The DEF CON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown to be a world-known event. Video, audio and supporting materials from past conferences are available on our new media server at: https://media.defcon.org
Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools
Zack Fasel, Managing Partner, Urbane Security

Many struggle in their job with the decision of what events to log in the battle against costly increases to their licensing of a commercial SIEM or other logging solution. Leveraging the open source solutions used for "big data" that have been proven by many can help build a scalable, reliable, and hackable event logging and security intelligence system to address security and (*cringe*) compliance requirements. We'll walk through the various components and simple steps to building your own logging environment that can grow extensively (or stay sized just right) with only additional hardware cost, and show numerous examples you can implement as soon as you get back to work (or home).

Zack Fasel is a Founding Partner at Urbane Security, a solutions-focused, vendor-agnostic information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services. Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in Instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on him can be found at zfasel.com and on Urbane Security at UrbaneSecurity.com.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Schroeder/DEFCON-22-Will-Schroeder-Veil-Pillage-Post-Exploitation-2.0.pdf

Veil-Pillage: Post-exploitation 2.0
Will Schroeder, SECURITY RESEARCHER, VERIS GROUP

The Veil-Framework is a project that aims to bridge the gap between pentesting and red team toolsets. It began with Veil-Evasion, a tool to generate AV-evading payload executables, expanded into payload delivery with the release of Veil-Catapult, and branched into PowerShell functionality with the release of Veil-PowerView for domain situational awareness. This talk will unveil the newest addition to the Veil-Framework, Veil-Pillage, a fully-fledged, open-source post-exploitation framework that integrates tightly with the existing framework codebase. We'll start with a quick survey of the post-exploitation landscape, highlighting the advantages and disadvantages of existing tools. We will cover current toolset gap areas, and how the lack of a single solution with all the options and techniques desired drove the development of Veil-Pillage. Major features of the framework will be quickly detailed, and the underlying primitives that modules build on will be explained. Veil-Pillage, released immediately following this presentation, makes it easy to implement the wealth of existing post-exploitation techniques out there, public or privately developed. Currently developed modules support a breadth of post-exploitation techniques, including enumeration methods, system management, persistence tricks, and more. The integration of various PowerShell post-exploitation components, assorted methods of hashdumping, and various ways to grab plaintext credentials demonstrate the operational usefulness of Veil-Pillage. The framework utilizes a number of triggering mechanisms with a preference toward stealth, contains complete command line flags for third-party integration, and has comprehensive logging and cleanup script capabilities. Welcome to Veil-Pillage: Post-Exploitation 2.0.

Will Schroeder (@harmj0y) is a security researcher and pentester/red-teamer for Veris Group, and is one of the co-founders and active developers of the Veil-Framework, a project aimed at bridging the gap between pentesting and red-team toolsets. Will recently presented at Shmoocon '14 on AV-evasion and custom payload delivery methods utilizing tools he developed, Veil-Evasion and Veil-Catapult. He has presented at various BSides events on the Cortana attack scripting language and obfuscated PyInstaller loaders. He is also the author of Veil-PowerView, a tool for gaining situational awareness on Windows domains, and is an active PowerShell hacker. A former national lab security researcher, he is happy to finally be in the private sector. Twitter: @harmj0y
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Ozavci/DEFCON-22-Fatih-Ozavci-VoIP-Wars-Attack-of-the-Cisco-Phones-UPDATED.pdf

VoIP Wars: Attack of the Cisco Phones
Fatih Ozavci, SENIOR SECURITY CONSULTANT, SENSE OF SECURITY

Many hosted VoIP service providers are using the Cisco hosted collaboration suite and Cisco VoIP solutions. These Cisco hosted VoIP implementations are very similar: they have Cisco Unified Communication services, the SIP protocol for tenants' IP Phones, common conference solutions, the Skinny protocol for compliance, a generic RTP implementation, and the VOSS Solutions product family for tenant management services. Cisco hosted VoIP implementations are vulnerable to many attacks, including:
• VLAN attacks
• SIP trust hacking
• Skinny based signalling attacks
• Bypassing authentication and authorisation
• Call spoofing
• Eavesdropping
• Attacks against IP Phone management services
• Web based vulnerabilities of the products

The presentation covers Skinny and SIP signalling attacks, a 0day bypass technique for call spoofing and billing bypass, LAN attacks against supportive services for IP Phones, and practical 0day attacks against IP Phone management and tenant services. Attacking Cisco VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by the presenter). It has a dozen modules to test trust hacking issues, signalling attacks against SIP services and Skinny services, gaining unauthorised access, call spoofing, brute-forcing VoIP accounts and debugging services using MITM. Furthermore, Viproy provides these attack modules in a penetration testing environment with full integration. The presentation contains a live demonstration of practical VoIP attacks and usage of new Viproy modules.

Fatih Ozavci is a Security Researcher and Senior Consultant with Sense of Security. He is the author of the Viproy VoIP Penetration and Exploitation Testing Kit and the MBFuzzer Mobile Application MITM Fuzzer tool, and he has also published a paper about Hacking SIP Trust Relationships. Fatih has discovered many unknown security vulnerabilities and design and protocol flaws in VoIP environments for his customers, and analyses VoIP design and implementation flaws to help improve VoIP infrastructures. Additionally, he has completed numerous mobile application penetration testing services including, but not limited to, reverse engineering of mobile applications, exploiting mobile service level vulnerabilities, and attacking the data transporting and storing features of mobile applications. His current research focuses on attacking mobile VoIP clients, VoIP service level vulnerabilities, web based VoIP and video conference systems, decrypting custom mobile application protocols and MITM attacks for mobile applications. While Fatih is passionate about VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed in network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. Fatih presented his VoIP research and tool in 2013 at DEF CON 21 (USA), Black Hat Arsenal USA 2013, Cluecon 2013 (USA), Athcon 2013 (Greece), and Ruxcon 2013. Fatih will also present 2 training sessions at AusCERT 2014, "Next Generation Attacks and Countermeasures for VoIP" and "Penetration Testing of Mobile Applications and Services".
http://viproy.com/fozavci/
http://fozavci.blogspot.com/
http://tr.linkedin.com/pub/fatih-ozavci/54/a71/a94
https://twitter.com/fozavci
http://packetstormsecurity.com/files/author/5820
http://www.exploit-db.com/author/?a=5425
http://www.github.com/fozavci
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/White-deVilliers/DEFCON-22-Dominic-White-Ian-de-Villiers-Manna-from-Heaven-Detailed-UPDATED.pdf

Manna from Heaven: Improving the state of wireless rogue AP attacks
Dominic White, CTO, SENSEPOST
Ian de Villiers, SENIOR ANALYST, SENSEPOST

The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks, authentication to wireless networks can either be cracked or intercepted, and our ability to capture credentials at a network level has long been established. Often, the most significant protection users have is hitting the right button on an error message they rarely understand. Worse for the user, these attacks can be repeated per wireless network, allowing an attacker to target the weakest link. This combination of vulnerable and heavily used communications should mean that an attacker need only arrive at a location and set up for credentials and access to start dropping from the sky. However, the reality is far from this: karma attacks work poorly against modern devices, network authentication of the weakest sort defeats rogue APs, and interception tools struggle to find useful details. This talk is the result of our efforts to bring rogue AP attacks into the modern age. The talk provides details of our research into increasing the effectiveness of spoofing wireless networks, and the benefits of doing so (i.e. gaining access). It includes the release of a new rogue access point toolkit implementing this research.

Dominic is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 10 years. He is responsible for SensePost's wireless hacking course, Unplugged. He tweets as @singe.

Ian de Villiers is a security analyst at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of advisories relating to portal platforms. He has also provided security training and spoken at security conferences internationally. Ian has previously published numerous tools, such as reDuh (http://research.sensepost.com/tools/web/reduh) and, more recently, SapProxy (http://research.sensepost.com/cms/resources/tools/servers/sapprox/44con_2011_release.pdf).
Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Self/DEFCON-22-Blake-Self-cisc0ninja-Dont-DDOS-me-bro-UPDATED.pdf

Don't DDoS Me Bro: Practical DDoS Defense
Blake Self, SENIOR SECURITY ARCHITECT
Shawn "cisc0ninja" Burrell, SOLDIERX CREW

Layer 7 DDoS attacks have been on the rise since at least 2010, especially attacks that take down websites via resource exhaustion. Using various tools and techniques, it is possible to defend against these attacks on even a shoestring budget. This talk will analyze and discuss the tools, techniques, and technology behind protecting your website from these types of attacks. We will be covering attacks used against soldierx.com as well as attacks seen in Operation Ababil. Source code will be released for SOLDIERX's own DDoS monitoring system, RoboAmp.

