blue popularized chess and machine intelligence in unprecedented ways. Kasparov became a pro-democracy leader in Russia and an outspoken defender of individual freedom around the world, a mission he continues as the chairman of the New York-based Human Rights Foundation. He is a Visiting Fellow at the Oxford-Martin School, where his lectures focus on human-machine collaboration. Kasparov is a provocative speaker who appears frequently before business, academic, and political audiences to speak about decision-making, strategy, technology, and artificial intelligence. His influential writings on politics, cognition, and tech have appeared in dozens of major publications around the world. He has written two acclaimed series of chess books and the bestsellers How Life Imitates Chess on decision-making and Winter Is Coming on Russia and Vladimir Putin. His new book, Deep Thinking: Where Machine Intelligence Ends and Human Creativity Begins comes out in May 2017. In 2016, he was named a Security Ambassador by Avast, where he discusses cybersecurity and the digital future. He lives in New York City with his wife Dasha and their two children.


Back to top

Horror stories of a translator and how a tweet can start a war with less than 140 characters

Friday at 20:00 - 22:00 in Modena

Evening Lounge

El Kentaro Hacker

Translators are invisible, when they are present it is assumed that they know the language and are accurately translating between the languages. But how do you assure that the translator is accurately translating or working without an agenda? Although many of the case studies presented in this talk will focus on translating between different languages, the basic premise can be applied in any case where information needs to be shared among 2 or more different contexts. (i.e.: Sales vs Engineering, Government vs Private sector etc) . The talk will showcase publicly known historical cases and personal experiences where translation errors (accidental and deliberate) have lead to misunderstandings some with dire consequences. Also the talk will showcase using translators as an offensive tool (i.e.:How to create more credible fake news). We as a society consume more information and consume it faster than before, we have to be aware of the dangers that are inherit with bad translations. Also the infosec/cyber security profession because of the potential for large scale global impacts and or the need to maintain operational security poses unique considerations when translating or using a translator. This talk will highlight the unique challenges of using a translator or translations in such environments.

El Kentaro
El Kentaro / That Guy in Tokyo.

El Kentaro has been a communications facilitator between Japan and the rest of the world in the information technology industry since 1996. For the last 7 years Kentaro has solely focused on providing interpretation services for the infosec/cyber security industry in Japan. Kentaro also provided the Japanese subtitles for the DEF CON documentary released in 2015 and is a member of the CODE BLUE Security Conference held annually in Japan.

Back to top

Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods

Friday at 16:00 in 101 Track

45 minutes | Demo

Matt Knight Senior Software Engineer, Threat Research at Bastille

Marc Newlin Security Researcher at Bastille

What do the Dallas tornado siren attack, hacked electric skateboards, and insecure smart door locks have in common? Vulnerable wireless protocols. Exploitation of wireless devices is growing increasingly common, thanks to the proliferation of radio frequency protocols driven by mobile and IoT. While non-Wi-Fi and non-Bluetooth RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think.

Join us as we walk through the fundamentals of radio exploitation. After introducing essential RF concepts and characteristics, we will develop a wireless threat taxonomy by analyzing and classifying different methods of attack. As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

Attendees will come away from this session with an understanding of the mechanics of wireless network exploitation, and an awareness of how they can bridge their IP network exploitation skills to the wireless domain.

Matt Knight
Matt Knight is a software engineer and applied security researcher at Bastille, with a background in hardware, software, and wireless security. Matt's research focuses on preventing exploitation of the myriad wireless networking technologies that connect embedded devices to the Internet of Things. Notably, in 2016 he exposed the internals of the closed-source LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College.


Marc Newlin
Marc Newlin is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.


Back to top

Persisting with Microsoft Office: Abusing Extensibility Options

Saturday at 10:00 in 101 Track

20 minutes | Demo

William Knowles MWR InfoSecurity

One software product that red teamers will almost certainly find on any compromised workstation is Microsoft Office. This talk will discuss the ways that native functionality within Office can be abused to obtain persistence. The following opportunities for Office-based persistence will be discussed:

(1) WLL and XLL add-ins for Word and Excel - a legacy add-in that allows arbitrary DLL loading.
(2) VBA add-ins for Excel and PowerPoint - an alternative to backdoored template files, which executes whenever the applications load.
(3) COM add-ins for all Office products - an older cross-application add-in that leverages COM objects.
(4) Automation add-ins for Excel - user defined functions that allow command execution through spreadsheet formulae.
(5) VBA editor (VBE) add-ins for all VBA using Office products - executing commands when someone tries to catch you using VBA to execute commands.
(6) VSTO add-ins for all Office products - the newer cross-application add-in that leverages a special Visual Studio runtime.

Each persistence mechanism will be discussed in terms of its relative advantages and disadvantages for red teamers. In particular, with regards to their complexity to deploy, privilege requirements, and applicability to Virtual Desktop Infrastructure (VDI) environments which hinder the use of many traditional persistence mechanisms.

The talk isn't all red - there's also some blue to satisfy the threat hunters and incident responders amongst us. The talk will finish with approaches to detection and prevention of these persistence mechanisms.

William Knowles
William Knowles is a Security Consultant at MWR InfoSecurity. He is primarily involved in purple team activities, which involves objective-based testing to simulate real-world threats, and helping organizations to identify effective defenses against them with regards to both prevention and detection. Prior to joining the security industry, he completed a PhD in Computer Science at Lancaster University. His research interests include post-exploitation activities and offensive PowerShell.


Back to top

Cisco Catalyst Exploitation

Friday at 17:00 in 101 Track

45 minutes | Demo

Artem Kondratenko Penetration Tester, Security Researcher

On March 17th, Cisco Systems Inc. made a public announcement that over 300 of the switches it manufactures are prone to a critical vulnerability that allows a potential attacker to take full control of the network equipment.

This damaging public announcement was preceded by Wikileaks' publication of documents codenamed as "Vault 7" which contained information on vulnerabilities and description of tools needed to access phones, network equipment and even IOT devices.

Cisco Systems Inc. had a huge task in front of them - patching this vast amount of different switch models is not an easy task. The remediation for this vulnerability was available with the initial advisory and patched versions of IOS software were announced on May 8th 2017.

We all heard about modern exploit mitigation techniques such as Data Execution Prevention, Layout Randomization. But just how hardened is the network equipment? And how hard is it to find critical vulnerabilities?

To answer that question I decided to reproduce the steps necessary to create a fully working tool to get remote code execution on Cisco switches mentioned in the public announcement.

This presentation is a detailed write-up of the exploit development process for the vulnerability in Cisco Cluster Management Protocol that allows a full takeover of the device.

Artem Kondratenko
Artem is a Penetration Tester at Kaspersky Lab. On time between red team engagements he is doing security research of software and hardware appliances. Author of multiple CVE's on VMware Virtualization Platforms (CVE-2016-5331, CVE-2016-7458, CVE-2016-7459, CVE-2016-7460). Enjoys contributing to the community by writing penetration testing tools such as Invoke-Vnc (PowerShell vnc injector, part of CrackMapExec) and Rpivot (reverse socks4 proxy, now part of BlackArch Linux Distro).


Back to top

The Adventures of AV and the Leaky Sandbox

Friday at 16:00 in Track 2

45 minutes | Demo, Tool

Itzik Kotler Co-Founder & CTO, SafeBreach

Amit Klein VP Security Research, SafeBreach

Everyone loves cloud-AV. Why not harness the wisdom of clouds to protect the enterprise? Consider a high-security enterprise with strict egress filtering - endpoints have no direct Internet connection, or the endpoints' connection to the Internet is restricted to hosts used by their legitimately installed software. Let's say there's malware running on an endpoint with full privileges. The malware still can't exfiltrate data due to the strict egress filtering.

Now let'also assume that this enterprise uses cloud-enhanced anti-virus (AV).You'd argue that if malware is already running on the endpoint with full privileges, then an AV agent can't degrade the security of the endpoint. And you'd be completely wrong.

In this presentation, we describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises which employ strict egress filtering. Assuming the endpoint has a cloud-enhanced antivirus installed, we show that if the AV employs an Internet-connected sandbox in its cloud, it in fact facilitates such exfiltration. We release a tool implementing the exfiltration technique, and provide real-world results from several prominent AV products. We also provide insights on AV in-the-cloud sandboxes. Finally we address the issues of how to further enhance the attack, and possible mitigations.

Itzik Kotler
Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEF CON, Black Hat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding SafeBreach, Itzik served as CTO at Security-Art, an information security consulting firm, and before that he was SOC Team Leader at Radware. (NASDQ: RDWR).


Amit Klein
Amit Klein is a world renowned information security expert, with 26 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), recognized by InfoWorld as a CTO of the year 2010 , and has presented at BlackHat USA, HITB, RSA USA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.

Back to top

DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd

Saturday at 15:00 - 17:00 in Capri Room

Lounge Format

Representative James Langevin (D-RI)

Representative Will Hurd (R-TX)

Ever wondered if there was such thing as a “hacker-friendly” member of Congress? We found some and convinced them to come to DEF CON so you can meet them too! In this first-of-its-kind DEF CON session, two of the most hacker-friendly Congress critters will join DEF CON for an engaging and interactive session with the security research community.

Join the Atlantic Council’s Cyber Statecraft Initiative for a candid discussion with Representatives Will Hurd (R-TX) and James Langevin (D-RI). The two Congressmen will share their thoughts on the latest developments in cybersecurity policymaking on the Hill and provide a unique opportunity for the audience to ask questions, exchange ideas, and maybe even answer some of the Congressmen’s questions.

Rep. Will Hurd (R-TX)
Rep Hurd was born and raised in San Antonio, Texas. He attended John Marshall High School and Texas A&M University, where he majored in Computer Science and served as Student Body President.

After college, Will served as an undercover officer in the CIA in the Middle East and South Asia for nearly a decade, collecting intelligence that influenced the National Security agenda. Upon leaving the CIA, he became a Senior Advisor with a cybersecurity firm, covering a wide range of complex challenges faced by manufacturers, financial institutions, retailers, and critical infrastructure owners. He was also a partner with a strategic advisory firm helping businesses expand into international markets.

In 2015, Will was elected to the 114th Congress and currently serves on the Committee of Oversight and Government Reform and chairs the Information Technology Subcommittee. He also sits on the Committee on Homeland Security and is the Vice Chair of the Border and Maritime Security Subcommittee. In 2017, Will was appointed by Speaker Ryan to serve on the House Permanent Select Intelligence Committee, to replace Representative Mike Pompeo upon his confirmation as Director of the CIA.

Rep. James Langevin (D-RI)
Rep. Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives.

In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government” and took on the challenge of reforming Rhode Island’s outdated election system. Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,” which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.

In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.

Langevin graduated from Rhode Island College and earned a Master’s Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island

Back to top

DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd

Sunday at 15:00 in 101 Track

Representative James Langevin (D-RI)

Representative Will Hurd (R-TX)

Joshua Corman Director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center

The past year has seen major disruptions at the intersection of security and society. “Cybersecurity” has been thrust into the public consciousness frighteningly widely and quickly. Issues of public policy impact our colleagues and our community, beyond the technology layer. Some in the public policy community are actively encouraging our community to engage, recognizing the need for a technically literate voice of reason from the security research community. DEF CON is proud to host two members of Congress, who braved their way from DC to DEF CON as ambassadors from their community to ours.

Joshua Corman will engage Rep. Jim Langevin (D-RI) and Rep. Will Hurd (R-TX), in a candid, on-the-record “fireside chat” style conversation. DEF CON attendees will hear their perspectives on the state of cyber policy and what can be done to improve technical literacy in the dialogs. The members will also reflect on their experience at DEF CON, hanging out with hackers, and how they can make their voice known in the public policy conversation.

Rep. Will Hurd (R-TX)
Rep Hurd was born and raised in San Antonio, Texas. He attended John Marshall High School and Texas A&M University, where he majored in Computer Science and served as Student Body President.

After college, Will served as an undercover officer in the CIA in the Middle East and South Asia for nearly a decade, collecting intelligence that influenced the National Security agenda. Upon leaving the CIA, he became a Senior Advisor with a cybersecurity firm, covering a wide range of complex challenges faced by manufacturers, financial institutions, retailers, and critical infrastructure owners. He was also a partner with a strategic advisory firm helping businesses expand into international markets.

In 2015, Will was elected to the 114th Congress and currently serves on the Committee of Oversight and Government Reform and chairs the Information Technology Subcommittee. He also sits on the Committee on Homeland Security and is the Vice Chair of the Border and Maritime Security Subcommittee. In 2017, Will was appointed by Speaker Ryan to serve on the House Permanent Select Intelligence Committee, to replace Representative Mike Pompeo upon his confirmation as Director of the CIA.

Rep. James Langevin (D-RI)
Rep. Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives.

In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government” and took on the challenge of reforming Rhode Island’s outdated election system. Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,” which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.

In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.

Langevin graduated from Rhode Island College and earned a Master’s Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island

Joshua Corman

Joshua Corman is the director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center and a founder of I am The Cavalry (dot org). Corman previously served as CTO for Sonatype, director of security intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serving as an adjunct faculty for Carnegie Mellon's Heinz College and on the 2016 HHS Cybersecurity Task Force.

