
DEF CON 27 Hacking Conference

Speakers

HTTP Desync Attacks: Smashing into the Cell Next Door

Sunday at 12:00 in Track 3
45 minutes | Demo, Tool

albinowax Head of Research, PortSwigger

HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.

Using these targets as case studies, I'll show you how to delicately amend victims' requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I'll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page.

Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice.

albinowax
James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU.

Twitter: @albinowax
Website: https://skeletonscribe.net/


Want Strong Isolation? Just Reset Your Processor

Sunday at 13:00 in Track 4
45 minutes | Demo, Tool

Anish Athalye PhD student at MIT

Today's systems sandbox code through traditional techniques: memory protection and user-kernel mode. Even high-security devices like hardware cryptocurrency wallets use such an architecture. Unfortunately, this arrangement has a history of security bugs due to misconfigured protection hardware, bugs in kernel code, hardware bugs, and side channels.

This talk proposes a new approach to isolation for devices like crypto wallets: separate the user and kernel onto two CPUs and multiplex processes by completely resetting the user processor between tasks so that there is no leakage.

Processor reset is more complicated than might be expected. Simply asserting the reset line isn't enough to clear all CPU-internal state, but it turns out that software can be used to clear this state. However, reasoning about the correctness of such code is challenging. This talk presents a tool that can be used to develop and formally verify the correctness of reset code for a given CPU implementation.

This talk also walks through a design of a wallet based on this reset-based isolation technique, discusses known security vulnerabilities in current designs such as the Ledger and Trezor wallets (including bugs in MPU misconfiguration, system calls, and drivers), and explores how a reset-based design could prevent such vulnerabilities.

Anish Athalye
Anish is a PhD student at MIT working on systems, security, and formal verification. He is currently interested in making hardware wallets more secure. In his free time, he enjoys bending neural networks to his will: among other exploits, he has mastered the art of transfiguration (as far as computers are concerned), exemplified by turning a turtle into a rifle.

Twitter: @anishathalye
Websites: anish.io (academic), anishathalye.com (blog)


HackPac: Hacking Pointer Authentication in iOS User Space

Friday at 13:00 in Track 1
45 minutes | Demo, Tool, Exploit

Xiaolong Bai

Min (Spark) Zheng

Pointer Authentication (in short, PAuth) is the latest security mechanism in iOS. It is proposed to protect the integrity of pointers with hardware-assisted encryption, thus eliminating the threats of code-reuse attacks. In PAuth, a cryptographic signature called PAC is calculated from a pointer value and inserted into the pointer. When the pointer is about to be used, the PAC is extracted and verified to check whether it is consistent with the original pointer value. In this way, PAuth is able to ensure that the pointers are not tampered with. iOS deployed PAuth in user-space system services, protecting pointers that may affect the control flow and preventing code-reuse attacks like ROP and JOP.

However, in our study, we found that a fatal flaw in the implementation of iOS PAuth makes user-space system services still vulnerable to code-reuse attacks. The flaw is: iOS uses the same signing key in different user-space processes. This flaw allows a signed pointer from a malicious process to be correctly verified in a system service, thus making it possible to launch JOP. In this talk, we will explain how we found the flaw and why it is inevitable. Furthermore, we will demonstrate how to leverage this flaw and launch JOP attacks in a PAuth-protected system service. Also, we will propose a new tool, PAC-gadget, to automatically find JOP gadgets in PAuth-protected binaries.

Xiaolong Bai
Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. degree from Tsinghua University. He has published several research papers at top conferences including IEEE S&P, Usenix Security, CCS, and NDSS, and presented his research at Black Hat, DEF CON, HITB, CanSecWest, etc. He has been acknowledged by famous vendors, including Apple, Google, Facebook, Evernote, and Tencent for his contribution to discovering vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development.

Twitter: @bxl1989
Website: https://xiaolongbai.weebly.com/
Github: https://github.com/bxl1989/

Min (Spark) Zheng
Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. degree in the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, and system design and implementation. Before receiving the Alibaba A-Star offer award in 2015, he worked at FireEye, Baidu and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the "best security researcher" award at FIT 2016 for detecting the iOS/macOS vulnerabilities, the XcodeGhost virus and the WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He has presented his research at DEF CON, HITB, BlackHat, RUXCON, etc.

Twitter: @SparkZheng


Help Me, Vulnerabilities. You're My Only Hope

Sunday at 12:00 in Track 4
45 minutes | Tool, Exploit

Jacob Baines Research Engineer, Tenable

MikroTik routers keep getting owned. They’ve been exploited by advanced threats like VPNFilter, Slingshot APT, and Trickbot. They’ve been compromised by coin miners, botnets, and who knows what else. With each new campaign the security industry publishes new indicators of compromise and everyone moves on.

However, MikroTik administrators operate in a sandbox. They have very limited access to the router’s underlying file system and almost no ability to directly interact with the Linux operating system. Due to these limitations, file hashes cannot answer the fundamental question that is asked again and again on the MikroTik forums, “Have I been compromised?”

It’s time the users had their question answered. In this talk, I’ll present three vulnerabilities that can help MikroTik administrators break out of the sandbox. I’ll show how to use these vulnerabilities to help determine if the router has been compromised.

Jacob Baines
Jacob is the founding member of Tenable's Zero Day Research group. He focuses much of his research efforts on routers and other IoT devices. Sometimes he even finds vulnerabilities.

Twitter: @junior_baines


Hacking WebAssembly Games with Binary Instrumentation

Sunday at 10:00 in Track 3
45 minutes | Demo, Tool

Jack Baker

WebAssembly is the newest way to play video games in your web browser. Both Unity3d and Unreal Engine now support WebAssembly, meaning the amount of WebAssembly games available is growing rapidly. Unfortunately the WebAssembly specification is missing some features game hackers might otherwise rely on. In this talk I will demonstrate adapting a number of game hacking techniques to WebAssembly while dealing with the limitations of the specification.

For reverse engineers, I will show how to build and inject your own "watchpoints" for debugging WebAssembly binaries and how to insert symbols into a stripped binary.

For game hackers, I will show how to use binary instrumentation to implement some old-school game hacking tricks and show off some new ones.

I will be releasing two tools: a binary instrumentation library built for modifying WebAssembly binaries in the browser, and a browser extension that implements common game hacking methods a la Cheat Engine.

Jack Baker
Jack Baker is a professional vulnerability researcher and amateur video game hacker. His primary areas of expertise include web application security, embedded reverse engineering, and Tony Hawk's Pro Skater 3.

Github: https://github.com/Qwokka


The ABC of Next-Gen Shellcoding

Sunday at 11:00 in Track 1
45 minutes | Demo, Tool

Hadrien Barral Hacker

Rémi Géraud-Stewart Hacker

Georges-Axel Jaloyan PhD Student at ENS

Shellcodes are short executable stubs that are used in various attack scenarios, whenever code execution is possible. After briefly recalling how they work in general and what interesting things they can do, besides obviously running a reverse-shell, we'll have to deal with the reality that shellcodes are usually not particularly stealthy, due in part to the very suspicious presence of non-printable characters. In a tutorial-like fashion, we'll address increasingly complex constraints. As a reward, we reveal new methods for writing alphanumeric shellcodes in particular, and for attacking platforms for which (to the best of our knowledge) no such shellcode was previously known.

Don't know anything about constrained shellcodes? Do not worry: we'll start from the ground up. Black-belt in shellcoding? We have you covered, stay until the end where we'll get our hands dirty!

Hadrien Barral
Hadrien Barral is an R&D engineer, focusing on Operating Systems, Security and High-Assurance software. In his spare time, he enjoys hacking on various and obscure systems.

Rémi Géraud-Stewart
Rémi Géraud-Stewart is a cryptologist and security expert with Ecole normale superieure in Paris, focusing on intrusion and cyberwarfare.

Georges-Axel Jaloyan
Georges-Axel Jaloyan is a PhD student at Ecole normale supérieure in Paris focusing on formal methods applied to reverse-engineering, in collaboration with the French Alternative Energies and Atomic Energy Commission (CEA).


Are Quantum Computers Really A Threat To Cryptography? A Practical Overview Of Current State-Of-The-Art Techniques With Some Interesting Surprises

Thursday at 12:00 in DC101, Paris Theatre
45 minutes | Demo

Andreas Baumhof Vice President Quantum Technologies, QuintessenceLabs Inc.

Shor's Algorithm for factoring integer numbers is the big threat to cryptography (RSA/ECC) as it reduces the complexity from exponential to polynomial, which means a Quantum Computer can reduce the time to crack RSA-2048 to a mere 10 seconds. However current noisy NISQ type quantum computers are very limited to something like 16 bit RSA keys. And the quality of the current qubits is so bad that error-correction comes at a massive cost of at least 100 times the amount of qubits.

While the world is pre-occupied with whether we have universal quantum computers big enough for Shor's algorithm, Quantum Annealing is stealing the show, having factored a 20-bit number just in January this year using 97 qubits. And these qubits are actually good enough to factor bigger numbers. If we assume linear scalability, we'd "only" need around 10,000 qubits to factor a 2048-bit RSA key. D-Wave announced a quantum computer with 5,640 qubits, so that puts it within reach soon.

So, could Quantum Annealing be more of a threat to cryptography than Shor's algorithm on universal quantum computers? How do these algorithms work? How do they achieve a polynomial complexity to what traditional computers need exponential time? What impact will this have on the competition from NIST for the design of post-quantum-cryptography algorithms?

Andreas Baumhof
Andreas Baumhof is Vice President Quantum Technologies at Quintessence Labs. He is responsible for all developments relating to Quantum Technologies such as Quantum Random Number Generators, Quantum Key Distribution or Quantum Computing in general. Before this role, Andreas was CTO for ThreatMetrix Inc, the global leader in digital identities, where he was responsible for software engineering. He helped lead the company to a very successful exit and an 830m USD acquisition by Lexis Nexis/RELX. Andreas holds a mathematics degree from the University of Munich. In his spare time he enjoys mountain biking, snowboarding and spending time with his family.

Twitter: @abaumhof
LinkedIn: https://www.linkedin.com/in/abaumhof/


Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers

Sunday at 10:00 in Track 1
45 minutes | Demo, Tool

Sheila Ayelen Berta Security Researcher

Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, car’s ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots.

In this talk, it will be explained how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieve payload injection, from basic to advanced techniques. The first method consists of locating the entry point of the firmware and injecting our payload there; this is an easy way to execute it at least once. As a second, more complex, technique, we will backdoor the EUSART communication by injecting a malicious payload at the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allows us to take control of the microcontroller's program flow by manipulating the stack, writing memory addresses at the TOS; with this we can execute a payload made with instructions already written in the original program, performing it just like a ROP-chain technique.

Sheila Ayelen Berta
Sheila Ayelen Berta is an Information Security Specialist and Developer, who started teaching herself at 12 years old. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and software. She has also given courses on Hacking Techniques at universities and private institutes in Argentina. Sheila currently works as a Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers and microprocessors x86/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat Briefings, DEF CON 26, DEF CON 25 CHV, HITB, HackInParis, Ekoparty, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.

Twitter: @UnaPibaGeek


Behind the Scenes: The Industry of Social Media Manipulation Driven by Malware

Friday at 10:00 in Track 3
45 minutes

Olivier Bilodeau Cybersecurity Research Lead at GoSecure

Masarah Paquet-Clouston Cybersecurity Researcher at GoSecure

This talk is the grand finale of a four-year long investigation that started with analyzing an IoT botnet, to discovering the structured industry that exists behind social media manipulation (SMM). SMM is the deliberate act of paying for popularity with followers or activity on social media.

Adopting a bottom-up approach, the thorough methodology undertaken to study the botnet will be presented: from building honeypots, infecting them with malware and conducting a man-in-the-middle attack on the honeypots' traffic to access the decrypted HTTPS content between the C&Cs and social networks. Then, the various investigative paths taken to analyze this large data set, leading to the discovery of industry actors involved in the supply chain of social media manipulation, will be presented. These investigative paths include traffic analysis, various OSINT approaches to reveal and understand actors, reverse-engineering the software that automates the use and creation of fake accounts, forum investigations, and qualitative profiling. All actors involved in the industry will be mapped, from malware authors, to reseller panels, and customers of fake popularity.

The potential profitability of the industry will then be discussed, as well as the revenue division in the chain, demonstrating that the ones making the highest revenue per fake follower sold are not the malware authors, but rather those at the end of the chain.

Olivier Bilodeau
Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, he enjoys attracting malware in honeypots, writing tools for malware research, reverse-engineering all-the-things and vulnerability research. A passionate communicator, Olivier has spoken at several conferences like BlackHat Europe, DEF CON, Botconf, SecTor, Derbycon, HackFest and many more. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on applied information security, and NorthSec, Montreal's community conference and Capture-The-Flag.

Twitter: @obilodeau
Website: https://gosecure.net/blog/

Masarah Paquet-Clouston
Masarah Paquet-Clouston is a security researcher at GoSecure, a PhD student at Simon Fraser University in criminology and one of Canada’s decorated 150 scientific innovators. With her background in economics and criminology, she specializes in the study of markets behind illicit online activities. She published in several peer-reviewed journals, such as Social Networks, Global Crime and the International Journal for the Study of Drug Policy, and presented at various international conferences including Virus Bulletin, Black Hat Europe, Botconf and the American Society of Criminology.

Twitter: @masarahclouston
Website: https://gosecure.net/blog/


.NET Malware Threats: Internals And Reversing

Saturday at 15:00 in Track 4
45 minutes

Alexandre Borges Security Researcher at Blackstorm Security

.NET malware is well-known to security analysts, but even though many tools such as dnSpy, .NET Reflector, de4dot and so on exist to make the analysis easier, most professionals have used them as black box tools, without concern for .NET internals, structures, MSIL coding and details. In critical cases, it is necessary to have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg.

Unfortunately, .NET malware samples have become very challenging because it is so complicated to deobfuscate associated resources, as well as to unpack and dump them from memory. Furthermore, most GUI debugging tools do not give an inside view of mechanisms such as the CLR Loader, the Managed Heap, synchronization issues and Garbage Collection.

On the other hand, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows one to see code injections using MSIL, and attempts to compromise the .NET Runtime keep being a real concern.

The purpose of this presentation is to help professionals to understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and a few reversing techniques.

Alexandre Borges
Alexandre Borges is a Security Researcher, who has been working daily on Reverse Engineering and Digital Forensic Analysis for many years. He has taught training courses about Malware and Memory Analysis, Digital Forensics Analysis and Mobile Forensics around the world. Furthermore, Alexandre is the creator and maintainer of the Malwoverview triage tool: https://github.com/alexandreborges/malwoverview.

Alexandre has spoken in several conferences such as DEF CON USA (2018), DEF CON CHINA (2019), CONFidence Conference 2019, HITB 2019 Amsterdam, H2HC Conference (2015/2016), BSIDES Sao Paulo (2019/2018/2017/2016) and BHACK Conference (2018).

Finally, he is a referee of Digital Investigation: The International Journal of Digital Forensics & Incident Response (https://www.journals.elsevier.com/digital-investigation/editorial-board).

Twitter: @ale_sp_brazil
LinkedIn: http://www.linkedin.com/in/aleborges
Website: http://www.blackstormsecurity.com/bs/en/en_articles.html, Tool: https://github.com/alexandreborges/malwoverview


The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to Do If ROP Is Too Easy

Friday at 16:00 in Track 4
20 minutes | Demo, Tool

Dr. Bramwell Brizendine Assistant Professor of Computer and Cyber Sciences, Dakota State University

Dr. Joshua Stroschein Assistant Professor of Cyber Security/Network & Security Administration, Dakota State University

Return-oriented Programming (ROP) has been the predominant code-reuse attack for over a decade, but there are other options. Many mitigations can detect ROP due to heuristics, but these fail to detect Jump-oriented Programming (JOP). The JOP ROCKET is a reverse engineering framework dedicated to facilitating JOP exploits. It allows hackers to discover JOP gadgets. This includes dispatcher gadgets, which help to subvert and direct the control flow, and functional gadgets, our primitives. This tool provides numerous options to give hackers flexibility in how to find gadgets, to narrow and expand possibilities. Additionally, the tool uses opcode-splitting to discover many unintended gadgets. All gadgets are classified based on operation as well as registers used and affected. Thus, hackers can easily obtain the desired functional gadgets, such as MOV EBX, [VALUE], using simple language commands. Because of JOP's much more complex set up, the tool provides this classification, so time isn't wasted hunting through results.

JOP is rarely done in the wild. Part of that complexity is in set up, but another part is the lack of dedicated tools. Having to find JOP gadgets manually could be time-consuming and require expertise. JOP ROCKET simplifies that, allowing the JOP gadgets to be found quickly and easily.

This talk will give brief content on ROP, and then it introduces JOP and its history. Then we will dive into JOP ROCKET, discussing its features, how to use it to find JOP gadgets, and how to set up your own JOP exploit. We will then demo the tool.

Dr. Bramwell Brizendine
Dr. Bramwell Brizendine graduated with a Ph.D. in Cyber Operations in May, 2019. He holds master's degrees in Computer Science and Information Assurance. Bramwell is a professor at Dakota State University where he teaches topics such as reverse engineering, software exploitation, and malware analysis. Bramwell is the creator of the JOP ROCKET, or the Jump-oriented Programming Reversing Open Cyber Knowledge Expert Tool. Bramwell has been interested in code-reuse attacks for several years. Bramwell was overcome by the urge to present a tool that made JOP more practical and useful for hackers who may wish to attempt using this more arcane class of code-reuse attacks. The JOP ROCKET is a by-product of his doctoral dissertation.

Dr. Joshua Stroschein
Dr. Josh Stroschein is a professor at Dakota State University, where he teaches undergraduate and graduate courses in cyber security with a focus on malware analysis, reverse engineering and software exploitation. His research interests include malware analysis and software exploitation. Outside of DSU, you can find Josh providing training at such venues as DerbyCon, Hack-In-The-Box and ToorCon.

Website: https://0xevilc0de.com


How Deep Learning Is Revolutionizing Side-Channel Cryptanalysis

Friday at 14:00 in Track 3
45 minutes | Demo, Tool

Elie Bursztein Google

Jean Michel Picod Google

This talk explores how AI is revolutionizing hardware side-channel attacks and what this new wave of attacks means for the future of hardware cryptography. Based on the lessons learned while successfully attacking many hardware AES implementations using deep learning, this talk discusses why those attacks are fundamentally more efficient and details how to conduct them in practice.

Elie Bursztein
Elie Bursztein leads Google's security & anti-abuse research team. He has authored over fifty research papers in the field, for which he was awarded 6 best paper awards and multiple industry distinctions including the Black Hat pwnie award. Born in Paris, he received a Ph.D from ENS-cachan in 2008 before working at Stanford University and ultimately joining Google in 2011.

Twitter: @elie
Website: https://elie.net

Jean Michel Picod
Jean-Michel Picod is currently working at Google Switzerland. He holds an engineering degree in computer systems, networks and security. He has contributed to several open source projects (GoodFET, pynids, etc.) and published several open source tools such as DPAPIck, OWADE, scapy-radio, and forensic scripts.

Twitter: @jmichel_p
Website: https://www.j-michel.org/


SDR Against Smart TVs: URL and Channel Injection Attacks

Sunday at 11:00 in Track 2
45 minutes | Demo, Tool

Pedro Cabrera Camara Founder, Ethon Shield

Software-defined-radio has revolutionized the state of the art in IoT security and especially one of the most widespread devices: Smart TV. This presentation will show in detail the HbbTV platform of Smart TV, to understand and demonstrate two attacks on these televisions using low cost SDR devices: TV channel and HbbTV server impersonation (channel and URL injection). This last attack will allow more sophisticated remote attacks: social engineering, keylogging, crypto-mining, and browser vulnerability assessment.

Pedro Cabrera Camara
An Industrial and Electronics Engineer, Pedro is an enthusiast of Software Defined Radio and UAVs who has worked for 12 years in the main Spanish telecommunications operators, conducting security audits and pentesting in mobile and fixed networks. In addition to working with telecommunications operators, Pedro leads open source projects such as intrusion detection systems for GSM, UMTS and LTE networks, which has led him to study the various fake station attacks and existing solutions. In recent years he has participated in security events in the United States (RSA, CyberSpectrum, DEF CON DemoLabs), Asia (BlackHat Trainings) and Europe (Rootedcon, Euskalhack, AlligatorCON).

Twitter: @PcabreraCamara
Website: http://www.fakebts.com


Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming

Saturday at 12:00 in Track 2
45 minutes | Demo, Tool

Damien Cauquil (virtualabs) Senior Security Researcher @ Econocom Digital.Security

Bluetooth Low Energy version 5 was published in late 2016, but we still have no sniffer supporting this specific version (and not that many compatible devices either). The problem is that this new version introduces a new channel hopping algorithm that renders previous sniffing tools useless, as devices can no longer be attacked and connections analyzed. This new algorithm is based on a brand new pseudo-random number generator (PRNG) to provide better collision avoidance while kicking out all of our good old sniffing tools.

Unless some random hacker manages to break this not-that-strong PRNG and upgrades his BLE sniffing tool to support this algorithm ;). In this talk, we will explain why this PRNG is vulnerable and how it can be easily defeated to sniff and jam communications between two BLE 5 devices. A new version of BtleJack will be released during this talk, providing an efficient way to sniff BLE 5 connections to our fellow IoT hacker family.

Damien Cauquil (virtualabs)
Damien is a senior security researcher who joined Digital Security in 2015 as the head of research and development. He discovered how wireless protocols can be fun to hack and quickly developed BtleJuice, one of the first Bluetooth Low Energy MitM frameworks, and BtleJack, a BLE swiss-army knife released in 2018.

Damien has presented at various security conferences including DEF CON, Hack In Paris, Chaos Communication Camp, Chaos Communication Congress, BruCon, Hack.lu, and a dozen times at Nuit du Hack, one of the oldest French hacking conferences.

Twitter: @virtualabs


Malproxying: Leave Your Malware at Home

Sunday at 12:00 in Track 2
45 minutes | Demo, Tool

Hila Cohen Security Researcher, XM Cyber

Amit Waisel Senior Technical Leader, XM Cyber

During a classic cyber attack, one of the major offensive goals is to execute code remotely on valuable machines. The purpose of that code varies on the spectrum from information extraction to physical damage. As defenders, our goal is to detect and eliminate any malicious code activity, while hackers continuously find ways to bypass the most advanced detection mechanisms. It's an endless cat-and-mouse game where new mitigations and features are continuously added to endpoint protection solutions and even the OS itself in order to protect users against newly discovered attack techniques. In this talk, we present a new approach for malicious code to bypass most endpoint protection measures. Our approach covertly proxies the malicious code operations over the network, never deploying the actual malicious code on the victim side. We are going to execute code on an endpoint, without really storing the code on disk or loading it into memory. This technique potentially allows attackers to run malicious code on remote victims, in such a way that the code is undetected by the victim's security solutions. We denote this technique as "malproxying".

Hila Cohen
Hila Cohen is a passionate Security Researcher at XM Cyber, where she investigates new attack techniques and develops detection and mitigation capabilities. Hila has a vast knowledge in the fields of malware analysis, reverse engineering and incident response.

Amit Waisel
Amit Waisel is a Senior Technical Leader at XM Cyber. He is a seasoned data security expert with vast experience in cyber offensive projects. Prior to XM Cyber, Amit filled multiple data security positions in the Israeli intelligence community. Amit is well experienced with malware detection and analysis techniques, operating system internals and security-oriented software development. He graduated with honors from Tel Aviv University with an MSc in Computer Science.


Contests Awards Ceremony

Sunday at 14:00 in Track 4
90 minutes

Contests & Events Goons

You've seen the Contests, you've played in a Contest, you've won a Contest and may have lost a Contest! Whatever the outcome was, come join us as we celebrate the winners and contestants of our DEF CON 27 Contests! DEF CON 27 Contests and Events Closing Ceremonies will be August 11th at 14:00 in Track 4. Black Badge winning Contests will still be honored at the main DEF CON 27 Closing Ceremonies on August 11th at 16:00 in the Paris Ballroom!

Closing Ceremonies

Sunday at 16:00 in Paris Ballroom
120 minutes

The Dark Tangent & Goons

DEF CON 27 draws to a close. Prizes awarded, Black Badge winners announced, thanks given, future plans revealed.

How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the Black Market

Saturday at 12:00 in Track 1
45 minutes

Joseph Cox Senior Staff Writer, Motherboard

Major US telecommunications companies AT&T, T-Mobile, and Sprint have been quietly selling access to their customers’ real-time location data, including cell tower information as well as highly precise GPS data. Through a complex network of dodgy data aggregators and middlemen companies, this data access eventually trickled down to a slew of different industries: used car salesmen, landlords, and hundreds of bounty hunters, likely without your knowledge or informed consent. In this talk, based on leaked documents, sources, and first-hand experience, Joseph will explain how this data industry works, the players involved, and also how the data access is available on the black market, where it can be used in any way an attacker fancies: Joseph paid a source $300 to successfully locate a phone in New York.

Joseph Cox
Joseph is an investigative reporter for Motherboard, the science and technology section of VICE. He covers cybersecurity, the digital underground, and social media platforms.

Twitter: @josephfcox

Practical Key Search Attacks Against Modern Symmetric Ciphers

Friday at 14:00 in Track 4
45 minutes | Demo

Daniel "ufurnace" Crowley Research Baron, X-Force Red

Daniel Pagan Student, Georgia Tech

In theory, brute force key recovery attacks against modern ciphers like AES should be impractical with the current state of computer hardware. It's often said that recovering an AES key should take longer than the remainder of the life of the sun. However, this assumes that keys are chosen properly, and that there is no way to determine whether a key is the correct one after a candidate key is used to decrypt a captured ciphertext.

In practice, these conditions do not always hold. In much the same way that hash functions are impossible to reverse but hash cracking is still a practical attack, in the real world it is often possible to perform practical key search attacks. In this talk, we will discuss the common mistakes and common conditions that allow for practical brute force recovery of keys for modern block ciphers such as AES. We will also discuss optimizations to speed up key search efforts, and present our FOSS tool, which implements our approach.

Daniel "ufurnace" Crowley
Daniel Crowley is the head of research and a penetration tester for X-Force Red. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. Daniel enjoys climbing large rocks and is TIME magazine's 2006 person of the year. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie and brews his own beer. Daniel's work has been included in books and college courses. Daniel also holds the noble title of Baron in the micronation of Sealand.

Daniel Pagan
Daniel Pagan is a student at Georgia Tech, a DEF CON TV goon, and a Lord in the micronation of Sealand.

I Know What You Did Last Summer: 3 Years of Wireless Monitoring at DEF CON

Friday at 16:00 in Track 2
20 minutes | Demo, Tool

d4rkm4tter (Mike Spicer) Hacker

For the past 3 years d4rkm4tter has been obsessed with monitoring the wireless networks at DEF CON. This talk will take you on a journey through the successes and failures that led to the creation of the WiFiCactus and the over 1 TB of data captured. A history of each capture project, including a summary of the most interesting pieces of data, will be shown.

Many people spread a lot of fear, uncertainty and doubt about the wireless environments during DEF CON. This presentation aims to bring some clarity to what is really happening in the airwaves during one of the largest hacker conferences in the world. This will include presenting data on the attacks and sensitive information that exists in the airwaves. This presentation will demonstrate the risks of using wireless networks and information leaks that can be captured by anyone who is passively listening. Countermeasures and protection strategies will be provided to help you avoid having your data captured by those who might be listening.

With the number of connected devices around us, there has never been a better time to start wardriving or warwalking. Everyone is capable of profiling wireless data around them thanks to cheap hardware and open source tools. As hackers it is important for us to discover issues and vulnerabilities while validating claims of security by software and hardware vendors. Monitoring wireless communication is a great way to start validating those claims. All of the hardware and methods used will be provided so that anyone can do this type of monitoring on their own. Hack the Planet!

d4rkm4tter (Mike Spicer)
d4rkm4tter is a mad scientist hacker who likes to meddle with hardware and software. He is particularly obsessed with wireless. He has a degree in computer science from Southern Utah University which he has put to use building and breaking a wide array of systems. These include web application pentesting, wireless monitoring and tracking as well as good old fashioned reverse engineering. He is the creator of the #WiFiCactus and has been seen presenting Demolabs at DEF CON and DEF CON China Beta. He is a Kismet cultist and active in the wireless and wardriving communities.

Twitter: @d4rkm4tter
Website: palshack.org

D0 N0 H4RM: A Healthcare Security Conversation

Friday at 20:00 in Firesides Lounge
120 minutes

Christian “quaddi” Dameff Medical Director of Security at The University of California San Diego

Jeff “r3plicant” Tully MD Anesthesiologist at The University of California Davis

Suzanne Schwartz MD Associate Director for Science and Strategic Partnerships at the US Food and Drug Administration FDA

Marie Moe PhD Researcher and Hacker

Billy Rios Founder of Whitescope

Jay Radcliffe Security Researcher at Thermo Fisher Scientific

Technology’s promise flows within medicine like blood through veins. With every drip of life-saving medicine given to the smallest babies, with every paced beat of a broken heart, connected tech has changed the way we treat patients and offers near limitless potential to improve our health and wellness. But it’s taken an army of dedicated protectors to ensure that such promise isn’t outweighed by peril, and hackers are fighting on the front lines to safeguard medical devices and infrastructure so they remain worthy of our trust. Join docs quaddi and r3plicant as they once again curate a selection of medicine’s finest hackers and allies for D0 N0 H4RM, the uniquely DEF CON conversation between the unsung heroes in the healthcare space: security researchers and advocates working to protect patients one broken med device at a time. Spun from an off-con hotel room gathering between friends into progressively in-demand talks at DC 25 and 26, we’ve returned to bring you insight and inspiration, divorced from the spin and formality of an increasingly industry-saturated landscape, from the people whose primary goal is to kick ass and save lives.

Christian “quaddi” Dameff
Christian (quaddi) Dameff MD is an emergency medicine doctor, former open capture the flag champion, prior DEF CON/RSA/Blackhat/HIMSS speaker, and security researcher. He is currently the Medical Director of Cybersecurity at The University of California San Diego. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Published security research topics include hacking critical healthcare infrastructure, medical devices and the effects of malware on patient care. This is his fifteenth DEF CON.

Twitter: @CdameffMD

Jeff “r3plicant” Tully MD
Jeff (r3plicant) Tully is an anesthesiologist, pediatrician and security researcher with an interest in understanding the ever-growing intersections between healthcare and technology.

Twitter: @JeffTullyMD

Suzanne Schwartz MD
Dr. Suzanne Schwartz’s programmatic efforts in medical device cybersecurity extend beyond incident response to include raising awareness, educating, outreach, partnering and coalition-building within the Healthcare and Public Health Sector (HPH) as well as fostering collaborations across other government agencies and the private sector. Suzanne has been recognized for Excellence in Innovation at FDA’s Women’s History Month on March 1st 2018 for her work in Medical Device Cybersecurity. Suzanne chairs CDRH’s Cybersecurity Working Group, tasked with formulating FDA’s medical device cybersecurity policy. She also co-chairs the Government Coordinating Council (GCC) for the HPH Critical Infrastructure Sector, focusing on the sector’s healthcare cybersecurity initiatives.

Marie Moe PhD
Dr. Marie Moe cares about public safety and securing systems that may impact human lives; this is why she joined the grassroots organisation “I Am The Cavalry". Marie is a Research Manager at SINTEF, the largest independent research organisation in Scandinavia, and has a PhD in information security. She is also an Associate Professor at the Norwegian University of Science and Technology. She has experience as a team leader at NorCERT, where she did incident handling of cyberattacks against Norway’s critical infrastructure. She is currently doing research on the security of her own personal critical infrastructure, an implanted pacemaker that is generating every single beat of her heart. Marie loves to break crypto protocols, but gets angry when the broken crypto is in her own body.

Twitter: @MarieGMoe

Billy Rios
Billy is the founder of Whitescope LLC, a startup focused on embedded device security. Billy is recognized as one of the world’s most respected experts on emerging threats related to Industrial Control Systems (ICS), Critical Infrastructure (CI), and medical devices. He discovered thousands of security vulnerabilities in hardware and software supporting ICS and critical infrastructure. Billy provided the research that led to the FDA’s first cybersecurity safety advisory and research which helped spur the FDA’s pre-market cybersecurity guidance. Billy is a contributing author to Hacking: The Next Generation, The Virtual Battlefield, and Inside Cyber Warfare. He currently holds a Master of Science in Information Systems, an MBA, and a Masters of Military Operational Arts and Science.

Twitter: @XSSniper

Jay Radcliffe
Jay Radcliffe (CISSP) has been working in the computer security field for over 20 years. Coming from the managed security services industry as well as the security consultation field, Jay has helped organizations of every size and vertical secure their networks and data. Jay presented ground-breaking research on security vulnerabilities in multiple medical devices and was featured on national television as an expert on medical device cybersecurity. As a Type I diabetic, Jay brings a lifetime of being a patient to helping medical facilities secure their critical data without compromising patient care. Not only is Jay a prolific public speaker, but he also works with legal firms on expert witness consultation related to IoT and cybersecurity issues. Jay holds a Master's degree in Information Security Engineering from SANS Technology Institute, as well as a Bachelor's degree in Criminal Justice/Pre-Law from Wayne State University. SC Magazine named him one of the Top Influential IT Security Thinkers in 2013.

Twitter: @JRadcliffe02

DEF CON 101 Panel

Thursday at 15:00 in DC101, Paris Theatre
105 minutes

Highwiz

Nikita

Will

n00bz

Shaggy

SecBarbie

Tottenkoph

The DEF CON 101 Panel is the place to go to learn about the many facets of DEF CON and to begin your DEF CONian Adventure. The idea is to help attendees get the best experience out of DEF CON (and also tell them how to survive the weekend!). It is a way for people who have participated in making DEF CON what it is today to share those experiences and, hopefully, inspire attendees to expand their horizons. DEF CON offers so much more than just talks and the DEF CON 101 panel is the perfect place to learn about all things DEF CON so you, dear reader, can get the best experience possible. The panel will end with the time honored tradition of "Name the n00b" where lucky attendees will be brought up on stage to introduce themselves to you and earn the coveted 101 n00b handle. Don't worry if you don't make it on to the stage, you can stick around for the n00b party after the panel and get your handle then!

Highwiz
HighWiz is born of glitter and moon beams and he has all the right moves. He is the things that sweet dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people*, he set about to create an event that would give the n00bs of DEF CON a place to feel welcomed and further their own pursuit of knowledge. For years he has held onto the simple tenet that "You get out of DEF CON what you put into it". HighWiz is the fabled Man on the Mountain whom people seek to gain a taste of his forbidden knowledge. He is a rare sighting at DEF CON only to be glimpsed by those lucky few. HighWiz is a member of the DEF CON CFP Review Board and Security Tribe.

*Some (but not all) of the people HighWiz would like to thank for helping to make 101 into what it is today : Runnerup, Wiseacre, Nikita, Roamer, Shaggy, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Sethalump, AlxRogan, Jenn, Zant, MalwareUnicorn, Clutch, TheDarkTangent, Siviak, Tuna, Ripshy, Valkyrie, Suggy, Flipper and all the members of Security Tribe. Shout outs to Security Tribe, GH, QC and The LonelyHackersClub

Twitter: @HighWiz

Nikita
DEF CON, Director of Content & Coordination. Wife & Mom. Chicken Soup repairwoman. SecurityTribe. ☠🦄🌈🤓 Into: hacks 💡 snacks 🌮 shellacs 💅🏻

Twitter: @Niki7a

Will
Will was summoned to life through the trials of fire, fueled by the alcohol and excitement of DEF CON 25. He arose from those ashes of his former life into a malware making, maple syrup drinking n00b with a new attitude on life and lots of fury to share. On a path of creation and destruction, Will is on a relentless quest to conquer anyone that doubts him and maybe one day leave a mark that is just nearly as bright as the Phoenix itself.

n00bz
(or his n00bzness or el n00berino if you’re not into the whole brevity thing) pays the bills by working for a Silicon Valley company protecting the F500 doing Compliance and IT Security Globally by way of Wall Street and D&T. He grew up tying up phone lines across South Florida with his Bosun whistle. His love for all things wireless is due to his love of software defined radio and hatred of getting up to change the TV channel when the remote was lost. He has spoken at DEF CON, HackMiami (%27), DerbyCon and when advised of his right to remain silent, plead the fif!

Shaggy
Shaggy is a penetration tester by day and a renaissance man at night. He enjoys mastering new things and breaking anything put in front of him. When he is not messing around with technology he is making things with wood, performing card tricks, and seducing the masses with his warm, gentle voice.

SecBarbie
Known on the dark web as “l'initiateur du parti” and “не стоит недооценивать ее”, Erin Jacobs (best known as @SecBarbie) has been attending DEF CON for over 15 years. Erin is a member of the DEF CON CFP Review Board, has DJed both DEF CON and DEF CON China, is an organizer of DC 312, and a past DEF CON speaker. Outside of DEF CON, she’s a Founding Partner at Urbane Security, an avid traveler, and a fan of great Champagne, wine, and dining. You can find more about her under @SecBarbie, or, if you’re up for the challenge, dunes hinder sniff huddle auburn meeting arsenic wizard dizzy lipstick spying enmity highway muppet woven woken puffin atlas python iris sprig mouth yellow hexagon hexagon ;)

Tottenkoph
Tottenkoph has been going to DEF CON for over 10 years and has spent the past several cons volunteering as the Workshop department lead as well as serving on the Workshop Review Board. Tottie has spoken on things from security flaws in digital billboards to drunken insights on what random episodes of Babylon 5 *really* meant. She thinks the perfect date is April 25th, overuses exclamation points in text-based comms, and is excited to have a chance to meet/speak with more new attendees!

Panel: DEF CON Groups

Friday at 22:15 in Firesides Lounge
45 minutes

Brent White / B1TK1LL3R Global Coordinator

Jayson E. Street Ambassador

Darington Web Master

April Wright Welcoming Committee & Liaison

Tim Roberts (byt3boy) Volunteer

Casey Bourbonnais Volunteer

s0ups Social media

Do you love DEF CON? Do you hate having to wait for it all year? Well, thanks to DEF CON Groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us! In this fireside chat, the DEF CON Groups team that works behind the scenes to make DCG possible will invite group leaders to share how they started their groups, how they found meeting space, how they decide what content to present at each meeting, and other topics. Potential new group leaders can find out how to start and run a local group, and existing group leaders and members can share and get operational ideas for running the best group possible. During the fireside chat, we'll keep it an open forum for questions and ideas, as well as a great opportunity to meet other groups.

Brent White / B1TK1LL3R

Twitter: @brentwdesign

Jayson E. Street

Twitter: @jaysonstreet

Darington

Twitter: @darington

April Wright

Twitter: @aprilwright

Tim Roberts (byt3boy)

Twitter: @ZanshinH4x

Casey Bourbonnais

Twitter: @Bourbonnais_c

s0ups

Twitter: @ynots0ups

Are Your Child's Records at Risk? The Current State of School Infosec

Friday at 14:00 in Track 2
45 minutes

Bill Demirkapi Independent Security Researcher

From credit reporting agencies to hotel enterprises, major data breaches happen daily. However, when was the last time we considered the data security of children and middle-level education students? The infosec community spends so much time thinking about enterprise security and user privacy, but who looks after those who can't defend themselves? Unknown to most, there are only a handful of major educational software providers—and flaws in any of them can lead to massive holes which expose the confidential information of our rising generation, this speaker included. Additionally, while many dismiss educational data as “just containing grades”, the reality is that these systems store extremely sensitive information, from religious beliefs and health and vaccine-related data to information about parental abuse and drug use in the family.

This talk will cover never-before-seen research into the handful of prominent educational software companies, the vulnerabilities that were found, the thousands of schools and millions of students affected, and the personal fallout of such research. Vulnerabilities discussed will range from blind SQL injection to leaked credentials for the entire kingdom. If a high school student can compromise the data of over 5 million students and teachers, what can an APT do?

Bill Demirkapi
Bill is a 17-year-old high school student with an intense passion for the information security field. Bill's interests include game hacking, reverse engineering malware, and breaking things. Next year, Bill will be attending the Rochester Institute of Technology where he hopes to grow his career and knowledge in the enormous field of Cybersecurity. In his pursuit to make the world a better place, Bill constantly looks for the next big vulnerability following the motto "break anything and everything".

Twitter: https://twitter.com/BillDemirkapi
Blog: https://d4stiny.github.io

Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime

Friday at 11:00 in Track 4
45 minutes | Demo, Exploit

Jeff Dileo Research Director, NCC Group

eBPF (or "extended" Berkeley Packet Filter) is a bytecode instruction set and virtual machine used as a safe computing environment within the Linux kernel to perform arbitrary programmatic actions. It is a redesign of Linux's original in-kernel BPF bytecode VM used to power features like tcpdump filters. eBPF has an entirely different set of capabilities and instructions, with its primary goal being to serve as a JIT-able virtual machine instruction set that can be targeted by compilers of a memory-safe "restricted C" language. In the Linux kernel, it is actively being applied to anything and everything to provide performant programmatic capabilities to userland that extend traditionally kernel-based functionality.

In this exploit development focused talk, we will first introduce eBPF and discuss several nefarious techniques enabled by the technology. As we do so, we will cover the respective sets of APIs, file descriptor types, and other eBPF machinery that enable such techniques, building up from various forms of hidden IPC channels to full-fledged rootkits. Within this talk, we will walk through the implementations of the techniques we discuss so that attendees will walk away with the knowledge of how to implement their own variants. Along the way we will discuss novel container breakout techniques and interesting "dual-purpose" eBPF features that enable the development of mutative syscall hooks that work for processes already attached by a debugger. Finally, we will provide insight on how defenders should begin to attempt to detect and recover from such abuses, when possible at all.

This presentation significantly extends work we first presented at 35C3, which focused more heavily on the underlying aspects of general eBPF-based kernel tracing. In contrast, this talk will demo new techniques and include substantially improved versions of techniques presented previously as proofs-of-concept.

Jeff Dileo
Jeff Dileo (chaosdata) is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He likes candy and arguing about text editors and window managers he doesn't actually use.

Twitter: @chaosdatumz

The Tor Censorship Arms Race: The Next Chapter

Friday at 11:00 in Track 2
45 minutes | Tool

Roger Dingledine The Tor Project

Tor is a free-software anonymizing network that helps people around the world use the Internet in safety. But who cares how good Tor's privacy is, if your government prevents you from reaching the Tor network?

In the beginning, some countries filtered torproject.org by DNS (so we made website mirrors and an email autoresponder for downloading Tor), and then some countries blocked Tor relays by IP address (so we developed bridges, which are essentially unlisted relays), and then some countries blocked Tor traffic by Deep Packet Inspection (so we developed pluggable transports to transform Tor flows into benign-looking traffic).

Then things got weird, with China's nationwide active probing infrastructure to enumerate bridges, with Amazon rolling over to Russia's threats when Telegram used "domain fronting" to get around blocking, with Turkey blocking Tor traffic by DPI in more subtle ways, with Venezuela and Ethiopia and Iran trying new tricks, and more.

In this talk I'll get you up to speed on all the ways governments have tried to block Tor, walk through our upcoming steps to stay ahead of the arms race, and give you some new—easier—ways that let you help censored users reach the internet safely.

Roger Dingledine
Roger Dingledine is president and co-founder of the Tor Project, a nonprofit that develops free and open source software to protect people from tracking, censorship, and surveillance online.

Wearing one hat, Roger works with journalists and activists on many continents to help them understand and defend against the threats they face. Wearing another, he is a lead researcher in the online anonymity field, coordinating and mentoring academic researchers working on Tor-related topics. Since 2002 he has helped organize the yearly international Privacy Enhancing Technologies Symposium (PETS).

Among his achievements, Roger was chosen by the MIT Technology Review as one of its top 35 innovators under 35, he co-authored the Tor design paper that won the Usenix Security "Test of Time" award, and he has been recognized by Foreign Policy magazine as one of its top 100 global thinkers.

Twitter: @RogerDingledine

Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks

Sunday at 14:00 in Track 2
45 minutes | Demo, Tool

Brad Dixon Security Consultant, Carve Systems

Athletes are competing in virtual cycling by riding real bikes on stationary trainers which power the in-game athletic performance. Riders train and compete online against each other. New racing teams are even competing in Union Cycliste Internationale (UCI) sanctioned events. Better at hacking than riding? Me, too. I’ll expand on the dubious achievements of prior cycling cheaters by showing how to use the open source USBQ toolkit to inspect and modify USB communications between the Zwift application and the wireless sensors that monitor and control the stationary trainer. USBQ is a Python module and application that uses standard hardware, such as the Beaglebone Black, to inspect and modify communications between USB devices and the host. You’ll ride away with a lesson on building your own customized USB man-in-the-middle hacking tool, too.

Brad Dixon
Brad once told his parents that if they gave him a Commodore 64 it would be the last computer he’d ever want. He never got that Commodore 64. Nevertheless Brad managed to become a computer nerd at a young age. Brad studied Computer Engineering at Georgia Tech and jumped into embedded software engineering. He worked for many years helping developers to design embedded Linux into telecom, network, and mobile products. Brad also took a turn as a product manager for embedded development tools and a mobile location analytics product. At Carve he hacks IoT, embedded, and Linux systems.

Github: https://github.com/rbdixon

State of DNS Rebinding - Attack & Prevention Techniques and the Singularity of Origin

Saturday at 15:00 in Track 3
45 minutes | Demo, Tool

Gerald Doussot Principal Security Consultant, NCC Group

Roger Meyer Principal Security Consultant, NCC Group

Do you want to know how you can exploit DNS rebinding 10x faster, bypass prevention mechanisms, interactively browse the victim's internal network, and automate the whole process during your next red team exercise?

This talk will teach you how and give you an easy-to-use tool to do it.

First, we will cover in detail the subtleties that make DNS rebinding attacks more effective in practice, including techniques and operational conditions that make it faster and more reliable. We'll also explain how to bypass commonly recommended security controls, dispelling attack and defense misconceptions that have been disseminated in blogs and social media posts.

This talk will include a number of demos using Singularity, our open source DNS rebinding attack framework that includes all the parts you need to get started pwning today, including:

  • Remote code execution and exfiltration payloads for common dev tools and software
  • Practical scanning and automation techniques to maximize the chance of controlling targeted services

We'll also show an interesting post-exploitation technique that allows you to browse a victim browser network environment via the attacker's browser without the use of HTTP proxies.

You'll leave this talk with the knowledge and tools to immediately start finding and exploiting DNS rebinding bugs.

Gerald Doussot
Gerald Doussot is a Principal Security Consultant at NCC Group, with over 20 years' experience in information technology. Gerald has undertaken defensive and offensive security roles, including the design, implementation and management of security solutions, software development, integration and security testing.

Roger Meyer
Roger Meyer is a Principal Security Engineer at NCC Group with extensive experience in managing and leading complex engagements. Roger specializes in web application security, network penetration testing, configuration reviews, and secure software development and architecture design.

Go NULL Yourself or: How I Learned to Start Worrying While Getting Fined for Other’s Auto Infractions

Saturday at 16:30 in Track 3
20 minutes

droogie Security Consultant at IOActive

Input sanitization issues will always exist, although it’s surprising how often we still see amateur mistakes being made in everyday applications and systems used by millions. After making some observations on automatic license plate recognition (ALPR) data requested via the Freedom of Information Act (FOIA), while having reminiscent conversations about old hacker tales, it turned on the evil bit, leading to some interesting ideas. We’ll go over this adventure of poking at systems using totally valid user-controlled data that causes unexpected behavior in the real world. It’s always a strange thing when you can “exploit” unexpected attack surface due to poor specification, especially in government systems.

droogie
droogie is a security researcher, interested in offensive security and hacking of retro and modern video games alike. He makes a living as a security consultant at IOActive, which helps fund his degenerate passion for hardware hacking on old video game console hardware. He’s spoken at conferences like CCC and Ruxcon and helped bring Metal Gear Online back to life. He enjoys international travel to security conferences to kick it with awesome hackers.

Meet the EFF - Meetup Panel

Saturday at 20:00 in Firesides Lounge
120 minutes

Kurt Opsahl Deputy Executive Director And General Counsel, EFF

Camille Fischer Frank Stanton Fellow, EFF

Bennett Cyphers Staff Technologist, EFF

Nathan 'nash' Sheard Grassroots Advocacy Organizer, EFF

Shahid Buttar Panel Host and Director of Grassroots Advocacy, EFF

Join staffers at the Electronic Frontier Foundation—the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age—for a candid chat about how the law is racing to catch up with technological change.

Then meet representatives from Electronic Frontier Alliance allied community and campus organizations from across the country. These technologists and advocates are working within their communities to educate and empower their neighbors in the fight for data privacy and digital rights.

This discussion will include updates on current EFF issues such as the government's effort to undermine encryption (and add backdoors), the fight for network neutrality, discussion of our technology projects to spread encryption across the Web and emails, updates on cases and legislation affecting security research, and much more.

Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law, surveillance and technology issues that are important to you.

Kurt Opsahl
Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project, and is representing several companies who are challenging National Security Letters. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arriba Soft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

Camille Fischer
Camille Fischer is a Frank Stanton Fellow working on EFF’s free speech and government transparency projects. Camille came to EFF from D.C. where she worked in the Obama White House and in the Department of Commerce advocating for civil, human rights, and due process protections in national security and law enforcement policies. She also ran projects to increase consumer security and privacy, like the move to chip cards (sorry not sorry), and has war stories about ECPA Reform, MLATs, and encryption. Camille graduated from Georgetown University Law Center and the University of Georgia (Go Dawgs). She takes pics and bakes pies.

Bennett Cyphers
Bennett is an engineer on the Tech Projects team, where he works on Privacy Badger and HTTPS Everywhere.

Before EFF, Bennett was at Access Now and MIT, and he has a Master's of Engineering for work on privacy-preserving machine learning. He cares about privacy, transparency, data ownership, and digital equity. He wishes ad companies would kindly stop tracking everyone. Outside of work he has hobbies and likes fun.

Nathan 'nash' Sheard
As EFF's Grassroots Advocacy Organizer, nash works directly with community members and organizations to take advantage of the full range of tools provided by access to tech, while engaging in empowering action toward the maintenance of digital privacy and information security.

Shahid Buttar
Shahid leads EFF's grassroots, student, and community outreach efforts. He's a constitutional lawyer focused on the intersection of community organizing and policy reform as a lever to shift legal norms, with roots in communities across the country resisting mass surveillance. From 2009 to 2015, he led the Bill of Rights Defense Committee as Executive Director.

Outside of his work at EFF, Shahid also DJs and produces electronic music, writes poetry & prose, kicks rhymes, organizes guerilla poetry insurgencies, plays capoeira, speaks truth to power on Truthout, occasionally elucidates legal scholarship, and documents counter-cultural activism for the Burning Man Journal. He also serves on the Boards of Directors of Defending Rights and Dissent, the Center for Media Justice, and the Fund for Constitutional Government.


Rise of the Hypebots: Scripting Streetwear

Saturday at 10:00 in Track 2
45 minutes | Demo

finalphoenix Engineer & Hypebae

Buying Supreme is even harder when most of your competitors are AI. The era of bot purchasing has arrived, and more often than not, purchasing shoes, shirts, and swag requires shell scripting. We will look at how simplistic (and how complicated) purchasing bots have become, how to write them, what companies are trying to do to fight them, and why they’re failing at conquering the machines.

finalphoenix
finalphoenix is a full-stack engineer who has been working on the web since man invented fire gifs. She likes React, Node, and the Unix fortune command. She specializes in web security and optimization, and in the process, discovered the dangerous world of automation to help her shop.

Twitter: @finalphoenix


Reverse-Engineering 4g Hotspots for Fun, Bugs and Net Financial Loss

Saturday at 15:00 in Track 2
45 minutes | Demo, Tool

g richter Senior Researcher, Pen Test Partners LLP

“5G is coming” (apparently). That probably means, over the next few years, more and more people are going to be using more and more cellular-connected devices for their day-to-day TCP/IP activities.

The problem is, a lot of existing 4G modems and routers are pretty insecure. We found critical remotely-exploitable flaws in a selection of devices from a variety of vendors, without having to do too much work. Plus, there’s only a small pool of OEMs working seriously with cellular technologies, and their hardware (& software dependencies) can be found running in all sorts of places. Their old 4G, 3G and even 2G-era code is going to be running in these 5G-capable devices.

With a small sample of consumer 4G routers as examples, we’re going to talk about how malleable, frustrating, and insecure these devices are. We’ll run through a few examples of existing 4G routers, from low-end bargain-basement end-of-life-never-to-be-fixed to higher-end devices. root is a means to an end, rather than the goal.

g richter
g richter is the single-use pseudonym of a security researcher with a particular interest in embedded devices and cellular. He has done this kind of thing for money and fun for quite a while now, but before that, he also did other things that didn’t involve as many computers. At the moment he's doing this for money at Pen Test Partners.


We Hacked Twitter… And the World Lost Their Sh*t Over It!

Saturday at 22:15 in Firesides Lounge
45 minutes

Mike Godfrey Penetration Tester, INSINIA Security

Matthew Carr Penetration Tester, INSINIA Security

In December 2018 INSINIA Security was involved in one of the biggest hacking stories of the year. A number of “celebrities”, including Louis Theroux, Eamon Holmes and more, logged into their Twitter accounts just after Christmas to find a Tweet, from their account, saying:

“This account has been temporarily hijacked by INSINIA SECURITY”.

The tweet immediately directed people to our blog post, and the compromised accounts retweeted INSINIA’s Tweet, saying:

“This account is now under the control of @InsiniaSRT. Luckily, this has been H4CK3D to highlight an important vulnerability. The user of this account has NOT lost access to it, no data compromised and is NOT under attack. See how it was done…”.

What we did was simple. We used spoof texts to Tweet from these accounts. We NEVER had access to these accounts. We could never read DMs. We simply passively controlled these accounts with no opportunity of getting confidential data in return.

So what did the hacking community, journalists and commentators do?! They LOST THEIR SH*T OVER IT!

“It’s unethical” “It’s a crime” “Computer Misuse Act counts for security researchers too!” “You guys are total f*cking idiots!”

These are the types of things we’d heard from our peers. But why was the backlash so bad? In this talk, INSINIA explains why it was done, how it was done, how people reacted and how research can be released quickly and responsibly… Without always getting the warm reception you might expect!

Mike Godfrey
Mike Godfrey, Director of INSINIA Security, started life as a “hacker” before he had hit his teens, and has a professional background in Electro-technical / Electro-mechanical Engineering and almost 20 years’ experience in building and breaking computers.

Mike offers a unique perspective when it comes to varied and multi-vector attacks and is regarded as one of the UK’s most capable multi-skilled Cyber Security Specialists, gaining notoriety in the Cyber Security industry for using elements of different skills, both on hard and soft surfaces, to carry out highly technical and often highly intricate electronic attacks. One of these attacks includes hacking Costco’s high security Sentry display safe with nothing more than a magnet and a sock! This research was utilised and referenced by @Plor in his talk at DEF CON 25 – “Popping a Smart Gun”. Mike has also been lucky enough to become a DEF CON speaker in 2018, one of the proudest moments of his life!

Mike works as a Cyber Security contributor for the BBC, LBC, Channel 4 and was the Ethical Hacker who discovered the TalkTalk and O2 data breach stories.

Twitter: @MikeGHacks

Matthew Carr
Matthew's previous roles include Senior Penetration Tester and Researcher at SecureLink, Europe's largest managed security services provider, and Operational Security Specialist at Ikea, overseeing worldwide Operational Security as part of a Specialist Team.

Matthew regularly speaks at industry events and lectures on offensive security at Malmö's Technology University in Sweden.

Matthew spent over 3 years as part of an R&D team building intrusion detection software, a secure cloud platform, SIEM tools and other security software. Matthew is not only a competent red teamer but also a valuable asset to any blue team.

Matthew works as a Cyber Security contributor for the Telegraph, Talk Radio and SVT.

Twitter: @sekuryti


Exploiting Qualcomm WLAN and Modem Over The Air

Sunday at 11:00 in Track 3
45 minutes | Demo, Exploit

Xiling Gong Consultant, NCC Group

Peter Pi Senior Security Researcher of Tencent Blade Team

In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in the firmware layer, break down the isolation between WLAN and Modem and then fully control the Modem over the air.

Setting up the real-time debugger is the key. Without the debugger, it's difficult to inspect the program flow and runtime status. On the Qualcomm platform, subsystems are protected by Secure Boot and cannot be touched externally. We'll introduce the vulnerability we found in the Modem to defeat Secure Boot and elevate privilege into the Modem locally, so that we can set up a live debugger for the baseband.

The Modem and WLAN firmware are quite complex, and reverse engineering them is tough work. Thanks to the debugger, we finally figured out the system architecture, the components, the program flow, the data flow, and the attack surfaces of the WLAN firmware. We'll share these techniques in detail, along with the zero-days we found on the attack surfaces.

There are multiple mitigations on the Qualcomm baseband, including DEP, stack protection, heap cookies, system call constraints, etc. All the details of the exploitation and mitigation bypassing techniques will be given during the presentation.

Starting from Snapdragon 835, WLAN firmware is integrated into the Modem subsystem as an isolated userspace process. We'll discuss these constraints, and then leverage the weakness we found to fully exploit the Modem.

Xiling Gong
Xiling Gong is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities in products from vendors like Google and Qualcomm. He was a speaker at CanSecWest 2018.

Twitter: @Gxiling

Peter Pi
Peter Pi is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities in products from vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla. He was the #1 researcher of the Google Android VRP in 2016. He has spoken at many famous security conferences such as BlackHat, CanSecWest, HITB GSEC and Hitcon.

Twitter: @tencent_blade


MOSE: Using Configuration Management for Evil

Friday at 15:00 in Track 1
45 minutes | Demo, Tool

Jayson Grace Penetration Tester, Splunk

Configuration Management (CM) tools are used to provision systems in a uniform manner. CM servers are prime targets for exploitation because they are connected with key machines. The tools themselves are powerful from a security standpoint: they allow an attacker to run commands on any and every connected system. Unfortunately, many security professionals do not have CM experience, which prevents them from using these tools effectively. MOSE empowers the user to weaponize an organization’s CM tools without having to worry about implementation-specific details.

MOSE first creates a binary based on user input. Once transferred to the CM server and run, this binary dynamically generates code that carries out the desired malicious behavior on specified systems. This behavior can include running arbitrary system commands, creating or deleting files, and introducing backdoors. MOSE puts the generated code in the proper place so that all targeted systems will run it on their next check-in with the server, removing the need for the user to integrate it manually.

CM tools are a powerful resource, but they have a barrier to entry. MOSE aims to remove this barrier and make post exploitation more approachable by providing a tool to translate the attacker's desired task into commands executable by the CM infrastructure.

Jayson Grace
Jayson Grace is a Penetration Tester on the Product Security Team at Splunk. Previously he founded and led the Corporate Red Team at Sandia National Laboratories. He holds a BS in Computer Science from the University of New Mexico, which gave him some great knowledge and also made him fatter and added a bunch of grey hairs. He has also previously worked as a tool developer, system administrator, and DevOps engineer. Jayson is passionate about empowering engineers to create secure applications, as well as coming up with novel automation methods to break things.

Twitter: @Jayson_Grace
Website: https://techvomit.net


Behind the Scenes of the DEF CON 27 Badge

Friday at 10:00 in Track 1
45 minutes | Tool

Joe Grand (Kingpin)

Incorporating natural elements, complex fabrication techniques, and components rarely seen by the outside world, the DEF CON 27 Badge brings our community together through Technology's Promise. Join DEF CON's original electronic badge designer Joe Grand on a behind-the-scenes journey of this year's development process and the challenges, risks, and adventures he faced along the way.

Joe Grand (Kingpin)
Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, DEF CON badge designer (14, 15, 16, 17, 18, China 1, 27), teacher, advisor, runner, daddy, honorary doctor, TV host, member of legendary hacker group L0pht Heavy Industries, and the proprietor of Grand Idea Studio (grandideastudio.com).

Twitter: @joegrand
Website: http://www.grandideastudio.com


Unpacking Pkgs: A Look Inside Macos Installer Packages And Common Security Flaws

Saturday at 16:30 in Track 1
20 minutes | Demo

Andy Grant Technical Vice President, NCC Group

We are hackers, we won't do as you expect or play by your rules, and we certainly don't trust you. JAR files are really ZIPs...unzip them! So are Microsoft's DOCX, XLSX, PPTX, etc. Let's open them up! macOS applications (.app "files") are really directories you can browse?! Sweet, let's do that.

Less well known but similarly prevalent are Flat Package Mac OS X Installer (.pkg) files. These are actually XAR archives that, among other things, contain many plaintext files (including shell, Perl, and Python scripts) as cpio files compressed using gzip.

In this presentation I'll walk you through extracting the contents of these installer packages, understanding their structure, and seeing how they work while highlighting where security issues can come up. To drive the point home of what can go wrong, I'll include examples of serious security issues I've seen in the wild and show you how they can be exploited to elevate privileges and gain code/command execution.

After this talk, .pkg files will no longer be opaque blobs to you. You'll walk away knowing tools and techniques to tear them open, understand how to evaluate what they're really doing on your computer, and a methodology for finding bugs in them. As a final bonus, I'll include a subtle trick or two that can be used on red teams.

Andy Grant
Andy Grant is a Technical Vice President for NCC Group. While at NCC Group, Andy has worked on a wide-variety of security assessment and advisory projects. He has performed numerous application assessments on mobile (Android, iOS, WP7), desktop (OS X/macOS, Windows, Linux), and web platforms. He has also performed many internal and external network penetration tests and widget/third-party platform reviews. Andy has worked with small tech start-ups, small and large software development groups, and large financial institutions. Andy has a BS in Computer Science and an Advanced Computer Security Certificate from Stanford University.

Twitter: @andywgrant


Duplicating Restricted Mechanical Keys

Friday at 10:00 in Track 4
45 minutes | Exploit

Bill Graydon President and Principal, Physical Security Analytics

Robert Graydon Principal, GGR Security

Secure facilities in North America use lock systems like Medeco, Abloy, Assa and Mul-T-Lock partly to resist lock picking, but also to prevent the duplication and creation of unauthorised keys. Places such as the White House and the Canadian Parliament buildings go so far as to use a key profile exclusive to that facility to ensure that no one is able to obtain key blanks on which to make a copy. However, there are tens of thousands of unrestricted key blank profiles in existence - many match very closely to these restricted key blanks, and can be used instead of the real blanks to cut keys on. Moreover, keys are just pieces of metal - we will present numerous practical techniques to create restricted keys without authorisation, including new attacks on Medeco, Mul-T-Lock and Abloy key control systems. We will touch on all aspects of key control, including patents and interactive elements, and discuss how to defeat them and how facility managers can fight back against these attacks.

Bill Graydon
Bill Graydon is a principal at GGR Security Consultants, and is active in research in electronic surveillance and alarm systems, human psychology in a secure environment and locking systems analysis. He received a Master's in computer engineering and a certificate in forensic engineering from the University of Toronto, applying this at GGR to develop rigorous computational frameworks to model and improve security in the physical world.

Website: https://ggrsecurity.com/DEFCON

Robert Graydon
Robert is a principal at GGR Security. With a strong interest driving him forward, he is researching lock manipulation, picking, bypass, and other vulnerabilities, to discover and evaluate possible flaws or methods of attack. He has well-honed skills in lock picking, decoding and locksmithing, as well as a thorough understanding of the mechanics and function of many types of high security locks and electronic security systems and components, allowing him to effectively search for and test methods of cracking high security systems.


SELECT code_execution FROM * USING SQLite;—Gaining code execution using a malicious SQLite database

Saturday at 14:00 in Track 1
45 minutes | Demo, Tool, Exploit

Omer Gull Security Researcher at Check Point Software Technologies

Everyone knows that databases are the crown jewels from a hacker's point of view, but what if you could use a database as the hacking tool itself? We discovered that simply querying a malicious SQLite database can lead to Remote Code Execution. We used undocumented SQLite3 behavior and memory corruption vulnerabilities to take advantage of the assumption that querying a database is safe.

How? We created a rogue SQLite database that exploits the software used to open it. Exploring only a few of the possibilities this presents, we’ll pwn password stealer backends while they parse credentials files and achieve iOS persistency by replacing its Contacts database…

The landscape is endless (Hint: Did someone say Windows 10 0-day?). This is extremely terrifying since SQLite3 is now practically built in to any modern system.

In our talk we also discuss the SQLite internals and our novel approach for abusing them. We had to invent our own ROP chain technique using nothing but SQL CREATE statements. We used JOIN statements for heap spray and SELECT subqueries for x64 pointer unpacking and arithmetic. It's a new world of using the familiar Structured Query Language for exploitation primitives, laying the foundations for a generic leverage of memory corruption issues in database engines.

Omer Gull
Omer Gull is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies.

Omer has a diverse background in security research that includes web application penetration testing, RE and exploitation.

He loves Rum, Old School Hip-Hop and Memory Corruptions.

Twitter: @GullOmer


Next Generation Process Emulation with Binee

Saturday at 14:00 in Track 4
45 minutes | Demo, Tool

Kyle Gwinnup Senior Threat Researcher, Carbon Black

John Holowczak Threat Researcher

The capability to emulate x86 and other architectures has been around for some time. Malware analysts have several tools readily available in the public domain. However, most of the tools stop short of full emulation, halting or doing strange things when emulating library functions or system calls not implemented in the emulator. In this talk we introduce a new tool into the public domain, Binee, a Windows process emulator. Binee creates a nearly identical Windows process memory model inside the emulator, including all dynamically loaded libraries and other Windows process structures. Binee mimics much of the OS kernel and outputs a detailed description of all function calls with human-readable parameters through the duration of the process. We've designed Binee with two primary use cases in mind: first, data extraction at scale with a cost and speed similar to common static analysis tools, and second, malware analysts that need a custom operating system and framework without the overhead of spinning up various configurations of virtual machines. Currently Binee can run on Windows, OS X, and Linux.

Kyle Gwinnup
Kyle is a Senior Threat Researcher in Carbon Black's TAU team. He has over 10 years of experience in many areas of computer science and IT. Prior to Carbon Black, Kyle worked in finance and with the DoD in various roles ranging from network/systems administrator, software engineer, reverse engineer, penetration tester and offensive tool developer. At Carbon Black, Kyle's focus is on large scale program analysis, primarily static but moving asymptotically toward dynamic analysis.

Twitter: @switchp0rt

John Holowczak
John is a Threat Researcher on Carbon Black's Threat Analysis Unit, focusing on automation of threat detection and building out infrastructure for large scale malware analysis. Within the field of threat detection and analysis, John specializes his research in binary classification, dynamic analysis and reverse engineering.

Twitter: @skipwich


Hacking Congress: The Enemy Of My Enemy Is My Friend

Friday at 10:00 in Track 2
45 minutes

Former Rep. Jane Harman President, The Wilson Center, Former Rep. (D-CA), aka Surfer Jane

Rep. James Langevin (D-RI)

Jen Ellis Director of Public Affairs, Rapid 7

Cris Thomas Director, X-Force Red Team, IBM, aka Space Rogue

Rep. Ted Lieu (D-CA)

A SIMULATED crisis is unfolding on a national scale, based loosely on the NotPetya attack of 2017. Triggered by a yet-unknown adversary, what started as an isolated technical issue has quickly escalated into a society-wide event affecting millions of citizens, several industries, and spanning government jurisdictions. Who is in charge, how do they cooperate with others, and how do they make decisions? The Wilson Center, Hewlett Foundation and I Am The Cavalry are teaming up to bring public policymakers together with security researchers and others to discover how our nation might respond to a wide-scale “cyber crisis”. Work in tandem with sitting Members of Congress to understand what levers of power Congress wields and how Members can address policy gaps in the future.

Former Rep. Jane Harman
The Hon. Jane Harman is President of the Wilson Center, a think tank in Washington, DC. She is a former nine-term Member of Congress who served on all the major security committees and represented an aerospace and technology hub in Southern California.

Twitter: @thewilsoncenter
Website: https://www.wilsoncenter.org/person/jane-harman

Rep. James Langevin
The Hon. Jim Langevin represents Rhode Island’s 2nd Congressional district. He is Ranking Member of the Emerging Threats and Capabilities Subcommittee and a senior member of the Cybersecurity and Infrastructure Protection Subcommittee. Rep. Langevin is a member of the House Minority Whip Steny Hoyer’s Senior Whip Team, and is responsible for educating other Democratic Members on key issues.

Twitter: @jimlangevin
Website: https://langevin.house.gov/about-me/full-biography

Jen Ellis
Jen Ellis is the Vice President of Community and Public Affairs at Rapid7. She works directly with security researchers, technology providers and operators, and government entities to help them understand and address cybersecurity challenges together.

Twitter: @infosecjen
Website: https://blog.rapid7.com/author/jen-ellis/

Cris Thomas
Cris Thomas works for IBM X-Force Red, and before that worked at Guardent, Trustwave, Tenable and others. Cris created the first security research think tank L0pht Heavy Industries and the video news show The Hacker News Network.

Twitter: @spacerog
Website: https://securityintelligence.com/author/cris-thomas/

Rep. Ted Lieu
The Hon. Ted Lieu represents California’s 33rd Congressional district. Now in his third term in Congress, Rep. Lieu currently sits on the House Judiciary Committee and House Foreign Affairs Committee. He also serves as Co-Chair of the Democratic Policy and Communications Committee and has emerged as a leader in cybersecurity in Congress.

Twitter: @RepTedLieu
Website: https://lieu.house.gov/about/full-biography


Don't Red-Team AI Like a Chump

Friday at 11:00 in Track 1
45 minutes | Demo, Tool

Ariel Herbert-Voss PhD student, Harvard University

AI needs no introduction as one of the most overhyped technical fields in the last decade. The subsequent hysteria around building AI-based systems has also made them a tasty target for folks looking to cause major mischief. However, most of the popular proposed attacks specifically targeting AI systems focus on the algorithm rather than the system in which the algorithm is deployed. We’ll begin by talking about why this threat model doesn’t hold up in realistic scenarios, using facial detection and self-driving cars as primary examples. We will also learn how to more effectively red-team AI systems by considering the data processing pipeline as the primary target.

Ariel Herbert-Voss
Ariel Herbert-Voss is a PhD student at Harvard University, where she specializes in adversarial machine learning, cybersecurity, mathematical optimization, and dumb internet memes. She is an affiliate researcher at the MIT Media Lab and at the Vector Institute for Artificial Intelligence. She is a co-founder and co-organizer of the DEF CON AI Village, and loves all things to do with malicious uses and abuses of AI.

Twitter: @adversariel


I'm on your phone, listening - Attacking VoIP Configuration Interfaces

Saturday at 14:00 in Track 2
45 minutes | Demo, Tool, Exploit

Stephan Huber Fraunhofer SIT

Philipp Roskosch

If toasters talking to fridges is no joke to you, then you are aware of the big Internet of Things hype these days. While all kinds of devices get connected and hacked, one of the oldest classes of IoT devices seems to be forgotten even though it is literally everywhere - VoIP phones.

For configuration and management purposes, VoIP phones run a web application locally on the device. We found several critical bugs (reported CVEs) in the web application as well as in the webserver which enabled us to hijack the phones. Starting with simple XSS and CSRF issues, via command injections and memory corruptions right through to remote code executions, all popular vulnerability classes can be found on those devices.

We will present our findings together with the tools and strategies we used, and will enable you to do the same with your own phones and other IoT devices.

Further, we will provide helpful ARM shell code patterns, scripts and tricks which hackers can use to find bugs. We will conclude our talk by showing that automatic tools fail to discover such vulnerabilities. Therefore, manual IoT pentesting is still required.

If you think these management interfaces are not exposed to the internet, you are wrong. In a scan, we found thousands of reachable phones vulnerable to our exploits.

Stephan Huber
Bio Coming Soon

Twitter: @teamsik
Website: www.team-sik.org

Philipp Roskosch
Bio Coming Soon


Weaponizing Hypervisors to Fight and Beat Car and Medical Devices Attacks

Saturday at 10:00 in Track 1
45 minutes | Demo, Tool

Ali Islam CEO, Numen Inc.

Dan Regalado (DanuX) CTO, Numen Inc

Historically, hypervisors have existed in the cloud for efficient utilization of resources, space, and money. The isolation feature is one of the reasons hypervisors are heavily moving to other ecosystems, like automobiles, so that, for example, if an infotainment system crashes, it does not affect other sensitive ECUs like ADAS. Blackberry QNX and AGL announced the use of hypervisors in their deployments in cars.

The trend is real, but there is a big challenge! Most of the systems in cars and medical devices run on ARM, plus, protection at the hypervisor level is still limited. So, is it possible to have a framework that runs at the hypervisor level, able to monitor at the OS level and, most important, capable of identifying and killing threats coming into the monitored devices?

During this talk we will walk you through the steps needed to set up a framework running on a Xilinx ZCU102 board, able to monitor ARM-based devices and to kill malicious threats identified. We will also discuss challenges on syscall monitoring, single-stepping limitations, techniques to stay stealthy, techniques to detect and kill traditional malware seen in the enterprise like ransomware and heap exploits, capabilities on VM escape attacks, and the feasibility of detecting Spectre-like exploits.

Ali Islam
Ali Islam Khan is the Chief Executive Officer (CEO) and Co-Founder of Numen Inc. He is also an avid C programmer and has developed the core set of Numen’s Virtual Machine Introspection (VMI) capabilities. Before quitting his job to work full time on Numen, Ali was Director R&D at FireEye where he was leading the R&D efforts for FireEye’s flagship email and network products. He is the founding member of FireEye Labs where he invented & developed some of the key detection technologies used in FireEye products today. Ali has multiple patents to his name and has over 13 years’ experience in a wide range of cyber security disciplines, including cryptography, malware analysis, cyber-espionage and product development. He has successfully created and led global teams from scratch. Ali has spoken at conferences such as RSA and worked with various government agencies such as DHS, KISA on intelligence sharing efforts to counter nation-state level threats.

Khan holds an MBA from UC Berkeley and a Master’s degree in network security from Monash University, Australia. He is an AUSAID scholar and the recipient of the prestigious Golden Key Award.

Twitter: @Ali_Islam_Khan
LinkedIn: https://www.linkedin.com/in/aliislam/

Dan Regalado (DanuX)
Daniel Regalado aka DanuX is the CTO and Co-Founder of Numen Inc. He is a Mexican security researcher with more than 17 years in the scene. He has worked reversing malware and exploits at Symantec Security Response Team and FireEye Labs and lately focused on IoT threats at Zingbox. He is credited with the discovery of most of the ATM malware worldwide. He is the co-author of the famous book Gray Hat Hacking and he likes to present his discoveries at major security conferences like RECon, RSA, DEF CON IoT/Car Hacking villages, and BSIDES.

Twitter: @danuxx
LinkedIn: https://www.linkedin.com/in/daniel-regalado-200aa414/


Say Cheese - How I Ransomwared Your DSLR Camera

Sunday at 11:00 in Track 4
45 minutes | Demo, Exploit

Eyal Itkin Vulnerability Researcher at Check Point Software Technologies

It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are encrypted, and the camera is locked. How could that happen?

In this talk, we show a live demo of this exact scenario. Join us as we take a deep dive into the world of the Picture Transfer Protocol (PTP). The same protocol that allows you to control your camera from your phone or computer, can also enable any attacker to do that and more. We will describe in detail how we found multiple vulnerabilities in the protocol and how we exploited them remotely(!) to take over this embedded device.

But it doesn't end here. While digging into our camera, we found a reliable way to take over most of the DSLR cameras without exploiting any vulnerability at all. We simply had to ask our camera to do that for us, and it worked.

This is the first vulnerability research on the Picture Transfer Protocol, a vendor agnostic logical layer that is common to all modern-day cameras. As DSLR cameras are used by consumers and journalists alike, this opens up the door for future research on these sensitive embedded devices.

Eyal Itkin
Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies. Eyal has an extensive background in security research that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award from Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.

Twitter: @EyalItkin


Meticulously Modern Mobile Manipulations

Saturday at 11:00 in Track 4
45 minutes | Demo

Leon Jacobs Researcher - SensePost

Mobile app hacking peaked in 2015 with tools like keychain-dumper & ssl-kill-switch released, but requiring jailbroken/rooted devices. Back then, wresting the power to understand & modify apps on our devices from dystopian-looking mega corps was our cause. As jailbreaks became infrequent, the hackers’ arsenal was left behind. While this is progress against dark uses of hacking, done to protect our freedom fighters, how can hackers still hold power to account? Can we still find flaws in apps/devices & live up to the protections the technology promises?

Enter runtime binary instrumentation with Frida. It’s possible to analyze apps in their final state when executed on real hardware running the latest iOS/Android with no jailbreaks. This fills a gap between source analysis & debuggers. But, simply enumerating app classes requires studying multiple blogs & a deep read of the docs. We created Objection to simplify this & hide the boilerplate so hackers could focus on unravelling apps. But, many people still rely on simple hacks & automation & rarely use new advanced techniques such as reflectively inspecting live heap objects, canary execution tracing, runtime memory edits and filesystem exploration.

We’ll show hackers, malware researchers & security engineers how to use these advanced mobile hacking techniques.

Leon Jacobs
Leon has been hacking for over a decade. He’s plied his trade at SensePost for the last three having previously worked for a bank and ISP in South Africa. Leon spends most of his daytime hours hacking large networks or web and mobile applications. Leon spends most of his nighttime hours building hacking tools and techniques to contribute back to the community.

Twitter: @leonjza


Vacuum Cleaning Security—Pinky and the Brain Edition

Saturday at 16:00 in Track 4
20 minutes | Exploit

jiska TU Darmstadt, Secure Mobile Networking Lab

clou (Fabian Ullrich)

Data collected by vacuum cleaning robot sensors is highly privacy-sensitive, as it includes details and metadata about consumers’ habits, how they live, when they work or invite friends, and more. Connected vacuum robots are not as low-budget as other IoT devices and vendors indeed invest into their security. This makes vacuum cleaning robot ecosystems interesting for further analysis to understand their security mechanisms and derive takeaways.

In this talk we discuss the security of the well-protected Neato and Vorwerk ecosystems. Their robots run the proprietary QNX operating system, are locally protected with secure boot, and use various mechanisms that ensure authentication and encryption in the cloud communication. Nonetheless, we were able to bypass substantial security components and even gain unauthenticated privileged remote execution on arbitrary robots. We present how we dissected ecosystem components including a selection of vacuum robot firmwares and their cloud interactions.

jiska
Jiska has an M.Sc. in IT-Security. She has been a PhD student at the Secure Mobile Networking Lab (TU Darmstadt) since May 2014. Her main research interests are wireless physical layer security and reverse engineering. You might also know her embroidery projects or game shows from past CCC events.

Twitter: @seemoolab

clou (Fabian Ullrich)
Fabian has an M.Sc. in IT-Security. He is working as a researcher and analyst at ERNW. His main research interests are full stack IoT and web application security. In his free time, Fabian likes to capture some flags.


Your Car is My Car

Saturday at 11:00 in Track 1
45 minutes | Demo, Tool, Exploit

Jmaxxz

For many of us, our cars are one of the largest purchases we will ever make. In an always connected world it is natural that we would want to have the convenience of being able to remotely monitor our vehicles: to do everything from reminding ourselves exactly where we parked, to verifying we locked our vehicle, or even remote starting it so it will be warmed up (or cooled down) when we get in. There are a variety of vendors offering aftermarket alarm systems that provide these conveniences and offer peace of mind. But how much can we trust that the vendors of these systems are protecting access to our cars in the digital domain? In this talk, Jmaxxz will tell the story of what he found when he looked into one such system.

Jmaxxz
Jmaxxz works as a software engineer, but is a hacker by passion. He is best known for his work on the August Smart Lock (DEF CON 24 “Backdooring the Frontdoor”). In recent years IoT devices have been the focus of his work. He participated in the IoT village zero day track at DEF CON 24 and DEF CON 25. After enduring several polar vortexes, he decided it was probably time to investigate an IoT remote car starter.

Twitter: @jmaxxz
Website: jmaxxz.com


Surveillance Detection Scout - Your Lookout on Autopilot

Friday at 16:00 in Track 3
20 minutes | Demo, Tool

Truman Kain Sr. Information Security Analyst at Tevora

Surveillance detection routes are a daily occurrence for clandestine operatives and agents all over the world. These mentally taxing counter-surveillance measures often mean the difference between life and death. Surveillance Detection Scout hopes to ease that burden. Scout currently supports Tesla Models S, 3 and X, running license plate recognition on 3 camera feeds to alert you in real time if you're being followed. When you park, Scout remains vigilant, implementing familiar face detection as well. By combining timestamped vehicle location data & video, computer vision and an intuitive web interface, it becomes apparent that Scout has just as many offensive as defensive applications. Over time, SDS captures and reports on observed patterns of life, allowing you to quickly gain an overview of your surroundings (or your target) with minimal effort. Whether you're conducting or evading surveillance, Scout has got your 6.

Truman Kain
Truman Kain has a background in design and marketing, which he utilized to develop Dragnet, an intuitive, AI-powered social engineering framework released at DEF CON 26. This year, he has combined his machine learning and design experience to make Surveillance Detection Scout look and feel as OEM as possible.

Twitter: @trumankain


100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans

Friday at 15:00 in Track 3
45 minutes | Demo, Tool, Exploit

Jatin Kataria Principal Scientist, Red Balloon Security

Rick Housley Research Scientist, Red Balloon Security

Ang Cui Chief Scientist, Red Balloon Security

First commercially introduced in 2013, the Cisco Trust Anchor module (TAm) is a proprietary hardware security module that is used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the foundational root of trust that underpins all other Cisco security and trustworthy computing mechanisms in such devices. We disclose two 0-day vulnerabilities and show a remotely exploitable attack chain that reliably bypasses Cisco Trust Anchor. We present an in-depth analysis of the TAm, from both theoretical and applied perspectives. We present a series of architectural and practical flaws of TAm and describe theoretical methods of attack against such flaws. Next, we enumerate limitations in current state-of-the-art offensive capabilities that made the design of TAm seem secure.

Using Cisco 1001-X series of Trust Anchor enabled routers as a demonstrative platform, we present a detailed analysis of a current implementation of TAm, including results obtained through hardware reverse engineering, Trust Anchor FPGA bitstream analysis, and the reverse engineering of numerous Cisco trustworthy computing mechanisms that depend on TAm. Finally, we present two 0-day vulnerabilities within Cisco IOS and TAm and demonstrate a remotely exploitable attack chain that results in persistent compromise of an up-to-date Cisco router. We discuss the implementation of our TAm bypass, which involves novel methods of reliably manipulating FPGA functionality through bitstream analysis and modification while circumventing the need to perform RTL reconstruction. The use of our methods of manipulation creates numerous possibilities in the exploitation of embedded systems that use FPGAs. While this presentation focuses on the use of our FPGA manipulation techniques in the context of Cisco Trust Anchor, we briefly discuss other uses of our bitstream modification techniques.

Jatin Kataria
Jatin Kataria is the Principal Research Scientist at Red Balloon Security where he architects defensive technologies for embedded systems. Playing both the role of cat and of mouse at Red Balloon has many suggesting that he may be the first real source of perpetual energy. He tires of n-days easily and is always looking for new and exciting ELF shenanigans, caching complications, and the Fedex guy who lost his engagement ring. Prior to his time at Red Balloon Security, Jatin worked at a number of firms as a systems software developer and earned his Master of Engineering at Columbia University.

Twitter: @jatinkataria

Rick Housley
Rick Housley is a Research Scientist at Red Balloon Security and leads their advanced hardware reverse engineering efforts. He often finds himself at the end of a soldering iron hoping he has not bricked another expensive COTS product. His focus at Red Balloon includes the discovery of previously unknown vulnerabilities, novel firmware extraction techniques, and advanced physical reverse engineering using custom tooling. When not designing secure-boot defeating EMPs and interposers, he is building axe handles and baby rattles in his woodshop.

Twitter: @rickyhousley

Ang Cui
Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled ”Embedded System Security: A Software-based Approach”, focused exclusively on scientific inquiries concerning the exploitation and defense of embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received various awards for his work on reverse engineering commercial devices, is also the recipient of the Symantec Graduate Fellowship, and was selected as a DARPA Riser in 2015.


Confessions of an Nespresso Money Mule: Free Stuff & Triangulation Fraud

Saturday at 16:00 in Track 3
20 minutes

Nina Kollars Associate Professor Naval War College Strategic and Operational Research Department

Kitty Hegemon

In 2018 I somewhat innocently bought very expensive coffee (Nespresso capsules) online from eBay. What followed was a series of unexpected additional packages from the manufacturer Nespresso and a lurking suspicion that something had gone terribly--if not criminally--wrong as a result of my purchase. This talk chronicles the obnoxious amounts of obsessive research and tracking that became my new hobby--stalking Nespresso fraudsters and my decidedly non-technical attempts at developing a generic search profile and reporting the fraudsters to anyone who would listen, including: the persons whose identities had been stolen, Nespresso, eBay, and the FBI. Ultimately I just ended up with a LOT of coffee; a lingering sense that I had committed several crimes; and no faith left in humanity.

Nina Kollars
Nina Kollars is writing a book about the ways in which hackers contribute to national security. She is a political scientist whose main research is in technological adaptation by users. Kollars is Associate Professor for the Naval War College in the Strategic and Operational Research Department. She conducts research on military weapons and the humans who use them. Largely unsatisfied with sitting still, Kollars has also worked for the Library of Congress' Federal Research Division, the Department of Afro-American Studies at Harvard University, the World Bank, an anti-glare coating factory on the third shift, and volunteers for BSides. She is the former viceroy of the DC strategy group Cigars, Scotch, and Strategy. She is also a certified bourbon steward.

Twitter: @nianasavage


Process Injection Techniques - Gotta Catch Them All

Friday at 12:00 in Track 1
45 minutes | Tool

Itzik Kotler Co-Founder & CTO at SafeBreach

Amit Klein VP Security Research at SafeBreach

When it comes to process injection in Windows, there are only 6-7 fundamental techniques, right? Wrong. In this talk, we provide the most comprehensive to-date “Windows process injection” collection of techniques. We focus on Windows 10 x64, and on injections from a running 64-bit medium-integrity process to another running 64-bit medium-integrity process, without privilege elevation. We pay special attention to the new Windows protection technologies, e.g. CFG and CIG. We differentiate between memory write primitives and execution techniques, and discuss memory allocation strategies. Our collection is curated, analyzed, tabulated, with straightforward, research-grade PoCs. We tested each technique against Windows 10 x64 with and without protections, and we report on the requirements, limitations, and quirks of each technique. And of course – no decent DEF CON presentation is complete without new attacks. We describe a new memory writing primitive which is CFG-agnostic. We describe a new “stack bombing” execution method (based on the memory write primitive above) that is inherently safe (even though overwriting the stack is a priori a dangerous and destabilizing action). Finally, we release a library of all write primitives and execution methods, so users can generate “tailor-made” process injections.

Itzik Kotler
Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEF CON, Black Hat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding SafeBreach, Itzik served as CTO at Security-Art, an information security consulting firm, and before that he was SOC Team Leader at Radware (NASDAQ: RDWR).

Website: http://www.ikotler.org
Twitter: @itzikkotler

Amit Klein
Amit Klein is a world renowned information security expert, with 28 years in information security and over 30 published technical and academic papers on this topic. Amit is the VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was the CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the Year in 2010, and has presented at BlackHat USA, DEF CON, NDSS, OWASP Global (keynote), InfoCom, DSN, HITB, RSA, OWASP EU, CertConf, BlueHat, CyberTech, APWG and AusCERT (keynote).

Website: http://www.securitygalore.com/


Intro to Embedded Hacking—How you too can find a decade old bug in widely deployed devices. [REDACTED] Deskphones, a case study.

Thursday at 13:00 in DC101, Paris Theatre
45 minutes | Demo, Exploit

Philippe Laulheret Senior Security Researcher @ McAfee Advanced Threat Research

From small business to large enterprise, VoIP phones can be found on nearly every desk. But how secure are they? What if your phone was spying on every conversation you have?

This talk is an introduction to hardware hacking and as a case study I’ll use the [REDACTED] Deskphone, a device frequently deployed in corporate environments. I’ll use it to introduce the tools and methodology needed to answer these questions.

During this talk, attendees will get a close up look at the operations of a hardware hacker, including ARM disassembly, firmware extraction using binwalk, micro-soldering to patch an EEPROM and get a root shell over UART, and ultimately uncover an already known decade-old bug that somehow remained unnoticed in the device’s firmware.

Beyond the case study I will also address alternative tactics; some did not work, others may have but were not the lowest-hanging fruit. When it comes to hardware hacking, the process is as important as the result; knowing that there are multiple ways to reach the end goal helps researchers remain confident when hurdles arise. After the talk, attendees will have an increased distrust towards always-on devices; however, they will have the background knowledge to investigate the products and systems they encounter daily.

Philippe Laulheret
Philippe Laulheret is a Senior Security Researcher on the McAfee Advanced Threat Research team. With a focus on Reverse Engineering and Vulnerability Research, Philippe uses his background in Embedded Security and Software Engineering to poke at complex systems and get them to behave in interesting ways. He previously talked about Reverse Engineering PSX games at BSides PDX, created & contributed to some Hardware Hacking CTFs when working at Red Balloon Security, and shared the love of tearing apart VoIP phones during ad-hoc workshops at multiple conferences (SummerCon, Hardware Hacking Village, etc.)

Twitter: @phLaul


EDR Is Coming; Hide Yo Sh!t

Saturday at 10:00 in Track 4
45 minutes | Demo, Tool

Michael Leibowitz Principal Troublemaker

Topher Timzen (@TTimzen), Principal Vulnerability Enthusiast

There’s a new, largely unaddressed threat in the security industry today, Endpoint Detection and Response (EDR), which aims to stop threat actors in their tracks. The scenario plays out like this... At first your campaign is going well and your attacker objectives are being met. Then, your lovingly crafted payloads become analyst samples, you’re evicted from the environment and you lose your persistence. You and the analyst are now having a bad time. You may feel this is just fear mongering, but we assure you, the risk is real.

Fortunately, we have a few new tricks up our sleeves to keep this nightmare scenario at bay. While many would have you believe that we live in a measured and signed boot Utopia on modern systems, we will show you the seedy underbelly of this Brave New World. By abusing early boot mechanisms and UEFI platform firmware, we are able to evade common detection. By showing up early to the fight, we sucker punch EDR, leaving it in a daze unable to see our malicious activities. We put a new twist on old code injection techniques and maintain persistence in UEFI firmware, making an effective invisibility cloak. By leveraging these two techniques, you and the analyst can have a happy and relaxing evening. From that point on - the good ol’ days are back again! Plunder away!

Michael Leibowitz
Michael (@r00tkillah) has done hard-time in real-time. An old-school computer engineer by education, he spends his days hacking the mothership for a fortune 100 company. Previously, he developed and tested embedded hardware and software, fooled around with strap-on boot roms, mobile apps, office suites, and has written some secure software. On nights and weekends he hacks on electronics, writes CFPs, and contributes to the NSA Playset.

Twitter: @r00tkillah

Topher Timzen
Topher Timzen (@TTimzen) is currently a Principal Vulnerability Enthusiast and enjoys causing constructive mischief. Topher has spoken at conferences such as DEF CON, SecTor and BSidesPDX on offensive security research. Enjoying teaching, particularly about exploitation, he has been running the CTF at BSidesPDX for the past few years. Topher is located in the woods hiking or mountain biking when not computing. Collectively they have pretended to be bears, slayed a dragon or two, and have managed to not bring down a production server (for long). In reality, they just want to write malware.

Twitter: @TTimzen


API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web

Friday at 12:00 in Track 4
45 minutes | Demo, Exploit

Joshua Maddux Security Researcher / Software Engineer, PKC Security

The 2016 WWDC saw the dawn of Apple Pay Web, an API that lets websites embed an Apple Pay button within their web-facing stores. Supporting it required a complex request flow, complete with client certificates and a custom session server. This proved detrimental, since Apple failed to caution against important side effects of taking in untrusted URLs. As a result, many new SSRF vulnerabilities entered the world. Worse yet, while they were exploitable and discoverable in similar ways, they were spread across distinct codebases in several programming languages, so could not be patched in any generic way.

Apple is not alone - in the process of gluing the web together, Twilio, Salesforce, and others have all created similarly broad attack surfaces. When companies fail to take an honest, empathetic look at how clients will use a product, they shove along hidden security burdens. Those who integrate with an API have less context than those who create it, so are in a worse position to recognize these risks.

Engineers have been talking about defensive programming for decades, but top companies still have trouble practicing it. In this talk we explore these mistakes with demos of affected software, and introduce a powerful model for finding broad classes of bugs.
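The class of bug the abstract describes is easy to see in code: the Apple Pay Web merchant-validation step hands the merchant's server a URL chosen by the browser, and the server makes an authenticated outbound request to it. The following is an added illustration, not the speaker's code and not Apple's SDK, and goes beyond the abstract by also rejecting userinfo tricks, IP literals and non-default ports. The hostnames in ALLOWED_HOSTS are assumed for illustration only; a real integration would take the list from Apple's documentation.

```python
"""Validate a client-supplied Apple Pay merchant-validation URL.

Added example; not the speaker's code and not Apple's SDK. In the Apple
Pay Web flow the browser hands the merchant server a `validationURL`, and
the server POSTs to it with its merchant client certificate. Forwarding
that URL unchecked is the SSRF the talk describes. ALLOWED_HOSTS is an
assumed allowlist: take the real hostnames from Apple's documentation.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of exact hostnames (illustrative, not authoritative).
ALLOWED_HOSTS = frozenset({
    "apple-pay-gateway.apple.com",
    "apple-pay-gateway-nc-pod1.apple.com",
})


class RejectedURL(ValueError):
    pass


def vulnerable_session_target(validation_url: str) -> str:
    """The pattern many integrations shipped: trust whatever the client sent."""
    return validation_url


def hardened_session_target(validation_url: str) -> str:
    """Return a rebuilt URL the server may POST to, or raise RejectedURL."""
    parts = urlsplit(validation_url)
    if parts.scheme != "https":
        raise RejectedURL("scheme must be https")
    if parts.username is not None or parts.password is not None:
        # https://apple-pay-gateway.apple.com@10.0.0.5/ parses the
        # allowed name as userinfo and 10.0.0.5 as the real host.
        raise RejectedURL("userinfo not allowed")
    host = parts.hostname            # lower-cased, IPv6 brackets stripped
    if host is None:
        raise RejectedURL("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise RejectedURL("IP literals not allowed")   # 169.254.169.254, ::1
    if parts.port not in (None, 443):                  # raises ValueError if junk
        raise RejectedURL("non-default port")
    if host not in ALLOWED_HOSTS:
        # Exact match: a suffix check would accept apple.com.attacker.example
        raise RejectedURL(f"host {host!r} not in allowlist")
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}{parts.path or '/'}{query}"   # fragment dropped


def is_allowed(validation_url: str) -> bool:
    """Boolean wrapper; also catches urlsplit's own ValueErrors (bad ports etc.)."""
    try:
        hardened_session_target(validation_url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for url in (
        "https://apple-pay-gateway.apple.com/paymentservices/startSession",
        "https://169.254.169.254/latest/meta-data/",
        "https://apple-pay-gateway.apple.com@10.0.0.5/",
        "https://apple-pay-gateway.apple.com.attacker.example/x",
    ):
        print(f"{'ALLOW' if is_allowed(url) else 'REJECT'}  {url}")
```

The vulnerable function is kept only for contrast. The rebuilt URL is what the HTTP client should receive, and that client must still verify the TLS certificate against the hostname, so that a DNS answer pointing an allowed name at an internal address fails the handshake rather than reaching the internal service with the merchant certificate attached.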

Joshua Maddux
Joshua Maddux started out as a software engineer. After a few years, having introduced his share of problems to the world, he turned his life around and started hunting for vulnerabilities. Now at PKC Security he does a mix of software development and white-box penetration testing, with a focus on helping startups move fast without breaking too many things.

Aside from pentesting for clients, Joshua is also active in the bug bounty world. His past research has led to security updates in Java, Gitlab, United Airlines, Zapier, and others.

Twitter: @joshmdx


HVACking: Understand the Difference Between Security and Reality!

Friday at 13:00 in Track 2
45 minutes | Demo

Douglas McKee Senior Security Researcher, McAfee Advanced Threat Research

Mark Bereza Security Researcher, McAfee Advanced Threat Research

Like most modern devices, building controllers have increasingly become network connected, exposing them to a wider range of threats. If malicious actors could manipulate access control systems, boiler rooms, or temperature control for critical industrial systems, the potential for catastrophic damage is extreme.

McAfee's ATR team has discovered a 0-day vulnerability in a major building controller. This controller is a fully programmable native BACnet™ device designed to manage a wide range of building systems. By modifying BACnet broadcast traffic, a buffer overflow can be leveraged into a write-what-where (WWW) condition. This WWW leads to execution control, providing the attacker with a root shell and complete control over the device remotely. Because this attack vector is through BACnet broadcast traffic, there is no authentication mechanism for the target device, allowing anyone on the same network to communicate with it directly and exploit the vulnerability without authentication. Currently, there are over 500 of these devices connected to the internet running in BACnet/IP Broadcast Management Device (BBMD) mode. Utilizing this mode, broadcast traffic can travel over the internet, increasing the potentially devastating impact of this vulnerability.

This presentation will include a deep technical analysis of the vulnerability discovery process and demos illustrating an attack in a critical scenario. Finally, we will discuss the steps taken by the vendor to patch this vulnerability and demonstrate its effectiveness.
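The exposure the abstract hinges on is that BACnet/IP broadcasts can be relayed between networks by a BBMD, so a "broadcast-only" attack surface is reachable from the internet. The BVLC header in front of every BACnet/IP datagram says which kind of traffic it is. The following decoder is an added example, not McAfee ATR's tooling, and has nothing to do with the specific vulnerability in the talk: it classifies a datagram by BVLC function, flags the BBMD and foreign-device functions, extracts the original sender from a Forwarded-NPDU, and refuses to trust the header's own length field. The sample datagrams are constructed by hand.

```python
"""Decode the BVLC layer of BACnet/IP datagrams and flag BBMD traffic.

Added example; not McAfee ATR's tooling and unrelated to the specific bug
in the talk. Every BACnet/IP datagram (UDP 47808) starts with a BVLC
header: type 0x81, a function code, and a 16-bit total length. The
function says whether the datagram is a plain local broadcast or one of
the BBMD/foreign-device functions that carry broadcasts between IP
networks, which is the exposure the abstract describes. Sample datagrams
below are constructed by hand.
"""
import struct

BVLC_TYPE = 0x81
BVLC_FUNCTIONS = {
    0x00: "Result",
    0x01: "Write-Broadcast-Distribution-Table",
    0x02: "Read-Broadcast-Distribution-Table",
    0x03: "Read-Broadcast-Distribution-Table-Ack",
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x06: "Read-Foreign-Device-Table",
    0x07: "Read-Foreign-Device-Table-Ack",
    0x08: "Delete-Foreign-Device-Table-Entry",
    0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
    0x0C: "Secure-BVLL",
}
BBMD_FUNCTIONS = frozenset(range(0x01, 0x0A))        # cross-subnet broadcast plumbing
NPDU_FUNCTIONS = frozenset({0x04, 0x09, 0x0A, 0x0B})  # payload is an NPDU
BROADCAST_FUNCTIONS = frozenset({0x04, 0x09, 0x0B})


class BvlcError(ValueError):
    pass


def parse_bvlc(datagram: bytes) -> dict:
    """Decode the BVLC header; never trust its length field to slice memory."""
    if len(datagram) < 4:
        raise BvlcError("short datagram")
    btype, func, length = struct.unpack("!BBH", datagram[:4])
    if btype != BVLC_TYPE:
        raise BvlcError(f"not BACnet/IP (type 0x{btype:02x})")
    if length != len(datagram):
        raise BvlcError(f"BVLC length {length} != {len(datagram)} bytes on the wire")
    if func not in BVLC_FUNCTIONS:
        raise BvlcError(f"unknown BVLC function 0x{func:02x}")
    body, origin = datagram[4:], None
    if func == 0x04:                      # Forwarded-NPDU: 6-byte original sender
        if len(body) < 6:
            raise BvlcError("Forwarded-NPDU without origin address")
        ip = ".".join(str(b) for b in body[:4])
        (port,) = struct.unpack("!H", body[4:6])
        origin, body = f"{ip}:{port}", body[6:]
    return {
        "function": BVLC_FUNCTIONS[func],
        "bbmd": func in BBMD_FUNCTIONS,
        "broadcast": func in BROADCAST_FUNCTIONS,
        "origin": origin,
        "npdu": body if func in NPDU_FUNCTIONS else b"",
    }


def is_global_broadcast(npdu: bytes) -> bool:
    """True when the NPDU carries DNET 0xFFFF (deliver to all networks)."""
    if len(npdu) < 4 or npdu[0] != 0x01:  # NPDU version is always 1
        return False
    if not npdu[1] & 0x20:                # control bit 5: destination present
        return False
    (dnet,) = struct.unpack("!H", npdu[2:4])
    return dnet == 0xFFFF


def classify(datagram: bytes) -> str:
    """One-line verdict for a log line or alert."""
    try:
        r = parse_bvlc(datagram)
    except BvlcError as exc:
        return f"invalid ({exc})"
    verdict = f"{'BBMD' if r['bbmd'] else 'local'} {r['function']}"
    if r["origin"]:
        verdict += f" from {r['origin']}"
    if r["broadcast"] and is_global_broadcast(r["npdu"]):
        verdict += " [global broadcast DNET=0xFFFF]"
    return verdict


# Constructed samples: a local Who-Is broadcast, the same Who-Is relayed by a
# BBMD from 192.168.1.10, a foreign-device registration (TTL 60 s), and a
# datagram whose BVLC length field lies about the buffer size.
WHO_IS_LOCAL = bytes.fromhex("810b000c0120ffff00ff1008")
WHO_IS_FORWARDED = bytes.fromhex("81040012c0a8010abac00120ffff00ff1008")
REGISTER_FD = bytes.fromhex("81050006003c")
BAD_LENGTH = bytes.fromhex("810b00ff0120ffff00ff1008")

if __name__ == "__main__":
    for pkt in (WHO_IS_LOCAL, WHO_IS_FORWARDED, REGISTER_FD, BAD_LENGTH):
        print(pkt.hex(), "->", classify(pkt))
```

Run against a capture of UDP/47808 arriving at an internet-facing address, any "BBMD" verdict from a non-local source is the condition the abstract warns about: the device is accepting broadcast-management traffic from outside its own subnet. The length check is deliberately strict because a length field that disagrees with the datagram is exactly what a malformed-packet exploit sends.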

Douglas McKee
Douglas McKee is a senior security researcher for the McAfee Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Douglas has an extensive background in penetration testing, reverse engineering, malware analysis and forensics and throughout his career has provided software exploitation training to many audiences, including law enforcement. Douglas recently presented his research focused on hacking medical devices at DEF CON 26.

Twitter: @fulmetalpackets

Mark Bereza
Mark Bereza is a security researcher and new addition to McAfee's Advanced Threat Research team. A recent alumnus of Oregon State's CS systems program, Mark's work has focused primarily on vulnerability discovery and exploit development for embedded systems.


Change the World, cDc Style: Cow tips from the first 35 years

Friday at 15:00 in Track 2
45 minutes

Joseph Menn Author, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World (PublicAffairs, June 2019)

Peiter Mudge Zatko

Chris Dildog Rioux

Deth Vegetable

Omega

The Cult of the Dead Cow changed the culture of the entire security industry, the attitude of companies who had ignored risks, and even how the feds dealt with hackers. In this session, four key figures from the group’s first 35 years will cover their greatest hits and screw-ups, highlighting the lessons for other hackers out to make a difference.

They will be questioned by Joseph Menn, whose new book on the group shows how it evolved from a network of bulletin board operators to the standard-bearers of hacker culture. cDc Minister of Propaganda Deth Vegetable and long serving text-file editor Omega will appear for the first time under their real names, covering the group’s formative years and how it handled such recent controversies as WikiLeaks, neo-Nazis, and the presidential candidacy of cDc alum Beto O’Rourke.

cDc tech luminaries Zatko and Rioux will discuss the release of Back Orifice at DEF CON in 1998, which allowed non-hackers to hijack Windows machines, drawing worldwide attention to the insecurity of Microsoft’s operating system, and Rioux’s pathbreaking sequel, Back Orifice 2K, which prompted Microsoft to hire hackers as security consultants, including those from Zatko and Rioux’s @stake. Zatko will share insights from leading inside the government, where he ran cybersecurity grantmaking at DARPA, the people who brought you the internet. And Rioux will explain what’s possible in the private sector, where he co-founded unicorn Veracode, which dramatically improved code review by major software buyers.

Joseph Menn
Joseph Menn has just published Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. He is an investigative reporter on security, and has covered the issue since 1999 at the Los Angeles Times, Financial Times and most recently Reuters. His previous books include Fatal System Error: The Hunt for the New Crime Lords who are Bringing Down the Internet and All the Rave: The Rise and Fall of Shawn Fanning’s Napster.

Twitter: @josephmenn
Website: https://www.facebook.com/Joseph-Menn-author-of-Cult-of-the-Dead-Cow-and-Fatal-System-Error-178879563940/

Peiter Mudge Zatko
Mudge fronted the pioneer hacker space the L0pht and turned it into a venture-backed security business @Stake. He led sensitive government work at BBN and cybersecurity at DARPA before joining Google to work on special projects. He also led security at Stripe and founded Cyber-ITL, an independent testing lab for software security.

Twitter: @dotMudge

Chris Dildog Rioux
Rioux was the first employee of the L0pht, updated password cracker L0phtcrack, stayed with @stake through its acquisition by Symantec and founded Veracode.

Twitter: @dildog

Deth Vegetable
Veggie took a break to go to graduate school in archaeology. He’s back now.

Twitter: @dethveggie

Omega
Omega has been very quietly working in security for a long time.


Get off the Kernel if you can’t Drive

Saturday at 15:00 in Track 1
45 minutes | Demo, Tool, Exploit

Jesse Michael

Mickey Shkatov

For software to communicate with hardware, it needs to talk to a kernel-mode driver that serves as a middle-man between the two, helping to make sure everything operates as it should. In Windows that is done using the Kernel-Mode Driver Framework (KMDF).

These drivers are used to control everything in your computer, from small things like CPU fan speed, color of your motherboard LED lights, up to flashing a new BIOS.

However, as the code in these drivers runs with the same privileges as the rest of the kernel, malicious drivers can be used to compromise the security of the platform. To that end, Microsoft relies on WHQL, code signing, and EV Signing to prevent drivers which have not been approved by Microsoft from being loaded into the kernel.

Unfortunately, security vulnerabilities in signed drivers can be used as a proxy to read and write hardware resources such as kernel memory, internal CPU configuration registers, PCI devices, and more. These helpful driver capabilities can even be misused to bypass and disable Windows protection mechanisms.

Let us teach you how these drivers work, show you the unbelievable risk they pose, and enjoy our walk of shame as we parade all the silly and irresponsible things we discovered in our research.

Jesse Michael
Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.

Twitter: @JesseMichael

Mickey Shkatov
Mickey Shkatov, a principal researcher at Eclypsium, has been performing security research and product security validation since 2010. He has also presented multiple times at DEF CON, Black Hat, PacSec, CanSecWest, BruCon, Hackito Ergo Sum, and BSides Portland.

Twitter: @HackingThings


RACE - Minimal Rights and ACE for Active Directory Dominance

Saturday at 13:00 in Track 1
45 minutes | Demo, Tool

Nikhil Mittal PentesterAcademy

User rights and privileges are a part of the access control model in Active Directory. Applicable only at the local computer level, a user generally has different rights (through access tokens) on different machines in a domain. Another part of the access control model is security descriptors (ACLs) that protect a securable object. At the domain level, ACL abuse is well known and adversaries have used it for persistence. For user rights, the abuse is mostly with the help of groups (memberships, SID History etc.) or misconfigured delegated rights.

A lesser-known area of abuse and offensive research is a combination of minimal Rights and ACE (hence the term RACE). Often overlooked in audits and assessments, using minimal rights along with favourable ACEs provides a very interesting technique of persistence and on-demand privilege escalation on a Windows machine with much desired stealth.

This talk covers interesting domain privilege escalation, persistence and backdoor techniques with the help of ACLs, minimal user rights and combinations of both. We will discuss how these techniques can be applied using open source tools and scripts. The talk also covers how to detect and mitigate such attacks. The talk will be full of live demonstrations.

Nikhil Mittal
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Active Directory security, attack research, defense strategies and post-exploitation research. He has 10+ years of experience in red teaming. He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Active Directory attacks, defense and bypassing detection mechanisms, and on offensive PowerShell for red teaming. He is the creator of multiple tools, like Nishang, a post-exploitation framework in PowerShell, and Deploy-Deception, a framework for deploying Active Directory deception. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world's top information security conferences. He has spoken/trained at conferences like DEF CON, BlackHat, CanSecWest, BruCON, 44CON and more. He blogs at https://www.labofapenetrationtester.com/

Twitter: @nikhil_mitt
Blog: https://labofapenetrationtester.com/


I'm In Your Cloud... Pwning Your Azure Environment

Sunday at 12:00 in Track 1
45 minutes | Demo, Tool, Exploit

Dirk-jan Mollema Security Expert - Fox-IT

After having compromised on-premise for many years, there is now also the cloud! Now your configuration mistakes can be accessed by anyone on the internet, without that fancy next-gen firewall saving you. With this talk I’ll share my current research on Azure privileges, vulnerabilities and what attackers can do once they gain access to your cloud, or how they can abuse your on-premise cloud components. We start with becoming Domain Admin by compromising Azure AD Sync, sync vulnerabilities that allow for Azure admin account takeover and insecure Single Sign On configurations. Up next is cloud roles and privileges, backdooring Azure AD with service accounts, escalating privileges as limited admin and getting past MFA without touching someone's phone. Then we finish with cloud integrations, also known as "how a developer can destroy your whole infrastructure with a single commit": Exploring Azure DevOps, backdooring build pipelines, dumping credentials and compromising Azure Resource Manager through connected services. Besides all the fun we'll also look into how this translates into the questions you should ask yourself before moving things to the cloud and how this differs from on-premise.

Dirk-jan Mollema
Dirk-jan is one of the core researchers of Active Directory and Azure AD at Fox-IT. Amongst the open source tools published to advance the state of AD research are aclpwn, krbrelayx, mitm6, ldapdomaindump and a Python port of BloodHound. He blogs at dirkjanm.io, where he publishes about new Active Directory attack chains, which included the discovery of the PrivExchange vulnerability. He is also co-author of ntlmrelayx and contributor to several other open source tools and libraries. After discovering that breaking stuff is a lot of fun he never looked back at his freelance web developer days, but is still thankful for the knowledge and experience that those days provided him.

Twitter: @_dirkjan
Website: dirkjanm.io


More Keys Than A Piano: Finding Secrets In Publicly Exposed EBS Volumes

Friday at 13:00 in Track 4
45 minutes | Demo, Tool

xBen "benmap" Morris Security Associate, Bishop Fox

Did you know that Elastic Block Storage (Amazon EBS) has a "public" mode that makes your virtual hard disk available to anyone on the internet? Apparently hundreds of thousands of others didn't either, because they're out there exposing secrets for everyone to see.

I tore apart the petabytes of data for you and have some dirty laundry to air: encryption keys, passwords, authentication tokens, PII, you name it and it's here. Whole (virtual) hard drives to live sites and apps, just sitting there for anyone to read. So much data in fact that I had to invent a custom system to process it all.

There's a massive Wall of Sheep out there on the internet, and you might not have even noticed that you're on it. Actually, you should stop reading and go check that out right now.

xBen "benmap" Morris
Ben Morris is a Security Associate at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing, network penetration testing, and red-teaming.

Ben also enjoys performing drive-by pull requests on security tools and bumbling his way into vulnerabilities in widely used PHP and .NET frameworks and plugins. Ben has also contributed to Root the Box, a capture the flag security competition.


The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum

Sunday at 14:00 in Track 3
45 minutes | Demo, Tool

Bernhard Mueller ConsenSys Diligence

Daniel Luca

Ethereum smart contracts are Turing-complete programs that mediate transfers of money. It doesn't come as a surprise that all hell is breaking loose on the Ethereum blockchain.

In this talk, we'll introduce Karl, an Ethereum blockchain monitor, and Scrooge McEtherface, an auto-exploitation bot that extracts Ether from vulnerable smart contracts. Scrooge uses symbolic execution to detect vulnerable states that live up to three transactions deep and constructs exploit payloads using the Z3 constraint solver.

We'll also examine the game-theoretic consequences of Scrooge's existence. What if multiple bots compete for exploiting the same contracts? How about honeypots that counter-exploit bots? Is it possible to cheat those honeypots? When all is said and done, who is going to end up stealing money from whom?

During the talk, we'll show many examples for vulnerable contracts, honeypots, and counter-honeypots, explain the role of transaction ordering and frontrunning, and launch a little challenge for the audience.

Bernhard Mueller
Bernhard Mueller is an OG security engineer and researcher with experience in a variety of fields including Internet protocols, web apps, operating systems, server software and blockchain technology. His work in mobile and blockchain security has earned him two "Best Research" Pwnie Award nominations (and one win). In the Ethereum community he is known for creating the Mythril symbolic analyzer.

Twitter: @muellerberndt
LinkedIn: https://www.linkedin.com/in/bernhardm/

Daniel Luca
Daniel is a self-taught developer with experience in multiple programming languages. Having a hacker mindset he always tests the limits of software or hardware he interacts with. He likes to experiment with new technologies, always trying to develop his available toolchain. When he isn't glued to a computer screen, he likes to snowboard, read and meditate. He currently does security audits and builds tools for ConsenSys Diligence and the Ethereum ecosystem.

Twitter: @cleanunicorn
LinkedIn: https://www.linkedin.com/in/luca-daniel-5227267/


SSO Wars: The Token Menace

Saturday at 13:00 in Track 4
45 minutes | Demo, Tool, Exploit

Alvaro Muñoz Software Security Researcher @ Fortify (Micro Focus)

Oleksandr Mirosh Software Security Researcher @ Fortify (Micro Focus)

It is the year 2019. Humanity has almost won its long-standing war against Single-Sign On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world scale attack against the Auth Federation.

In this talk, we will present two new techniques:

  1) A new breed of SAML implementation flaws that break XML signature validation and enable arbitrary modification of the SAML assertion, which enables attackers to authenticate as arbitrary users or grant themselves arbitrary authorization claims. Although any implementation may be affected by this flaw, we will show how it affects Microsoft Windows Identity Framework (WIF) applications, Windows Communication Foundation (WCF) web services, and flagship products such as SharePoint and Exchange Servers.
  2) A bug in the .NET crypto library, which may allow attackers to gain Remote Code Execution (RCE) or Denial of Service (DoS) depending on the availability of code gadgets in the target server.

A new tool to detect this type of vulnerability will also be discussed and released.

Alvaro Muñoz
Alvaro Muñoz (@pwntester) is Principal Security Researcher at Micro Focus Fortify, where he researches new software vulnerabilities and implements systems to detect them. His research focuses on web application frameworks, where he looks for vulnerabilities or unsafe uses of APIs. Before joining the research team, he worked as an Application Security Consultant helping enterprises deploy application security programs. Muñoz has presented at many security conferences including BlackHat, DEF CON, RSA, OWASP AppSec US & EU, JavaOne, etc., and holds several infosec certifications, including OSCP, GWAPT and CISSP. He plays CTFs with the Spanish int3pids team and blogs at http://www.pwntester.com.

Twitter: @pwntester
Website: http://www.pwntester.com

Oleksandr Mirosh
Oleksandr Mirosh has over 11 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He works on the Fortify Software Security Research team at Micro Focus, investigating and analyzing new threats, vulnerabilities, security weaknesses and new techniques for exploiting security issues, and developing vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modelling, testing and fuzzing, in order to identify and remove any existing or potentially emerging security defects in the software of various customers.

Twitter: @olekmirosh


Re: What's up Johnny? – Covert Content Attacks on Email End-to-End Encryption

Friday at 16:30 in Track 4
20 minutes | Demo, Exploit

Jens Müller Ruhr University Bochum

We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a decryption oracle by replying to an unsuspicious-looking email. Using this technique, the plaintext of hundreds of encrypted emails can be leaked at once. Furthermore, we show how users could be tricked into signing arbitrary text by replying to emails containing CSS conditional rules. An evaluation shows that 17 out of 19 OpenPGP-capable email clients, as well as 21 out of 22 clients supporting S/MIME, are vulnerable to at least one attack. We provide different countermeasures and discuss their advantages and disadvantages.

Jens Müller
Jens Müller is a PhD student at the Chair for Network and Data Security, Ruhr University Bochum, Germany. His research interests are legacy protocols and data formats, for which he loves to investigate what could possibly go wrong in a modern world. He has experience as a speaker at international security conferences (BlackHat, IEEE S&P, OWASP) and as a freelancer in network penetration testing and security auditing. Besides breaking things, he develops free open source software, for example, tools related to network printer exploit^H^H^H^H^H^H^H, um, "debugging".

Twitter: @jensvoid
Websites: https://www.nds.ruhr-uni-bochum.de/chair/people/jmueller/
https://hacking-printers.net/


GSM: We Can Hear Everyone Now!

Saturday at 13:00 in Track 2
45 minutes | Demo, Exploit

Campbell Murray Global Head Cybersecurity Delivery, BlackBerry

Eoin Buckley Senior Cybersecurity Consultant

James Kulikowski Senior Cybersecurity Consultant

The presentation demonstrates that the A5/1 and A5/3 ciphers used to protect cellular calls are vulnerable to compromise, leading to full decryption of GSM communications, using freely available open source solutions along with the tools we developed for this task.

The flaw being exploited lies in the heart of the design of GSM. In all implementations the standard requires GSM messages to first be error control encoded using a convolutional code and then encrypted. In the vast majority of implementations used today, encryption is performed using the A5/1 or A5/3 cipher. The convolutional code adds redundancy to the transmitted message, which can act like a fingerprint to identify the key used to encrypt the GSM message.

To exploit the vulnerability an attacker simply needs to capture a transmission and identify the GSM channel used. The standard defines the convolutional code and therefore how the redundancy may be interpreted to recover the encryption key.

This presentation considers passively capturing GSM traffic using A5/3 encryption and demonstrates a novel solution to cracking the key used without interacting with the mobile or network.

Campbell Murray
Campbell Murray is the global head of BlackBerry Cybersecurity Delivery and joined the organization through the acquisition of Encription Ltd, of which he was a founder and director. He has over 20 years’ cybersecurity experience with an emphasis on offensive security techniques and security engineering in the IoT, industrial and transport arenas. Campbell is a founding director of both the TigerScheme and the CyberScheme.

Twitter: @zyx2k

Eoin Buckley
Michael Eoin Buckley is a senior cybersecurity consultant at BlackBerry with over 20 years’ experience spanning cybersecurity consultancy, product security and both security and physical layer aspects of 3GPP cellular, Zigbee and IETF standards. In his role he leads the cybersecurity engineering effort and specializes in product security assessments of several areas such as automotive, healthcare and aerospace. Eoin holds a Ph.D. from Cornell University with a thesis focus on error control coding.

James Kulikowski
James Kulikowski is a senior cybersecurity consultant at BlackBerry and an active member at Unallocated Space in Baltimore, Maryland. In his 15 years, James has worked with clients from the DoD and Intel community to companies in finance, healthcare and transportation. James previously specialized in risk management and policy development before transitioning to hardware and software security assessments.


NOC NOC. Who's there? All. All who? All the things you wanted to know about the DEF CON NOC and we won't tell you about

Saturday at 16:00 in Track 2
105 minutes

The DEF CON NOC

It's been a while, something like DEF CON 19, since we had the chance to have more than a few minutes at closing ceremonies to talk to everyone about the DEF CON NOC. It is not uncommon for people during the show or throughout the year to come to us asking things here and there about the DEF CON network. Come see all the DEF CON NOC team on stage, yes, those you usually don't see anywhere during the show, because, well, we're making sure packets are flowing and people are interneting. Come learn what we do, how we do it and possibly answer any questions that you might have about the "most hostile network in the planet".

The DEF CON NOC
@DEFCON_NOC, @effffn, @macmceniry, @Mike_Moore, @mansimusa, @c7five, @_CRV, @jaredbird, all the other NOC members who refuse to share their twitter handles and our very special guest Lord Raytheon


Poking the S in SD cards

Friday at 16:30 in Track 1
20 minutes | Demo, Tool, Exploit

Nicolas Oberli Cybersecurity Expert, Kudelski security

Ever wonder why the S in SD cards stands for Secure? Well, it turns out that it is possible to read- and/or write-protect these cards by software using specific commands. As you might expect, this process isn’t as "secure" as the name implies, leading to multiple issues. This talk will present some of these features and the vulnerabilities discovered while poking at cards from various manufacturers. The equipment used in this talk is quite easily attainable, allowing for easy replication and learning about these attacks.

Nicolas Oberli
Nicolas works as a security researcher for Kudelski Security in Switzerland. His research focuses on embedded devices and communication protocols. In his spare time, he now spends more time designing CTF challenges than solving them. He is also one of the main developers of the Hydrabus hardware hacking tool and part of the BlackAlps security conference committee.

Twitter: @Baldanos


No Mas – How One Side-Channel Flaw Opens ATMs, Pharmacies and Government Secrets Up to Attack

Friday at 13:00 in Track 3
45 minutes | Demo, Exploit

phar ioactive

Hacking ‘high security’ electronic locks has become a bit of a hobby, but what if you identify an unpatchable design pattern that unlocks buckets of cash and government secrets? How long do you wait before telling ‘people’? Let’s talk about how these locks are designed, where they fail, and we can rip this band-aid off together.

phar
Mike Davis is a hardware security researcher and consultant with IOActive, and for some reason still responds to ‘phar’.


Breaking The Back End! It Is Not Always A Bug. Sometimes, It Is Just Bad Design!

Friday at 16:30 in Track 3
20 minutes | Demo, Exploit

Gregory Pickett Cybersecurity Operations, Hellfire Security

Reverse engineering is critical to exploitation. However, going through the process of reverse engineering can often lead to a great deal more than just uncovering a bug. So much so that you might find what you need for exploitation even if you don't find a bug.

That’s right. If you go through object data, object representation, object states, and state changes enough you can find out quite a lot. Yes. Poor application logic is a bitch. Just ask any application penetration tester. This time it is not the magstripe. It’s appsec and you will get to see how application attacks can be used against a hardware platform.

In this talk, I will go through the journey that I took in reverse engineering the public transportation system of an East Asian mega-city, the questions that I asked as I wondered “How does this work?”, the experiments that I ran to answer those questions, what I learned that led me to an exploit capable of generating millions of dollars in fake tickets for that very same system, and how other designers can avoid the same fate. Not without risk, this research was done under a junta, so I will also be telling you how I kept myself out of jail while doing it. Please join me. You won’t want to miss it.

Gregory Pickett
Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion analysis for Fortune 100 companies but now heads up Hellfire Security’s Managed Security Services efforts and participates in their assessment practice as a network security subject matter expert. As a security professional, his primary area of focus and occasional research is networks with an interest in using network traffic to better understand, to better defend, and sometimes to better exploit the hosts that live on them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.

Twitter: @shogun7273
Website: https://sourceforge.net/u/shogun7273/profile/


Hacking Your Thoughts - Batman Forever meets Black Mirror

Saturday at 11:00 in Track 3
45 minutes

Katherine Pratt/GattaKat NSF Graduate Research Fellow, University of Washington - Seattle

Companies are coming for your brains. The electricity in your brains, to be more precise. Valve, Facebook, Elon Musk and more are funding research into technologies that will translate neural signals into controls for devices like computers, smartphones, and VR/AR environments. While this would be super exciting, it represents some serious data privacy issues. First: what kind of private information can be elicited from your neural signals? It’s possible to use a specific kind of neural response to visual and audio stimuli to deduce information about the user… like where you bank, who you know, your real identity, etc (Edward Nygma in Batman Forever, anyone?)

More broadly, there is also the issue of what happens when you provide your neural signals to a company. If you’re worried about what Facebook is doing with your information now, imagine what they can do when they have hours of information straight from your brain. If neural data is treated the same as your DNA, commercial companies become the owners of your thoughts (as electrical signals). Will they readily share it with the FBI without probable cause? These kinds of questions, and many more, are starting to surface with neurally-controlled devices and other emerging technologies. This talk will cover all of this and more.

Katherine Pratt/GattaKat
Dr Katherine Pratt received her B.S. in aerospace engineering from MIT in 2008, and her PhD in Electrical and Computer Engineering (ECE) from the University of Washington (UW) in 2019. During undergrad she completed several internships with the private space venture Blue Origin, working in systems and propulsion engineering. She has served four years in the United States Air Force, working primarily as an operational flight test engineer on the F-35 Joint Strike Fighter. Her doctoral dissertation focused on the privacy, ethics, and policy of information derived from elicited neural signals. She was the recipient of a National Science Foundation Graduate Research Fellowship and the 2018-19 UW ECE Irene Peden Endowed Fellowship. During graduate school she interned with the ACLU of Washington through the Speech, Privacy, and Technology Project. She also completed a six month fellowship as the first Congressional Innovation Scholar through Tech Congress where she crafted technology policy and legislation in the office of a member of the House of Representatives.

Twitter: @GattaKat
Website: https://kaipratt.site/web


Breaking Google Home: Exploit It with SQLite(Magellan)

Thursday at 11:00 in DC101, Paris Theatre
45 minutes | Demo, Exploit

Wenxiang Qian Senior security researcher at Tencent Blade Team

YuXiang Li Senior security researcher at Tencent Blade Team

HuiYu Wu Senior security researcher at Tencent Blade Team

Over the past years, our team has used several new approaches to identify multiple critical vulnerabilities in SQLite and Curl, two of the most widely used basic software libraries. These two sets of vulnerabilities, which we named "Magellan" and "Dias" respectively, affect many devices and software. We exploited these vulnerabilities to break into some of the most popular Internet of Things devices, such as Google Home with Chrome. We also exploited them on one of the most widely used web servers (Apache+PHP) and one of the most commonly used developer tools (Git).

In this presentation, we will share how we try to crack the Google Home from both hardware and software aspects, get and analyze the newest firmware, solve the problem, and introduce new methods to discover vulnerabilities in SQLite and Curl through fuzzing and manual auditing. Through these methods, we found "Magellan", a set of three heap buffer overflow and heap data disclosure vulnerabilities in SQLite (CVE-2018-20346, CVE-2018-20505, CVE-2018-20506). We also found "Dias", two remote memory leak and stack buffer overflow vulnerabilities in Curl (CVE-2018-16890 and CVE-2019-3822). Considering the fact that these vulnerabilities affect many systems and software, we have issued a vulnerability alert to notify the vulnerable vendors to fix them.

We will disclose the details of "Magellan" and "Dias" for the first time and highlight some of our new vulnerability exploitation techniques. In the first part, we will introduce the results of our analysis of the hardware, how to get the newest firmware by simulating an update request, and the attack surface of Google Home. We will show how to use Magellan to complete the remote exploit of Google Home. We will also give a briefing talk about how to use Dias to complete the remote attack on Apache+PHP and Git. Finally, we will summarize our research and provide some security development advice to the basic software library developers.

Wenxiang Qian
Wenxiang Qian is a senior security researcher at the Tencent Blade Team. He is focusing on security research of IoT devices. He also does security audits for web browsers. He was in the top 100 of the annual MSRC list (2016 & 2017). He published a book called "Whitehat Talk About Web Browser Security".

Twitter: @leonwxqian

YuXiang Li
YuXiang Li is a senior security researcher at Tencent Blade Team, specialized in the study of Mobile Security and IoT Security. He has reported multiple vulnerabilities in Android and received acknowledgments from vendors (Google/Huawei). He was a speaker at HITB AMS 2018 and XCON 2018.

Twitter: @Xbalien29

HuiYu Wu
HuiYu Wu is a senior security researcher at Tencent Blade Team. His job now mainly focuses on IoT security research and mobile security research. He was also a bug hunter, winner of GeekPwn 2015, and speaker at DEF CON 26, HITB 2018 AMS and POC 2017.

Twitter: @DroidSec_cn


Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in Firmware

Sunday at 14:00 in Track 1
45 minutes | Demo, Tool

Christopher Roberts

DARPA’s Grand Cyber Challenge foretold an ominous future stricken with machines exploiting our code and automatically compromising our systems. Today, we have the chance to steel ourselves by creating new hope through stronger tools and techniques to find our bugs before our big-brother nation-states can take advantage. The firmware holding our phones, our routers, and our cars is our weakest link and it demands new methods of finding exploitable vulnerabilities. This talk will present Firmware Slap, the culmination of concolic analysis and semi-supervised firmware function learning. Each binary or library in a given firmware provides slices of information to accelerate and enable fault-resistant concolic analysis. These techniques provide a method of knowing where our vulnerabilities are and how we can trigger them.

Christopher Roberts
Christopher Roberts is a security researcher at REDLattice Inc. He has extensive vulnerability research experience in embedded systems and program analysis frameworks. He competes and speaks in George Mason’s competitive cyber club. He’s known for building several tools which automatically solve and produce flags from pwnable and reversing CTF problems. (Zeratool) (PinCTF)

Github: https://github.com/ChrisTheCoolHut


Why You Should Fear Your “mundane” Office Equipment

Saturday at 12:00 in Track 3
45 minutes | Demo, Tool, Exploit

Daniel Romero Managing Security Consultant, NCC Group

Mario Rivas Senior Security Consultant, NCC Group

The security of common enterprise infrastructure devices such as desktops and laptops has advanced over the years through incremental improvements in operating system and endpoint security. However, security controls for network devices such as enterprise printers are often ignored and thus present a greater potential for exploitation and compromise by threat actors seeking to gain a persistent foothold on target organisations.

In order to assess the current state of mainstream enterprise printer product security and to challenge common assumptions made about the security of these devices, which sit on key parts of enterprise networks and process sensitive data, we set out on a vulnerability and exploitation research project of six known vendors. We were able to find remote vulnerabilities in all printers tested through various attack vectors, revealing a large number of 0-day vulnerabilities in the process.

In this talk we walk through the entire research engagement, from initial phases such as threat modelling to understand printer attack surfaces, to the development of attack methodologies and fuzzing tools used to target printer-specific protocols and functions. Besides highlighting important vulnerabilities found and their respective CVEs, proof-of-concept exploits showing how it is possible to gain full control of printers and all of the data they manage will be presented. This will show how enterprise printers can be used as a method of persistence on a network, perhaps to exfiltrate sensitive data or support C2 persistence on Red Team engagements.

We also address a number of challenges that researchers can face when performing vulnerability research on devices such as printers and how we used different techniques to overcome these challenges, working with limited to no debugging and triage capabilities. We also present mitigations that printer manufacturers can implement in order to reduce printer attack surfaces and render exploitation more difficult.

Daniel Romero
Daniel is currently a security consultant and researcher at NCC Group. During his career he has worked on interesting security projects, always trying to “break” as much as possible. In recent years Daniel has mostly been focused on embedded devices / IoT and everything that surrounds them, such as hardware, code review, reverse engineering, fuzzing or exploiting.

Twitter: @daniel_rome

Mario Rivas
Mario is a penetration tester and security consultant at NCC Group in Madrid. His interests revolve around all areas of computer security; he is always trying to learn new things, and especially enjoys writing tools during the process to make his life a bit easier.

Twitter: @Grifo


Owning The Clout Through Server-Side Request Forgery

Sunday at 13:00 in Track 3
45 minutes | Demo, Tool

Ben Sadeghipour Nahamsec

Cody Brocious (Daeken)

With so many apps running in the cloud, hacking these instances becomes easier when a simple vulnerability arises from unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfiltrate data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Ben Sadeghipour
Ben is the Hacker Operations Lead at HackerOne by day, and a hacker by night. He has helped identify and exploit over 500 security vulnerabilities across hundreds of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, the US Department of Defense, Yelp, and more. He has also invested time in the security community by creating a community of 200+ active hackers who share ideas and their experiences. He has also held free workshops and trainings to teach others about security and web application hacking.

Twitter: @nahamsec
Website: nahamsec.com

Cody Brocious (Daeken)
Cody is the Head of Hacker Education at HackerOne, where he dedicates his time to teaching hackers to be more effective and empowered. He is a reverse engineer and software developer with well over a decade of experience. Cody is also the lead instructor for Hacker101, a free course on web security.

Twitter: @daeken
Website: daeken.svbtle.com

Back to top

Information Security in the Public Interest

Saturday at 10:00 in Track 3
45 minutes

Bruce Schneier

Computer security is now a public policy issue. Election security, blockchain, "going dark," the vulnerabilities equities debate, IoT safety, data privacy, algorithmic security and fairness, critical infrastructure: these are all important public policy issues with a strong Internet security component. But while an understanding of the technology involved is fundamental to crafting good policy, there is little involvement of technologists in policy discussions. This is not sustainable. We need public-interest technologists: people from our fields helping craft policy, and working to provide security to agencies and groups working in the broader public interest. We need these people in government, at NGOs, teaching at universities, as part of the press, and inside private companies. This is increasingly critical to both public safety and overall social welfare. This talk both describes the current state of public-interest technology, and offers a way forward for us individually and collectively for our field. The defining policy question of the Internet age is this: How much of our lives should be governed by technology, and under what terms? We need to be involved in that debate.

Bruce Schneier
Bruce Schneier is an internationally renowned security technologist, called a "security guru" by the Economist. He is the author of 14 books—including the New York Times best-seller "Click Here to Kill Everybody"—as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and blog "Schneier on Security" are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet and Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security.

Twitter: @schneierblog
Website: https://www.schneier.com

Back to top

Zero bugs found? Hold my Beer AFL! How To Improve Coverage-Guided Fuzzing and Find New 0days in Tough Targets

Saturday at 14:00 in Track 3
45 minutes | Demo, Tool, Exploit

Maksim Shudrak Security Researcher

Fuzzing remains the most effective technique for bug hunting in memory-unsafe programs. Last year, hundreds of security papers and talks on fuzzing were published, and dozens of them focused on adapting or improving American Fuzzy Lop in some way. Attractive for its simplicity and efficiency, AFL is the number one choice for the vast majority of security researchers. This high popularity means that hunting for bugs with AFL or a similar tool is becoming less and less fruitful, since many projects are already covered by other researchers. It is especially hard when we talk about a project participating in the Google OSS-Fuzz program, which utilizes AFL to generate half a trillion test cases per day.

In practice, this means that we cannot blindly rely on AFL anymore and should search for better fuzzing techniques. In order to overcome this challenge, we need to understand how AFL and similar fuzzers work and be able to use their weaknesses to find new 0days. This talk aims to discuss these weaknesses using real examples, explain how we can do fuzzing better, and release a new open-source fuzzer called Manul.

Manul is a highly scalable, coverage-guided parallel fuzzer with the ability to search for bugs in open-source and black-box binaries on Windows and Linux. Manul was able to find 10 0-days in 4 widely-used projects that have been extensively tested by AFL. These vulnerabilities were not found by chance, but by analyzing and addressing issues that exist in AFL. The authors will show several of the most critical vulnerabilities and explain why AFL overlooked them.

This talk will be of interest to experienced hackers who are willing to improve their bug hunting capabilities, as well as to new researchers who are taking their first steps on the thorny trail of bug hunting.

Maksim Shudrak
Maksim is a security researcher and vulnerability hunter in open-source and black-box applications. In the past, he worked on the dynamic binary instrumentation framework DynamoRIO, developed an extremely abstract Windows OS emulator for malware analysis at IBM Research, and wrote a sophisticated fuzzer to search for vulnerabilities in machine code. The latter was so exciting that he defended his PhD on this topic. Today, he works on the Red Team side at a large cloud-based software company.

Maksim has spoken at various security conferences around the world such as DEF CON, Positive Hack Days, Virus Bulletin and BSides SF.

Twitter: @Mshudrak
LinkedIn: https://www.linkedin.com/in/mshudrak

Back to top

Relaying Credentials Has Never Been Easier: How to Easily Bypass the Latest NTLM Relay Mitigations

Friday at 15:00 in Track 4
45 minutes | Demo, Tool, Exploit

Marina Simakov Senior Security Researcher @Preempt

Yaron Zinar Senior Security Researcher Lead @Preempt

Active Directory has always been a popular target for attackers, with a constant rise in attack tools attempting to compromise and abuse the main secrets storage of the organization. One of the weakest spots in Active Directory environments lies in the design of one of the oldest authentication protocols – NTLM, which is a constant source of newly discovered vulnerabilities. From CVE-2015-0005, to the recent LDAPS Relay vulnerability, it is clear why this protocol is one of the attackers’ favorites.

Although mitigations such as server signing are offered, protecting the entire domain from NTLM relay is virtually impossible. If that weren’t bad enough already, we will present several new ways to abuse this infamous authentication protocol, including a new critical zero-day vulnerability we have discovered which makes it possible to perform NTLM Relay and take over any machine in the domain, even with the strictest security configuration, while bypassing all of today's offered mitigations. Furthermore, we will show why the risks of this protocol are not limited to the boundaries of the on-premises environment, and present another vulnerability which allows bypassing various AD FS restrictions in order to take over cloud resources as well.

Marina Simakov
Marina Simakov is a security researcher at Preempt, with a special interest in network security and authentication protocols. Prior to Preempt, Marina served as a Security Researcher at Microsoft for several years. She holds an M.Sc. in computer science and has several published articles, with a main area of expertise in graph theory. Marina has previously spoken at security conferences such as Black Hat, BlueHat IL and DEF CON.

Yaron Zinar
Yaron Zinar is a Lead Security Researcher at Preempt, delivering the industry’s first Identity and Access Threat Prevention. Previously, Yaron spent over 12 years at leading companies such as Google and Microsoft, where he held various positions researching and leading big data, machine learning and cyber security projects. Yaron is an expert on Windows authentication protocols; among his team's latest findings are CVE-2017-8563 and CVE-2018-0886, which he presented at Black Hat last year. Yaron holds an M.Sc. in Computer Science with a focus on statistical analysis.

Back to top

Adventures In Smart Buttplug Penetration (testing)

Sunday at 10:00 in Track 2
45 minutes | Demo, Tool

smea

Analysts believe there are currently on the order of 10 billion Internet of Things (IoT) devices out in the wild. Sometimes, these devices find their way up people's butts: as it turns out, cheap and low-power radio-connected chips aren't just great for home automation - they're also changing the way we interact with sex toys. In this talk, we'll dive into the world of teledildonics and see how connected buttplugs' security holds up against a vaguely motivated attacker, finding and exploiting vulnerabilities at every level of the stack, ultimately allowing us to compromise these toys and the devices they connect to.

smea
smea got his start making video games for closed consoles like the Nintendo DS using whatever hacks were available at the time. At some point consoles started getting actual security features and he transitioned from just making homebrew software to actually making the jailbreaks that let people run it. He's best known for his work on the Nintendo 3DS and Wii U but has also done exploitation work against high profile web browsers and virtualization stacks. Now he hacks buttplugs, apparently.

Twitter: @smealum
Github: https://github.com/smealum

Back to top

Zombie Ant Farm: Practical Tips for Playing Hide and Seek with Linux EDRs

Saturday at 12:00 in Track 4
45 minutes | Demo, Tool

Dimitry Snezhkov Sr. Security Consultant, X-Force Red

EDR solutions have landed in Linux. With the ever increasing footprint of Linux machines deployed in data centers, offensive operators have to answer the call.

In the first part of the talk we will share practical tips and techniques hackers can use to slide under the EDR radar, and expand post-exploitation capabilities.

We will see how approved executables can be used as decoys to execute foreign functionality. We will walk through the process of using well-known capabilities of the dynamic loader. We will take lessons from user-land rootkits in evasion choices.

Part two will focus on weaponizing the capabilities. We will show how to create custom preloaders, and use mimicry to hide modular malware in memory. We will create a "Preloader-as-a-Service" capability of sorts by abstracting storage of modular malware from its executing cradles. This PaaS is free to you though!

We fully believe the ability to retool in the field matters, so we have packaged the techniques into reusable code patterns in a toolkit you will be able to use (or base your own code on) after it is released.

This talk is for hackers, offensive operators, malware analysts and system defenders. We sincerely hope defensive hackers can attend and also have fun.

Dimitry Snezhkov
Dimitry Snezhkov is a Sr. Security Consultant for X-Force Red. In this role he hacks code, tools, networks, apps and sometimes subverts human behavior too. Dimitry has spoken at DEF CON, THOTCON, DerbyCon, CircleCityCon, NorthSec, and presented tools at BlackHat Arsenal.

Twitter: @Op_Nomad

Back to top

Apache Solr Injection

Saturday at 16:30 in Track 4
20 minutes | Demo, Exploit

Michael Stepankin Security Researcher at Veracode

Apache Solr is a search platform used by many enterprise companies to add full-text search functionality to their websites. Often hidden behind firewalls, it provides a rich API to search across large datasets. If this API is used by web applications in the wrong way, it may open a possibility for injection attacks that completely modify the query logic.

In this talk we’ll shed some light on a new type of vulnerability for web applications - Solr parameter injection - and provide some useful ways to achieve remote code execution through it. We also provide exploits for almost all known vulnerabilities in Apache Solr, including the two new RCEs we reported this year.
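Solr parameter injection in its simplest form, as an added example that is not code from the talk or from Apache Solr: a web application that splices a user-supplied search term into the Solr request URL lets an `&` in the input introduce extra Solr parameters, while percent-encoding the value keeps the whole term inside `q`. The Solr host, collection name, the application's intended parameters and the attacker input are all constructed for illustration; refusing the `{!...}` local-params prefix is this example's own design choice, not a Solr feature.

```python
"""Solr parameter injection: vulnerable vs. hardened request building.

Added example, not code from the talk or from Apache Solr. The Solr host,
collection and attacker input are constructed for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical internal Solr endpoint (assumption, not a real host).
SOLR_SELECT = "http://solr.internal:8983/solr/products/select"


def build_url_vulnerable(user_query: str) -> str:
    """Splices the raw search term into the query string.

    '&' and '=' in user_query are not encoded, so an attacker can append
    arbitrary Solr parameters (rows, fl, qt, ...) and rewrite the query.
    """
    return f"{SOLR_SELECT}?q=name:{user_query}&fl=name,price&rows=10"


def build_url_hardened(user_query: str) -> str:
    """Builds the same request with urlencode(), which percent-encodes
    '&', '=' and '#', so the whole term stays inside the value of q.

    Solr local-params syntax ('{!parser ...}' at the start of q) can still
    switch query parsers from inside q, so that prefix is refused as well
    (this example's design choice).
    """
    if user_query.lstrip().startswith("{!"):
        raise ValueError("local-params syntax is not allowed in a search term")
    params = {"q": f"name:{user_query}", "fl": "name,price", "rows": 10}
    return f"{SOLR_SELECT}?{urlencode(params)}"


def effective_params(url: str) -> dict:
    """Parses the final URL the way the Solr side will: {name: [values]}.

    Comparing this for both builders shows which parameters the attacker
    actually managed to introduce.
    """
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def injected_params(user_query: str) -> set:
    """Names of parameters the input adds under the vulnerable builder.

    Reports any name the application never set, and any application
    parameter that now carries more than the single value it sent.
    """
    intended = {"q", "fl", "rows"}
    seen = effective_params(build_url_vulnerable(user_query))
    return {k for k, v in seen.items() if k not in intended or len(v) > 1}


if __name__ == "__main__":
    attacker = "*&rows=1000&fl=*"  # constructed attacker input
    print("vulnerable:", effective_params(build_url_vulnerable(attacker)))
    print("hardened:  ", effective_params(build_url_hardened(attacker)))
    print("injected:  ", injected_params(attacker))
```

Run it and compare the two dictionaries: under the vulnerable builder `rows` and `fl` each carry two values, the attacker's first, and `q` has been cut down to `name:*`; under the hardened builder `q` still contains the entire input as data and the application's `fl` and `rows` are untouched. The same check applied to the application's own URL-building code is the quickest way to triage whether a Solr-backed search endpoint is exposed to this class of injection.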

Michael Stepankin
Michael Stepankin is a Security Researcher at Veracode. He works on bringing new detection features to Veracode’s dynamic and static scanner engines. As a passionate hacker, he loves to hack enterprise java applications by day and write beautiful JavaScript code by night. Listed in Halls of Fame of various bug bounty programs, Michael has also worked as a penetration tester for many years.

Twitter: @artsploit

Back to top

Reverse Engineering 17+ Cars in Less Than 10 Minutes

Saturday at 16:00 in Track 1
20 minutes | Demo, Tool

Brent Stone

Brent provides a live demonstration reverse engineering 17 or more unknown passenger vehicle CAN networks in under 10 minutes using new automated techniques. These unsupervised techniques are over 90% accurate and consistent when tested using production CAN networks and different driving conditions. He then introduces the Python and R code used for the demo and posted to his public GitHub repository at https://github.com/brent-stone/CAN_Reverse_Engineering. The dissertation explaining how the code works is also posted.

Brent Stone
Dr. Brent Stone is a Cyber officer with the U.S. Military. His professional experience includes 10 years of IT and cyber work in North America, the Middle East, and Asia. The focus of his PhD research was developing AI methods to help security researchers overcome the 'security through obscurity' used in the automotive industry. He presented initial findings at the 2018 IEEE Connected and Automated Vehicles Symposium and is an active member of the Open Garages car hacking group. He holds a B.S. in Computer Science from West Point, an M.S. in IT security from Carnegie Mellon, and a PhD in Computer Science from the Air Force Institute of Technology.

Github: https://github.com/brent-stone

Back to top

HAKC THE POLICE

Saturday at 11:00 in Track 2
45 minutes | Demo, Tool

Bill Swearingen World’s #23 Best Hacker

PULL OVER!
No, it is a cardigan, but thanks for noticing! After getting a nasty speeding ticket, OG SecKC HA/KC/ER hevnsnt decided enough was enough, and set out to fully understand police speed measurement devices, and develop homebrew countermeasures that are legal in some states (and some that are not). Come learn how police RF (X, K, KA) and Laser speed detection systems work and how to implement your own homebrew jamming countermeasures on the cheap, essentially making your vehicle invisible to law enforcement. HOP IN and BUCKLE UP, this talk is going to FUEL your hardware hacking desires! You better be able to think fast to keep up with this talk and prepare to get home in record time.

Bill Swearingen
Bill Swearingen (hevnsnt) has been in the hacking scene for decades, which is odd because his twitter profile says he is only 23 years old. Having spent his life dedicated to understanding how things work, he has focused this curiosity and knowledge to take advantage of our world in any way possible. His interests have always been focused on hardware hacking, and he loves releasing easy-to-replicate projects using cheap computing platforms such as Arduino and Raspberry Pi.

Twitter: @hevnsnt

Back to top

[ MI CASA-SU CASA ] My 192.168.1.1 is Your 192.168.1.1

Sunday at 13:00 in Track 1
45 minutes | Demo, Tool

Elliott Thompson Senior Security Consultant, SureCloud Ltd

Your browser thinks my 192.168.1.1 is the same as your 192.168.1.1. Using a novel combination of redirects, Karma, JavaScript and caching we demonstrate that it’s viable to attack internal management interfaces without ever connecting to your network. Using the MICASA-SUCASA tool it’s possible to automate the exploitation of hundreds of interfaces at once. This presentation will introduce the attack vector and demonstration, but also the public release of the MICASA-SUCASA tool.

Elliott Thompson
The alphabet soup: OSCP, CTL/CCT-APP. Senior pentester and researcher for the last 3 years, with hundreds of successful engagements behind me. Passionate about security and involved in various article pieces for infosec magazines, the BBC and the UK consumer watchdog Which?. Last year I discovered and disclosed an exploit on some Android tablets that allowed RCE through the tag. [ CVE-2018-16618 ]

Back to top

Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs

Friday at 12:00 in Track 3
45 minutes | Demo, Exploit

Orange Tsai
Principal Security Researcher from DEVCORE
Member of HITCON(Hacks in Taiwan Conference)
Member of CHROOT Security Group
Captain of HITCON CTF team

Meh Chang Security Researcher from DEVCORE Member of HITCON CTF team

SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way into the intranet. However, we found pre-auth RCEs on multiple leading SSL VPNs, used by nearly half of the Fortune 500 companies and many government organizations. To make things worse, a “magic” backdoor was found that allows changing any user’s password with no credentials required! To show how bad things can go, we will demonstrate gaining a root shell from the only exposed HTTPS port, covertly weaponizing the server against its owner, and abusing a hidden feature to take over all VPN clients!

In such complicated closed-source systems, gaining a root shell from outside the box certainly ain’t easy. It takes advanced web and binary exploitation techniques to struggle for a way to a root shell, which involves abusing defects in web architectures, hard-core Apache jemalloc exploitation and more. We will cover every detail of all the dirty tricks, crazy bug chains, and the built-in backdoor. After gaining a root shell on the box, we then elaborate on post-exploitation and how we hack back the clients. In addition, we will share the attack vectors against SSL VPNs to kick-start research on similar targets. On the other hand, from our previous experience, we derive general hardening actions that mitigate not only all the above attacks but any other potential 0days.

In summary, we disclose practical attacks capable of compromising millions of targets, including tech giants and many industry leaders. These techniques and methodologies are published in the hope that they can inspire more security researchers to think out of the box, and that enterprises can apply immediate mitigation and realize that an SSL VPN is not merely a Virtual Private Network, but also a “Vulnerable Point of your Network”.

Orange Tsai
Cheng-Da Tsai, also known as Orange Tsai, is the principal security researcher at DEVCORE and a member of the CHROOT security group from Taiwan. He has spoken at conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB, Hack.lu and CODE BLUE. He participates in numerous Capture-the-Flag (CTF) competitions, and is also the team captain of HITCON, which won 2nd place at DEF CON 22/25. Currently, he is focusing on application security and 0day research. Orange enjoys finding vulnerabilities and participating in Bug Bounty Programs. He is enthusiastic about Remote Code Execution (RCE), and has uncovered RCEs at several vendors, such as Facebook, Uber, Apple, GitHub, Amazon, Yahoo, Netflix and Imgur.

Twitter: @orange_8361
Website: http://blog.orange.tw/

Meh Chang
Tingyi Chang, also known as Meh Chang, is a security researcher at DEVCORE. She focuses on binary program analysis and exploitation. She is a member of HITCON and 217 CTF team and has won the second place of DEF CON 25.

Twitter: @mehqq_

Back to top

Tag-side attacks against NFC

Saturday at 13:00 in Track 3
45 minutes | Demo, Tool

Christopher Wade

This talk covers tag-side attacks against NFC communication protocols, including cracking of Mifare encryption keys and performing targeted attacks against NFC readers. In addition, it will cover the design and creation of devices capable of emulating NFC tags down to the raw protocol using standard components and tools, with no abstraction to dedicated hardware, covering and expanding on the capabilities of available products. This talk will cover how 13.56 MHz NFC works at a raw level, how tools can be built for analysing it, how the protocol can be implemented in full on standard microcontrollers, and the security weaknesses present in its design.

Christopher Wade
Chris is a seasoned security researcher and testing consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilises as part of the hardware testing team at Pen Test Partners.

Twitter: @Iskuri1
Github: https://github.com/Iskuri

Back to top

Harnessing Weapons of Mac Destruction

Friday at 14:00 in Track 1
45 minutes | Demo, Exploit

Patrick Wardle Chief Research Officer, Digita Security

Whenever a new Mac malware specimen is uncovered, it provides a unique insight into the offensive Mac capabilities of hackers or nation-state adversaries. Better yet, such discoveries provide fully-functional capabilities that may be weaponized for our own surreptitious purposes! I mean, life is short, why write your own?

We'll begin this talk by discussing the methodology of subverting existing malware for "personal use", highlighting both the challenges and benefits of such an approach.

Next, we'll walk-thru the weaponization of various Mac malware specimens, including an interactive backdoor, a file-exfiltration implant, ransomware, and yes, even adware. Customizations include various runtime binary modifications that will coerce such malware to accept tasking from our own C&C servers, and/or automatically perform actions on our behalf.

Of course, in their pristine state, such samples are currently detected by AV products. As such we'll also walk through subtle modifications that will ensure our modified tools remain undetected by traditional detection approaches.

In conclusion, we'll highlight novel heuristic methods that can generically detect such threats to ensure Mac users remain protected even from such weaponized threats.

Patrick Wardle
Patrick Wardle is the Chief Research Officer at Digita Security and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.

http://twitch.com/patrickwardle

Back to top

Please Inject Me, a x64 Code Injection

Friday at 16:00 in Track 1
20 minutes | Demo

Alon Weinberg Security Researcher, Deep Instinct

Malware authors are always looking for new ways to achieve code injection, thereby allowing them to run their code in remote processes. Code Injection allows hackers to better hide their presence, gain persistence and leverage other processes’ data and privileges.

Finding and implementing new, stable methods for code injection is becoming more and more challenging as traditional techniques are now widely detected by various security solutions or limited by native OS protections.

Inject-Me is a new method to inject code into a remote process on x64. Inject-Me is in fact “injection-less”: the remote (target) process is manipulated to read data from the injecting process, then copy and execute it. The manipulation is mainly based on abusing ReadProcessMemory and calling conventions on x64. In addition to presenting Inject-Me, the talk will cover a generalized approach to copying data into remote processes to recreate shellcode from the injecting process.

Alon Weinberg
Alon Weinberg is a security researcher at Deep Instinct. Prior to joining Deep Instinct two years ago, Alon served in the IDF for 4.5 years in an elite cyber unit as a security researcher.

As part of his role in Deep Instinct, Alon is in charge of finding new ways to enhance and develop protection and defense mechanisms. Alon leverages his experience in offensive operations, OS internals and programming to explore attack surfaces in Windows and macOS, analyze malware and research attack vectors and evasion techniques. Alon is a CrossFit junkie and enjoys riding his motorcycle whenever his training routine allows it.

LinkedIn: https://www.linkedin.com/in/alon-weinberg-2a7742142/

Back to top

Phreaking Elevators

Friday at 12:00 in Track 2
45 minutes | Demo

WillC

This is a comprehensive dive into current emergency phones, with an in-depth look at the phones used in elevators. This talk will provide unique insight into a topic that hasn't been covered before: elevator phones. During this talk, I will discuss the commonality between elevator phone brands. I will cover a new, never before released set of default passwords these systems use. I will show a tool kit and how to use it to access elevator phones locally, as well as remotely. In addition, I will show how to reprogram a phone, how to make the elevator state its location, and how to alert the passenger that help is on the way. Finally, I will demonstrate some attacks, including how you can use elevator phones as listening devices to silently listen to conversations of people inside an elevator. I’m WillC, your elevator operator, let's go for a ride!

WillC
Will has grown up with a passion for making things. He has done a number of high voltage projects and has recently taken an interest in information security, competing in a number of different CTFs across the country. Will also helps run the Car Hacking Village. He works on bringing the infosec and maker communities to Macchina.

Twitter: @Willcaruana

Back to top

Sound Effects: Exploring Acoustic Cyber-weapons

Sunday at 13:00 in Track 2
45 minutes | Tool

Matt Wixey Cyber Security Research Lead, PwC UK

While recent research has explored the capability of attacks to cause harm by targeting devices – e.g., SCADA systems, vehicles, medical implant devices - little consideration has been given to the concept of attacks affecting psychological and physiological health by targeting humans themselves.

In a first-of-its-kind study, we assessed the capability of several consumer devices to produce sound at high and low frequencies which may be imperceptible to many people, as a result of remote and local attacks, and compared the resulting sound levels to maximum recommended levels. In doing so, we tested their viability as localised acoustic weapons which could cause temporary/permanent hearing damage and/or adverse psychological effects. We examined a number of countermeasures, including a tool to detect specified frequencies above specified thresholds.

In this talk, I will cover the background of malware which has, intentionally or not, caused physical or psychological harm. I will explore previous research on the harmful effects of sound, focusing particularly on high and low frequencies, and some of the guidance which has been proposed to limit exposure to such sound. I will examine the use of imperceptible sound as applied to security research (covert channels, ultrasonic tracking beacons, etc), and will present our experiments and findings, including threat models, methodology, the attacks we developed, and the implications of our results. Finally, I will suggest a number of countermeasures and outline some possible areas for future research.
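The frequency-threshold detector mentioned above, written as an added example that is not the tool from the talk: it evaluates a single DFT bin with the Goertzel recurrence, so it needs only the Python standard library, and reports which of a list of target frequencies exceed a power threshold. The 48 kHz sample rate, the 20 kHz and 20 Hz targets, the threshold and the synthesized test signal are constructed assumptions; read_wav_mono is a convenience for running the same scan on a real recording.

```python
"""Threshold detector for chosen frequencies in PCM audio (Goertzel).

Added example, not the tool from the talk. Sample rate, target frequencies,
thresholds and the test signal are constructed assumptions.
"""
import math
import struct
import wave


def goertzel_power(samples, sample_rate, target_hz):
    """Normalised power of target_hz in samples.

    Uses the Goertzel recurrence to evaluate one DFT bin, so it runs on a
    plain list of floats with no numpy. Normalised so that a full-scale sine
    (amplitude 1.0) sitting exactly on the bin returns ~1.0. The bin width is
    sample_rate / len(samples) Hz; a target between bins leaks into
    neighbouring bins and reads low.
    """
    n = len(samples)
    k = round(n * target_hz / sample_rate)  # nearest DFT bin
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    magnitude_sq = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return magnitude_sq / (n / 2.0) ** 2


def scan(samples, sample_rate, targets_hz, threshold):
    """Return {hz: power} for every target whose power reaches threshold."""
    hits = {}
    for hz in targets_hz:
        p = goertzel_power(samples, sample_rate, hz)
        if p >= threshold:
            hits[hz] = p
    return hits


def synth(sample_rate, seconds, tones):
    """Constructed test signal: sum of (hz, amplitude) sines as floats."""
    n = int(sample_rate * seconds)
    return [
        sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones)
        for i in range(n)
    ]


def read_wav_mono(path):
    """Read 16-bit PCM WAV into floats in [-1, 1] (first channel only).

    Returns (samples, sample_rate) so the result feeds scan() directly.
    """
    with wave.open(path, "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("expects 16-bit PCM")
        channels = w.getnchannels()
        raw = w.readframes(w.getnframes())
        ints = struct.unpack("<%dh" % (len(raw) // 2), raw)
        return [v / 32768.0 for v in ints[::channels]], w.getframerate()


if __name__ == "__main__":
    rate = 48000
    # Constructed: a 20 kHz tone (inaudible to most adults) hidden under an
    # audible 1 kHz tone, 0.1 s long, so the bin width is 10 Hz.
    sig = synth(rate, 0.1, [(20000, 0.8), (1000, 0.5)])
    print(scan(sig, rate, [20, 17000, 20000], threshold=0.1))
```

The normalised power is relative to digital full scale, not to sound pressure level: turning a hit into a dB SPL figure to compare against exposure guidance needs a calibration measurement of the specific speaker and microphone, which is outside what this snippet does. Window length matters too; 0.1 s at 48 kHz gives 10 Hz bins, which is fine for a 20 kHz target but coarse for infrasound near 20 Hz, so lengthen the window before scanning the low end.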

Matt Wixey
Matt is a PhD candidate at the Dawes Centre for Future Crimes, University College London, and leads technical research for the PwC Cyber Security practice in the UK. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

Twitter: @darkartlab

Back to top

Can You Track Me Now? Why The Phone Companies Are Such A Privacy Disaster

Friday at 16:30 in Track 2
20 minutes

U.S. Senator Ron Wyden U.S. Senator from Oregon. Senate Finance Ranking Member

Amidst the current public outcry about privacy abuses by corporate America, one sector has received far less scrutiny than it deserves: phone companies. America’s phone companies have a hideous track record on privacy. During the past two decades, these descendants of “Ma Bell” have been caught, repeatedly, selling (or giving away) their customers’ sensitive data to the government, bounty hunters, private investigators, data brokers, and stalkers.

The DEFCON community is familiar with the phone companies’ role in the Bush-era “warrantless wiretapping” program and the NSA’s surveillance of telephone metadata, revealed by Edward Snowden. Far fewer people know that the carriers were also willing participants in a massive Drug Enforcement Administration (DEA) spying program, which the government quietly shut down after two decades in 2013.

Even less well-understood is how these corporations reap profits by selling our information to the private sector. As just one example, the carriers for years used shady middlemen to provide nearly unlimited access to Americans’ location data to anyone with a credit card.

Join Oregon Senator Ron Wyden to learn why the phone companies have gotten one free pass after another, and what he’s doing to hold them accountable.

U.S. Senator Ron Wyden
Sen. Ron Wyden is the foremost defender of Americans’ civil liberties in the U.S. Senate, and a tireless advocate for smart tech policies. Years before Edward Snowden blew the whistle on the dragnet surveillance of Americans, Wyden warned that the Patriot Act was being used in ways that would leave Americans shocked and angry, and his questioning of NSA Director James Clapper in 2013 served as a turning point in the secret surveillance of Americans’ communications.

Since then, Wyden has fought to protect Americans’ privacy and security against unwanted intrusion from the government, criminals and foreign hackers alike. He has opposed the government’s efforts to undermine strong encryption, proposed legislation to hold companies accountable for protecting their users’ data, and authored legislation with Rand Paul to protect Americans’ Fourth Amendment rights at the border.

Wyden is a senior member of the Senate Select Committee on Intelligence and the top Democrat on the Senate Finance Committee. He lives in Portland, Oregon.

Twitter: @RonWyden
Website: https://www.wyden.senate.gov/meet-ron


All the 4G modules Could be Hacked

Friday at 11:00 in Track 3
45 minutes | Exploit

XiaoHuiHui Senior Security Researcher, Baidu

Ye Zhang Security Researcher, Baidu

ZhengHuang Leader of Baidu Security Lab X-Team, Baidu

Nowadays more and more 4G modules are built into IoT devices around the world, such as vending machines, car entertainment systems, laptops, advertising screens, urban cameras, etc. Yet no comprehensive security research on 4G modules has been conducted. We carried out this initiative and tested all the major-brand 4G modules on the market (more than 15 different types). The results show that all of them have similar vulnerabilities, including remote access with weak passwords, command injection in AT command and listening services, OTA upgrade spoofing, command injection by SMS, and web vulnerabilities. Through these vulnerabilities we were able to get a shell on these devices. In addition to exploiting these vulnerabilities over Wi-Fi, we created a new way to attack through a fake base station system, triggered by accessing the intranet of the cellular network, and successfully achieved remote command execution without any prerequisites. In this talk, we will first give an overview of the hardware structure of these modules. Then we will present the specific methods we used to probe for vulnerabilities. In the final section we will demonstrate how these vulnerabilities can be used to attack car entertainment systems of various brands and gain remote control of cars.

XiaoHuiHui
Shupeng (xiaohuihui) is a member of Baidu Security Lab. He is an expert on IoT security, AI security, penetration testing, etc. He has been invited to speak at multiple security conferences, and successfully pwned IoT equipment at XPwn 2016/2017/2018 and GeekPwn May/October 2017, the biggest pwn competitions in China.

Twitter: @xi4ohuihui

Ye Zhang
Ye Zhang is a security researcher at Baidu Security Lab X-Team. He is skilled at reverse engineering and malware analysis, and now focuses on finding IoT vulnerabilities.

ZhengHuang
Zheng Huang is the head of Baidu Security Lab X-Team. He is a prolific finder of vulnerabilities in the browser security area, having reported many vulnerabilities in Microsoft browsers, Chrome, and Safari. Previously, he mainly focused on malicious URL detection and defense against APT attacks; he is now responsible for research on autonomous driving security.


Exploiting Windows Exploit Mitigation for ROP Exploits

Thursday at 10:00 in DC101, Paris Theatre
45 minutes | Demo

Omer Yair Endpoint Team Lead at Symantec

“A concept is a brick. It can be used to build a courthouse of reason. Or it can be thrown through the window.” ― Gilles Deleuze

Ever since Smashing the Stack For Fun And Profit was published by Aleph One almost a quarter century ago, the security world has completely changed the way it defends against exploitation. Stack canaries, DEP, ASLR, CFI and various other mitigation techniques were developed to address various exploit techniques. Yet ROP remains a prominent practice employed by many exploits even today.

ROP is the most common exploitation method attackers use to turn memory bugs in a target process into malicious executable code. “Next Gen” endpoint security products try to address ROP and other exploitation methods. Windows embraces many mitigation techniques as well. However, mitigation features such as CFG can in fact be leveraged to increase ROP’s attack surface and even allow it to bypass exploit protections!

If you are intrigued by ROP and want to learn about the methods in Windows that protect against ROP and how to bypass them, this talk is for you! On top of that, a novel method of bypassing the ROP mitigations of most products will also be revealed.

Omer Yair
Omer is Endpoint team lead at Symantec (formerly Javelin Networks). His team focuses on methods to covertly manipulate OS internals. Before Symantec he was a malware researcher at IBM Trusteer for two years, focusing on financial malware families. In the past he worked at Algotec for six years developing medical imaging software and at the IDF's technology unit for three years as dev team lead. Omer has lectured at DerbyCon 8, Virus Bulletin and Zero Nights conferences. In his free time he revives historical photographic processes.

Twitter: @yair_omer


Your Secret Files Are Mine: Bug Finding And Exploit Techniques On File Transfer App Of All Top Android Vendors

Sunday at 10:00 in Track 4
45 minutes | Demo, Tool, Exploit

Xiangqian Zhang

Huiming Liu

Nearby sharing apps are very convenient and fast when you want to transfer files and have been pre-installed on billions of devices. However, we found that most of them will also open a door for attackers to steal your files and even more.

First, we conducted comprehensive research on all top mobile vendors' pre-installed nearby sharing apps by reverse engineering them. Many serious vulnerabilities were found in most of them and reported to the vendors. Algorithm and design flaws in these apps can lead to file leaking and tampering, privacy leaks, arbitrary file downloads and even remote code execution. We will present the details of all the related vulnerabilities and exploit techniques. Next, we conducted the same research on many third-party file sharing apps and found that they are even worse in terms of security and are used by a surprisingly large number of users, more than 1 billion. Files transferred between them are nearly naked when our MITM attack devices are nearby. Finally, we will summarize all the attack vectors and two common attack models. We will also present the attack demos and related tools.

In addition, we will present our practical mitigations. Currently, we are working with most of the top vendors to mitigate these vulnerabilities. Through this talk, we want to urge users and mobile vendors to pay more attention to this serious situation and to fix it better and sooner.

Xiangqian Zhang
Xiangqian Zhang is a security researcher at Tencent Security Xuanwu Lab and his research focuses on Mobile Security and IOT Security. Xiangqian found multiple Android kernel and system security vulnerabilities.

Twitter: @h3rb0x

Huiming Liu
Huiming Liu is a security researcher at Tencent Security Xuanwu Lab and his research focuses on Mobile Security and IOT Security. Huiming has spoken at several security conferences including CanSecWest and BlackHat Asia.

Twitter: @liuhm09


Web2Own: Attacking Desktop Apps From Web Security's Perspective

Thursday at 14:00 in DC101, Paris Theatre
45 minutes

Junyu Zhou Security Researcher in Tencent Security Xuanwu Lab

Ce Qin Security Researcher in Tencent Security Xuanwu Lab

Jianing Wang Security Researcher in Tencent Security Xuanwu Lab

People are always talking about binary vulnerabilities when attacking desktop applications. Memory corruptions are always costly to find. Meanwhile, mitigations introduced by operating systems make them harder to exploit. More and more applications are using hybrid technologies, so we can try web security tricks to pwn them reliably with less effort.

Our presentation will summarize attack surfaces and methods to find security issues in desktop applications. In particular, we will explicate some real-world cases, such as chaining multiple vulnerabilities (information leaking, CSP bypass, an open debugging port) to achieve RCE in a specialized IDE, sensitive file leaking in famous editors, abuse of privileged APIs in many IM applications, and so on. During our research, we found that some issues actually reside in popular libraries. These flaws may affect more applications than we will demonstrate in this talk.

Web security knowledge is usually unfamiliar to desktop application developers. Attacking desktop apps using web security tricks is a non-competitive "blue ocean". Our presentation will focus on many design misconceptions and implementation mistakes in desktop applications. By sharing these representative lessons, we hope to help desktop application developers improve the security of their products.

Junyu Zhou
Junyu Zhou, Security Researcher in Tencent Security Xuanwu Lab, CTF player from 0ops/A*0*E, is focusing on vulnerability research and web application security. Speaker of HITB2018Dubai and ZeroNights2018.

Ce Qin
Ce Qin, Security Researcher in Tencent Security Xuanwu Lab for 3 years, focuses on software security, mainly on browser and desktop software.

Jianing Wang
Jianing Wang, Security Researcher in Tencent Security Xuanwu Lab, member of Syclover, is focusing on vulnerability research and web application security.


Backup Speaker Presentation(s)
"First-try" DNS Cache Poisoning with IPv4 and IPv6 Fragmentation
45 minutes | Demo, Exploit

Travis (Travco) Palmer Security Research Engineer, Cisco

Brian Somers Site Reliability Engineer

DNS fragmentation attacks are a more recent series of attacks that take advantage of the consistent composition of fragmented DNS responses by sending a crafted (malicious) second fragment to be reassembled with a legitimate first fragment at the IP layer. Even if DNSSEC is fully implemented, an attacker can still poison unsigned "glue" records.

These types of attacks are difficult, and have really only been considered remotely feasible over IPv4. Most nameservers use "per-destination" IP-layer ID (IPID) counters, and the IPID in the IPv6 Fragment Extension Header cannot be easily guessed blindly, as the number of bits in the field has been comparatively doubled to 32 bits (making blind-guessing even in ideal conditions take an average 34 million iterations).

Unfortunately, as part of optimizations made to Linux, the IPID counter is no longer truly "per-destination", and the IPID for a given destination can be inferred consistently enough to facilitate an attack. This allows DNS poisoning on IPv4 and IPv6 with equal consistency and precision, and makes poisoning on the first attempt "thousands" of times easier.

This talk will cover how this attack is carried out, how consistent it really can be, and mitigations that can be put in place by operators of both DNS nameservers and resolvers to limit its effectiveness.

Travis (Travco) Palmer
Travis (Travco) Palmer is a Security Research Engineer at Cisco. Travis is a certified OSCP and OSCE who has been getting paid to either fix or break something for over seven years. He is a fan (and sometimes-contributor) of a number of simulator/sandbox video games, and keeper of too many unfinished hardware projects.

LinkedIn: https://www.linkedin.com/in/travco1

Brian Somers
Brian Somers is a Site Reliability Engineer for Cisco Umbrella (formerly OpenDNS). He specializes in large scale development on Unix-like platforms, software design & architecture, low level C development, and FreeBSD development.