Blake Self is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and in R&D at various corporations. He has been attending Defcon since high school and has given several talks. He currently works in the financial sector and was directly involved in defending against the DDoS attacks of Operation Ababil. Blake holds an M.S. in Computer Science from Purdue University.

Shawn "cisc0ninja" Burrell is a long time crew member of SOLDIERX. He was a critical component of projects such as the "Hacker Database", the largest open source database of individuals involved in the security/hacking scene. He has also worked as a SIPRNET Administrator for the Department of Defense. He currently works in threat intelligence, where he discovers current campaigns and how to defend against them. He once claimed he was the only person at Defcon who could actually dance, although that was before the conference was at its current popularity. Web: https://www.soldierx.com Facebook: https://www.facebook.com/soldierxDOTcom
Michele Fincher - How to you Feel about your Mother.. Psych and The SE
Blinding The Surveillance State
Christopher Soghoian, Principal Technologist, American Civil Liberties Union

We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications, is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.

Christopher Soghoian is a privacy researcher and activist, working at the intersection of technology, law and policy. He is the Principal Technologist with the Speech, Privacy and Technology Project at the American Civil Liberties Union. Soghoian completed his Ph.D. in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers.
Chris Hadnagy - What Your Body Tells Me - Body Language for the SE
A Survey of Remote Automotive Attack Surfaces
Charlie Miller, Security Engineer, Twitter
Chris Valasek, Director of Threat Intelligence, IOActive

Automotive security concerns have gone from the fringe to the mainstream, with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Last year, we discussed 2 particular vehicles. However, since each manufacturer designs their fleets differently, analysis of remote threats must avoid generalities. This talk takes a step back and examines the automotive networks of a large number of different manufacturers from a security perspective. From this larger dataset we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last 5 years? What does the future of automotive security hold, and how can we protect our vehicles from attack moving forward?

Charlie Miller is a security engineer at Twitter. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated". Twitter: @0xcharlie

Christopher Valasek is the Director of Security Intelligence at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus on reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. Valasek is also the Chairman of SummerCon, the nation's oldest hacker conference. Twitter: @nudehaberdasher
Brent White - Corporate Espionage - Gathering Actionable Intelligence Via Covert Operations
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Zoz/DEFCON-22-Zoz-Dont-Fuck-It-Up-UPDATED.pdf

Don't Fuck It Up!
Zoz, ROBOTICS ENGINEER

Online antics used to be all about the lulz; now they're all about the pervasive surveillance. Whether you're the director of a TLA just trying to make a booty call or an internet entrepreneur struggling to make your marketplace transactions as smooth as silk, getting up to any kind of mischief involving electronic communications now increasingly means going up against a nation-state adversary. And if even the people who most should know better keep fucking it up, what does that mean for the rest of us? What do the revelations about massive government eavesdropping and data ingestion mean for people who feel they have a right if not a duty to occasionally be disobedient? It's time for a rant. Analyzing what is currently known or speculated about the state of online spying through the prism of some spectacular fuckups, this talk offers an amusing introduction to how you can maximize your chances of enduring your freedom while not fucking it up. Learn how not to fuck up covering your tracks on the internet, using burner phones, collaborating with other dissidents and more. If you have anything to hide, and all of us do, pay attention and Don't. Fuck. It. Up!

Zoz is a robotics engineer, prankster and general sneaky bastard. He has been pretty successful at pulling some cool subversive shit and not fucking it up and getting caught. He once faked a crop circle for the Discovery Channel and it was all uphill from there.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Balazs/DEFCON-22-Zoltan-Balazs-Bypass-firewalls-application-whitelists-in-20-seconds-UPDATED.pdf

Bypass firewalls, application white lists, secure remote desktops under 20 seconds
Zoltán Balázs, CHIEF TECHNOLOGY OFFICER AT MRG EFFITAS

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where you have deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation. I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he worked for 5 years in the financial industry as an IT Security expert, and for 2 years as a senior IT security consultant at one of the Big Four companies. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, consisting of POC malicious browser extensions for Firefox, Chrome and Safari. He has been invited to present at information security conferences worldwide including Hacker Halted USA, OHM, Hacktivity, Ethical Hacking, Defcamp. He is a proud member of the gula.sh team, 2nd runner up at the global Cyberlympics 2012 hacking competition.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Hecker/DEFCON-22-Weston-Hecker-Burner-Phone-DDOS-UPDATED.pdf

Burner Phone DDOS 2 dollars a day : 70 Calls a Minute
Weston Hecker, SR SYSTEMS SECURITY ANALYST/ NETWORK SECURITY

Phone DDOS research. The current proof of concept uses a Samsung SCH-U365 Qualcomm prepaid Verizon phone; custom firmware was written that turns it into an anonymous DOS system. It does PRL list hopping and several other interesting evasion methods. The new firmware has two features: one, you text it a number and it will spam-call that number 70 times a minute until the battery dies, all for 2 dollars a day; and second, if a number that is in the address book calls it, it automatically picks up on speakerphone. Also covered are ways to mitigate this attack with load-balancing call managers and CAPTCHA-based systems.

Weston is a Systems Network Analyst / Penetration Tester / President of the Computer Security Association of North Dakota, with tons of computer security certs. He studied Computer Science/Geophysics, has 9 years of computer security experience and disaster recovery experience, and has attended DEF CON since DEF CON 9. Tools: Weston has developed custom plug-ins for scanning tools that are specific to ISP gear, e.g. Calex, Brocade and more obscure ISP gear. He made custom "iPhone" enclosures for the Teensy 3.0 that he uses on pen tests, and a custom Arduino-board RFID scanner attachment that mounts under a worker's chair and scans their wallet. Twitter: @westonhecker
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/McGrew/DEFCON-22-Wesley-McGrew-Instrumenting-Point-of-Sale-Malware.pdf
Additional Materials available: https://www.defcon.org/images/defcon-22/dc-22-presentations/McGrew/DEFCON-22-Wesley-McGrew-Instrumenting-Point-of-Sale-Malware-WP.pdf

Instrumenting Point-of-Sale Malware: A Case Study in Communicating Malware Analysis More Effectively
Wesley McGrew, ASSISTANT RESEARCH PROFESSOR, MISSISSIPPI STATE UNIVERSITY

The purpose of this talk is to promote the adoption of better practices in the publication and demonstration of malware analyses. For various reasons, many popular analyses of malware do not contain the information required for a peer analyst to replicate the research and verify results. This hurts analysts that wish to continue to work more in-depth on a sample, and reduces the value of such analyses to those who would otherwise be able to use them to learn reverse engineering and improve themselves personally. This paper and talk propose that we borrow the concept of "executable research" by supplementing our written analysis with material designed to illustrate our analysis using the malware itself. Taking a step beyond traditional sandboxes to implement bespoke virtual environments and scripted instrumentation with commentary can supplement written reports in a way that makes the analysis of malware more sound and useful to others. As a case study of this concept, an analysis of the recent high-profile point-of-sale malware JackPOS is presented with enough information to replicate the analysis on the provided sample. A captured command-and-control server is included, and Python-based harnesses are developed and presented that illustrate points of interest from the analysis by instrumenting the execution of the malware itself.

Wesley McGrew (@McGrewSecurity) is an assistant research professor at Mississippi State University's Department of Computer Science and Engineering, where he works with the newly formed Distributed Analytics and Security Institute. He recently earned a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems. He also lectures for the MSU National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. In the spring 2013 semester, he began teaching a self-designed course on reverse engineering to students at MSU, using real-world, high-profile malware samples, as part of gaining NSA CAE Cyber Ops certification for MSU. Wesley has presented at Black Hat USA and DEF CON, and is the author of penetration testing and forensics tools that he publishes through his personal/consultancy website, McGrewSecurity.com. Twitter: @McGrewSecurity Web: http://mcgrewsecurity.com
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Strazzere-Sawyer/DEFCON-22-Strazzere-and-Sawyer-Android-Hacker-Protection-Level-UPDATED.pdf

Android Hacker Protection Level 0
Tim Strazzere, LEAD RESEARCH & RESPONSE ENGINEER
Jon Sawyer, CTO OF APPLIED CYBERSECURITY LLC

Obfuscator here, packer there - the Android ecosystem is becoming a bit cramped with different protectors for developers to choose from. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear: after drinking all the cheap wine, two Android hackers have attacked all the protectors currently available for everyone's enjoyment! Whether you've never reversed Android before or are a hardened veteran, there will be something for you, along with all the glorious PoC tools and plugins your little heart could ever desire.

Tim "diff" Strazzere is a Lead Research and Response Engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include reversing the Android Market protocol, Dalvik decompilers and memory manipulation on mobile devices. Past speaking engagements have included DEFCON, BlackHat, SyScan, HiTCON and EICAR.