Back to top

The spear to break the security wall of S7CommPlus

Saturday at 10:00 in Track 4

20 minutes | Exploit

Cheng ICS Security Researcher, NSFOCUS

Zhang Yunhai Security researcher of NSFOCUS Security Team

In the past few years, attacks against industrial control systems (ICS) have increased year over year. Stuxnet in 2010 exploited the insecurity of the S7Comm protocol, the communication protocol used between Siemens Simatic S7 PLCs to cause serious damage in nuclear power facilities. After the exposure of Stuxnet, Siemens has implemented some security reinforcements into the S7Comm protocol. The current S7CommPlus protocol implementing encryption has been used in S7-1200 V4.0 and above, as well as S7-1500, to prevent attackers from controlling and damaging the PLC devices.
Is the current S7CommPlus a real high security protocol? This talk will demonstrate a spear that can break the security wall of the S7CommPlus protocol. First, we use software like Wireshark to analyze the communications between the Siemens TIA Portal and PLC devices. Then, using reverse debugging software like WinDbg and IDA we can break the encryption in the S7CommPlus protocol. Finally, we write a MFC program which can control the start and the stop of the PLC, as well as value changes of PLC's digital and analog inputs & outputs.
Based on the research above, we present two security proposals at both code level and protocol level to improve the security of Siemens PLC devices.

Cheng Lei is an Industrial Control System Security researcher at NSFOCUS. His interest is mainly about PLC and DCS vulnerability exploitation and security enhancement. Over the years he has released three Siemens CVE vulnerability

Zhang Yunhai
is a security researcher of NSFOCUS Security Team, working on computer security for more than a decade.He has spoken at security conferences such as Blackhat and BlueHat. He has won the Microsoft Mitigation Bypass Bounty 4 years in a row since 2014.

Back to top

Uncovering useful and embarrassing info with Maltego

Standby Speakers at in

45 minutes | Demo

Andrew MacPherson Ops/Dev - Paterva

The talk has two sections - useful and embarrassing.

In the 'useful' section of this fun filled talk we show how we combine the power of Maltego and Shodan to hunt for ICS devices on the Internet. We tackle the difficult problem of finding the function, owners and locations of these devices using OSINT and Maltego. The result is a one click sequence of transforms that makes finding interesting ICS devices child's play. In the 'embarrassing' section we look at how network footprinting (which we've refined to an art in Maltego) becomes useful for identifying and profiling people who's job description involves lots of lies and who probably does not want to be associated with the data that's out there on them.

Andrew MacPherson
Andrew Macpherson is the operations manager at Paterva. With a degree in Information Science and an uncanny knowledge of cat memes he successfully 0day'd at Paterva in 2007. With a decade of graphing, arguing and tea making he has proved to be a valuable asset at the company. Aside from Maltego'ing everything that looks like a nail he also has a keen interest in hardware and security.


Back to top

Controlling IoT devices with crafted radio signals

Friday at 13:00 in 101 Track

45 minutes | Demo, Tool

Caleb Madrigal Hacker, FireEye/Mandiant

In this talk, we'll be exploring how wireless communication works. We'll capture digital data live (with Software-Defined Radio), and see how the actual bits are transmitted. From here, we'll see how to view, listen to, manipulate, and replay wireless signals. We'll also look at interrupting wireless communication, and finally, we'll even generate new radio waves from scratch (which can be useful for fuzzing and brute force attacks). I'll also be demoing some brand new tools I've written to help in the interception, manipulation, and generation of digital wireless signals with SDR.

Caleb Madrigal
Caleb Madrigal is a programmer who enjoys hacking and mathing. He is currently working as a senior software engineer on Incident Response software at Mandiant/FireEye. Most of his recent work has been in Python, Jupyter, Javascript, and C. Caleb has been into security for a while... in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of "informal pen testing". Recently, Caleb has been playing around with SDR, IoT hacking, packet crafting, and a good bit of math/probability/AI/ML.


Back to top

Real-time RFID Cloning in the Field

Thursday at 15:00 in 101 Track 2

20 minutes | Demo, Tool, Audience Participation

Dennis Maldonado Adversarial Engineer - LARES Consulting

Ever been on a job that required you to clone live RFID credentials? There are many different solutions to cloning RFID in the field and they all work fine, but the process can be slow, tedious, and error prone. What if there was a new way of cloning badges that solved these problems? In this presentation, we will discuss a smarter way for cloning RFID in the field that is vastly more efficient, useful, and just plane cool. We will go over the current tools and methods for long-range RFID cloning, than discuss and demonstrate a new method that will allow you to clone RFID credentials in the field in just seconds, changing the way you perform red team engagements forever.

Dennis Maldonado
Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, red teaming, and security research. Dennis' focus is encompassing all forms information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis co-founded Houston Locksport in Houston, Texas where he shares his love for lock-picking and physical security as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area. Dennis is also a returning speaker to DEF CON having spoken at DEF CON 23 and DEF CON 24.


Back to top

Twenty Years of MMORPG Hacking: Better Graphics, Same Exploits

Saturday at 13:00 in Track 3

45 minutes | Demo, Exploit

Manfred (@_EBFE) Security Analyst at Independent Security Evaluators

In theme with this year's DEF CON this presentation goes through a 20 year history of exploiting massively multiplayer online role-playing games (MMORPGs). The presentation technically analyzes some of the virtual economy-devastating, low-hanging-fruit exploits that are common in nearly every MMORPG released to date. The presenter, Manfred (@_EBFE), goes over his adventures in hacking online games starting with 1997's Ultima Online and subsequent games such as Dark Age of Camelot, Anarchy Online, Asherons Call 2, ShadowBane, Lineage II, Final Fantasy XI/XIV, World of Warcraft, plus some more recent titles such as Guild Wars 2 and Elder Scrolls Online and many more!

The presentation briefly covers the exploit development versus exploit detection/prevention arms race and its current state. Detailed packet analysis and inference on what the code looks like server side in order for some of the exploits to be possible is presented.

This presentation includes a live demonstration of at least one unreleased exploit to create mass amounts of virtual currency in a recent and popular MMORPG.

Manfred (@_EBFE)
Manfred (@_EBFE) has been reverse engineering and exploiting MMORPGs for 20 years. During that time, he ran a successful business based solely on exploiting online games in order to supply virtual goods to retailers. He has reverse engineered communication protocols for over 22 well known and popular MMORPGs and in certain cases circumvented anti tampering and software/hardware fingerprinting countermeasures. Manfred is currently a security researcher and analyst at Independent Security Evaluators (@ISEsecurity).


Back to top

Malicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs

Sunday at 13:00 in Track 3

45 minutes | Art of Defense

Thomas Mathew OpenDNS (Cisco)

Dhia Mahjoub Head of Security Research, Cisco Umbrella (OpenDNS)

Prior research detailing the relationship between malware, bulletproof hosting, and SSL gave researchers methods to investigate SSL data only if given a set of seed domains. We present a novel statistical technique that allow us to discover botnet and bulletproof hosting IP space by examining SSL distribution patterns from open source data while working with limited or no seed information. This work can be accomplished using open source datasets and data tools.

SSL data obtained from scanning the entire IPv4 namespace can be represented as a series of 4 million node bipartite graphs where a common name is connected to either an IP/CIDR/ASN via an edge. We use the concept of relative entropy to create a pairwise distance metric between any two common names and any two ASNs. The metric allows us to generalize the concept of regular and anomalous SSL distribution patterns.

Relative entropy is useful in identifying domains that have anomalous network structures. The domains we found in this case were related to the Zbot proxy network. The Zbot proxy network contains a structure similar to popular CDNs like Akamai, Google, etc but instead rely on compromised devices to relay their data. Through layering these SSL signals with passive DNS data we create a pipeline that can extract Zbot domains with high accuracy.

Thomas Mathew
Thomas Mathew is a Security Researcher at OpenDNS (now part of Cisco) where he works on implementing pattern recognition algorithms to classify malware and botnets. His main interest lies in using various time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz, the US Naval Postgraduate School, and as a Product and Test Engineer at handsfree streaming video camera company Looxcie, Inc. He presented at ISOI APT, BruCon, FloCon and Kaspersky SAS.

Dhia Mahjoub
Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a PhD in graph algorithms applied on Wireless Sensor Networks problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, BotConf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC, and Les Assises de la sécurité.

Back to top

Trojan-tolerant Hardware & Supply Chain Security in Practice

Saturday at 14:00 in Track 2

45 minutes | Art of Defense, Demo, Tool

Vasilios Mavroudis Doctoral Researcher, University College London

Dan Cvrcek Co-founder, Enigma Bridge Ltd

The current consensus within the security industry is that high-assurance systems cannot tolerate the presence of compromised hardware components. In this talk, we challenge this perception and demonstrate how trusted, high-assurance hardware can be built from untrusted and potentially malicious components.

The majority of IC vendors outsource the fabrication of their designs to facilities overseas, and rely on post-fabrication tests to weed out deficient chips. However, such tests are not effective against: 1) subtle unintentional errors (e.g., malfunctioning RNGs) and 2) malicious circuitry (e.g., stealthy Hardware Trojans). Such errors are very hard to detect and require constant upgrades of expensive forensics equipment, which contradicts the motives of fabrication outsourcing.

In this session, we introduce a high-level architecture that can tolerate multiple, malicious hardware components, and outline a new approach in hardware compromises risk management. We first demo our backdoor-tolerant Hardware Security Module built from low-cost commercial off-the-shelf components, benchmark its performance, and delve into its internals. We then explain the importance of "component diversification" and "non-overlapping supply chains", and finally discuss how "mutual distrust" can be exploited to further reduce the capabilities of the adversaries.

Vasilios Mavroudis
Vasilios Mavroudis is a doctoral researcher in the Information Security Group at University College London. He studies security and privacy aspects of digital ecosystems, with a focus on emerging technologies and previously unknown attack vectors.

He is currently working on a high-assurance cryptographic hardware. In cooperation with industrial partners, he has recently prototyped a high-assurance hardware architecture, that maintains its security properties even in the presence of malicious hardware components.

Past works include his recent publication on the ultrasound tracking ecosystem which received wide-spread attention and is considered the seminal work on that ecosystem, and auditing tools for the Public Key Infrastructure of Deutsche Bank. Moreover, he has participated in an international consortium studying large-scale security threats in telecommunication networks, and cooperated with UC Santa Barbara in several projects, including a detection system for evasive web-malware.

Vasilios holds an Information Security MSc from UCL, and a BSc on Computer Science from University of Macedonia, Greece.

Dan Cvrcek
Dan Cvrcek is a security architect and engineer learning how to run his start-up Enigma Bridge. He has extensive experience with large banking systems from operational procedures to system architectures: Swift, card payment processing, UK Faster Payments, large key management systems. His hardware encounters include smart cards, custom and embedded systems, and hardware security modules, from design, testing, defences to attacks. He reverse-engineered a hidden API of Chrysalis-ITS crypto modules (now SafeNet) with Mike Bond, Steven Murdoch and others. Dan got his uni degrees (PhD and Associate Prof.) from Brno University of Technology, and had fun as a post-doc at the University of Cambridge (2003-2004, 2007-2008), Deloitte London (2008-2009), start-ups, freelance security consultant (2010-2016) - clients include Barclays and Deutsche Bank, co-founded Enigma Bridge in 2015.


Contributor Acknowledgement:
The Speakers would like to acknowledge the following for their contribution to the presentation.

George Danezis, Professor (University College London)
Petr Svenda, Security Researcher (Masaryk University)

Back to top

Where are the SDN Security Talks?

Thursday at 10:00 in 101 Track2

45 minutes | Demo, Tool

Jon Medina Protiviti

Software Defined Networking is no longer a fledgling technology. Google, Amazon, Facebook, and Verizon all rely on the scalability, programmability, flexibility, availability, and yes, security provided by SDN. So why has there only ever been one DEF CON speaker presenting on SDN and security?

This talk will provide a brief introduction to SDN and security, demonstrate ways of compromising and securing a Software Defined Network and will illustrate new ways of using the power of open source SDN coupled with machine learning to maintain self-defending networks.

Jon Medina
Jon Medina (@ackSec) is a security nerd who has worked in networking and security capacities for everything from the Department of Defense, to the Fortune 500, to state and local government. He currently works for Protiviti providing security consulting for a wide variety of clients and industries. His interests outside of work include traveling, hockey, strange beers, and his bulldog. He's spoken at Shmoocon, BSides, and many other security events and conferences.


Back to top

Exploiting 0ld Mag-stripe information with New technology

Thursday at 15:20 in 101 Track 2

20 minutes | Demo, Tool, Exploit

Salvador Mendoza Hacker

A massive attack against old magnetic stripe information could be executed with precision implementing new technology. In the past, a malicious individual could spoof magstripe data but in a slow and difficult way. Also brute force attacks were tedious and time-consuming. Technology like Bluetooth could be used today to make a persistent attack in multiple magnetic card readers at the same time with audio spoof.

Private companies, banks, trains, subways, hotels, schools and many others services are still using magstripe information to even make monetary transactions, authorize access or to generate "new" protocols like MST(Magnetic Secure Transmission) During decades the exploitation of magstripe information was an acceptable risk for many companies because the difficulty to achieve massive attacks simultaneously was not factible. But today is different.

Transmitting magstripe information in audio files is the faster and easier way to make a cross-platform magstripe spoofer. But how an attacker could transmit the audio spoof information to many magnetic card readers at the same time? In this talk, we will discuss how an attacker could send specific data or achieve a magstripe jammer for credit card terminals, PoS or any card reader. Also, how it could be implemented to generate brute force attacks against hotel door locks or tokenization processes as examples.

Salvador Mendoza
Salvador Mendoza is a security researcher focusing in tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON, DerbyCon, Ekoparty, BugCON and Troopers. Salvador designed different tools to pentest mag-stripe and tokenization processes. In his designed toolset includes MagSpoofPI, JamSpay, TokenGet and lately SamyKam.


