Keynotes (50 Minute)
- Sheila Berta - "Your non-connected car is not as safe as you think..."
- Abstract: A few years ago, many attacks targeting connected cars were published, producing a high impact on the community. Today people are aware that their "smart" car might be remotely hacked, and that is true. However, believing that non-connected cars (without WiFi, 5G, Bluetooth, etc.) are safe or unhackable is a mistake. Non-connected cars may be backdoored through the OBDII port, letting an attacker control them remotely by injecting malicious CAN frames on the in-vehicle network known as the CAN bus. Have you ever imagined the possibility of your non-connected car being attacked remotely to alter its speed, lights status, security systems or any other module? Even more, have you ever imagined the possibility that your non-connected car suddenly stopped working, when you least expected it, due to a remote attack? All of this is possible. Let me introduce you to "The Bicho", a very smart backdoor to remotely control non-connected cars.
- Bio: Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at 12 years-old by herself. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, she has discovered lots of vulnerabilities in popular web applications and software. She also has given courses of Hacking Techniques in universities and private institutes. Sheila currently works as Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers, x32/x64), C/C++ and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat EU 2017, DEFCON 26, DEFCON 25 CHV, HITBSecConf, HackInParis, Ekoparty Security Conference, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.
- Ryan D. Clarke (AKA LOSTBOY, 李智上, 1O57) - "Hacking the Hackers: Finding friends and building a career as a hacker since 300 baud"
- Abstract: Let's talk. Let's talk about hacking as a career. Let's talk about how to learn. Let's talk about how to be creative and innovative, and cut through the crap beliefs and why the phrase "think outside the box" is stupid. Let's talk about real penetration testing. No I won't give the "how to build a processor from logic gates in 10 minutes" speech, that's already on YouTube. From Mr. Robot to Classified lab sites, let's talk.
- Bio: In the corporate world, Mr. Clarke draws on his extensive background that spans over 27 years of government, academia, and private industry experience. He currently functions as the CSO for an as of yet undisclosed company. In government circles, Mr. Clarke worked for the Department of Defense while residing in Maryland (do the math). His roles included work at a global scale, and joint efforts included connections with DHS, FBI and other agencies. Upon departure from government service Mr. Clarke worked for Intel in the Advanced Programs Group. Work with the APG included data center validation and intrusion detection and prevention. The APG also functioned as a liaison to various groups and agencies (do the math). Mr. Clarke separated from Intel when an opportunity to work with colleagues at the Department of Energy presented itself. Mr. Clarke conducted cyber and physical intrusion assessments of U.S. DoE facilities, including national science laboratories, U.S. power grid facilities, and *other* facilities under the authority of the DoE (do the math). Previously in academia, Mr. Clarke was the Professor of Robotics and Embedded Systems for the University of Advancing Technology, a National Security Agency Center of Excellence school. Mr. Clarke was recruited to create an embedded systems security degree program for the university. Mr. Clarke's academic background includes degrees and emphasis in Computational Mathematics, Electrical Engineering, Computer Systems Engineering and Physics. He speaks fluent Korean and has proficiency in multiple other languages. Mr. Clarke is a consultant for "Mr. Robot", a hacker based cable television program, and a founding member of the educational group Curious Codes. He regularly presents at cyber conferences around the world. Is that enough of the corporate bio? Ok. I self identify as a hacker. Knowledge of any kind is good. 
You may have seen my work at Defcon, where I co-created the Hardware Hacking Village, ran the "Mystery Challenge", and for many years created the Defcon badges and cryptographic puzzles. I have multiple Defcon Black Badges, and was awarded a Black Badge for a contest I created (a long story, and a Defcon first). I also hold one of the records for the most times speaking at a single Defcon besides DT, although I've never verified this. You can learn something from anyone, and you can teach something to anyone.
- Josh Corman - "Where Do We Go From Here?"
- Abstract: The world increasingly needs us and needs us to be our best... we live in this world... our loved ones live in this world... and unless we make changes, we will fail them..... Despite incredible accomplishments, we are failing them. Many of you have heard me say this line: "Our dependence on connected technology is growing faster than our ability to secure it." As the world figures this out... as governments and policy makers react... it's becoming clearer to me that we have a different constraint: The demand for our talent pool is growing faster than our willingness or ability to mature or develop the field. What's worse, many of the things we celebrate and reward are keeping us stuck as the divide continues to grow. We need to confront what's at the heart of our resistance and decide: what are we willing and able to change? What will we encourage? "Where do we go from here?"
- Bio: Joshua Corman is a Founder of I am The Cavalry (dot org) and CSO for PTC. Corman previously served as Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research, analyst, & strategy roles. He co-founded RuggedSoftware and IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an adjunct faculty for Carnegie Mellon's Heinz College and on the Congressional Task Force for Healthcare Industry Cybersecurity.
- Rachel Tobac - "The Human Exploit: Gaining Access Through Principles of Persuasion"
- Abstract: As technical controls advance, so do the human exploits used to circumvent them. Join Rachel for her keynote as she covers the latest academic research in behavior and neuroscience, and explains how human exploits and principles of persuasion are evolving to gain access to money, data and systems. You'll hear social engineering stories from the field, evidence-based persuasion methods applied to human hacking, and examples of how to leverage (and defend against) these attack methods IRL.