Jon "Justin Case" Sawyer - 31 yr old father of four, and CTO of Applied Cybersecurity LLC. Jon likes to spend his nights with a fine (cheap) glass of wine, writing exploits for the latest Android devices. When not researching vulnerabilities or writing exploits, he dabbles in Dalvik obfuscation.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Schrodinger/DEFCON-22-Tess-Schrodinger-Raxacoricofallapatorius-With-Love-Case-Studies.pdf

From Raxacoricofallapatorius With Love: Case Studies In Insider Threat
Tess Schrodinger

Espionage, honey pots, encryption, and lies. Clandestine meetings in hotels. The naïve girl seduced by a suave businessman. The quiet engineer who was busted by the shredded to-do list found in his trash. Encryption the NSA couldn't crack. What motivates insiders to become threats? How were they caught? What are potential red flags to be aware of? Acquire a new awareness around what makes these people tick.

Tess has over twenty years in law enforcement, investigation, forensics (bullets & blood, not 1s & 0s), and industrial security. She holds a Bachelor of Sociology, a Master of Security Management, and a graduate certificate in cybersecurity technology. One of her many current objectives is to bridge the gap between traditional security and cyber security by promoting awareness and education, both to the technologically ignorant who are often overwhelmed by the potential threats and how they can be targeted, and to the technically gifted who are often unfamiliar with the threats, vulnerabilities, and mitigation techniques that lie outside their world of technology.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Petrov-Gaivoronski/DEFCON-22-Ivan-Petrov-Svetlana-Gaivoronski-ShellCodes-for-ARM-Updated.pdf
Extra Materials are available here: https://defcon.org/images/defcon-22/dc-22-presentations/Petrov-Gaivoronski/DEFCON-22-Ivan-Petrov-Svetlana-Gaivoronski-ShellCodes-for-ARM.avi

Shellcodes for ARM: Your Pills Don't Work on Me, x86
Svetlana Gaivoronski, PHD STUDENT, MOSCOW STATE UNIVERSITY, RUSSIA
Ivan Petrov, MASTERS STUDENT, MOSCOW STATE UNIVERSITY, RUSSIA

Despite the fact that it is almost 2014, the problem of shellcode detection, discovered in 1999, is still a challenge for researchers in industry and academia. The significance of remotely exploitable vulnerabilities does not seem to fade away. The number of remotely exploitable vulnerabilities continues to grow despite the significant efforts in improving code quality via code analysis tools, code review, and a plethora of testing methods. The other trend of recent years is the rise of a variety of ARM-based devices such as mobile phones, tablets, etc. As of now the total number of ARM-based devices exceeds the number of PCs several times over. This trend is sometimes terrifying, as people trust almost all aspects of their lives to such digital devices. People care much more about convenience than the security of their data. For example, mobile phones now know our financial information and health records, and keep a lot of other private data. That's why ARM-based systems became a cherry pie for attackers. There is a variety of shellcode detection methods that work more or less acceptably with x86-based shellcodes. There are even hybrid solutions that combine the capabilities of existing approaches. Unfortunately, almost all of them focus on a fixed set of shellcode features specific to the x86 architecture. This work aims to cover this gap.

This work makes the following contributions:
• We provide an analysis of existing shellcode detection methods with regard to their applicability to shellcodes developed for the ARM architecture. As a result, we show that most existing algorithms are not applicable to shellcodes written for ARM. Moreover, the methods that do work for ARM shellcodes produce too many false positives to be applicable to real-life network channels and 0-day detection.
• We analyzed available ARM-based shellcodes from public exploit databases, and identified a set of ARM shellcode features that distinguishes them from x86 shellcodes and benign binaries.
• We implemented our detectors of ARM shellcode features as an extension for the Demorpheus[1] shellcode detection open-source library. The algorithm used for generation of the detectors' topology guarantees the solution to be optimal in terms of computational complexity and false positive rate.

Svetlana Gaivoronski is a PhD student at the Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Svetlana was a member of the Bushwhackers CTF team. Svetlana worked on the Redsecure project (experimental IDS/IPS) at Moscow State University. In summer 2013 Svetlana worked at Microsoft Research on a botnet detection in clouds project. Now Svetlana works on shellcode-detection and DDoS-mitigation projects. Her primary interests are network worm propagation detection and filtering, shellcode detection, static and runtime analysis of malware, DDoS detection and filtering. Twitter: @SadieSv

Ivan Petrov is a master's student at the Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Ivan is an active member of the Bushwhackers CTF team, which is the winner of the iCTF competition this year. Ivan works on shellcode-detection projects. His primary interests are mobile security and network security, including analysis of ARM-based malware. Twitter: _IvanPetrov_
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf

Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System
Shane Macaulay, DIRECTOR OF CLOUD SECURITY, IOACTIVE

Windows 7 & Server 2008 R2 and earlier kernels contain significant executable regions available for abuse. These regions are great hiding places and more; e.g. using PTE shellcode from ring3 to induce code into ring0, or hiding rootkits with encoded and decoded page table entries. Additional ranges/vectors, the Kernel Shim Engine, ACPI/AML, and boot-up resources & artifacts will also be shown to be useful for code gadgets. We will review the state of affairs with the changes between Win7/8, what exposures were closed and which may remain. APT threats abuse many of these areas to avoid inspection. By the end of this session we will also show you how to walk a page table, why Windows 8 makes life easier, what to look for and how to obtain a comprehensive understanding of what possible code is hiding/running on your computer. Final thoughts on using a VM memory snapshot to fully describe/understand any possible code running on a Windows system.

