Keynotes (50 Minute)
- Christopher Valasek - "The Ghost of Security Past"
- Abstract: Automotive security is now part of public dialog, with researchers continuing to investigate, media outlets reporting, and even United States Senators voicing concern over vehicle security. The first portion of this presentation will give insight into the current state of automotive security by showing how it stacks up against software security of 10+ years ago. The last portion of the talk will attempt to convince more researchers to enter the automotive security arena by showing how to get started with tools and techniques while fielding questions from the audience. As always, make sure to stay until the end for a special bit of information.
- Bio: Christopher Valasek serves as Director of Vehicle Security Research at IOActive, an industry leader in comprehensive computer security services. In this role, Valasek is responsible for guiding IOActive’s vehicle security research efforts. He is also heavily involved in bleeding-edge automotive security research.
Valasek specializes in offensive research methodologies with a focus on reverse engineering and exploitation. Known for his extensive automotive field research, Valasek was one of the first researchers to discuss automotive security issues in detail. His release of a library to physically control vehicles through the CAN bus garnered worldwide media attention. Valasek is also known for his exploitation and reverse engineering of Microsoft® Windows. As a Windows security subject matter expert, he is quoted in several technology publications and has given presentations on the subject at a number of conferences. He is also the Chairman of SummerCon, the oldest US hacker conference.
- Tod Beardsley && egypt - "Wanna Cyber?"
- Abstract: In this talk, Metasploit collaborators Tod Beardsley and James "Egypt" Lee will discuss the practical considerations of "Cyber Warfare." In the wake of the Sony debacle, the mainstream media of late 2014 through today invariably ask the question, "Is this latest breach a crime, or an act of war?" Egypt and Tod will examine this fundamental question in depth, and consider the ramifications of the answers. Does an active cyberwar inform and influence how network defenses are designed and implemented? How is the art of penetration testing advancing the state of wartime preparedness? How do we get a globally shared Internet on a war footing, or is it already? How do the criminal justice systems align with the need for cultivating offensive and defensive expertise? How does anyone "win" a cyberwar?
- Bio0: Tod Beardsley is the Engineering Manager for the Metasploit Project, the world-renowned open source penetration testing platform. He has over twenty years of hands-on security knowledge, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT Ops and IT Security positions in large footprint organizations such as 3Com, Dell, and Westinghouse. Today, he is passionate (some might say militant) about open source software development, open source security research, and data liberation. He can often be found on Freenode IRC and Twitter as "todb."
- Bio1: egypt is a software developer for Rapid7 where he hacks things with the Metasploit Framework. Before coming to Rapid7, he was a Cybersecurity researcher for Idaho National Laboratory where he discovered numerous vulnerabilities in SCADA and Industrial Control Systems. egypt has presented at Defcon, BSidesLV, Blackhat, Derbycon and other venues. Note that egypt is not Egypt. The two can be distinguished easily by their relative beards -- Egypt has millions, while egypt only has the one.
- Jack Daniel - "InfoSec: What we know, and what we need to know."
- Abstract: Although a new and continually evolving field, we have learned a lot about securing systems, and we've defined many of the remaining challenges. Unfortunately, we often find ourselves re-learning the same lessons over and over. In this presentation a number of studies and reports from the past 50 years of infosec will be reviewed and the results examined for the things they show us: both the known and the unknown. With the goal of growing infosec beyond our seemingly eternal state of infancy, this discussion will embrace some common beliefs and eviscerate others. This talk is intended to spur conversations, reflection, and heavy drinking.
- Bio: Jack Daniel, Strategist for Tenable Network Security, has over 20 years’ experience in network and system administration and security, and has worked in a variety of practitioner and management positions. A technology community activist, he supports several information security and technology organizations. Jack is a co-founder of Security BSides, serves on the boards of three Security BSides non-profit corporations, and helps organize Security B-Sides events. An early member of the information security community on Twitter, @jack_daniel is an active and vocal Twitter user. Jack is a reluctant CISSP, holds CCSK, and is a Microsoft MVP for Enterprise Security.
FULL Length (50 Minute)
- Jon Callas - "Everything You Need to Know About Crypto in 50 minutes"
- Abstract: We all know that crypto is hard. It's now a cliché. But thinking about crypto effectively is not hard. Did you pass notes with your friends in elementary school? Keep a secret notebook? Then you have a background appropriate to the task. In this roller coaster of a talk, I'll cover what crypto works, what doesn't work, the basic components and how they're put together. I can't tell you how to build a cryptosystem in fifty minutes, but can give you the basics of how it all works. Think of this as a workshop in high-performance driving, as opposed to mechanical engineering.
- Bio: Jon Callas is a cryptographer, software engineer, and entrepreneur. He is the co-author of many crypto and security systems including OpenPGP, DKIM, ZRTP, Skein, and Threefish. He has co-founded several startups including PGP, Silent Circle, and Blackphone. He has worked on security and crypto for Apple, Tesla, Kroll-O'Gara, Counterpane, and Entrust. He is fond of Leica cameras, Morgan sports cars, and Birman cats.
- Kevin Bong - "Building a Poor Man’s RFID Cloner"
- Abstract: The HID Proxcard continues to be a very popular RFID access card solution, despite its inherent weaknesses. RFID cloners such as the Proxmark and RFIDler are expensive. Kevin will show how an inexpensive RFID lock, an RFID tag, an Arduino and a few electronic components can be used to create an HID Proxcard reader and spoofer. In addition to the “how to” portion, the talk will cover “how it works,” including topics such as RF signals, RFID communications and advanced features of the Arduino’s Atmega processor chip utilized in the project. This will be all new material that builds upon the hardware hacking basics talk Kevin previously presented at THOTCON 0x5.
