You are on page 1of 35

Rise of

CONTENTS The DEF CON NOC once again brings you the interwebz
DEF CON is possible because of all possible. If you didnt see everything Welcome 2
throughout the Paris and Ballys convention center
the Machines the hard work of over a thousand
people, including the DEF CON goons,
you wanted to, just wait and it will
be released a few months after the
Network/DCTV 3 areas as well as DC TV to the convenience of your
hotel rooms.
speakers, contest organizers, villages, conference. The Badge 4
If you want to connect, remember there are two (and
demo labs, workshops, artists, hotel There is an overwhelming amount to Suites, Swag, & 5 only two) official ESSIDs you should use to access
the intertubes:
staff, and unions. Each working on do at con, and even I only see a small
Media Server
their piece of the puzzle that comes fraction of it. Thats ok. It is a reflection Contests 6-10 The encrypted one with 802.1x authentication and
together once a year, this weekend, digital certificate verification (DefCon) and the
of the hacking spirit and so many Capture the Flag 11 unencrypted, wild-west of the wireless networks
and it will be our largest ever. of the interests it represents. I just (DefCon-Open). Please choose wisely.
Want to see the future of security? encourage you all to make new friends, Rootz Asylum 12-13
And yes, talking about the Wi-Fiz: there are still
Go check out the DARPA Cyber learn something new, and recharge Movie Night 14 some devices out there that really do not like
802.1x with PEAP authentication. In particular,
Grand Challenge Thursday evening yourself. some Android platforms will not verify the RADIUS
Events 15-16
from 5pm to 8pm on the Paris side Finally DEF CON is a hacker con, not server certificate prior to sending the users
and watch amazing visuals and play DARPA CGC 17 credentials to enter the network. This is a bad
an InfoSec conference. I bring this thing.
by play announcing of what the super up because there is a difference, one Entertainment 18
computers are up to. is more focused on joy of discovery,
Choosing for the device to not verify server
Hacker Jeopardy 19 certificate will probably let that device to
To accommodate this ground breaking irreverence, novel, if impractical connect to a rogue access point with a rogue radius
server (or alike) behind it and this will allow
event we had to rearrange the approaches. The other is more focused Villages & Village 20-26
the attacker to see your credentials. This is also
Talks
floor plan from last year, and on enterprise solutions, frameworks, a bad thing.
go from 5 to 4 tracks of and concerns large companies may Skytalks 27
So, regardless of this issue, do not choose
speaking. We have tried to have. DEF CON takes no sponsorships Workshops 28 credentials (aka: username and password) used for
compensate for that by and seeks to remain independent with your important stuffz, like shopping sites, online-
banking, the pornz, your windows domains (yeah, it
adding more villages talks, all of our revenue from badge and Demo Labs 29-31
happened before) and stuff.
workshops, and demo labs. swag sales. There is great value in the DEF CON Groups 33
For updated information and instructions on how to
Next year will will be back to different types of conferences, and if connect to the Wi-Fi with the n0t-s0-1337 Operating
Presentations 32-56
full speaking track power. this con doesnt feel like others it is Systems along with the digital certificate to be
For the past few years we have by design. I hope that by staying true CFP Review Board 41 used, visit https://wifireg.defcon.org. If you
dont know how to properly configure the Wi-Fiz on
been trying to record as much to our hacker roots everyone has a your b3r-1337 linux distro, you should consider a
Book Signings 56
content as possible and that trend memorable time! new platform.
Vendors 57-61
will continue this year with more For other NOC updates visit https://www.
defconnetworking.org and also follow us on the
villages being recorded. Weve Thank you, Schedule 62-65
twitterz @DEFCON_NOC
been working hard behind the Map 66
scenes so these villages talks The Dark Tangent DEF CON TV
are released to the public along Shout outs! 67
Nurse your hangover comfortably watching the
with our speeches. While some presentations in your hotel room.
conferences have no recordings DC TV brings the DEF CON talks to you. Turn on
I want to preserve and share the TV, grab your favorite beverage of choice and
the knowledge as much as aspirin and dont forget to shower.