Shane "K2" Macaulay's last DEF CON presentation was an offensive tool, ADMmutate, during DEF CON 9, but he has more recently been focused on defensive techniques and helped develop an APT detection service (http://blockwatch.ioactive.com) used to protect Microsoft OS platforms. Shane has spent time finding ways to fully understand the state of system code, to answer "What is actually running on your computer?", to aid in forensic analysis, incident response and enterprise protection capacities. Shane is currently employed by IOActive as Director of Cloud Security and has presented at many previous security conferences/venues.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Tal/DEFCON-22-Shahar-TaI-I-hunt-TR-069-admins-UPDATED.pdf
I Hunt TR-069 Admins: Pwning ISPs Like a Boss
Shahar Tal SECURITY & VULNERABILITY RESEARCH TEAM LEADER, CHECK POINT SOFTWARE TECHNOLOGIES
Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape - every so often we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical amounts of users. These servers are, by design, in complete control of entire fleets of consumer premises devices, intended for use by ISPs and Telco providers, or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices. During the talk (pending patch availability), we will release exploits for vulnerabilities we discovered in ACS software, including RCE on a popular package, leading to ACS (and managed fleet) takeover.
Shahar Tal leads a team of Security & Vulnerability Researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar (that's Major Tal, for you) brings over ten years of experience in his game, eager to speak and share in the public domain. Shahar is a proud father, husband and a security geek who still can't believe he's getting paid to travel to awesome infosec cons. When you meet him, ask him to show you his hexdump tattoo.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Erven-Merdinger/DEFCON-22-Scott-Erven-and-Shawn-Merdinger-Just-What-The-DR-Ordered-UPDATED.pdf
Just What The Doctor Ordered?
Scott Erven FOUNDER & PRESIDENT, SECMEDIC, INC
Shawn Merdinger HEALTHCARE SECURITY RESEARCHER
You have already heard the stories of security researchers delivering lethal doses of insulin to a pump, or delivering a lethal shock to a vulnerable defibrillator. But what is the reality of medical device security across the enterprise? Join us for an in-depth presentation about a three-year independent research project, encompassing medical devices across all modalities inside today’s healthcare landscape. Think they are firewalled off? Well, think again. Scarier yet, many remain Internet facing and are vulnerable to strategic attack with the potential loss of human life. And yes, you will be amazed at what we found in just 1 hour! We will prove that an attacker can access medical devices at thousands of healthcare facilities from anywhere in the world with the potential loss of human life. This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.
Scott Erven is a healthcare security visionary and thought leader, with over 15 years’ experience in Information Technology & Security. He is also the Founder and President of SecMedic, Inc. His research on medical device security has been featured in Wired and numerous media outlets worldwide. Mr. Erven has presented his research and expertise in the field internationally. He has been involved in numerous IT certification development efforts as a subject matter expert in Information Security. His current focus is research affecting human life and public safety issues inside today’s healthcare landscape.
Shawn Merdinger is a security researcher with 15 years' information security and IT experience. He is founder of MedSec, a LinkedIn group focused on medical device security risks with over 500 members, and has worked with Cisco Systems, TippingPoint, an academic medical center, and as an independent security researcher and consultant. He's served as technical editor for 12 security books from Cisco Press, Pearson, Syngress and Wiley. Shawn has presented original security research at DEF CON, DerbyCon, Educause, ShmooCon, CONfidence, NoConName, O’Reilly, IT Underground, InfraGard, ISSA, CarolinaCon and SecurityOpus. He holds a master's from the University of Texas at Austin and two bachelor's from the University of Connecticut.
Hacking the FBI: How & Why to Liberate Government Records
Ryan Noah Shapiro PhD candidate, Massachusetts Institute of Technology
After narrowly avoiding a lengthy activism-related prison sentence, I began PhD work at MIT in part to map out the criminalization of political dissent in post-9/11 America. Especially in trying to obtain records from the FBI, Freedom of Information Act (FOIA) work became an essential component of my research. However, it quickly became apparent that the FBI routinely refused to comply with FOIA. Less clear was how the Bureau was managing to accomplish this systematic violation of federal law. Consequently, I spent years using FOIA and other tools to map out the hidden mechanisms of FBI non-compliance with the Freedom of Information Act. It worked. Using the FOIA methodologies I’d developed, I began receiving tens of thousands of pages from the FBI on its targeting of domestic protest groups. As a result, the FBI is now attempting to shut down my research by arguing in court that my dissertation FOIA research itself is a threat to national security. Such efforts by the FBI are just one component of the ongoing crisis of secrecy we now face. The records of government are the property of the people, but these records are consistently withheld from us. My talk will cover my research into the historical and contemporary use of the rhetoric and apparatus of national security to marginalize political dissent, my work to reveal the hidden mechanisms of FBI FOIA operations, the FBI’s efforts to shut down my research, the ongoing crisis of secrecy and consequent threat to democracy, and the pressing need for additional modes of hacking the FBI and other intelligence agencies to pick up where FOIA leaves off. The records of government belong to us. It’s time to reclaim them.
Ryan Shapiro is a transparency activist and PhD candidate in MIT’s Department of Science, Technology, & Society (HASTS). Ryan’s research focuses on the political functioning of national security and the policing of dissent. To this end, he currently has over 700 Freedom of Information Act (FOIA) requests in motion with the FBI, making him the FBI’s “most prolific” FOIA requestor. Ryan also has numerous FOIA requests in motion with the CIA, DIA, and NSA, as well as a host of active lawsuits against these agencies for their routine failure to comply with his FOIA requests. The FBI is even now arguing in court that Ryan’s dissertation FOIA research itself is a threat to national security.
Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring
Ryan Lackey Founder, CryptoSeal, Inc.
Marc Rogers Principal Security Researcher, Lookout
The Grugq Information Security Researcher
Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny. Format-Transforming Encryption (FTE) can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden. However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raises other red flags when a host purporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings. We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application set in network traffic and settings, both evading automated detection and frustrating after-the-fact analysis.
Ryan Lackey, Founder of CryptoSeal, founded HavenCo, the world’s first offshore datahaven, has worked as a defense contractor in Iraq and Afghanistan and at various technology startups, and is currently working on a secure hardware-based router for business travelers.
Marc Rogers is an English hacker, Director of SecOps for DEF CON, and works as Principal Security Researcher for Lookout.
The Grugq is a pioneering information security researcher with over a decade of professional experience. He has worked extensively with digital forensic analysis, binary reverse engineering, rootkits, Voice over IP, telecommunications and financial security. The Grugq's professional career has included Fortune 100 companies, leading information security firms and innovative start-ups. Claims to fame:
- pioneered anti-forensics
- developed "userland exec"
- released VoIP attack software
- decade of experience in infosec
- long term liaison w/ digital underground
- described as "extremely handsome" [by his mom]
- 1992 Sussex County 3-legged race, 2nd place
The Grugq has spoken at dozens of conferences over the last 7 years; provided expert training courses to .gov, .mil, police and businesses; and has domain expertise on forensics, VoIP, telecommunications and financial systems.
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf
Investigating PowerShell Attacks
Ryan Kazanciyan TECHNICAL DIRECTOR, MANDIANT
Matt Hastings CONSULTANT, MANDIANT
Over the past two years, we've seen targeted attackers increasingly utilize PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you've got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you're not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features. This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, etc. - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
Ryan Kazanciyan is a Technical Director with Mandiant and has ten years of experience in incident response, forensic analysis, and penetration testing. Since joining Mandiant in 2009, he has led incident response and remediation efforts for dozens of Fortune 500 organizations, focusing on targeted attacks, industrial espionage, and financial crime. He has also helped develop Mandiant's investigative methodologies, forensic analysis techniques, and technologies to address the challenges posed by skilled intruders in complex environments. Prior to his work in incident response, Ryan led and executed penetration tests for both private and public-sector clients. His background includes red-team operations in Windows and Unix environments, web application security assessments, and social engineering. As a lead instructor and content author for Mandiant's incident response training, Ryan also regularly teaches classes for corporate security teams, federal law enforcement, and at industry conferences. Twitter: @ryankaz42
Matt Hastings is a Consultant with Mandiant, a division of FireEye, Inc. Based in the Washington, D.C. area, Matt focuses on enterprise-wide incident response, high-tech crime investigations, penetration testing, strategic corporate security development, and security control assessments, working with the Federal government, defense industrial base, financial industry, Fortune 500 companies, and global organizations. Twitter: @HastingsVT
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Rowley/DEFCON-22-Robert-Rowley-Detecting-Defending-Against-Surveillance-State.pdf
Detecting and Defending Against a Surveillance State
Robert Rowley SECURITY RESEARCHER, TRUSTWAVE SPIDERLABS
This talk is based on semi-recent reported leaks that detail how state actors could be engaging in surveillance against people they deem as 'threats'. I will cover the basics on what was leaked, and focus the talk on how to detect hardware bugs, implanted radio transceivers, firmware injections, cellular network monitoring, etc. No need to bring your tin-foil hats though; the discussion here is a pragmatic approach to how to detect such threats and identify if you have been targeted. No blind faith approaches, or attempts to sell any privacy snake oil, will be found here.
Robert is a Security Researcher for Trustwave SpiderLabs and has been an active member of the Southern California hacking scene for over the last 10+ years, co-founding Irvine Underground and recently presenting on many topics including Juice Jacking, Web Application Security and more. I am presenting on a personal passion this time, Privacy.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Theime/DEFCON-22-Theime-Truth-Through-Fiction-Updated.pdf
The Only Way to Tell the Truth is in Fiction: The Dynamics of Life in the National Security State
Richard Thieme THIEMEWORKS
Over a decade ago, a friend at the National Security Agency told Richard Thieme that he could address the core issues they discussed in a context of "ethical considerations for intelligence and security professionals" only if he wrote fiction. "It's the only way you can tell the truth," he said. Three dozen published short stories and one novel-in-progress (FOAM) later, one result is "Mind Games," published in 2010 by Duncan Long Publishing, a collection of stories that illuminates “non-consensual realities”: the world of hackers; the worlds of intelligence professionals; encounters with other intelligent life forms; and deeper states of consciousness. A recent scholarly study, “The Covert Sphere” by Timothy Melley, documents the way the growth and influence of the intelligence community since World War 2 has created precisely the reality to which that NSA veteran pointed. The source of much of what “outsiders” believe is communicated through novels, movies, and television programs. But even IC “insiders” rely on those sources, as compartmentalization prevents the big picture from coming together because few inside have a “need to know.” Thieme asked a historian at the NSA what historical events they could discuss with a reasonable expectation that their words denoted the same details. “Anything up to 1945,” the historian said with a laugh – but he wasn’t kidding. Point taken. This fascinating presentation illuminates the Möbius strip on which all of us walk as we make our way through the labyrinth of security and intelligence worlds we inhabit of necessity, all of us some of the time and some of us all of the time. It discloses why “post-modernism” is not an affectation but a necessary condition of modern life. It addresses the words of an NSA intelligence analyst who responded to one of Thieme’s stories by saying, “most of this isn’t fiction, but you have to know which part to have the key to the code.” This talk does not provide that key, but it does provide the key to the key. It also throws into relief everything else you hear – whether from the platform or in the hallways – inside this conference. And out there in the “real world.” “Nothing is what it seems.”
Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change and identity shift. His column, "Islands in the Clickstream," was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the NSA said, "The only way you can tell the truth is through fiction," he returned to writing stories, 19 of which are collected in “Mind Games.” He is co-author of the critically acclaimed “UFOs and Government: A Historical Inquiry,” a 5-year research project using material exclusively from government documents and other primary sources, now in 50 university libraries. Speeches based on the book have been given for HITB-KL, an FBI/InfraGard “superconference,” the Ryerson Astronomical Society at the University of Chicago, the Chicago Astronomical Society at Adler Planetarium, and dozens of libraries. A novel, FOAM, is in progress and “A Richard Thieme Reader” will be published soon. His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities, including Purdue University (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas, the “Design Matters” lecture series at the University of Calgary, “The Real Truth: A World’s Fair” at Raven Row Gallery, London, and as a Distinguished Lecturer in Telecommunications Systems Management at Murray State University. He addressed the reinvention of “Europe” as a “cognitive artifact” for curators and artists at Museum Sztuki in Lodz, Poland.
A full bio is at: http://www.thiemeworks.com/about/fuller-bio-of-richard-thieme/
www.thiemeworks.com
Twitter and Skype: neuralcowboy
LinkedIn: Richard Thieme
Facebook: Richard Thieme author page
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Klafter-Swanson/DEFCON-22-Richard-Klafter-and-Eric-Swanson-Check-Your-Fingerprints-Cloning-the-Strong-Set.pdf
Check Your Fingerprints: Cloning the Strong Set
Richard Klafter (Free) SENIOR SOFTWARE ENGINEER, OPTIMIZELY
Eric Swanson (Lachesis) SOFTWARE DEVELOPER
The web of trust has grown steadily over the last 20 years and yet the tooling that supports it has remained stagnant despite staggering hardware advancement. Choices that seemed reasonable 20 years ago (32-bit key ids or even 64-bit key ids) are obsolete. Using modern GPUs, we have found collisions for every 32-bit key id in the strong set, with matching signatures and key sizes (e.g. RSA 2048). Although this does not break the encryption the web of trust is built on, it further erodes the usability of the web of trust and increases the chance of human error. We will be releasing the tool we developed to find fingerprint collisions. Vanity GPG key, anyone?
Richard Klafter is a senior software engineer at Optimizely specializing in web security. In his free time you’ll find him writing new software or breaking existing software. He coauthored scallion (https://github.com/lachesis/scallion), a vanity address generator for Tor’s hidden services.
Eric Swanson is a freelance software developer with a passion for netsec. He coauthored scallion, a vanity address generator for Tor’s hidden services.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Pierce-Loki/DEFCON-22-Pierce-Loki-NSA-PLAYSET-GSM.pdf
NSA Playset: GSM Sniffing
Pierce SECURITY RESEARCHER
Loki SECURITY RESEARCHER
A5/1, as implemented in GSM, was broken wide open in 2003, yet GSM is still the most widely used mobile communications protocol in the world. Introducing TWILIGHTVEGETABLE, our attempt to pull together the past decade of GSM attacks into a single, coherent toolset, and finally bring real, practical GSM sniffing to the masses.
Loki and Pierce are security researchers in Portland, Oregon who operate out of the BrainSilo hackerspace. They each have a decade of experience breaking various forms of wireless and telecom networks, and a passion for empowering the security community.
How To Get Phone Companies To Just Say No To Wiretapping
Phil Zimmermann President & Co-Founder, Silent Circle
Phil is going to talk about his latest projects, which are helping several mobile carriers to provide their customers with wiretap-free phone services. These carriers are breaking ranks with the rest of their industry's century-long culture of wiretapping. When you can get actual phone companies to join in the struggle, you know change is afoot. And yes, Navy SEALs are involved.
Phil Zimmermann is the creator of both PGP, the most widely used email encryption software in the world, and the Zfone/ZRTP secure VoIP standard, and is now co-founder of Silent Circle. Earlier in 2012 Phil was honored as an inductee into the 'Internet Hall of Fame.' PC World named him one of the 'Top 50 Tech Visionaries' of the last 50 years and InfoWorld named him one of the 'Top 10 Innovators in E-business.' He has received Privacy International's 'Louis Brandeis Award,' CPSR's 'Norbert Wiener Award,' the 'EFF Pioneer Award,' and the Chrysler Award for 'Innovation in Design.'
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Young/DEFCON-22-Philip-Young-From-root-to-SPECIAL-Hacking-IBM-Mainframes-Updated.pdf
From root to SPECIAL: Pwning IBM Mainframes
Philip “Soldier of Fortran” Young
1.1 million transactions are run through mainframes every second worldwide. From your flight to your ATM withdrawal, a mainframe was involved. These critical mainstays of the corporate IT world aren’t going anywhere. But while the hacker community has evolved over the decades, the world of mainframe security has not. This talk will demonstrate how to go from meeting an IBM zSeries z/OS mainframe, to getting root, and eventually to getting system SPECIAL, using tools that exist currently and newly written scripts. It will also show you how you can get access to a mainframe to help develop your own tools and techniques. This talk will teach you the ‘now what’ after you've encountered a mainframe, returning the balance from the ‘computing mystics’ who run the mainframe back to the community.
Phil “Soldier of Fortran” Young is a mainframe security researcher at a large corporation where he develops audit and security requirements guidelines for the various ‘legacy’ mainframe systems. In polite company he is referred to as a ‘Mainframe Security Enthusiast’ and amongst mainframers as “that f***ing guy making my life harder”. He has given talks about mainframe security at various security conferences including BlackHat, BSidesLV and Shmoocon. While at work and at home he devotes his time to researching z/OS design and implementation flaws, developing tools and writing articles and resources for other security experts to leverage as they “discover” the mainframe. Twitter: @mainframed767
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Such/DEFCON-22-Paul-Such-0x222-Playing-with-Car-Firmware.pdf
Playing with Car Firmware, or How to Brick your Car
Paul Such 0x222 FOUNDER OF SCRT
Agix SCRT
A lot of papers have already been done/produced on hacking cars through OBD2/CAN bus. Looking at the car firmware could also be something really fun :) How to access the firmware, hidden menus & functionalities, hardcoded SSID, users and passwords (yes, you read right), are some of the subjects we will cover during this short presentation.
Paul Such 0x222 is a security engineer and the founder of SCRT, a Swiss company specialized in ethical hacking / penetration testing and digital forensics since 2002. He is also the organizer of the Insomni'hack event (CTF and security conference in Switzerland). Twitter: @0x222 Website: http://www.scrt.ch
Florian Gaultier (Agix) is a security enthusiast working for SCRT France since 2012. He is also the founder of the StHack security conference in Bordeaux (FRANCE) and a member of the w3stormz CTF team. Loving reverse engineering, he was happy to work on this project. Twitter: @agixid
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Mcmillan/DEFCON-22-Paul-Mcmillan-Attacking-the-IOT-Using-timing-attacks.pdf
Attacking the Internet of Things using Time
Paul McMillan SECURITY ENGINEER, NEBULA
Internet of Things devices are often slow and resource constrained. This makes them the perfect target for network-based timing attacks, which allow an attacker to brute-force credentials one character at a time, rather than guessing the entire string at once. We will discuss how timing attacks work, how to optimize them, and how to handle the many factors which can prevent successful exploitation. We will also demonstrate attacks on at least one popular device. After this presentation, you will have the foundation necessary to attack your own devices, and a set of scripts to help you get started.
Paul McMillan is a security engineer at Nebula. He also works on the security teams for several open source projects. When he's not building or breaking the internet, he enjoys cocktails and photography.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Drapeau-Dukes/DEFCON-22-Drapeau-Dukes-Steganography-in-Commonly-Used-HF-Radio-Protocols-UPDATED.pdf
Additional Extra Materials are available here: https://defcon.org/images/defcon-22/dc-22-presentations/Drapeau-Dukes/Paul%20Drapeau%20and%20Brent%20Dukes%20-%20Extras.zip
Steganography in Commonly Used HF Radio Protocols
Paul Drapeau PRINCIPAL SECURITY RESEARCHER, CONFER TECHNOLOGIES INC.
Brent Dukes
Imagine having the capability to covertly send messages to an individual or a larger audience, without the need for large centralized infrastructure where your message could be observed, intercepted, or tampered with by oppressive governments or other third parties. We will discuss the opportunities and challenges with steganography implementations in widely used amateur radio digital modes, and present a proof of concept implementation of hiding messages within innocuous transmissions using the JT65 protocol. This technique could theoretically be used to implement a low cost, low infrastructure, covert, worldwide short message broadcasting or point-to-point protocol. No messages in codes or ciphers intended to obscure the meaning thereof were actually transmitted over the amateur bands during the creation of this talk.
Paul Drapeau is currently the Principal Security Researcher for Confer Technologies Inc. He has held senior level IT security roles and consulted on information security topics for various organizations for over 15 years. Paul has a bachelor's degree in computer science from the University of Rhode Island and has been licensed as an amateur radio operator since 1986.
Brent Dukes has a decade of experience working in software and systems engineering roles. He spends his nights tied to various hardware hacking projects sitting in pieces all over his lab, and participating in CTFs. His idea of fun is reverse engineering and modifying toys and consumer electronics for the purposes of good. Brent has been a licensed amateur radio operator since 2006.
Paul Drapeau - Twitter: @pdogg77
Brent Dukes - Twitter: @TheDukeZip
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Moore-Wardle/DEFCON-22-Colby-Moore-Patrick-Wardle-Synack-DropCam-Updated.pdf
Optical Surgery: Implanting a DropCam
Patrick Wardle DIRECTOR OF RESEARCH, SYNACK
Colby Moore SECURITY RESEARCH ENGINEER, SYNACK
Video monitoring solutions such as DropCam aim to provide remote monitoring, protection and security. But what if they could be maliciously subverted? This presentation details a reverse-engineering effort that resulted in the full compromise of a DropCam. Specifically, given physical access and some creative hardware and software hacks, any malicious software may be persistently installed upon the device. Implanting a wireless video monitoring solution presents some unique opportunities, such as intercepting the video stream, ‘hot-micing’, or even acting as a persistent access/attack point within a network. This presentation will describe such an implant, as well as revealing a method of infecting either Windows or OS X hosts that are used to configure a subverted DropCam.
Patrick Wardle is Director of Research at Synack, where he leads Research and Development efforts. His current focus is on identifying emerging threats in OS X and mobile malware. In addition, Patrick is an experienced vulnerability and exploitation analyst and has found multiple exploitable 0days in major operating systems and popular client applications. In his limited spare time he writes iOS apps for fun (and hopefully one day, for profit). Patrick’s prior roles include security research work with VRL and the NSA.
Colby Moore is a Security Research Engineer at Synack where he focuses on identifying critical vulnerabilities in various products and services. Ever since setting eyes on a computer he has had a burning desire to hack anything in sight, but prefers to focus on where hardware and software meet. He has been involved in the computer security community for as long as he can remember and has identified countless 0-day vulnerabilities in embedded systems, major social networks, and consumer devices. Some might say Colby has an unhealthy obsession for spontaneous adventure, things that go fast, and the occasional mischief.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Bulygin-Bazhaniul-Furtak-Loucaides/DEFCON-22-Bulygin-Bazhaniul-Furtak-Loucaides-Summary-of-attacks-against-BIOS-UPDATED.pdf
Summary of Attacks Against BIOS and Secure Boot
Yuriy Bulygin CHIEF THREAT ARCHITECT, INTEL SECURITY
Oleksandr Bazhaniuk SECURITY RESEARCHER, INTEL SECURITY
Andrew Furtak SECURITY RESEARCHER, INTEL SECURITY
John Loucaides SECURITY RESEARCHER, INTEL SECURITY
A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as secure boot, OS loaders, and SMM. Windows 8 Secure Boot provides an important protection against bootkits by enforcing a signature check on each boot component. This talk will detail and organize some of the attacks and how they work. We will demonstrate a full software bypass of secure boot. In addition, we will describe underlying vulnerabilities and how to assess systems for these issues using chipsec (https://github.com/chipsec/chipsec), an open source framework for platform security assessment. We will cover BIOS write protection, forensics on platform firmware, attacks against SMM, attacks against secure boot, and various other issues. After watching, you should understand how these attacks work, how they are mitigated, and how to test a system for the vulnerability.
Yuriy Bulygin is a Chief Threat Architect. Over the past 8 years he has enjoyed analyzing the security of everything from OS to CPU microcode and hardware. He is now leading a security threat research team, advancing research in security threats to modern PC, mobile, and embedded platforms and protections. Twitter: @c7zero
Oleksandr Bazhaniuk is a security researcher and reverse engineer with a background in automation of binary vulnerability analysis. He is also a co-founder of DCUA, the first DEF CON group in Ukraine. Twitter: @ABazhaniuk
Andrew Furtak is a security researcher focusing on security analysis of firmware and hardware of modern computing platforms, and a security software engineer in the past. Andrew holds an MS in Applied Mathematics and Physics from the Moscow Institute of Physics and Technology.
John Loucaides is a security researcher who is currently focusing on responding to platform security issues. He has performed security analysis for a wide variety of targets from embedded systems to enterprise networks, developing repeatable methods for improving assurance.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Bathurst-Rogers-Carey-Clarke/DEFCON-22-Bathurst-Rogers-Carey-Clarke-PROPLANE.pdf