- Bio: Kevin is a Manager at 403 Labs focusing on information security and compliance issues faced by financial institutions. Kevin is the creator of the MiniPwner, a pocket-size penetration testing device used to get remote access to a network. He’s also an author, instructor and a speaker at conferences like RSA, DerbyCon, Security BSides and WACCI.
- Matias Brutti - "Cartero - Another Social Engineering Framework"
- Abstract: As we keep reading in the news, Social Engineering remains one of the most important threats to information security. We can build secure systems and keep environments patched, and still have them bypassed by tricking people into performing tasks or even disabling security features for us. Because of this, I still perform research into new attack vectors and ways to compromise people by means of social engineering and social networks. In this presentation we will discuss a new tool called Cartero. Cartero is a modular Social Engineering Framework divided into simple-to-use CLI commands that perform independent tasks. During the talk we will introduce the tool, talk about a few commands, and show how it integrates with other tools.
- Bio: Matias Brutti is a Hacker at a startup, where he brings his hardcore Argentinean love of hacking and applies it with a smooth hand. A man of class, when he’s not using his intimidating mental prowess on the job, he likes to kick back with some Ghost in the Shell, a nice Malbec, and only the finest Argentinean meat or sushi. Matias performs penetration testing, code reviews, social engineering, and web application testing, identifies system vulnerabilities, and designs custom security solutions for clients in cloud, software development, telecommunications, and financial services. Not to toot his own horn, but he’s also been a featured speaker at such prestigious events as Microsoft’s Bluehat Security Briefings, Baythreat, Toorcon Seattle, EkoParty, and various BSides conferences, among others.
- Nick Espinoza - "Week to Weak: Weaponization of Vulnerabilities"
- Abstract: We conducted research into how quickly vulnerabilities are turned into detected exploits and categorized the results by products and technologies. We used 188 vulnerability/exploit pairs as our dataset, based on Open-Source Intelligence (OSINT) information culled from the open web.
- Bio: Nicholas Espinoza is an engineer who works in the defense and information security space. He has spent his time trying to understand the world’s toughest problems, building the next generation of threat analysis platforms, and training analysts at a range of law enforcement, intel, and fortune 500 organizations. Espinoza now tinkers at Recorded Future after time engineering in the IC and at Palantir Technologies.
- FuzzyNop - "Pwning People Personally"
- Abstract: As the meaty corporate network dissipates into the free range organic vegan cloud based tofu that is most Silicon Valley startups, Red Teaming engagements rely more on attacks that target users in a personal way. In this talk I'll share some tips, tricks, and tales of how high interaction with select users becomes the best way to bypass modern security controls.
- Bio: FuzzyNop is a computer who knows how to computer.
- Rob Havelt - "The Bad, The Worse, and The Ugly - No Hope for POS Security"
- Abstract: This two-part presentation provides a detailed overview of many of the issues surrounding Point of Sale system security. The first part of this presentation highlights those implementation problems that make point of sale systems so very easy to compromise in the first place. This will be done using multiple real world examples and scenarios involving even supposedly "secure" point of sale and cashless payment systems at large restaurant chains, retail environments, grocery chains, and other environments. Once we have established the ease of compromising these systems, and how these implementation issues can subvert even the best security controls on the PoS systems themselves, the focus will shift to malware commonly used in PoS compromises. Using examples found in the wild, the talk will demo certain malware, and discuss analysis of the same.
- Bio: Rob Havelt is a director in McGladrey's Security and Privacy services division and the national leader for security testing services. Formerly a bourbon-fueled absurdist, raconteur, and man about town, currently a sardonic workaholic occasionally seeking meaning in the finer things in life. I enjoy lifting, carrying, dragging, and throwing impossibly heavy items, and most of the time, breaking electronic things.
- Ryan Linn - "Vomiting Shells: Tracking the Splatter Patterns"
- Abstract: Penetration testers and attackers alike use tools without understanding the impact or what is left behind. This presentation will look at a variety of different methodologies for delivering shells and then track the artifacts that are left behind. For attackers, we will be discussing some additional ways to limit your footprint. For defenders, we will highlight common areas for review and show patterns for a number of the most common ways of achieving shells. Along the way we will highlight the IOCs that will help defenders more easily identify the tools and methodologies used for attacks, as well as ways to limit their impact.
- Bio: Ryan has more than 15 years of experience in Information Security. He has worked as a Technical Team Leader, Database Administrator, Windows and UNIX Systems administrator, Network Engineer, Web Application developer, Systems programmer, Information Security Engineer, and is currently a Principal Consultant at Nuix.
- Brandon Myers && Jonathan Claudius - "Trojaned Gems - You can’t tell you’re using one!"
- Abstract: Dependence on software libraries and frameworks continues to grow. More scrutiny is being placed on reviewing the source code of these dependencies for security vulnerabilities, but little attention is being paid to software dependencies while in transit. In this talk, we will expose weaknesses in software delivery mechanisms and show how malicious software can be added/injected into popular software libraries during transit. We will also demonstrate the impact of these weaknesses using a newly developed tool and provide advice and guidance on defending against these attacks.
- Bio0: Brandon Myers is a Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has an interest in software development with a large focus on security. Brandon works in the SpiderLabs Research division as a member of the Vulnerability Assessment Team (VAT) where he helps develop the core engine for Trustwave’s Vulnerability Scanning Services.