Back to top

"Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC

Friday at 16:00 in Track 4

45 minutes

Whitney Merrill Privacy, eCommerce & Consumer Protection Counsel, Electronic Arts

Terrell McSweeny Commissioner, Federal Trade Commission

The Federal Trade Commission is a law enforcement agency tasked with protecting consumers from unfair and deceptive practices. Protecting consumers on the Internet and from bad tech is nothing new for the FTC. We will take a look back at what the FTC was doing when DEF CON first began in 1993, and what we've been doing since. We will discuss enforcement actions involving modem hijacking, FUD advertising, identity theft, and even introduce you to Dewie the e-Turtle. Looking forward, we will talk about the FTC's future protecting consumers' privacy and data security and what you can do to help.

Whitney Merrill
Whitney Merrill is a hacker, ex-fed, and lawyer. She's currently a privacy attorney at Electronic Arts (EA), and in her spare time, she runs the Crypto & Privacy Village (come say hi!). Recently, she served her country as an attorney at the Federal Trade Commission where she worked on a variety of consumer protection matters including data security, privacy, and deceptive marketing and advertising. Whitney received her J.D. and master's degree in Computer Science from the University of Illinois at Urbana-Champaign.


Terrell McSweeny
Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. This year marks her fourth time at DEF CON . When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics design - but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.


Back to top

Friday the 13th: JSON attacks!

Sunday at 14:00 in Track 4

45 minutes | Demo, Exploit

Alvaro Muñoz Principal Security Researcher,Hewlett Packard Enterprise

Oleksandr Mirosh Senior Security QA Engineer, Hewlett Packard Enterprise

2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues.

One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors.

We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable.

In addition to focusing on JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012 but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well and conclude presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption — just simple process invocation.

Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.

Alvaro Muñoz
Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with HPE Security Fortify, Software Security Research (SSR). His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the research team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many Security conferences including DEF CON , RSA, AppSecEU, Protect, DISCCON, etc and holds several infosec certifications, including OSCP, GWAPT and CISSP, and is a proud member of int3pids CTF team. He blogs at


Oleksandr Mirosh
Oleksandr Mirosh has over 9 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for HPE Software Security Research team investigating and analyzing new threats, vulnerabilities, security weaknesses, new techniques of exploiting security issues and development vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modelling, testing and fuzzing in order to identify and remove any existing or potentially emerging security defects in the software of various customers.

Back to top

CableTap: Wirelessly Tapping Your Home Network

Saturday at 16:00 in Track 3

45 minutes | Demo, Tool, Exploit

Marc Newlin Security Researcher at Bastille Networks

Logan Lamb Security Researcher at Bastille Networks

Chris Grayson Founder and Principal Engineer at Web Sight.IO

We discovered a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. Our research shows that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through the affected gateways, impacting millions of ISP customers.

Imagine for a moment that you want a root shell on an ISP-provided wireless gateway, but you're tired of the same old web vulns. You want choice. Maybe you want to generate the passphrase for the hidden Wi-Fi network, or log into the web UI remotely using hard-coded credentials.

Don't have an Internet connection? Not to worry! You can just impersonate a legitimate ISP customer and hop on the nearest public hotspot running on another customer's wireless gateway. Once online, you can head on over to GitHub and look at the vulnerability fixes that haven't yet been pushed to customer equipment.

In this talk, we will take you through the research process that lead to these discoveries, including technical specifics of each exploit. After showcasing some of the more entertaining attack chains, we will discuss the remediation actions taken by the affected vendors.

Marc Newlin
Marc is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.

Logan Lamb
Logan joined Bastille Networks in 2014 as a security researcher focusing on applications of SDR to IoT. Prior to joining Bastille Networks, he was a member of CSIR at Oak Ridge National Lab where his focus was on symbolic analysis of binaries and red-teaming critical infrastructure.

Chris Grayson
Christopher Grayson (OSCE) is the founder and principal engineer at Web Sight.IO. In this role he handles all operations, development, and research efforts. Christopher is an avid computing enthusiast hailing from Atlanta, Georgia. Having made a habit of pulling things apart in childhood, Chris has found his professional home in information security. Prior to founding Web Sight.IO, Chris was a senior penetration tester at the security consultancy Bishop Fox, and a research scientist at the Georgia Institute of Technology. During his tenure at these organizations, Chris became a specialist in network penetration testing and in the application of academic tactics to the information security industry, both of which contributed to his current research focus of architecting and implementing high-security N-tier systems. Chris attended the Georgia Institute of Technology where he received a bachelor's degree in computational media, a master's degree in computer science, and where he organized and led the Grey H@t student hacking organization.

Back to top

DNS - Devious Name Services - Destroying Privacy & Anonymity Without Your Consent

Saturday at 12:00 in Track 3

45 minutes | Art of Defense

Jim Nitterauer Senior Security Specialist, AppRiver, LLC

You've planned this engagement for weeks. Everything's mapped out. You have tested all your proxy and VPN connections. You are confident your anonymity will be protected. You fire off the first round and begin attacking your target. Suddenly something goes south. Your access to the target site is completely blocked no matter what proxy or VPN you use. Soon, your ISP contacts you reminding you of their TOS while referencing complaints from the target of your engagement. You quickly switch MAC addresses and retry only to find that you are quickly blocked again!

What happened? How were you betrayed? The culprit? Your dastardly DNS resolvers and more specifically, the use of certain EDNS0 options by those resolvers.

This presentation will cover the ways in which EDNS OPT code data can divulge details about your online activity, look at methods for discovering implementation by upstream DNS providers and discuss ways in which malicious actors can abuse these features. We will also examine steps you can take to protect yourself from these invasive disclosures.

The details covered will be only moderately technical. Having a basic understanding of RFC 6891 and general DNS processes will help in understanding. We will discuss the use of basic tools including Wireshark, Packetbeat, Graylog and Dig.

Jim Nitterauer
Currently a Senior Security Specialist at AppRiver, LLC., his team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global spam & virus filtering infrastructure as well as all internal applications. They also manage security operations for the entire company. He holds a CISSP certification. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology since the late 1980s when punch cards were still a thing.

Jim has presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, CircleCityCon and several smaller conferences. He regularly attends national security conferences and is passionate about conveying the importance of developing, implementing and maintaining security policies for organizations. His talks convey unique and practical techniques that help attendees harden their security in practical and easy-to-deploy ways.

Jim is a senior staff member with BSides Las Vegas, a member of the ITEN WIRED Planning Committee and the president of the Florida Panhandle (ISC)2 Chapter. When not at the computer, Jim can be found working out, playing guitar, traveling or just relaxing with an adult beverage.

Twitter: @jnitterauer

Back to top

Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles

Saturday at 14:00 in Track 3

45 minutes | Demo, Tool

p3n3troot0r (Duncan Woodbury) Hacker

ginsback (Nicholas Haltmeyer) Hacker

Vehicle-to-vehicle (V2V) and, more generally, vehicle-to-everything (V2X) wireless communications enable semi-autonomous driving via the exchange of state information between a network of connected vehicles and infrastructure units. Following 10+ years of standards development, particularly of IEEE 802.11p and the IEEE 1609 family, a lack of available implementations has prevented the involvement of the security community in development and testing of these standards. Analysis of the WAVE/DSRC protocols in their existing form reveals the presence of vulnerabilities which have the potential to render the protocol unfit for use in safety-critical systems. We present a complete Linux-stack based implementation of IEEE 802.11p and IEEE 1609.3/4 which provide a means for hackers and academics to participate in the engineering of secure standards for intelligent transportation systems.

p3n3troot0r (Duncan Woodbury)
Car hacker by trade, embedded systems security engineer by day. Entered the field of cyberauto security in 2012 through the Battelle CAVE red team and had the opportunity to improve the world by hacking transportation systems. Co-founded multiple security companies focused on building tools for automated exploitation of automotive systems (, open-source frameworks for V2X, secure digital asset management, and 3D printing electric cars ( out of your garage ( DEF CON lurker since the age of 17, recently having joined forces with friends and mentors to organize and host the DEF CON Car Hacking Village.

p3n3troot0r began working V2X with ginsback two years ago and realized the opportunity, in lieu of any open-source or full-stack V2X implementation, to bring the security community in to the driver's seat in the development of next-gen cyberauto standards. Together they have engaged the thought leaders in this space, and via the long-awaited integration of this stack into the mainline Linux kernel, the global development community is given the opportunity to participate in the development of automated and connected transportation systems.

ginsback (Nicholas Haltmeyer)
AI researcher and security professional. Began work in automotive security through the DEF CON Car Hacking Village and have since developed V2X software and routing schemes. Extensive experience in signal processing and RF hacking, including vital sign monitoring, activity recognition, and biometric identification through RF.

Given the (abyssal) state of automotive cybersecurity, ginsback aims to develop and field tools for V2X that open collaboration with the hacker community. As intelligent transit reaches critical mass, attacks on V2X infrastructure have the potential to cause incredible damage. ginsback partnered with p3n3troot0r to develop a free as in freedom V2X interface and extend an invitation for the community to discover and fix flaws in the design of what will soon be a massive network of connected vehicles.

Back to top

Weaponizing Machine Learning: Humanity Was Overrated Anyway

Sunday at 14:00 in Track 2

45 minutes | Demo, Tool

Dan "AltF4" Petro Senior Security Associate, Bishop Fox

Ben Morris Security Analyst, Bishop Fox

At risk of appearing like mad scientists, reveling in our latest unholy creation, we proudly introduce you to DeepHack: the open-source hacking AI. This bot learns how to break into web applications using a neural network, trial-and-error, and a frightening disregard for humankind.

DeepHack can ruin your day without any prior knowledge of apps, databases - or really anything else. Using just one algorithm, it learns how to exploit multiple kinds of vulnerabilities, opening the door for a host of hacking artificial intelligence systems in the future.

This is only the beginning of the end, though. AI-based hacking tools are emerging as a class of technology that pentesters have yet to fully explore. We guarantee that you'll be either writing machine learning hacking tools next year, or desperately attempting to defend against them.

No longer relegated just to the domain of evil geniuses, the inevitable AI dystopia is accessible to you today! So join us and we'll demonstrate how you too can help usher in the destruction of humanity by building weaponized machine learning systems of your own - unless time travelers from the future don't stop us first.

Dan "AltF4" Petro
Dan Petro is a Senior Security Associate at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and network penetration testing.

Dan likes to hear himself talk, often resulting in conference presentations including several consecutive talks at Black Hat USA and DEF CON in addition to appearances at HOPE, BSides, and ToorCon. He is widely known for the tools he creates: the Rickmote Controller (a Chromecast-hacking device), Untwister (a tool used for breaking pseudorandom number generators) and SmashBot (a merciless Smash Bros noob-pwning machine). He also organizes Root the Box, a capture the flag security competition.

Dan holds has a Master of Science in Computer Science from Arizona State University and still doesn't regret it.


Ben Morris
Ben Morris is a Security Analyst at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing, network penetration testing, and red-teaming.

Ben also enjoys performing drive-by pull requests on security tools and bumbling his way into vulnerabilities in widely used PHP and .NET frameworks and plugins. Ben has also contributed to Root the Box, a capture the flag security competition.

Back to top

Teaching Old Shellcode New Tricks

Friday at 13:00 in Track 2

45 minutes | Demo

Josh Pitts Hacker

Metasploit x86 shellcode has been defeated by EMET and other techniques not only in exploit payloads but through using those payloads in non-exploit situations (e.g. binary payload generation, PowerShell deployment, etc..). This talk describes taking Metasploit payloads (minus Stephen Fewer's hash API), incorporating techniques to bypass Caller/EAF[+] checks (post ASLR/DEP bypass) and merging those techniques together with automation to make something better.

Josh Pitts
Josh Pitts has over 15 years experience conducting physical and IT security assessments, IT security operations support, penetration testing, malware analysis, reverse engineering and forensics. Josh has worked in US Government contracting, commercial consulting, and silicon valley startups. He likes to write code that patches code with other code via The Backdoor Factory (BDF), has co-authored an open-source environmental keying framework (EBOWLA), and once served in the US Marines.


Back to top

Popping a Smart Gun

Saturday at 17:00 in Track 4

45 minutes | Demo, Exploit

Plore Hacker

Smart guns are sold with a promise: they can be fired only by authorized parties. That works in the movies, but what about in real life? In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

Plore is an electrical engineer and embedded software developer based in the United States. At DEF CON 24, he spoke about cracking high-security electronic safe locks.


Back to top

Digital Vengeance: Exploiting the Most Notorious C&C Toolkits

Saturday at 15:00 in Track 4

45 minutes | Demo, Tool, Exploit

Professor Plum Hacker

Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe.

If one looks at the many APT reports that have been released over the years some clear patterns start to emerge. A small number of Remote Administration Tools are preferred by actors and reused across multiple campaigns. Frequently sited tools include Gh0st RAT, Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted.

The presentation will disclose several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones.

Professor Plum
Professor Plum is an experienced reverse engineer, developer, and digital forensics examiner. He holds a graduate degree in Information Security from Johns Hopkins University, and has worked numerous computer incident investigations spanning the globe. He currently works as a Senior Threat Researcher for a Fortune 500 cybersecurity company and previously worked for the Department of Defense performing vulnerability research, software development, and Computer Network Operations.


Back to top

The Internet Already Knows I'm Pregnant

Friday at 17:00 in Track 4

45 minutes | Exploit

Cooper Quintin Staff Technologist - EFF

Kashmir Hill Journalist - Gizmodo Media

Women's health is big business. There are a staggering number of applications for Android to help people keep track of their monthly cycle, know when they may be fertile, or track the status of their pregnancy. These apps entice the user to input the most intimate details of their lives, such as their mood, sexual activity, physical activity, physical symptoms, height, weight, and more. But how private are these apps, and how secure are they really? After all, if an app has such intimate details about our private lives it would make sense to ensure that it is not sharing those details with anyone such as another company or an abusive partner/parent. To this end EFF and Journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications as well as some notable security flaws as well as a couple of interesting security features.