- Bio: Rachel is the CEO & Co-founder of SocialProof Security where she helps people and companies keep their data safe by training and pentesting them on social engineering risks. Rachel was also a winner of DEF CON's wild spectator sport, the Social Engineering Capture the Flag contest, 3 years in a row. Rachel has shared her real life social engineering stories with NPR, Huffington Post, Business Insider, TWiT, USA Today and many more. In her remaining spare time, Rachel works as the Chair of the Board for the nonprofit Women in Security and Privacy (WISP) where she works to advance women to lead in the fields.
FULL Length (50 Minute)
- B_meson && RiotDoge - "Open Source Intelligence Techniques for Monitoring the Alt-Right Online"
- Abstract: Following the resurgence of far-right violence since the rise of Trump, organizations have been monitoring the alt-right using open source intelligence (OSINT) techniques. Many figures central to far-right organizing have been unmasked and their ability to organize has been disrupted by hackers, journalists, and activists digging into their backgrounds. Various far-right groups have been completely disrupted, with key members being fired, shunned by their communities, and a number of high-profile arrests being made. The presenters worked extensively with Unicorn Riot, an alternative media collective, on their "Discord Leaks" platform, which has analyzed and released over a million leaked chat messages from alt-right groups. They will share several real-life examples of using OSINT techniques combined with this leaked data to identify anonymous racist activists. Previously unreleased chat logs will be made public during this talk to enable direct audience participation in the OSINT process.
- Bio: Freddy Martinez is a security researcher and investigative reporter. Christopher Schiano is a reporter with Unicorn Riot.
- Steve Eisen && Nick Lehman - "Defeating Next-Gen AV and EDR Using Old Tricks On New Dogs"
- Abstract: Next-Gen AV and EDR are the new hotness on the scene this year. They promise to put the bad guys and the red team in their place through increased endpoint detection and response. What they don't do that even traditional AV has had issues with is self-protection. This talk will go into the ways in which next-gen AV such as Cylance Protect and EDR like Windows Defender ATP can be defeated using simple tricks that have worked against AV for decades. Rather than attempt to hide from them, attacking them head on through gaps in self-protection mechanisms seems to be the best bang for the buck.
- Bio: Steve and Nick come from a long line of Steve's and Nick's respectively. They enjoy candlelit dinners, and bios longer than 140 characters.
- Kat Fitzgerald - "When Refrigerators Attack - Defending (and weaponizing) IoT"
- Abstract: IoT is in the press almost daily. This talk presents 3 abstracts with live examples of weaponizing, defending and securing IoT devices. Relive my encounters of: "When Refrigerators Attack" or "How I beat back the Deadly Dishwasher". And of course, the all time favorite, "Killer Webcams from Outer Space!" This talk opens with a brief introduction to IoT types of attacks and vulnerabilities, over the five IoT verticals of wearables, connected car, connected homes, connected cities, and industrial. Time to expand on the IoT specifics of how devices are developed, including issues such as reused code, crypto limitations as well as re-used firmware. The talk continues with connecting to how IoT utilizes the cloud for data storage, the type of data, and how the cloud is overlooked in most IoT security issues. Live (backup recordings, just in case) demos are then shown with several IoT devices, exploring attack methodologies and details of the attack surface presented by most IoT devices. Connect with IoT security development and OWASP methodologies, especially related to APIs and Big Data (in the cloud). The final section of the talk expands on IoT honeypots with several examples showing SCADA devices, routers and webcams. A recorded example of "Iot_Reaper" was actually caught by a custom honeypot and will be shown in this part of the talk. Conclusions cover better methods for development of IoT but at the same time, how to better protect against weaponized IoT devices when your device (or your company) is the target. The key is to think just a bit differently when approaching IoT security, but also using existing skillsets and tools in the world of attacking refrigerators. The talk uses live examples (or recorded video as backup) and shows real-world scenarios with a variety of devices. A win-win for this talk is that attendees not only learn, but they walk away with tools and methods that are practical and can be put into use immediately.
- Bio: You can typically find me sipping Casa Noble Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos.
- G. Mark Hardy && Dave Russell - "Hacker Jeopardy"
- Abstract: Hacker Jeopardy turns 25 this year, and we're inviting the world's best and brightest to a world championship playoff. For our Silver Anniversary, we are conducting qualifying rounds around the world for six of the nine seats for the grand finale in Las Vegas in August 2019, and THOTCON 0xA is our fifth stop. Played by three teams of three, contestants compete on skills and knowledge of security, plus earn 100 points for every beer finished during the round. It's hilarious, stimulating, and more politically correct than most other things you see today. To submit a team, send an e-mail to hackerjeopardy@gmail.com, and follow directions in the autoresponder.
- Bio: G. Mark has probably been hacking longer than you have been alive, and is the voice of Hacker Jeopardy. He knows way too many things.
- Marcus Hodges (meta) - "Writing your own Linux Rootkit for fun and profit"
- Abstract: Rootkits, the most pervasive of backdoors, are the final step in post-exploitation, and also the most fun. This talk will explore the anatomy of LKM rootkits, tour the fundamentals of Linux kernel development, and show you how to write your own rootkit from scratch! We will expose the subversive techniques used to bypass kernel protections, hook system calls, and hide from user space. Finally, we'll look at the effectiveness and strategies for rootkit detection and discuss the security implications that bridge user and kernel space.
