Keynotes (50 Minute)
- Cory Doctorow - "The war on general purpose computing is an existential threat to infosec -- and the world"
- Abstract: The world is made out of computers. If we don't secure computers, we're toast. No one can agree on the best way to secure computers. But everyone can agree on the *worst* way to secure computers: ban independent security investigation; give companies a veto over who can warn their customers about defects in their products; criminalize reconfiguring computers, making users completely dependent on manufacturers' (often inadequate) patches. Unfortunately for the survival of our species, all our infosec policies are the *worst*. The Electronic Frontier Foundation has fought for the rights of coders and security researchers for more than a quarter century, back when no one else could figure out why this stuff mattered. We need your help -- for all our sakes.
- Bio: Cory Doctorow (craphound.com) is a science fiction author, activist, journalist and blogger, the co-editor of Boing Boing (boingboing.net) and the author of WALKAWAY, a novel for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN'T WANT TO BE FREE, and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER and novels for adults like RAPTURE OF THE NERDS and MAKERS. He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles.
- Wendy Nather - "TBA"
- Abstract: TBA
- Bio: Wendy Nather is Principal Security Strategist at Duo Security. She was formerly a CISO in the public and private sectors, led the security practice at independent analyst firm 451 Research, and helped to launch the Retail Cyber Intelligence Sharing Center in the U.S. A co-author of the Cloud Security Rules, she was listed as one of SC Magazine's Women in IT Security "Power Players" in 2014.
- Chris Wysopal - "TBA"
- Abstract: TBA
- Bio: Chris Wysopal is Veracode's CTO and co-founder. He is one of the original vulnerability researchers and an early member of L0pht Heavy Industries, which he joined in 1992. He is the author of netcat for Windows and one of the authors of L0phtCrack. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.
FULL Length (50 Minute)
- Keren Elazari - "Hackers: Still the Internet's Immune System?"
- Abstract: 4 years after my 2014 TED talk, I will take a fresh look at what has changed, and the many ways hackers (both friendly and malicious) are shaping the world we live in. We all know that cyber security is impacting our way of life - from autonomous cars, to webcams, medical devices, to the manipulation of political campaigns and global markets. But who's thinking about what's next? This talk will aim to inspire the audience to take action about the things that require our attention the most. Our future may be defined not just by our efforts to balance technology's benefits against the risks it brings with it - but also by how we evolve our paradigms and mindset about security, privacy and digital access to information.
- Bio: Keren Elazari, a former hacker turned cyber security expert, is an internationally celebrated speaker, researcher and author on all matters of cyber security. Her 2014 TED talk, viewed by millions, helped shape the global conversation about the role of hackers and the evolution of cyber security in the information age.
- Amit Serper (0xAmit) - "OSX.pirrit part III, or: I picked a fight with an adware company, they threatened to sue and we gave them the finger"
- Abstract: In 2016 I discovered a very aggressive adware/malware for Mac dubbed OSX/Pirrit. Pirrit was unlike any other adware I've seen before - it was escalating privileges to root, taking over your entire machine, abusing AppleScript to inject rogue JS code into browsers and slowing down the machine dramatically. I took it apart completely and even found the actual people behind it (right down to their names) due to some hilarious (no, really, hilarious!) opsec mistakes that they made. Then, in December of 2017 they released a new variant, changed their TTPs and AGAIN made some hilarious opsec mistakes which allowed me to tie it back to them again and write a report about it. Since they follow me on Twitter, the cease and desist letters didn't take long to arrive. In this talk I'll share the story of the malware, the hilarious opsec mistakes, and the 'behind the scenes' of what happened in the days before the report was published. If you ever wanted proof that the legal department of your company can be your friend - this is the talk for you.
- Bio: Security researcher doing anything from malware analysis to vulnerability and low-level research on anything with a CPU.
- Avishay Zawoznik - "V!4GR4 BotNet: Cyber-Crime, Enlarged"
- Abstract: Trafficking of counterfeit pharmaceuticals is a massive industry, and has been known for its persistent usage of different blackhat techniques in order to maintain its operation. A large part of those attempts are web application attacks, which are used in order to operate a huge network which generates substantial income for its operators. In this session we're going to introduce some of the main Methods of Operation for these groups, estimate the size of this operation, and explain why it matters. We will walk through real attack data to see some of the latest attacks generated by these organizations, and discuss how organizations can be better protected against those attacks.
- Bio: DDoS research TL in Imperva Incapsula's security labs. Utilizing Incapsula's CDN for data analysis of attacks. Researching webapps as well.
- Michelle Meas - "tDCS: Brain Hacking for the Neuroscience Illiterate"
- Abstract: Things we've learned while creating 50 tDCS "brain-hacking" boards: People like to say that the brain was the first computer. These people know little about either brains or computers. However, the brain *is* a complex, organic computing machine, capable of both immense feats of information processing and hilarious failure in Literally Everything. Like all machines, it can be hacked. Transcranial direct-current stimulation (tDCS) has been gaining popularity in pop science and the biohacking community as a way to improve cognition, expedite learning, improve motor control, augment memory, treat lesions in the brain, and improve mental condition. This talk will explore the basic neuroscience behind tDCS augmentation of the brain as well as the ways it has been applied in current research. Controversy over the perceived effects of tDCS, sensationalization of its idea in media, and the importance of knowing both the technical and physiological aspects of tDCS will also be discussed.