Cooper Quintin
Cooperq is a security researcher and programmer at EFF. He has worked on projects such as Privacy Badger, Canary Watch, Ethersheet, and analysis of state sponsored malware. He has also performed security trainings for activists, non profit workers and ordinary folks around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. He also was a co-founder of the Hackbloc hacktivist collective. In his spare time he enjoys playing music and participating in street protests.


Kashmir Hill
Kashmir Hill is a journalist who writes about privacy and security. She is a senior reporter at Gizmodo Media and has previously written for Fusion, Forbes Magazine and Above The Law.


Back to top

From "One Country - One Floppy" to "Startup Nation" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene

Saturday at 16:00 in Track 2

45 minutes | Hacker History

Inbar Raz Principal Researcher, PerimeterX Inc.

Eden Shochat Equal Partner, Aleph

The late 80's and early 90's played a pivotal role in the forming of the Israeli tech scene as we know it today, producing companies like Checkpoint, Waze, Wix, Mobileye, Viber and billions of dollars in fundraising and exits. The people who would later build that industry were in anywhere from elementary school to high school, and their paths included some of the best hacking stories of the time (certainly in the eyes of the locals). The combination of extremely expensive Internet and international dial system, non-existent legal enforcement and a lagging national phone company could not prevent dozens of hungry-for-knowledge kids from teaching themselves the dark arts of reversing, hacking, cracking, phreaking and even carding. The world looked completely different back then and we have some great stories for you. We will cover the evolution of the many-years-later-to-be-named-Cyber community, including personal stories from nearly all categories. Come listen how the Israeli Cyber "empire" was born, 25 years ago, from the perspectives of 2:401/100 and 2:401/100.1.

Inbar Raz
Inbar has been reverse engineering for nearly as long as he has been living. It started with a screwdriver, pliers, wire cutters, and his grandfather's ECG machine, and gradually transitioned into less destructive research. In 1984, aged 9, he started programming on his Dragon 64. At 13 he got his first PC - Amstrad PC1512 - and within a year was already into reverse engineering. It wasn't long before he discovered how to access the X.25 network, Bitnet and Fidonet, and through high-school he was a key figure in the Israeli BBS scene.

Inbar spent most of his career in the Internet and Data Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an early age. In fact, nowadays he commonly lectures about Ethical Hacking and Coordinated Vulnerability Disclosure.

Inbar specializes in outside-the-box approach to analyzing security and finding vulnerabilities, and is currently the Principal Researcher at PerimeterX, researching and educating the public on Automated Attacks on Websites.


Eden Shochat
Eden Shochat builds stuff, most recently Aleph, +$330MM venture capital fund; The Junction, voted #1 startup program in Israel;, a massive face recognition API acquired by Facebook; Aternity, the leading user-centric enterprise IT platform, acquired by Riverbed; and GeekCon, Europe's biggest makers conference. Eden grew up in Nigeria, where he was bored into assembly programming for the Z80 chip, graduated into the demo and cracking scenes while being thrown out of high-school but ended up being a (somewhat) productive member of society.


Back to top

PEIMA (Probability Engine to Identify Malicious Activity): Using Power Laws to address Denial of Service Attacks

Sunday at 10:20 in Track 2

20 minutes | Art of Defense, Demo, Tool

Redezem Hacker

Denial of service. It requires a low level of resources and knowledge, it is very easy to deploy, it is very common and it is remarkable how effective it is overall. PEIMA is a brand new method of client side malicious activity detection based on mathematical laws, usually used in finance, text retrieval and social media analysis, that is fast, accurate, and capable of determining when denial of service attacks start and stop without flagging legitimate heavy interest in your server erroneously. However, denial of service attacks aren't the only type of anomalous activity you can look at with PEIMA. Learn what kinds of unusual identifying metrics you can get out of your network and users to help detect intrusions and, ultimately, defend your assets.

Redezem hails from the southern hemisphere, specifically Perth, Australia, the most isolated capital city on the planet. He's been an avid computer tinkerer in this desolate, sunny, beach-ridden wasteland from a young age, and has been a "hacker" since he stole his dad's passwords to get at the internet as a kid. Having worked part time as a web application developer during his undergraduate degree in computer science, he specialised into intrusion detection in his honours year, and is currently performing his PhD into new and fantastic network anomaly detection mechanisms at Curtin University. He currently also lectures, and works part-time as a security consultant.

Back to top

An ACE Up the Sleeve: Designing Active Directory DACL Backdoors

Friday at 16:00 in Track 3

45 minutes | Demo

Andy Robbins Red Team Lead

Will Schroeder Offensive Engineer

Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy", and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described.

Andy Robbins
As a Red Team lead, Andy Robbins has performed penetration tests and red team assessments for a number of Fortune 100 commercial clients, as well as federal and state agencies. Andy presented his research on a critical flaw in the ACH payment processing standard in 2014 at DerbyCon and the ISC2 World Congress, and has spoken at other conferences including DEF CON , BSidesLV, ekoparty, ISSA International, and Paranoia Conf in Oslo. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the "Adaptive Red Team Tactics" course at BlackHat USA.


Will Schroeder
Will Schroeder is a offensive engineer and red teamer. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON , DerbyCon, Troopers, BlueHat Israel, and various Security BSides.


Back to top

Using GPS Spoofing to control time

Friday at 14:00 in 101 Track

45 minutes | Tool

David "Karit" Robinson Security Consultant, ZX Security

GPS is central to a lot of the systems we deal with on a day-to-day basis. Be it Uber, Tinder, or aviation systems, all of them rely on GPS signals to receive their location and/or time.

GPS Spoofing is now a valid attack vector and can be done with minimal effort and cost. This raises some concerns when GPS is depended upon by safety of life applications. This presentation will look at the process for GPS and NMEA (the serial format that GPS receivers output) spoofing, how to detect the spoofing attacks and ways to manipulate the time on GPS synced NTP servers. We will also explore the implications when the accuracy of the time on your server can no longer be guaranteed.

David "Karit" Robinson
Dave/Karit has worked in the IT industry for over 10 years. In this time he has developed a skillset that encompasses various disciplines in the information security domain. Dave is currently part of team at ZX Security in Wellington and works as a penetration tester. Since joining ZX Security Dave has presented at Kiwicon, BSides Canberra and Unrestcon and also at numerous local meetups; along with running training at Kiwicon and Syscan. He has a keen interest in lock-picking and all things wireless.


Back to top

Wiping out CSRF

Thursday at 13:00 in 101 Track 2

45 minutes | Art of Defense, Demo

Joe Rozner Senior Software Security Engineer, Prevoty

CSRF remains an elusive problem due to legacy code, legacy frameworks, and developers not understanding the problem or how to protect against it. Wiping out CSRF introduces primitives and strategies for building solutions to CSRF that can be bolted on to any http application where http requests and responses can be intercepted, inspected, and modified. Modern frameworks have done a great job at providing solutions to the CSRF problem that automatically integrate into the application and solve most of the conditions. However, many existing apps and new apps that don't take advantage of these frameworks or use them incorrectly are still plagued with this problem. Wiping out CSRF will provide an in depth overview of the various reasons that CSRF occurs and provide payload examples to target those specific issues and variations. We'll see live demos of these attacks and the protections against them. Next we'll look at how to compose these primitives into a complete solution capable of solving most cases of CSRF explaining the limits and how to layer them to address potential short comings. Finally we'll finish by looking at Same Site Cookies, a new extension to cookies that could be the final nail in the coffin, and see how to use the prior solution as a graceful degradation for user agents that don't support it yet.

Joe Rozner
Joe (@jrozner) is a software engineer at Prevoty where he has built semantic analysis tools, language runtimes, generalized solutions to common vulnerability classes, and designed novel integration technology leveraging runtime memory patching. He has a passion for reverse engineering, exploitation, teaching, and sharing research with others. He is the undisputed champion of the Brawndo and Booze competition from DEF CON s past with his Irish Car Mutilator winning in both the drink and dip categories.


Back to top

The Black Art of Wireless Post Exploitation

Sunday at 12:00 in 101 Track

45 minutes | Demo, Tool

Gabriel "solstice" Ryan Gotham Digital Science

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility. The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In this presentation, we will present a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel "solstice" Ryan
Gabriel is a pentester, CTF player, and Offsec R&D. He currently works for Gotham Digital Science, where he provides full scope red team penetration testing capabilities for a diverse range of clients. Previously he has worked at OGSystems and Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. Things that make him excited include obscure wireless attacks, evading antivirus, and playing with fire. In his spare time, he enjoys live music and riding motorcycles.


Back to top

Taking Windows 10 Kernel Exploitation to the next level - Leveraging write-what-where vulnerabilities in Creators Update

Saturday at 17:00 in Track 2

45 minutes | Demo, Exploit

Morten Schenk Security Advisor, Improsec

Since the release of Windows 10 and especially in the Anniversary and Creators Updates, Microsoft has continued to introduce exploit mitigations to the Windows kernel. These include full scale KASLR and blocking kernel pointer leaks.

This presentation picks up the mantle and reviews the powerful read and write kernel primitives that can still be leveraged despite the most recent hardening mitigations. The presented techniques include abusing the kernel-mode Window and Bitmap objects, which Microsoft has attempted to lock down several times. Doing so will present a generic approach to leveraging write-what-where vulnerabilities.

A stable and precise kernel exploit must be able to overcome KASLR, most often using kernel driver leaks. I will disclose several previously unknown KASLR bypasses in Windows 10 Creators Update. Obtaining kernel-mode code execution on Windows has become more difficult with the randomization of Page Table entries. I will show how a generic de-randomization of the Page Table entries can be performed through dynamic reverse engineering. Additionally, I will present an entirely different method which makes the usage of Page Table entries obsolete. This method allocates an arbitrary size piece of executable kernel pool memory and transfers code execution to it through hijacked system calls

Morten Schenk
Morten Schenk (@blomster81) is a security advisor and researcher at Improsec ApS, with a background in penetration testing, red teaming and exploit development. Having a high craving for learning and torture based on taking certifications like OSCP, OSCE and OSEE, Morten's research is specifically focused on binary exploitation and mitigation bypasses on Windows. He blogs about his research at


Back to top

Social Engineering The News

Standby Speaker

45 minutes

Michael Schrenk

It might be called "fake news" but at it's heart, it's the latest wave of social engineering. This apolitical talk explores the similarities between traditional social engineering and today's "fake news". During this talk, Michael Schrenk will show how social engineers use OPSEC (Operations Security) to plan a successful social attack. Additionally, you'll also learn the about the economics of "fake news", who's making the money, and how much, and how information is weaponized. This talk will also reveal that the news has been socialized for a long time, and that socially engineered news lead to the start of the Spanish American War. We'll also explore techniques to guard against social engineering in general, and specifically in the media.

Michael Schrenk
While best known in The USA for his work with botnets and webbots, Michael Schrenk is known across Europe for teaching Investigative Journalists privacy and hacking techniques. In addition, he has developed multiple weekend workshops for The Centre for Investigative Journalism at City College in London England. Along with his teaching, Michael has also gathered data for some of the biggest news agencies in Europe. Today, Mike is based right here in Las Vegas, Nevada.


Back to top

Total Recall: Implanting Passwords in Cognitive Memory

Sunday at 11:00 in 101 Track

45 minutes

Tess Schrodinger

What is cognitive memory? How can you "implant" a password into it? Is this truly secure? Curiosity around these questions prompted exploration of the research and concepts surrounding the idea of making the authentication process more secure by implanting passwords into an individual's memory. The result? The idea is that you are not able to reveal your credentials under duress but you are still able to authenticate to a system. We will begin with an understanding of cognitive memory. Implicit versus explicit memory will be defined. The concepts of the subconscious, unconscious, and consciousness will be addressed. The stages of memory pertaining to encoding, storage and retrieval as well as the limitations of human memory along with serial interception sequence learning training will round out our build up to the current research and experimentation being done with the proposal to implant passwords into an individual's cognitive memory.

Tess Schrodinger
Tess is a security engineer and researcher with over twenty years of experience in security and counterintelligence. Her areas of interest are Insider Threat, Quantum Computing, Security Awareness, Cryptography, and Triathlons.


Back to top

Open Source Safe Cracking Robots - Combinations Under 1 Hour! (Is it bait? Damn straight it is.)

Friday at 12:00 in Track 2

45 minutes | Demo, Tool, Exploit

Nathan Seidle Founder, SparkFun Electronics

We've built a $200 open source robot that cracks combination safes using a mixture of measuring techniques and set testing to reduce crack times to under an hour. By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, 'set testing' is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe. Come checkout the live cracking demo during the talk!

Nathan Seidle
Nathan Seidle is the founder of SparkFun Electronics in Boulder, Colo. Nathan founded SparkFun in 2003 while an undergraduate student studying electrical engineering. After building the company across 14 years to over 130 employees he now heads the SparkX Lab within SparkFun, tinkering, hacking and building new products.

Nathan has built a large catalog of off the beaten path projects including a 12' GPS clock, a wall sized Tetris interface, an autonomous miniature electric bat-mobile, a safe cracking robot, and a hacked bathroom scale to measure the weight of his beehive. He believes strongly in the need to teach the next generation of technical citizens.