- Bio1: Jonathan Claudius is a Lead Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 13 years of experience in IT with the last 11 years specializing in Security. At Trustwave, Jonathan works in the SpiderLabs Research Division as a member of the Vulnerability Assessment Team (VAT) where he develops the core engine for Trustwave's Vulnerability Scanning Services.
- Steve "nosteve" Ocepek - "Synspotting for Teenagers and Real Swinging Adults"
- Abstract: There are people that watch trains for a hobby, yet we still struggle to track what our own boxes are doing. Don't get me wrong, there's a bunch of great stuff out there to draw pretty pictures of cyberthingies, however most of it is boss entertainment and not suitable for adults and today's happenin' youth. Is it possible to "watch" our networks in some meaningful way, without getting overwhelmed? As a follow up to DC19's Blinkie Lights talk, this foray into the world of human-machine interactivity is focused on showing the entire internet by ASN using high fidelity ASCII art, viewable on any IBM-compatible display*. If you've used ssh-keygen, think of it as a randomart version of internet traffic. Or, if you've ever defragmented a hard drive, think of it as a cylinder map of internet networks. Or, if you don't know what ASCII art is, you don't know 8==D As part of this journey, we'll take a hard look at current visualization strategies and why a numeric grid makes sense in a world where GeoIP is a thing. The synspot tool will be released and demoed; its goal is to allow users to visualize what "normal" is, so that we can detect and research the stuff that seems bananas. Also, by comparing synspots, we can see what users have in common and how they differ. It's a new way of looking at data, and the perfect subject to discuss while intoxicated at THOTCON. * Not compatible with Hercules Monochrome
- Bio: nosteve is the leading authority on interactive psychostimulating visual light emitted and character-mode depictions of realtime interconnect activity. His books, "Detecting Cyber Terror using curl", "An Alcoholic's Guide to vim", and the landmark "Erotic ANSI: It's Not Just You" have been downloaded and indexed many times by automated bots. When not at THOTCON, Steve Ocepek works with a bunch of smart folks at SecureState in his hometown of Cleveland, Ohio.
- Jeremy Richards - "Firmware Vulnerability Analysis"
- Abstract: Bad code is everywhere and the tools to dig it up are maturing at an astonishing rate. The day of reckoning has come for device manufacturers who have neglected the adoption of secure development practices. Join us as we dive into firmware updates for many different devices and uncover undocumented 'recovery features' (backdoors), hardcoded accounts, direct URL access/permissions issues and buffer overflows.
- Bio: Jeremy is a vulnerability researcher for SAINT Corporation - performing research and uncovering weaknesses in a variety of technologies, and developing security software professionally for nearly a decade. These days he spends his time writing remote unauthenticated vulnerability checks by reverse engineering changes introduced by security patches and identifying the root cause. Jeremy has recently started developing a framework to extract data from firmware images and perform automated analysis. His research in this area has uncovered a compelling number of undocumented risks that impact a large number of devices and user environments.
TURBO Talks (25 Minute)
- Jayson E. Street - "BREAKING in BAD! (I’m the one who doesn’t knock)"
- Abstract: I’ve come to realize that while I may not do a lot of social engineering engagements, I do quite a few weird ones. I also seem to have three main roles I play (all adorably) to try to get into my target. I thought it would be cool to share at least a story from each one of these roles. Some have pictures, some just witty comments. More importantly, all three will come with ways that would have stopped me from being successful. The goal is not to show how ‘L337’ I am or these attacks are! Far from it; this talk is to show how EASY these attacks were to do and how every single attack has one common thread connecting all of them! Though you’ll have to see my talk to find out what that is! ;-)
- Bio: Jayson E. Street is an author of “Dissecting the hack: The F0rb1dd3n Network” from Syngress, and the creator of http://dissectingthehack.com. He has also spoken at DEFCON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street”. He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time’s persons of the year for 2006.
- admford - "Hacking Citizens United, or How to Influence Elections on a Budget"
- Abstract: Considering voter apathy and the sheer amount of noise from political ads during an election year, does a difference in election spending or donations received really matter all that much in polls between candidates? But other than massive donations, are there any other means to sway voters, and on a budget (with better ROI than Citizens United)? Tools like CryptoLockers hold people’s data hostage for money, but what about using them to defame a candidate, or forcing people to vote for a specific candidate in order to unlock their files? If news of this type of attack entered the mainstream, how would the polls and candidates react? The cost of distribution and control of the malware over a period of a year, up until the election date, would be more cost effective in creating a large change in polling values in a limited timespan when activated, possibly deciding a close election. As for prevention, can we stop such an attack before it happens?
- Bio: A simple person with too much free time at hand. Studying IT Sec in my free time, and Computing & Information Systems through the University of London.
- John Bambenek - "We Don't Need Another Damn Whitepaper: Going Kinetic on Cybercrime Networks on a Budget"
- Abstract: Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
- Bio: John Bambenek is a handler with the SANS Internet Storm Center and President of Bambenek Consulting and has 15 years’ experience in information security. He has participated in investigations and takedowns around the world, most recently with Operation Tovar, and develops custom threat intelligence tools to monitor and disrupt cyber crime. He has spoken at conferences around the world.