- Bio: Michelle is the Chief Biologist for the Cyphercon BioHacking Village (BHV) and conducts lab work at the University of Illinois.
- Francisco Donoso - "DanderSpritz: How the Equation Group's 2013 tools pwn in 2017"
- Abstract: Everyone has focused on the Equation Group's "weapons grade" exploits but no one has focused on their extremely effective post exploitation capabilities. In this talk I will cover the tools, methods, and capabilities built into the DanderSpritz post exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scanned, sampled, subdued, and successfully dominated an entire organization ninja-style. We'll dig into the technical details of how the framework gains persistence, performs key logging, captures traffic and screenshots, steals credentials, gathers target information, owns AV and WSUS servers, exfiltrates secrets, and causes general mayhem.
- Bio: Francisco is a passionate security professional with experience in many different areas of infosec from consulting to service architecture
- D.Snezhkov - "Check Your Senses. Software Based Data Transfer In Captive Portals Over Light and Sound."
- Abstract: As an offensive Red Team operator, have you ever found yourself in a locked down remote terminal session, staring at the data, unable to exfiltrate it to the local system? Or maybe you were not able to transfer data into the remote host. It's frustrating, we know. But not all is lost. In this talk we will walk through a few scenarios and create tools to remedy the situation. Together we will look at exfiltration and infiltration opportunities over Light and Sound mediums. We will gradually build a collection of tools created with the goal of overcoming restrictions placed by enterprise captive portals in the form of screen remote sessions, terminal services and kiosks. We will do so following principles of utilization (aka living off the land), avoiding detection, maximizing operational security, all while pushing our bytes in and out of the enterprise. And while we love the hardware, we will do this all entirely in software. Along our journey together there will be failure, there will be success, but most of all - there will be fun. So, Blue Team - prepare to check your senses!
- Bio: Dimitry Snezhkov, X-Force Red @IBM. Offensive security testing, code hacking and tool building.
- Erin Willingham - "All aboard the fail whale!"
- Abstract: Docker and its containerization tools have been extremely popular in the DevOps scene for the past few years. These tools can reduce friction when moving applications from development to production, but can also open up a multitude of vulnerabilities. I will go into depth on a few of these issues and show how they are being exploited in the wild. Some of the tools covered in this talk will include Docker, Apache Mesos, Marathon, and Docker Registries. For the offensive team, working tools and examples will be demonstrated on how to exploit these systems and vulnerabilities. Not to leave out the trusty developers, sys admins, and everyone in-between, I'll also go over what actions you need to take to keep your team out of trouble and how to scan for breaches.
- Bio: Erin Willingham is a Lead Platform Engineer for the Salesforce DMP with over 10 years of experience focusing on DevOps and Security.
- John Bambenek - "I'm All Up in your Blockchain, Hunting Down the Nazis"
- Abstract: In the wake of the white supremacist rally in Charlottesville, Virginia and the car attack in the aftermath, normal people wondered what is behind the resurgence of racial extremism. In looking at some of the figureheads of this movement, it was immediately apparent that several fund their operations with bitcoin, with several holding thousands of dollars and a few holding millions (as of today's exchange rate). This talk will cover the research efforts into figuring out the adversaries behind the white supremacist movement, who is funding them, and the results of publishing their transactions on a live Twitter feed at @neonaziwallets. We will show how they are getting their big money and what can be done to disrupt their activities. This talk will also cover an open-source Twitter bot script that can monitor transactions to defined wallets and demonstrate how various exchanges leak information that allows visibility into other altcoins, particularly Monero.
- Bio: John Bambenek is VP of Research and Intelligence at ThreatSTOP where he manages the miscreant punching division of the company. He is also a lecturer at the University of Illinois at Urbana-Champaign. He has developed a variety of open-source tools and feeds that provide surveillance of malicious activity and regularly assists law enforcement and others to track down bad people for prosecution. He hates Illinois Nazis and started posting their financial transactions on Twitter. Hilarity ensued.
- Gabriel Ryan (solstice) - "5Ghz Electronic Warfare"
- Abstract: In this presentation we will introduce a new feature to eaphammer: the ability to easily and reliably perform rogue AP attacks against 802.11n/802.11ac networks that operate on the 5GHz spectrum. Although most hostapd-based tools for performing rogue AP attacks do support the creation of 5GHz 802.11n/802.11ac access points, we are the first tool to do so reliably and without extensive manual configuration. We then developed a set of unified configs for hostapd that could be used to reliably perform rogue access point attacks using 802.11n/802.11ac on the 5GHz spectrum. For added lulz, we even went so far as to implement the DFS and TPC features of 802.11h, making our rogue APs FCC and ETSI compliant by giving them the ability to detect and avoid interfering with aircraft radar. In this presentation we will describe how we did all of this, and demonstrate how these features have been implemented in the latest version of eaphammer.