Nathan is a founding member of the Open Source Hardware Association. He has served on the board of OSHWA and continues to promote and serve the organization. Nathan has been invited to the White House to participate in discussions around intellectual property policy and patent reform and attended multiple White House Maker Faires. Nathan has spoken in front of Congress on copyright and trademark policy. He has presented on the many facets of manufacturing and open hardware at the National Science Foundation, Google, and Sketching in Hardware. Nathan has guest lectured at numerous institutions including MIT, Stanford and West Point Academy.

In their off time, Nathan and his wife Alicia can be found making rather silly electronics projects together for their local Public Library, their nieces and nephews, and Burning Man. Nathan and Alicia live in Boulder, Colorado with their pet tree Alfonso.

@chipaddict, @sparkfun,

Back to top

Man in the NFC

Sunday at 14:00 in Track 3

45 minutes | Demo, Tool

Haoqi Shan Wireless security researcher

Jian Yuan Wireless security researcher

NFC (Near Field Communication) technology is widely used in security, bank, payment and personal information exchange fields now, which is highly well-developed. Corresponding, the attacking methods against NFC are also emerged in endlessly. To solve this problem, we built a hardware tool which we called "UniProxy". This tool contains two self-modified high frequency card readers and two radio transmitters, which is a master-slave way. The master part can help people easily and successfully read almost all ISO 14443A type cards, (no matter what kind of this card is, bank card, ID card, Passport, access card, or whatever. No matter what security protocol this card uses, as long as it meets the ISO 14443A standard) meanwhile replaying this card to corresponding legal card reader via slave part to achieve our "evil" goals. The master and slave communicate with radio transmitters and can be apart between 50 - 200 meters.

Haoqi Shan
Haoqi Shan is currently a wireless/hardware security researcher in UnicornTeam of 360 Radio Security Research Dept. He focuses on Wi-Fi penetration, GSM system, embedded device hacking, building hacking tools, etc. He made serial presentations about Femto cell hacking, RFID hacking and LTE devices hacking on DEF CON , Cansecwest, Syscan360 and HITB, etc.

Jian Yuan
Yuan Jian is a security researcher in UnicornTeam of 360 Radio Security Research Dept. He is mainly focused on the security of Internet of things, NFC, GPS, etc. He was a speaker at the DEF CON Car Hacking Village.

Contributor Acknowledgement:

The Speakers would like to acknowledge Yuan Jian, for his contribution to the presentation. Yuan Jian is a security researcher in UnicornTeam of 360 Radio Security Research Dept. He is mainly focused on the security of Internet of things, NFC, GPS, etc. He was a speaker at the DEF CON Car Hacking Village.

Back to top

Driving down the rabbit hole

Saturday at 12:00 in 101 Track

45 minutes | Demo

Mickey Shkatov Security Researcher, McAfee.

Jesse Michael Security Researcher, McAfee.

Oleksandr Bazhaniuk Security Researcher

Over the past few years, cars and automotive systems have gained increasing attention as cyber-attack targets.  Cars are expensive.  Breaking cars can cost a lot.  So how can we find vulnerabilities in a car with no budget?  We’ll take you with us on a journey from zero car security validation experience through the discovery and disclosure of multiple remotely-exploitable automotive vulnerabilities.  Along the way, we’ll visit a wrecking yard, reassemble (most) of a 2015 Nissan Leaf in our lab, discuss how we picked our battles, fought them, and won.  During our talk, we’ll examine the details of three different classes of vulnerabilities we found in this vehicle, how they can be exploited, and the potential ramifications to the owner of their real-world exploitation.  We’ll also discuss the broader scope of the vulnerabilities discovered, how they extend beyond just this specific vehicle, and what the industry can do better to prevent these types of problems in the future.

Mickey Shkatov
Mickey Shkatov is a security researcher and a member of the McAfee Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security


Jesse Michael
Jesse Michael has been working in security for over a decade and is currently a member of the McAfee Advanced Threat Research team who spends his time causing trouble and finding low-level hardware security vulnerabilities in modern computing platforms


Oleksandr Bazhaniuk
Oleksandr Bazhaniuk is a security researcher and reverse engineer with background in automation of binary vulnerability analysis. He is also a co-founder of DCUA, the first DEF CON group in Ukraine.


Back to top

Here to stay: Gaining persistency by abusing advanced authentication mechanisms

Saturday at 17:00 in 101 Track

45 minutes | Demo

Marina Simakov Security researcher, Microsoft

Igal Gofman Security researcher, Microsoft

Credentials have always served as a favorite target for advanced attackers, since these allow to efficiently traverse a network, without using any exploits.

Moreover, compromising the network might not be sufficient, as attackers strive to obtain persistency, which requires the use of advanced techniques to evade the security mechanisms installed along the way.

One of the challenges adversaries must face is: How to create threats that will continuously evade security mechanisms, and even if detected, ensure that control of the environment can be easily regained?

In this talk, we briefly discuss some of the past techniques for gaining persistency in a network (using local accounts, GPOs, skeleton key, etc.) and why they are insufficient nowadays.

Followed by a comprehensive analysis of lesser known mechanisms to achieve persistency, using non-mainstream methods (such as object manipulation, Kerberos delegation, etc.).

Finally, we show how defenders can secure their environment against such threats.

Marina Simakov
Marina Simakov is a security researcher at Microsoft, with a specific interest in network based attacks.

She holds an M.Sc in computer science, with several published articles. Gave a talk at BlueHat IL 2016 regarding attacks on local accounts.


Igal Gofman
Igal Gofman is a security Researcher at Microsoft. Igal has a proven track record in network security, research oriented development and threat intelligence.

His research interests include network security, intrusion detection and operating systems.

Before Microsoft, Igal was a Threat Response Team Lead at Check Point Software Technologies leading the development of the intrusion detection system.


Back to top

Abusing Webhooks for Command and Control

Saturday at 11:20 in 101 Track

20 minutes | Demo, Tool

Dimitry Snezhkov Security Consultant, X-Force Red, IBM

You are on the inside of the perimeter. And maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). Problem is - the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You've implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business related websites on the outside.

We have all been there, seeing frustrating proxy denies or triggering security alarms making our presence known.
Having more choices when it comes to outbound network connectivity helps. In this talk we'll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are, how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish almost realtime asynchronous command execution, and even create a command-and-control communication over them, bypassing strict defensive proxies, and even avoiding attribution.

Finally, we'll release the tool that will use the concept of a broker website to work with the external C2 using webhooks.

Dimitry Snezhkov
Dimitry Snezhkov does not like to refer to himself in the third person ;) but when he does he is a Sr. Security Consultant for X-Force Red at IBM, currently focusing on offensive security testing, code hacking and tool building.


Back to top

Phone system testing and other fun tricks

Friday at 15:00 in Track 2

45 minutes | Demo, Tool

"Snide" Owen Hacker

Phone systems have been long forgotten in favor of more modern technology. The phreakers of the past left us a wealth of information, however while moving forward the environments as a whole have become more complex. As a result they are often forgotten, side tracked or neglected to be thoroughly tested. We’ll cover the VoIP landscape, how to test the various components while focussing on PBX and IVR testing. The security issues that may be encountered are mapped to the relative OWASP category for familiarity. Moving on I’ll demonstrate other fun ways that you can utilize a PBX within your future offensive endeavours.

"Snide" Owen
"Snide" Owen has worked in various IT fields from tech support to development. Combining that knowledge he moved into the security field by way of Application Security and is now on an offensive security research team. He enjoys both making and breaking, tinkering with various technologies, and has experimented for prolonged periods with PBX's and the obscure side of VoIP.

Back to top

Hacking travel routers like it's 1999

Friday at 10:20 in Track 2

20 minutes | Demo, Exploit

Mikhail Sosonkin Security Researcher, Synack Inc.

Digital nomads are a growing community and they need internet safety just like anyone else. Trusted security researchers have warned about the dangers of traveling through AirBnB’s. Heeding their advice, I purchased a HooToo TM06 travel router to create my own little enclave while I bounce the globe. Being a researcher myself, I did some double checking.

So, I started fuzzing and reverse engineering. While the TM06 is a cute and versatile little device - protection against network threats, it is not. In this talk, I will take you on my journey revealing my methodology for discovering and exploiting two memory corruption vulnerabilities. The vulnerabilities are severe and while they’ve been reported to the vendor, they are very revealing data points about the security state of such devices. While the device employs some exploitation mitigations, there are many missing. I will be showing how I was able to bypass them and what mitigations should’ve been employed, such as NX-Stack/Heap, canaries, etc, to prevent me from gaining arbitrary shellcode execution.

If you’re interested in security of embedded/IoT systems, travel routers or just good old fashioned MIPS hacking, then this talk is for you!

Mikhail Sosonkin
Mikhail Sosonkin is a Security Researcher at Synack where he digs into the security aspects of low level systems. He enjoys automating aspects of reverse engineering and fuzzing in order to better understand application internals. Mikhail has a CS degree from NYU, where he has also taught Application Security, and a Software Engineering masters from Oxford University. Being a builder and a hacker at heart, his interests are in vulnerability analysis, automation, malware and reverse engineering. Mikhail much enjoys speaking at such conferences as ZeroNights in Moscow and DEF CON in Las Vegas!

@hexlogic, Blog

Back to top

Genetic Diseases to Guide Digital Hacks of the Human Genome: How the Cancer Moonshot Program will Enable Almost Anyone to Crash the Operating System that Runs You or to End Civilization...

Sunday at 12:00 in Track 4

45 minutes

John Sotos Chief Medical Officer, Intel Corporation

The human genome is, fundamentally, a complex open-source digital operating system (and set of application programs) built on the digital molecules DNA and RNA.

The genome has thousands of publicly documented, unpatchable security vulnerabilities, previously called "genetic diseases." Because emerging DNA/RNA technologies, including CRISPR-Cas9 and especially those arising from the Cancer Moonshot program, will create straightforward methods to digitally reprogram the genome in free-living humans, malicious exploitation of genomic vulnerabilities will soon be possible on a wide scale.

This presentation shows the breathtaking potential for such hacks, most notably the exquisite targeting precision that the genome supports — in effect, population, and time — spanning annoyance to organized crime to civilization-ending pandemics far worse than Ebola.

Because humans are poor at responding to less-than-immediate threats, and because there is no marketplace demand for defensive technologies on the DNA/RNA platform, the hacker community has an important role to play in devising thought-experiments to convince policy makers to initiate defensive works, before offensive hacks can be deployed in the wild. Hackers can literally save the world... from ourselves.

John Sotos
John Sotos is Chief Medical Officer at Intel Corporation. He has been programming computers continuously since 1970, excepting four years of medical school at Johns Hopkins, where he also trained as a transplantation cardiologist. His professional interests include hacking the medical diagnostic process, first with a book on edge cases, called "Zebra Cards: An Aid to Obscure Diagnosis," followed by six years as a medical technical consultant on the popular television series "House, MD." His masters degree in artificial intelligence is from Stanford, and he is a co-founder of He is a long-time air rescue flight surgeon for the National Guard; however, the opinions presented here are his own, and do not necessarily represent those of the Department of Defense or Intel.

Back to top

Exploiting Continuous Integration (CI) and Automated Build systems

Sunday at 11:00 in Track 3

45 minutes | Demo, Tool, Exploit

spaceB0x Sr. Security Engineer at LeanKit Inc.

Continuous Integration (CI) systems and similar architecture has taken new direction, especially in the last few years. Automating code builds, tests, and deployments is helping hordes of developers release code, and is saving companies a great amount of time and resources. But at what cost? The sudden and strong demand for these systems have created some widely adopted practices that have large security implications, especially if these systems are hosted internally. I have developed a tool that will help automate some offensive testing against certain popular CI build systems. There has been a large adoption of initiating these builds through web hooks of various kinds, especially changes to public facing code repositories. I will start with a brief overview of some of the more popular CI tools and how they are being used in many organizations. This is good information for understanding, at a high level, the purpose of these systems as well as some security benefits that they can provide. From there we will dive into specific examples of how these different CI implementations have created vulnerabilities (in one case to a CI vendor themselves). Last we will explore the tool, its purpose, and a demonstration of its use. This tool takes advantage of the configurations of various components of the build chain to look for vulnerabilities. It then has the capability to exploit, persist access, command and control vulnerable build containers. Most of the demonstration will revolve around specific CI products and repositories, however the concepts are applicable across most build systems. The goal here is to encourage further exploration of these exploitation concepts. The tool is built "modularly" to facilitate this. If you are new to CI and automated build systems, or if you have been doing it for years, this talk and tool will help you to better secure your architecture

spaceB0x is extremely dedicated to his work in information security. He is the Sr. Security Engineer at a software company called LeanKit. He likes, and occasionally succeeds at, security dev-opsing, web application and network penetration testing, and some other security things. He has written tools for secure key management within automation infrastructures, capturing netflow data, and pwning automated build systems. He loves the hacker community, learning new things, and exploring new ideas.


Back to top

Breaking Wind: Adventures in Hacking Wind Farm Control Networks

Saturday at 10:20 in 101 Track

20 minutes

Jason Staggs Security Researcher at the University of Tulsa

Wind farms are becoming a leading source for renewable energy. The increased reliance on wind energy makes wind farm control systems attractive targets for attackers. This talk explains how wind farm control networks work and how they can be attacked in order to negatively influence wind farm operations (e.g., wind turbine hijacking). Specifically, implementations of the IEC 61400-25 family of communications protocols are investigated (i.e., OPC XML-DA). This research is based on an empirical study of a variety of U.S. based wind farms conducted over a two year period. We explain how these security assessments reveal that wind farm vendor design and implementation flaws have left wind turbine programmable automation controllers and OPC servers vulnerable to attack. Additionally, proof-of-concept attack tools are developed in order to exploit wind farm control network design and implementation vulnerabilities.