- Grant Bugher - "Detecting Bluetooth Surveillance Systems"
- Abstract: Departments of Transportation around the country have deployed "little white boxes" -- Bluetooth detectors used to monitor traffic speeds and activity. While they're supposedly anonymous, they detect a unique ID from every car and phone that passes by. In this presentation we'll explore the documentation on these surveillance systems and their capabilities, then build a Bluetooth detector and recorder out of less than $200 of open-source hardware and software, and turn it on the surveillance system itself to try to detect and map the detectors as well.
- Bio: Grant Bugher has been hacking things since the early 90's and working in information security for the last 10 years. He is currently a security architect for a cloud computing company, and has previously been a program manager and software engineer on a variety of developer tools and platforms. He is a prior speaker at BlackHat and DefCon. Most of his work and research is on cloud computing and storage platforms, application security, and defending web-scale applications.
- David Bryan - "Card skimming using a RaspberryPi"
- Abstract: I will be showing how you can do credit card skimming using a Raspberry Pi. I have created code that will display the cards on a TFT screen connected to the Raspberry Pi. I will be presenting a long range antenna design that can be used to read cards from up to 6” away.
- Bio: David has over 14 years of experience in the computer security industry. As an active participant he volunteers at DEFCON to support the NOC, and many other security conferences. In his spare time he co-runs the local DEFCON group, DC612, and helps run THOTCON as a board member and OPER. David’s day job mostly consists of breaking the computer security around networks and operating systems.
- Anthony Czarnik - "Being a Victim can be a Crime [Ain’t Losin’ Data a Breach?]"
- Abstract: Data scientists, heuristic analysis, APTs, ransomware; no doubt information security intrigues us with sexy wrapping. The unfortunate reality is that the bulk of a security engineer’s laborious task of protecting sensitive information is spent on basic blocking and tackling, while being bound by governmental and regulatory rules. Regardless of the lens through which you view your work, reducing information systems risk to an acceptable level is your job. That risk includes a legal aspect. My THOTCON session will prepare you for the challenges (and too often, the surprises) of legal risk. The most troubling legal challenge for Information Security and Risk Management teams has its roots in privacy law. Privacy law addresses both data protection and data breach notifications. Jurisdiction complexity compounds the legal challenge. I’ll elaborate using an extreme case such as a law firm with healthcare, banking and intellectual property practices. As their attorney, the law firm will be storing their clients’ customer/client/patient data [including personal identification information, financial information and healthcare information].
In the Information Age, doing business on the Internet results in customers that may well be geographically dispersed, sometimes even globally. From a governmental perspective, the law firm may have unique data breach notification requirements that encompass all 50 United States, Europe and the Pacific Rim. Privacy legislation is evolving beyond data breach notifications. As an example, Kentucky's new data protection law will also provide protection on how student data that is stored in the cloud may be used. Almost all of the United States have more than one new privacy law pending, and to further complicate your legal responsibilities, government is only one side of the jurisdictional complexity equation. An IT organization may also be scrutinized by one or more regulatory standards such as PCI, GLBA, HIPAA, CJIS or others, which are also on a trend towards stricter requirements. Once you’ve gained comprehensive knowledge of privacy law, you’ll need to integrate those legal requirements into your Incident Response Plan. On that note, after all you have invested in protecting sensitive data, I expect you will want to go for the throat of the guilty culprit. Just like our real world, “CSI cyber-space” must adhere to the legal requirements of the judicial system. Event logs are an excellent form of evidence during prosecution, but only if you’ve documented the chain of custody, including hash files that can prove your electronic evidence was not tampered with. Legal battles aren’t always us versus them. Employer – employee relationships include a legal perspective that cannot be overlooked. Providing employees with internet access is a double-edged sword. A lack of internet access is a huge turn off for most young employment candidates. Unfortunately, employers who open up their internet connection to employees may well be opening up Pandora’s Box.
Consider the potential for productivity to tank when an employee’s workspace becomes a virtual hang out with friends on Facebook. What legislation [if any] addresses employees posting sensitive corporate data or negative comments pointed at their employer on social networking sites? Freedom of speech? What is legally acceptable in a work contract? How can corporate policy prevent employee initiated corporate damage? Now consider that it’s a two way street: employers are beginning to demand candidate employees’ social networking credentials. Is this legal? GPS on your mobile device? Are you being tracked? Stalked? It is important that both employers and employees be aware of the legal aspect of internet activity and protection of sensitive data, while concurrently respecting privacy. What will the future hold? Is it possible that someday the company will be held liable if an employee doing personal banking on a corporate workstation over the company’s internet connection becomes the victim of fraud? Can an employee’s perception of the company’s “secure internet connection” result in the employer’s responsibility? If we still have time and the audience has interest, I will be prepared to address the significant increase in cybersquatting due to ICANN [The Internet’s governing body] promoting an influx of new top level domains. There are laws to protect your Web trademark [aka domain name]. Know them so your company can protect their hard earned, marketing investment. The legal vector intersects our information security endeavor at numerous touch points. During my THOTCON session I will address each point, while connecting the dots and thereby arming you with a holistic picture of the legal aspect of information security.