- Bio: Marcus Hodges (meta) is the Director of Research at Security Innovation, Neg9 CTF team, and enjoys math, Linux, Python, & binary exploits.
- Kurt Kincaid - "When Strong Encryption, Isn't"
- Abstract: It always pays to read the fine print and know what questions to ask. Recently, a very large mobile device vendor released a 17 page specification on their NFC encryption method. Since my employer planned to consume this, I was asked to give the document a pro forma review. Excellent design decisions were made throughout, in many cases going well beyond what might actually be required under the circumstances. At the bottom of page 16 (of 17) was a seemingly innocuous statement that caught my eye, explaining why an obvious security measure (a random initialization vector [IV]) was *not* required. It struck me as odd that such a large vendor would explicitly state why a particular security control was unnecessary, so I started asking questions. After initially being rebuffed with an explanation that I simply did not understand how it worked, I continued to press, and ultimately I was able to demonstrate that their implementation was deeply flawed. It was flawed to the extent that I was able to decrypt their encrypted traffic without ever having to know their encryption key. It was at this point that the vendor stopped responding to my emails. In the presentation, I plan to focus on the analysis of how their implementation was flawed, describing how their encryption was implemented incorrectly, and the process required to decrypt the data. This will require a brief overview of encryption, digging into the details of the specific methods the vendor used in their implementation.
- Bio: Encryption geek, infosec guy, medieval English literature nerd, artist, author, martial artist. Runs with scissors.
- Karl Koscher (supersat) - "IMSI Catchers Demystified"
- Abstract: IMSI catchers (sometimes known by the popular brand name "Stingrays") are shrouded in mystery. Originally developed for military use, they are now used by law enforcement, foreign intelligence, and spammers. IMSI catchers are unauthorized cell sites designed to coerce phones into providing persistent identifiers (IMSIs) and enable RF direction-finding of particular users, intercept traffic, and/or deliver spam. Unfortunately, due to sketchy legal arrangements around their procurement and deployment, very little is publicly known about IMSI catchers, how they work, and how they are used. Based on leaked documents, 3GPP specifications, and experience detecting (and accidentally deploying) IMSI catchers, this talk infers many previously publicly unknown aspects of IMSI catchers. We will cover how they convince phones to connect, reveal their IMSIs, and capture or release particular phones. We will also talk about how IMSI catchers use RF direction-finding to precisely locate particular users. We will describe how one might identify IMSI catchers based on their abuse of particular cellular standards. We will demonstrate a city-wide passive monitoring system for IMSI catchers and introduce our open-source app to detect IMSI catchers using Calypso-based GSM phones running custom baseband firmware. Finally, we'll talk about how one might build their own IMSI catcher.
- Bio: Karl Koscher is a research scientist working at the University of Washington where he specializes in wireless and embedded systems security.
- Chloe Messdaghi - "How to Fix the Diversity Gap in Cybersecurity"
- Abstract: Women make up just 11 percent and minorities slightly less than 12 percent of the cybersecurity workforce. Coming from a nonprofit background, an industry with high diversity, to one where it is so unbalanced is disheartening and disappointing. I've connected with persons who are underrepresented in the field, and many, after spending years in cybersecurity, are leaving the field. From their shared experiences as well as my own, it is clear that the cybersecurity space needs to get real about the lack of diversity in the space, and the necessity to make changes as we approach the estimated shortage of 1.5 million cybersecurity professionals in 2019. In this talk, we will discuss our brains and how we label and prejudge, hear experiences of underrepresented people in the space, what can be done to fill the gap, and how to increase and retain the number of qualified candidates in cybersecurity.
- Bio: Security Researcher promoter @Bugcrowd, UN Volunteer advisor, board member for 4 nonprofits, heads WIST, mentors, and Drop Labels founder.
- Priyank Nigam - "What The Frida Gave Me: A Novel Take on E-Ticket Forging and E-Ticket Stealing"
- Abstract: Millions of people rely on mobile e-ticketing applications to get from Point A to Point B every day. These applications serve as vital components for mass transit and essentially power America's major cities. But thanks to Frida - a well-known but not very popular dynamic instrumentation framework - you can easily reverse engineer mobile e-ticketing applications. In this talk, we'll explore new application-specific attack avenues using Frida. We will be leaving the jailbreak bypasses and SSL pinning bypasses of yesteryear by the wayside as we explore a new attack vector. We'll use Frida's code injection and module loading capabilities to demonstrate e-ticket forging and e-ticket "stealing." (And your commute just became that much less of a pain). Expect to learn the analysis of intermediate-level obfuscation measures such as encrypted HTTP body and encrypted application storage in mobile applications, which can be instrumental in uncovering security vulnerabilities.
- Bio: Priyank is a Senior Security Analyst at Bishop Fox and focuses mainly on secure code reviews, (web/mobile) app sec and network sec. Research interests include anything offensive - RE, mobile, IoT. He also contributes to bug bounties/responsible disclosure at regular intervals.