- Bio: Gabriel is a senior security assessment manager at Digital Silence. He is a dedicated purveyor of dank lulz and the finest of keks.
- Mike Kelly && Chris Carlis - "Inside The Wire: Network Attacks Against Physical Access Controls"
- Abstract: We rely on physical defenses to protect our safety and the security of critical assets. Whether in a dedicated engagement or in the scope of a broader Red Team exercise, traditional assessments of physical security often focus on leveraging physical access to obtain network access. That methodology not only overlooks the broader impact of unauthorized physical access, but ignores the networked technologies that enable modern physical security defenses. In this talk we'll expand on that methodology by exploring multiple field-tested methods of leveraging basic network access to gain persistent, repeatable, and privileged physical access to critical assets and personnel. We will discuss several network level attacks against physical access control systems and demonstrate two remote exploits against two common door controllers. The exploits result in the full control of device functionality, ultimately allowing for the creation of physical access backdoors. Finally, we will cover some potential remediation/mitigation strategies and take a look towards the future with possible areas of continued research.
- Bio: Red teamers at Secureworks w/ a combined 14+ years of experience performing network, physical, and embedded device attacks.
TURBO Talks (25 Minute)
- Sheila A. Berta && Claudio Caracciolo - "The Bicho: An Advanced Car Backdoor Maker"
- Abstract: Attacks targeting connected cars have already been presented in several conferences, as well as different tools to spy on CAN buses. However, there have been only a few attempts to create something similar to a useful backdoor for the CAN bus. Moreover, some of those proofs of concept were built upon Bluetooth technology, limiting the attack range and therefore hampering its effects. Those things are old! Throughout our research we have successfully developed a hardware backdoor for the CAN bus, called "The Bicho". Its powerful capabilities render it a very smart backdoor. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? The Bicho makes it all possible. All the "magic" is in the assembler-coded firmware we developed for a PIC18F2480 microcontroller. Additionally, our hardware backdoor has an intuitive graphical interface, called "Car Backdoor Maker", which is open-sourced and allows payload customization. The Bicho supports multiple attack payloads and it can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is associated with a command that can be delivered via SMS, allowing remote execution from any geographical point. Furthermore, as an advanced feature, the attack payload can be configured to be automatically executed once the victim's vehicle is proximate to a given GPS location. The execution can also be triggered by detecting the transmission of a particular CAN frame, which can be associated with the speed of the vehicle, its fuel level, and some other factors, providing the means to design highly sophisticated attacks and execute them remotely.
- Bio0: Sheila A. Berta is a Security Researcher at Eleven Paths
- Bio1: Claudio Caracciolo is the Chief Security Ambassador at Eleven Paths
- Spencer McIntyre - "Reflective PE Unloading"
- Abstract: Many in-memory payloads and implants utilize the tried and true technique pioneered by Stephen Fewer for "reflectively" loading a PE file into memory. This technique is fantastic and allows tools to take a blob in memory and load it as if it were a PE file existing on disk. What will be outlined in this talk is a technique to reverse this process and go from having an image loaded in memory to having a PE blob in memory suitable for writing to disk. This creates an exact byte-for-byte copy of an image suitable for being loaded back into memory (either reflectively or through the Windows system loader) and repeating the process. This could be used, for example, to have a payload which is running in memory copy itself out and write itself to an arbitrary location for persistence without having to download a fresh copy from the network or keep an original in memory. The talk will focus on the technical challenges that were present while developing the technique, and provide a description of the differences of a PE file as it exists on disk and loaded in memory. Proof of concept code for the x86 and x86-64 architectures will be released and demonstrated.
- Bio: Spencer McIntyre works for SecureState consulting doing R&D. He is an avid open source contributor and Python enthusiast.
- Peanuter - "IP You P, We All P on UPnP"
- Abstract: Never fear, I is here. Enter a nation state worthy cyber war weapon. There is no right and wrong. There's only fun and boring. In 25 minutes you are about to go from being a Hapless Technoweenie to a Spartan ready to take the internet by storm. This UPnP tool will let you change the DNS settings, set port forwarding, become the DHCP Relay, force terminations, on millions of devices, pre-scanned just for you baby. Just select the country. SCADA, home routers, and IoT are all vulnerable to this. The UI is made to please with an anyone-can-do-it mindset. Come be a nation state threat actor! Celebratory free beers for me are
- Bio: APT cyberwar tool. Check. Audience to deliver it to. Check. Finding friends with the same mental disorder, priceless. Welcome to THOTCON 0x9.
- Dan Crowley - "How to Pen Test an ATM"
- Abstract: Automated Teller Machines (ATMs) are uniquely interesting targets. They are computer-based systems connected to global financial networks, meant to be unattended and open to the public 24 hours a day, and on top of all that, contain boxes of cold hard cash, sometimes totaling in the tens of thousands of dollars in a single machine. This talk will discuss the challenges in securing ATMs, the areas you should focus on when assessing the security of an ATM, various common flaws found when assessing ATMs, and some successful real-life attacks against ATMs.