- Bio: Currently, Anthony Czarnik leads CzarTek [www.czartekinfosec.com], an information security and compliance firm, which he founded at the beginning of 2014. For SMB clients, CzarTek provides vCISO services, which include addressing clients’ legal IT risk. Major services include risk assessments and formal information security program development. Relevant to his proposed THOTCON presentation, Anthony develops incident response plans which address data breach notifications, FBI involvement and court-admissible electronic forensic evidence. For municipalities, CzarTek also provides CJIS [Criminal Justice Information Systems] compliance services. The CzarTek team includes security engineers and GRC consultants / auditors. They provide security controls testing [pen testing, etc.] and compliance services [ISO 27001/2 Certification Readiness Assessments, etc.]. Prior to CzarTek, Anthony led the security practice at Savid Technologies for five years. Mr. Czarnik recently completed a course on Cyber Law at John Marshall Law School. His thesis addressed the legal risk associated with information systems and sensitive data, including the effect of a data breach. The geographical scope comprehensively covered global personal information including government jurisdiction internationally down through each U.S. state. Data breach notifications, regulatory non-compliance fines and legal requirements for court admissible forensics evidence were also addressed. Anthony’s unique blend of education, experience, insight, professionalism [balanced with a dark side] makes him a natural fit for the THOTCON stage.
- Scott Erven && Adam Brand - "Medical Device Security: An Infectious Disease"
- Abstract: There is no question that medical devices save countless lives, but is insecure design or deployment of these devices putting patients at risk? Join us for an in-depth presentation on a three year research project that shows numerous medical devices and healthcare organizations are vulnerable to direct attack vectors that can impact patient safety and human life.
- Bio0: Scott Erven is a healthcare security visionary and thought leader with more than 15 years’ experience in information technology and security. He is currently an Associate Director with Protiviti, where he focuses on medical device and healthcare security. His research on medical device security has been featured in Wired and numerous media outlets worldwide. Mr. Erven has presented his research and expertise in the field internationally. He has been involved in numerous IT certification development efforts as a subject matter expert in information security. His current focus is on research that affects human life and public safety issues inside today’s healthcare landscape.
- Bio1: Adam Brand has more than 12 years’ experience in information technology and security. He is an Associate Director with Protiviti, where he has assisted companies in resolving major security incidents and maturing their information security programs. Adam has been heavily involved with the "I am The Cavalry" movement, a group of researchers focused on information security issues that can affect human life and safety. He has recently focused on medical device security and is actively engaging with healthcare organizations on this issue.
- Michael Goetzman - "GATTACA - Final Warning!"
- Abstract: You were warned in 1997 that a not-too-distant future was approaching. This dystopian future is here now due to rapid technological advances, much quicker than we initially imagined. These breakthrough DNA technologies are exposing your deepest darkest secrets. Who can see this information? What will they do with this information? Little does anyone know they are only one data breach away from public exposure.
- Bio: Michael Goetzman is an Information Security Specialist for Wheaton Franciscan Healthcare, a nonprofit collection of 18 hospitals employing over 22,000 associates. His responsibilities include the confidentiality of electronic medical records and general protection of sensitive data. [Quisque Aliquid Habet quod occultet] Michael earned his CISSP and holds a master's of science in management involving international studies in Havana, Cuba of healthcare related technologies. In his free time, Michael enjoys exotic rides in zeppelins, soaring in experimental planes, or piloting colorful hot air balloons. Michael believes in freedom of non-harmful information, the advancement of scientific research, and the individual imperative.
- Matthew Jakubowski && Jonathan Tomek - "Explore that which cannot be explored"
- Abstract: The world around you is not what it seems. (Of course it's not, we are hackers...) Our future is at stake and you must choose a side. (Green or Blue) Join our faction in Ingress - a global game of mystery, intrigue and conquest. (Why choose a side when you can dominate the globe?) Niantic's Ingress is a captivating game; over a million people globally play it on both Android and iPhone. Let's take a peek into how it works, and let's see what we can do with it. Wow, I am now a Level 16 Resistance player and a master of all. But wait, there's more... Watch as we show ways to bend time and space to appear in places where we physically don't exist. Let's see what possibilities XM truly has for us to unlock.
- Bio0: Matthew Jakubowski is allergic to sharks and bears. The wild Jaku roams the earth as a free soul (oh wait). One of the founders of MobileDisco and THOTCON.
- Bio1: Jonathan Tomek is figuring things out as he goes. Member of Mobiledisco and oh yeah, one of the founders of THOTCON.
- JP Smith - "Curry and TARTS: A new technique for avoiding side-channel attacks on cryptosystems"
- Abstract: Timing attacks are a huge problem for modern cryptosystems, having been successfully employed against AES, SSL, RSA, and many other cryptosystems we depend on to be secure. This talk presents a new method for writing code that is provably resistant to timing attacks using concepts from functional programming and type theory. This talk will go over some interesting pieces of math, crypto, and type theory and end up with a proof-of-concept provably constant-time program.
- Bio: JP is a student from Normal, Illinois. He is interested in the intersection of math, computer science, and security, especially areas like machine learning, cryptography, and functional programming. JP is heavily involved with Illinois State University's campus security club, ISUSEC, and is passionate about helping both learning and teaching new things, in security and otherwise. In his free time, he enjoys camping, biking, reading, and general adventures.
- Aamir Lakhani - "Killing them Softly – Hunting on DarkNet"
- Abstract: Researcher and security strategist Aamir Lakhani (known as Doctor Chaos) will dive into the hidden and shadowy world of the Deep Web. He will demonstrate how easy it is to reach the Deep Web through proxies and the Tor network. He will explore how easy it is, despite recent takedowns by law enforcement, to find service brokers, weapons, drugs, and other questionable services. The talk will showcase interaction with real attackers using techniques around malware, zero-day attacks, and social engineering to attack organizations. Learn how attackers plan sophisticated attacks to infiltrate organizations and steal intellectual property. Aamir Lakhani will conclude by showcasing cutting-edge research in cyber security that may be able to mitigate some of these risks. This includes advances in threat research, open intelligence, and big data.