- 0penwir3 - "Surf and Turf"
- Abstract: When one in nine users will encounter email-based malware, simple phishing campaigns aren't enough, and annual tests conducted by third parties won't keep you safe. Companies rely too heavily on their annual security assessments and focus too little on internal efforts to identify meaningful gaps in user knowledge. To prepare and defend against highly motivated and capable attackers you must be the attacker. This means using more than the built-in phishing tools that come with your next-next-next-next10 gen ATP email system. Your campaigns need to mirror real world attacks. Using real world examples from my experience as a security professional I will demonstrate the impact a well-crafted campaign can have. By using malware, not only do users get a better visual as to how an attacker crafts a campaign, you get better user data. Did they click? Did they enter credentials? Did they install malware? Did they forward it? Did they report? Did your next-next-next-next gen antivirus detect it? This is the kind of actionable data security teams need to collect and analyze at regular intervals to not only determine overall risk but reduce it. Using the data collected during these tests I will show how this kind of user awareness has reduced my organization's risk by over 50% through education and compensating controls. My presentation will focus entirely on free and opensource tools to help organizations with little or no budget take their campaigns to the next gen, I mean level. It will also cover the trials and tribulations of interdepartmental conflict, successful campaigns, and winning the good fight for the sake of your company. Tools I will focus on are: GoPhish, Koadic, BeEF, and Empire. My presentation will include sample pages created to look like Office 365 login pages, macro payloads embedded in Word documents, BeEF payloads, and Koadic Command and Control. At the end of the presentation all the examples and code will be made available via GitHub.
- Bio: I did the security for healthcare, hedge funds, crypto, and non-profits.
TURBO Talks (25 Minute)
- Eldridge Alexander - "Malicious Devices on Hostile Networks at Home"
- Abstract: 5G mobile technology has begun rolling out in the US, and will soon blanket large swaths of the country and world. I anticipate that the coming generations of wireless technology will be built with the expectation of connecting to 5G networks in addition to or instead of home WiFi connections. As IoT needs relatively little data, the cost of the 5G connection can be built into the initial purchase cost, a method that has already been proven with Amazon's e-ink Kindle line. The IoT space as a whole has had a large amount of compromises due to an array of issues including a lack of initial security design, a lack of updates, and usage of default credentials. The most notable of these was the Mirai botnet that comprised approximately 600,000 devices. Adding these devices to our homes with an Internet connection out of the control of the owner will be potentially catastrophic, especially with the increase in IoT in physical security such as motion detectors, door locks, and carbon monoxide detectors. In this talk, I will cover how using Zero Trust principles (as exemplified in Google's BeyondCorp) in the architecture of IoT devices will allow both IoT device designers and consumers to realize most, if not all, of the advantages that 5G will bring to IoT, while avoiding the large scale compromises we have seen with the first generations of these devices.
- Bio: Eldridge is currently a manager of Duo Labs, and is a security and consumer technology enthusiast, with a focus on IoT and home automation.
- Rey Bango (LilBitEvil) - "From Developer to Security: How I Broke into Infosec"
- Abstract: I've spent roughly 18 years building sites and apps for the web and while I always did my best to apply the basics of security, I never truly understood the many ways systems could be hacked. That changed when Wannacry hit and I decided to refocus my career to help secure not only systems, but people. In this talk I'll discuss the impetus for my career change, the challenges I faced as a new person to the community, how I forged relationships that helped me pave a solid path in the right direction and how I eventually broke into this amazing & competitive field. I hope that sharing this will help newcomers better navigate the murky waters of this community.
- Bio: Rey is a security advocate at Microsoft focused on helping the community build secure systems & being a voice for researchers within MS.
- David Bryan (VideoMan) - "Goldilocks and the three ATM attacks"
- Abstract: Automated Teller Machine (ATM) attacks are more sophisticated than ever before. Criminals have upped their game, compromising and manipulating ATM networks, software and other connected infrastructure. Between having a third party manage these machines, and ATMs deployed on low-bandwidth links, it's an inevitable wild-west environment. In this talk I will review three case studies of ATM attacks, showing how they have become more dangerous than ever before. In this session, I will discuss unknown ATM flaws our pentesting team has uncovered while performing testing, the various ways criminals are attacking ATMs, the many security problems that we have identified with ATM systems, and what can be done to prevent these attacks. I will review three case studies of ATMs: one where the ATM security was extremely poor; one where the security was very good but the ATM still fell victim to an attack because we discovered a zero-day in the management software; and one where the security was just right, but its specific deployment had some major flaws that ultimately led to an ATM compromise. In this last case, the attackers side-loaded an application, and were able to run a criminal ring that led to $7M USD in losses.
- Bio: David works for IBM's Elite Hacking team named X-Force Red. He oversees all of THOTCON A/V setup.
- Celeste - "Hacking Stressed: Frustration, burnout, and the pursuit of happiness"
- Abstract: Anyone in this business knows how fun and exciting hacking can be, but also the emotional and physical toll it can take. Mental health is a longstanding dirty secret in the infosec community, and we are just now learning how to talk about it. The wear and tear of everyday stress combined with an 'always on' aspect of an operational environment creates a perfect storm for burning out. While stress can have a negative impact on job performance, my primary concern is on the health and safety of infosec professionals themselves. Not only does stress have short term effects on cognitive abilities and performance, but recurrent acute stress can have long term effects on health (mental and physical) as well as burnout and turnover. There are many sources of stress in infosec operations, some of which can be managed while others are simply the nature of the job. Activities that require long periods of vigilance and creativity will deplete cognitive resources and increase fatigue. Some of these activities have unpredictable results that can increase frustration. Other times, external factors unrelated to the activity itself may introduce new sources of stress that are not normally present. A certain level of stress is to be expected in these operations because they are considerably difficult, have a high risk vs. reward trade-off, and require a significant amount of knowledge and skill. But, how much stress can you take on and still be a happy hacker? In this talk I will discuss why infosec is so stressful, how this stress affects you and your network, and some things you can do about it. I will also discuss lessons learned from my research study of tactical cyber operations that studied fatigue, frustration, and cognitive workload in operators.