http://dctv.defcon.org is the spot for all your


2 channel info needs. 3
The DEF CON Media server is back again!
Welcome to DEF CON 24. If youre new to the conference you may
be wondering what some of the theatre of entropy is that is being D C 8 01 - S u i t e s - S at u r d ay - 9 P M https://10.0.0.16/ or https://dc24-
performed all around you. A part of that is the cryptographic puzzle Were baaaaack!! Yeah, we know, even were surprised. media.defcon.org/
challenge, most often referred to as the badge challenge. The focal If you visited the suite last year, you know what
point of the contest being the 1o57 room (you can find it on the youre in for. Well be playing music, having drinks, Browse and leech files from all the past
and providing a space for you to meet other great DEF CON conferences as well as a large
map in this program), a room where individuals and teams associate collection of other hacking cons. We
hackers from all over DEF CON. Well have terrible
with each other, and those interested in the games. As the quest is are including the infocon.org mirror so
robots fighting other terrible robots. Well watch
multi-faceted, there are mini sub-puzzles scattered throughout the ridiculous hacker movies and mock them RiffTrax there is a lot more this year than last.
DEF CON festivities, some are tradition, some are trivial to solve, and style. The ball pit might might make an appearance,
others, well it is a black badge contest that earns the victors free entry because were giant children. And of course well be We expect you to leech at full speed,
into DEF CON for life (not to mention bragging rights!) Still confused? hacking on this years DC801 badge in a suite run by and the server is warmed up and ready to
an ape and an inflatable sheep. See you there! Follow go.
Stop by my 101 talk.
us at @dc801 on the twitter place for updates.
Speaking of badges, this year was less of a dev board, and more a Certificate thumbprint:
07C2B1EFA1EAA2477A0E14E507EBA68858F5DB82
design to put the processor in your hands. x86 compatible, the
chip is great fun, x86 ! I hope to see experimentation after DC503 Suite
the conference is over. More will be revealed after the
DC503 had so much fun with last years 503 Party
conference, as many of the badge secrets are part of the that were expanding to the whole week. The 503
contest. party will be the headline event Friday night at 8,
Meet some new people, try your hand at some of the but well also be sharing the space with TiaraCon
and several lower-key events over the course of
puzzles, and have a good time. the weekend, including showing off some very
-1o57 Portland electronic art and projects. Check out
the full and updated schedule at http://503.party.
TiaraCon - Thursday - 8PM - in the DC503 Suite.
Women in #infosec - Our Time is Now! http://www.
tiaracon.org/ Twitter: @tiarac0n for more info.
Post registration, head across the
hall to Champagne 1 and pick up some
DefDefCon Suite sexy new DEF CON 24 Swag!

Hax. Aint nothing wrong with that. Counter Its the only place to pick up
hax this can be fun though. This would just official DEF CON merchandise!
be a friendly space for people to hack on and
play with mitigations layout randomizers, Open for your convenience:
control flow guards, type systems, langsec, etc.
And hey, well probably have a party or two. Thur: 0600-1800
Fri: 0800-1800
Sat: 0800-1800
Sun 0900-1600,
W HI S K E Y P IR AT E S S UI T E
Need a chill space for hacking hardware/software? Cash only, no refunds.
Want to play games on full-sized arcade machines?
Have a cool project that you want to show people?
Need to call home from a real life payphone?
Feel like watching a robot play Mario? Want to
look at silicon wafers under a big ol microscope?
Well stop by, have a drink and hang out.
Follow us @WhiskeyHackers and check
http://whiskeypirates.com for updates.

4 5
more about the game and how to play, really try this time instead of goofing - Challenges range from exploiting finding bosses hidden throughout the helpers, then shove the resulting chaos Contest hours (PDT) Friday August The DEF CON community is one big,
and check out our site at tinyurl.com/ off and just finish our homework, we common vulnerabilities such as SQL conference. Be sure to keep an eye out incarnate onto a stage? You get the 5, 2016 10am 6pm, Saturday August highly dysfunctional, family and the Scav
0x 2 0 t h A nni v e r s a r y C o r e z2uh8m2 can wash away a few of our regrets. Injection and Cross-Site Scripting (XSS) for one very rare relic! contest known as Crash and Compile. 6, 2016 10am 6pm, Sunday August 7, Hunt celebrates that kinship. Over
This year will see a return of the to more advanced cryptanalysis and 2016 10am 12:00pm. the last year, we have been coming up
Wa r build-a-contraption two tiered format. cipher cracking tests.