- Bio: Aamir Lakhani is a cyber security researcher and practitioner with over 10 years of experience in the security industry. He is responsible for providing IT security solutions to major commercial and federal enterprise organizations. Lakhani has designed cyber solutions for defense and intelligence agencies, and has assisted organizations in defending themselves from active strike-back attacks perpetrated by underground cyber groups. Lakhani is considered an industry leader in support of detailed architectural engagements and projects on topics related to cyber defense, mobile application threats, malware and advanced persistent threat (APT) research.
- Pat Litke - "Giving a LUKS. Learning to encrypt your data properly."
- Abstract: LUKS and strong passwords are staples in many users' security toolkits, and they're excellent starts for the average security user. But these simply aren't adequate when faced with a potentially advanced adversary. Many tools and technologies exist that, when combined properly, can provide a very strong defense against these threats (spoiler alert: your encryption keys should never reside in RAM). This talk will be an exploration of disk and file encryption utilities, demonstrations of reasons to lose sleep at night, and an analysis of a myriad of tools and concepts to help the paranoid security freak rest easy.
- Bio: Pat Litke is a security researcher with Lookingglass. Litke most recently co-wrote, with Joe Stewart (Dell SecureWorks), the research paper BGP Hijacking for Cryptocurrency Profit, which they released during the 2014 BlackHat Security Conference. Litke also co-authored with Joe Stewart the research papers Cryptocurrency-Stealing Malware Landscape and Enterprise Best Practices for Cryptocurrency Adoption. He co-authored with Network Security Engineer David Shear a research blog focused on the hijack of Synology NAS boxes for Dogecoin mining. While attending Champlain College, Litke was a part of their CCDC (Collegiate Cyber Defense Competition) team.
- Freddy Martinez - "GSM Sucks: Detecting IMSI Catchers"
- Abstract: Reverse engineering IMSI Catchers remains a daunting task due to the overall secrecy surrounding them. In order to detect their presence, it's necessary to understand how GSM works and how IMSI Catchers exploit GSM weaknesses. I'll describe what a disruption to network topology looks like and how to detect it. This talk will focus mostly on an introduction to IMSI Catchers, with discussion of open legal questions related to our FOIA work. Finally, we'll see hardware and software solutions for detecting the presence of IMSI Catchers.
- Bio: Freddy has a background in physics and works as a SysAdmin. His current focus is on privacy issues, free and open source projects, FOIA and technical consultation to journalists.
- Whitney Merrill - "Hacking the CFAA: What You Need to Know, What’s Happening, and Where It’s Going."
- Abstract: Over the past few years, prosecutors have used the Computer Fraud and Abuse Act (CFAA) to indict individuals who exposed security vulnerabilities or used the Internet to engage in activism. This presentation will explain and discuss the CFAA in three parts. First, it will look at what the CFAA is, why it was passed into law, and where the problematic language of the statute lies. Second, it will look at the major CFAA cases from the past few years to examine how the courts and the government interpret the CFAA. Finally, the talk will discuss possible reforms to the CFAA presented by various organizations and individuals.
- Bio: Whitney Merrill (@wbm312) is an attorney and graduate student in computer science at the University of Illinois Urbana-Champaign specializing in information security, privacy, and Internet law. Her research focuses on Android privacy and the legal and usability issues surrounding encryption and information security. In 2014, Whitney co-founded and co-organized the Crypto & Privacy Village at DEF CON, and previously she interned at the Electronic Frontier Foundation.
- nkryptr - "MMORPG (Massively Multiplayer Online Real-world Political Gamechanging)"
- Abstract: Tired of watching clueless Washington insiders run roughshod over your industry? Had enough of seeing the same internet censorship battles fought over and over again? Suffering from outrage fatigue? Join us for a concise explanation of our (U.S.) public policy system without jargon or legalese. We will identify the players, objectives, vulnerabilities and exploits relevant to recent policy battles. Discover Boss-Level, practical strategies for MAKING THINGS HAPPEN. Level-Up with tools, tactics and techniques for effecting MAXIMUM CHANGE. CO-OP MODE! Learn to forge effective coalitions and execute AWESOME COMBO MOVES. PLAY ONLINE! Start a Revolution, or join one already in progress. Remember, you may not take an interest in politics, but politics takes an interest in YOU. (Recent legislative priorities expressed by the current administration may render your industry illegal. FYI.) (Void where prohibited by law. Actual change may require effort and potentially even cooperation. Some freedom of assembly required.)
- Bio: nkryptr is a seasoned veteran of grass-roots politics and an enthusiastic proponent of civic participation (for self-defense purposes). He is also a contract voice and data architect, a cypherpunk, and Director of Directory Services for Ninja Networks.
- Bruno Oliveira && Marcio Almeida de Macedo - "Bypassing the Secure Desktop Protections"
- Abstract: The Secure Desktop is a feature of the Windows API that creates a separate desktop in which to run programs/processes. This feature doesn't allow processes or programs running in other desktops to capture keystrokes or the screen. The Secure Desktop's primary difference from the User Desktop is that only trusted processes running as SYSTEM are allowed to run there (i.e. nothing running at the user's privilege level), and the path to get to the Secure Desktop from the User Desktop must also be trusted through the entire chain. Because of this main feature of the Secure Desktop, a lot of applications are developed using this protection to prevent malware from interacting with the user's input (keyloggers) or screen (screenloggers), thereby providing a secure environment for the application, where the main objective is protecting the end user from those well-known attacks. Like every feature, if it isn't well implemented, it can provide a false sense of security. If an application is running in a secure desktop, then using some tricks an attacker is able to "escape the sandbox" and run malicious programs in the secure desktop, bypassing the "Desktop Isolation Protection" and allowing those malicious programs to capture the keystrokes or screen. The main goal of this talk is to present some real world examples that use the secure desktop and show how to sniff the keystrokes or capture the screen in the secured desktops, bypassing the main feature of the Windows secure desktop. We will also discuss some possible solutions/workarounds that developers can apply in their software to avoid our attack.