- Bio: Daniel directs research at X-Force Red, has been working in infosec since 2004, makes his own beer, and is a baron in Sealand.
- johnnysunshine - "Aww Ship! Navigating the vulnerabilities of the maritime industry"
- Abstract: The majority of the modern economy's logistics is implemented via shipping vessels controlled through systems that embody a combination of the worst parts of a corporate network, ICS, and embedded systems. These systems were largely designed decades ago and are rarely, if ever, updated - yet are exposed to a large number of attack surfaces on the internet and via radio-frequency attacks. This talk will cover the protocols used by the commonly implemented systems found in both commercial and private maritime vessels - including large capacity tankers and container ships - and the shoreside infrastructure used to communicate with, and issue commands to, the shipboard systems. We will see how this infrastructure can be attacked, and how it in turn can be used to carry out significant attacks that could cause major disruption to the world's economy.
- Bio: mostly harmless
- Jay Margalus && Rudy Ristich - "Creating the THOTCON Badges"
- Abstract: This talk will cover the development of the THOTCON 0x9 badge and explore various challenges, opportunities, and design considerations faced when creating a game experience for custom-built embedded, interconnected systems. It will explore these topics through the use of the THOTCON 0x9 and 0x8 game badges as case studies in hardware and software development, as well as human-computer interaction and game design. We'll touch on the design of these systems, and highlight material differences between both software design, and the design of physical artifacts. We'll also talk about making games!
- Bio0: Jay is Faculty Director at DePaul, HCI and Game Designer
- Bio1: Rudy is a Security Professional and Co-Founder of Workshop 88
- Ernest "Cozy Panda" Wong - "A Taoist Approach to Cybersecurity and Cyberwarfare-The Path to Understanding How Cyber Offense Bolsters Cyber Defense"
- Abstract: Since the origins of the Republic, the American people have shown a strong speculative knack that led to novel ideas for tackling tough problems. From the first American colonists who made do with limited resources, to NASA astronauts who boldly explored space with minimal supplies in order to break free of gravity, Americans have a proud history of advancing new and effective ways of getting the job done. However, the Internet's rapid growth has meant that the tools for operating in cyberspace are constantly changing. In such a fluid environment, does America still have the capacity to gain the advantages necessary to out-hack those who attack us in the cyber domain? This talk analyzes what innovation really means and highlights differences between revolutionary, breakthrough, sustaining, and incremental innovations. Through this framework, we gain tremendous insights that help to progress how our nation can develop more effective tactics, techniques, and procedures for defending (as well as attacking) in the cyber domain. From understanding the four types of innovation (revolutionary, breakthrough, sustaining, and incremental), we acquire the First Level (Base) of Tao-Cyber (The Way of Cyber). By comprehending that cyberattacks originate mostly as revolutionary, sustaining, and incremental innovations while cyber defenses come about through breakthrough, sustaining, and incremental innovations, we then acquire the Second Level (Rigid) of Tao-Cyber. We master the Third Level (Fluid) of Tao-Cyber when we can bridge the gap between cyber offense and cyber defense and are able to contemplate new and surprisingly simple ways to defeat cyberattacks.
- Bio: Ernest "Cozy Panda" Wong works with the ACI. He has a Master of Military Science from Kuwait, and a MS in mgmt and a MA in ed from Stanford.
- Adam Everspaugh - "Protecting Passwords with Oblivious Cryptography"
- Abstract: Current schemes to protect user passwords like bcrypt, scrypt, and iterative hashing are insufficient to resist attacks when password digests are stolen. We present a modern cloud service, called Pythia, which protects passwords using a cryptographically keyed pseudorandom function (PRF). Unlike existing schemes like HMAC, Pythia permits key updates as a response to compromises. Key updates nullify stolen password digests, enable digests to be updated to the new key, and don't require users to change their passwords. The keystone is a new cryptographic construction called a partially-oblivious PRF that provides these new features.
- Bio: Dr Adam Everspaugh is a principal engineer and cryptographer for Uptake Technologies, an industrial predictive analytics company in Chicago.
- Brannon Dorsey (braxxox) - "Browser as Botnet"
- Bio: Artist | Programmer | Researcher | H4k3r. Chicago, IL && www.
- Caleb Madrigal - "Inferring wireless camera motion detection without being connected and other 802.11 IoT hacks"
- Abstract: A surprising amount of information can be intercepted by listening to raw 802.11 WiFi signals. WiFi devices are continuously broadcasting information that can be used to track people's movements and even to infer things like when wireless security cameras have detected motion. And this data can be intercepted from blocks away, without even being connected to any WiFi network. Come learn about some of the techniques that are almost certainly already being used by governments and corporations to track us all, and what can be done to help prevent it... or how to do it yourself, if you are so inclined... for non-malicious purposes only, of course. I'll also be presenting a new tool I've developed to help.
- Bio: Caleb is a programmer who likes hacking, mathing, and writing. I'm mostly focused on security and machine learning.