New to cryptocurrencies? No Do you think you can code? Do you
with items and actions to engage your
DEFCOIN to play with? Not a problem! think you can code while drinking? We
skills in social engineering, technical
BDYHAX Wearables Encourages friendly competition with Just come visit our booth in the contest are looking for nine teams who think
discovery, dumpster diving, and
H a c k in g C o n t e s t
real-time scoring and reporting: area and we can help get you started. they have the smarts, the concentration, D e f C o n D a r k Ne t p r o je c t perversion.
and the liver to hold up to our gauntlet
- Each challenge/vulnerability has a title, Friday and Saturday, 10am - 6pm, Sunday,
of programming. Teams who can not In order to play, you must register a
point value (10 to 1000) and difficulty 10am - noon in he Contest Area
only code, but do so with style. We set team, at our table, in the contest area;
rating.
you against the clock and the other your team must not exceed five (5)
- Discovered vulnerabilities are teams. And because they think watching members. Each team will receive a list
automatically updated on the Counterfeit Badge people simply code is boring, our with items and their respective point
scoreboard Team Distraction is has taken it upon values. It is up to your team to turn
Contest themselves to be creative in hindering in as many points as possible before
Individual report cards provide a you from programming, much to the Sunday morning when we close the
summary of user activity Its a race against time and competitors
to create the most precise counterfeit enjoyment of the audience. table. For an idea of what the list will be
Ideal for all skill levels: badge and use it to deceive, infiltrate, like, we suggest looking at the previous
Qualifications take place Friday at
and persist! This contest combines lists that are posted on DEF CON
- Got a question? Security Innovation 11am in the contest area. Teams of one Our mission is to secure a safe,
counterfeiting skills with social scavhunt.com.
CoreWar, the ultimate programming Ninjas are readily available to assist or two people. Be ready to code, as independent and self-sustaining
game, is a game in which two or more Contestants can choose to bring a engineering talents. Entrants will this wont be easy. The top nine teams community free from intrusion and Recently, we went dumpster diving and
programs written in an assembly contraption and participate in the - Need help? Grab a cheat sheet to construct a fake badge and perform who showed themselves ostentatious found some nifty looking machines;
infiltration by those who would enslave
language called Redcode battle it out unlimited class or build one at the learn basic attacks or buy hints to social engineering tasks of varying enough to take on our challenge will unfortunately, when we plugged them
us to their own ends. Our adversaries
to be the ruler of a virtual systems The rules for the BDYHAX Wearables convention and compete in the hacked overcome difficult challenges difficulty faster than other competitors compete on the Contest Stage Saturday in, they seem to have nuked our scoring
are many and they grow ever more
memory (called core because, Hacking Contest are simple. class. With *wonderful* prizes to to gain points.You can play this at 5pm. mechanism. Help us find the source,
Interactive and fun: sophisticated spying on us through
originally, it was made up of inductors the winners and the adulation of our game solo or with teammates. The our information streams and controlling bring us a functional geiger counter and
1) Make a commercial wearable do
wound around ferrite cores). The game hydrated fans, who wouldnt want to - As vulnerabilities are found, the winning team will win a black badge us through the messages we are turn in item 12. Teams will fall out of
something it isnt intended to do.
was invented in 1984, 32 (0x20) years compete? Guaranteed to be a blast Web site alerts the user with a popup from Arrakis himself! See http:// subjected to wherever we go. We must contention if they dont act quickly, the
ago, so this is an especially fitting year 2) Bring and show us your project at or your regrets back! For full rules, message and a fun sound badgecontest.info for details and rules. C y b e r Nin j a R a n g e resist. If you join us, you will be sent points decay over time.