- Bio0: Bruno Gonçalves de Oliveira is an MSc candidate at UTFPR, a computer engineer and a senior security consultant at Trustwave’s SpiderLabs, where his duties are mostly focused on offensive security, doing hundreds of penetration tests from common systems and environments to embedded and uncommon devices. Bruno loves fast German cars (a.k.a. BMWs), good ol' Jack and also stout/ale beers. He has previously spoken at Black Hat SP, Ekoparty, PasswordsCon, AppSec USA, THOTCON, SOURCE Boston, Black Hat DC, SOURCE Barcelona, DEFCON, Hack In The Box, ToorCon, You Sh0t the Sheriff and H2HC.
- Bio1: Marcio Almeida is a Security Consultant within the Application Security practice at Trustwave's SpiderLabs. He has a master's degree (UFPE) focusing on Web Application Security and has more than seven years of experience hacking stuff in app & net penetration tests. Marcio is also a Crypto Geek, E-Music Lover and a little bit crazy (who isn't?! :-P). He has previously spoken at BlackHat Regional Summit, You Sh0t the Sheriff, PasswordsCon Las Vegas, Ekoparty and Alligator Security Conference.
- Jim Rennie - "The Right to be Forgotten - Now the EU, Tomorrow the World?"
- Abstract: The Right to be Forgotten has grabbed headlines around the world. The EU has required Google to delete search results in order to protect the privacy of its citizens. What, exactly, is the Right to be Forgotten? Why does the right exist in the EU? Could a similar right be coming soon to the US? Learn all about this hot topic, and why the EU and US can't seem to agree about privacy.
- Bio: Jim Rennie is an attorney specializing in online privacy law. He has helped firms from start-ups to Fortune 500 companies with US, EU, and APAC privacy compliance issues. He has spoken on technology and law issues at many popular hacker conferences.
- Parker Schmitt && David Jordan - "Wireless Drone Strikes Episode II: Attack of the Drones!"
- Abstract: By popular demand, the drones are back and in force for Episode II: Attack of the Drones! This time with bigger payloads and better “payloads.” No longer limited to a cheap phantom with a pineapple, we’re also bringing custom drones built specifically for wifi hacking. So get out your gimbal-mounted directional antennas and get ready!
We will present new ideas on hacking wifi from drones in addition to the attacks from last year, including the 301 redirect attack (to defeat HSTS) and RADIUS attacks. But it’s time to go beyond ordinary wifi attacks with drones and try some fun remote exploits from this past year like Shellshock and WinShock. And we’ll take the coffee-shop flyover from last year and combine it with state-of-the-art aerial mapping technology to perform wireless surveys of a city. (Turns out these drones can get some serious range!) We’ll talk about how we ended up building these drones around open source hardware and software, securing drone control and communications, as well as easy ways to set up wifi attacks and create autonomous survey missions.
- Bio0: Parker Schmitt is currently working as a penetration tester and is working on some Network/Virtualization Management on the side along with the soon to be released Glassdoor Exfiltration Toolkit. He has made various contributions to Gentoo and the Gentoo-Hardened project (mostly in SELinux) and submitted some ebuilds (including Samba 4). In Gentoo he specializes in hardening layers (SELinux, PaX, GRSecurity), Virtualization, and Networking. He also loves mathematics, mathematical modeling, and is a serious crypto nerd. In the realm of security his interests include wifi attacks from drones, data exfiltration, and Linux hardening. Outside of security he loves flying airplanes and playing the piano.
- Bio1: By day David Jordan works on the brains of flying robots for fun and profit. By night he builds open source tools for filmmakers with the Novacut and Apertus projects. He enjoys hacking on collaborative systems, cameras, embedded systems, and computer vision. When he's not building robots, writing software, or indulging his read/write passion for cinema, David writes "slightly" nerdy books. His current series, ZHackers, follows engineers hacking their way through the zombie apocalypse.
- David Shaw - "How to Grow a Hacker"
- Abstract: It's hard to break into information security, and it can be even harder to improve your skills once you do. Despite being a competitive field, the infosec community is a very nurturing group -- if you know who to ask. This talk introduces the Information Security Growth Initiative (SecGrowth), a community-based effort to mentor new hackers, and master more difficult topics from advanced colleagues. The talk will cover why a program like SecGrowth is necessary, how it’s being implemented, and how you can get involved.
- Bio: David has extensive experience in many areas of information security. His career began in the trenches of perimeter analysis and external threat research for large financial institutions. After switching to offensive security, David joined Redspin to conduct application security assessments and network penetration tests. David is currently the Chief Technology Officer and Vice President of Professional Services at Redspin, specializing in Network and Application Security assessments, and managing a team of highly skilled engineers. David has particular interests in complex threat modeling and unconventional attack vectors, and has been a speaker at THOTCON, NolaCon, ToorCon, LayerOne, DEF CON, BSides Las Vegas, BSides Los Angeles and BSides Seattle.