- Bio: Celeste is a cybersecurity researcher, has a Ph.D. in Human-centered Computing, and works for the government.
- Julian Cohen - "Adversary-Based Risk Analysis"
- Abstract: The security industry has been talking about powerful concepts like adversary intelligence and attacker cost for a long time now, but most organizations are not using these concepts in their security programs, causing teams to make poor defensive decisions and waste resources on efforts that do not stop real adversaries. Adversary-Based Risk Analysis uses these concepts to prioritize more accurately and execute more efficiently than traditional security programs. These new risk profiles, attacker playbooks, and attacker cost models inform more effective controls, strategies, and policies than traditional security risk frameworks. In this talk, we build a security program around reliable adversary intelligence. We build risk profiles, attacker playbooks, and attacker cost models using adversary-based risk analysis. We then use these datasets to inform better controls, strategies, and policies in our security program. We focus on picking the controls that are most effective at reducing the risk of successful execution of the playbooks that our adversaries use every day. This is only possible with a security program built around reliable adversary intelligence. We take a deep dive into the practicalities of implementing these concepts within your organization, including what metrics matter to show to management, how this impacts hiring, and how this modifies core workflows within the security team.
- Bio: Current: Risk philosopher, Building thoughtful/effective defensive teams. Past: Vulnerability researcher, CTF organizer and competitor, DoD.
- Daniel "unicornfurnace" Crowley - "Extending Archive-Based Path Traversal Attacks"
- Abstract: While recent research has shown that many archive utilities and libraries do not properly neutralize path traversal sequences (i.e. ../) in file paths while extracting archives like ZIP and TAR files, the research missed several long-known attack vectors in path traversal, some generally applicable to path traversal attacks and some dependent on quirky features of the archive formats themselves. For instance, did you know that a number of archive formats have support for symbolic links? This presentation will discuss the variety of path traversal attacks that are applicable to archive formats, the particulars of certain archive formats that can be useful in attacks both within and without the context of path traversal, and the results of the application of these techniques to real libraries and utilities.
- Bio: Daniel has worked in infosec since 2004, is the author of FeatherDuster, and denies all allegations of unicorn smuggling.
- Rebecca Deck - "Of CORS it's Exploitable! What's Possible with Cross-Origin Resource Sharing?"
- Abstract: Cross-origin resource sharing (CORS) is extremely common on modern web apps, but scanning tools are terrible at analyzing CORS policy. If testers really understand CORS policy, a damaging exploit is often not far away. Is it possible to force a user to do something significant? Does using a GUID offer any protection? Does the authentication mechanism really protect against cross-origin attacks? Is it really risky to allow all origins? Do pre-flight requests always help? CORS requests get tricky very quickly and scanning tools do not have a good understanding of the intricacies that surface during actual application testing. A quick and dirty JavaScript exploit will put the issue to rest and eliminate hours of theoretical debate. This presentation covers how to find specific CORS misconfigurations and will not address the basics of CORS. Dozens of actual applications are distilled into examples that demonstrate CORS protections and JavaScript code to bypass them. Knowledge of the available CORS headers, RESTful APIs, and the ability to read JavaScript are necessary to completely understand the techniques in this presentation.
- Bio: Rebecca is an AppSec consultant at DirectDefense. She tests software, writes app exploits, and works on fixing SDLC issues.
- effffn - "IR-dventures from the vendors basements, Circa early 2000s"
- Abstract: This presentation will cover four real Incident Response stories from a hardware vendor's perspective in the early-to-mid 2000s. These are not stories for the modern life where all organizations are prepared with solid security programs and ready to respond to anything *smirk*. These are adventures from when organizations were (way) less prepared to respond to security related incidents and developers would ask "why would someone ever do this?" once they found out people were either messing with packets or reversing firmware images. Other than old story-telling, the objective of the talk is to get attendees to see what we all have (not) learned for over a decade, and really, reflect on how prepared we are these days to deal with certain types of incidents. Not only from a vendor perspective, but for any organization. From fighting DDoS with ACLs and talking to maybe ISPs, to putting your rep on the line when 1337 hackers get a hold of one of your products and do what 1337 hackers do.
- Bio: Security Enthusiast, Con organizer, Beer lover https://about.me/effffn
- EvilMog - "Hashcat Blender - Cool Stuff for Fast Hashes"
- Abstract: EvilMog takes us through his methods of expanding wordlists, and hashcat pot files to perform better password splicing, fingerprinting, raking, purple rain barrel and more to maximize success with fast hashes. This talk will also release a python tool to automate the execution of potfile and wordlist prep called wordlist blender.