Jason Staggs
Dr. Jason Staggs is an independent information security researcher with strong interests in critical infrastructure protection, telecommunications, penetration testing, network security and digital forensics. Jason has spoken at national and international conferences, authored various peer-reviewed publications and lectured undergraduate and graduate level courses on a variety of cyber security topics. His expertise in digital forensics has enabled him to provide invaluable assistance to law enforcement agencies at the local, state and federal levels in order to solve high-profile cybercrimes. In his spare time, Jason enjoys reverse engineering proprietary network stacks in embedded devices and diving through ancient RFCs to demystify obscure network protocols. Jason attended graduate school at The University of Tulsa where he earned his M.S. and Ph.D. degrees in Computer Science.

Back to top

Hacking the Cloud

Thursday at 14:00 in 101 Track

45 minutes | Demo

Gerald Steere Cloud Wrecker, Microsoft

Sean Metcalf CTO, Trimarc

You know the ins and outs of pivoting through your target's domains. You've had the KRBTGT hash for months and laid everything bare. Or have you?

More targets today have some or all of their infrastructure in the cloud. Do you know how to follow once the path leads there? Red teams and penetration testers need to think beyond the traditional network boundaries and follow the data and services they are after. This talk will focus on how to take domain access and leverage internal access as a ticket to your target's cloud deployments.

We will also discuss round trip flights from cloud to on-premises targets and what authorizations are required to access your target's cloud deployments. While this talk is largely focused on Microsoft Azure implementations, the concepts can be applied to most cloud providers.

Gerald Steere
Gerald Steere has been a member of the C+E Red Team since joining Microsoft in June 2014. He regularly dives into the deepest corners of Azure looking for vulnerabilities unique to the cloud scale environment and collecting all the creds. Prior to that, he was a security auditor and penetration tester for three civilian Federal agencies, where he acquired a love for obtaining and cracking as many passwords as possible. He has spoken on cloud security topics at multiple BlueHat events and most recently at BSides Seattle.


Sean Metcalf
Sean Metcalf is founder and principal consultant at Trimarc Security, LLC (, which focuses on mitigating, detecting, and when possible, preventing modern attack techniques. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences.

Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog,


Back to top

Rage Against the Weaponized AI Propaganda Machine

Friday at 11:00 in 101 Track

45 minutes | 0025

Suggy (AKA Chris Sumner) Researcher, The Online Privacy Foundation

Psychographic targeting and the so called "Weaponized AI Propaganda Machine" have been blamed for swaying public opinion in recent political campaigns. But how effective are they? Why are people so divided on certain topics? And what influences their views? This talk presents the results of five studies exploring each of these questions. The studies examined authoritarianism, threat perception, personality-targeted advertising and biases in relation to support for communication surveillance as a counter-terrorism strategy. We found that people with an authoritarian disposition were more likely to be supportive of surveillance, but that those who are less authoritarian became increasingly supportive of such surveillance the greater they perceived the threat of terrorism. Using psychographic targeting we reached Facebook audiences with significantly different views on surveillance and demonstrated how tailoring pro and anti-surveillance ads based on authoritarianism affected return on marketing investment. Finally, we show how debunking propaganda faces big challenges as biases severely limit a person's ability to interpret evidence which runs contrary to their beliefs. The results illustrate the effectiveness of psychographic targeting and the ease with which individuals' inherent differences and biases can be exploited.

Suggy (AKA Chris Sumner)
Suggy is the lead researcher and co-founder of the not-for-profit Online Privacy Foundation, who contribute to the field of psychological research in online contexts. He has authored papers and spoken on this topic at DEF CON and other noteworthy security, psychology, artificial intelligence and machine learning conferences. For the past 4 years, Suggy has served as a member of the DEF CON CFP review board. By day, he works in security strategy at Hewlett Packard Enterprise.


Back to top

Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode

Thursday at 12:00 in 101 Track

45 minutes | Demo, Tool

Matt Suiche Founder, Comae Technologies

Ethereum is gaining a significant popularity in the blockchain community, mainly due to fact that it is design in a way that enables developers to write decentralized applications (Dapps) and smart-contract using blockchain technology.

Ethereum blockchain is a consensus-based globally executed virtual machine, also referred as Ethereum Virtual Machine (EVM) by implemented its own micro-kernel supporting a handful number of instructions, its own stack, memory and storage. This enables the radical new concept of distributed applications.

Contracts live on the blockchain in an Ethereum-specific binary format (EVM bytecode). However, contracts are typically written in some high-level language such as Solidity and then compiled into byte code to be uploaded on the blockchain. Solidity is a contract-oriented, high-level language whose syntax is similar to that of JavaScript.
This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred as secure by design, but now that blockchains can embed applications this raise multiple questions regarding architecture, design, attack vectors and patch deployments.

As we, reverse engineers, know having access to source code is often a luxury. Hence, the need for an open-source tool like Porosity: decompiler for EVM bytecode into readable Solidity-syntax contracts - to enable static and dynamic analysis of compiled contracts.

Matt Suiche
Matt Suiche is recognized as one of the world's leading authorities on memory forensics and application virtualization.

He is the founder of the United Arab Emirates based cyber-security start-up Comae Technologies. Prior to founding Comae, he was the co-founder & Chief Scientist of the application virtualization start-up CloudVolumes which was acquired by VMware in 2014. He also worked as a researcher for the Netherlands Forensic Institute.

His most notable research contributions enabled the community to perform memory-based forensics for Mac OS X memory snapshots but also Windows hibernation files.
Since 2009, Matt has been recognized as a Microsoft Most Valuable Professional in Enterprise Security due to his various contributions to the community.


Back to top

Game of Chromes: Owning the Web with Zombie Chrome Extensions

Sunday at 13:00 in 101 Track

45 minutes | Demo

Tomer Cohen R&D Security Team Leader,

On April 16 2016, an army of bots stormed upon Wix servers, creating new accounts and publishing shady websites in mass. The attack was carried by a malicious Chrome extension, installed on tens of thousands of devices, sending HTTP requests simultaneously. This "Extension Bot" has used Wix websites platform and Facebook messaging service, to distribute itself among users. Two months later, same attackers strike again. This time they used infectious notifications, popping up on Facebook and leading to a malicious Windows-runnable JSE file. Upon clicking, the file ran and installed a Chrome extension on the victim's browser. Then the extension used Facebook messaging once again to pass itself on to more victims.

Analyzing these attacks, we were amazed by the highly elusive nature of these bots, especially when it comes to bypassing web-based bot-detection systems. This shouldn't be surprising, since legit browser extensions are supposed to send Facebook messages, create Wix websites, or in fact perform any action on behalf of the user.

On the other hand, smuggling a malicious extension into Google Web Store and distributing it among victims efficiently, like these attackers did, is let's say - not a stroll in the park. But don't worry, there are other options.

Recently, several popular Chrome extensions were found to be vulnerable to XSS. Yep, the same old XSS every rookie finds in so many web applications. So browser extensions suffer from it too, and sadly, in their case it can be much deadlier than in regular websites. One noticeable example is the Adobe Acrobat Chrome extension, which was silently installed on January 10 by Adobe, on an insane number of 30 million devices. A DOM-based XSS vulnerability in the extension (found by Google Project Zero) allowed an attacker to craft a content that would run Javascript as the extension.

In this talk I will show how such a flaw leads to full and permanent control over the victim's browser, turning the extension into zombie. Additionally, Shedding more light on the 2016 attacks on Wix and Facebook described in the beginning, I will demonstrate how an attacker can use similar techniques to distribute her malicious payload efficiently on to new victims, through popular social platforms - creating the web's most powerful botnet ever.

Tomer Cohen
Tomer Cohen leads the team at responsible for all R&D and production systems security. Previous to that, Tomer has worked as an application security expert in several firms. Tomer was also one of the founders of "Magshimim" cyber training program, which teaches development and cyber security among high-school students in the periphery of Israel.

Back to top

When Privacy Goes Poof! Why It's Gone and Never Coming Back

Saturday at 12:00 in Track 2

45 minutes | 0025

Richard Thieme a.k.a. neuralcowboy

"Get over it!" as Scott McNeeley said - unhelpfully. Only if we understand why it is gone and not coming back do we have a shot at rethinking what privacy means in a new context. Thieme goes deep and wide as he rethinks the place of privacy in the new social/cultural context and challenges contemporary discussions to stop using 20th century frames. Pictures don't fit those frames, including pictures of "ourselves."

We have always known we were cells in a body, but we emphasized "cell-ness". Now we have to emphasize "body-ness" and see ourselves differently. What we see depends on the level of abstraction at which we look. The boundaries we imagine around identities, psyches, private internal spaces," are violated in both directions, going in and going out, by data that, when aggregated, constitutes "us". We are known by others more deeply in recombination from metadata than we know ourselves. We are not who we think we are.

To understand privacy - even what we mean by "individuals" who want it - requires a contrary opinion. Privacy is honored in lip service, but not in the marketplace, where it is violated every day. To confront the challenges of technological change, we have to know what is happening to "us" so we can re-imagine what we mean by privacy, security, and identity. We can't say what we can't think. We need new language to grasp our own new "human nature" that has been reconstituted from elements like orange juice.

The weakest link in discussions of privacy is the definition of privacy, and the definition of privacy is not what we think. Buddhists call enlightenment a "nightmare in daylight", yet it is enlightenment still, and that kind of clarity is the goal of this presentation.

Richard Thieme a.k.a. neuralcowboy
Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. His column, "Islands in the Clickstream," was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the National Security Agency said after they worked together on ethics and intelligence issues, "The only way you can tell the truth is through fiction," he returned to writing short stories, 19 of which are collected in "Mind Games". His latest work is the stunning novel "FOAM", published by Exurban Press September 2015. He is also co-author of the critically extolled "UFOs and Government: A Historical Inquiry", a 5-year research project using material exclusively from government documents and other primary sources, now in 65 university libraries

His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities, including Purdue University (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas, the "Design Matters" lecture series at the University of Calgary, and as a Distinguished Lecturer in Telecommunications Systems at Murray State University. He addressed the reinvention of "Europe" as a "cognitive artifact" for curators and artists at Museum Sztuki in Lodz, Poland, keynoted CONFidence in Krakow 2015, and keynoted "The Real Truth: A World's Fair" at Raven Row Gallery, London, He recently keynoted Code Blue in Tokyo. He loved Tokyo. He has spoken for the National Security Agency, the FBI, the Secret Service, the US Department of the Treasury, and Los Alamos National Labs and has keynoted "hacker",security, and technology conferences around the world. He spoke at DC 24 in 2016 for the 21st year.

Twitter and skype: neuralcowboy
Linked In and FB: Richard Thieme

Back to top

MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt)

Saturday at 15:00 in 101 Track

45 minutes | Demo, Tool

Chris ThompsonRed Team Ops Lead, IBM X-Force Red

Windows Defender Advanced Threat Protection will soon be available for all Blue Teams to utilize within Windows 10 Enterprise, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics. Combined with Microsoft Advanced Threat Analytics for user behavior analytics across the Domain, Red Teamers will soon face a significantly more challenging time maintaining stealth while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.

This talk highlights challenges to red teams posed by Microsoft's new tools based on common hacking tools/techniques, and covers techniques which can be used to bypass, disable, or avoid high severity alerts within Windows Defender ATP and Microsoft ATA, as well as TTP used against mature organizations that may have additional controls in place such as Event Log Forwarding and Sysmon

Chris Thompson
Chris is Red Team Operations Lead at IBM X-Force Red. He has extensive experience performing penetration testing and red teaming for clients in a wide variety of industries. He's led red teaming operations against defense contractors and some of North America's largest banks.

He's on the board for CREST USA (, working to help mature the pentesting industry. Chris also teaches Network & Mobile Pentesting at one of Canada's largest technical schools.

Hacking his way through life, Chris likes to pretend he's a good drone pilot, lock picker, and mountain biker.

Twitter: @retBandit

Back to top

DOOMed Point of Sale Systems

Saturday at 15:00 in Track 3

45 minutes | Demo, Exploit

trixr4skids Security Engineer

In response to public security breaches many retailers have begun efforts to minimize or completely prevent the transmission of unencrypted credit card data through their store networks and point of sale systems. While this is definitely a great improvement over the previous state of affairs; it places the security of transactions squarely in the hands of credit card terminals purchased from third party vendors. These terminals have a security posture that is often not well understood by the retail chains purchasing them. To better understand if the trust placed in these devices is warranted, the attack surface and hardening of a commonly deployed credit card terminal series is reviewed and a discussion of reverse engineered security APIs is presented. Despite the reduced attack surface of the terminals and hardened configuration, attacks that allow recovery of magstripe track data and PIN codes are demonstrated to be possible.

trixr4skids is a security engineer and a recovering consultant. He enjoys hardware hacking, reverse engineering, the occasional webapp RCE, robots, beer, and of course robots that bring him beer. As a child he enjoyed taking apart everything he could get his hands on in a quest to figure out how it worked (his parents did not always appreciate this). He could never figure out what the green rectangles with the black rectangles on them did and often resorted to smashing them with a hammer to see what was inside. Since then he has learned more effective ways to go about discovering the secrets those black things are hiding and even how to make them do different things than intended. His current research projects include attacking embedded devices based on the rabbit 2000/3000 CPUs, studying the security of payment card systems, and hacking anything interesting that he can buy off eBay.


Back to top

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

Friday at 12:00 in Track 3

45 minutes | Demo, Tool, Exploit

Orange Tsai Security Consultant from DEVCORE

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.