- Johannes Stillig - "Compliance kills the security star - Why security standards kill security!"
- Abstract: Everyone is talking about security at the moment: POODLE, Sandworm, Heartbleed, etc. But still most companies only invest in security for the sake of being compliant with standard X, framework Y or regulation Z. Of course compliance is a big issue in regulated markets. But many breaches during the last two years show us that being compliant will make most of the bad guys out there laugh at you and your organization. By analysing some high-profile breaches down to a technical level, this talk aims to show how often the hunger for being compliant with certain standards leaves entire organizations exposed to attackers. This talk is meant as a sermon to return to the roots of security, to forget about fancy tools and buzzwords in security for a while, and to understand:
Being compliant does not equal being secure, but being secure often equals being compliant!
- Bio: Johannes Stillig has been addicted to IT security since he was fifteen, but had his first heart attack over TCP/IP when he accidentally screwed up the TCP/IP settings of his mum’s Windows 3.11 for Workgroups (a book from the library saved him from house arrest).
He currently manages red teaming / penetration testing and digital forensics engagements, while still enjoying getting his hands dirty with /bin/bash.
- Rob Weiss && John Eberhardt - "One Step Closer to the Matrix: Machine Learning and Augmented Reality in Networking Defense"
- Abstract: Network operations are constrained by three fundamental issues: i) a shortage of qualified personnel; ii) a complex operational environment; and iii) a sparse pattern recognition problem. Addressing these challenges requires technologies, tools, and methods that revisit how we look at network data and how we allow much broader groups of users to interact with this data intuitively in “cyber time.” Our goal is to allow any user – technical or otherwise – to interact with their network and network data just like they interact with the physical world. To achieve this, we combined streaming analytics and an immersive, intuitive user interface to show continuous real-time network data, allowing broad groups of personnel to do real-time anomaly discovery. Humans can “walk through” a network and its traffic to see “real” patterns in the network. By taking advantage of fundamental strengths in the human brain for sparse pattern recognition, we go beyond analytics and intrusion detection systems, allowing the human to be the final analytics engine. This opens the way to gamification of network operations, including concepts such as the crowdsourcing of network defense. Our approach uses four open-source components: i) an ingestion layer that uses a custom-built pluggable Python library; ii) a platform that consists of a data streaming layer (Apache Storm) for data processing and application layers that host parallel streaming analytics (Trident-ML); iii) a construct that creates a visual language of networking and supports interfacing between the platform and other services, such as the user interface; and iv) a streaming virtual world that provides users with an immersive, intuitive user experience. We will discuss and demonstrate our project on network service usage patterns in the context of network topology and user roles (e.g., is this user accessing applications and services in a pattern and manner consistent with their role in the organization?), and we will present and demonstrate the following: 1) A conceptual overview of our approach: machine learning, streaming analytics, augmented reality, the idea of crowdsourcing innovative solutions to network defense problems, and why this concept has the potential to radically alter how we look at networks. 2) A review of our system architecture, tools used, methods for developing the system and references to code repositories and resources (so you can build your own!). We will explain how network data flows in real time through the streaming analytics (Storm), gets scored by pattern mining algorithms (Trident-ML), flows through the construct and gets rendered in the 3D immersive environment via a visual language. 3) An online demonstration of the platform, showing how users can interact directly with network data and concepts in an immersive environment to identify anomalous behavior. We would also like to make system access available to conference attendees throughout the conference.
- Bio0: Rob Weiss is a senior systems engineer with over 24 years of experience in government and commercial markets. He started with Legos and is now a tool builder and problem solver. He currently runs the Altamira Red Team and performs information security research, looking for hard problems to solve.
- Bio1: John Eberhardt is a Data Scientist with 20 years of quantitative problem solving and a penchant for trying to decipher symbolism in obscure 16th century literature. John has experience in analytical problem solving in healthcare, life sciences, security, financial services, consumer products, and transportation.
- Robert Wood - "Threat Modeling in the Gaming Industry"
- Abstract: Modern games are complex pieces of software, running on multiple platforms across many different genres, and with a variety of player goals dependent on the game. Despite the complexity of modern games, many common security issues exist that we can identify and expand upon during the planning, development, and testing phases of the development process. Threat modeling is a security activity that maps threats and their respective attack vectors, assets, and controls to a system to help identify vulnerabilities and assist with secure system design. If you’re working with games then this talk will help you understand how issues around client-side logic, proprietary network protocols, user account management, and playing on an untrusted platform can impact the overall security and user’s experience. By addressing security issues during the design and development stages and then reinforcing them during testing, we can move the industry towards creating a more secure gaming experience.
- Bio: Robert Wood is a Technical Manager and the Red Team Practice Director at Cigital, with over 5 years of experience in a variety of roles including application security consultant, network penetration tester, red teamer, and digital forensics analyst. Robert has worked with organizations across a variety of verticals including gaming and entertainment, financial services, healthcare, ISVs, military, and defense. Specific to the gaming industry, Robert has performed comprehensive assessments on gaming consoles, mobile games, PC-based MMORPGs, online multiplayer console games, and a variety of game development frameworks. Robert’s experience in the gaming industry focuses on security from a holistic perspective, bridging his system design, embedded systems development, reverse engineering, and network security experience together. As a Technical Manager at Cigital, Robert has led and performed assessments that span the software development lifecycle and security operations, including but not limited to: secure code reviews, architecture risk analysis, penetration tests, and red team assessments.