- Bio: EvilMog is a member of Team Hashcat and Bishop of the Church of Wifi, doer of things yada yada certifications and stuff
- Agnes Klus - "The 'No, Duh!' Principle - Why InfoSec Needs Governance and the dreaded Audit"
- Abstract: In last year's THOTCON, Keren Elazari and Chris Wysopal touched upon bridging the gap between blue and red teams, business units, as well as other professions to create a comprehensive cyber-shield for the world at large. However, the question becomes how do IT Security professionals do that? Simply involving different business units and teams to be part of email chains or in meetings is not enough. The IT Security landscape is complex, specialized, and with its own language, which most people outside of the realm will not understand. One of the keys to collaboration is in simplifying the information achieved by creating governance controls that are easily understood, but also satisfy regulatory and legal requirements. In lay speak, it answers the questions "Do you know what is happening in your sphere of control?" and "Can you show me that is the case (aka Prove it)?" Incidentally, these are the two main questions that auditors ask when performing assessments. Assessments which, based on my experience, are not happily seen by InfoSec and SecOps folks. Audit is a different beast altogether. Auditors gauge the temperature of different business areas, the results drive decisions, and it is where common folks go to get their answers. By having good governance controls, InfoSec can give the best picture of the IT security landscape, provide clear and easily understood information, improve decision making, and decrease time spent doing audits, especially if teams work with audit to understand the risks that need to be addressed, what frameworks and regulations require, and what upper management wants. Good governance is easy to talk about, but practicing it requires legwork upfront and continuous tinkering. In this talk, I will touch on how to understand audit and on the concept of governance as it relates to business and how to translate that when creating governance controls. I will also speak on uses of governance in Security and how to go about designing controls.
- Bio: Agnes has been part of the IT Audit/governance, IT, and Security world over 10 years in various industries. She got here by stroke of luck.
- Ben Lampere (Fl0rbu5) - "3D printed picks: The next step in lock picking"
- Abstract: The majority of lock picks that are used by your average lock picking enthusiast are flat pieces of metal with various shapes to manipulate the pins. 3D printers allow for high precision with a wide variety of filaments with various strengths and durability. Because of this we will explore the possibility of using 3D printers to create our tools for lock picking. We will be looking at three major areas during this talk: comparing the stability and durability of picks that are 3D printed; looking at what limitations we have with 3D printed picks and whether they are a viable alternative to expensive picks; and creating custom tools for picking high security locks.
The first thing we realize when we 3D print picks is that they are made of filaments and not metal. We can begin by looking at the different filament strengths and their effects while picking. Is ABS strong enough to withstand the bending and grinding of a standard metal pick? We will venture out to alternative filament types such as nylon and Amphora 3D Printer Filament, some of the strongest materials on the market.
The real power of 3D printers is in creativity. We will try to create some tools that can be customized for our specific locks. This includes picking high security locks such as an Abloy Classic that require a precision we will see if our 3D printer is able to handle. Outside of the locks themselves we will explore useful items that may also be printed to make your life easier when picking locks, such as key decoders, pinning trays and vice lock holders for easier picking.
This talk will be done using a consumer level 3D printer specifically the Ender 3. The tools used in the talk can be given to the lock picking area of the conference for the attendees to try out for themselves. I would also be happy to setup the 3D printer at the conference as well. I will also provide any .STL files at the end of the talk for attendees to download.
- Bio: Android developer professionally. Computer Security hobbyist. B0tchsec CTF member. Lock sport athlete and addict. Avid conference attendee.
- Jason Martinsen - "MIYK - Man in your keyboard"
- Abstract: I will be discussing a new MITM device, which I have called (at least in the short term), man in your keyboard (MIYK). MIYK would be positioned between the keyboard and the target computer. This device is a combination of hardware and software that allows for the relaying and capture of keystrokes, as well as the injection of keystrokes to the target. It also leverages a few evasion techniques to avoid detection, such as mirroring the original keyboard's configuration to the target computer as a means to remain hidden. This is in contrast to other HID gadgets that present a NEW keyboard to the target computer. I will be showcasing the above features and discussing the hardware and software requirements to deploy such a device.
As this device has a direct connection, via USB, to the target, it can also emulate other device types, such as a flash drive or network connection. These are not the primary focus of my talk; however, they are definitely capabilities of the device. Other tools have explored some of these attack vectors, including p4wnpi and bash bunny. These vectors allow for some interesting means of data extraction, which will be discussed.
Finally, I will discuss how the platform this tool leverages allows for some type of remote access (via WLAN or cellular). This means these devices could be used to gain network access without having a new discoverable device on the network.
- Bio: My kids call me the fixer. I like to understand how things work so that I can either fix it or tear it apart (those are closely related).
- Anita Nikolich - "Why Can't the FCC Tell the Truth?"
