Podcasts about DEF CON

  • 13 podcasts
  • 112 episodes
  • 1h 14m average duration
  • Infrequent episodes
  • Latest: Sep 19, 2024

Latest podcast episodes about DEF CON

Critical Thinking - Bug Bounty Podcast
Episode 89: The Untapped Bug Bounty Landscape of IoT w/ Matt Brown

Critical Thinking - Bug Bounty Podcast

Sep 19, 2024 · 118:03


Episode 89: In this episode of Critical Thinking - Bug Bounty Podcast we're joined live by Matt Brown to talk about his journey with hacking in the IoT. We cover the specializations and challenges in hardware hacking, and Matt's personal methodology. Then we switch over to touch on BGA Reballing, Certificate Pinning and Validation, and some of his own bug stories.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder
Today's Guest Matt Brown: https://x.com/nmatt0

Resources:
Decrypting SSL to Chinese Cloud Servers: https://www.youtube.com/watch?v=3qSxxNvuEtg
mitmrouter: https://github.com/nmatt0/mitmrouter
certmitm - Automatic Exploitation of TLS Certificate Validation Vulns: https://www.youtube.com/watch?v=w_l2q_Gyqfo and https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities.pdf
https://github.com/aapooksman/certmitm
HackerOne Detailed Platform Standards: https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards

Timestamps:
(00:00:00) Introduction
(00:13:33) Specialization and Challenges of IoT Hacking
(00:33:03) Decrypting SSL to Chinese Cloud Servers
(00:47:00) General IoT Hacking Methodology
(01:26:00) Certificate Pinning and Certificate Validation
(01:34:35) BGA Reballing
(01:43:26) Bug Stories

SecurityCast
Security beyond the border: Addressing protection in the Cloud and Containers?

SecurityCast

Aug 29, 2023 · 66:22


Become a member of this channel and get benefits: https://www.youtube.com/channel/UCTEAZTTJ69yatuMd70k2Wow/join

Enter a universe of limitless digital protection with SecurityCast! In our latest episode, we dive into the deep waters of cloud and container security, unveiling foolproof strategies to safeguard your most precious data. Join us on this exciting technological journey as we explore the secrets, challenges and solutions that shape the modern cybersecurity landscape. Get ready to strengthen your digital defenses and navigate with confidence in the era of cloud computing and containers. Tune in to SecurityCast and stay one step ahead of digital threats. Your security is our number one priority! Get ready for a heated debate, with top-level experts sharing their perspectives on cloud security and its real impact on cybersecurity. Join us on the next SecurityCast!

#SecurityCast #InfoSec #segurancaemnuvem #SegurançaCibernética #ProteçãoReal #cloudsecurity #ViolacõesDeSegurança #Conformidade #DadosDigitais #Cibersegurança #DilemaÉtico #EficáciaEmInfoSec #Regulamentações #DebateAcalorado #SegurançaDigital #CyberSecurity #TechPodcast #SegurançaDeDados #InfoSecPodcast

Our links - https://linktr.ee/seccast
Website - http://securitycast.com.br/
Largest Portuguese-language security discussion group - https://t.me/SecCastOficial

Sources for the stories and news:
- https://techcrunch.com/2023/08/25/moveit-mass-hack-by-the-numbers/
- https://www.cisoadvisor.com.br/hackers-invadem-app-espiao-brasileiro-e-fazem-76-mil-vitimas/
- https://www.darkreading.com/dr-tech/nist-publishes-first-draft-standards-for-post-quantum-cryptography
- https://www.uol.com.br/tilt/noticias/redacao/2023/08/09/ia-consegue-decifrar-senhas-apenas-ouvindo-som-das-teclas-sendo-digitadas.htm

Additional links:
- CALL NOTICE - 2023 VOTING MACHINE PUBLIC TEST (EDITAL DE CONVOCAÇÃO - TESTE DA URNA 2023) - https://www.justicaeleitoral.jus.br/tps/#edicao-2023
- An Attacker Looks at Docker: Approaching Multi-Container Applications - https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Wesley%20McGrew/DEFCON-26-Wesley-McGrew-An-Attacker-Looks-at-Docker-WP.pdf
- Presentation slides - https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Wesley%20McGrew/DEFCON-26-Wesley-McGrew-An-Attacker-Looks-at-Docker.pdf
- Link to the Cisco program https://skillsforall.com/
- Link to VeraCrypt - https://www.veracrypt.fr/code/VeraCrypt/

Adafruit Industries
The Great Search: Bluetooth LE Modules with nRF5 Chipset

Adafruit Industries

May 30, 2023 · 10:39


This week we've been doing some more toy hacking on a 2017 edition Teddy Ruxpin (https://en.wikipedia.org/wiki/Teddy_Ruxpin) - this toy has a SONIX SN7001 plus an nRF51 module (https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/DEFCON-26-Amir-Etemadieh-Zenofex-Dissecting-Teddy-Ruxpin-Reverse-Engineering-the-Smart%20Bear.pdf) for the Bluetooth LE connectivity to an app. Why not an all-in-one BLE chipset? Well, perhaps nowadays you'd be able to run the whole thing off of an nRF52 or nRF53, but at the time the SONIX chip was probably a well-trod core for many toys, with a ready-to-go SDK and a Cortex M4 for audio / graphics handling, and the nRF51 was one of the only reliable BLE chips available. You may also want to add BLE to an existing design; DigiKey has lots of BLE modules that you can use either standalone or as a 'BLE friend forever' - a.k.a. BFF! Let's check out what's available for your modulating needs. See on DigiKey at https://www.digikey.com/short/bbw04mfh

Firewalls Don't Stop Dragons Podcast
Understanding Hackers & Hacking

Firewalls Don't Stop Dragons Podcast

Aug 11, 2021 · 91:53


What is a hacker, exactly? What does it mean to hack something? With all the ransomware attacks and election meddling in the headlines, it's easy to paint all hackers with a broad brush as malicious, self-serving computer criminals. And to be clear, many computer criminals are definitely hackers (some aren't). But the real definition of hacker, the original notion of hacking itself, is something quite different. Nowhere is this more evident than at DEFCON, one of the world's largest hacking conferences. I've been wanting to go to DEFCON for many years, but finally made my pilgrimage to Las Vegas this year for DEFCON 29. My goal was to document first hand, not just the conference, but the culture and the hackers themselves. Because unlike most trade conferences, DEFCON is really about the attendees and the betterment of their craft. Today's show is a non-technical exploration of what it means to be a hacker and why you might aspire to be one yourself.

Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
DEFCON 29: https://defcon.org/html/defcon-29/dc-29-index.html
DEFCON 29 media: https://media.defcon.org/DEF%20CON%2029/
Making the DEF CON 29 Badge: https://www.youtube.com/watch?v=H3kdq40PY3s
Soundtrack: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20music/
Preparing for Hacker Summer Camp: https://theplaceboeffects.wordpress.com/2019/07/13/preparing-for-hacker-summer-camp/
Hack-A-Day badge article: https://hackaday.com/2021/08/05/hands-on-def-con-29-badge-embraces-the-new-normal/
DC Tin Foil Hat: @DC_Tin_Foil_Hat (Twitter)
Hackerboxes.com: https://hackerboxes.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Generate secure passphrases! https://d20key.com/#/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker

Iron Sysadmin Podcast
Episode 86 - Defcon!

Iron Sysadmin Podcast

Aug 28, 2020 · 162:24


Welcome to Episode 86 https://youtu.be/AfqNlL4vkhI

Main Topic: Defcon with jscar, BiaSciLab and HEAV
Have you ever gone to DEFCON? What have you heard about DEFCON?
DEFCON 28 Safe Mode https://www.defcon.org/html/defcon-safemode/dc-safemode-index.html
DEFCON Discord https://discord.com/invite/defcon
Linecon

Presentations
DEFCON 28 Most Talked about Presentations
BiaSciLab "Don't go Postal over Mail In Ballots" Biascilab.com/past-talks
DEF CON Safe Mode - James Pavur - Whispers Among the Stars https://www.youtube.com/watch?v=ku0Q_Wey4K0
For $300 in hardware you too can listen in to satellite traffic

A Few Talks from Co-Workers
DEF CON Safe Mode Hardware Hacking Village - Federico Lucifredi - Hardware Hacking 101 https://www.youtube.com/watch?v=qAxJBx8GiN0&feature=emb_title
Will try to find the videos for CRob
99% of the Presentations are online already, available on YouTube or as a torrent https://media.defcon.org/DEF%20CON%2028/

Contests
Secure Open Vote election reporting system was LIVE all of DEF CON. No one was able to change election results.

Wrap up
Should I be afraid of going to DEF CON? Yes - People will eat you if you don't wear black
What do I need to do to attend DEF CON? "Burner Phone" - HEAV

Announcements
Patreon Update - New Patrons: Robert Matt David S0l3mn Erwin Trooper_Ish LinuXsys666 gimpyb Ryan Mark DeMentor PowerShellOnLinux.com Jon Marc Julius Andi J Charles 22532
Get your Iron Sysadmin Merch at Teespring! https://teespring.com/stores/ironsysadmin
More info on live@Manning Rust Conf: http://mng.bz/8G1w
More info on live@Manning Women in Tech Conf: http://mng.bz/EElO

Reviews

Chat
[nate] RHCE8 exam on Monday... Using the following practice exam: https://www.lisenet.com/2019/ansible-sample-exam-for-ex407/
[unclemarc] The boy goes to Stevens this Saturday. Also, he handed in his Eagle Application today. Youngest daughter & chemistry & AWS https://en.wikipedia.org/wiki/GROMACS
In a "solo/co-op" boardgame mood lately https://boardgamegeek.com/boardgame/182340/star-trek-frontiers https://photos.app.goo.gl/sNph2TF9F9SU2km77 https://boardgamegeek.com/boardgame/96848/mage-knight-board-game
I'm now a dirty dirty hippy using Brave
[jscar] How to use a Raspberry Pi as a Network Sensor - Bill Stearns https://www.youtube.com/watch?v=vja_H59fh1I https://activecountermeasures.com/raspberry_pi_sensor/
[HEAV] SecureOpenVote.com @secureopenvote

News
If Privacy Dies in VR, It Dies in Real Life https://www.eff.org/deeplinks/2020/08/if-privacy-dies-vr-it-dies-real-life
The Sounds a Key Makes Can Produce a 3D-Printed Replica https://threatpost.com/the-sounds-a-key-make-can-produce-3d-printed-replica/158457/
https://www.computerworld.com/article/3572404/zooms-outage-causes-chaos-especially-for-educators-teachers.html
https://www.cnet.com/news/mozilla-firefox-daylight-browser-for-android-is-out-here-are-5-reasons-to-try-it/
https://www.theverge.com/21401280/android-101-location-tracking-history-stop-how-to
https://www.privacytools.io/
https://www.privacytools.io/operating-systems/#mobile_os
https://inteltechniques.com/
Andyomail says thanks for the entertainment tonight from Element

Watch us live on the 2nd and 4th Thursday of every month! Subscribe and hit the bell! https://www.youtube.com/IronSysadminPodcast OR https://twitch.tv/IronSysadminPodcast
Matrix Community: https://matrix.to/#/+ironsysadmin:trixie.undrground.org
Find us on Twitter, and Facebook! https://www.facebook.com/ironsysadmin https://www.twitter.com/ironsysadmin
Subscribe wherever you find podcasts! And don't forget about our patreon! https://patreon.com/ironsysadmin
Intro and Outro music credit: Tri Tachyon, Digital MK 2 http://freemusicarchive.org/music/Tri-Tachyon/

Hacked Off
028. An Intro: Election Security

Hacked Off

Aug 15, 2019 · 32:22


In 2016 it was reported that the Russian government targeted the US election system, and whilst there wasn't any evidence that votes were tampered with, they could have changed data or even deleted voters. With the start of the US presidential 2020 election campaigns, we take a look at why you'd want to hack an election and the pros and cons of online voting.

Key points:
1'00 Why would you want to hack an election?
4'13 The challenges of online voting
8'34 The 'public intrusion test' on the Swiss Government's voting system
15'02 The benefits of online voting
17'24 Electronic voting machines
22'32 The Mueller Report - Russian interference in the 2016 presidential election
27'29 The pros and cons of paper ballots

Useful links:
Demystifying Tech Podcast: Will the UK ever get to vote electronically? - https://www.businesscloud.co.uk/podcasts/will-the-uk-ever-get-to-vote-electronically
Defcon report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure - https://www.defcon.org/images/defcon-25/DEF%20CON%2025%20voting%20village%20report.pdf

Download on iTunes: apple.co/2Ji61Ek
Listening time: 32 minutes
For more information, follow us on Twitter @secarma or email us at podcast@secarma.com
Hosted by: Holly Grace Williams, Technical Director at Secarma

Notes From The Electronic Cottage | WERU 89.9 FM Blue Hill, Maine Local News and Public Affairs Archives

Producer/Host: Jim Campbell

Here are links to two reports discussed on today's program. Both are really important and worth a read for us all, but especially for those concerned about our democracy – and those concerned about their children:
defcon.org/images/defcon-26/DEF%20CON%2026%20voting%20village%20report.pdf
www.ic3.gov/media/2018/180913.aspx

The post Notes from the Electronic Cottage 10/4/18 first appeared on WERU 89.9 FM Blue Hill, Maine Local News and Public Affairs Archives.

Kacper Szurek
Szurkogadanie #7

Kacper Szurek

Aug 27, 2018 · 10:25


Security news in a concise form. In this episode: the man-in-the-disk attack on Android, a new object injection attack in PHP, and what WAP billing is.
Also available at: https://anchor.fm/kacperszurek/
Based on: https://zaufanatrzeciastrona.pl/post/weekendowa-lektura-odcinek-276-2018-08-18-bierzcie-i-czytajcie/
0:38 https://www.bleepingcomputer.com/news/security/mozilla-removes-23-firefox-add-ons-that-snooped-on-users/
1:43 https://security.googleblog.com/2018/08/expanding-our-vulnerability-reward.html
2:30 https://arstechnica.com/information-technology/2018/08/macos-user-warnings-are-trivial-for-malware-to-suppress-and-bypass/
3:33 https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/
4:23 https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Slava%20Makkaveev/DEFCON-26-Slava-Makkaveev-Man-In-The-Disk.pdf
More at: https://www.youtube.com/watch?v=lmr1aIHmxA8

SDCast
SDCast #69: guest Mike Belopuhov, OpenBSD developer

SDCast

Dec 13, 2017 · 189:41


Everything you wanted to know about OpenBSD, and a great deal more, awaits you in the 69th episode of SDCast! My guest is Misha Belopuhov, an OpenBSD developer. Misha began by telling how he himself got acquainted with OpenBSD, how he started studying operating systems, and how his interest unexpectedly turned into quite well-paid work :) Misha adapted OpenBSD to run on various hardware and in various environments, including virtual ones, so he ported a number of device drivers. Misha told interesting stories from his porting experience, how various drivers work, and the mechanisms of interaction with the hardware and the OS kernel. We also discussed the OpenBSD operating system as a whole: how it is structured, what principles it is built on, and how the system kernel, drivers and user-space code work. We discussed questions of security and hardening, both of the OS itself and of application code running on the system. OpenBSD is known for its slogan "Secure by Default" and for the great attention paid to security matters. Misha talked about the various security subsystems used in OpenBSD, such as:
* Kernel address space randomization, KARL (Kernel Address Randomized Link)
* Address space layout randomization, ASLR
* strlcpy() and strlcat() - non-standard functions created as replacements for frequently misused standard library counterparts
* fork+exec, PIE, pledge and others.
Separately we talked about cryptographic algorithms, ways of implementing them using the capabilities of modern processors such as SIMD, and their use in SSH and SSL.

Links to resources on the episode's topics:
* Mike's talk "Implementation of Xen PVHVM drivers in OpenBSD" at BSDCan (video (https://www.youtube.com/watch?v=GWwhgIPdKH0), slides (https://www.openbsd.org/papers/bsdcan2016-xen.pdf))
* Theo de Raadt's talk on Pledge at EuroBSDCon 2017 (video (https://www.youtube.com/watch?v=FzJJbNRErVQ), slides (https://www.openbsd.org/papers/eurobsdcon2017-pledge.pdf))
* Theo de Raadt's talk "arc4random - randomization for all occasions" at Hackfest 2014 (video (https://www.youtube.com/watch?v=aWmLWx8ut20), slides (https://www.openbsd.org/papers/hackfest2014-arc4random/index.html))
* Ilja van Sprundel's talk "Are all BSDs created equally? A survey of BSD kernel vulnerabilities" at DEF CON (video (https://www.youtube.com/watch?v=1j1UaLsPv3k), slides (https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf))
* Article comparing the security of OpenBSD and FreeBSD (https://networkfilter.blogspot.ru/2014/12/security-openbsd-vs-freebsd.html)
* Slides "Security features in the OpenBSD operating system (https://homepages.laas.fr/matthieu/talks/min2rien-openbsd.pdf)" by Matthieu Herrb
* Description of ASLR by the PaX Team (https://pax.grsecurity.net/docs/aslr.txt)
* Note "KASLR: An Exercise in Cargo Cult Security" (https://forums.grsecurity.net/viewtopic.php?f=7&t=3367&sid=c757c2f8e8db817dabb7b7c501156fc0) by Brad "spender" Spengler
* Video of Mike's talk "OpenBSD: Where is crypto heading?" (https://events.yandex.ru/lib/talks/1489/)
* Post "AES timing attacks on OpenSSL (https://access.redhat.com/blogs/766093/posts/1976303)" by Redhat
* Whitepaper "Cache Games – Bringing Access-Based Cache Attacks on AES to Practice (https://eprint.iacr.org/2010/594.pdf)"
* 130+ vulnerabilities in tcpdump (https://www.cvedetails.com/vulnerability-list/vendor_id-6197/Tcpdump.html)
* The book "The Design and Implementation of the 4.4BSD Operating System" by Marshall Kirk McKusick et al. The second chapter is available for free (https://www.freebsd.org/doc/en/books/design-44bsd/index.html).

Liked the episode? Support the podcast on patreon.com/KSDaemon (https://www.patreon.com/KSDaemon), and also with a retweet, a post, or simply by telling your friends!

Hackerfunk
HF-111 - Phishing, Abuse and so on

Hackerfunk

Mar 22, 2017 · 124:40


Axel has a new job in which he tries to track down and pursue phishers, blackhats and the like, and tells a bit about it on Hackerfunk, as far as he is able to.

Tracklist
Dirtyphonics – Anonymous
Kepler – Melody
Heydevils – AOHell
Barcelona – I have the password to your

Have I been pwned :: Check if your account is compromised
Geocreepy :: Geolocation OSINT Tool
XKCD 936 :: Password strength
Report Phishing :: Switch phishing reporting form
MELANI :: Anti-phishing reporting office of BAKOM
KOBIK :: Swiss Coordination Unit for Cybercrime Control
Google Safebrowsing :: Report malicious websites (Malware) to Google
APWG :: Report Phishing
Phishtank :: Report Phishing
WHOIS :: Look up information on domains
Team CYMRU :: Internet Security Research and Insight
Virus Total :: Submit suspicious files for analysis
Virusscan :: Jotti's Malware Scanner
Email Headers :: Email Header Analyzer
Email Blacklists :: Email Blacklist Checker
Email Blacklists :: Mail blacklist monitoring scripts
CPAN Modul Net::Abuse :: Perl module Net::Abuse from CPAN
Python module :: Python module for abuse handling
DNS Diag :: DNS Diagnostics and Performance Measurement Tools
Bruce Schneier :: Stop trying to fix the user!
Response policy zone :: Response policy zone

File Download (124:40 min / 123 MB)

Gordon And Mike's ICT Podcast
Hacking Car Anti-collision Systems [19:08]

Gordon And Mike's ICT Podcast

Aug 28, 2016 · 19:09


Hacking Car Anti-collision Systems, August 28, 2016

A group of researchers presenting at this month's Def Con hacker conference showed how they were able to trick Tesla's sophisticated anti-collision sensors to make a car hit an object it would normally detect in its path.

Before we start on the cars – you went to Def Con this year Mike – how was it?

So let's get to the cars now – who did this research?
The group consisted of Chen Yan, a PhD student at Zhejiang University, Jianhao Liu, a senior security consultant at Qihoo 360, and Wenyuan Xu, a professor at Zhejiang University and The University of South Carolina.

So can you give a quick overview of what they did?
They discovered methods for "quieting" sensors to diminish or hide obstacles in a car's path, "spoofing" them to make an object appear farther or closer than it actually is, and jamming, which, Yan said, renders the sensor useless as it's "overwhelmed by noise."

Could this be done now? I mean, if someone is driving a Tesla or any other car with this kind of sensor technology, should they be concerned?
It's important to note that the demonstration was a proof-of-concept that did not mimic real-world conditions today. Researchers were working on cars that were usually stationary with what was sometimes very expensive equipment. They noted that the "sky wasn't falling." But the experiment suggests that theoretically, a few years from now, somebody could make a device that could jam certain sensors in a nearby car.

Can you talk about these sensors a little more?
There are a number of sensors on a Tesla Model S that are used for a variety of functions. It has radar to detect objects in front of it, GPS for location tracking, and cameras to detect speed limit signs and lane markings, for example. As the talk showed, many of these things can be tricked by a determined attacker.

Is it just Tesla people need to be concerned about?
Much of their presentation focused on the Tesla Model S, but they also successfully jammed sensors on cars from Audi, Volkswagen, and Ford.

So what kinds of systems were they jamming?
- Cars with ultrasonic sensors
- Cars with parking assistance
- The Tesla Model S with self-parking and summon

Let's talk a little more about what they were able to demonstrate.
In a video demonstrating an attack, the researchers jammed sensors in the rear of the Model S, so the car did not know it was about to hit a person standing behind it. In another, they "spoofed" its Autopilot to trick it into thinking it would drive into something that was not actually there.

You mentioned they talked about using lasers – can you give any details?
They also used off-the-shelf lasers to defeat the onboard cameras, and, in one of the most low-tech demonstrations, they wrapped objects up in cheap black foam that rendered them invisible to the car's sensors.

What kind of feedback did they get from the manufacturers?
Yan said after the talk that Tesla reacted positively when they disclosed their research, and it was researching ways to mitigate these types of attacks. "They appreciated our work and are looking into this issue," he said.

So, in summary, what are the auto makers concerned about after this presentation?
- Realistic issues of automotive sensor security
- Big threat to autonomous vehicles (present and future)
- Attacks on ultrasonic sensors
- Attacks on Millimeter Wave (MMW) Radars
- Attacks on cameras
- Attacks on self-driving cars

Where can people get the full Def Con presentation?
It's available at Def Con's website https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Liu-Yan-Xu-Can-You-Trust-Autonomous-Vehicles.pdf

Reference: http://www.businessinsider.com/defcon-tesla-jamming-spoofing-autopilot-2016-8

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Using File Entropy to Identify "Ransomwared" Files https://isc.sans.edu/forums/diary/Using+File+Entropy+to+Identify+Ransomwared+Files/21351/
Bypassing Windows Digital Signatures https://www.blackhat.com/docs/us-16/materials/us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digitally-Signed-Executable-wp.pdf
Quadrooter Android Vulnerability http://blog.checkpoint.com/2016/08/07/quadrooter/
Defcon Slides Online https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/
Philips Hue Exploit (Video) http://colinoflynn.com/wp-content/uploads/2016/08/us-16-OFlynn-A-Lightbulb-Worm-wp.pdf

DEF CON 23 [Audio] Speeches from the Hacker Convention
Rob Bathurst (evilrob) & Jeff Thomas (xaphan) - Canary: Keeping Your Dick Pics Safe(r)

DEF CON 23 [Audio] Speeches from the Hacker Convention

Nov 2, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Evilrob-Xaphan-TLS-Canary-Keeping-Your-Dick-Pics-Safer.pdf

Canary: Keeping Your Dick Pics Safe(r)
Rob Bathurst (evilrob), Security Engineer and Penetration Tester
Jeff Thomas (xaphan), Senior Cyber Security Penetration Testing Specialist

The security of SSL/TLS is built on a rickety scaffolding of trust. At the core of this system is an ever growing number of Certificate Authorities that most people (and software) take for granted. Recent attacks have exploited this inherent trust to covertly intercept, monitor and manipulate supposedly secure communications. These types of attack endanger everyone, especially when they remain undetected. Unfortunately, there are few tools that non-technical humans can use to verify that their HTTPS traffic is actually secure. We will present our research into the technical and political problems underlying SSL/TLS. We will also demonstrate a tool, currently called "Canary", that will allow all types of users to validate the digital certificates presented by services on the Internet.

Evilrob is a Security Engineer and Penetration Tester with over 14 years of experience with large network architecture and engineering. His current focus is on network security architecture, tool development, and high-assurance encryption devices. He currently spends his days contemplating new and exciting ways to do terrible things to all manner of healthcare related systems in the name of safety. Twitter: @knomes

xaphan is a "Senior Cyber Security Penetration Testing Specialist" for a happy, non-threatening US government agency. He has been a penetration tester for 17 years, but maintains his sanity with a variety of distractions. He is the author of several ancient and obsolete security tools and the creator of DEFCOIN. Twitter: @slugbait

DEF CON 23 [Audio] Speeches from the Hacker Convention
DaKahuna & satanklawz - Introduction to SDR and the Wireless Village - 101 Track

DEF CON 23 [Audio] Speeches from the Hacker Convention

Oct 30, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-DaKahuna-Satanlawz-Introduction-to-SDR-and-Wifi-Village.pdf

Introduction to SDR and the Wireless Village
DaKahuna
satanklawz

In many circumstances, we all have to wear different hats when pursuing hobbies, jobs and research. This session will discuss the exploration and use of software defined radio from two perspectives: that of a security researcher and a Ham Radio operator. We will cover common uses and abuses of hardware to make them work like the transceivers that the Ham crowd is used to, as well as extending the same hardware for other research applications. Additionally we will highlight some of the applications of this knowledge for use at The Wireless Village! Come and join this interactive session; audience participation is encouraged.

By day DaKahuna works for a small defense contractor as a consultant to large government agencies providing critical reviews of customer organizations' compliance with Federal Information Systems information Security Act (FISMA) requirements, effectiveness of their implementation of National Institute for Science and Technology (NIST) Special Publication requirements, cyber security policies, cyber security program plans, and governmental standards and guidance. By night he enjoys roaming the airwaves, be it the amateur radio bands or wireless networks. He is a father of two, grandfather to three, 24 year Navy veteran communicator, holder of an amateur radio Extra Class license and a staunch supporter and exerciser of his 2nd Amendment rights who enjoys shooting targets out to 1200 yards.

Satanklawz has been in the information security realm for 15 years. He built and sold a wireless ISP, worked info sec in the financial services industry and now is a public servant of sorts. His hobbies and interests have always involved radio in some sort of fashion. When he has spare time, he is completing his PhD, teaches, creates mischief, and is working on his dad jokes. Flowers, red and blue, satanklawz loves *SDR*. This is a haiku.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Tottenkoph & IrishMASMS - Hackers Hiring Hackers - How to Do Things Better - 101 Track

Oct 30, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Tottenkoph-IrishMASMS-Hackers-Hiring-Hacker.pdf

Hackers Hiring Hackers - How to Do Things Better
Tottenkoph, Security Consultant, Rapid7
IrishMASMS, Hacker

There are a lot of talks about how to be a better pen tester and workshops that show you how to use all of the cool new tools that are available to make our jobs easier, but there are only a few talks that address what some of us consider to be the hardest part of getting a job in security: the hiring process. The information security field is in desperate need of people with the technical skills hackers have to fill a myriad of roles within organizations across the world. However, both sides of the table are doing horribly when it comes to hiring and interviewing for work. Organizations are doing poorly at communicating expectations for a job, there are people going to interviews without knowing how to showcase their (limited or vast) experience, and some people posture themselves so poorly that the hiring managers don’t think the candidates are really interested in the job. This talk takes the experiences of the speakers as both interviewers and interviewees, as well as those of others within the scene, in order to help better prepare hackers to enter (or move within) “the industry”, as well as let the people making hiring decisions know what they can do to get the people and experience they need for their teams.

Tottenkoph has been hacking for the past 10 years and is currently a security consultant for Rapid7. Tottie has spoken at several hacker cons and is currently pursuing her Master’s degree in Industrial and Organizational Psychology, planning to apply its practices to the hacker and infosec communities. Twitter: @Tottenkoph

IrishMASMS is an old school hacker, fighting the good fight in Computer Network Defence (CND)/blue team efforts for over 16 years. Been lurking about since DEF CON 10, DJing the B&W ball at DEF CON 18 (with quite a few AP pool shindigs and private parties along the way). Panel member at HOPE 5, presenter at a couple of Notacons, and some other conferences where it is hard to remember what really happened. Having progressed through the ranks to hiring manager and director level, he has experienced the pain from both sides of the hiring process and desires to improve the situation for the InfoSec community. Is this where we mention cyberderp? Twitter: @IrishMASMS

DEF CON 23 [Audio] Speeches from the Hacker Convention
Damon Small - Beyond the Scan: The Value Proposition of Vulnerability Assessment - 101 Track

Oct 30, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Damon-Small-Beyond-the-Scan.pdf

Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small, Security Researcher

Vulnerability Assessment is regarded by some as one of the least “sexy” capabilities in information security. However, it is the presenter’s view that it is also a key component of any successful infosec program, and one that is often overlooked. Overlooking it does the organization an injustice and results in many missed opportunities to help ensure success in protecting critical information assets. The presenter will explore how Vulnerability Assessment can be leveraged “Beyond the Scan” and provide tangible value not only to the security team, but to the entire business that it supports.

Damon Small began his career studying music at Louisiana State University. Pursuing his desire to actually make money, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 15 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. Twitter: @damonsmall

DEF CON 23 [Audio] Speeches from the Hacker Convention
Dr. Phil Polstra - Hacker in the Wires - 101 Track

Oct 23, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Phil-Polstra-Hacker-in-the-Wires.pdf
Extras here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Phil-Polstra-Extras.rar
Additional Materials available here: https://media.defcon.org/DEF CON 23/DEF CON 23 presentations/Phil Polstra/Extras/

Hacker in the Wires
Dr. Phil Polstra, Professor, Bloomsburg University

This talk will show attendees how to use a small ARM-based computer that is connected inline to a wired network for penetration testing. The computer runs a full-featured penetration testing Linux distro. Data may be exfiltrated over the network or via a ZigBee mesh network or GSM modem. The device discussed in this talk is easily integrated into a powerful penetration test performed with an army of ARM-based small computer systems connected by XBee or ZigBee mesh networking. Some familiarity with Linux and penetration testing would be helpful, but is not required.

Phil was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since. Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2015). Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes. Twitter: @ppolstra http://facebook.com/ppolstra

DEF CON 23 [Audio] Speeches from the Hacker Convention
Topher Timzen & Ryan Allen - Hijacking Arbitrary .NET Application Control Flow - 101 Track

Oct 23, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Topher-Timzen-Ryan-Allen-Hijacking-Arbitrary-NET-Application-Control-Flow-UPDATED.pdf
Whitepaper here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Topher-Timzen-Ryan-Allen-Hijacking-Arbitrary-NET-Application-Control-Flow-WP.pdf
Additional Materials: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Topher-Timzen-Acquiring-NET-Objects-From-The-Managed-Heap.pdf

Hijacking Arbitrary .NET Application Control Flow
Topher Timzen, Security Researcher - Intel

White paper available here: https://media.defcon.org/DEF CON 23/DEF CON 23 presentations/Topher Timzen & Ryan Allen - UPDATED/DEFCON-23-Topher-Timzen-Ryan-Allen-Hijacking-Arbitrary-NET-Application-Control-Flow-WP.pdf

This speech will demonstrate attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly level attacks that alter the control flow of any .NET application. New attack techniques and tools will be released to allow penetration testers and attackers to carry out advanced post exploitation attacks. This presentation gives an overview of how to use these tools in a real attack sequence and gives a view into the .NET hacker space.

Topher Timzen has had a research emphasis on reverse engineering malware, incident response and exploit development. He has instructed college courses in malware analysis and memory forensics while managing a cybersecurity research lab. Focusing on .NET memory hijacking, he has produced tools that allow for new post exploitation attack sequences. Topher is currently a Security Researcher at Intel. Twitter: @TTimzen

DEF CON 23 [Audio] Speeches from the Hacker Convention
Marina Krotofil & Jason Larsen - Rocking the Pocket Book: Hacking Chemical Plant for Competition and Extortion

Oct 23, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Marina-Krotofil-Jason-Larsen-Rocking-the-Pocketbook-Hacking-Chemical-Plants-UPDATED.pdf
Whitepaper here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Marina-Krotofil-Jason-Larsen-Rocking-the-Pocketbook-Hacking-Chemical-Plants-WP-UPDATED.pdf

Rocking the Pocket Book: Hacking Chemical Plant for Competition and Extortion
Marina Krotofil, Senior Security Consultant, European Network for Cyber Security
Jason Larsen, Principal Security Consultant, IOActive

The appeal of hacking a physical process is dreaming about physical damage attacks lighting up the sky in a shower of goodness. Let’s face it, after such elite hacking action nobody is going to let one present it, even at a conference like DEF CON. As a poor substitute, this presentation will get as close as using a simulated plant for Vinyl Acetate production to demonstrate a complete attack, from start to end, directed at persistent economic damage to a production site while avoiding attribution of the production loss to a cyber-event. Such an attack scenario could be useful to a manufacturer aiming to put competitors out of business, or as a strong argument in an extortion attack. Picking up a paper these days, it’s easy to find an article on all the “SCADA insecurity” out there, associated with an unstoppable attacker with the unsophisticated goal of kicking up another apocalypse. Sorry to disappoint the excited crowd, but the formula “Your wish is my command” does not work for control systems. The target plant is not designed in a hacker-friendly way. Hopefully by the end of the presentation, the audience will understand the difference between breaking into the system and breaking the system, between obtaining control and being in control. An attacker targeting a remote process is not immediately gifted with complete knowledge of the process and the means to manipulate it. In general, an attacker follows a series of stages before getting to the final attack. Designing an attack scenario is a matter of art as much as of economic consideration. The cost of an attack can quickly exceed the worth of the damage. Also, the attacker has to find a way to compare competing attack scenarios. In traditional IT hacking, a goal is to go undetected. In OT (operational technologies) hacking this is not an option. An attack will change things in the real world that cannot be removed by simply erasing the log files. If a piece of equipment is damaged or if a plant suddenly becomes less profitable, it will be investigated. The attacker has to create a forensic footprint for investigators by manipulating the process and the logs in such a way that the analysts draw the wrong conclusions. Exploiting a physical process is an exotic and hard-to-develop skill, which has so far kept a high barrier to entry. Therefore real-world control system exploitation has remained in the hands of a few. To help the community master new skills we have developed “Damn Vulnerable Chemical Process”, the first open source framework for cyber-physical experimentation based on two realistic models of chemical plants. Come to the session and take your first master class on complex physical hacking.

Marina is Senior Security Consultant at European Network for Cyber Security. Through her life she has accumulated vast hands-on experience in several engineering fields. Most recently she completed her doctoral degree in ICS security at Hamburg University of Technology, Germany. Her research over the last few years has been focused on the bits and peaches of the design and implementation of cyber-physical attacks aiming at both physical and economic damage. Marina used her pioneering destructive knowledge for designing process-aware defensive solutions and risk assessment approaches. During her PhD she collaborated with several industrial partners, participated in EU projects and collaborated with cool dudes from the hacking community. She has written more than a dozen papers on the subject of cyber-physical exploitation. Marina gives workshops on cyber-physical exploitation and is a frequent speaker at the leading ICS security and hacking venues around the world. She holds an MBA in Technology Management, an MSc in Telecommunications and an MSc in Information and Communication Systems.

Jason Larsen is a professional hacker who specializes in critical infrastructure and process control systems. Over the last several years he has been doing focused research into remote physical damage. Jason graduated from Idaho State University, where he worked doing Monte Carlo and pharmacokinetic modeling for Boron Neutron Capture Therapy. He was one of the founding members of the Cyber-Security department at the Idaho National Labs, which hosts the ICS-CERT and the National SCADA Testbed. Jason has audited most of the major process control and SCADA systems as well as having extensive experience doing penetration tests against live systems. His other activities include two years on the Windows 7 penetration testing team, designing the anti-malware system for a very large auction site, and building anonymous relay networks. He is currently a Principal Security Consultant for IOActive in Seattle.

DEF CON 23 [Audio] Speeches from the Hacker Convention
John Seymour - "Quantum" Classification of Malware

Oct 23, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-John-Seymour-Quantum-Classification-of-Malware-UPDATED.pdf
Whitepaper here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-John-Seymour-Quantum-Classification-of-Malware-WP-UPDATED.pdf

"Quantum" Classification of Malware
John Seymour, Ph.D. student, University of Maryland, Baltimore County

Quantum computation has recently become an important area for security research, with its applications to factoring large numbers and secure communication. In practice, only one company (D-Wave) has claimed to create a quantum computer which can solve relatively hard problems, and that claim has been met with much skepticism. Regardless of whether it is using quantum effects for computation or not, the D-Wave architecture cannot run the standard quantum algorithms, such as Grover’s and Shor’s. The D-Wave architecture is instead purported to be useful for machine learning and for heuristically solving NP-Complete problems. We'll show why the D-Wave and the machine learning problem for malware classification seem especially suited for each other. We also explain how to translate the classification problem for malicious executables into an optimization problem which a D-Wave machine can solve. Specifically, using a 512-qubit D-Wave Two processor, we show that a minimalist malware classifier, with cross-validation accuracy comparable to standard machine learning algorithms, can be created. However, even such a minimalist classifier incurs a surprising level of overhead.

John Seymour is a Ph.D. student at the University of Maryland, Baltimore County, where he performs research at the intersection of machine learning and information security. He's mostly interested in avoiding and helping others avoid some of the major pitfalls in machine learning, especially in dataset preparation (seriously, do people still use malware datasets from 1998?). In 2014, he completed his Master’s thesis on the subject of quantum computation applied to malware analysis. He currently works at CyberPoint International, a company which performs network and host-based machine learning, located in Baltimore, MD.
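The abstract says the classification problem is translated into an optimization problem a D-Wave machine can solve. D-Wave hardware minimizes quadratic unconstrained binary optimization (QUBO) objectives, and the standard way to cast a classifier as one is the QBoost formulation: choose the subset of weak classifiers that minimizes squared training error plus a sparsity penalty, with one binary variable per weak classifier. The following Python is an added illustration of that construction and is not code from the talk or its whitepaper; the six "features", the eight labelled samples and the exhaustive search that stands in for the annealer are all constructed assumptions.

```python
import itertools

# Constructed toy dataset (not from the talk): eight executables described by six
# binary static features, label +1 = malicious, -1 = benign.  Feature names are
# illustrative assumptions; feature 0 happens to separate the classes perfectly.
FEATURES = ["upx_section", "imports_VirtualAlloc", "high_entropy",
            "no_version_info", "tls_callbacks", "packed_imports"]
SAMPLES = [  # (feature bits f0..f5, label)
    ((1, 1, 0, 1, 0, 1), +1),
    ((1, 0, 1, 0, 1, 0), +1),
    ((1, 1, 1, 0, 0, 0), +1),
    ((1, 0, 0, 1, 1, 1), +1),
    ((0, 1, 0, 0, 1, 0), -1),
    ((0, 0, 1, 1, 0, 1), -1),
    ((0, 0, 0, 0, 0, 0), -1),
    ((0, 1, 1, 1, 1, 1), -1),
]


def weak(i, x):
    """Weak classifier i: votes +1 (malicious) if feature i is set, else -1."""
    return 1 if x[i] else -1


def build_qubo(samples, n_weak, lam):
    """QBoost-style QUBO: minimise sum_s (sum_i w_i h_i(x_s) - y_s)^2 + lam*sum_i w_i
    over w in {0,1}^n.  Expanding the square gives Q[i][j] = sum_s h_i h_j for
    i != j and Q[i][i] = sum_s h_i^2 - 2*sum_s y_s h_i + lam (using w_i^2 == w_i).
    The constant sum_s y_s^2 is returned separately so energies equal the loss."""
    q = [[0.0] * n_weak for _ in range(n_weak)]
    for x, y in samples:
        h = [weak(i, x) for i in range(n_weak)]
        for i in range(n_weak):
            q[i][i] += h[i] * h[i] - 2 * y * h[i]
            for j in range(n_weak):
                if i != j:
                    q[i][j] += h[i] * h[j]
    for i in range(n_weak):
        q[i][i] += lam
    const = sum(y * y for _, y in samples)
    return q, const


def energy(q, const, w):
    """w^T Q w + constant: what the annealer minimises over binary w."""
    n = len(w)
    return sum(w[i] * q[i][j] * w[j] for i in range(n) for j in range(n)) + const


def loss(samples, w, lam):
    """Direct evaluation of the objective, used to check the QUBO expansion."""
    err = 0
    for x, y in samples:
        vote = sum(w[i] * weak(i, x) for i in range(len(w)))
        err += (vote - y) ** 2
    return err + lam * sum(w)


def brute_force_min(q, const):
    """Stand-in for the annealer: exhaustive search over all 2^n assignments."""
    n = len(q)
    best = min(itertools.product((0, 1), repeat=n), key=lambda w: energy(q, const, w))
    return best, energy(q, const, best)


def accuracy(samples, w):
    """Accuracy of the strong classifier sign(sum_i w_i h_i(x)); a tie votes benign."""
    correct = 0
    for x, y in samples:
        vote = sum(w[i] * weak(i, x) for i in range(len(w)))
        correct += (1 if vote > 0 else -1) == y
    return correct / len(samples)


def train(samples=SAMPLES, lam=0.5):
    q, const = build_qubo(samples, len(FEATURES), lam)
    w, e = brute_force_min(q, const)
    return w, e, accuracy(samples, w)


if __name__ == "__main__":
    w, e, acc = train()
    chosen = [FEATURES[i] for i in range(len(w)) if w[i]]
    print("selected weak classifiers:", chosen, "energy:", e, "accuracy:", acc)
```

The sparsity term is what makes the result "minimalist": with lam > 0 the minimiser keeps only weak classifiers that reduce the squared error by more than they cost, which on a real machine also keeps the number of qubits (and the embedding overhead the abstract mentions) small.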

DEF CON 23 [Audio] Speeches from the Hacker Convention
AmmonRa - How to hack your way out of home detention

Oct 22, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-ammonRA-How-to-hack-your-way-out-of-home-detention-UPDATED.pdf

How to hack your way out of home detention
AmmonRa, Security Researcher

Home detention and criminal tracking systems are used in hostile environments, and because of this, the designers of these trackers incorporate a range of anti-removal and tamper detection features. Software security, however, is an area on which less focus is placed. This talk will cover practical attacks against home detention tracking systems, with a focus on software security. Intercepting and modifying tracking information sent from the device in order to spoof the tracker’s location will be demonstrated. General information about how home detention tracking systems operate will be discussed, including the differences between older proximity based systems which used landlines, and newer models which use GPS and cellular networks. Topics will include how to (legally) get hold of and test a real world device, and how to use cheap software defined radios to spoof GSM cell towers. Focus will be on the details of how one particular device is constructed, how it operates and the vulnerabilities it was found to contain. How these vulnerabilities can be exploited and the challenges of doing so in the wild will also be covered.

AmmonRa is a former dev who now works in infosec as a pentester. Both at work and in his spare time AmmonRa hacks things. As well as hacking computers, AmmonRa is a DIY cyborg, designing and implanting in himself a range of devices, including NFC/RFID chips, biometric sensors and subdermal lights. Twitter: @amm0nra

DEF CON 23 [Audio] Speeches from the Hacker Convention
Patrick "Unregistered436" McNeil & "Snide" Owen - Sorry, Wrong Number: Mysteries Of The Phone System - Past and Present - 101 Track

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Patrick-McNeil-Owen-Sorry-Wrong-Number.pdf
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Patrick-McNeil-Guidelines-For-Securing-Your-VoIP-PBX.pdf

Sorry, Wrong Number: Mysteries Of The Phone System - Past and Present
"Unregistered436" Patrick McNeil, Security Architect
"Snide" Owen, Security Researcher

Exploring the phone system was once the new and exciting realm of “phone phreaks,” an ancestor of today’s computer “hackers.” The first phreaks “owned” and explored the vague mysteries of the telephone network for a time until their activities drew too much attention from the phone companies and law enforcement. The phone system evolved, somewhat, in an attempt to shut them out, and phreaking became both difficult and legally dangerous. Such events paralleled a new personal computer “revolution” wherein phone phreaks made the transition from the secret subtleties of telephony to the new and mystical frontier of personal computing. Private BBSs and, eventually, the Internet were not only the next logical step forward, but also provided “safer” alternatives that still allowed for the thrill of exploring the mysteries of a new modern age. Telephony, and voice security in general, became, as the years passed, something of a lost art to all but those who remember…

In this presentation we begin our adventure with a journey back in time, starting in the post-war Film Noir era of the 40’s and 50’s, when users required an operator at the switchboard to make a call, investigating some of the early roots of phreaking that many have forgotten. We will briefly take a look at the weaknesses of early telephone systems and the emergence of the original phreaks in the 50’s and 60’s who found and exploited them. Our journey will also allow us to demonstrate how some of the same basic phreaking approaches are still applicable to today’s "advanced" VoIP systems. Certainly the initial creation and emergence of VoIP opened a variety of attack vectors that were covered at security conferences at the time. Commercial VoIP adoption, however, remained stagnant until standards and carriers caught up. Some VoIP hacking tools were left unmaintained, and VoIP wasn’t the sexy and mysterious attack vector it once was, with the exception of tricksters who found old or insecure systems to be easy targets. Due to increased VoIP adoption over the last few years, however, telephony attacks are provocative once again. As hardboiled VoIP detectives, we’ll unravel the mysteries of the curious, shadowy, and secretive world of phreaks, tricksters, and VoIP hackers. We’ll compare and contrast old school phreaking with new advances in VoIP hacking. We’ll explain how voice systems are targeted, how they are attacked using old and new methods, and how to secure them, with demonstrations along with practical and actionable tips along the way. We may even drop a new VoIP telephony phishing tool to fuse the past and the present.

Patrick spoke about telephony fraud last year at DEF CON Skytalks (“How To Make Money Fast Using A Pwned PBX”), and is a #telephreak at heart. He has over twenty years of experience, mostly with telecom manufacturers, and spent time in charge of product security for the communications security business of a Fortune 100 company. When not working you can find him practicing Kung Fu, brewing beer, or picking locks with Oak City Locksport. Twitter: @unregistered436

Owen used to be a professional developer code monkey. He’s worked in various IT fields including Server Administration, DevOps, Application Security and most recently as a penetration tester. He enjoys tinkering with various technologies, and has experimented for prolonged periods with PBXs and the obscure side of VoIP.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Daniel Selifonov - Drinking from LETHE - Exploiting and mitigating memory corruption vulns

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Daniel-Selifonov-Drinking-from-LETHE.pdf

Drinking from LETHE: New methods of exploiting and mitigating memory corruption vulnerabilities
Daniel Selifonov, Engineer, Skyport Systems Inc

Memory corruption vulnerabilities have plagued computer systems since we started programming software. Techniques for transforming memory corruption primitives into arbitrary code execution exploits have evolved significantly over the past two decades, from "smashing the stack for fun and profit" to the current apex of "just in time code reuse", while playing a cat and mouse game with similarly evolving defensive mitigations: from PaX/NX-bit to fine-grained ASLR and beyond. By contextualizing this battle between attack and defense, I will demonstrate new defense strategies based on augmenting fine-grained ASLR with memory disclosure mitigations to render existing exploitation techniques unreliable. Modifications to the Xen hypervisor exploiting hardware accelerated virtualization extensions on the modern Intel platform enable realizing these new defense strategies without imposing significant runtime CPU overhead.

Daniel Selifonov is currently an engineer focused on information security, and in prior consultancies has built systems for information technology where security was considered throughout design and implementation, rather than as an afterthought. His research interests in security include reverse engineering, applied cryptography, client side security, and user acceptable information system design. Social media names/links: GitHub: https://github.com/thyth/ Personal Website: http://thyth.com/
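To make the attack/defense progression in the abstract concrete, the Python below models a tiny code image under three policies: coarse ASLR (one slide for the whole image, so one leaked pointer plus offsets from the on-disk binary locates every gadget), fine-grained ASLR (function order permuted, which breaks the static offsets but not a just-in-time read of code pages around the leak), and fine-grained ASLR plus a memory disclosure mitigation (code pages unreadable, so the run-time scan finds nothing). This is an added illustration, not code from the talk and not how the Xen modifications it describes work; the image layout, the x86-64 "pop rdi; ret" byte signature (5f c3) and the leak/read primitives are constructed assumptions.

```python
# Toy image as laid out on disk: (function name, size, code bytes).  The "gadget"
# body starts with a recognisable signature; every other body is NOP filler, so
# the signature cannot occur by accident.  Constructed for illustration.
GADGET_SIG = b"\x5f\xc3"                       # x86-64: pop rdi; ret
IMAGE = [
    ("open_file",    0x40, b"\x90" * 0x40),
    ("parse_header", 0x80, b"\x90" * 0x80),
    ("gadget",       0x10, GADGET_SIG + b"\x90" * 0x0e),
    ("cleanup",      0x30, b"\x90" * 0x30),
]
STATIC_OFFSETS = {}                            # what an attacker learns from a copy of the binary
_off = 0
for _name, _size, _ in IMAGE:
    STATIC_OFFSETS[_name] = _off
    _off += _size
IMAGE_SIZE = _off


class Process:
    """A process whose code was loaded under some randomisation policy."""

    def __init__(self, slide, order=None, execute_only=False):
        self.execute_only = execute_only       # memory disclosure mitigation on/off
        self.addr = {}                         # name -> runtime address
        self.mem = {}                          # runtime address -> byte
        base = 0x400000 + slide
        order = order or list(range(len(IMAGE)))   # coarse ASLR: disk order, one slide
        cursor = base
        for idx in order:                          # fine-grained ASLR: permuted order
            name, size, code = IMAGE[idx]
            self.addr[name] = cursor
            for k, b in enumerate(code):
                self.mem[cursor + k] = b
            cursor += size

    def leak_pointer(self, name):
        """Models a single leaked code pointer (vtable entry, saved return address...)."""
        return self.addr[name]

    def read(self, addr, n):
        """Models an arbitrary-read primitive.  Returns None if any byte is
        unmapped, or always when code pages are execute-only."""
        if self.execute_only:
            return None
        out = bytearray()
        for a in range(addr, addr + n):
            if a not in self.mem:
                return None
            out.append(self.mem[a])
        return bytes(out)


def attack_static_offsets(proc, leaked_name, target):
    """Classic ROP preparation: one leaked pointer plus offsets from the on-disk binary."""
    leak = proc.leak_pointer(leaked_name)
    return leak - STATIC_OFFSETS[leaked_name] + STATIC_OFFSETS[target]


def attack_jit_rop(proc, leaked_name):
    """Just-in-time code reuse: disclose code near the leaked pointer at run time and
    search it for the gadget signature, needing no knowledge of the layout."""
    leak = proc.leak_pointer(leaked_name)
    lo = max(leak - IMAGE_SIZE, 0)
    for a in range(lo, leak + IMAGE_SIZE):
        chunk = proc.read(a, len(GADGET_SIG))
        if chunk == GADGET_SIG:
            return a
    return None


if __name__ == "__main__":
    coarse = Process(slide=0x3000)
    fine = Process(slide=0x3000, order=[2, 0, 3, 1])
    hardened = Process(slide=0x3000, order=[2, 0, 3, 1], execute_only=True)
    print("coarse, static offsets :", hex(attack_static_offsets(coarse, "open_file", "gadget")),
          "real", hex(coarse.addr["gadget"]))
    print("fine,   static offsets :", hex(attack_static_offsets(fine, "open_file", "gadget")),
          "real", hex(fine.addr["gadget"]))
    print("fine,   JIT-ROP scan   :", attack_jit_rop(fine, "open_file"))
    print("fine+XO, JIT-ROP scan  :", attack_jit_rop(hardened, "open_file"))
```

The point the model makes is the abstract's: fine-grained ASLR alone only moves the attacker from static offsets to a run-time disclosure loop, so the randomisation has to be paired with something that denies the disclosure itself (execute-only code pages, which the talk realises through hypervisor-level memory permissions).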

DEF CON 23 [Audio] Speeches from the Hacker Convention
Marte Løge - Tell me who you are and I will tell you your lock pattern

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Marte-L0ge-I-will-Tell-you-your-Lock-Pattern-UPDATED.pdf

Tell me who you are and I will tell you your lock pattern
Marte Løge, Security Researcher

You are predictable. Your passwords are predictable, and so are your PINs. This fact is being used by the hackers, as well as the agencies watching you. But what about your Android lock patterns? Can who you are reveal what patterns you create? This presentation will present the result from an analysis of 3400 user-selected patterns. The interesting part is that we collected additional information about the respondents, not just the patterns themselves. Will being left-handed and having experience with security affect the way you create your lock patterns? There are 389,112 possible patterns. Your full device encryption won't save you if your lock pattern is L - as in "loser".

Marte has just finished her master's degree in computer science at the Norwegian University of Technology and Science (...NUTS
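The 389,112 figure in the abstract follows from Android's pattern rules: a pattern visits four to nine distinct dots of a 3x3 grid, and a stroke may pass over a dot only if that dot was already visited (so 0 to 2 is illegal while 1 is unvisited, and a knight-style move such as 0 to 5 passes over nothing). The Python below, an added example rather than code from the talk, enumerates the legal patterns under those rules, validates a candidate pattern, and expresses the search space in bits; the row-major dot numbering 0 to 8 is this example's convention.

```python
import math


def dot_rc(i):
    """Dot index 0..8 (row-major) -> (row, col)."""
    return divmod(i, 3)


def skipped_dot(a, b):
    """The dot lying on the straight line strictly between a and b, or None.
    Such a dot exists only when the midpoint lands on the grid, i.e. both
    coordinate sums are even."""
    (r1, c1), (r2, c2) = dot_rc(a), dot_rc(b)
    if (r1 + r2) % 2 or (c1 + c2) % 2:
        return None
    m = 3 * ((r1 + r2) // 2) + (c1 + c2) // 2
    return None if m in (a, b) else m


def legal_move(visited, a, b):
    """Android rule: a stroke may not jump over an unvisited dot, and may not
    revisit a dot; an already-visited dot may be passed over."""
    if b in visited:
        return False
    m = skipped_dot(a, b)
    return m is None or m in visited


def is_valid_pattern(seq, min_len=4):
    """Check one candidate pattern against the rules."""
    if len(seq) < min_len or len(set(seq)) != len(seq):
        return False
    if any(not 0 <= d <= 8 for d in seq):
        return False
    visited = {seq[0]}
    for a, b in zip(seq, seq[1:]):
        if not legal_move(visited, a, b):
            return False
        visited.add(b)
    return True


def count_patterns(min_len=4, max_len=9):
    """Depth-first enumeration of every legal pattern, bucketed by length."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def dfs(path, visited):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        for nxt in range(9):
            if legal_move(visited, path[-1], nxt):
                visited.add(nxt)
                path.append(nxt)
                dfs(path, visited)
                path.pop()
                visited.remove(nxt)

    for start in range(9):
        dfs([start], {start})
    return counts


def entropy_bits(n_patterns):
    """Size of the search space in bits, for comparison with PINs (a 4-digit PIN is ~13.3 bits)."""
    return math.log2(n_patterns)


if __name__ == "__main__":
    counts = count_patterns()
    total = sum(counts.values())
    print("patterns by length:", counts)
    print("total:", total, "=", round(entropy_bits(total), 2), "bits")
    print("L pattern [0,3,6,7,8] valid:", is_valid_pattern([0, 3, 6, 7, 8]))
    print("[0,2,1,3] valid:", is_valid_pattern([0, 2, 1, 3]))
```

Running it shows why the abstract's warning bites: the whole space is under 19 bits, and once user-selected patterns cluster on a few shapes (the "L" among them) the effective space is far smaller than that.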

DEF CON 23 [Audio] Speeches from the Hacker Convention
Ryan Mitchell - Separating Bots from the Humans

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Ryan-Mitchell-Separating-Bots-from-Humans.pdf

Separating Bots from the Humans
Ryan Mitchell, Software Engineer, LinkeDrive Inc

There’s an escalating arms race between bots and the people who protect sites from them. Bots, or web scrapers, can be used to gather valuable data, probe large collections of sites for vulnerabilities, exploit found weaknesses, and are often unfazed by traditional solutions like robots.txt files, Ajax loading, and even CAPTCHAs. I’ll give an overview of both sides of the battle and explain what really separates the bots from the humans. I’ll also demonstrate an easy new tool that can be used to crack CAPTCHAs with high rates of success, some creative approaches to honeypots, and demonstrate how to scrape many “bot-proof” sites.

Ryan Mitchell is a Software Engineer at LinkeDrive in Boston, where she develops their API and data analysis tools. She is a graduate of Olin College of Engineering, and is a master's degree student at Harvard University School of Extension Studies. Prior to joining LinkeDrive, she was a Software Engineer building web scrapers and bots at Abine Inc, and regularly does freelance work, building web scrapers for clients, primarily in the financial and retail industries. Ryan is also the author of two books: “Instant Web Scraping with Java” (Packt Publishing, 2013) and “Web Scraping with Python” (O’Reilly Media, 2015). Twitter: @Kludgist Amazon Author Page: http://www.amazon.com/Ryan-Mitchell/e/B00MQI8TVQ Website: http://ryanemitchell.com
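One honeypot approach of the kind the abstract alludes to is a form field that browsers hide with CSS: a scraper that fills every input it parses gives itself away, and a signed issue timestamp in the form catches submissions made faster than a person could read the page (and forms replayed long after they were served). The following Python is an added illustration of that idea, not code from the talk or from the speaker's books; the form markup, the HMAC key and the timing thresholds are constructed assumptions, and both the naive bot and the human are simulated.

```python
import hashlib
import hmac
from html.parser import HTMLParser

SECRET = b"constructed-demo-key"     # assumption: server-side secret for the timestamp MAC
HONEYPOT = "website"                  # field a human never sees, so never fills


def render_form(now):
    """Constructed comment form: three real fields, one CSS-hidden honeypot and a
    signed issue timestamp so the server can tell how long the form was open."""
    ts = str(int(now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"""<form method="post" action="/comment">
  <input type="text" name="name">
  <input type="text" name="email">
  <textarea name="comment"></textarea>
  <div style="display:none"><input type="text" name="{HONEYPOT}"></div>
  <input type="hidden" name="form_ts" value="{ts}.{sig}">
</form>"""


class FieldCollector(HTMLParser):
    """Collects form controls and whether each sits inside a display:none block."""

    def __init__(self):
        super().__init__()
        self.fields = []          # (name, type, value, hidden_by_css)
        self._div_stack = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            style = (a.get("style") or "").replace(" ", "")
            self._div_stack.append("display:none" in style)
        if tag in ("input", "textarea") and a.get("name"):
            self.fields.append((a["name"], a.get("type", "text"),
                                a.get("value", ""), any(self._div_stack)))

    def handle_endtag(self, tag):
        if tag == "div" and self._div_stack:
            self._div_stack.pop()


def naive_bot_submit(form_html):
    """A scraper that fills every named text control, as a bot ignoring CSS would."""
    p = FieldCollector()
    p.feed(form_html)
    data = {}
    for name, typ, value, _hidden in p.fields:
        data[name] = value if typ == "hidden" else "buy now http://spam.example"
    return data


def human_submit(form_html):
    """A browser user sees and fills only the visible controls."""
    p = FieldCollector()
    p.feed(form_html)
    data = {}
    for name, typ, value, hidden in p.fields:
        if typ == "hidden":
            data[name] = value
        elif not hidden:
            data[name] = "Nice post." if name == "comment" else "Alice"
    return data


def classify(data, now, min_seconds=3, max_seconds=3600):
    """Server side: ('bot', reason) or ('human', None)."""
    if data.get(HONEYPOT):
        return "bot", "honeypot field filled"
    ts, _, sig = data.get("form_ts", "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(sig, expected):
        return "bot", "missing or forged timestamp"
    elapsed = now - int(ts)
    if elapsed < min_seconds:
        return "bot", "submitted too fast"
    if elapsed > max_seconds:
        return "bot", "stale form"
    return "human", None


if __name__ == "__main__":
    t0 = 1_700_000_000
    form = render_form(t0)
    print("bot:  ", classify(naive_bot_submit(form), t0 + 1))
    print("human:", classify(human_submit(form), t0 + 20))
```

The MAC on the timestamp matters: without it a scraper simply rewrites form_ts to look slow, which is exactly the kind of "bot-proof" check the abstract says is routinely scraped past.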

DEF CON 23 [Audio] Speeches from the Hacker Convention
Bart Kulach (Bartlomiej Jakub Kulach) - Hack the Legacy! IBM i (aka AS/400) Revealed

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Bart-Kulach-Hack-the-Legacy-IBMi-revealed.pdf

Hack the Legacy! IBM i (aka AS/400) Revealed.
Bart Kulach (Bartlomiej Jakub Kulach), Security Researcher

Have you ever heard about the famous "green screen"? No, it's not a screensaver... Believe me, it still does exist! In many industries, although the front-end systems are all new and shiny, in the back-end they still rely on well-known, proven IBM i (aka AS/400) technology for their back-office, core systems. Surprisingly, nobody truly seems to care about the security. Even if these nice IBM heavy black boxes are directly connected to the Internet... The aim of the talk is to give you more insight into a number of techniques for performing a security test of / securing an IBM i system from the perspective of an external and internal intruder. Methods like privilege escalation by nested user switching, getting full system access via JDBC or bypassing the "green screen" (5250) limitations will be presented. Last but not least: I will also show an undocumented output format of the built-in password transfer API, giving you direct access to all password hashes. Even IBM engineers may wonder...

Bart Kulach: Aged 31, with 14 years of work experience within IT security, risk management and IT operations. Security specialist and experienced supervisor for IT audits, CISA, CISM. Working currently for NN Group in the Netherlands as coordinator for IT audits within Investment and Insurance business units in Europe and Asia. For the past 7 years he has held various security and risk management related positions. Focused on security of IBM i (aka AS/400, iSeries), website security as well as lean IT processes and architecture. Facebook: (bart.kulach)

DEF CON 23 [Audio] Speeches from the Hacker Convention
Jose Selvi - Breaking SSL Using Time Synchronisation Attacks

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Jose-Selvi-Breaking-SSL-Using-Time-Synchronisation-Attacks.pdf

Breaking SSL Using Time Synchronisation Attacks
Jose Selvi, Senior Security Consultant, NCC Group

What time? When? Who is first? Obviously, time is strongly present in our daily life. We use time in almost everything we do, and computers are not an exception to this rule. Our computers and devices use time in a wide variety of ways such as cache expiration, scheduling tasks or even security technologies. Some of those technologies rely completely on the local clock, and they can be affected by a clock misconfiguration. However, since most operating system providers do not offer secure time synchronisation protocols by default, an attacker could manipulate those protocols and control the local clock. In this presentation, we review how different operating systems synchronise their local clocks and how an attacker could exploit some of them in order to bypass different well-known security protections.

Jose Selvi is a Senior Penetration Tester at NCC Group. His 11 years of expertise performing advanced security services and solutions in various industries (government, telecom, retail, manufacturing, healthcare, financial, technology...) include mainly penetration tests and information security research in new technologies. He is also a SANS Institute community instructor for penetration testing courses and a regular speaker at security conferences (mostly in Spain).
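To show how a protection that depends on the local clock falls to an unauthenticated time source, the Python below, an added example that is not the speaker's tooling, forges an SNTP server reply whose transmit timestamp lies two years in the future, lets a naive client adopt it, and checks what that does to a browser-style HSTS cache whose entries expire after max-age. The packet layout is the 48-byte RFC 5905 format (LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference ID, then reference, origin, receive and transmit timestamps counted from 1900). The hostnames, timestamps and the 1000 second step sanity check (modelled on ntpd's default panic threshold) are assumptions of this example.

```python
import struct

NTP_DELTA = 2208988800          # seconds from the NTP epoch (1900-01-01) to the Unix epoch


def forge_ntp_reply(unix_time, stratum=1):
    """Build a 48-byte NTPv4 server reply (mode 4) whose transmit timestamp
    claims `unix_time`.  Nothing in plain NTP authenticates this packet."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4           # LI=0, version 4, mode 4 (server)
    secs = int(unix_time) + NTP_DELTA
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    timestamp = struct.pack("!II", secs, frac)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll 2^6, precision 2^-20
    header += struct.pack("!II", 0, 0)                          # root delay, root dispersion
    header += b"GPS\x00"                                        # reference ID claiming a GPS stratum-1 source
    return header + timestamp * 4        # reference, origin, receive, transmit


def client_time_from_reply(packet):
    """What a naive SNTP client does: trust the transmit timestamp at bytes 40..47."""
    if len(packet) != 48 or (packet[0] & 0x07) != 4:
        raise ValueError("not an NTP server reply")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_DELTA + frac / (1 << 32)


def accept_step(current, proposed, panic_threshold=1000):
    """Sanity check in the spirit of ntpd's panic threshold: refuse to step the
    clock by more than `panic_threshold` seconds without operator intervention."""
    return abs(proposed - current) <= panic_threshold


class Clock:
    """The system clock as seen by the rest of this example."""

    def __init__(self, now):
        self._now = float(now)

    def now(self):
        return self._now

    def set(self, t):
        self._now = float(t)


class HstsStore:
    """Minimal HSTS cache: host -> (expiry, includeSubDomains)."""

    def __init__(self):
        self._entries = {}

    def remember(self, host, header, now):
        max_age, include_sub = None, False
        for directive in header.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.isdigit():
                max_age = int(value)
            elif key.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        if max_age == 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """True if an http:// navigation to `host` must be rewritten to https://."""
        for known, (expires, include_sub) in self._entries.items():
            matches = host == known or (include_sub and host.endswith("." + known))
            if matches and now < expires:
                return True
        return False


def scenario():
    """Client learns an HSTS policy, then an on-path attacker answers its NTP query."""
    t0 = 1_700_000_000
    clock = Clock(t0)
    hsts = HstsStore()
    hsts.remember("bank.example", "max-age=31536000; includeSubDomains", clock.now())
    before = hsts.should_upgrade("login.bank.example", clock.now())
    forged = forge_ntp_reply(t0 + 2 * 365 * 86400)          # two years ahead
    claimed = client_time_from_reply(forged)
    guarded = accept_step(clock.now(), claimed)              # a careful client would refuse
    clock.set(claimed)                                       # a naive client steps anyway
    after = hsts.should_upgrade("login.bank.example", clock.now())
    return before, after, guarded


if __name__ == "__main__":
    before, after, guarded = scenario()
    print("HSTS upgrade before clock attack:", before)
    print("HSTS upgrade after clock attack: ", after)
    print("step within panic threshold:     ", guarded)
```

Once the entry has "expired", the next http:// request to the site goes out in the clear and an on-path attacker can strip TLS; the same clock jump also affects certificate validity windows and anything else that compares against local time, which is why the authenticated alternatives the abstract calls for matter.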

DEF CON 23 [Audio] Speeches from the Hacker Convention
Jean-Philippe Aumasson - Quantum Computers vs. Computers Security

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Phillip-Aumasson-Quantum-Computers-vs-Computers-Security.pdf

Quantum Computers vs. Computers Security
Jean-Philippe Aumasson, Principal Cryptographer, Kudelski Security, Switzerland

We've heard about hypothetical quantum computers breaking most of the public-key crypto in use—RSA, elliptic curves, etc.—and we've heard about "post-quantum" systems that resist quantum computers. We also heard about quantum computers' potential to solve other problems considerably faster than classical computers, such as discrete optimization, machine learning, or code verification problems. And we heard about a commercial quantum computer, and we heard vendors of quantum key distribution or quantum random number generators promise us security as solid as the laws of physics. Still, most of us are clueless regarding: How do quantum computers work and why could they solve certain problems faster than classical computers? What are the actual facts and what is FUD, hype, or journalistic exaggeration? Could quantum computers help in defending classical computers and networks against intrusions? Is it worth spending money on post-quantum systems, quantum key distribution, or on purchasing or developing a quantum computer? Will usable quantum computers be built in the foreseeable future? This talk gives honest answers to those questions, based on the latest research, on analyses of the researchers' and vendors' claims, and on a cost-benefit-risk analysis. We'll expose the fundamental principles of quantum computing in a way comprehensible by anyone, and we'll skip the technical details that require math and physics knowledge. Yet after this talk you'll be better able to assess the risk of quantum computers, to debunk misleading claims, and to ask the right questions.

Jean-Philippe (JP) Aumasson is Principal Cryptographer at Kudelski Security, in Switzerland. He is known for designing the cryptographic functions BLAKE, BLAKE2, SipHash, and NORX. He has spoken at conferences such as Black Hat, RSA, and CCC, and initiated the Crypto Coding Standard and the Password Hashing Competition projects. He co-wrote the 2015 book "The Hash Function BLAKE". He is a member of the technical advisory board of the Open Crypto Audit Project and of the Underhanded Crypto Contest. Twitter: @veorq

DEF CON 23 [Audio] Speeches from the Hacker Convention
Yan Shoshitaishvili & Fish Wang - Angry Hacking - the next generation of binary analysis

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Yan-Shoshitaishvili-Fish-Wang-Angry-Hacking.pdf

Angry Hacking - the next generation of binary analysis
Yan Shoshitaishvili, PhD Student, UC Santa Barbara
Fish Wang, PhD Student, UC Santa Barbara

Security has gone from a curiosity to a phenomenon in the last decade. Fortunately for us, despite the rise of memory-safe, interpreted, lame languages, the security of binaries is as relevant as ever. On top of that, (computer security) Capture the Flag competitions have skyrocketed in popularity, with new and exciting binaries on offer for hacking every weekend. This all sounds great, and it is. Unfortunately, the more time goes by, the older we get, and the more our skills fade. Whereas we were happy to stare at objdump a decade ago, today we find the menial parts of reversing and pwning more and more tiring and more and more difficult. Worse, while security analysis tools have been evolving to make life easier for us hackers, the core tools that we use (like IDA Pro) have remained mostly stagnant. And on top of that, the term "binaries" has expanded to regularly include ARM, MIPS, PPC, MSP430, and every other crazy architecture you can think of, rather than the nice, comfortable x86 of yesteryear. New tools are required, and we're here to deliver.

Over the last two years, we have been working on a next-generation binary analysis framework in an attempt to turn back the tide and reduce our mounting noobness. The result is called angr. angr assists in binary analysis by providing extremely powerful, state-of-the-art analyses, and making them as straightforward to use as possible. Ever wanted to know *what freaking value* some variable could take on in a function (say, can the target of a computed write point to the return address)? angr can tell you! Want to know what input you need to trigger a certain code path and export a flag? Ask angr!

In the talk, we'll cover three of the analyses that angr provides: a powerful static analysis engine (able to, among other things, automatically identify potential memory corruption in binaries through the use of Value-Set Analysis), its symbolic execution engine, and dynamic emulation of various architectures (*super* useful for debugging shellcode). On top of that, angr is designed to make the life of a hacker as easy as possible -- for example, the whole system is 98% Python, and is designed to be a breeze to interact with through iPython. Plus, it comes with a nifty GUI with nice visualizations for symbolically exploring a program, tracking differences between different program paths, and understanding value ranges of variables and registers. Finally, angr is designed to be easily extensible and embeddable in other applications. We'll show off a semantic-aware ROP gadget finder ("are there any gadgets that write to a positive offset of rax but don't clobber rbx" or "given this program state, what are the gadgets that won't cause a segfault") and a binary diffing engine, both built on angr. We've used angr to solve CTF binaries, analyze embedded devices, debug shellcode, and even dabble in the DARPA Cyber Grand Challenge. We'll talk about our experiences with all of that and will release angr to the world, hopefully revolutionizing binary analysis and making everyone ANGRY!

Yan and Fish are two members of Shellphish, a pretty badass hacking team famous for low SLA and getting the freaking exploit JUST A FREAKING MINUTE LATE. Their secret identities are those of PhD students in the security lab of UC Santa Barbara. When they're not CTFing or surfing, they're doing next-generation (what does that even mean?) security research. Their work has been published in numerous academic venues. For example, in 2013, they created an automatic tool, called MovieStealer, to automatically break the DRM of streaming media services [1]. After taking 2014 to work on angr, in 2015 they followed this up with an analysis of backdoors in embedded devices [2]. Now, they've set their sights on helping the world analyze binaries faster, better, stronger, by revolutionizing the analysis tool landscape!

[1] https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/wang_ruoyu
[2] http://www.internetsociety.org/doc/firmalice-automatic-detection-authentication-bypass-vulnerabilities-binary-firmware

Twitter: @zardus

DEF CON 23 [Audio] Speeches from the Hacker Convention
Michael Walker & Jordan Wiens - Machine vs Machine - DARPAs Fully Automated CTF

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Walker-Wiens-Machine-vs-Machine-DARPA-Fully-Automated-CTF.pdf

Machine vs. Machine: Inside DARPA’s Fully Automated CTF
Michael Walker, Program Manager, DARPA/I2O
Jordan Wiens, CTF A(p|nthro)pologist @vector35.com

For 22 years, the best binary ninjas in the world have gathered at DEF CON to play the world’s most competitive Capture-the-Flag. At DEF CON 24, DARPA will challenge machines to play this game for the first time, with the winner taking home a $2 million prize. This talk will include a first public look at the machines, teams, technology, and visualization behind Cyber Grand Challenge. The technology: machines that discover bugs and build patches? We’re bringing our qualifier results to show just how real this is. The teams: we’ll talk about the finalists who prevailed to make it to the CGC final round. Visualization: the product of CTF players working with game designers, this talk will include a live interactive demo of a graphical debugger for everyone that will let an audience follow along in real time. The machines: we’re bringing high performance computing to the DEF CON stage. The event: In 2016, machines will Capture the Flag! Follow DARPA Cyber Grand Challenge on Twitter: #DARPACGC

Mike Walker joined DARPA as a program manager in January 2013. His research interests include machine reasoning about software in situ and the automation of application security lifecycles. Prior to joining DARPA, Mr. Walker worked in industry as a security software developer, Red Team analyst, enterprise security architect and research lab leader. As part of the Computer Science Corporation "Strikeforce" Red Team, Mr. Walker helped develop the HEAT Vulnerability Scanner and performed Red Team engagements. Serving as a principal at the Intrepidus Group, Mr. Walker worked on Red Teams that tested America's financial and energy infrastructure for security weaknesses. Also, on the DARPA SAFER Red Team, Mr. Walker discovered flaws in prototype communications technologies. Mr. Walker has participated in various roles in numerous applied computer security competitions. He contributed challenges to DEF CON Capture the Flag (CTF) and competed on and led CTF teams at the highest levels of international competition. Mr. Walker was formerly a mentor of the Computer Security Competition Club at Thomas Jefferson High School for Science and Technology (TJHSST).

Jordan started his professional career at the University of Florida, where he got to do a little bit of everything security related. His love of CTFs, however, drove him to a job at a government contractor where he honed his reverse engineering and vulnerability research skills. Now, his goal in life is to become a professional CTF e-sports caster, so he founded a startup, Vector 35, to try to get paid to do stuff with CTFs and gaming.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Wesley McGrew - I Hunt Penetration Testers: More Weaknesses in Tools and Procedures

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Wesley-McGrew-I-Hunt-Penetration-Testers.pdf

I Hunt Penetration Testers: More Weaknesses in Tools and Procedures
Wesley McGrew, Assistant Research Professor, Distributed Analytics and Security Institute, Mississippi State University

When we lack the capability to understand our tools, we operate at the mercy of those that do. Penetration testers make excellent targets for bad actors, as the average tester’s awareness and understanding of the potential risks and vulnerabilities in their tools and processes is low, and the value of the information they gather and gain access to among their client base is very high. As demonstrated by Wesley’s DEF CON 21 talk on vulnerabilities in penetration testing devices, and last year’s compromise of WiFi Pineapple devices, the tools of offensive security professionals often represent a soft target. In this talk, operational security issues facing penetration testers will be discussed, including communication and data security (not just “bugs”), which impact both testers and clients. A classification system for illustrating the risks of various tools is presented, and vulnerabilities in specific hardware and software use cases are presented. Recommendations are made for improving penetration testing practices and training. This talk is intended to be valuable to penetration testers wanting to protect themselves and their clients, and for those who are interested in profiling weaknesses of opposing forces that may use similar tools and techniques.

Wesley McGrew (@McGrewSecurity) is an assistant research professor at Mississippi State University's Distributed Analytics and Security Institute. At DASI, he is involved in malware and vulnerability research. In the spring 2013 semester, he began teaching a self-designed course on reverse engineering to students at MSU, using real-world, high-profile malware samples, as part of gaining NSA CAE Cyber Ops certification for MSU. Wesley has presented at Black Hat USA and DEF CON on forensics, malware, and penetration testing topics, and is the author of security and forensics tools that he publishes through his personal/consultancy website, McGrewSecurity.com. Twitter: @mcgrewsecurity

DEF CON 23 [Audio] Speeches from the Hacker Convention
Panel - DEF CON Comedy Inception: How many levels deep can we go?

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Panel-Comedy-Inception-Amanda-Berlin-Blue-Team-Hell.pdf

DEF CON Comedy Inception: How many levels deep can we go?
Larry Pesce, Senior Security Analyst, InGuardians
Chris Sistrunk, Mandiant/FireEye
Will "illwill" Genovese
Chris Blow, Rook Security
Dan Tentler, Carbon Dynamics
Amanda Berlin, Hurricane Labs

This year at DEF CON a former FAIL PANEL panelist attempts to keep the spirit alive by playing moderator. Less poetry, more roasting. A new cast of characters, more lulz, and no rules. Nothing is sacred, not the industry, not the audience, not even each other. Our cast of characters will bring you all sorts of technical fail, with ROFLCOPTER to back it up. No waffles, but we have other tricks up our sleeve to punish, er, um, show love to our audience, all while raising money for the EFF and HFC. The FAIL PANEL may be dead, but the “giving” goes on.

Larry Pesce is a Senior Security Analyst with InGuardians. His recent experience includes providing penetration assessment, architecture review, hardware security assessment, wireless/radio analysis, and policy and procedure development for a wide range of industries including those in the financial, retail, and healthcare verticals. Larry is an accomplished speaker, having presented numerous times at industry conferences, as well as the co-host of the long running multi-award winning security podcast Paul's Security Weekly, and is a certified instructor with the SANS Institute. Larry is a graduate of Roger Williams University. In his spare time he likes to tinker with all things electronic and wireless. Larry is an amateur radio operator holding his Extra class license and is regularly involved in emergency communications activities.

In 1972 a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade.... making the decision to leave Amanda behind. Ms. Berlin is now rumored to have illegitimate children by Saudi oil barons hidden all over the world in at least 27 countries, but this can neither be confirmed nor denied. Amanda Berlin is a Network Security Engineer at Hurricane Labs. She is most well known for being a breaker of hearts, knees, and SJWs. Bringing "Jack of All Trades" back to being sexy, she has worked her fingers to the bone securing ISPs, healthcare facilities, artificial insemination factories, and brothels. Amanda managed the internal phishing campaign at a medium size healthcare facility to promote user education about phishing and hacking through an awards based reporting program. She is a lead organizer for CircleCityCon, volunteers at many other conferences, and enjoys writing and teaching others. Twitter: @InfoSystir

Chris Blow is a Senior Technical Advisor with Rook Security. His most recent experience includes: penetration testing, social engineering, red team exercises, policy and procedure guidance focused on HIPAA and PCI DSS, developing security awareness programs, performing HIPAA assessments and serving as a Qualified Security Assessor for the Payment Card Industry. In reality, his primary duties are to be told by various clients that “security is hard” and to just “accept the risk.” He’s also well-versed in being told to keep vulnerable assets and people “out of scope.” Chris is a graduate of Purdue University in West Lafayette, IN. Besides trying to keep up with all-things-InfoSec, Chris enjoys playing guitar, singing, and DJing. Twitter: @b10w

illwill is a rogue blackhat as fuck subcontractor for top secret global governments. He spends his off time enjoying bubble baths, recovering from a debilitating injury as infosystir's former bean fluffer, and hand carves realistic thrones made from discarded dildos found dumpster diving behind a porn store in Los Angeles.

Dan Tentler likes to break things. He's also an expert on failure. Ask him about it. But ask with scotch. Twitter: @viss

Twitter: @chrissistrunk

DEF CON 23 [Audio] Speeches from the Hacker Convention
Patrick Wardle - Stick That In Your root Pipe and Smoke It

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Patrick-Wardle-Stick-that-in-your-(Root)Pipe-and-Smoke-it-UPDATED.pdf

Stick That In Your (root)Pipe & Smoke It
Patrick Wardle, Director of R&D, Synack

You may ask; "why would Apple add an XPC service that can create setuid files anywhere on the system - and then blindly allow any local user to leverage this service?" Honestly, I have no idea! The undocumented 'writeconfig' XPC service was recently uncovered by Emil Kvarnhammar, who determined its lax controls could be abused to escalate one's privileges to root. Dubbed ‘rootpipe,' this bug was patched in OS X 10.10.3. End of story, right? Nope, instead things then got quite interesting. First, Apple decided to leave older versions of OS X un-patched. Then, an astute researcher discovered that the OSX/XSLCmd malware, which pre-dated the disclosure, exploited this same vulnerability as a 0day! Finally, yours truly found a simple way to side-step Apple's patch to re-exploit the core vulnerability on a fully-patched system. So come attend (but maybe leave your MacBooks at home), as we dive into the technical details of XPC and the rootpipe vulnerability, explore how malware exploited this flaw, and then fully detail the process of completely bypassing Apple's patch. The talk will conclude by examining Apple’s response, a second patch, that appears to squash ‘rootpipe’…for now.

Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes OS X security tools. Both can be found on his website Objective-See.com

DEF CON 23 [Audio] Speeches from the Hacker Convention
Daniel “unicornFurnace” Crowley & Damon Smith - Bugged Files: Is Your Document Telling on You?

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Daniel-Crowley-Damon-Smith-Bugged-Files.pdf

Bugged Files: Is Your Document Telling on You?
Daniel “unicornFurnace” Crowley, Security Consultant, NCC Group
Damon Smith, Associate Security Consultant, NCC Group

Certain file formats, like Microsoft Word and PDF, are known to have features that allow for outbound requests to be made when the file opens. Other file formats allow for similar interactions but are not well-known for allowing such functionality. In this talk, we explore various file formats and their ability to make outbound requests, as well as what that means from a security and privacy perspective. Most interestingly, these techniques are not built on mistakes, but intentional design decisions, meaning that they will not be fixed as bugs. From data loss prevention to de-anonymization to request forgery to NTLM credential capture, this presentation will explore what it means to have files that communicate to various endpoints when opened.

Daniel (aka "unicornFurnace") is a Security Consultant for NCC Group. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel enjoys climbing large rocks. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie. Daniel also holds the title of Baron in the micronation of Sealand.

Damon Smith is an Associate Security Engineer with NCC Group, an information security firm specializing in application, network, and mobile security. Damon specializes in web application assessments, embedded device/point of sale assessments, network penetration testing, and mobile testing. Damon graduated with a BS in Computer Science from the University of Texas, with a focus on Information Security. He has experience working as an IT consultant in the legal and retail industries and further as a security consultant focusing on application assessments.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Weston Hecker - Goodbye Memory Scraping Malware: Hold Out Till "Chip And Pin”

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Weston-Hecker-Goodbye-Memory-Scraping-Malware.pdf

Goodbye Memory Scraping Malware: Hold Out Till "Chip And Pin”
Weston Hecker, Sr. Pentester, Sr. Systems Security Analyst at "KLJ Security”

Proof of concept for stopping credit card theft in memory skimming operations, and alternative methods of stopping credit card skimming. I am leading a project on free open source software that attacks POS skimming malware: a launching platform and concept for stores to stop being low hanging fruit, in effect making it no longer possible to sell credit card numbers from skim breaches. It offers better collection of forensic data with canary features (such as putting a flagged card into memory so that if it is skimmed it will be flagged at the processor, catching the breach much faster), and injects 1-500 false random CC numbers for every one legitimate CC number that is entered, in effect making stolen credit card batches harder to sell. I will go into detail on how criminals steal and sell credit cards at this time. This is software for making credit card numbers harder to steal by the methods that have been used in larger breaches such as Target and Home Depot.

10 years pen-testing, 11 years security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 and over 40 other speaking engagements, from telecom regional events to universities, on security subject matter. Working with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis, Minnesota: Computer Science and Geophysics. Co-author of the "SkimBad" anti-malware framework. Found several vulnerabilities in very popular software and firmware, including Microsoft, Qualcomm, Samsung, HTC, Verizon.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Ken Westin - Confessions of a Professional Cyber Stalker

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Ken-Westin-Confessions-of-a-Cyberstalker.pdf

Confessions of a Professional Cyber Stalker
Ken Westin, Sr. Security Analyst with Tripwire Inc.

For several years I developed and utilized various technologies and methods to track criminals, leading to at least two dozen convictions. In the process of recovering stolen devices, larger crimes would be uncovered, including drugs, theft rings, stolen cars, even a violent carjacking. Much of the evidence in these cases would be collected by the stolen devices themselves, such as network information and photos captured from laptops and cell phones, but oftentimes there was additional data that would need to be gathered for a conviction. In this presentation I will walk through actual cases and discuss in depth the technologies used and additional processes I went through utilizing open source data and other methods to target criminals. I will also discuss how these same tools and methods can be used against the innocent, and steps users and developers can take to better protect privacy.

Here are a few examples of cases I worked on which I will reveal details of in this presentation:
- How a theft ring targeting Portland, Oregon schools was unveiled, leading to multiple convictions
- How I tracked and recovered $9K worth of stolen camera equipment, sold multiple times a year after it was stolen, based on data extracted from images online
- How mobile phones stolen from a wireless store were tracked, leading to the arrest of a theft ring, the conviction of six people and the recovery of a stolen car
- Embedding of a custom designed trojan for thermal imaging devices for theft tracking and export controls
- Tracking of a stolen flash drive to a university computer lab and correlation of security camera and student access ID cards
- Tracking a stolen laptop across state lines and how I gathered mountains of evidence in another theft ring case
- Several other cases….

Ken is a security analyst and "creative technologist" with 15 years' experience building and breaking things through the use/misuse of technology. His technology exploits and endeavors have been featured in Forbes, Good Morning America, Dateline, the New York Times and others. He has worked with law enforcement and journalists utilizing various technologies to unveil organized crime rings, recover stolen cars, even a carjacking, amongst other crimes.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Colin O'Flynn - Don't Whisper my Chips: Sidechannel and Glitching for Fun and Profit

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Colin-O%27Flynn-Dont-Whisper-My-Chips.pdf

Don't Whisper my Chips: Sidechannel and Glitching for Fun and Profit
Colin O'Flynn, Dalhousie University

If you thought the security practices of regular software were bad, just wait until you start learning about the security of embedded hardware systems. Recent open-source hardware tools have made this field accessible to a wider range of researchers, and this presentation will show you how to perform these attacks for equipment costing $200. Attacks against a variety of real systems will be presented: AES-256 bootloaders, internet of things devices, hardware crypto tokens, and more. All of the attacks can be replicated by the attendees, using either their own tools if so equipped (such as oscilloscopes and pulse generators), the open-hardware ChipWhisperer-Lite, or an FPGA board of their own design. The hands-on nature of this talk is designed to introduce you to the field, and give you the confidence to pick up some online tutorials or books and work through them. Even if you've never tried hardware hacking before, the availability of open-source hardware makes it possible to follow published tutorials and learn all about side-channel power analysis and glitching attacks for yourself.

Colin O'Flynn has been working with security on embedded systems for several years. He has designed the open-source ChipWhisperer project, which won 2nd place in the 2014 Hackaday Prize, and developed an even lower-cost version called the ChipWhisperer-Lite, which was the focus of a Kickstarter in 2015. Twitter: @colinoflynn

DEF CON 23 [Audio] Speeches from the Hacker Convention
Panel - WhyMI so Sexy? WMI Attacks, Real-Time Defense, and Advanced Forensic Analysis

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Ballenthin-Graeber-Teodorescu-WMI-Attacks-Defense-Forensics.pdf

WhyMI so Sexy? WMI Attacks, Real-Time Defense, and Advanced Forensic Analysis
Matt Graeber, Reverse Engineer, FireEye Inc.
Willi Ballenthin, Reverse Engineer, FireEye Inc.
Claudiu Teodorescu, Reverse Engineer, FireEye Inc.

Windows Management Instrumentation (WMI) is a remote management framework that enables the collection of host information and the execution of code, and provides an eventing system that can respond to operating system events in real time. FireEye has recently seen a surge in attacker use of WMI to carry out objectives such as system reconnaissance, remote code execution, persistence, lateral movement, covert data storage, and VM detection. Defenders and forensic analysts have largely remained unaware of the value of WMI due to its relative obscurity and completely undocumented file format. After extensive reverse engineering, our team has documented the WMI repository file format in detail, developed libraries to parse it, and formed a methodology for finding evil in the repository. In this talk, we will take a deep dive into the architecture of WMI, reveal a case study in attacker use of WMI in the wild, describe WMI attack mitigation strategies, show how to mine its repository for forensic artifacts, and demonstrate how to detect attacker activity in real-time by tapping into the WMI eventing system. By the end of this talk, we will have convinced the audience that WMI is a valuable asset not just for system administrators and attackers, but equally so for defenders and forensic analysts.

Matt Graeber is a reverse engineer in the FireEye Labs Advanced Reverse Engineering (FLARE) team with a varied background in reverse engineering, red teaming, and offensive tool development. Since joining FireEye, Matt has reversed a vast quantity of targeted and commodity malware samples and served as an instructor of Mandiant's Advanced Malware Analysis course. Matt is the author of various PowerShell modules used for pentesting and reverse engineering, including PowerSploit and PowerShellArsenal. He has also been designated a Microsoft "Most Valuable Professional" in PowerShell. Twitter: @mattifestation

Willi Ballenthin is a reverse engineer in the FLARE team who specializes in incident response and computer forensics. He can typically be found investigating intrusions at Fortune 500 companies and enjoys reverse engineering malware, developing forensic techniques, and exploring the cutting edge. Willi is the author of a number of cross-platform Python libraries including python-registry, python-evtx, and INDXParse.py. Twitter: @williballenthin

Claudiu Teodorescu is a reverse engineer in the FLARE team. Prior to joining FireEye, Claudiu worked for Guidance Software, writing forensic parsers for different file formats to support the EnCase forensic tool. Also, as the Cryptographic Officer of the company, he supported EnCase integration with different disk/volume/file based encryption products including Bitlocker, McAfee EEPC, Checkpoint FDE, Symantec EEPC, etc.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Patrick Wardle - 'DLL Hijacking' on OS X? #@%& Yeah!

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Patrick-Wardle-DLL-Hijacking-on-OSX-UPDATED.pdf

'DLL Hijacking' on OS X? #@%& Yeah!
Patrick Wardle, Director of R&D, Synack

Remember DLL hijacking on Windows? Well, turns out that OS X is fundamentally vulnerable to a similar attack (independent of the user's environment). By abusing various 'features' and undocumented aspects of OS X's dynamic loader, this talk will reveal how attackers need only plant specially-crafted dynamic libraries to have their malicious code automatically loaded into vulnerable applications. Through this attack, adversaries can perform a wide range of malicious actions, including stealthy persistence, process injection, security software circumvention, and even 'remote' infection. So come watch as applications fall, Gatekeeper crumbles (allowing downloaded unsigned code to execute), and 'hijacker malware' arises - capable of bypassing all top security and anti-virus products! And since "sharing is caring", leave with code and tools that can automatically uncover vulnerable binaries, generate compatible hijacker libraries, or detect if you've been hijacked.

Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes OS X security tools. Both can be found on his website Objective-See.com

DEF CON 23 [Audio] Speeches from the Hacker Convention
Andres Blanco & Andres Gazzoli - 80211 Massive Monitoring

Oct 21, 2015


Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Andres-Blanco-802.11-Massive-Monitoring-UPDATED.pdf

802.11 Massive Monitoring
Andres Blanco, Sr. Researcher, Core Security
Andres Gazzoli, Sr. Developer, Core Security

Wireless traffic analysis has been commonplace for quite a while now, frequently used in penetration testing and various areas of research. But what happens when channel hopping just doesn't cut it anymore -- can we monitor all 802.11 channels? In this presentation we describe the analysis, different approaches and the development of a system to monitor and inject frames using routers running OpenWRT as wireless workers. At the end of this presentation we will release the tool we used to solve this problem.

Andrés Blanco is a researcher at CoreLabs, the research arm of Core Security. His research is mainly focused on wireless, network security and privacy. He has presented at Black Hat USA Arsenal, Hacklu and Ekoparty, and has published several security advisories. Twitter: @6e726d

Andrés Gazzoli works at Core Security and is part of the Core Impact Pro developer team. He is a C++ developer with extensive experience in UI development. He enjoys everything related to wireless technologies and privacy.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Tom Cross aka Decius & Collin Anderson - Do Export Controls on “Intrusion Software” Threaten Vulnerability Research?

Oct 21, 2015

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Collin-Anderson-Tom-Cross-Export-Controls-on-Intrusion-Software.pdf

Do Export Controls on “Intrusion Software” Threaten Vulnerability Research?
Tom Cross aka Decius, CTO, Drawbridge Networks
Collin Anderson, Independent Researcher

At the end of 2013, an international export control regime known as the Wassenaar Arrangement was updated to include controls on technology related to “Intrusion Software" and “IP Network Surveillance Systems." Earlier this year, the US Government announced a draft interpretation of these new controls, which has kicked off a firestorm of controversy within the information security community. Questions abound regarding what the exact scope of the proposed rules is, and what impact the rules might have on security researchers. Is it now illegal to share exploit code across borders, or to disclose a vulnerability to a software vendor in another country? Can export controls really keep surveillance technology developed in the west out of the hands of repressive regimes? This presentation will provide a deep dive on the text of the new controls and discuss what they are meant to cover, how the US Government has indicated that it may interpret them, and what those interpretations potentially mean for computer security researchers, and for the Internet as a whole.

Tom Cross is the CTO of Drawbridge Networks. He is credited with discovering a number of critical security vulnerabilities in enterprise class software and has written papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. Tom was previously Director of Security Research at Lancope, and Manager of the IBM Internet Security Systems X-Force Advanced Research team. He has spoken at numerous security conferences, including DEF CON, Blackhat Briefings, CyCon, HOPE, Source Boston, FIRST, and Security B-Sides. Twitter: @_decius_

Collin Anderson is a Washington D.C.-based researcher focused on measurement and control of the Internet, including network ownership and access restrictions, with an emphasis on countries that restrict the free flow of information. Through open research and cross-organizational collaboration, these efforts have included monitoring the international sale of surveillance equipment, identifying consumer harm in disputes between core network operators, exploring alternative means of communications that bypass normal channels of control, and applying big data to shed new light on increasingly sophisticated restrictions by repressive governments. These involvements extend into the role of public policy toward promoting online expression and accountability, including regulation of the sale of surveillance technologies and reduction of online barriers to the public of countries under sanctions restrictions. Twitter: @cda

DEF CON 23 [Audio] Speeches from the Hacker Convention
Christian (@xntrik) Frichot - Hooked Browser Meshed-Networks with WebRTC and BeEF

Oct 21, 2015

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-xntrik-Hooked-Browser-Meshed-Networks-with-webRTC-and-BeEF.pdf

Hooked Browser Meshed-Networks with WebRTC and BeEF
Christian (@xntrik) Frichot, Principal Security Consultant at Asterisk Information Security

One of the biggest issues with BeEF is that each hooked browser has to talk to your BeEF server. To try and avoid detection, you often want to try and obfuscate or hide your browsers, particularly if you're heavily targeting a single organization. Don’t worry Internet-friends, those crazy pioneers at Google, Mozilla and Opera have solved this problem for you with the introduction of Web Real-Time Communications (WebRTC). Initially designed to allow browsers to stream multimedia to each other, the spec has made its way into most Chrome and Firefox browsers, not to mention it’s enabled by default. Using this bleeding-edge web technology, we can now mesh all those hooked browsers, funnelling all your BeEF comms through a single sacrificial beach-head. Leveraging WebRTC technologies (such as STUN/TURN and even the fact the RTC-enabled browsers on local subnets can simply UDP each other), meshing browsers together can really throw a spanner into an incident-responder's work. The possibilities for a browser-attacker are fairly endless, channeling comms through a single browser, or, making all the browsers communicate with each other in round-robin. This is just another tool tucked into your belt to try and initiate and maintain control over browsers. This presentation will present a background into WebRTC, and then demonstrate the WebRTC BeEF extension. (Bloody JavaScript...)

Christian is an Australian security professional and founder of Asterisk Information Security based in Perth. He is one of the co-authors of the recently published Browser Hacker’s Handbook (by Wiley), and long-term code-funkerer of the BeEF project. When not performing application security or penetration testing gigs, Christian spends his time either ranting about appsec or pining to get behind his drumkit. He has a deep love/hate relationship with web browsers and JavaScript. Christian has presented at numerous Australian security conferences, including OWASP AppSec APAC, the Australian Information Security Association's Perth Con, ISACA's Perth Con, OWASP Melbourne, and Ruxmon. In addition, Christian was fortunate to present at Kiwicon 8 in New Zealand at the end of 2014. Projects that Christian has been involved with include BeEF, OWASP's SAMM Self Assessment Tool, Prenus (the pretty Nessus thing), Burpdot (graphing connectivity between URLs from Burp), and the Devise Google Authenticator extension. Christian has been blogging on un-excogitate.org and labs.asteriskinfosec.com.au for ages now, and is often found on twitter (@xntrik) raging about various security topics. Twitter: @xntrik

DEF CON 23 [Audio] Speeches from the Hacker Convention
Ionut Popescu - NetRipper - Smart traffic sniffing for penetration testers

Oct 21, 2015

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Ionut-Popescu-NetRipper.pdf
Whitepaper Here: DEFCON-23-Ionut-Popescu-NetRipper-WP.pdf

NetRipper - Smart traffic sniffing for penetration testers
Ionut Popescu, Senior Security Consultant at KPMG Romania

The post-exploitation activities in a penetration test can be challenging if the tester has low privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

Ionut works as a Senior Security Consultant at KPMG in Romania. He is passionate about ASM, reverse engineering, shellcode and exploit development and he has an MCTS Windows Internals certification. He spoke at various security conferences in Romania like Defcamp, OWASP local meetings and others, and also at the yearly Hacknet KPMG international conference in Helsinki and Berlin. Ionut is also the main administrator of the biggest Romanian IT security community, rstforums.com, and he writes technical articles on a blog initiated by a passionate team: securitycafe.ro. Twitter: @NytroRST

DEF CON 23 [Audio] Speeches from the Hacker Convention
David An - When the Secretary of State says Please Stop Hacking Us

Oct 21, 2015

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-David-An-When-the-Secretary-of-State-says-Stop-Hacking-us.pdf

When the Secretary of State says: “Please Stop Hacking Us…”
David An, Former U.S. State Department

Senior American officials routinely hold dialogues with foreign officials to discuss cyber espionage. However, if a cyber attack can be performed through proxy servers jumping several countries before reaching the U.S., then can anyone ever be sure of who is really behind the attack? Yet we often see newspaper headlines clearly identifying that one country is hacking another country through state-sponsored, cyber criminal, or hacktivist means. Even if government cyber analysts with TS/SCI security clearances have high confidence in the identity of an attacker based on forensics and human intelligence, what are the challenges in effectively addressing the topic in a diplomatic or military dialogue with the attacker country? Two major roadblocks in cyber diplomacy are the "attribution problem," and the related "disclosure dilemma." If there is indeed an attribution problem--when a country cannot be sure which other state is hacking it because a third country could be using it as a proxy--then a country could never accuse other countries of state-sponsored cyber attacks. Yet, countries routinely accuse others of cyber attacks, the public sees this in newspapers almost every day, and it is often an important topic in bilateral dialogues. Furthermore, the disclosure dilemma occurs when a country has both incentives and disincentives to disclose details on how it was hacked. On one hand, evidence will prove its case, but on the other hand, evidence will make the attacker more savvy and careful not to repeat the same mistakes next time. Disclosure could create a stronger adversary. These are major concerns in the practice of cyber diplomacy today. My presentation identifies how government-to-government cyber diplomacy works, examines the attribution problem and disclosure dilemma more fully, and shows how the U.S. approaches this topic differently with partners versus potential adversaries. This is not a technical presentation, but rather it is a policy presentation on cyber diplomacy drawing from political science and my diplomatic experience.

David was a tenured U.S. diplomat before leaving the U.S. government to consult for the private sector, and to write policy and academic papers. At the State Department, he was the senior political-military affairs officer covering the East Asia region and his responsibilities included coordinating diplomatic dialogues, formulating plans with the Pentagon, notifying Congress of U.S. arms sales, writing the Secretary of State’s talking points, and traveling overseas with the Secretary of State and Secretary of Defense for bilateral dialogues. His other assignments included the U.S. embassies in Beijing, Tokyo, Wellington; U.S. consulates in Sydney and Perth; American Institute in Taiwan; and U.S. Pacific Command. He completed his B.A. at UC Berkeley; M.A. in international affairs and business management, and political science Ph.D. courses at UC San Diego. Obligatory disclaimer: The comments are his own, and do not represent the U.S. government. Since Jeff Moss famously said in 2013: “Feds, we need some time apart,” David emphasizes that he is no longer a fed.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Jeremy Dorrough - USB Attack to Decrypt Wi-Fi Communications

Oct 21, 2015

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Jeremy-Dorrough-USB-Attack-to-Decrypt-Wi-Fi-Communications.pdf

USB Attack to Decrypt Wi-Fi Communications
Jeremy Dorrough, Senior Network Security Architect / Genworth Financial

The term “Bad USB” has gotten some much needed press in the last few months. There have been talks that have identified the risks that are caused by the inherent trust between the OS and any device attached by USB. I found in my research that most of the available payloads for the USB rubber ducky would be stopped by common enterprise security solutions. I then set out to create a new exploit that would force the victim to trust my Man-In-The-Middle access point. After my payload is deployed, all Wi-Fi communications will be readable, including usernames, passwords and authentication cookies. The attack will work without the need of elevating privileges, which makes it ideal for corporate environments.

Jeremy has built his career around protecting assets in the most critical IT sectors. He started his career working in a Network Operations Security Center for the US Army. He then went on to work as a Network Security Engineer defending Dominion’s North Anna Nuclear Power Station. He is currently a Senior Network Security Engineer/Architect at Genworth Financial. He is an MBA, CISSP, CEH, GIAC GPPA, CSA CCSK, ABCDEFG… Blah Blah Blah. Jeremy has spent over 10 years researching and implementing new ways to defend against the latest attacks. He enjoys creating new exploits and feels it makes him a more well-rounded defensive Security Engineer. He is happily married and a father to two soon-to-be hackers. When he’s not staring at a command prompt, he is busy building and driving demolition derby cars. Twitter: @jdorrough1

DEF CON 23 [Audio] Speeches from the Hacker Convention
Ricky "HeadlessZeke" Lawshae - Let's Talk About SOAP, Baby. Let's Talk About UPNP

Oct 21, 2015

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Rickey-Lawshae-Lets-Talk-About-SOAP.pdf
Extras here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Rickey-Lawshae-Extras.rar

Let's Talk About SOAP, Baby. Let's Talk About UPNP
Ricky "HeadlessZeke" Lawshae, Security Researcher, HP TippingPoint

Whether we want it to be or not, the Internet of Things is upon us. Network interfaces are the racing stripes of today's consumer device market. And if you put a network interface on a device, you have to make it do something right? That's where a Simple Object Access Protocol (SOAP) service comes in. SOAP services are designed with ease-of-access in mind, many times at the expense of security. Ludicrous amounts of control over device functionality, just about every category of vulnerability you can think of, and an all-around lack of good security practice about sums it up. In this talk, I will discuss this growing attack surface, demonstrate different methods for attacking/fuzzing it, and provide plenty of examples of the many dangers of insecure SOAP/UPnP interfaces on embedded and "smart" devices along the way.

Ricky "HeadlessZeke" Lawshae is a Security Researcher for DVLabs at HP TippingPoint with a medium-sized number of years' experience in professionally voiding warranties. He has spoken at the DEF CON, Recon, Insomni'hack, and Ruxcon security conferences, and is an active participant in the extensive Austin, TX hacker community. In his meager spare time, he enjoys picking locks, reading comic books, and drinking expensive beers. Twitter: @HeadlessZeke

DEF CON 23 [Audio] Speeches from the Hacker Convention
Philip Young & Chad "Bigendian Smalls” Rikansrud - Security Necromancy: Further Adventures in Mainframe Hacking

Oct 21, 2015

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Phil-Young-Chad-Rikansrud-Security-Necromancy-Further-Adventures-in-Mainframe-Hacking.pdf
Extras: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Phil-Young-Chad-Rikansrud-Extras.rar

Security Necromancy: Further Adventures in Mainframe Hacking
Philip Young aka Soldier of Fortran, Chief Mainframe Hacker
Chad "Bigendian Smalls” Rikansrud, President of Mainframe Hacking

You thought they were dead didn't you? You thought "I haven't seen a mainframe since the 90s, no one uses those anymore." Well you're wrong. Dead wrong. If you flew or drove to DEF CON your information was hitting a mainframe. Did you use credit or cash at the hotel? Doesn't matter, still a mainframe. Did you pay taxes, or perhaps call 911? What about going to the doctor? All using mainframes. At multiple points throughout the day, even if you don't do anything, your data is going through some mainframe, somewhere. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large. So why is no one talking about them? SoF & Bigendian Smalls, aka 'the insane chown posse', will dazzle and amaze with feats of hackery never before seen on the mainframe. From fully breaking network job entry (NJE) and their concept of trusted nodes, to showing you what happens when you design security in the 80s and never update your frameworks. We'll demonstrate that, yes Charlie Brown, you can in fact overflow a buffer on the mainframe. New tools will be released! Things like SET'n'3270 (SET, but for mainframes!) and VTAM walker (profiling VTAM applications). Updates to current tools will be released (nmap scripts galore!), everything from accurate version profiling to application ID brute forcing and beyond. You'll also learn how to navigate IBM so you can get access to your very own mainframe and help continue the research that we've started! All of your paychecks rely on mainframes in one form or another, so maybe we should be talking about it.

Soldier of Fortran: Protect ya REXX! Soldier of Fortran has an unhealthy relationship with mainframes. Being a hacker from way back in the day (BBS and X.25 networks) he was always enamored by the idea of hacking mainframes. Always too expensive and mysterious, he settled on hacking Windows and Linux machines. However, despite not having his own he conducted numerous security engagements against mainframes, slowly developing his skills, until 2010 when he finally got his very own. Not having to worry about system uptime or affecting users he dove in head first and was surprised by what he found. Ever since he has been telling anyone who will listen to him the importance of mainframe security, hacking and research. He’s spoken both domestically and internationally on the topic, been a guest speaker at multiple conferences, developed tools for mainframe penetration testing and has even keynoted at large mainframe conferences about this topic.

Bigendian Smalls: BS ain't no chump, takin' apart everything as a child just to see how it works invariably led him to security. From BBSin' back in the day to placing second in the network forensics challenge last year he knows what he's doing. At work and at home he does vulnerability research, forensics and disassembly of all things both on hardware and software. Knowing no system is secure and seeing how closed the source, community and information around the mainframe is, he got worried. Worried that the code was as secure as they said it was. Worried that because no one is looking, developers are getting away with murder. Sure, IBM says they got their shit together, but then again so does Oracle, Cisco, FireEye, etc. Having worked on mainframes for more than a decade he knows how frustrating this is. With books from the 80s and forum posts from the 90s being of very little value, he aims to help drive the future of mainframe security research.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Miaubiz - Put on your tinfo_t hat if you're my type

Oct 21, 2015

Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Miaubiz-Put-on-Your-Tinfo_t-Hat.pdf

Put on your tinfo_t hat if you're my type
miaubiz, Senior Dr. at Azimuth Security

The IDA Pro APIs for interacting with type information are full of opportunities (horrible problems). I will show you how to create unparseable types, how to apply these types to functions and variables and how to transfer these types from one IDB to another.

miaubiz is a senior doctor of security at Azimuth Security. he has previously found bugs in web browsers and has spoken at SyScan, Infiltrate, T2. his interests are bad APIs and sniffing ARMpits.