Understanding the basics of this technique, the audience won't be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

Orange Tsai
Cheng-Da Tsai, also as known as Orange Tsai, is member of DEVCORE and CHROOT from Taiwan. Speaker of conference such as HITCON, WooYun and AVTokyo. He participates numerous Capture-the-Flags (CTF), and won 2nd place in DEF CON 22 as team member of HITCON.

Currently focusing on vulnerability research & web application security. Orange enjoys to find vulnerabilities and participates Bug Bounty Program. He is enthusiasm for Remote Code Execution (RCE), also uncovered RCE in several vendors, such as Facebook, Uber, Apple, GitHub, Yahoo and Imgur.

Back to top

A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego

Saturday at 13:00 in Track 4

45 minutes | Tool

Philip Tully Principal Data Scientist, ZeroFOX

Michael T. Raggo Chief Security Officer, 802 Secure

Images, videos and other digital media provide a convenient and expressive way to communicate through social networks. But such broadcastable and information-rich content provides ample illicit opportunity as well. Web-prevalent image files like JPEGs can be disguised with foreign data since they're perceivably robust to minor pixel and metadata alterations. Slipping a covert message into one of the billions of daily posted images may be possible, but to what extent can steganography be systematically automated and scaled?

To explore this, we first report the distorting side effects rendered upon images uploaded to popular social network servers, e.g. compression, resizing, format conversion, and metadata stripping. Then, we build a convolutional neural network that learns to reverse engineer these transformations by optimizing hidden data throughput capacity. From pre-uploaded and downloaded image files, the network learns to locate candidate metadata and pixels that are least modifiable during transit, allowing stored hidden payloads to be reliably recalled from newly presented images. Deep learning typically requires tons of training data to avoid over fitting. But data acquisition is trivial using social networks' free image hosting services, which feature bulk uploads and downloads of thousands of images at a time per album.

We show that hidden data can be predictably transmitted through social network images with high fidelity. Our results demonstrate that AI can hide data in plain sight, at large-scale, beyond human visual discernment, and despite third-party manipulation. Steganalysis and other defensive forensic countermeasures are notoriously difficult, and our exfiltration techniques highlight the growing threat posed by automated, AI-powered red teaming.

Philip Tully
Philip Tully is a Principal Data Scientist at ZeroFOX. He employs natural language processing and computer vision techniques in order to develop predictive models for combating security threats emanating from social networks. He earned his joint doctorate degree in computer science from the Royal Institute of Technology (KTH) and the University of Edinburgh, and has spoken at Black Hat, DEF CON , ShowMeCon and across the neuroscience conference circuit. He's a hackademic that's interested in applying brain-inspired algorithms to both blue and red team operations.


Michael T. Raggo
Michael T. Raggo, Chief Security Officer, 802 Secure (CISSP, NSA-IAM, CSI) has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS and PCI, and is a frequent presenter at security conferences, including Black Hat, DEF CON , Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Back to top

Are all BSDs are created equally? A survey of BSD kernel vulnerabilities.

Sunday at 12:00 in Track 2

45 minutes | Demo

Ilja van Sprundel Director of penetration testing, IOActive

In this presentation I start off asking the question "How come there are only a handful of BSD security kernel bugs advisories released every year?" and then proceed to try and look at some data from several sources. It should come as no surprise that those sources are fairly limited and somewhat outdated.

The presentation then moves on to try and collect some data ourselves. This is done by actively investigating and auditing. Code review, fuzzing, runtime testing on all 3 major BSD distributions [NetBSD/OpenBSD/FreeBSD]. This is done by first investigating what would be good places where the bugs might be. Once determined, a detailed review is performed of these places. Samples and demos will be shown.

I end the presentation with some results and conclusions. I will list what the outcome was in terms of bugs found, and who -based on the data I now have- among the 3 main BSD distributions can be seen as the clear winner and loser. I will go into detail about the code quality observed and give some pointers on how to improve some code. Lastly I will try and answer the question I set out to answer ("How come there are only a handful of BSD security kernel bugs advisories released every year?").

Ilja van Sprundel
Ilja van Sprundel is experienced in exploit development and network and application testing. As IOActive's Director of Penetration Testing, he performs primarily gray-box penetration testing engagements on mobile (specializing in iOS) and runtime (specializing in Windows kernel) applications that require customized fuzzing and source code review, identifying system vulnerabilities, and designing custom security solutions for clients in technology development telecommunications, and financial services. van Sprundel specializes in the assessment of low-level kernel code and architecture/infrastructure design, having security reviewed literally hundreds of thousands of lines of code. However, as a Director, he also functions in a managerial capacity by overseeing penetration testing engagements, providing oversight regarding technical accuracy, serving as the point of contact between technical consultants and technical stakeholders, and ensuring that engagements are delivered on time and in alignment with customer's expectations. van Sprundel also is responsible to mentor and guide Associate-level consultants as they grow both their penetration testing and general consulting skillsets. He is the driver behind the team's implementation of cutting-edge techniques and tools, guided by both research and successful exploits performed during client engagements.

Back to top

The Last CTF Talk You'll Ever Need: AMA with 20 years of DEF CON Capture-the-Flag organizers

Thursday at 16:00 in 101 Track 2

105 minutes | Hacker History

Vulc@n Difensiva Senior Engineer, DDTEK

Hawaii John CTF organizer, Legit Business Syndicate

Chris Eagle CTF organizer, DDTEK

Invisigoth CTF organizer, Kenshoto

Caezar CTF organizer, Ghetto Hackers

Myles CTF organizer, Goon

Today there is practically a year-round CTF circuit, on which teams hone their skills, win prizes and attain stature. For many, the ultimate goal is to dominate in the utmost competition, DEF CON's CTF, and walk away with a coveted black badge. Capture-the-Flag (CTF) is one of DEF CON's oldest contests, dating back to DEF CON 4. Over the past decades, the perennial contest has matured into an annual event requiring months of preparation and nearly continuous dedication both of players and organizers. Organizers strive to make the events unique while taking extreme measures to prevent games from being gamed. Participants often have to cope with novel challenges while simultaneously demonstrating continued excellence in domains like reverse engineering, vulnerability discovery, exploitation, digital forensics, cryptography, and network security. In this session, we will present the evolution of DEF CON CTF, highlighting key points of advancement in the CTF culture - most of which broke new ground and are now present in other contests run around the world. Capitalizing on the multi-year tenure of recent DEF CON CTF organizers, we are able to concisely represent over 20 years of organizers on a single panel. Where else can you ask cross-generational questions about challenges of running CTF? Where else can you inquire about evolutionary design, and get answers from those that actually did it? Where else can you ask about hidden challenges, secrets, and CTF lore...from whom it originated?

The panelists represent over 20 years of DEF CON CTF organizers. Staples in the CTF community are present comprising of decades of experience in participating and organizing CTFs. On stage we have past organizers representing Legit BS, DDTEK, Kenshoto, Ghetto Hackers, and before — many of which also participated as part of top recurring teams such as Sk3wl of r00t, Ghetto Hackers, Samurai, and Team Awesome. Many also played some role (infrastructure, challenge author, announcer) in the Cyber Grand Challenge culminating last summer at DEF CON. They have received and distributed dozens of black badges. Panelists and the roles they represent for this panel: Hawaii John, Legit Business Syndicate; Chris Eagle, DDTEK; Invisigoth, Kenshoto; Caezar, Ghetto Hackers; Myles, Goon.

Vulc@n have been involved in the community since DEF CON 11, which in some ways seems recent but upon reflection is clearly more than a decade ago. In his early years he sprinted from talk to talk, dodging curious things like mid-school aged folks with baby chickens, couches in purple-dyed pools, and real dunk tanks. He even sat through talks in the blistering heat in outdoor tents at Alexis Park. Starting with his second year attending, he was pulled more and more into the CTF contest with then new-found and now lifelong friends at Sk3wl of r00t. Much of his time in the years since has been dedicated to playing in CTF or organizing it (as part of DDTEK). Ever since convincing one of his college professors to finance my first DEF CON trip, the hacker scene has been kind to him. He now finds himself in possession of two black badges (and leather jacket). More recently he was part of the Cyber Grand Challenge development team and was an on-stage referees for the all-computer hacking competition this past summer. In summary, it seems that he just keeps finding novel ways to be very involved with DEF CON and CTF.

@tvidas, @ddtek

Hawaii John
Bio coming soon.

@LegitBS_CTF, @hj_lbs

Chris Eagle
Bio coming soon.


Bio coming soon.


Bio coming soon.

Bio coming soon.

Back to top

Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server

Friday at 10:20 in 101 Track

20 minutes | Demo, Tool

Patrick Wardle Chief Security Researcher, Synack / Creator of Objective-See

Creating a custom command and control (C&C) server for someone else's malware has a myriad of benefits. If you can take over it a domain, you then may able to fully hijack other hackers' infected hosts. A more prosaic benefit is expediting analysis. While hackers and governments may be more interested in the former, malware analysts can benefit from the later

FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that even now, is only detected by a handful of security products.

We'll begin by analyzing the malware's dropper, an obfuscated perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.

While this dropper component also communicates with the C&C server and supports some basic commands, it drops a binary payload in order to perform more complex actions. However, instead of fully reversing this piece of the malware, the talk will focus on an initial triage and show how this was sufficient for the creation of a custom C&C server. With such a server, we can easily coerce the malware to reveal it's full capabilities. For example, the malware invokes a handful of low-level mouse & graphics APIs, passing in a variety of dynamic parameters. Instead of spending hours reversing and debugging this complex code, via the C&C server, we can simply send it various commands and observe the effects.

Of course this approach hinges on the ability to closely observe the malware's actions. As such, we'll discuss macOS-specific tools that can monitor various events, and where necessary detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes commands sent from the malware to the OS, in order to control the mouse).

While some of this talk is FruitFly and/or macOS specific, conceptually it should broadly apply to analyzing other malware, even on other operating systems :)

Patrick Wardle
Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, and well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects macOS malware and writes free macOS security tools.


Back to top

Death By 1000 Installers; on macOS, it's all broken!

Friday at 14:00 in Track 2

45 minutes | Demo, Exploit

Patrick Wardle Chief Security Researcher, Synack

Ever get an uneasy feeling when an installer asks for your password? Well, your gut was right! The majority of macOS installers & updaters are vulnerable to a wide range of priv-esc attacks.

It began with the discovery that Apple's OS updater could be abused to bypass SIP (CVE-2017-6974). Next, turns out Apple's core installer app may be subverted to load unsigned dylibs which may elevate privileges to root.

And what about 3rd-party installers? I looked at what's installed on my Mac, and ahhh, so many bugs!

Firewall, Little Snitch: EoP via race condition of insecure plist
Anti-Virus, Sophos: EoP via hijack of binary component
Browser, Google Chrome: EoP via script hijack
Virtualization, VMWare Fusion: EoP via race condition of insecure script
IoT, DropCam: EoP via hijack of binary component
and more!

...and 3rd-party auto-update frameworks like Sparkle -yup vulnerable too!

Though root is great, we can't bypass SIP nor load unsigned kexts. However with root, I discovered one could now trigger a ring-0 heap-overflow that provides complete system control.

Though the talk will discuss a variety of discovery mechanisms, 0days, and macOS exploitation techniques, it won't be all doom & gloom. We'll end by discussing ways to perform authorized installs/upgrades that don't undermine system security."

Patrick Wardle
Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, and as well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools.


Back to top

If You Give a Mouse a Microchip... It will execute a payload and cheat at your high-stakes video game tournament

Saturday at 11:00 in Track 3

45 minutes | Demo

skud (Mark Williams) Embedded Software Engineer

Sky (Rob Stanley) Security Software Engineer, Lead

The International, a recent esports tournament, had a 20 million dollar prize pool with over five million people tuned in to the final match. The high stakes environment at tournaments creates an incentive for players to cheat for a competitive advantage. Cheaters are always finding new ways to modify software, from attempting to sneak executables in on flash drives, to using cheats stored in Steam's online workshop which bypasses IP restrictions.

This presentation describes how one can circumvent existing security controls to sneak a payload (game cheat) onto a target computer. Esports tournaments typically allow players to provide their own mouse and keyboard, as these players prefer to use specific devices or may be obligated to use a sponsor branded device. These "simple" USB input devices can still be used to execute complex commands on a computer via the USB Human Interface Device (HID) protocol.

Our attack vector is a mouse with an ARM Cortex M series processor. The microcontroller stores custom user profiles in flash memory, allowing the mouse to retain user settings between multiple computers. We modify the device's firmware to execute a payload delivery program, stored in free space in flash memory, before returning the mouse to its original functionality. Retaining original functionality allows the mouse to be used discreetly, as it is an "expected" device at these tournaments. This concept applies to any USB device that uses this processor, and does not require obvious physical modifications.

This delivery method has tradeoffs. Our exploit is observable, as windows are created and in focus during payload delivery. The advantage to this approach is that it bypasses other security measures that are commonly in place, such as filtered internet traffic and disabled USB mass storage.

skud (Mark Williams)
Mark Williams is an embedded software engineer with experience in robotics and computer vision. His interest in embedded systems security and research builds off of a love for DIY projects, microcontrollers, and breaking things.


Sky (Rob Stanley)
Rob Stanley is a lead security software engineer with a background in reverse engineering. He enjoys working with low-level software, taking things apart and putting them back together, and malware analysis. Lately, he has turned his passion towards sharing his knowledge by teaching, and authoring CTF challenge problems.

Back to top

See no evil, hear no evil: Hacking invisibly and silently with light and sound

Thursday at 14:00 in 101 Track 2

45 minutes | Demo, Tool

Matt Wixey Senior Associate, PwC

Traditional techniques for C2 channels, exfiltration, surveillance, and exploitation are often frustrated by the growing sophistication and prevalence of security protections, monitoring solutions, and controls. Whilst all is definitely not lost, from an attacker's perspective - we constantly see examples of attackers creatively bypassing such protections - it is always beneficial to have more weapons in one's arsenal, particularly when coming up against heavily-defended networks and highly-secured environments.