- Graph-X - "Gaming Your Kid's: The Hustle of Teaching Kids to Learn How To Hack"
- Abstract: Making hacking fun for kids requires gamification and relating the lessons to topics that interest them. This talk will provide an overview of a game that did just that which was initially developed for Hak4Kidz and will be open sourced along with some cool NFC tags to those who put up with me for the entire time.
- Bio: Graph-X - Level 70 Troll Dad, Destination Imagination team manager, Girl Scout leader, tinkerer, breaker, red teamer, coder of horrible programming languages, and brewer of mostly not undrinkable beers. Overextends himself with CCDC, Milsec, SEWI-Locksport and many other community focused security shiny objects.
- Jake Heath - "Tracy: because tracing user input through JS is for tools"
- Bio: Jake Heath is a penetration tester with NCC Group, familiar with performing web application, network, and hardware penetration tests.
- Sandra Escandor-O'Keefe - "Climb the infosec skill tree by revisiting past CVEs"
- Abstract: In order to improve our skills, we can revisit past CVEs and create our own exploits, and compare with existing exploits. By practicing in this manner, we can eventually contribute to the wider security community. The part of this exercise that is the most useful is when we find a difference with our own developed exploit compared against a current existing exploit. We must practice our critical thinking skills to determine the discrepancies, and determine if any unstated assumptions exist. This talk will consist of looking at a specific CVE (CVE-2013-5576) to explain: the general strategy and thought process for practicing by revisiting past CVEs; the vulnerability, its context, and why the code that is responsible for the functionality produces the vulnerability; a technique for determining the code responsible for the vulnerability; the differences found when running a current known exploit against the vulnerability, and the debugging methods used; the differences between our developed exploit and a current known exploit.
- Bio: Security Engineer ~ 2 yrs. Software Dev - 5 yrs. Likes: Anything about software, English Bulldogs
- Trey Underwood - "Red Teaming Newbies - A look into CCDC"
- Abstract: CCDC (Collegiate Cyber Defense Competition) competitions ask student teams to assume administrative and protective duties for an existing "commercial" network - typically a small company with 50+ users, 7 to 10 servers, and common Internet services such as a web server, mail server, and e-commerce site. Each team is scored on their ability to protect their network, keep services running, and handle business requests while balancing security needs with business needs. This presentation goes over the journey of joining the 'other side' of these competitions: the red team. This team consists of industry professionals volunteering their time for the sake of security education and maybe have a little fun on the side too. We'll discuss the challenges faced hacking college students and the tools created as a response along with funny stories and incident reports filled out by students. We'll discuss zero day vulnerabilities found during the competition because of good blue teams and stubborn vendors. At the end you'll learn some red team antics and why CCDC is important to improving security education.
- Bio: I am an abstract artist, a concrete analyst, and a ruthless bookie. Children trust me.
- Dan Houser && Mick Douglas - "Hacking & Protecting Advanced Authentication"
- Abstract: Many organizations have implemented Multi-Factor and Advanced Authentication Solutions. But, are they really secure? Do they solve the problem statement, or just waste capital? Can they deliver on the promises? We will attack multiple MFA solutions, revealing brittle edges that permit attacks like bypass, exploit, man-in-the-middle and compromise. We will break down the attacks and what permitted the exploit, and then demonstrate critical steps where MFA is not "the answer", but one important step to armoring credentials and protecting the firm. The principles of a credential firewall will be introduced, along with a holistic approach to identity that is required to achieve truly advanced authentication. Warning, packets may be harmed. Not for the squeamish.
- Bio0: Dan Houser uses science, creativity & caring to solve big security problems.
- Bio1: Mick Douglas is...
- Josh Skorich (JoSko) && John Mocuta (atucom) - "Not Your Daddy's Winexe"
- Abstract: Everyone knows about winexe and RDP, but what about all the others? In this talk we'll dive into 13 different remote administration techniques for Windows and Linux, including some obscure but very useful ones. We'll talk about how they work, how to find them, and the tools at your disposal to use/abuse them. We'll also dig into the signatures left behind, and demo some new hotness to assist Red Teams in evasion and Blue Teams in detection.
- Bio: JoSko and Atucom wrote a pretty fantastic bio about their professional InfoSec experience but were ultimately circumvented by the 140 charac
- David Bryan (VideoMan) && Dustin Heywood (evilmog) - "Reversing NTLMv1 using GPUs and cracking Passw0rds"
- Abstract: Last year we built a password cracking rig for our team, and did some fun demos at BlackHat, SecTor, and several events and conferences. Having access to hardware, we have also had some time to do research. Do people still use bad passwords? Of course. But now we have some evidence behind it, and want to present our research, and things that we have found in the last year. Including how we are reversing NTLMv1 challenge hashes to NTLM hashes in under 12 hours.