PropLANE: Kind of keeping the NSA from watching you pee

Rob Bathurst (EVILROB)
Russ Rogers (RUSSR)
Mark Carey (PHORKUS)
Ryan Clarke (L0STBOY)

No one likes to be watched, especially on the Internet. Your Internet…habits are only for you to know, not ISPs, hotels, government agencies, your neighbor, that creepy guy down the street with the cantenna, or anyone else. With your privacy in mind, we’ve combined two things every good hacker should have, a Propeller powered DEF CON badge (DC XX in our case) and a somewhat sober brain, to turn the DC badge (with some modifications) into an inline network encryption device. This modified badge, lovingly called the PropLANE, will allow you to keep your peer-to-peer network traffic away from the prying eyes of the aforementioned creepy guy down the street and impress all the cool hacker peoples of the gender you prefer.

Evilrob is a Security Engineer with over 13 years of experience with large network architecture and security engineering. His current focus is on network security architecture, tool development, and high-assurance encryption devices. He spends his waking moments contemplating new and terrible ways to make and break things as the Overlord of Engineering at Peak Security.

Phorkus is the starry eyed Chief Scientist of Peak Security, and a long time goon at DEF CON. He bends bits to his will, and dismays audiences with his whimsical narrations of physics, organic nutrition, and what it means to be god. He will amaze and astound. He's also very likely to confuse.

Russr is a security expert with over 20 years of experience, and has been an active member of the DEF CON community and staff for the past 17 years. He's the CEO and co-founder of Peak Security.

LosTboY is the puzzle master and badge lord for DEF CON. He's a coder, a hacker, and a fancy dresser. LosT is well known for his exploits, including the popular Mystery Box Challenge, and the amazing DEF CON badges.

site: www.peaksec.com
FB: https://www.facebook.com/pages/Peak-Security-Inc/195202587160074
Twitter: @PeakSec
Panel: Ephemeral Communications: Why and How?

Ryan Lackey, Founder, CryptoSeal, Inc.
Jon Callas, Silent Circle
Elissa Shevinsky, Glimpse
Possibly more to come.....

Ephemeral communications applications are increasingly popular ways, especially among younger users, to communicate online. In contrast to “once it’s on the Internet, it’s forever”, these applications promise to delete information rapidly, or to maintain anonymity indefinitely, lowering inhibitions to share sensitive or personal content. There are several types of these applications, as well as ephemeral or anonymous publication use of mainstream tools, with unique security features and general utility. Key people from the major ephemeral applications will debate where the market is, where it’s going, and how these systems can best balance user desires with technical and legal requirements.

Ryan Lackey, Founder of CryptoSeal, founded HavenCo, the world’s first offshore datahaven, and has worked as a defense contractor in Iraq and Afghanistan, at various technology startups, and is currently working on a secure hardware-based router for business travelers.

Jon Callas, CTO of SilentCircle, is co-founder of PGP Corporation and Silent Circle.

Elissa Shevinsky, Founder of Glimpse.
Panel - Diversity in Information Security

Jennifer Imhoff-Dousharm, Informatics student, co-organizer of theSummit, NCWIT affiliate member
Sandy “Mouse” Clark, Security Researcher and part-time PhD candidate
Kristin Paget
Jolly, Full time hacker
Vyrus, Independent Security Consultant
Scott Martin, CIO, Spikes Security

Discussion from the point of view of a diverse panel of leading representatives currently in or thinking of becoming part of the Information Security industry. This panel will give you insight into the evolutionary landscape of diversity in the hacking community. We will present statistical evidence showing the lack of sub-culture representation in the hacking community, and while these numbers have been decreasing we can still work to encourage cultural variance. By analyzing how diversity is critical to improving the information security industry we will explore positive approaches to encourage recruiting and retention of under-represented subcultures, removing unconscious biases and practices that discourage inclusiveness, and introduce the audience to a wide variety of existing support structures. There will be no witch hunt here, there will be no judgement, only information. All of this and more will be answered with open and honest dialogue into one of the most controversial issues currently within our community.