This talk demonstrates a number of techniques and attacks which leverage light and/or sound, using off-the-shelf hardware. It covers everything from C2 channels and exfiltration using light and near-ultrasonic sound, to disabling and disrupting motion detectors; from laser microphones, to repelling drones; from trolling friends, to jamming speech and demotivating malware analysts.

This talk not only provides attendees with a new suite of techniques and methodologies to consider when coming up against a well-defended target, but also demonstrates, in a hopefully fun and practical way, how these techniques work, their advantages, disadvantages, and possible future developments. It also gives details of real case studies where some of these techniques have been used, and provides defenders with realistic methods for the mitigation of these attacks.

Finally, the talk covers some ideas for future research in this area.

Matt Wixey
Matt Wixey is a penetration tester on PwC's Threat and Vulnerability Management team in the UK, and leads the team's research function. Prior to joining PwC, he led a technical R&D team in a UK law enforcement agency. His research interests include bypassing air-gaps, antivirus and sandbox technologies, and RF hacking.


Back to top

Assembly Language is Too High Level

Friday at 15:00 in 101 Track

45 minutes | Demo, Tool, Exploit

XlogicX Machine Hacker

Do you have a collection of vulnerable programs that you have not yet been able to exploit? There may yet still be hope. This talk will show you how to look deeper (lower level). If you've ever heard experts say how x86 assembly language is just a one-to-one relationship to its machine-code, then we need to have a talk. This is that talk; gruesome detail on how an assembly instruction can have multiple valid representations in machine-code and vice versa. You can also just take my word for it, ignore the details like a bro, and use the tool that will be released for this talk: the Interactive Redundant Assembler (irasm). You can just copy the alternate machine code from the tool and use it in other tools like mona, use it to give yourself more options for self-modifying code, fork Hydan (stego) and give it more variety, or to create peace on earth.

XlogicX hacks at anything low level. He's unmasked sanitized IP addresses in packets (because checksums) and crafts his own pcaps with just xxd. He feeds complete garbage to forensic tools, AV products, decompression software, and intrusion detection systems. He made evil strings more evil (with automation) to exploit high consumption regular expressions. Lately he has been declaring war on assembly language (calling it too high-level) and doing all kinds of ignorant things with machine code. More information can be found on


Back to top

There's no place like - Achieving reliable DNS rebinding in modern browsers

Thursday at 10:00 in 101 Track

45 minutes | Demo, Tool, Exploit

Luke Young Senior Information Security Engineer, LinkedIn

Most people lock their doors at night, however if you walk into someone's home you likely won't find every piece of furniture bolted to the floor as well. We trust that if someone is inside our home they are supposed to be there. Unfortunately many developers treat local networks just the same, assuming all internal HTTP traffic is trusted, however this is not always the case. They incorrectly assume that their services will be protected by the same-origin policy in browsers, rather than implementing proper authentication mechanisms. By abusing this implicit trust we can gain access to confidential data and internal services which are not intended to be publicly accessible.

I will demonstrate that this is a poor security control and can be trivially bypassed via an older technique, DNS rebinding. The talk will cover how DNS rebinding works, the mitigations imposed by modern browsers and networks, and how each mitigation can be bypassed. I will discuss the notorious unreliability of DNS rebinding attacks that causes many developers to ignore the issue and how to overcome this unreliability.

Finally, I will examine a variety of popular services and tools to understand how they are affected by DNS rebinding. I will be releasing a tool that allows researchers to automate DNS rebinding attacks, the associated mitigation bypasses and generate drop-dead simple proof-of-concept exploits. I will demonstrate this tool by developing exploits for each vulnerable service, ending the talk by exploiting a vulnerable service to obtain remote-code execution, live.

Luke Young
Luke Young is a security researcher originally from the frozen plains of Minnesota who recently migrated to the much warmer state of California. He presented at DEF CON 23 on the topic of exploiting bitflips in memory, DEF CON 24 on the subject of large DDoS attacks and has investigated a variety of well-known products and network protocols resulting in numerous CVE assignments. He spends his free-time maintaining his position as one of the top researchers on various bug bounty platforms and is currently working as a Senior Information Security Engineer at LinkedIn.


Back to top

25 Years of Program Analysis

Sunday at 15:00 in 101 Track

45 minutes | Hacker History, Demo

Zardus (Yan Shoshitaishvili) Assitant Professor, Arizona State University

Last year, DARPA hosted the Cyber Grand Challenge, the culmination of humanity's research into autonomous detection, exploitation, and mitigation of software vulnerabilities. Imagine the CGC from the outside: huge racks of servers battling it out on stage, throwing exploit after exploit at each other while humans watch helplessly from the sidelines. But that vantage point misses the program analysis methods used, the subtle trade-offs made, and the actual capabilities of these systems. It also misses why, outside of the controlled CGC environment, most automated techniques don't quite scale to the analysis of real-world software!

This talk will provide a better perspective. On the 25th anniversary of DEFCON, we will go through these last 25 years of program analysis. We'll learn about the different disciplines of program analysis (and learn strange terms such as static, dynamic, symbolic, and abstract), understand the strength and drawbacks of each, and see if, and to what extent, they are used in the course of actual vulnerability analysis.

Did you know that every finalist system in the Cyber Grand Challenge used a combination of dynamic analysis and symbolic execution to find vulnerabilities, but used static analysis to patch them? Why is that? Did you know that, to make the contest feasible for modern program analysis techniques, the CGC enforced a drastically-simplified OS model? What does this mean for you, if you want to use program analysis while finding vulns and collecting bug bounties? Come to this talk, become an expert, and go on to contribute to the future of program analysis!

Zardus (Yan Shoshitaishvili)
Zardus is one of the hacking aces on Shellphish, the oldest-running CTF team in the world. He's been attending DEFCON since 2001, playing DEFCON CTF since 2009, and talking at DEFCON since 2015. Through this time, he also pursued a PhD in Computer Security, focusing on Program Analysis. The application of cutting-edge academic program analysis techniques to CTF (and, later, to his participation in the DARPA Cyber Grand Challenge, where he led Shellphish to a 3rd-place victory and a big prize payout) gave Zardus a unique understanding of the actual capabilities of the state of the art of program analysis, which in turn drove his research and culminated in the release of the angr binary analysis framework and the Mechanical Phish, one of the world's first autonomous Cyber Reasoning Systems.

Back to top

CITL and the Digital Standard - A Year Later

Friday at 12:00 in 101 Track

45 minutes | Art of Defense

Sarah Zatko Chief Scientist, Cyber ITL

A year ago, Mudge and I introduced the non-profit Cyber ITL at DEF CON and its approach to automated software safety analysis. Now, we'll be covering highlights from the past year's research findings, including our in-depth analysis of several different operating systems, browsers, and IoT products.

Parts of our methodologies have now been adopted by Consumer Reports and rolled into their Digital Standard for evaluating safety, security, and privacy, in a range of consumer devices. The standard defines important consumer values that must be addressed in product development, with the goal of enabling consumer organizations to test, evaluate, and report on whether new products protect consumer security, safety, and privacy.

Sarah Zatko
Sarah Zatko is the Chief Scientist at the Cyber Independent Testing Lab (CITL), where she develops testing protocols to assess the security and risk profile of commercial software. She also works on developing automated reporting mechanisms to make such information understandable and accessible to a variety of software consumers. The CITL is a non-profit organization dedicated to empowering consumers to understand risk in software products. Sarah has degrees in Math and Computer Science from MIT and Boston University. Prior to her position at CITL, she worked as a computer security professional in the public and private sector.

Back to top

All Your Things Are Belong To Us

Saturday at 11:20 in Track 4

75 minutes | Demo, Exploit

Zenofex Hacker

0x00string Hacker

CJ_000 Hacker

Maximus64 Hacker

Get out your rollerblades, plug in your camo keyboard, and fire up your BLT drive. It's 25 years later and we're still hacking the planet. The are back with new 0day, new exploits and more fun. Celebrating a quarter century of DEF CON the best way we know how: hacking everything!

Our presentation will showcase vulnerabilities discovered during our research into thousands of dollars of IoT gear performed exclusively for DEF CON. We will be releasing all the vulnerabilities during the presentation as 0days to give attendees the ability to go home and unlock their hardware prior to patches being released. As always, to give back to the community that has given us so much, we will be handing out free hardware during the presentation so you can hack all the things too!Come party with us while we make "All Your Things Are Belong To Us."

Zenofex (@zenofex) is a researcher with Amir founded "" which is a public research group and has released exploits for over 45 devices including the Amazon FireTV, Roku Media Player and the Google Chromecast. Amir is also a member of Austin Hackers and has spoken at a number of security conferences including DEF CON, B-Sides Austin, and InfoSec Southwest.


0x00string (@0x00string) is hacker and security researcher, a recent addition to who has presented at BSidesSATX and ISSW. His previous published work includes Reverse Engineering The Kankun Smart Plug, and Hacking The Samsung Allshare Cast Hub. His hobbies include bug collecting and hacking all the things.


Cj_000 (@cj_000) is a researcher in the Cyber and Information Security directorate at *redacted* and also a member of CJ has been involved in the release and responsible disclosure of vulnerabilities in a number of devices including TV's, media players, and refrigerators. CJ has presented at multiple DEF CON's and believes that a simple approach is often the most elegant solution.


Maximus64 (@maximus64_) is an undergraduate student at the University of Central Florida. Khoa enjoys a hardware based approach in researching embedded devices and is a master of the soldering iron. Khoa has disclosed numerous vulnerabilities in various set-top boxes and other "smart" devices to multiple vendors. He is currently listed on various "Security Hall of Fame" pages for successful bug bounty submissions including AT&T, Samsung and Roku.


Back to top

macOS/iOS Kernel Debugging and Heap Feng Shui

Friday at 10:00 in 101 Track

20 minutes

Min(Spark) Zheng Security Expert @ Alibaba Inc. Ph.D of CUHK.

Xiangyu Liu Security Engineer @ Alibaba Inc. Ph.D of CUHK.

Kernel bug is always very difficult to reproduce and may lead to the entire system panic and restart. In practice, kernel debugging is the only way to analyze panic scenes. However, implementing such a technique in real world is not an easy task since kernel code cannot be executed in the debugger, thus is hard to be tracked. Luckily, macOS has provided a very powerful kernel debugging mechanism, KDK (Kernel Development Kit), to assist people to analyze and develop kernel exploits. While for iOS, although there is no official kernel debugger, it is also possible for us to achieve kernel debugging by leveraging some tricks.

In this talk, we will share some kernel debugging techniques and their corresponding tricks on the latest iOS/macOS. In addition, we will also introduce the new kernel heap mitigation mechanisms on iOS 10/macOS 10.12 and two heap feng shui techniques to bypass them. Finally, we will demonstrate how to debug a concrete kernel heap overflow bug and then leverage our new heap feng shui techniques to gain arbitrary kernel memory read/write on the iOS 10.2/macOS 10.12.

Min(Spark) Zheng
Min(Spark) Zheng, Security Expert @ Alibaba Inc. Ph.D of CUHK.

Xiangyu Liu
Xiangyu Liu, Security Engineer @ Alibaba Inc. Ph.D of CUHK.

Back to top

'Ghost Telephonist' Impersonates You Through LTE CSFB

Sunday at 11:00 in Track 4

45 minutes | Exploit

Yuwei Zheng Hacker

Lin Huang Hacker

One vulnerability in CSFB (Circuit Switched Fallback) in 4G LTE network will be presented. In the CSFB procedure, we found the authentication step is missing. This results in that an attacker can hijack the victim's communication. We named this attack as 'Ghost Telephonist'. Several exploitations can be made based on this vulnerability. When the call or SMS is not encrypted, or weakly encrypted, the attacker can impersonate the victim to receive the "Mobile Terminated" calls and messages or to initiate the "Mobile Originated" calls and messages. Furthermore, Telephonist Attack can obtain the victim's phone number and then use the phone number to make advanced attack, e.g. breaking Internet online accounts. These attacks can randomly choose victims, or target a given victim. We verified these attack with our own phones in operators' network in a small controllable scale. The experiments proved the vulnerability really exists. The attack doesn't need fake base station so the attack cost is low. The victim doesn't sense being attacked since no fake base station and no cell re-selection. Now we are collaborating with operators and terminal manufactures to fix this vulnerability.

Yuwei Zheng
Yuwei Zheng is a senior security researcher from Radio Security Research Dept. of 360 Technology. He has rich experiences in embedded systems over 10 years. He reversed blackberry BBM, PIN, BIS push mail protocol, and decrypted the network stream successfully in 2011. He successfully implemented a MITM attack for Blackberry BES based on a modified ECMQV protocol of RIM. He focuses on the security issues of embedded hardware and IOT systems. He was the speaker of DEF CON , HITB etc.


Lin Huang
Lin HUANG is a wireless security researcher and SDR technology expert, from Radio Security Research Dept. of 360 Technology. Her interests include the security issues in wireless communication, especially the cellular network security. She was the speaker of some security conferences, DEF CON , HITB, POC etc. She is the 3GPP SA3 delegate of 360 Technology.

Contributor Acknowledgement:

The Speakers would like to acknowledge Qing YANG, for his contribution to the presentation. Qing YANG is the founder of UnicornTeam & Radio Security Research Department in 360 Technology. He has rich experiences in information security area. He made presentations at BlackHat, DEF CON , CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Back to top