- Bio: David Bryan (@_VideoMan_) and Dustin Heywood (@evil_mog) are pentesters and crack passwords with GPUs. #hashcat #123456
- Rhett Greenhagen (V1psta) - "The Spies Who Didn't Love Me"
- Abstract: Cyber espionage is both a small and large playing field. There is a limited number of highly specialized Intelligence operatives and an abundance of potential targets in both heterosexual and homosexual sexualities that can be blackmailed. Everyone lies about sex. A foreign agent is more likely to be able to find information that can be exploited in order to compromise an otherwise loyal individual. While conducting an investigation on multiple mobile dating applications, we found large numbers of false identities in the areas surrounding classified locations including military bases where intelligence agencies, brigades, and law enforcement operate. We came across multiple suspect profiles that were attempting to authenticate the information we were feeding them to determine if we had access to sensitive information and to ascertain our real identities. By following the "Actionable Intelligence Lifecycle", we were able to document, capture, and analyze patterns to help identify these false identities, both current and future. By developing criteria to detect false identities we were able to develop metrics and a reporting process to assist with countering their intelligence gathering operations against U.S. and allied nation personnel.
- Bio: I am a hacker who wants to do good things for himself and others. For anything else, check my LinkedIn, even though most of it's false anyways.
- r3pl1cant && quaddi - "I Need a Hacker Consult, Stat"
- Abstract: Doctors learn about Ebola and influenza in med school, but not about WannaCry or Petya. That's a problem. Clinicians, and more importantly their patients, increasingly depend upon an incredibly complex network of connected medical devices and vulnerable hospital infrastructure. And while medicine has never been more promising, it's also never been more insecure. Healthcare needs help, and it needs it from you. Join Jeff "r3plicant" Tully and Christian "quaddi" Dameff, practicing physicians and white hats, as they give you a unique perspective into the challenges facing the champions of healthcare infosec, show why hackers are the missing piece of the patient care team and finally, take you behind the scenes of the first ever clinical simulations depicting patients with hacked medical devices. This talk is not for the faint of heart. Literally.
- Bio: Jeff Tully, MD is an anesthesiologist, pediatrician, and security researcher working to protect patients in an era of medical IoT insecurity.
- Swapnil - "Pack your Android: Everything you need to know about Android Boxing"
- Abstract: Android malware authors may apply one or a combination of protection techniques like obfuscators, packers and protectors. This additional step just before publishing the app adds complexity for Android bouncers and various static and dynamic code analysis tools. Combined with these protection techniques, features such as emulation detection, anti-debugging, root detection, tampering detection and anti-runtime-injection practically make a malicious app go undetected. As a result we have seen a steady increase in the malicious apps published in various Android app stores. ZDNet reported that around 1000 spyware mobile apps were published in the official Google Play Store this year alone. These apps may have the capability to monitor almost every action on an infected device, such as taking photos, recording calls, monitoring information about Wi-Fi access points and inspecting the user's web traffic. The talk will focus on all three commonly used APK protection techniques and how they operate under the hood. For obfuscation, we will demo a tool designed to remove switch case injection, dead code injection, and string encryption to get readable code. For packers, the talk will showcase avenues to unpack the packer by first finding the algorithm, hooking into libc before the packer opens the DEX file, and dumping the DEX from memory. Protectors such as DexProtector mangle code by modifying the entry point to a loader stub and perform anti-emulation, anti-debug and anti-tampering checks. Protectors are easy to patch: one can attach to a cloned process or dump the odex and get readable code. By adding these techniques, an ethical hacker or Android bouncer can identify many malicious applications published in app stores.
- Bio: Swapnil Deshmukh has over a decade of information technology and information security experience, including technical expertise.
- Josh Grunzweig - "Rise of the Miners"
- Abstract: Over the past year, we've witnessed a shift in malware used by both the common criminal and targeted actor alike. While ransomware was the belle of the ball in the past, it has been replaced with the up-and-coming cryptocurrency miner. This talk will explore the trends witnessed in the past year as they pertain to the rise in popularity of cryptocurrency miners being used and deployed by criminals. We'll talk about how and why this transition has occurred, as well as a number of interesting case studies about how this malware winds up on a victim's machine. Finally, we'll also discuss the most popular cryptocurrencies being mined today, and strategies you can take to mitigate this threat.
- Bio: Josh enjoys reversing malware by a crackling fire with a nice cup of coffee. Sometimes he drinks tea instead.
- Judy Towers - "SAEDY: Subversion and Espionage Directed Against You"
- Abstract: Frequently, people who go along a treasonous path do not know they are on a treasonous path until it is too late, as per testimony from former CIA Director John Brennan, May 2017. The definition of social engineering (SE) is: "any act that influences a person to take an action that may or may not be in their best interest". Using an old US Army acronym, SAEDA (Subversion and Espionage Directed Against the Army), this talk will discuss how today's use of SE is essentially the tradecraft of espionage, commonly known as spying. There is no patch for an untrained user or even an experienced security professional who forgets, in the heat of the moment, to follow what they have been taught. Espionage is the practice of secretly gathering information about a foreign government or a competing industry, with the objective of placing one's own government or corporation at a strategic or financial advantage. Presenting case examples of military and industrial espionage will illustrate how tricks of the spy trade are parlayed against ordinary individuals every day. The ultimate goal is for individuals to become self-aware, as today's cyber threat landscape is essentially 'them against you'.
- Bio: As an active duty US Army CounterIntelligence Agent (6yrs), Judy Towers provided weekly SAEDA briefings.