- Abstract: User experiences of broadband availability and speeds and industry metrics differ wildly, even for services in the same square mile. How is this still the case? Accurate physical maps at the street level remain contentious. Self-reported, voluntary data from providers is taken by the FCC at face value, despite actual experiences proving the contrary. Consumers often see maps that claim coverage of their area, while the reality is that one home in an entire census block has connectivity. FCC data is released infrequently, is based on questionable methods, and has been shown to be false and favorable towards carriers, who receive enormous amounts of subsidies to build out infrastructure but are rarely audited. Resilient infrastructure is important in a crisis or natural disaster in which communications need to be available, quickly re-routed and repaired. The recent disaster in Puerto Rico was eye opening to responders who were unable to find accurate telecom maps. What can be done? We propose the creation of an Internet Nutrition Label combining qualitative and quantitative metrics, overseen by an independent watchdog organization like an NTSB (for airline disasters). One example label field is privacy. Personal data collection by broadband providers is ubiquitous, and they sell the information to data brokers. Were an ISP to offer consumers an obvious and free "Opt Out" of data collection, stop throttling certain browsers and resist cooperation with government surveillance programs via data capture on the backbone, their score would be higher. Another field is bandwidth caps. No tangible metrics have proven a negative impact to carrier systems or infrastructure from lifting the caps. The label sheds light on questionable FCC and FTC practices and educates consumers about their limited choices, with an ideal outcome of enacting large scale change through public pressure.
- Bio: Security and privacy researcher who spent a fair amount of time in operations.
- rob rehr - "Hacking Con Badges for Fun and Profit"
- Abstract: Electronic conference and indie badges are becoming increasingly popular. The creators of these badges often unintentionally release details about their designs before the event starts. This can often be enough information to start crafting a hack for the badge, leading to a large advantage if the conference holds a badge hacking competition. In this talk I'll go over my techniques for hacking badges pre-con, including the original Bender Badge and the BSides PDX Badge. I'll also show off a man-in-the-middle tool for badge add-ons, allowing for the monitoring and manipulation of i2c traffic on the badge. I'll recount my adventure hacking the Thotcon 0x9 badge and repurposing it as a morse code repeater to win second place in the Thotcon 0x9 CTF.
- Bio: Hardware hacker by day, design deliriant by night. Senior Electrical Engineer at IDEO.
- Hannah Robbins (robbinbs) && Scott Brink (sandw1ch) - "When a Stranger Comes to Visit: Hacking Visitor Management Systems"
- Abstract: Visitor management systems (VMS) simplify the process of admitting trusted outsiders into a campus. Unfortunately, anything you attach to a computer can be hacked, and VMS are no exception. We set out to find out how vulnerable the systems companies use to admit visitors are, and what we found was surprising--an industry with little focus on security. This talk will focus on the vulnerabilities found while analyzing several visitor management systems and demonstrate how to exploit those vulnerabilities and other misconfigurations to become a trusted visitor--without an appointment.
- Bio: Hannah is a junior at University of Tulsa and Scott is a senior at RIT. They'll work with X-Force Red again this summer.
- Kelley Robinson - "Contact Center Authentication"
- Abstract: You've built login for your application (maybe you even have 2FA), but what happens when a customer calls the support number listed on your website or product? Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempts to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application to facilitate phone authentication.
- Bio: Kelley is a developer, educator, and advocate for secure software development. She currently works on the Account Security team at Twilio.
- Guillaume Ross - "Detecting new malware with osquery"
- Abstract: Osquery is a very popular tool, especially on Mac and Linux systems. While it is perhaps more mature on those platforms, it is still extremely useful in Windows environments, and we know workstations get attacked by malware often. In this talk, we will look at ways osquery can let us detect new malware, on Mac, but also on Windows, and in Docker environments. Specifically, we will look at: monitoring startup items and processes, identifying suspicious files, carving those files, monitoring lateral movement, detecting suspicious PowerShell keywords, extracting information from weird crashes, using osquery to ship only relevant Windows Event Logs from workstations, and bringing it all back together to detect situations that might be caused by malware. In order to ensure bingo cards get filled, the words MACHINE and LEARNING will most likely be yelled at some point.
- Bio: Guillaume has been a consultant helping companies secure their stuff, managed blue teams, and researches IT defense problems.
- Dimitry Snezhkov - "Zombie Ant Farm: Manipulation of Whitelisted Executables in Linux for EDR Evasion"
- Abstract: Endpoint Detection and Response solutions have landed in Linux. With the ever increasing footprint of Linux machines deployed in data centers, threat actors have been forced to move cross platform in the presence of new defensive capabilities. EDRs have their challenges in covering the Linux landscape, and as such they come in various designs and address defense differently. Some focus on sandboxing, others place more effort on execution heuristics, yet others provide facilities to create restricted shells and exist in support of an enterprise policy, augmenting already existing solutions with whitelisting executables on systems. On a recent Red Team engagement our team was faced with overcoming a commercial EDR on Linux. In this talk we want to share a few techniques we used to slide under the EDR radar and expand offensive post-exploitation capabilities on a farm of hardened Linux machines. As they say, when EDRs give you lemons ... you turn them into oranges, and let EDRs make lemonade ;) Specifically, we will see how pristine (often approved) executables could be subverted to execute foreign functionality, avoiding runtime injection or common anti-debugging signatures the defense is looking for. We will walk through the process of using well known capabilities of a dynamic loader, take lessons from user-land root-kits in evasion choices, and attempt to lead DFIR teams on a wild goose chase after the artifacts of a compromise. Many of the details that went into such evasion could be generalized and possibly reused against other EDRs. We fully believe that the ability to retool in the field matters, so we distilled the techniques into reusable code patterns and a small toolkit which will be used as a basis for our discussion. Compelling known good executables to misbehave is so much fun (and profit)!