Jennifer Imhoff-Dousharm - Lil Jinni is currently a student of informatics and network security. She is a primary coordinator for Vegas 2.0 and co-founder/principal of the Cuckoo's Nest hacker space. She is an affiliate member of NCWIT and avid participant in many local women in tech groups. When not studying, planning theSummit fundraiser, or herding hackers, she spends her free cycles as a Curiosity Hacked guild leader and Kitchen OverLord contributor. Twitter: @lil_jinni

Sandy Clark (Mouse) is a security researcher and part-time PhD candidate in the Distributed Systems Lab at the University of Pennsylvania and is advised by Matt Blaze and co-advised by Jonathan Smith. Her research focuses on understanding the mechanisms involved in the computer security Arms Race, and in modeling the cyber-security eco-system. Early in her career, she wrote the back-up flight control computer for the US Air Force F-16 aircraft, and a gate-level software simulator for NASA. After several years as a sys-admin for Princeton University, she ended up in the hacker community. It was at a hackercon that someone introduced her to Matt Blaze and he invited her to come hang around his lab at Penn. Her first project was breaking wiretap systems and with its success and after much encouragement and mentoring, she got the courage to enroll as a student. It is taking much longer for her to get her degree than she thought (going back to school is hard as a grownup), but definitely worth it! Her broad experience, excessive curiosity and ability to make connections from many different areas is leading to some interesting new ways to think about systems security. She's still an active member of the hacker community and considers it one of her missions in life to bridge the gap between hackers and academia. Sandy can be reached at clarks@cis.upenn.edu or saender@cis.upenn.edu

Kristin Paget - Princess Kristin hacks hardware, software, networks, radios, people, the law, herself, and society - and she’s still getting warmed up. She’s been hacking things ever since she heard that POKE 35136,0 gave her infinite lives in Manic Miner, and she's truly thrilled to be returning to Def Con after taking a couple of years off the speaking circuit to de-anonymize her brain. Twitter: @KristinPaget

Jolly - Hacker, Photographer and conference addict. Jolly has previously been a back to back winner of Hacker Fortress. In the past 2 years he has not stayed in any one place more than 11 days. His team, Jolly and Friends, has won Capture the Flag. Avid health nut. Loves taking advantage of vendors' easy contests to win prizes at conferences. Twitter: @Jolly

Carl "Vyrus" Vincent is a self-proclaimed nerd who learned to build radios from his grandfather, a fellow nerd who worked in the aerospace industry. Carl first attended Def Con as a teenager and earned money doing small IT projects while still in high school. Today he is an independent security consultant. Twitter: @vyrus001

Scott Martin is currently CIO of Spikes Security and formerly the Director of Firewall Operations for Symantec Corporation. He works throughout the Silicon Valley advising various startups and is the Committee Chair for Donations and Community Outreach for Vegas 2.0.
DEF CON the Mystery, Myth and Legend Panel

It's hard to throw a stone these days without hitting a security/hacking conference. But, when every year the Las Vegas Metro SWAT Team stages for an interdiction of your convention, you know you have something "different". From crawling through Air Ducts to surreptitiously "acquiring" telco equipment, these are the stories of DEF CON you don't often hear about. The stories of yesteryear that not only helped shape DEF CON but also the people who make up today's hacker and infosec communities at large. DEF CON is the event that helped spawn a generation of hackers and changed the landscape of information security. So come join us for a trip down memory lane as we reveal some of the secrets and stories of what architected the mystery, myth and legend of the hacker community you see today... now that the statutes of limitation have passed.

Panel classified until further notice
Panel - Surveillance on the Silver Screen: Fact or Fiction?

Nicole Ozer, Technology and Civil Liberties Policy Director, ACLU of California
Kevin Bankston, Policy Director, New America Foundation's Open Technology Institute
Timothy Edgar, Fellow, Watson Institute for International Studies, Brown University

Join ACLU and others for a fun-filled surveillance tour of the movies - from Brazil to Bourne - to talk about what is still fiction and what is now fact. What is technologically possible? What is legal? And what is happening in the courts, Congress, and in companies and communities to reset the balance between government surveillance and individual liberties?

Kevin Bankston is the Policy Director of the New America Foundation's Open Technology Institute, where he works in the public interest to promote policy and regulatory reforms to strengthen communities by supporting open communications networks, platforms, and technologies, with a focus on issues of Internet surveillance and censorship. Prior to leading OTI's policy team, Kevin was a Senior Counsel and the Director of the Free Expression Project at the Center for Democracy & Technology. From that position, he spent two years advocating on a wide range of Internet and technology policy issues both international and domestic, most recently organizing a broad coalition of companies and civil society organizations to demand greater transparency around the US government's surveillance practices. Prior to joining CDT, he worked for nearly a decade at the Electronic Frontier Foundation, specializing in free speech and privacy law with a focus on government surveillance, Internet privacy, and location privacy. As a Senior Staff Attorney at EFF, he regularly litigated issues surrounding free expression and electronic surveillance, and was a lead counsel in EFF's lawsuits against the National Security Agency and AT&T, challenging the legality of the NSA warrantless wiretapping program first revealed in 2005. He received his JD at the University of Southern California Law School after receiving his BA at the University of Texas at Austin.

Timothy H. Edgar is a visiting fellow at the Institute and adjunct professor of law at the Georgetown University Law Center. His work focuses on the unique policy challenges posed by growing global cyber conflict, particularly in reconciling security interests with fundamental values, including privacy and Internet freedom. Mr. Edgar served under President Obama as the first director of privacy and civil liberties for the White House National Security Staff, focusing on cybersecurity, open government, and data privacy initiatives. From 2006 to 2009, he was the first deputy for civil liberties for the director of national intelligence, reviewing new surveillance authorities, the terrorist watchlist, and other sensitive programs. He has also been counsel for the information sharing environment, which facilitates the secure sharing of terrorism-related information. He has a JD from Harvard Law School, where he served on the Harvard Law Review, and an AB from Dartmouth College.

Nicole Ozer developed and has led the technology and civil liberties work for the ACLU in California since 2004. Nicole is a nationally recognized expert on issues at the intersection of consumer privacy and government surveillance and free speech and the Internet. Nicole developed Demand Your dotRights, ACLU's national online privacy campaign, and spearheaded the passage of both the first RFID and digital book privacy laws in the nation. Nicole is the author of numerous legal and policy publications, including Losing the Spotlight: A Study of California's Shine the Light Law, and Privacy & Free Speech: It's Good for Business, a primer of dozens of case studies and tips for baking safeguards into the business development process. Her most recent law review article, Putting Online Privacy Above the Fold: Building a Social Movement and Creating Corporate Change, was published by the NYU Review of Law & Social Change in 2012. Nicole graduated magna cum laude from Amherst College, studied comparative civil rights history at the University of Cape Town, South Africa, and earned her J.D. with a Certificate in Law and Technology from Boalt Hall School of Law, University of California Berkeley. Nicole blogs at www.aclunc.org/tech and tweets @nicoleozer.
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Nemus/DEFCON-22-Lance-Buttars-Nemus-Intro-to-backdooring-OS.pdf

An Introduction to Back Dooring Operating Systems for Fun and Trolling

Nemus, Security Researcher

So you want to set up a back door? Have you ever wondered how it's done and what you can do to detect back doors on your network and operating systems? Ever wanted to set up a back door to prank a friend? This presentation will do just that. We will go over the basics of back doors using SSH, Netcat, Meterpreter and embedding back doors into custom binaries, along with the logistics of accessing them after they are in place.

Nemus is a security enthusiast at night and spends his days working in the payment card industry developing RESTful APIs for bill pay using cash payments. Lance works with open source systems, and enjoys setting up and hardening Linux systems. He has over 11 years of experience working in information technology focusing on system administration and software development and has begun to focus his career on information security. He developed a love for security at Salt Lake Community College after being immersed into it by his professors. Nemus helped found the Defcon 801 hackerspace and currently holds a position on the board of directors for 801 Labs, which is the corporation that runs the DC801 hackerspace located in downtown Salt Lake City. Twitter: @Lost_Nemus
David Kennedy - Destroying Education and Awareness Programs
The Dark Tangent and Ryan Clarke "LosT" Welcome to DEF CON and discuss the making of the DEF CON 22 Badge.
Secure Random By Default

Dan Kaminsky, Chief Scientist, White Ops

As a general rule in security, we have learned that the best way to achieve security is to enable it by default. However, across operating systems and languages, random number generation is always exposed via two separate and most assuredly unequal APIs -- insecure and default, and secure but obscure. Why not fix this? Why not make JavaScript and PHP and Java and Python and even libc rand() return strong entropy? What are the issues stopping us? Should we just shell back to /dev/urandom, or is there merit to userspace entropy gathering? How do fork() and virtualization impact the question? What of performance, and memory consumption, and headless machines? Turns out the above questions are not actually rhetorical. Just because a change might be a good idea doesn't mean it's a simple one. This will be a deep dive, but one that I believe will actually yield a fix for the repeated *real world* failures of random number generation systems.

Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft. Dan spent three years working with Microsoft on their Vista, Server 2008, and Windows 7 releases. Dan is best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet’s infrastructure of all time. Of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Heres-Etemadieh-Baker-Nielsen/DEFCON-22-Heres-Etemadieh-Baker-Nielsen-Hack-All-The-Things.pdf

Hack All The Things: 20 Devices in 45 Minutes

CJ Heres, Security Consultant
Amir Etemadieh, Security Researcher at Accuvant LABS
Mike Baker, Co-Founder, OpenWrt
Hans Nielsen, Senior Security Consultant at Matasano

When we heard “Hack All The Things,” we took it as a challenge. So at DEF CON this year we’re doing exactly that, we’re hacking everything. We’ve taken all of our previous experience exploiting embedded devices and used it to bring you a presentation filled with more exploits than ever before™. This presentation will feature exploits for over 20 devices including but not limited to TVs, baby monitors, media streamers, network cameras, home automation devices, and VoIP gateways. Gain root on your devices, run unsigned kernels; it’s your hardware, it’s internet connected, and it’s horribly insecure. We will also be following last year’s tradition of handing out free hardware to assist the community in rooting their devices. This year we will have a select number of eMMC adapters for presentation attendees.

Amir Etemadieh (@zenofex) is a Research Scientist on the R&D team at Accuvant LABS. Amir founded the GTVHacker group which has released public exploits for every device within the Google TV platform as well as multiple other non-Google TV devices including The Roku Media Player and The Google Chromecast. Prior to starting GTVHacker, Amir conducted independent research on a long list of consumer devices and is currently listed on multiple "Security Hall of Fame" pages for successfully completing bug bounties.

CJ Heres (@cj_000) is an IT systems manager and security consultant who works with a simple philosophy: using a simple approach, one can solve most complex problems. CJ's recent work has been heavily focused on consumer electronics including Blu-Ray players, thermostats, Smart TVs, media streaming devices such as the Roku and Google TV, DVRs, and everything in between. CJ has previously spoken at DEF CON 20 and 21, as well as B-Sides Boston 2013.

Mike Baker (@gtvhacker) (AKA [mbm]) is a firmware developer, better known as the Co-Founder behind OpenWrt. He hacks stuff.

Hans Nielsen (@n0nst1ck) is a security wizard at Matasano Security. When he isn't busy protecting your in-house and external applications from evil, he enjoys writing software, hacking apart consumer electronics, and designing prototype boards. Hans is a tinkerer at heart with an ability to quickly reverse and/or design hardware and software through whatever means necessary.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Mortman/DEFCON-22-Fail-Panel-Defcon-Comedy-Jam-VII.pdf

DEF CON Comedy Jam Part VII, Is This The One With The Whales?

David Mortman @MORTMAN
Rich Mogull @RMOGULL
Chris Hoff @BEAKER
Dave Maynor @ERRATADAVE
Larry Pesce @HAXORTHEMATRIX
James Arlen @MYRCURIAL
Rob Graham @ERRATAROB
Alex Rothman Shostack @ARS_INFOSECTICA

Weeeeeeeeee're baaaaaack. Bring out your FAIL. It's the most talked about panel at DEF CON! A standing room only event with a wait list at the door. Nothing is sacred, not the industry, not the audience, not even each other. Last year we raised over $2000 for the EFF and over $5000 over the last 5 years, let's see how much we can raise this year....

David Mortman is the Chief Security Architect and Distinguished Engineer at Dell Enstratius and is a Contributing Analyst at Securosis. Before enStratus, he ran operations and security for C3. Formerly the Chief Information Security Officer for Siebel Systems, Inc. Previously, Mr. Mortman was Manager of IT Security at Network Associates. Mr. Mortman has also been a regular panelist and speaker at RSA, Blackhat, DEF CON and BruCon as well. Mr. Mortman sits on a variety of advisory boards including Qualys, Lookout and Virtuosi. He holds a BS in Chemistry from the University of Chicago. David writes for Securosis, Emergent Chaos and the New School blogs.

James Arlen, CISA, is a senior consultant at Leviathan Security Group providing security consulting services to the utility, healthcare and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for over 20 years. James is also a contributing analyst with Securosis, faculty at IANS and a contributor to the Liquidmatrix Security Digest. Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.

Larry is a Senior Security Analyst with InGuardians performing penetration testing, wireless assessments, and hardware hacking. He also diverts a significant portion of his attention co-hosting the Paul's Security Weekly podcast and likes to tinker with all things electronic and wireless, much to the disappointment of his family, friends, warranties, and his second Leatherman Multi-tool. Larry is an Extra Class Amateur Radio operator (KB1TNF) and enjoys developing hardware and real-world challenges for the Mid-Atlantic Collegiate Cyber Defense Challenge.
Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Valtman/DEFCON-22-Nir-Valtman-Bug-Bounty-Programs-Evolution.pdf
Extra Materials are available here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Valtman/DEFCON-22-Nir-Valtman-Extras-Bug-Bounty-Programs-Evolution.zip

Bug Bounty Programs Evolution

Nir Valtman, Enterprise Security Architect

Bug bounty programs have been hyped in the past 3 years, but this concept was actually widely implemented in the past. Nowadays, we can see big companies spending a lot of money on these programs, while understanding that this is the right way to secure software. However, there are lots of black spots in these programs which most of you are not aware of, such as dealing with black hat hackers, the ability to control the testers, etc. Hence, this presentation explains the current behaviors around these programs and predicts what we should see in the future.

Nir is employed by NCR Corporation as Enterprise Security Architect of NCR Retail, and also works as co-founder and CTO in his start-up company, Crowdome. Before the acquisition of Retalix by NCR, Nir was the Chief Security Officer of R&D in the company. As part of his previous positions in the last decade, he has worked as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant and a Technological Trainer. While in these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing, and development for personal/internal applications. In addition, Nir released an open source anti-defacement tool called AntiDef and has written a publication about QRbot, an iPhone QR botnet POC he developed. Nir has a BSc in computer science, but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Valtman/DEFCON-22-Nir-Valtman-A-Journey-To-Protect-POS-UPDATED.pdf

A Journey to Protect Points-of-sale

Nir Valtman, Enterprise Security Architect, NCR Retail

Many point-of-sale breaches occurred in the past year and many organizations are still vulnerable against the simplest exploits. In this presentation, I explain how points-of-sale get compromised from both the retailer’s and the software-vendor’s perspective. One of the most common threats is memory scraping, which is a difficult issue to solve. Hence, I would like to share with you a demonstration of how it works and what can be done in order to minimize this threat. During this presentation, I will explain the long journey that took me to understand how to mitigate it, while walking through the concepts (not exposing vendor names) that don’t work and those that can work.

Nir is employed by NCR Corporation as Enterprise Security Architect of NCR Retail, and also works as co-founder and CTO in his start-up company, Crowdome. Before the acquisition of Retalix by NCR, he was Chief Security Officer of R&D in the company. As part of his previous positions in the last decade, he worked as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant and a Technological Trainer. During these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing and development for personal/internal applications. In addition, Nir released an open source anti-defacement tool called AntiDef and has written a publication about QRbot, an iPhone QR botnet POC he developed. Nir has a BSc in computer science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities.
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Schrenk/DEFCON-22-Mike-Schrenk-Youre-Leaking-Trade-Secrets-UPDATED.pdf

You're Leaking Trade Secrets

Michael Schrenk, Business Intelligence Specialist

Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.

Michael Schrenk is an online Business Intelligence Specialist, who has developed industrial webbots and botnets for the past twenty years. He is a five-time DEFCON speaker, including last year's talk, “How my Botnet Purchased Millions of Dollars in Cars and defeated the Russian Hackers”. Mike is also the author of “Webbots, Spiders, and Screen Scrapers”, 2nd Edition (2012, No Starch Press, San Francisco).
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Ossman/DEFCON-22-Michael-Ossmann-Pierce-Toorcamp.pdf
Extra materials available here: https://defcon.org/images/defcon-22/dc-22-presentations/Ossman/DEFCON-22-Michael-Ossmann-CONGAFLOCK-schematic.pdf

The NSA Playset: RF Retroreflectors

Michael Ossmann, Great Scott Gadgets

Of all the technologies revealed in the NSA ANT catalog, perhaps the most exotic is the use of RF retroreflectors for over-the-air surveillance. These tiny implants, without any power supply, transmit information intercepted from digital or analog communications when irradiated by radio signals from an outside source. This modern class of radar eavesdropping technology has never been demonstrated in public before today. I've constructed and tested my own RF retroreflectors, and I'll show you how they work and how easy they are to build with modest soldering skills. I'll even bring along some fully assembled units to give away. Now you can add RF retroreflectors to your own NSA Playset and play along with the NSA!

Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and Daisho projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.