- Tom Hegel - "Hancitor Malware Operation Monitoring"
- Abstract: Hancitor, a commodity malware downloader, continues to be an active threat to the average user and enterprise network. During the primary 2017 campaigns of the Hancitor downloader, a particular focus was placed on attempting to track and monitor the operations behind the actor and malware deployment. This includes tracking the Hancitor delivery approach, victim details, and potential leads on attribution with the help of OPSEC negligence. In this talk, we will discuss and share the findings of the research with the community in an effort to facilitate collaboration. Specifically, we will review shifts in tooling, an understanding of the attacker approach and infrastructure, in addition to providing recommendations for limiting attacker benefit via public exposure of analyst findings.
- Bio: Sr. Threat Researcher at ProtectWise 401TRG. Focused on network traffic analysis and IR with a particular speciality in threat intelligence.
- Kelly Villanueva - "Hacking GDPR"
- Abstract: To avoid the cost of non-compliance with GDPR, companies have invested heavily in security program development, but what does that mean for pen testers? During this talk, I'll give an overview of GDPR security requirements and outline 2017's most expensive security enforcement actions. From there, I'll give examples of how pen testers can leverage GDPR to highlight areas of risk to non-technical business units and relate the GDPR Guidelines on Personal data breach notification to specific purple team activities. Expect tips for the red team, blue team, and legal team.
- Bio: Cybersecurity and Privacy Associate at PwC
- Price McDonald && Hans B. Petersen - "Why I don't dial 911 - A pragmatic look at Public Safety Security"
- Abstract: As technology advances and we begin to pull our nation's 911 infrastructure out of the Stone Age, the need to add practical security measures only increases. This talk gives a brief look back at the history of 911, including some recent breaches and outages, along with what we are/aren't/should be doing to fix it going forward.
- Bio0: Price is a perpetually curious person with interests in Hardware Hacking, Penetration Testing, Digital Forensics and Reverse Engineering.
- Bio1: Hans has been rummaging around the Internet since before there was such a thing as the World Wide Web. His areas of expertise include Unix, Digital Forensics, Reverse Engineering, Penetration Testing ... and partaking of the odd dram of whiskey.
- D. Snezhkov - "Foxtrot. Proxy, let's dance."
- Abstract: Execution of an offensive payload may begin with a safe delivery of the payload to the endpoint itself. When most secure connections in the enterprise are inspected, reliance on transmission-level security may not be enough to accomplish that goal. Foxtrot C2 serves one goal: safe delivery of payloads and commands between the external network and the internal point of presence, traversing intercepting proxies, with end-to-end application-level encryption. While the idea of end-to-end application encryption is certainly not new, the exact mechanism of Foxtrot's delivery implementation has advantages to Red Teams as it relies on a well-known third-party site, enjoying elevated ranking and above-average domain fronting features. Payload delivery involves several OpSec defenses: sensible protection from direct attribution, and active link expiration to help with the interception, tracking and replay activities by the defenders. And if your standalone Foxtrot agent is caught, the delivery mechanism may live on: you could still manually bring the agent back into the environment via the browser.
- Bio: Dimitry Snezhkov, X-Force Red @IBM. Offensive security testing, code hacking and tool building.
- Mikhail Sosonkin - "Best travel buddy 3vaaar!"
- Abstract: Travel routers are the portable devices that are meant to bring convenience and security to the savvy traveler or a digital nomad. However, they have a dark side. In this talk, I will detail the process of analysis for a selection of such devices and discuss their impact on enterprise networks. In this analysis, I will illustrate my process for discovering vulnerabilities and engineering malware to build a full attack. The talk will go through firmware teardown and reverse engineering of the MIPS binaries associated with the devices' web server. In addition to binary exploitation, this talk will cover attack scenarios that make these vulnerabilities useful and, of course, explore how an attacker could leverage innocent users to gain beachheads in enterprise networks to spread even more malware. On the defensive side, the audience will see the defenses that are employed by the devices and those that are missing. Some of these defenses could have prevented the successful exploitation of the presented vulnerability. Finally, this talk will go through attack scenarios, that uniquely leverage travel routers, that a network defender will need to consider when building a defense strategy. Finally, we'll see how the vendor has patched the zero-day vulnerabilities to prevent their customers from getting hacked!
- Bio: Mikhail is the Director of R&D at Synack where he enjoys reversing low-level systems and speaking at conferences like THOTCON.
Track X - Mini Workshops (100 Minute)
- Jack Cable - "Leveling up: Bug Bounty Methodologies in a Maturing System"
- Abstract: Bug bounties are evolving faster than ever. With a surge in new researchers and a maturation in existing programs, new methodologies are needed to further strengthen the security of companies. In this presentation, I will give an overview of recent bug bounty innovations and present my own strategies for continuing to find bugs in long-running bug bounty programs. I will stress the need for comprehensive testing and familiarity with a company's systems. As a demonstration, I will show a tool I am currently developing (planning to release mid-December) that further aids reconnaissance by continuously monitoring changes in websites. Additionally, I will present several lesser-known vulnerability types that have been overlooked by researchers. As an introduction, I plan to explain the origin of bug bounties and their significance (as well as shortcomings) in improving a company's security. Finally, I will give insight as to where I see the bug bounty field evolving in the future, and how researchers can get a leg up. Specifically, I see high potential in the automation of insecure direct object references (IDORs), as these are relatively easy to test for, but currently no tools exist to automatically identify these. (I may develop a tool in the time between now and the presentation addressing this.)
