PODCAST · technology
DEF CON 24 [Audio] Speeches from the Hacker Convention
by DEF CON
The DEF CON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown to be a world-known event. Video, audio and supporting materials from past conferences are available on our new media server at: https://media.defcon.org
-
104
L0sT & The Dark Tangent - DEF CON Welcome and Badge Talk
Welcome to DEF CON 24, an introduction to the conference. Badge Talk by L0st.
-
103
The Dark Tangent - DEF CON 24 Closing Ceremonies
The DEF CON 24 Closing Ceremonies featuring The Dark Tangent, Lost, and many more.
-
102
3AlarmLampScooter - DIY Nukeproofing: A New Dig at 'Datamining'
Materials available here: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-3alarmlampscoot-DIY-Nukeproofing.pdf
DIY Nukeproofing: A New Dig at 'Datamining'
3AlarmLampScooter, Hacker
Does the thought of nuclear war wiping out your data keep you up at night? Don't trust third-party data centers? A few grand burning a hole in your pocket and looking for a new Sunday project to keep you occupied through the fall? If you answered yes to at least two out of three of these questions, then 3AlarmLampScooter's talk on extreme pervasive communications is for you! You'll learn everything from calculating radiation half-value layers to approximating the soil stability involved in excavating your personal apocalypse-proof underground data fortress.
3AlarmLampScooter is an enigmatic armored mammal of the genus homo sapiens sapiens sapiens troglodyte found in caves and tunnels across the southeastern United States. As moderator of the subreddit /r/Neutron, 3AlarmLampScooter's enunciation espouses pervasive communication via excavation to protect from radiation and conflagration. When above ground, 3AlarmLampScooter is a vocal transhumanism advocate developing 3D printed construction materials. Reddit: /u/3AlarmLampScooter
-
101
Aaron Luo - Drones Hijacking - multi-dimensional attack vectors and countermeasures
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Aaron-Luo-Drones-Hijacking-Multi-Dimensional-Attack-Vectors-And-Countermeasures-UPDATED.pdf
Drones Hijacking - multi-dimensional attack vectors and countermeasures
Aaron Luo, Security Expert, Trend Micro
Drone-related applications have sprung up in recent years, and drone security has also become a hot topic in the security industry. This talk will introduce some general security issues of drones, including vulnerabilities in the radio signals, WiFi, chipset, FPV system, GPS, app, and SDK. The most famous and popular drone product will be used to demonstrate the security vulnerabilities of each aspect, along with recommended countermeasures. The talk will also demo how to take control of the drone through these vulnerabilities. The topic of hacking by faking GPS signals has been presented before at Black Hat and DEF CON; this talk extends it to drone security. We will demo the real-time hijacking program that we created for various drones; this program can take full control of the drone's maneuvers from simple keyboard input. In addition, we will also introduce how to detect fake GPS signals. An open source tool supporting u-blox GPS modules and SDR to detect fake GPS signals will be shared and published on GitHub.
Aaron Luo is a cyber threat expert from the Trend Micro Core Technology Group. Prior to joining Trend Micro, Aaron worked as a security consultant in a government cybercrime investigation department, focusing on malware analysis, network forensics and protocol analysis. He started his security research in 2005 and is active in the information security communities in Taiwan. He was the founder of the PHATE hacker group and a core member of ZUSO Security. Now he is a member of the CHROOT/HITCON security research group and is interested in reverse engineering, developing security attack/defense tools (such as firewalls, HIPS systems, protocol analysis, RATs, shellcode, vulnerability scanners), network forensics, RF, IoT, and penetration testing. Aaron has had several research papers published at HITCON and SYSCAN360, such as "The Concept of Game Hacking & Bypassing Game Protection (Hackshield)" at HITCON (Hacks in Taiwan Conference) 2009, when he was just eighteen years old. To this day, he is still the youngest speaker ever at HITCON, and "Smashing iOS Apps For Fun And Profit" was also published at the 1st SYSCAN360 (2012).
-
100
Adam Donenfeld - Stumping the Mobile Chipset
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Adam-Donenfeld-Stumping-The-Mobile-Chipset-UPDATED.pdf
https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Adam-Donenfeld-Stumping-The-Mobile-Chipset-WP-UPDATED.pdf
Stumping the Mobile Chipset
Adam Donenfeld, Senior Security Researcher, Check Point
Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape. However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80% of the chipsets in the Android ecosystem, has almost as much effect on Android's security as Google. With this in mind, we decided to examine Qualcomm's code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple different subsystems introduced by Qualcomm to all its Android devices. In this presentation we will review not only the privilege escalation vulnerabilities we found, but also demonstrate and present a detailed exploitation, overcoming all the existing mitigations in Android's Linux kernel to run kernel code, elevating privileges and thus gaining root privileges and completely bypassing SELinux.
Adam Donenfeld is a lead mobile security researcher at Check Point with vast experience in the mobile research field. From a young age he has been hacking and reverse engineering for fun and profit. Prior to Check Point, Adam served in an Israeli elite intelligence unit as a security researcher. In his free time, Adam studies German.
-
99
Alex Chapman & Paul Stone - Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Chapman-Stone-Toxic-Proxies-Bypassing-HTTPS-and-VPNs-UPDATED.pdf
Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity
Alex Chapman, Principal Researcher, Context Information Security
Paul Stone, Principal Researcher, Context Information Security
Rogue access points provide attackers with powerful capabilities, but in 2016 modern privacy protections such as HTTPS Everywhere, free TLS certificates and HSTS are de facto standards. Surely our encrypted traffic is now safe on the local coffee shop network? If not, my VPN will definitely protect me... right? In this talk we'll reveal how recent improvements in online security and privacy can be undermined by decades-old design flaws in obscure specifications. These design weaknesses can be exploited to intercept HTTPS URLs and proxy VPN-tunneled traffic. We will demonstrate how a rogue access point or local network attacker can use these new techniques to bypass encryption, monitor your search history and take over your online accounts. No logos, no acronyms; this is not a theoretical crypto attack. We will show our techniques working on $30 hardware in under a minute. Online identity? Compromised. OAuth? Forget about it. Cloud file storage? Now we're talking.
Alex Chapman is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability discovery, exploit development, bespoke protocol analysis and reverse engineering. He has been credited in security advisories for a number of major software products from vendors such as Citrix, Google, Mozilla and VMware, and has presented his research at security conferences around the world. He has spent the past several months making things (for a change), poking holes in old technologies, and pointing out security flaws which have no place in modern-day software. Twitter: @noxrnet
Paul Stone is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability research, reverse engineering, and tool development. He has a focus on browser security and has reported a number of vulnerabilities in the major web browsers, including Chrome, Internet Explorer, Firefox, and Safari. He has spoken at a number of Black Hat conferences, presenting the well-received 'Pixel-Perfect Timing Attacks' and 'Next Generation Clickjacking' talks. Paul's recent obsession has been Bluetooth LE, and he has helped create the RaMBLE Android app for collecting and analyzing BLE data. Twitter: @pdjstone
-
98
Allan Cecil - Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Allan-Cecil-dwangoAC-Tasbot-The-Perfectionist-UPDATED.pdf
Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers
Allan Cecil (dwangoAC), President, North Bay Linux User's Group
TASBot is an augmented Nintendo R.O.B. robot that can play video games without any of the button-mashing limitations we humans have. By pretending to be a controller connected to a game console, TASBot triggers glitches and exploits weaknesses to execute arbitrary opcodes and rewrite games. This talk will cover how these exploits were found and will explore the idea that breaking video games using tool-assisted emulators can be a fun way to learn the basics of discovering security vulnerabilities. After a brief overview of video game emulators and the tools they offer, I'll show a live demo of how the high accuracy of these emulators makes it possible to create a frame-by-frame sequence of button presses accurate enough to produce the same results even on real hardware. After demonstrating beating a game quickly, I'll show how the same tools can be used to find exploitable weaknesses in a game's code that can be used to trigger arbitrary code execution, ultimately treating the combination of buttons being pressed as opcodes. Using this ability, I'll execute a payload that will connect a console directly to the internet and will allow the audience to interact with it. An overview of some of the details that will be described in the talk can be found in an article I coauthored for the PoC||GTFO journal (Pokemon Plays Twitch, page 6).
Allan Cecil (dwangoAC) is the President of the North Bay Linux User's Group. He acts as an ambassador for TASVideos.org, a website devoted to using emulators to complete video games as quickly as the hardware allows. He participates in Games Done Quick charity speedrunning marathons, using TASBot to entertain viewers with never-before-seen glitches in games. By day, he is a senior engineer at Ciena Corporation working on OpenStack Network Functions Virtualization orchestration and Linux packet performance optimization testing. Twitter: @MrTASBot Twitch.TV: dwangoac YouTube: dwangoac
-
97
Amro Abdelgawad - The Remote Metamorphic Engine: Detecting, Evading, Attacking the AI and Reverse Engineering
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Amro-Abdelgawad-The-Remote-Metamorphic-Engine-UPDATED.pdf
https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Amro-Abdelgawad-Extras
The Remote Metamorphic Engine: Detecting, Evading, Attacking the AI and Reverse Engineering
Amro Abdelgawad, Founder, Immuneye
As a matter of fact, it is all about time: given enough of it, even the most complex piece of code can be reverse engineered. Code complexity techniques are usually used just to increase the time and effort needed for reverse engineering. The desired effect of code complexity can be magnified using mechanisms that decrease and narrow the allowed time frame for any reverse engineering attempt to a few milliseconds. Such an approach can be applied using a metamorphic engine that is aware of the time dimension. Beyond metamorphic applications for AV evasion, in this talk we will present a novel approach to resist and evade reverse engineering using a remote metamorphic engine that generates diversified morphed machine code with a very short expiration lifetime. Our approach is based on a client-server model using a challenge-response communication protocol made of morphed machine code rather than data. We will show how any reverse engineering attempt on such a model will be forced to execute or emulate the morphed code. Thus the code will always have the upper hand to detect, evade and attack the reverse engineering environment. Our approach is immune to static code analysis, as the functionalities and the communication protocol used are dynamically diversified remotely and do not exist in packed executable files. On the other hand, clock-synchronized morphed machine code driven by a remote metamorphic engine would trap dynamic RE attempts in the maze of metamorphism, one that is immune to code tampering and reversing by detecting the non-self. We will present the fundamental difference between metamorphic and polymorphic techniques used to evade AV compared to the ones that can be used to resist RE. We will show how remote diversified metamorphic self-modifying code with a very short expiration lifetime can detect, evade, and resist any code analysis, reverse engineering, machine learning and tampering attempts.
Amro Abdelgawad is a security researcher and the founder of Immuneye. He has more than 15 years of experience in software security and reverse engineering. He has experienced both sides of software security: the offensive side in vulnerability research, penetration testing, reverse engineering and exploit development, and the defensive side as a chief security officer for software companies running wide infrastructures. Amro is currently working as a security researcher, where his main interests are analyzing malware, vulnerability research and developing artificial software immunity.
-
96
Anch - So You Think You Want To Be a Penetration Tester
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Anch-So-you-want-to-be-a-pentester-DC101.pdf
So You Think You Want To Be a Penetration Tester
Anch, Hacker
So, you think you want to be a penetration tester, or you already are one and don't understand the difference between you and all the other "so called" penetration testers out there? Think you know the difference between a Red Team, a Penetration Test and a Vulnerability Assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your teammates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? Well, this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process, talk about planning and performing Red Teams, how they are different, and why they can be super effective, and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between, give you the answers to all the questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
Anch currently works on a Red Team for an agency with a three-letter acronym. It's not secret squirrel or hush hush; he just doesn't like to talk about himself very much. He has 15 years of experience in penetration testing and cyber security, with a background in control systems and security architecture. Twitter: @boneheadsanon
-
95
Andy Robbins (@_wald0), Rohan Vazarkar (@cptjesus), Will Schroeder (@harmj0y) - Six Degrees of Domain Admin - Using Graph Theory to Accelerate Red Team Operations
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin-UPDATED.pdf
Six Degrees of Domain Admin - Using Graph Theory to Accelerate Red Team Operations
Andy Robbins (@_wald0), Offensive Network Services Team Lead, Veris Group
Rohan Vazarkar (@cptjesus), Penetration Tester, Veris Group
Will Schroeder (@harmj0y), Researcher, Veris Group
Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process: gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then, and only then, can we look back and see the path we took in its entirety. But that may not be the only, nor the shortest, path we could have taken. By combining our concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains. Bob is an admin on Steve's system, and Steve is an admin on Mary's system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary's system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data. The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. All possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.
Andy Robbins is the Offensive Network Services lead for Veris Group's Adaptive Threat Division. He has performed penetration tests and red team assessments for a number of Fortune 500 commercial clients and major U.S. Government agencies. In addition, Andy researched and presented findings at DerbyCon related to a business logic flaw in certain processes around handling ACH files, affecting thousands of banking institutions around the country. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the 'Adaptive Red Team Tactics' course at Black Hat USA. Twitter: @_wald0
Rohan Vazarkar is a penetration tester and red teamer for Veris Group's Adaptive Threat Division, where he helps assess Fortune 500 companies and a variety of government agencies. Rohan has a passion for offensive development and tradecraft, contributing heavily to the EyeWitness and EmPyre projects. He has presented at BSides DC, and helps to develop and teach the 'Adaptive Penetration Testing' course at Black Hat USA. Twitter: @cptjesus
Will Schroeder is a security researcher and red teamer for Veris Group's Adaptive Threat Division. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has presented at a number of security conferences on topics spanning AV evasion, post-exploitation, red team tradecraft, and offensive PowerShell. Twitter: @harmj0y
-
94
Ang Cui & Jatin Kataria - A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Ang-Cui-and-Jatin-Kataria-A-Monitor-Darkly-UPDATED.pdf
A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors
Ang Cui, PhD, CEO & Chief Scientist, Red Balloon Security
Jatin Kataria, Principal Research Scientist, Red Balloon Security
Francois Charbonneau, Research Scientist, Red Balloon Security
There are multiple x86 processors in your monitor! OSD, or on-screen-display, controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implications of this novel attack vector. We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We give a step-by-step walk-through of our hardware and software reverse analysis process for the Dell monitor. We present three demonstrations of monitor exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna. Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.
Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled "Embedded System Security: A Software-based Approach", focused exclusively on scientific inquiries concerning the exploitation and defense of embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received various awards for his work on reverse engineering commercial devices, is the recipient of the Symantec Graduate Fellowship, and was selected as a DARPA Riser in 2015.
Jatin Kataria is a Principal Research Scientist at Red Balloon Security. His research focus is on the defense and exploitation of embedded devices. Jatin earned his master's degree from Columbia University and a bachelor's degree from Delhi College of Engineering. Previously, he worked as a System Software Developer at NVIDIA and as an Associate Software Engineer at McAfee.
Francois Charbonneau is an embedded security researcher who spent the better part of his career working for the Canadian government until he got lost and wandered into New York City. He now works as a research scientist for Red Balloon Security, where he lives a happy life, trying to make the world a more secure place, one embedded device at a time.
-
93
Anthony Rose & Ben Ramsey - Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Rose-Ramsey-Picking-Bluetooth-Low-Energy-Locks-UPDATED.pdf
Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Anthony Rose, Hacker
Ben Ramsey, Hacker
Many Bluetooth Low Energy (BLE) enabled deadbolts and padlocks have hit the market recently. These devices promise convenience and security through smartphone control. We investigated sixteen of these products from multiple vendors and discovered wireless vulnerabilities in most of them. Using a $50 antenna, we successfully picked vulnerable locks from over 400 meters away. In this presentation we introduce open source tools to crack each of the vulnerable BLE locks. Furthermore, after surveying the open source Bluetooth hacking tools currently available, we find very little support for BLE. So, to make discovering and range-finding BLE devices easier, we introduce a new open source war-walking tool compatible with both Bluetooth Classic and BLE.
Anthony Rose is an electrical engineer with five years of network security experience. His prior work includes traffic and quality optimization for wireless video protocols. Currently he focuses on Bluetooth security and wireless penetration testing.
Ben Ramsey, PhD, CISSP, has over a decade of experience in network security research. His work focuses on critical infrastructure protection and low-power wireless protocols, such as ZigBee, Z-Wave, and Bluetooth Low Energy. He has published in several academic journals and has presented research at multiple conferences, including GLOBECOM, MILCOM, SenseApp, and ShmooCon.
-
92
Bigezy & saci - An Introduction to Pinworm: Man in the Middle for your Metadata
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Bigezy-Saci-Pinworm-MITM-for-Metadata.pdf
An Introduction to Pinworm: Man in the Middle for your Metadata
bigezy, Hacker
saci, Hacker
What is the root cause of memory and network traffic bloat? Our current research, using tools we previously released (Badger at Black Hat in 2014 and Kobra at BSidesLV 2015), shows a 40 percent increase in outside unique IP traffic destinations and a 400 percent increase in data transmitted towards these destinations. But through the course of the research we found that currently used IRP monitoring tools lacked the ability to produce enough information to forensically investigate the exfiltration of user metadata. Pinworm is a sniffer that shows all IRPs created in the kernel for I/O devices. The IRPs are correlated with the processes that created them and the called driver stack. Combined with network traffic data, we are off to the races. Using Pinworm, which we released this week, we will show forensic case studies from cradle to grave of what happens when you do things online on social media sites. Like all of our previously released tools, Pinworm is a framework including server-side code you can use to collect and display user metadata inline in browser frames. Does this metadata collection happen in the browser, in userland, or in the kernel? Come to our talk and find out. We will demonstrate the collection of user metadata and collecting this information in a live browser session. Then we will show you how to intercept your personal data before it leaves your computer, keeping your privacy, well, private. BYOTFH (Bring your own tin foil hat).
bigezy has spent his career defending critical infrastructure, hacking it from the inside to keep things from blowing up. Bigezy got his black badge from DEF CON in 2003. Bigezy currently works as a cyber security researcher at a place where these things are done. During the last 25 years, Bigezy has worked at Fortune 500 companies in the electric sector, financial sector, and telecom. He has spoken at numerous conferences worldwide, including BSidesLV and the DEF CON Crypto and Privacy Village last year. Bigezy is also the president of Hackito Ergo Sum in Paris, France. @bigezy_ When you are a one-legged boogeyman slash system internals hacker, every kick is a flying kick. Twitter: @bigezy
saci takes pride in his disdain for hypocrisy. We are sure you have seen him around in the usual places, and maybe you think you know who he is. But you will never quite know who he is until you come to the talk. Twitter: @itsasstime
-
91
Kai Zhong & Kenneth Lee - 411: A framework for managing security alerts
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Zhong-Lee-411-A-Framework-For-Managing-Security-Alerts-UPDATED.pdf
411: A framework for managing security alerts
Kai Zhong, Application Security Engineer, Etsy
Kenneth Lee, Senior Security Engineer, Etsy
Modern web applications generate a ton of logs. Suites like ELK (Elasticsearch, Logstash, Kibana) exist to help manage these logs, and more people are turning to them for their log analysis needs. These logs contain a treasure trove of information regarding bad actors on your site, but surfacing that information in a timely manner can be difficult. When Etsy moved over from Splunk to ELK in mid-2014, we realized that ELK lacked necessary functionality for real-time alerting. We needed a solution that would provide a robust means of querying ELK and enrich the data with additional context. We ended up creating our own framework to give us this functionality. We've named this open-source framework 411. We designed 411 as a solution for detecting and alerting on interesting anomalies and security events. The Security team at Etsy was interested in using this functionality to detect everything from XSS to potential account compromises. First, we'll start off with a discussion of what you should be logging into Elasticsearch. This is important to help you create useful, actionable alerts in 411. We'll note a number of configuration tips and tricks to help you get the most out of your ELK cluster. From there, we'll dive into 411's features and how it allows the Etsy security team to work effectively. We'll conclude with two demos of 411 in action. This presentation will show you several examples of useful searches you can build in 411 and how this data can be manipulated to generate clear, actionable alerts. We'll demonstrate the built-in workflow for responding to alerts and how 411 allows you to pull up additional context as you work on an alert. Additionally, while much of our discussion will be centered around ELK, 411 can in fact be used with a variety of data sources (several of these sources are built into 411). Whether you're a newbie looking to learn more or a security veteran with an established system, 411 will help change the way you handle security alerts.
Kai is a security engineer at Etsy. At work, he fiddles around with security features, works on 411 and responds to the occasional bug bounty report. He went to NYU-Poly and got a degree in Computer Science, with an MS in Computer Security. In his free time, he enjoys reverse engineering, CTFs, board games, starting yet another project that he'll never finish and learning all the things. Twitter: @sixhundredns
Kenneth Lee is a senior product security engineer at Etsy.com, working on everything from managing the bug bounty program to shattering the site with new vulnerabilities. Previously, Kenneth worked at FactSet Research Systems preventing The Hackers from stealing financial data. He went to Columbia and got an MS in computer science focusing on computer security. Between sweet hacks, Kenneth enjoys drinking tea and force-feeding Etsy's operations team with Japanese chocolates. Twitter: @kennysan
-
90
Zero_Chaos & Granolocks - Realtime Bluetooth Device Detection with Blue Hydra
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Granolocks-Zero-Chaos-Bluehydra-Realtime-Blutetooth-Detection-UPDATED.pdf Realtime Bluetooth Device Detection with Blue Hydra Zero_Chaos Director of Research and Development, Pwnie Express Granolocks All the Things, Pwnie Express We are releasing a new tool for discovering Bluetooth devices and automatically probing them for information. Effectively we have created a new tool with an airodump-ng-like display for nearby Bluetooth and Bluetooth Low Energy devices. We will discuss the challenges of finding Bluetooth devices, as well as how we have overcome them using both standard Bluetooth adapters and, optionally, Ubertooth hardware. If you have ever wondered why no one has released an effective tool to see all the Bluetooth in the area, then come by, learn a little, and leave with a tool you have always wanted. Blue Hydra will discover and track Bluetooth and Bluetooth Low Energy devices in the area, regardless of whether they are in discoverable mode, and tracks data (Bluetooth version, services, etc.) as well as metadata (signal strength, timestamps) over time. We will go over how Bluetooth operates at a high level, and how we were able to discover and track nearby devices. A deep understanding of the Bluetooth protocol was not needed to develop Blue Hydra (we stood on the shoulders of giants) and will not be required to use Blue Hydra or understand its output. Zero_Chaos is a well-known wireless hacker who helps run the Wireless Village at DEF CON and the Wireless Capture the Flag at numerous conventions (including DEF CON). Always quick to open his mouth when he probably shouldn't, Zero enjoys talking to people about wireless hacking and teaching anyone with an interest. Twitter: @Zero_ChaosX Granolocks is a long-time experimenter and developer at Pwnie Express. He has a broad set of interests including long walks in the woods, travel to exotic locations and hacking the planet. Known far and wide for his dry wit and backrubbing skills, his Q&A session is not to be missed. Twitter: @granolocks
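The tracking the abstract describes (per-address history of signal strength and timestamps, plus whatever the advertisement says about the device) can be illustrated without radio hardware. The following is an added example, not Blue Hydra's code: it parses the length/type/value "AD structures" of a BLE advertising payload as laid out in the Bluetooth Core Specification and keeps an airodump-style table keyed by address. The advertisements, addresses and timestamps are constructed; the discoverable-mode check shows why a passive scanner still sees a device whose flags say it is not discoverable.

```python
"""Parse BLE advertising payloads and track the advertisers over time.

Added example, not Blue Hydra's code. The AD-structure layout (length byte,
type byte, value) and the assigned type numbers follow the Bluetooth Core
Specification; the advertisements and addresses below are constructed.
"""
import struct
from dataclasses import dataclass, field

AD_FLAGS = 0x01            # Flags
AD_UUID16_COMPLETE = 0x03  # Complete list of 16-bit service UUIDs
AD_NAME_COMPLETE = 0x09    # Complete local name
AD_TX_POWER = 0x0A         # Tx power level, signed dBm
FLAG_LIMITED_DISC = 0x01
FLAG_GENERAL_DISC = 0x02


def parse_ad_structures(payload: bytes) -> dict:
    """Walk the length/type/value structures of one advertising PDU."""
    info = {}
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:            # zero-length structure terminates the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        ad_type = payload[i + 1]
        value = payload[i + 2:i + 1 + length]
        if ad_type == AD_FLAGS:
            info["flags"] = value[0]
        elif ad_type == AD_NAME_COMPLETE:
            info["name"] = value.decode("utf-8", errors="replace")
        elif ad_type == AD_UUID16_COMPLETE:
            info["uuid16"] = [hex(u) for (u,) in struct.iter_unpack("<H", value)]
        elif ad_type == AD_TX_POWER:
            info["tx_power"] = struct.unpack("<b", value[:1])[0]
        i += 1 + length
    return info


def discoverable(flags: int) -> bool:
    """The discoverable bits only govern GAP discovery procedures; a passive
    scanner receives the advertising PDU whether or not they are set."""
    return bool(flags & (FLAG_LIMITED_DISC | FLAG_GENERAL_DISC))


@dataclass
class Device:
    address: str
    first_seen: float
    last_seen: float
    rssi: list = field(default_factory=list)
    info: dict = field(default_factory=dict)


class Tracker:
    """Per-address history, the way an airodump-ng-style display keeps it."""

    def __init__(self):
        self.devices = {}

    def observe(self, ts: float, address: str, rssi: int, payload: bytes = b"") -> Device:
        dev = self.devices.get(address)
        if dev is None:
            dev = Device(address, ts, ts)
            self.devices[address] = dev
        dev.last_seen = ts
        dev.rssi.append(rssi)
        if payload:
            dev.info.update(parse_ad_structures(payload))
        return dev

    def active(self, now: float, max_age: float = 30.0) -> list:
        """Devices heard within max_age seconds. Random private addresses rotate,
        so a quiet entry is aged out rather than kept forever."""
        return [d for d in self.devices.values() if now - d.last_seen <= max_age]


# Constructed advertisement: flags, one 16-bit service UUID, a name, Tx power.
SAMPLE_ADV = bytes([
    0x02, 0x01, 0x06,                    # Flags: LE General Discoverable, BR/EDR not supported
    0x03, 0x03, 0x0F, 0x18,              # 16-bit service UUID 0x180F (Battery Service)
    0x05, 0x09, 0x74, 0x65, 0x73, 0x74,  # Complete local name "test"
    0x02, 0x0A, 0xF8,                    # Tx power -8 dBm
])
# Constructed non-discoverable advertiser: only "BR/EDR not supported" is set.
SAMPLE_QUIET_ADV = bytes([0x02, 0x01, 0x04])
```

Feeding the tracker from a real adapter means taking the address, RSSI and raw payload from each advertising report your scanning stack delivers and calling `observe` with them; everything the abstract calls metadata ends up in `Device.rssi` and the two timestamps, and the decoded data in `Device.info`.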
-
89
Mudge Zatko & Sarah Zatko - Project CITL
Project CITL Mudge Zatko Director, CITL Sarah Zatko Chief Scientist, CITL Many industries provide consumers with data about the quality, content, and cost of ownership of products, but the software industry leaves consumers with very little data to act upon. In fact, when it comes to how secure or weak a product is from a security perspective, there is no meaningful consumer-facing data. There has long been a call for the establishment of an independent organization to address this need. Last year, Mudge (of DARPA, Google, and L0pht fame) announced that after receiving a phone call from the White House he was leaving his senior position inside Google to create a non-profit organization to address this issue. This effort, known as CITL, is akin to Consumer Reports in its methodologies. While the media has dubbed it a "CyberUL", there is no focus on certifications or seals of approval, and no opaque evaluation metrics. Rather, like Consumer Reports, the goal is to evaluate software according to metrics and measurements that allow quantitative comparison and evaluation by anyone from a layperson or CFO to a security expert. How? A wide range of heuristics that attackers use to identify which targets are hard or soft against new exploitation has been codified, refined, and enhanced. Some of these techniques are quite straightforward and even broadly known, while others are esoteric tradecraft. To date, no one has applied all of these metrics uniformly across an entire software ecosystem and shared the results. For the first time, a peek at the Cyber Independent Testing Lab's metrics, methodologies, and preliminary results from assessing the software quality and inherent vulnerability in over 100,000 binary applications on Windows, Linux, and OS X will be revealed. All accomplished with binaries only. Sometimes the more secure product is actually the cheaper one, and quite often the security product is the most vulnerable. There are plenty of surprises like these that are finally revealed through quantified measurements. With this information, organizations and consumers can finally make informed purchasing decisions when it comes to the security of their products, and measurably realize more hardened environments. Insurance groups are already engaging CITL, as are organizations focused on consumer safety. Vendors will see how much better or worse their products are in comparison to their competitors. Even exploit developers have demonstrated that these results enable bug-bounty arbitrage. That recommendation you made to your family members last holiday about which web browser they should use to stay safe (or that large purchase you made for your industrial control systems)? Well, you can finally see if you chose a hard or soft target, with the data to back it up. Mudge Zatko is the Director of CITL. He has contributed significantly to disclosure and education on information and security vulnerabilities. In addition to pioneering buffer overflow work, the security work he has released contained early examples of flaws in the following areas: code injection, race conditions, side-channel attacks, exploitation of embedded systems, and cryptanalysis of commercial systems. He was the original author of the password cracking software L0phtCrack, Anti-Sniff, and L0phtWatch. In 2010 Mudge accepted a position as a program manager at DARPA where he oversaw cyber security R&D, and re-built the Agency's approach to cyber security research. In 2013 Mudge went to work for Google where he was the Deputy Director of their Advanced Technology & Projects division. Most recently, after conversations with the White House, Mudge stood up the non-profit Cyber Independent Testing Laboratory inspired by efforts such as Consumers Union. He is the recipient of the Secretary of Defense Exceptional Civilian Service Award medal, an honorary Plank Owner of the US Navy Destroyer DDG-85, was inducted into the Order of Thor, the US Army's Association of Cyber Military Professionals, recognized as a vital contributor to the creation of the US Cyber Corps (SfS PDD-63), and has received other commendations from the CIA and from the Executive Office of the President of the United States. Sarah Zatko is the Chief Scientist at CITL, a partner at L0pht Holdings, LLC, and a member of the US Army's Order of Thor. She has presented her research on the integration of security into CS curriculum at ShmooCon and HOPE. That work is also published in IEEE Security & Privacy. She holds a degree in mathematics from MIT and a Master's in computer science from Boston University.
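The abstract says the metrics are "binary only" heuristics an attacker would use to judge a hard versus a soft target. The page does not list CITL's actual metric set, so the following is an added example of my own, not CITL's code, and the four checks it makes (non-executable stack, PIE, RELRO, stack canary) are my assumption of the kind of thing such a heuristic measures. It reads only the ELF64 header and program headers as laid out in the System V ABI, and it builds two constructed images (a hardened one and a soft one) so it runs without touching the file system.

```python
"""Score an ELF64 binary for common exploit mitigations, from the bytes alone.

Added example, not CITL's metric set. The checks below are an assumed subset
of "hard vs soft target" heuristics: NX stack (PT_GNU_STACK without PF_X),
PIE (ET_DYN), RELRO (PT_GNU_RELRO present) and a stack canary (reference to
__stack_chk_fail). ELF layout per the System V ABI; images are constructed.
"""
import struct

ET_EXEC, ET_DYN = 2, 3                 # e_type: fixed-address executable / position independent
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
_EHDR = "<16sHHIQQQIHHHHHH"            # ELF64 header, little-endian (64 bytes)
_PHDR = "<IIQQQQQQ"                    # ELF64 program header (56 bytes)


def inspect_elf64(data: bytes) -> dict:
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(_EHDR, data, 0)
    nx = False        # no PT_GNU_STACK at all: the loader defaults to an executable stack
    relro = False
    for n in range(e_phnum):
        p_type, p_flags, *_ = struct.unpack_from(_PHDR, data, e_phoff + n * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True   # partial RELRO; full RELRO additionally needs DT_BIND_NOW
    return {
        "pie": e_type == ET_DYN,         # shared objects are ET_DYN too; fine for a hardening score
        "nx": nx,
        "relro": relro,
        # crude: a real tool walks .dynsym; a string search is enough to illustrate the idea
        "canary": b"__stack_chk_fail" in data,
    }


def score(features: dict) -> int:
    """Count of mitigations present, 0 (soft) to 4 (hard)."""
    return sum(1 for present in features.values() if present)


def inspect_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return inspect_elf64(fh.read())


def build_elf64(e_type: int, phdrs, extra: bytes = b"") -> bytes:
    """Construct a minimal ELF64 image (headers only) for demonstration."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # class 64, LSB, version 1
    hdr = struct.pack(_EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(_PHDR, t, f, 0, 0, 0, 0, 0, 1) for t, f in phdrs)
    return hdr + body + extra


# Constructed images: one built the way a hardened distro package would be, one not.
HARDENED = build_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)], b"\x00__stack_chk_fail\x00")
SOFT = build_elf64(ET_EXEC, [(PT_GNU_STACK, 0x7)])
```

Run `inspect_file` over a directory of binaries and you have the raw material for the kind of vendor-to-vendor comparison the talk describes; the score is deliberately a plain count so that the reader can see exactly which missing mitigation cost a point.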
-
88
Bryant Zadegan & Ryan Lester - Abusing Bleeding Edge Web Standards for AppSec Glory
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Bryant-Zadegan-Ryan-Lester-Abusing-Bleeding-Edge-Web-Standards-For-Appsec-Glory-UPDATED.pdf Abusing Bleeding Edge Web Standards for AppSec Glory Bryant Zadegan Application Security Advisor & Mentor, Mach37 Ryan Lester CEO & Chief Software Architect, Cyph Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose. In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day). 
Bryant Zadegan is an application security advisor and mentor at Mach37, a security accelerator focused on pouring substantial dollars into new security technologies. When not driving developers to embrace AppSec in continuous integration, Bryant punches holes in Amazon, Google, Reddit, etc. On days when he'd rather not touch computers, he's usually nowhere to be found near DC. Twitter: @eganist Keybase.io/bryant Ryan Lester is the CEO and chief software architect for Cyph, a web-based one-click end-to-end-encrypted communications service funded in part by Mach37, Virginia's Center for Innovative Technology, and the Goel Fund. Since departing SpaceX, Ryan has dedicated the better part of a year and a half to the vision of accessible encrypted communication. Unsurprisingly, when he isn't working on building the logic for Cyph, he's usually looking for ways to break it. Twitter: @theryanlester
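SRI is the simplest of the three standards the abstract calls risky, and it shows the trade-off in miniature: the `integrity` attribute fails closed, so a CDN that ships an updated copy of a script takes the page down with it. The following is an added example, not code from the talk or from Cyph: it generates and verifies SRI values in the format the W3C spec defines ("sha384-" plus the base64 digest), applying the spec's rule that the strongest listed algorithm decides, and builds a nonce-based CSP header alongside it. The script body is constructed.

```python
"""Generate and verify Subresource Integrity values and build a nonce-based CSP.

Added example, not from the talk. The integrity token format and the
"strongest algorithm wins" rule are from the W3C SRI specification; the
script body is constructed.
"""
import base64
import hashlib
import secrets

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """'sha384-<base64>' as it goes into the integrity attribute."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256/sha384/sha512")
    digest = hashlib.new(algo, content).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode())


def sri_verify(content: bytes, integrity: str) -> bool:
    """Mirror the browser's decision: pick the strongest algorithm present,
    then accept if any digest listed for it matches the fetched bytes."""
    by_algo = {}
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(rest.split("?")[0])   # drop option suffix
    if not by_algo:
        return False   # the spec would load the resource unchecked; this helper fails closed
    strongest = max(by_algo, key=lambda a: int(a[3:]))
    expected = sri_digest(content, strongest).partition("-")[2]
    return expected in by_algo[strongest]


def script_tag(src: str, content: bytes) -> str:
    """crossorigin is required for cross-origin SRI, otherwise the check cannot run."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, sri_digest(content))


def new_nonce() -> str:
    return base64.b64encode(secrets.token_bytes(16)).decode()


def csp_header(nonce: str, extra_script_src=()) -> str:
    """A nonce-based policy: scripts run only when tagged with this per-response nonce."""
    sources = ["'self'", "'nonce-%s'" % nonce] + list(extra_script_src)
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(sources),
        "object-src 'none'",
        "base-uri 'none'",
    ])


# Constructed resource and the tampered copy a CDN might serve after an upgrade.
SAMPLE_JS = b"console.log('hello');\n"
UPDATED_JS = b"console.log('hello v2');\n"
```

The verify function is also the right place to see the failure mode: the same tag that protects the page against a tampered or replaced script also breaks the page when the vendor legitimately updates the file, which is why the abstract speaks of trade-offs for teams supporting legacy applications.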
-
87
Luke Young - Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Luke-Young-The-4TbS-Ddos-For-5-bucks.pdf Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5 Luke Young Information Security Engineer, Hydrant Labs LLC As bandwidth, computing power, and software advancements have improved over the years, we've begun to see larger and larger DDoS attacks against organizations. Oftentimes these attacks employ techniques such as DNS amplification to take advantage of servers with very large uplinks. This talk explores a similar technique targeting commonly used throughput testing software typically running on very large uplinks. We will explore the process of attacking this software, eventually compromising it and gaining root access. Then we'll explore some of these servers in the real world, determining the size of their uplinks and calculating the total available bandwidth at our fingertips, all from a $5 VPS. We will finish up the presentation with a live demo exploiting an instance and launching a DoS. Luke Young is a security researcher from the frozen plains of Minnesota who has spent his last three summers escaping to the much warmer Bay Area as a security intern for various tech companies, most recently as part of the Uber product security team. He presented at DEF CON 23 on the topic of exploiting bitflips in memory and has investigated a variety of well-known products and network protocols, resulting in numerous CVE assignments and recognition in security Halls of Fame. He is currently attempting to balance earning his undergraduate degree with maintaining his position as one of the top 10 researchers on Bugcrowd.
-
86
Brad Woodberg - Malware Command and Control Channels: A journey into darkness
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Brad-Woodberg-Malware-Command-And-Control-Channels-A-Journey-Into-Darkness-UPDATED.pdf Malware Command and Control Channels: A journey into darkness Brad Woodberg Group Product Manager - Emerging Threats, Proofpoint, Inc. Much of the time and attention dedicated to modern network security focuses on detecting the contemporary vulnerabilities and exploits which power the breaches that make the headlines. With almost all of the emphasis placed on the endless cycle of new entry points, we are often overlooking what is perhaps one of the most profoundly interesting aspects of modern network breaches: the post-exploit communication of a compromised system to the attacker, known as command and control. Once malware has compromised an end system, the tables are turned against the attackers; we go from being on defense to being on offense. Attackers are constantly evolving their techniques and have become incredibly creative in attempting to hide their tracks, maintain control of compromised systems, and exfiltrate sensitive data. This presentation will explore how command and control channels have evolved against traditional defenses, where they are today, future predictions on their evolution, and most importantly, how you can go on the offense to protect your organization by identifying and disrupting command and control channels in your network. Brad Woodberg is a Group Product Manager at Proofpoint Inc, leading the Emerging Threats product line. Prior to his current role at Proofpoint, he spent six years at Juniper Networks as a layer 7 security product manager and product line engineer. Prior to Juniper he worked for a security consulting company in Ann Arbor, Michigan for four years delivering a variety of network security technologies and services. He is a four-time published author of network security books through O'Reilly and Syngress. He has spoken at several security conferences including DEF CON 19, CanSecWest 2011, SEMAPHOR and other regional talks. Brad is also an active mentor to up and coming security engineers who share a similar interest and passion in all things network security. Twitter: @bradmatic517
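One concrete way to "go on the offense" against a C2 channel is to look for the timing signature of an implant checking in. The following is an added example, not Proofpoint's or the speaker's code, and the fixed-interval beacon heuristic it implements is one widely used technique, not something the abstract spells out. It groups proxy log lines by source and destination, measures the gaps between successive connections, and flags pairs whose gaps are too regular to be a human; the log lines are constructed.

```python
"""Flag beacon-like periodic outbound connections in constructed proxy logs.

Added example, not from the talk. The heuristic (many connections to one
destination with low jitter between them) is a common beaconing detector;
the log format and every line below are constructed.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed proxy log: timestamp, client, destination host:port, method.
SAMPLE_LOG = """\
2016-08-05T10:00:00 10.0.0.5 203.0.113.7:443 CONNECT
2016-08-05T10:00:00 10.0.0.9 198.51.100.2:443 CONNECT
2016-08-05T10:00:07 10.0.0.9 198.51.100.2:443 CONNECT
2016-08-05T10:01:01 10.0.0.5 203.0.113.7:443 CONNECT
2016-08-05T10:02:00 10.0.0.5 203.0.113.7:443 CONNECT
2016-08-05T10:02:59 10.0.0.5 203.0.113.7:443 CONNECT
2016-08-05T10:03:22 10.0.0.9 198.51.100.2:443 CONNECT
2016-08-05T10:03:40 10.0.0.9 198.51.100.2:443 CONNECT
2016-08-05T10:04:01 10.0.0.5 203.0.113.7:443 CONNECT
2016-08-05T10:05:00 10.0.0.5 203.0.113.7:443 CONNECT
2016-08-05T10:06:00 10.0.0.5 203.0.113.7:443 CONNECT
2016-08-05T10:07:01 10.0.0.5 203.0.113.7:443 CONNECT
2016-08-05T10:11:05 10.0.0.9 198.51.100.2:443 CONNECT
2016-08-05T10:11:06 10.0.0.9 198.51.100.2:443 CONNECT
2016-08-05T10:25:30 10.0.0.9 198.51.100.2:443 CONNECT
"""


@dataclass
class Beacon:
    src: str
    dst: str
    connections: int
    mean_gap: float     # seconds between check-ins
    jitter: float       # coefficient of variation of the gaps (stdev / mean)


def parse_log(text: str):
    """Yield (timestamp, src, dst) per line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def find_beacons(text: str, min_connections: int = 6, max_jitter: float = 0.1):
    """Pairs with at least min_connections and near-constant spacing are beacons.
    Human browsing produces bursts and long idle gaps, i.e. high jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue   # duplicate timestamps only; nothing periodic to measure
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons.append(Beacon(src, dst, len(times), mean_gap, jitter))
    return sorted(beacons, key=lambda b: b.jitter)
```

The threshold on jitter is the tuning knob: implants that randomise their sleep will push it up, so in practice this sits next to other signals (rare destination, fixed request size, off-hours traffic) rather than standing alone.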
-
85
Patrick Wardle - I've got 99 Problems, but Little Snitch ain't one
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Patrick-Wardle-99-Problems-Little-Snitch-UPDATED.pdf I've got 99 Problems, but Little Snitch ain't one Patrick Wardle Director of Research, Synack Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately, bypassing this firewall's network monitoring mechanisms is trivial... and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap overflow. #fail Though briefly touching on generic firewall bypass techniques, this talk will largely focus on the kernel-mode vulnerability. Specifically, I'll discuss bypassing OS X-specific anti-debugging mechanisms employed by the product, reverse-engineering the firewall's I/O Kit kernel interfaces and 'authentication' mechanisms, and the discovery of the exploitable heap overflow. Finally, methods of exploitation will be briefly discussed, including how an Apple kernel fix made this previously unexploitable bug exploitable on OS X 10.11. So if you simply want to see yet another 'security' product fall, or more generically, learn methods of OS X kernel extension reversing in a practical manner, then this talk is for you :) Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his website: www.Objective-See.com Twitter: @patrickwardle
-
84
Terrell McSweeny & Lorrie Cranor - Research on the Machines: Help the FTC Protect Privacy & Security
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Mcsweeny-Cranor-Research-On-The-Machines-UPDATED.pdf Research on the Machines: Help the FTC Protect Privacy & Security Terrell McSweeny Commissioner, Federal Trade Commission Lorrie Cranor Chief Technologist, Federal Trade Commission Machines are getting smarter, so consumer protection enforcers like the Federal Trade Commission need to get smarter too. The FTC is the lead federal agency for protecting the privacy rights and data security of American consumers. In the last year, it brought several enforcement actions against companies for violating consumer privacy and data security and launched new initiatives (PrivacyCon, Start with Security, and a new Office of Technology Research and Investigation) to improve its capabilities and responsiveness to new threats to consumer privacy and security. But the FTC needs your help. Today it is announcing a call for research on specific topics in order to broaden its capabilities to protect consumers. Come learn about the policy responses to the rise of the machines, the FTC's cases and research initiatives, and how you can help. Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. This year marks her third time at DEF CON. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design, but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data. Twitter: @TMcSweenyFTC Lorrie Cranor joined the Federal Trade Commission as Chief Technologist in January 2016. She is on leave from Carnegie Mellon University where she is a Professor of Computer Science and of Engineering and Public Policy, Director of the CyLab Usable Privacy and Security Laboratory (CUPS), and Co-director of the MSIT-Privacy Engineering masters program. She also co-founded Wombat Security Technologies, an information security awareness training company. Cranor has authored over 150 research papers on online privacy and usable security, and has played a central role in establishing the usable privacy and security research community, including her founding of the Symposium on Usable Privacy and Security. She is a Fellow of the ACM and IEEE. Twitter: @TechFTC
-
83
Elie Bursztein & Celine Bursztein - Cheating at Poker. Ripping Off People at Poker, James Bond Style
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Bursztein-Picod-Cheating-at-Poker-James-Bond-Style-UPDATED.pdf Cheating at Poker. Ripping Off People at Poker, James Bond Style Elie Bursztein Celine Bursztein Ever dreamed of cleaning up at poker, but afraid that you are not good enough to do it on your own? Fear not! The Chinese underground has got you covered with high-tech concealed cheating devices that automatically read marked cards and whisper them in your ear through an earpiece. Seems too good to be true? Well, those James Bond devices are the real deal: we were able to get our hands on one of those pricey gadgets and they really work. They even come with additional gizmos, like a camera hidden in a car key, that would have made Q proud. Come to our talk to get an in-depth analysis of how those high-tech devices work, see them in action, and learn which techniques and tools we built to detect them so you don't end up being the whale at your next poker game. Elie leads Google's anti-abuse research, where he invents new ways to protect the company's users against cyber-criminal activities and Internet threats. He recently worked on improving Gmail security, and made Chrome safer and faster by implementing better cryptography. Game hacking has been a long-time hobby for Elie, who spends far too much time playing Hearthstone and Starcraft. He managed to turn his passion for games into DEF CON talks and award-winning academic papers. Born in Paris, France, Elie wears berets and loves to do card tricks when in good company. Celine Bursztein is the founder of PetSquare, a startup dedicated to pet owners and animal lovers. She's crazy about animals and building a product about them was a great way to combine her biology and engineering skills (she holds a PhD in biology and a master's degree in computer science). When Celine is not busy visiting every zoo on the planet or playing WoW, she picks every lock she can. She discovered this lock picking passion when she successfully cracked her father's safe at the tender age of 7. Twitter: @elie Facebook: https://www.facebook.com/elieblog Blog: http://www.elie.net/blog
-
82
JusticeBeaver (Eric Escobar) - Discovering and Triangulating Rogue Cell Towers
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Eric-Escobar-Rogue-Cell-Towers-UPDATED.pdf Discovering and Triangulating Rogue Cell Towers JusticeBeaver (Eric Escobar) Security Engineer, Barracuda Networks Inc The number of IMSI-catchers (rogue cell towers) has been steadily increasing in use by hackers and governments around the world. Rogue cell towers, which can be as small as your home router, pose a large security risk to anyone with a phone. If in range, your phone will automatically connect to the rogue tower with no indication to you that anything has happened. At that point, your information passes through the rogue tower and can leak sensitive information about you and your device. Currently, there are no easy ways to protect your phone from connecting to a rogue tower (aside from some Android apps which are phone-specific and require root access). In this talk I'll demonstrate how you can create a rogue cell tower detector using generic hardware available from Amazon. The detector can identify rogue towers and triangulate their location. The demonstration uses a software defined radio (SDR) to fingerprint each cell tower and determine the signal strength of each tower relative to the detector. With a handful of these detectors working together, you can identify when a rogue cell tower enters your airspace, as well as identify the signal strength relative to each detector. This makes it possible to triangulate the source of the new rogue cell tower. JusticeBeaver (Eric Escobar) is a Security Engineer at Barracuda Networks. His interests are broad and generally include putting computers in places you wouldn't expect, from chicken coops to rockets and even bee hives. Before being called to the dark side, Eric procured Bachelor's and Master's degrees in Civil Engineering. He now enjoys all things wireless, from WiFi to SDR and Ham Radio. Last year his team placed 1st in DEF CON 23's Wireless CTF.
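The two steps the abstract describes, noticing a tower that was not there before and then locating it from signal strength at several detectors, can be shown in code without the SDR. The following is an added example, not the speaker's detector: the fingerprint is a plain tuple of the identifiers a GSM scan reports (MCC, MNC, LAC, cell ID, ARFCN), the baseline and the observed set are constructed, and the localization uses a log-distance path-loss model with parameters I have assumed (P0 = -30 dBm at 1 m, exponent 2.5). Real-world readings will be noisier than the synthetic ones here, which is the reason for a least-squares fit over a grid rather than solving three circles exactly.

```python
"""Detect a tower absent from a baseline and locate it from RSSI at 3+ detectors.

Added example, not the talk's code. Fingerprints are constructed
(MCC, MNC, LAC, cell ID, ARFCN) tuples; the path-loss model and its
parameters are assumptions; detector positions and readings are constructed.
"""
import math

P0_DBM = -30.0       # assumed received power 1 m from the transmitter
PATH_LOSS_N = 2.5    # assumed environment exponent (2 = free space, 3-4 = dense urban)


def rssi_from_distance(d_m: float) -> float:
    return P0_DBM - 10 * PATH_LOSS_N * math.log10(max(d_m, 1.0))


def distance_from_rssi(rssi_dbm: float) -> float:
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_LOSS_N))


def new_towers(baseline, observed):
    """Fingerprints seen now that were never seen during the baseline survey."""
    return sorted(set(observed) - set(baseline))


def locate(readings, extent: float = 100.0, step: float = 1.0):
    """readings: [((x, y), rssi_dbm), ...] per detector.
    Grid-search the point whose model distances best fit the measured ones.
    Fewer than three non-collinear detectors leaves a mirror ambiguity."""
    if len(readings) < 3:
        raise ValueError("need at least three detectors to triangulate")
    ranges = [(pos, distance_from_rssi(r)) for pos, r in readings]
    best, best_err = None, float("inf")
    n = int(extent / step) + 1
    for ix in range(n):
        for iy in range(n):
            x, y = ix * step, iy * step
            err = sum((math.hypot(x - px, y - py) - d) ** 2 for (px, py), d in ranges)
            if err < best_err:
                best, best_err = (x, y), err
    return best


# Constructed survey: two legitimate cells, then a third one appears on a new ARFCN.
BASELINE = {(310, 410, 0x2A1F, 12345, 128), (310, 410, 0x2A1F, 12346, 132)}
OBSERVED = BASELINE | {(310, 410, 0x0001, 1, 140)}

# Constructed geometry: three detectors on a 100 m square, transmitter at (30, 40).
DETECTORS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0)]
TRUE_SOURCE = (30.0, 40.0)
SAMPLE_READINGS = [
    (p, rssi_from_distance(math.hypot(p[0] - TRUE_SOURCE[0], p[1] - TRUE_SOURCE[1])))
    for p in DETECTORS
]
```

With real hardware the RSSI values come from each detector's scan of the new tower's ARFCN, and the same `locate` call is run on them; the grid extent and step should be set to the area your detectors cover.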
-
81
Mike Walker & Dr. Arati - DARPA Cyber Grand Challenge Award Ceremony
DARPA Cyber Grand Challenge Award Ceremony Mike Walker DARPA Program Manager Dr. Arati Prabhakar DARPA Director On Friday morning, August 5th, DARPA will announce the prize winners and recognize the parties responsible for building and competing in the Cyber Grand Challenge (CGC), the world's first all-machine hacking tournament, which was completed August 4th. Seven high performance computers will have completed an all-machine Capture the Flag contest, reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses. Come hear about what transpired at CGC, and learn which team will be taking home the $2M grand prize, as well as the $1M second place and $750K third place prizes. Mike Walker is the DARPA program manager for the Cyber Grand Challenge. His research interests include machine reasoning about software in situ and the automation of application security lifecycles. Prior to joining DARPA, Mr. Walker worked in industry as a security software developer, Red Team analyst, enterprise security architect and research lab leader. As part of the Computer Sciences Corporation 'Strikeforce' Red Team, Mr. Walker helped develop the HEAT Vulnerability Scanner and performed Red Team engagements. Serving as a principal at the Intrepidus Group, Mr. Walker worked on Red Teams that tested America's financial and energy infrastructure for security weaknesses. Also, on the DARPA SAFER Red Team, Mr. Walker discovered flaws in prototype communications technologies. Mr. Walker has participated in various roles in numerous applied computer security competitions. He contributed challenges to DEF CON Capture the Flag (CTF) and competed on and led CTF teams at the highest levels of international competition. Mr. Walker was formerly a mentor of the Computer Security Competition Club at Thomas Jefferson High School for Science and Technology (TJHSST).
Arati Prabhakar, Ph.D., is director of the Defense Advanced Research Projects Agency (DARPA). Serving in this position since July 2012, she has focused the agency's efforts on rethinking complex military systems in fundamental ways; harnessing the information explosion to address national security challenges; and planting new seeds of technological surprise in fields as diverse as mathematics, synthetic biology, and neurotechnology. Dr. Prabhakar has spent her career investing in world-class engineers and scientists to create new technologies and businesses. Her first service to national security started in 1986 when she joined DARPA as a program manager. She initiated and managed programs in advanced semiconductor technology and flexible manufacturing, as well as demonstration projects to insert new semiconductor technologies into military systems. As the founding director of DARPA's Microelectronics Technology Office, she led a team of program managers whose efforts spanned these areas, as well as optoelectronics, infrared imaging and nanoelectronics. In 1993, President William Clinton appointed Dr. Prabhakar director of the National Institute of Standards and Technology, where she led the 3,000-person organization in its work with companies across multiple industries. Dr. Prabhakar moved to Silicon Valley in 1997, first as chief technology officer and senior vice president at Raychem, and later vice president and then president of Interval Research. From 2001 to 2011, she was a partner with U.S. Venture Partners, an early-stage venture capital firm. Dr. Prabhakar identified and served as a director for startup companies with the promise of significant growth. She worked with entrepreneurs focused on energy and efficiency technologies, consumer electronics components, and semiconductor process and design technologies. Dr. Prabhakar received her Doctor of Philosophy in applied physics and Master of Science in electrical engineering from the California Institute of Technology. She received her Bachelor of Science in electrical engineering from Texas Tech University. She began her career as a Congressional Fellow at the Office of Technology Assessment. Dr. Prabhakar has served in recent years on the National Academies' Science Technology and Economic Policy Board, the College of Engineering Advisory Board at the University of California, Berkeley, and the red team of DARPA's Defense Sciences Research Council. In addition, she chaired the Efficiency and Renewables Advisory Committee for the U.S. Department of Energy. Dr. Prabhakar is a Fellow of the Institute of Electrical and Electronics Engineers, a Member of the National Academy of Engineering, a Texas Tech Distinguished Engineer, and a Caltech Distinguished Alumna. Twitter: @DARPA, #DARPACGC
-
80
Dr. Phil - Mouse Jiggler Offense and Defense
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Dr-Phil-Polstra-Mouse-Jigglers.pdf Mouse Jiggler Offense and Defense Dr. Phil Professor, Bloomsburg University of Pennsylvania A group of highly-armed individuals has just stormed into your office. They are looking to pull data from your computers, which are protected with full disk encryption. In order to prevent your screen saver from activating they will likely immediately insert a mouse jiggler to prevent your screensaver lock from activating. This talk will present ways of detecting and defending against such assaults on your system by mouse jiggler wielding individuals. It will also show you how to build your own simple mouse jiggler. Nothing beyond basic Linux usage is required to understand this talk. Attendees will leave with several ways to defend against mouse jigglers and the knowledge of how to create their own mouse jigglers. Phil was born at an early age. He cleaned out his savings as a boy in order to buy a TI-99/4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since. Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2015). Phil has also published books on Linux Forensics (Pentester Academy, 2015), USB Forensics (Pentester Academy, 2016), and Windows Forensics (Pentester Academy, 2016). Prior to entering academia, Phil held several high level positions at well-known US companies.
He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics (find his Daddy and Daughter Electronics show on YouTube), and has been known to build airplanes.
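A jiggler keeps the session alive by pretending to be a mouse, so the defender's question is whether the movement looks like a person. The following is an added example, not Dr. Phil's code: it scores a stream of relative mouse events (timestamp, dx, dy, as a Linux evdev REL_X/REL_Y reader delivers them) for the tiny, metronomic, back-and-forth pattern a simple jiggler produces, and exposes a `should_lock` decision a watcher could act on. The event streams are constructed. The caveat is in the usage note: a jiggler that randomises its movement defeats a timing heuristic, so the robust defence is to react to the USB HID device itself rather than to what it sends.

```python
"""Score relative mouse events for jiggler-like behaviour.

Added example, not the talk's code. Heuristic: near-constant spacing between
events, very small per-event movement, and a net displacement near zero
(the cursor "returns home"). Event triples are constructed.
"""
import statistics


def analyze(events, min_events: int = 6, max_jitter: float = 0.15,
            max_amplitude: float = 3.0, max_net: int = 2) -> dict:
    """events: [(timestamp_s, dx, dy), ...] in arrival order."""
    if len(events) < min_events:
        return {"jiggler": False, "reason": "too few events"}
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:
        return {"jiggler": False, "reason": "non-increasing timestamps"}
    jitter = statistics.pstdev(gaps) / mean_gap          # 0 = perfectly periodic
    amplitude = statistics.mean(abs(dx) + abs(dy) for _, dx, dy in events)
    net = (sum(dx for _, dx, _ in events), sum(dy for _, _, dy in events))
    verdict = (jitter <= max_jitter and amplitude <= max_amplitude
               and max(abs(net[0]), abs(net[1])) <= max_net)
    return {"jiggler": verdict, "mean_gap": mean_gap, "jitter": jitter,
            "amplitude": amplitude, "net": net}


def should_lock(events) -> bool:
    """Decision hook: a watcher that reads /dev/input events could call the
    screen locker when this returns True (assumed integration, not shown)."""
    return analyze(events)["jiggler"]


# Constructed: a jiggler nudging the cursor one pixel left/right every 30 s.
JIGGLER_EVENTS = [(i * 30.0, 1 if i % 2 == 0 else -1, 0) for i in range(10)]

# Constructed: a human moving the pointer in bursts with idle stretches.
HUMAN_EVENTS = [
    (0.00, 5, -3), (0.02, 12, -8), (0.05, 20, -11),
    (0.31, 3, 1), (0.33, 9, 4),
    (1.70, -15, 2), (1.72, -30, 6), (1.75, -8, 1),
]
```

Treat this as one signal among several. The thresholds are tuned to the plain jiggler pattern; a device that randomises timing and amplitude will pass, which is why the more dependable defence discussed for this scenario is to lock the session as soon as any new USB input device enumerates, independent of what it then reports.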
-
79
Dr. Paul Vixie - Frontrunning the Frontrunners
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Paul-Vixie-Frontrunning-the-Frontrunners-UPDATED.pdf Frontrunning the Frontrunners Dr. Paul Vixie CEO and Co-founder, Farsight Security, Inc. While some domainers allegedly brainstorm ideas for new domains to register while taking a shower, the more successful domain portfolio managers, working at scale, are believed to be 'data driven.' DNS queries are a material source of intelligence about domainer opportunities and operations, and also help us to understand the operational constraints around potentially combating domainers, should we want to do so. In this presentation co-authored with Farsight Security Scientist Dr. Joe St Sauver, Farsight Security CEO Dr. Paul Vixie will scrutinize failed DNS queries ('NXDOMAINs'), looking for the same 'opportunities' that a domainer or typo squatter would (although we will not be acting on that data by actually registering domains). Dr. Vixie will discuss two primary types of behavior: 1) Volumetrically-driven typo-squatting, which Dr. Vixie will measure by computing the volume of NXDOMAINs seen by domain during a 24 hour period, and the time between popular typos appearing in NXDOMAINs and those same domains being registered and actually used, and 2) Domainers programmatically exploring permutations of domains around high value domains, probing for available domains and automatically registering the most promising probed domains discovered to still be available. Both of these hypothesized behaviors should be externally observable and thus able to be confirmed by watching a real-time stream of NXDOMAIN errors, and a real-time stream of newly observed, actually-registered domains, as available from the Security Information Exchange. Dr. Paul Vixie will experimentally confirm these hypothesized relationships and describe examples of (1) the most commonly observed types of typographical errors, (2) the brands apparently most-targeted for squatting, (3) the distribution of delays from NXDOMAIN detection to observed domain use, (4) the potential relationship between NXDOMAIN volume thresholds and TLD cost. Dr. Vixie will also explain how this information illuminates opportunities for tackling these types of domain name abuse. Time will be reserved for Q&A. Dr. Paul Vixie is the CEO and Co-founder of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. He is a sysadmin for Op-Sec-Trust. Dr. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and is a co-author of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014. Twitter: @paulvixie
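The three measurements the abstract lays out (NXDOMAIN volume per name, the type of typo relative to a targeted brand, and the lag from first failed lookup to the name showing up as registered) are simple to reproduce on two streams of records. The following is an added example, not Farsight's code: the two streams stand in for the NXDOMAIN and newly-observed-domain feeds the abstract mentions, the brand list is a placeholder, and every record is constructed. The typo classifier covers the single-edit cases (omission, insertion, substitution, adjacent transposition); real squatting also involves homoglyphs and keyboard-neighbour errors, which this does not attempt.

```python
"""NXDOMAIN volume, typo classification and registration lag over two streams.

Added example, not Farsight's code. The streams below are constructed
"timestamp name" records standing in for a failed-lookup feed and a
newly-observed-domains feed; the brand list is a placeholder.
"""
from collections import Counter
from datetime import datetime, timedelta

BRANDS = ["example.com"]

NXDOMAIN_LOG = """\
2016-07-01T00:00:05 exmaple.com
2016-07-01T00:00:09 exmaple.com
2016-07-01T01:12:00 exanple.com
2016-07-01T02:00:00 exmaple.com
2016-07-01T03:30:00 examplee.com
2016-07-01T04:00:00 exampl.com
2016-07-01T05:00:00 exmaple.com
2016-07-01T06:00:00 randomhost.example.net
"""

NEW_DOMAINS_LOG = """\
2016-07-03T00:00:05 exmaple.com
2016-07-10T12:00:00 exampl.com
"""


def parse(stream: str):
    out = []
    for line in stream.strip().splitlines():
        ts, name = line.split()
        out.append((datetime.fromisoformat(ts), name.lower().rstrip(".")))
    return out


def typo_kind(candidate: str, brand: str):
    """Single-edit classification of candidate relative to brand, else None."""
    c, b = candidate, brand
    if c == b:
        return None
    if len(c) == len(b) - 1 and any(b[:i] + b[i + 1:] == c for i in range(len(b))):
        return "omission"
    if len(c) == len(b) + 1 and any(c[:i] + c[i + 1:] == b for i in range(len(c))):
        return "insertion"
    if len(c) == len(b):
        diff = [i for i in range(len(b)) if c[i] != b[i]]
        if len(diff) == 1:
            return "substitution"
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and c[diff[0]] == b[diff[1]] and c[diff[1]] == b[diff[0]]):
            return "transposition"
    return None


def nxdomain_volume(records, window_start=None, hours: int = 24) -> Counter:
    """Failed lookups per name inside one window (default: the whole stream)."""
    if window_start is None:
        return Counter(name for _, name in records)
    end = window_start + timedelta(hours=hours)
    return Counter(name for ts, name in records if window_start <= ts < end)


def typo_report(records, brands=BRANDS) -> dict:
    """name -> (brand, typo kind, NXDOMAIN count) for names one edit from a brand."""
    report = {}
    for name, n in nxdomain_volume(records).items():
        for brand in brands:
            kind = typo_kind(name, brand)
            if kind:
                report[name] = (brand, kind, n)
    return report


def registration_lag(nx_records, new_records) -> dict:
    """Hours from a name's first NXDOMAIN to its first appearance as registered."""
    first_nx = {}
    for ts, name in nx_records:
        if name not in first_nx or ts < first_nx[name]:
            first_nx[name] = ts
    lag = {}
    for ts, name in new_records:
        if name in first_nx and name not in lag:
            lag[name] = (ts - first_nx[name]).total_seconds() / 3600
    return lag
```

On real feeds the interesting output is the join: names that rank high in `nxdomain_volume` and then turn up in `registration_lag` with a short delay are the ones the talk's "volumetrically-driven" hypothesis predicts.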
-
78
Javier Vazquez & Ferdinand Noelscher - CAN i haz car secret plz?
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Javier-Vazquez-You-CAN-haz-car-Secretz-UPDATED.pdf CAN i haz car secret plz? Javier Vazquez Vidal Hardware Security Specialist at Code White GmbH Ferdinand Noelscher Information Security Specialist at Code White GmbH The CAN bus is really mainstream, and every now and then there are new tools coming out to deal with it. Everyone wants to control vehicles and already knows that you can make the horn honk by replaying that frame you captured. But is this all that there is on this topic? Reversing OEM and third party tools, capturing firmware update files on the fly, and hijacking Security Sessions on a bus are just a few examples of things that can be done as well. For this and more, we will introduce to you the CanBadger! It's not just a logger, nor an injector. It's a reversing tool for vehicles that allows you to interact in realtime with individual components, scan a bus using several protocols (yup, UDS is not the only one) and perform a series of tests that no other tool offers. The CanBadger is where the real fun begins when dealing with a vehicle, and you can build it for under $60 USD! If you are already done with replaying frames on the CAN bus and want to learn how that fancy chip-tuning tool deals with your car, or simply want to get Security Access to your vehicle without caring about the security key or algorithm, we are waiting for you! Javier Vazquez Vidal is passionate about technology and specializes in hardware and embedded systems security. He studied Electromechanics and Telecommunications, developing a passion for electronics and technology since his youth. He has been part of several projects that involved well-known hardware, but his first public work was presented at DEF CON 21, the ECU tool. He developed the CHT, a tool to take over the CAN network, and had some fun with the 'paella country' smart meters. He is currently working as a Product Security Engineer at Code White GmbH, and has worked at companies such as Tesla, Daimler, Airbus Military and Visteon. Ferdinand Noelscher is an information security researcher from Germany. He has been working in Information Security for several years now. Ferdinand is very passionate about Offensive Security research and has been working on numerous embedded security projects, and some lasers too. Furthermore, he gave a training together with Javier at hardwear.io. He is currently a Security Researcher at Code White.
-
77
Richard Thieme - Playing Through the Pain? - The Impact of Secrets and Dark Knowledge on Security and Intelligence Professionals
Playing Through the Pain? - The Impact of Secrets and Dark Knowledge on Security and Intelligence Professionals Richard Thieme ThiemeWorks Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact when those secrets build a different map of reality than "normals" use and one has to calibrate narratives to what another believes. The cognitive dissonance that inevitably causes is managed by some with denial who live as if refusing to feel the pain makes it disappear. But as Philip K. Dick said, reality is that which, when you no longer believe in it, refuses to go away. And when cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one's peril. But the constraints of one's work often make it impossible to speak aloud about those symptoms, because that might threaten one's clearances, work, and career. The real cost of security work and professional intelligence goes beyond dollars. It is measured in family life, relationships, and mental and physical well-being. The divorce rate is as high among intelligence professionals as it is among medical professionals, for good reason - how can relationships be based on openness and trust when one's primary commitments make truth-telling and disclosure impossible? Richard Thieme has been around that space for years. He has listened to people in pain because of the compelling necessities of their work, the consequences of their actions, the misfiring of imperfect plans, and the burdens of - for example - listening to terrorists slit someone's throat in real time, then having to act as if they had a normal day at the office. Thieme touched on some of this impact in his story, "Northward into the Night," published in the Ranfurly Review, Big City Lit, Wanderings and Bewildering Stories before collection in "Mind Games." 
The story illuminates the emotional toll of managing multiple personas and ultimately forgetting who you are in the first place. The bottom line is, trauma and secondary trauma have identifiable symptoms and they are everywhere in the "industry." The "hyper-real" space which the national security state creates by its very nature extends to normals, too, now, but it's more intense for professionals. Living as "social engineers," always trying to understand the other's POV so one can manipulate and exploit it, erodes the core self. The challenge is not abstract or philosophical, it's existential, fired into our faces every day at point blank range, and it constitutes an assault on authenticity and integrity. Sometimes sanity is at stake, too, and sometimes, life itself. In one week, two different people linked to the CIA told Thieme that going into that agency was like becoming a scientologist. Think about what that analogy means. For his own sake and sanity, Thieme has thought about it a lot and that's what this talk is about - the real facts of the matter and strategies for effective life-serving responses. Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. His column, ‘Islands in the Clickstream,’ was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the National Security Agency said after they worked together on ethics and intelligence issues, ‘The only way you can tell the truth is through fiction,’ he returned to writing short stories, 19 of which are collected in "Mind Games." His latest work is the stunning novel "FOAM," published by Exurban Press September 2015. 
He is also co-author of the critically extolled "UFOs and Government: A Historical Inquiry," a 5-year research project using material exclusively from government documents and other primary sources, now in 65 university libraries. His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities, including Purdue University (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas, the "Design Matters" lecture series at the University of Calgary, and as a Distinguished Lecturer in Telecommunications Systems at Murray State University. He addressed the reinvention of "Europe" as a "cognitive artifact" for curators and artists at Museum Sztuki in Lodz, Poland, keynoted CONFidence in Krakow 2015, and keynoted "The Real Truth: A World’s Fair" at Raven Row Gallery, London. He recently keynoted Code Blue in Tokyo. He loved Tokyo. He has spoken for the National Security Agency, the FBI, the Secret Service, the US Department of the Treasury, and Los Alamos National Labs and has keynoted "hacker," security, and technology conferences around the world. He keynoted the first two Black Hats and he is speaking at DEF CON for the 21st year. Twitter: @neuralcowboy
-
76
Tamas Szakaly - Help, I've got ANTs!!!
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Tamas-Szakaly-Help-I-got-ANTS.pdf Help, I've got ANTs!!! Tamas Szakaly Lead Security Researcher, PR-Audit Ltd., Hungary As stated in my bio, besides computer security I also love flight simulators and mountain biking. Last year I gave a talk about hacking a flight simulator (among other games), so it was only fitting to research something related to my other hobby too. Bike speedometers from the old days have evolved quite a bit, and nowadays a lot of bikers (swimmers, runners, ers) do their sport with tiny computers attached to them. These computers do much more than measuring speed: they have GPS, they can store your activities, can be your training buddy, and they can communicate with various sensors (cadence, power meter, heart rate monitors, you name it), mobile phones, each other, and with PCs. One of the communication protocols used by these devices is ANT. Never heard of it? Not surprising, it is not very well known despite being utilized by a lot of gadgets including, but not limited to, sport watches, mobile phones, weight scales, some medical devices, and even bicycle lights and radars. When I bought my first bike computer I rationalized it with thoughts like ‘this will help me navigate on the mountain’, or ‘I can track how much I've developed’, but deep down I knew the real reason was my curiosity about this lesser known, lesser researched protocol. One of my favorite kinds of weaknesses is the ones that are caused by questionable design decisions and can be spotted without actual hands-on experience with the product itself, just by reading the documentation. Well, this is exactly what happened here: I had some attack vectors ready and waiting well before I received the actual device. To top it all, I've also found some implementation bugs after getting my hands on various Garmin devices.
After a brief introduction to the ANT, ANT+ and ANT-FS protocols, I'll explain and demo both the implementation and the protocol weaknesses and reach the already suspected conclusion that ANT and the devices that use it are absolutely insecure: anybody can access your information, turn off your bike light, or even replace the firmware on your sport watch over the air. Tamas is the lead IT security researcher at PR-Audit Ltd., a company focusing mainly on penetration testing and SIEM software development. Previously he participated in a cooperation between ELTE Department of Meteorology and the Paks Nuclear Power Plant Ltd. whose goal was to develop TREX, a toxic waste emission simulator using CUDA. The scene from RoboCop where the kid defeats the evil robot with just a laptop and a serial cable made a huge impression on him, and after seeing the movie, his path was set: he was bound to be a hacker. His first experiences in this field involved poking around various copy protection schemes, and to this day his favorite areas of expertise are the ones that require some mangling of binary files. Besides computer security he also loves mountain biking and flight simulators. Twitter: @sghctoma Facebook: sghctoma
-
75
Shane Steiger - Maelstrom - Are You Playing with a Full Deck? : Using a Newly Developed Attack Life Cycle Game to Educate, Demonstrate and Evangelize.
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Shane-Steiger-Maelstrom-Are-You-Playing-With-A-Full-Deck-UPDATED.pdf https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Shane-Steiger-Maelstrom-Are-You-Playing-With-A-Full-Deck-V14-Back.pdf https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Shane-Steiger-Maelstrom-Rules-V10.pdf Maelstrom - Are You Playing with a Full Deck? : Using a Newly Developed Attack Life Cycle Game to Educate, Demonstrate and Evangelize. Shane Steiger, Esq., CISSP, Chief Endpoint Security Architect As a defender, have you ever been asked ‘do they win?’ How about ‘what products or capabilities should I buy to even the odds?’ Mapping the functionality to a standard list of desired capabilities only gets you so far. And, many vendors require an organization to pay for a framework, or for access to a framework, to enable tactical and strategic campaigns. Wouldn’t it be great to have an open source way to pick strategies? So what do you do? Build out your own defensive campaigns based on research, taxonomies and gamification. Building the attacker’s point of view is our expertise (at a CON). We have plenty of research here to talk about that point of view. How about building out the defender’s point of view based on the attacker’s life cycle? Defenders can use this as a defensive ‘complement’ to begin a legitimate defensive campaign. Maybe the defender could even ‘gamify’ the approach? An attacker’s approach, a defender’s approach and a progressive life cycle with a defender’s set of targets built on things we all know, love and hate: project management. I think we have a game! Build out rules, much like real life, then bring on the attackers, bring on the defenders and play a little game to educate, demonstrate and evangelize. Watch strategies played by both attackers and defenders. Switch sides and learn to be a Purple Teamer!
Digitize it and watch the game play people or even play itself; the true rise of the machine. Wanna Play?! Shane began his professional career with a large food manufacturer where he helped build and secure SCADA/ICS systems across 90+ food manufacturing plants in the US. From there he spent 6 years helping to develop and build the functionality of a security team for a large pharmaceutical distributor. Currently, he is the Chief Endpoint Security Architect for a Fortune 50 technology company. His interests reside in cyber resiliency techniques, internet of things, building/breaking things and muscle cars. To think, his 25+ year passion for all things geeky started with hacking the school library computer and getting detention. Shane is also a licensed attorney. Please don't hold this against him.
-
74
Six_Volts & Haystack - Cheap Tools for Hacking Heavy Trucks
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-SixVolts-and-Haystack-Cheap-Tools-For-Hacking-Heavy-Trucks.pdf https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-SixVolts-and-Haystack-Extras Cheap Tools for Hacking Heavy Trucks Six_Volts Research Mercenary Haystack Vehicle Data Ninja There has been much buzz about car hacking, but what about the larger heavy-duty brother, the big rig? Heavy trucks are increasingly networked, connected and susceptible to attack. Networks inside trucks frequently use Internet connected devices even on safety-critical networks where access to brakes and engine control is possible. Unfortunately, tools for doing analysis on heavy trucks are expensive and proprietary. Six_Volts and Haystack have put together a set of tools that include open hardware and software to make analyzing these beasts easier and more affordable. Six_Volts is a "research mercenary" and has worked on High Performance Computing, embedded systems, vehicle networking and forensics, electronics prototyping and design, among other things. He's crashed cars for science, done digital forensics on a tangled mess of wires that used to be a semi truck, built HPC clusters out of old (and new) hardware, designed tools to extract data from vehicle EDRs, and in his spare time trains teams of students to defend enterprise networks. Twitter: @Six_Volts Haystack Haystack was a computer science student researching process control security, when one day he was recruited by a nefarious mechanical engineering professor hell-bent on dominating the field of accident reconstruction. After a series of dangerous training missions to various accident sites and junkyards, Haystack can now cut electronic control modules from wrecked trucks with surgical precision and extract crash data from them that was previously thought to be unrecoverable.
-
73
Panel - Team Shellphish - Cyber Grand Shellphish
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Shellphish-Cyber Grand Shellphish-Tool-Links.txt https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Shellphish-Cyber Grand Shellphish-UPDATED.pdf Cyber Grand Shellphish Yan Shoshitaishvili PhD Student, UC Santa Barbara Antonio Bianchi UC Santa Barbara Kevin Borgolte UC Santa Barbara Jacopo Corbetta UC Santa Barbara Francesco Disperati UC Santa Barbara Andrew Dutcher UC Santa Barbara Giovanni Vigna UC Santa Barbara Aravind Machiry UC Santa Barbara Chris Salls UC Santa Barbara Nick Stephens UC Santa Barbara Fish Wang UC Santa Barbara John Grosen UC Santa Barbara Last year, DARPA ran the qualifying event for the Cyber Grand Challenge to usher in the era of automated hacking. Shellphish, a rag-tag team of disorganized hackers mostly from UC Santa Barbara, decided to join the competition about ten minutes before the signups closed. Characteristically, we proceeded to put everything off until the last minute, and spent 3 sleepless weeks preparing our Cyber Reasoning System for the contest. Our efforts paid off and, as we talked about last DEF CON, against all expectations, we qualified and became one of the 7 finalist teams. The finals of the CGC will be held the day before DEF CON. If we win, this talk will be about how we won, or, in the overwhelmingly likely scenario of something going horribly wrong, this talk will be about butterflies. In all seriousness, we've spent the last year working hard on building a really kickass Cyber Reasoning System, and there are tons of interesting aspects of it that we will talk about. Much of the process of building the CRS involved inventing new approaches to automated program analysis, exploitation, and patching. We'll talk about those, and try to convey how hackers new to the field can make their own innovations.
Other aspects of the CRS involved extreme amounts of engineering effort to make sure that the system optimally used its computing power and was properly fault-tolerant. We'll talk about how automated hacking systems should be built to best handle this. Critically, our CRS needed to be able to adapt to the strategies of the systems fielded by the other competitors. We'll talk about the AI that we built to strategize throughout the game and decide what actions should be taken. At the end of this talk, you will know how to go about building your own autonomous hacking system! Or you might know a lot about butterflies. Shellphish is a mysterious hacking collective famous for being great partiers and questionable hackers. The secret identities of the Shellphish CGC team are those of researchers in the security lab of UC Santa Barbara. When they're not CTFing or surfing, they're doing hard-hitting security research. Their works have been published in numerous academic venues and featured in many conferences. In 2015, they unleashed angr, the next (current?) generation of binary analysis, and have been working hard on it ever since!
-
72
Mickey Shkatov and Panel - How to Make Your Own DEF CON Black Badge
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Panel-How-To-Make-A-DEFCON-Black-Badge.pdf How to Make Your Own DEF CON Black Badge Mickey Shkatov (@Laplinker) Intel Advanced Threat Research Michael Leibowitz (@r00tkillah) Senior Trouble Maker Joe FitzPatrick (@securelyfitz) Instructor & Researcher, SecuringHardware.com Dean Pierce (@deanpierce) Security Researcher, Intel Jesse Michael (@jessemichael) Security Researcher, Intel Kenny McElroy (@octosavvi) Hacker Yes, we did, we made our own DEF CON black badges. Why? Because we didn't want to wait in line ever again-- Not really. We are a bunch of hackers that always look for a challenge, and what better challenge is there than to try and reverse engineer from scratch three DEF CON black badges? In this talk we will go through the 2 year long process of making the DC14, DC22 and DC23 Black badges which include amazing hacking techniques like social engineering, patience, reverse engineering, EAGLE trickery, head to desk banging and hoping it is passable to a goon and not shameful to DT, 1057, and Joe. Mickey (@laplinker) is a security researcher and a member of the Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security. Mickey has presented some of his past research at DEF CON, Black Hat, BruCON, Bsides PDX, PacSec, and HES. Twitter: @laplinker Michael has done hard-time in real-time. An old-school computer engineer by education, he spends his days championing product security for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and wrote some secure software. On nights and weekends he hacks on electronics, writes DEF CON CFPs, and contributes to the NSA Playset. Twitter: @rootkillah Joe FitzPatrick is an Instructor and Researcher at https://SecuringHardware.com.
Joe has spent over a decade working on low-level silicon debug, security validation, hardware penetration testing, and hardware security training. In between training and bricking hardware, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects. Twitter: @securelyfitz Dean Pierce is a computer security researcher from Portland, Oregon. Dean has 15 years of experience in the field, with former DEF CON talks on breaking WiFi, WiMAX, and GSM networks. Author of many silly tools, creator of many silly websites. Security researcher by night, and security researcher that gets paid by day, Dean is currently doing tool development and attack modeling on Intel Corporation’s internal penetration testing team. Twitter: @deanpierce Jesse Michael spends his time annoying Mickey and finding low-level hardware security vulnerabilities in modern computing platforms. Twitter: @jessemichael Kenny McElroy is a Security Researcher, Lock picker, Tinkerer, Embedded hacker, Jam Skater, SMT solderer, SDR twiddler, Space Geek and Bluewire Artist. Twitter: @octosavvi
-
71
Haoqi Shan & Wanqiao Zhang - Forcing a Targeted LTE Cellphone into an Unsafe Network
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Zhang-Shan-Forcing-Targeted-Lte-Cellphone-Into-Unsafe-Network.pdf Forcing a Targeted LTE Cellphone into an Unsafe Network Haoqi Shan Hardware/Wireless security researcher, Qihoo 360 Wanqiao Zhang Communication security researcher, Qihoo 360 LTE is a more advanced mobile network but not absolutely secure. Recently there have already been some papers that exposed the vulnerabilities of the LTE network. In this presentation, we will introduce one method which jointly exploits the vulnerabilities in the tracking area update procedure, attach procedure, and RRC redirection procedure, and finally can force a targeted LTE cellphone to downgrade into a malicious GSM network, then consequently can eavesdrop on its data traffic or even voice calls. This attack is not a simple DoS attack. It can select the targeted cellphone by filtering the IMSI number (IMSI catcher function), so it will not influence the other cellphones and keeps them still in the real network. Furthermore, it can force the cellphone into the malicious network that we set up (a fake network) or we assign (operator’s network), therefore the cellphone has no chance to choose another secure network. This is the danger point of this attack. Haoqi Shan is currently a wireless/hardware security researcher in Unicorn Team. He focuses on GSM systems, router/switch hacking etc. Other research interests include reverse engineering of embedded devices such as femtocell base stations. He has given presentations about GSM device hacking and a wireless hacking suite at DEF CON, CanSecWest and SyScan. Wanqiao Zhang is a communication security researcher from Unicorn Team of Qihoo 360 China. She received her master's degree in electronic information engineering from Nanjing University of Aeronautics and Astronautics in 2015. Fascinated by the world of wireless security, she is currently focused on the security research of the GPS system and the cellular network.
-
70
Hunter Scott - Retweet to Win: How 50 lines of Python made me the luckiest guy on Twitter
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Hunter-Scott-Rt2Win-The-Luckiest-Guy-On-Twitter.pdf Retweet to Win: How 50 lines of Python made me the luckiest guy on Twitter Hunter Scott Hacker In this talk, I'll share how I won 4 Twitter contests per day, every day, for 9 months straight. I'll discuss the methods I used, the delightfully random and surprising things I won, and how to run a Twitter contest to prevent people like me from winning. Hunter Scott is an electrical and computer engineer with over 7 years of experience designing and implementing hardware systems. He has led electrical development on a variety of projects, from robotics to communication systems. He has experience in improvising and quickly building prototype and proof of concept designs as well as implementing mission critical, high reliability designs. He has a degree in computer engineering from Georgia Tech and is currently working at a startup you've never heard of (yet!). His work has been featured in publications such as Gizmodo, Quartz, Engadget, CNN, The Chicago Tribune, The Guardian, and NPR. His other projects can be seen at hscott.net. Twitter: @hunterscott
-
69
Hendrik Schmidt & Brian Butterly - Attacking BaseStations - an Odyssey through a Telco's Network
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Hendrik-Schmidt-Brian-Butter-Attacking-BaseStations-UPDATED Attacking BaseStations - an Odyssey through a Telco's Network Hendrik Schmidt, IT Security Researcher, ERNW GmbH Brian Butterly, IT Security Researcher, ERNW GmbH As introduced in our former series of talks ‘LTE vs. Darwin’ there are quite a few holes in the LTE specs. Now, having our own Macro BaseStation (an eNodeB) on the desk, we will demonstrate practical approaches to and attacks on real life devices. More and more devices are using mobile radio networks such as GSM, UMTS and LTE and there has already been quite a bit of research on (in)securities on the radio part, but only few people have had a look behind the scenes. Luckily, we had the chance to have just this look and now we would like to raise the curtain for the community. Initially we will quickly cover our complete odyssey from starting up an eNodeB for the first time, checking out the available interfaces and emulating the core network through to starting attacks. In the main part of the talk we will give a rather practical insight into the (in-)security features of basestations. We will start with valid backend connections and how these connections can be abused to reconfigure both a single eNodeB and a complete subnet on a telco network. We will then continue with the ‘official’ maintenance approach with the vendor's tools and web interfaces giving an attacker both local and remote access to the device. All in all the talk will cover general and specific vulnerabilities in both basestations and the backend network. Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experience in large and complex enterprise networks. Over the years they focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes.
In this context they learned how to play around with telecommunication networks, wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the German based ERNW GmbH and will happily share their knowledge with the audience.
-
68
The Bob Ross Fan Club - Propaganda and You (and your devices) - How media devices can be used to coerce, and how the same devices can be used to fight back.
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-the-bob-ross-fan-club-Propaganda-and-you.pdf Propaganda and You (and your devices) - How media devices can be used to coerce, and how the same devices can be used to fight back. The Bob Ross Fan Club Security Software Engineer Any novice in the security field can tell you the importance of sanitizing input that is being read into computer systems. But what steps do most of us take in sanitizing the input that is read into the computer systems known as our brains? This presentation will go over the attack vector that is known as Propaganda. By studying works such as Manufacturing Consent (by Noam Chomsky and Ed Herman) we can learn of the various manipulations that happen to media before it reaches the end reader. Armed with the knowledge of how propaganda works, a person could attempt a more healthy diet of media consumption. Computer and data networks are heavily utilized by those wishing to push agendas, but who is to say these same technologies can not be utilized to fight back? Developers have access to all sorts of tools that help accomplish this feat, such as web scrapers, natural language tool kits, or even the reddit source code repository. This talk will walk the audience through some different techniques that can be used for better media consumption. The Bob Ross Fan Club is currently working as a security software engineer for embedded Linux systems. He has previously been a part of published research efforts on the topics of user privacy and the threats posed by the tracking practices employed by internet companies. Twitter: @bobross_fc
-
67
Nicholas Rosario (MasterChen) - Weaponize Your Feature Codes
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Nick-Rosario-Weaponize-Your-Feature-Codes.pdf Weaponize Your Feature Codes Nicholas Rosario (MasterChen), VoIP Administrator Almost everyone is familiar with feature codes, also known as star codes, such as *67 to block caller ID or *69 to find out who called you last. What if the feature codes could be used as a weapon? Caller ID spoofing, TDoSing (call flooding), and SMS flooding are known attacks on phone networks, but what happens when they become as easy to launch as dialing *40? Weaponize Your Feature Codes will first take the audience through a brief history of feature codes and common usage, and then demonstrate the more nefarious applications. The presentation will share the Asterisk code used to implement these "rogue" features, and mention possible ways of mitigation. While this talk builds upon previous work from the author, referenced in past DEF CON presentations, the new code written makes carrying out such attacks ridiculously easy. Nicholas Rosario (MasterChen) is currently a VoIP Administrator. He has been published in 2600: The Hacker Quarterly twice for his research on the Asterisk PBX system and has given presentations at BSides Las Vegas and the DEF CON 303 Skytalks. His most recent research blends technology with psychological principles. MasterChen is an active member of the SYNShop hacker space in Las Vegas, NV and a co-founder and host of the weekly GREYNOISE infosec podcast. Twitter: @chenb0x Instagram: @chenb0x
-
66
Chris Rock - How to Overthrow a Government
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Chris-Rock-How-to-overthrow-a-Government.pdf https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Chris-Rock-How-to-overthrow-a-Government-Kuwait-Coup-WP.pdf How to Overthrow a Government Chris Rock Founder and CEO, Kustodian Direct from the mind of the guy who brought you the "I will kill you" presentation at DEF CON 23, is another mind bending, entertaining talk. This time it’s bigger and badder than before. Are you sick and tired of your government? Can’t wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions then this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself. Find out how over the last 60 years, governments and resource companies have been directly involved in architecting regime changes around the world using clandestine mercenaries to ensure deniability. This has been achieved by destabilizing the ruling government, providing military equipment, assassinations, financing, training rebel groups and using government agencies like the CIA, Mossad and MI-5 or using foreign private mercenaries such as Executive Order and Sandline. Working with Simon Mann, an elite ex SAS soldier turned coup architect who overthrew governments in Africa, Chris Rock will show you how mercenary coup tactics can be directly applied to digital mercenaries to cause regime changes as the next generation of "Cyber Dogs of War". Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt.
This will include taking ownership of all facets of government including finance, telecommunications, transportation, commercial companies and critical infrastructure such as power, water and oil. You will learn:
• Traditional military mercenary coup tactics used by the infamous 32 Battalion in Africa, Executive Order and Sandline that can be directly applied to a cyber mercenary regime change.
• How to architect a cyber coup using advisors, hackers and the general populace, using misinformation, professional agitators, false information and financing.
• How to gather intelligence to analyze a government’s systemic weaknesses on financial, societal values and political climates that is leader or country specific to structure your attack.
• How to identify and prioritize government resources, infrastructure and commercial companies and how to use these compromised assets to stage the coup.
• Combine physical and digital techniques and have the best of both worlds to own a country's infrastructure.
• How to manipulate the media using propaganda targeting journalists' flawed multiple "source" rules for a story.
• The grand finale of a cyber regime change on a real country from beginning to end using the above techniques with operational footage.
Come to this talk and find out how you too can be your own dictator, benevolent or merciless; that part is up to you. Chris Rock, who presented "I will kill you" at DEF CON 23, has been active in the security industry for the last 20 years and is the founder and CEO of Kustodian, a specialized security company that specializes in Security Operations Centres, Penetration testing and independent research. Kustodian is an Australian, Middle East and Hong Kong registered company that has been operational for over 10 years. Chris has also spent 12 years in the banking sector and provides security services around the world for small, medium and large companies.
Chris Rock also created SIEMonster, an open source, scalable, free Security Incident and Event Management (SIEM) as a commercial alternative to Splunk, ArcSight and AlienVault. SIEMonster can be run on Amazon AWS or Virtual machines and details can be found on www.siemonster.com. Twitter: @_kustodian_ Facebook
-
65
Willa Cassandra Riggins (abyssknight) - Esoteric Exfiltration
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Willa-Riggins-Esoteric-Exfiltration-UPDATED.pdf Esoteric Exfiltration Willa Cassandra Riggins (abyssknight) Penetration Tester, Veracode When the machines rise up and take away our freedom to communicate we're going to need a way out. Exfiltration of data across trust boundaries will be our only means of communication. How do we do that when the infrastructure we built to defend ourselves is the very boundary we must defeat? We use the same pathways we used to, but bend the rules to meet our needs. Whether it's breaking protocol, attaching payloads, or pirating the airwaves we'll find a way. We'll cover using a custom server application to accept 'benign' traffic, using social and file sharing to hide messages, as well as demo some long range mesh RF hardware you can drop at a target for maximum covert ops. Willa Cassandra Riggins is a penetration tester at Veracode, and was previously part of the Lockheed Martin CIS Red Team. She started her career as a developer and pivoted into security to help fight the pandemic that is developer apathy. Her background spans the software development lifecycle, but her heart is in root shells and crown jewels. She can be found making things at FamiLAB in Orlando, hacking at the local DC407 meet-ups, staffing the socials at BSides Orlando, and marketing all the things at OWASP Orlando. Twitter: @willasaywhat
-
64
Regilero - Hiding Wookiees in HTTP - HTTP smuggling is a thing we should know better and care about
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Regilero-Extras https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Regilero-Hiding-Wookiees-In-Http.pdf Hiding Wookiees in HTTP - HTTP smuggling is a thing we should know better and care about regilero DevOp, Makina Corpus HTTP is everywhere, everybody wants to write an HTTP server. So I wrote mine :-) But mine is not fast, and comes with an HTTP client which sends very bad HTTP queries. My tool is a stress tester for HTTP servers and proxies, and I wrote it because I found flaws in all HTTP agents that I have checked in the last year, i.e. nodejs, golang, Apache httpd, FreeBSD http, Nginx, Varnish and even Haproxy. This presentation will try to explain how flaws in HTTP parsers can be exploited for bad things; we'll play with HTTP to inject unexpected content in the user's browser, or perform actions in his name. If you know nothing about HTTP it should be understandable, but you'll have to trust me blindly at the end. If you think you know HTTP, you have no reason to avoid this talk. Then, the short part, I will show you this new Open Source stress tool that I wrote and hope that you will remember it when you write your own HTTP parser for your new f** language. regilero is a DevOp, and this started far before this term. Twenty years in open source as web developer, sysadmin, web security training, database performance, tuning, audits. Took some time to be the apache top responder on Stack Overflow, some stuff on SaltStack, made two daughters also. HTTP was the missing piece; like everyone he uses it every day, but never took the time to really test the HTTP tools. Last year he started checking... and found some interesting issues. Twitter: @regilero
-
63
Plore - Side-channel Attacks on High-security Electronic Safe Locks
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Plore-Side-Channell-Attacks-High-Security-Locks-UPDATED.pdf Side-channel Attacks on High-security Electronic Safe Locks Plore Hacker Electronic locks are becoming increasingly common on consumer-grade safes, particularly those used to secure guns. This talk explores vulnerabilities of several UL-listed Type 1 "High Security" electronic safe locks. Using side-channel attacks, we recover the owner-configured keycodes on two models of these locks from outside of locked safes without any damage to the locks or safes. Discussion includes power-line analysis, timing attacks, and lockout-defeat strategies on embedded devices. An embedded software developer with a background in electrical engineering, Plore has long been fascinated by computer security and locks. One day he found himself wondering if the trust bestowed on electronic locks was actually misplaced. He decided to investigate.
-
62
Panel - Ask the EFF
Ask the EFF Kurt Opsahl Deputy Executive Director, General Counsel, EFF Nate Cardozo Senior Staff Attorney, EFF Andrew Crocker Staff Attorney, EFF Dr. Jeremy Gillula Staff Technologist, EFF Eva Galperin Global Policy Analyst, EFF Katitza Rodriguez International Rights Director, EFF Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you. KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz.
Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors. NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood. ANDREW CROCKER is a staff attorney on the Electronic Frontier Foundation’s civil liberties team. He focuses on EFF’s national security and privacy docket, as well as the Coders' Rights Project. While in law school, Andrew worked at the Berkman Center for Internet and Society, the American Civil Liberties Union’s Speech, Privacy, and Technology Project, and the Center for Democracy and Technology. He received his undergraduate and law degrees from Harvard University and an M.F.A. in creative writing from New York University. His interests include Boggle and donuts. DR. JEREMY GILLULA is a Staff Technologist at the Electronic Frontier Foundation where he focuses on a wide variety of tech policy topics including net neutrality, big data, mobile privacy, and privacy issues associated with drones and autonomous vehicles.
At a young age Jeremy was sidetracked from his ultimate goal of protecting digital civil liberties by the allure of building and programming robots. He went to Caltech for undergrad, where he spent four years participating in the DARPA Grand Challenge, a competition to create a vehicle capable of traversing the desert autonomously. He then got his PhD in computer science from Stanford University, where his research focused on the design and analysis of algorithms for guaranteeing the safety of systems that employ machine learning and other AI techniques in an online fashion. EVA GALPERIN is EFF's Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills. KATITZA RODRIGUEZ is EFF's international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross border data flows. Her work in EFF's International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF's growing Latin American programs. She is an advisor to the UN Internet Governance Forum (2009-2010), and a member of the Advisory Board of Privacy International. Before joining EFF, Katitza was director of the international privacy program at the Electronic Privacy Information Center in Washington D.C., where amongst other things, she worked on The Privacy and Human Rights Report, an international survey of privacy law and developments.
Katitza is well known to many in global civil society and in international policy venues for her work at the U.N. Internet Governance Forum and her pivotal role in the creation and ongoing success of the Civil Society Information Society Advisory Council at the Organisation for Economic Co-operation and Development, for which she served as the civil society liaison while at EPIC from 2008 to March 2010. Katitza holds a Bachelor of Law degree from the University of Lima, Peru. Katitza's twitter handle is @txitua.
-
61
Dan ‘AltF4’ Petro - Game over, man! – Reversing Video Games to Create an Unbeatable AI Player
Game over, man! – Reversing Video Games to Create an Unbeatable AI Player Dan ‘AltF4’ Petro Security Associate, Bishop Fox "Super Smash Bros: Melee." - Furrowed brows, pain in your thumbs, trash talk your Mom would blush to hear. That sweet rush of power you once knew as you beat all the kids on your block will be but a distant memory as SmashBot challenges you to a duel for your pride — live on stage. SmashBot is the Artificial Intelligence I created that plays the cult classic video game Smash Bros optimally. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, remorse, or fear. This final boss won't stop until all your lives are gone. What started as a fun coding project in response to a simple dare grew into an obsession that encompassed the wombo-combo of hacking disciplines including binary reverse engineering, AI research, and programming. When not used to create a killer doomsday machine, these same skills translate to hacking Internet of Things (IoT) devices, developing shellcode, and more. Forget about Internet ending zero-day releases and new exploit kits. Come on down and get wrecked at a beloved old video game. Line up and take your turn trying to beat the AI yourself, live on the projectors for everyone to see. When you lose though, don't run home and go crying to yo Momma. Dan Petro is a Security Associate at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application and network penetration testing. He has presented at numerous conferences, including Black Hat USA, DEF CON, HOPE, BSides, and ToorCon. He has also been a featured guest speaker at Arizona State University, South Mountain Community College, and the Dark Reading University series. Dan has been quoted in various industry and mainstream publications such as Business Insider, Wired, The Guardian, and Mashable among others.
He is widely known for the tools he has created: the Chromecast-hacking device, the RickMote ContRoller, and Untwister, a tool used for breaking pseudorandom number generators. He also organizes Root the Box, a capture the flag security competition. Additionally, Dan often appears on local and national news to discuss topical security issues. Dan holds a Master’s Degree in Computer Science from Arizona State University and doesn’t regret it.
-
60
Radia Perlman - How to Design Distributed Systems Resilient Despite Malicious Participants
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Radia-Perlman-Resilience-Despite-Malicious-Pariticpants.pdf How to Design Distributed Systems Resilient Despite Malicious Participants Radia Perlman EMC Fellow Often distributed systems are considered robust if one of the components halts. But a failure mode that is often neglected is when a component continues to operate, but incorrectly. This can happen due to malicious intentional compromise, or simple hardware faults, misconfiguration, or bugs. Unfortunately, there is no single add-on to designs that will fix this case. This talk presents three very different systems and how they each handle resilience despite malicious participants. The problems, and the solutions, are very different. The important message of this talk is that there is no one solution, and that this case must be considered in designs. Radia Perlman is a Fellow at EMC. She has made many contributions to the fields of network routing and security protocols including robust and scalable network routing, spanning tree bridging, storage systems with assured delete, and distributed computation resilient to malicious participants. She wrote the textbook Interconnections, and cowrote the textbook Network Security. She holds over 100 issued patents. She has received numerous awards including lifetime achievement awards from ACM's SIGCOMM and USENIX, election to the National Academy of Engineering, induction into the Internet Hall of Fame, and induction into the Inventors Hall of Fame. She has a PhD from MIT.
-
59
Guevara Noubir and Amirali Sanatinia - Honey Onions: Exposing Snooping Tor HSDir Relays
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Guevara-Noubir-Amirali-Sanatinia-Honey-Onions-Exposing-Snooping-Tor-Hsdir-Relays-WP.pdf https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Guevara-Noubir-Amirali-Sanatinia-Honey-Onions-Exposing-Snooping-Tor-Hsdir-Relays.pdf Honey Onions: Exposing Snooping Tor HSDir Relays Guevara Noubir Professor, College of Computer and Information Science, Northeastern University Amirali Sanatinia PhD candidate, College of Computer and Information Science, Northeastern University Tor is a widely used anonymity network that protects users' privacy and identity from corporations, agencies and governments. However, Tor remains a practical system with a variety of limitations, some of which were indeed exploited in the recent past. In particular, Tor's security relies on the fact that a substantial number of its nodes do not misbehave. Previous work showed the existence of malicious participating Tor relays. For example, there are some Exit nodes that actively interfere with users' traffic and carry out man-in-the-middle attacks. In this work we expose another category of misbehaving Tor relays (HSDirs) that are integral to the functioning of the hidden services and the dark web. The HSDirs act as the DNS directory for the dark web. Because of their nature, detecting their malicious intent and behavior is much harder. We introduce the concept of honey onions (honions), a framework to detect misbehaving Tor relays with HSDir capability. By setting up and deploying a large scale honion over Tor for more than 72 days, we are able to obtain lower bounds on misbehavior among HSDirs. We propose algorithms to both estimate the number of snooping HSDirs and identify them, using optimization and feasibility techniques. Our experimental results indicate that during the period of our work at least 110 such nodes were snooping information about hidden services they host.
We reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback. Furthermore, we provide the geolocation map of the identified snooping Tor HSDirs. Guevara Noubir holds a PhD in Computer Science from EPFL and is currently a Professor at Northeastern University. His research focuses on privacy and security. He is a recipient of the National Science Foundation CAREER Award (2005). He led the winning team of the 2013 DARPA Spectrum Cooperative Challenge. Dr. Noubir held visiting research positions at Eurecom, MIT, and UNL. He served as program co-chair of several conferences in his areas of expertise such as the ACM Conference on Security and Privacy in Wireless and Mobile Networks, and IEEE Conference on Communications and Network Security. He serves on the editorial board of the ACM Transactions on Information and Systems Security, and IEEE Transactions on Mobile Computing. Amirali Sanatinia is a Computer Science PhD candidate at Northeastern advised by Professor Guevara Noubir, and holds a Bachelors degree in CS from St Andrews University. His research focuses on cyber security and privacy, and was covered by venues such as MIT Technology Review and ACM Tech News. He is also the OWASP Boston NEU Student chapter founder and leader.
-
58
Marc Newlin - MouseJack: Injecting Keystrokes into Wireless Mice
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Marc-Newlin-MouseJack-Injecting-Keystrokes-Into-Wireless-Mice-UPDATED.pd.pdf https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Marc-Newlin-MouseJack-Injecting-Keystrokes-Into-Wireless-Mice-WP-UPDATED.pdf MouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin Security Researcher, Bastille Networks What if your wireless mouse was an effective attack vector? Research reveals this to be the case for mice from Logitech, Microsoft, Dell, Lenovo, Hewlett-Packard, Gigabyte, and Amazon. Dubbed 'MouseJack', this class of security vulnerabilities allows keystroke injection into non-Bluetooth wireless mice. Imagine you are catching up on some work at the airport, and you reach into your laptop bag to pull out your phone charger. As you glance back at your screen, you see the tail end of an ASCII art progress bar followed by your shell history getting cleared. Before you realize what has happened, an attacker has already installed malware on your laptop. Or maybe they just exfiltrated a git repository and your SSH keys. In the time it took you to plug in your phone, you got MouseJacked. The attacker is camped out at the other end of the terminal, equipped with a commodity USB radio dongle and a directional patch antenna hidden in a backpack, and boards her plane as soon as the deed is done. The reality of MouseJack is that an attacker can inject keystrokes into your wireless mouse dongle from over 200 meters away, at a rate of up to 7500 keystrokes per minute (one every 8ms). Most wireless keyboards encrypt the data going between the keyboard and computer in order to deter sniffing, but wireless mouse traffic is generally unencrypted. The result is that wireless mice and keyboards ship with USB dongles that can support both encrypted and unencrypted RF packets. 
A series of implementation flaws makes it possible for an attacker to inject keystrokes directly into a victim's USB dongle using easily accessible, cheap hardware, in most cases only requiring that the user has a wireless mouse. The majority of affected USB dongles are unpatchable, making it likely that vulnerable computers will be common in the wild for the foreseeable future. This talk will explain the research process that led to the discovery of these vulnerabilities, covering specific tools and techniques. Results of the research will be detailed, including protocol behavior, packet formats, and technical specifics of each vulnerability. Additional vulnerabilities affecting 14 vendors are currently in disclosure, and will be revealed during this talk. Marc is a security researcher and software engineer at Bastille Networks, where he focuses on RF/IoT threats present in enterprise environments. He has been hacking on software defined radios since 2013, when he competed as a finalist in the DARPA Spectrum Challenge. In 2011, he wrote software to reassemble shredded documents for the DARPA Shredder Challenge, finishing the competition in third place out of 9000 teams. Twitter: @marcnewlin
-
57
Mike - Use Their Machines Against Them: Loading Code with a Copier
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Mike-Rich-Extras https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Mike-Rich-Use-Their-Machines-Against-Them-WP.pdf https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Mike-Rich-Use-Their-Machines-Against-Them.pdf Use Their Machines Against Them: Loading Code with a Copier Mike Principal Cyber Security Engineer, The MITRE Corporation We've all worked on ‘closed systems’ with little to no direct Internet access. And we've all struggled with the limitations those systems put on us in the form of available tools or software we want to use. I didn't like struggling, so I came up with a method to load whatever I wanted on to a closed system without triggering any common security alerts. To do this I had to avoid accessing the Internet or using mag media. In the end all I needed was an office multi-function machine and Excel. It's all any insider needs. For my presentation and demo, I'll show you how I delivered a select group of PowerSploit tools to a clean, isolated machine. Of course, Excel has been known as a vector for macro viruses for quite some time and some of the techniques--such as hex-encoding binary data and re-encoding it on a target machine--are known binary insertion vectors, but I have not found any prior work on an insider using these techniques to deliver payloads to closed systems. You'll leave my presentation knowing why Excel, umm, excels as an insider attack tool, how to leverage Excel features to load and extract arbitrary binary data from a closed network, and what to do if this really frightens you. Mike has over 20 years' experience in the military. He has been part of everything from systems acquisition, to tactical intelligence collection, to staff work, to leading a unit dedicated to data loss prevention. He recently retired from active military service and is now working as a systems security engineer.
This is Mike's first security conference presentation and will also be the first public release of a tool he has written. Mike has previously published twice in 2600 magazine. Mike is super proud of his OSCP certification. He's also a CISSP. Twitter: @miketofet
-
56
Sean Metcalf - Beyond the MCSE: Red Teaming Active Directory
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Sean-Metcalf-Beyond-The-MCSE-Red-Teaming-Active-Directory-UPDATED.pdf Beyond the MCSE: Red Teaming Active Directory Sean Metcalf Founder & Security Principal, Trimarc Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn't know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk. Let's go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics. Sean Metcalf is founder and principal security consultant at Trimarc (www.TrimarcSecurity.com), an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released.
He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org. Twitter: @PyroTek3
-
55
Salvador Mendoza - Samsung Pay: Tokenized Numbers, Flaws and Issues
Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Salvador-Mendoza-Samsung-Pay-Tokenized-Numbers-WP.pdf https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Salvador-Mendoza-Samsung-Pay-Tokenized-Numbers.pdf Samsung Pay: Tokenized Numbers, Flaws and Issues Salvador Mendoza Student & Researcher Samsung announced many layers of security for its Pay app. Without storing or sharing any type of user's credit card information, Samsung Pay is trying to become one of the most secure approaches offering functionality and simplicity for its customers. This app is a complex mechanism which has some limitations relating to security. It uses random tokenized numbers and implements Magnetic Secure Transmission (MST) technology, which do not guarantee that every token generated with Samsung Pay would be applied to make a purchase with the same Samsung device. That means that an attacker could steal a token from a Samsung Pay device and use it without restrictions. Inconvenient but practical is that Samsung's users could utilize the app in airplane mode. This makes it impossible for Samsung Pay to have a full control process of the tokens pile. Even when the tokens have their own restrictions, the tokenization process gets weaker after the app generates the first token relating to a specific card. How random is a Spay tokenized number? It is really necessary to understand how the tokens heretically share similarities in the generation process, and how this affects the end users' security. What are the odds to guess the next tokenized number knowing the previous one? Salvador Mendoza is a college student & researcher. @netxing Keybase.io: http://keybase.io/salvador