- Bio: X-Force Red @IBM. Offensive security testing, code hacking and tool building
- Caleb Tennis - "A year's worth of hacks and exploits"
- Abstract: Reverb.com is an ecommerce site for musical gear, with over two million users, transacting over half a billion dollars a year. This presentation will look at the past twelve months of exploits, security issues, reports, vulnerabilities, and everything else we've come across that we've patched. This includes: 1) actual reports of OWASP Top 10 issues, how the vulnerabilities were found, why they were exploitable in the first place, and how we remediated them; 2) API endpoints that 3rd parties found ways to abuse to game the system, and how we detected and mitigated them; 3) non-public data storage endpoints that were found, what was at risk, and how we resolved the issues; 4) brute force password login attempts, how we detect and analyze them, keeping users safe while not aggressively limiting legitimate users' access to the marketplace. This presentation will be a view from the trenches. We'll look at what happened behind the scenes, the ways in which the issues were brought to light (some good, some not so good), the risk involved, and the ways we've changed other parts of the infrastructure and development organizations to adapt to these threats. There will be useful and engaging content, with real data and examples to back it up. Those responsible for securing public web assets should be able to gain insight into the types of exploits hitting a highly trafficked site (US Alexa ranking of 306). Those on red teams may benefit from seeing the ways in which a high profile site has been hit and the creative ways hackers have been able to try and game the system to their benefit.
- Bio: Caleb is the Security Lead for Chicago based Reverb.com, an online marketplace for musical gear.
Track X - Mini Workshops (120 Minute)
- Jon Gear - "MindCraft: Controlling Drones With Your Mind"
- Abstract: This session focuses on leveraging Brain-Computer Interface (BCI) devices and JavaScript to fly a retail drone. We will delve into the wealth of interaction models that BCI devices can offer for piloting drones as well as their limitations. This session aims to give a broad overview of the state of the BCI industry as we know it. It is the goal of this session to empower participants to think outside the box of what it means to interact with an object and foster a desire in the participants to go out into the world and create impactful tools that will help grow our understanding of mind-controlled devices and interfaces. It is not required to have a deep understanding of how BCI devices work or a technical understanding beyond basic programming constructs.
- Bio: Jon Gear is a Solutions Architect for JDK Technologies. Jon's core passions are serverless development, machine learning, and robotics.
- Jay Margalus && Rudy Ristich - "Hacking the Thotcon 0xA Badge"
- Abstract: In this workshop, attendees will learn the ins and outs of the Thotcon 0xA board. We'll cover the board's layout, components, and (some of the) code on the badge. We'll also teach you how to hack the badge to make a small toy. There will be no badge puzzle spoilers revealed in this workshop, though you may learn some interesting skills to help you overcome challenges. Bring your own laptops, cables, badges, etc.
- Bio: Jay: Faculty Director at DePaul, Designer; Rudy: Vice President at Workshop 88
- Price McDonald && Justin Berry - "Fun with SDRs, sorry no Profit"
- Abstract: Hands-on workshop teaching attendees how to get started using SDRs in a low cost fashion. The hands-on labs pertain to using an RTL-SDR to receive and process signals. Attendees will also be walked through some of the more popular SDR options for transmitting, in addition to some of the most common applications for Personal, Research and Security Testing purposes.
- Bio: Price is a perpetually curious person with interests in Hardware Hacking, Penetration Testing, Digital Forensics and Reverse Engineering.
- David Pearson - "Thinking in Reverse to Move Your Network Security Forward: Using PCAP to Break Down Application-Layer Protocols"
- Abstract: As networks become increasingly complex, the ability to break an unknown protocol down and understand its base components and how they interact is a critical element of network security. Protocol reverse engineering allows security analysts to understand not just how the protocol works, but the ways it can leave your enterprise vulnerable. This is especially true at the application level, where insecure or poorly managed applications can leak sensitive data. In this hands-on, interactive workshop, attendees will learn how to reverse engineer real application-layer protocols. During our time together, we'll start at the surface and do a deep technical dive into the network traffic of a common remote access application.
- Bio: David has spent most of his career understanding how networks & apps work, currently as Head of Threat Research for Awake Security.
- Edgar Pek - "Hanging with Dangling Pointers in Linux Kernel"
- Abstract: This presentation aims to serve as a primer on Linux kernel exploitation. Specifically, we will show how to go from a use-after-free (UAF) vulnerability to arbitrary code execution. In the presentation we first introduce the fundamentals behind the Linux kernel to understand the flaw and how it was fixed, and then validate the vulnerability using kernel-level functionality. Next, we explore how to trigger the UAF vulnerability from user space and construct proof-of-concept code that reliably leads to a kernel crash. In the second part of the talk we show how to exploit the vulnerability through an object under our control (in place of the freed object) and introduce a general UAF exploit strategy of probabilistic memory overwriting. Finally, we demonstrate how to achieve code execution and bypass some hardware protection mechanisms (e.g., SMAP / SMEP). While we focus on exploitation of UAF vulnerabilities in the Linux kernel, the scope of the presentation is pertinent to fundamental functionality present in systems software such as processing (scheduler, threads, synchronization), memory allocators, storage (virtual file system) and networking (sockets). Our hope is that the presented concepts will spur new ideas in offensive research of systems software.
- Bio: Edgar Pek is a security researcher working on application security. During his PhD he worked on correctness of systems software.