- Bio: Jack Cable is a 17-year-old coder turned white-hat hacker. Cable is active in the bug bounty scene and won the Hack the Air Force challenge.
- Marcelle - "Detecting Evil with Network Traffic Analysis"
- Abstract: Network traffic analysis is pretty awesome and can provide a wealth of forensic information. This hands-on workshop starts with a quick overview of the basics of how traffic flows and progresses to file carving and other advanced activities. I build my own packet captures to demonstrate a variety of protocols and network activity, both benign and malicious. Participants only need their laptop, Wireshark, and packet captures that will be provided via a Google Drive link. For those without devices, there is still value in watching the walk-throughs. I have given similar workshops in the past but always have new captures to keep it fresh.
- Bio: Marcelle has a fancy bio but mostly wants you to know that she loves analysis and spends most of her time in shiny cyber rabbit holes.
- Shawn Webb - "Writing FreeBSD Malware"
- Abstract: Without exploit mitigations and with an insecure-by-default design, writing malware for FreeBSD is a fun task, taking us back to 1999-era Linux exploit authorship. Several members of FreeBSD's development team have claimed that Capsicum, a capabilities/sandboxing framework, prevents exploitation of applications. Our in-depth analysis of the topics below will show that in order to be effective, applying Capsicum to existing complex codebases lends itself to wrapper-style sandboxing. Wrapper-style sandboxing is a technique whereby privileged operations get wrapped and passed to a child process, which performs the operation on behalf of the capsicumized parent process. The child process passes its result back to the parent. Tying into the wrapper-style Capsicum defeat, we'll talk about advances being made with libhijack, a tool announced at Thotcon 0x4. The payload developed in the Capsicum discussion will be used with libhijack, thus making it easy to extend. By utilizing libhijack, we will demonstrate that wrapper-style sandboxing requires ASLR and CFI for effectiveness. FreeBSD supports neither ASLR nor CFI. We will also learn the Mandatory Access Control (MAC) framework in FreeBSD. The MAC framework places hooks into several key places in the kernel. We'll learn how to abuse the MAC framework for writing efficient rootkits. Attendees of this presentation should walk away with the knowledge to skillfully and artfully write offensive code targeting both the FreeBSD userland and the kernel.
- Bio: HardenedBSD Cofounder. OPNsense core team. SoldierX High Counsel. Emerald Onion advisory board. Offensive and defensive infosec researcher.
- Ronnie Flathers - "Fun with LDAP and Kerberos in AD environments"
- Abstract: This workshop will walk through some lesser known reconnaissance and lateral movement techniques when performing penetration tests in Active Directory environments. While tools like Bloodhound and Death Star have automated paths to DA, it's always important to have other tricks in your book and understand how to do things manually. This demo heavy workshop will include: manual LDAP and DNS reconnaissance, practical usage of Kerberos for password guessing and lateral movement, different techniques for code exec with admin privileges, effective relay techniques for unprivileged users, as well as other tips/tricks/one-liners for pentesting AD.
- Bio: Ronnie is a member of the Hacker/Hunter team at Uptake. Prior to that, he was a pentester and team lead at Cisco and Neohapsis.
- Alexei Bulazel && Jeremy Blackthorne && Sophia d'Antoine - "An Introduction To Modern Binary Exploitation"
- Abstract: Ever wondered what really goes on when you use an "exploit"? This workshop will demystify binary exploitation, and teach you how to discover your own vulnerabilities and write exploits for them. We'll begin by covering the basics of how binaries work - the stack vs the heap, a brief primer on x86 assembly, and how syscalls work. Then, we'll talk about memory corruption, and how attackers can use it to take control of programs and bend them to do their bidding. By the end of the workshop, you'll understand 1980s and 90s style stack-based buffer overflows, and should even be able to write a few basic ones yourself. A provided VM will allow attendees to follow along and work through exploitation challenges with the presenter. A whole semester-long college course's worth of slides and challenges will provide you with the material to keep studying exploitation after the workshop, covering all the way up to DEP/ASLR bypasses and Linux local privesc exploits.
- Bio0: Alexei Bulazel is a security researcher and an alumnus of RPI/RPISEC. A frequent conference speaker, he has presented all over the world.
- Bio1: Jeremy Blackthorne is the cofounder and president of the Boston Cybernetics Institute where he provides cybersecurity training in support of national security.
- Bio2: Sophia d'Antoine is working in Cyber Security at Trail of Bits, out of NYC. She received her Master's in Computer Security at Rensselaer Polytechnic Institute. She spends time speaking at conferences, participating in CTFs and other challenges, teaching at RPI and writing Program Analysis tooling.