for the first ever DEF CON CoreWar DEF CON Biohacking Village between location, and unlimited class sign-up on quests to improve your current
- Easter Eggs hidden throughout the Friday and Saturday, 10am - 6pm, To appease our new ai overlords,
competition. Noon and 4pm Friday or Saturday. please find us on the DEF CON forums. technical knowledge.Youll meet others
sites keep participants enticed and Sunday, 10am - noon we suggest tuning your television to
For those who have never competed 3) Give us a writeup that describes engaged like you and will learn from each other channel 13 in the contest area for
in a Core War before, I (or another what the wearable normally does and and grow stronger. Hidden messages important information.
Friday and Saturday, 10am - 6pm in the you would never have noticed and
volunteer) will be available to teach the describes what you have made it do. C MD + C T R L H a c k at h o n Contest Area C r a s h a nd C o mp il e accomplishments you would never have
REDCODE language and basic game 4) Our judges will choose the top 3
tactics, so you wont start out 32 years achieved alone will be yours to discover.
projects and will announce them on The Cyber Ninja Range is the ultimate You know that you have what it takes D r u nk H a c k e r Hi s t o r y
behind the times. There will be separate Twitter on Saturday night.
virtual arenas set up for beginners, C o ind r o id s DEF CON challenge for both novice to join us.Youll rise through the ranks
Back by popular
intermediate players, and Core War The top three projects will receive and advanced hackers. Once seated as you go and get your chance to take
The Security Innovation CMD+CTRL on the man running the show by using demand, the
veterans, so dont worry about your bodyhacking prize packs, including Core at The Range, participants will need
Hackathon simulates real-world all of the knowledge that you have contest that
level of experience. Also, if John Metcalf passes to BDYHAX, uBiome gut kits, to enter the mindset of an offensive
ecommerce, HR, and banking websites, acquired. isnt, will debut a
attends, he gets his own arena ;) and more to be announced. hacker to complete tasks such as
where users are immersed in a find completely new
owning a box, cracking a password,
Throughout the competition various the vulnerabilities game where visual format for
planting a file on a machine, and
hills will be used, but all will be available they quickly learn and apply hacking The year is 20X5 and humanity has DEF CON 24.
more. Each task completed will earn
ONLY to DEF CON attendees (over B e v e r a g e C hil l in g techniques in a safe environment. fallen: now there are only Coindroids. you points to compete for awesome D e f c o n S c av e n g e r H u n t Last year proved
the LAN or by giving me USB sticks The machines we designed to manage to the planet that
Contraption Contest SecureNinja prizes.
with your warrior in person). To brush - Shred Skateboard and Graffiti Shop, our finances have supplanted and in the game of
up on your skills, or to begin learning In this year, much like every year, the HR Account All Website, and Shadow destroyed the human race by turning The Cyber Ninja Range is designed to glittery nostalgic
from scratch, check out the global beverage is warm. Maybe we have Bank include functionality like add items our own economy against us. Now they hone your skills in cybersecurity by recall, there are
leaderboards at koth.org and the a problem, maybe its how we were to your cart, make a purchase, transfer battle each other in the ruins of our teaching you to better understand the no losers and those who won, lost. The
money, apply for a loan, view pay stubs, What happens when you take an ACM attempts that hackers may make to gain DEF CON community has a history of
learning material at corewar.co.uk raised. I blame our parents. Regardless fallen cities, driven by a single directive:
and request time off. style programming contest, smash access. Learn from our cybersecurity sorts. It is a history filled with mephitic
of our paternal compunctions the money is power. Defcon 24 marks the 19th DEF CON
Official Core Wars will run from noon it head long into a drinking game, pros, your peers, and our machines adventures, quarter-truths, poor life
beverage needs to be cooler then - 160+ vulnerabilities that cover 15 Battle your way to the top of the throw in a mix of our most distracting Scavenger Hunt, the longest consecutive
to 3pm on Friday and Saturday. Come to indulge in a fun and educational choices and angry hotel staff. This year,
cool. Alright? Lets break out those classes of security defects including the leaderboard by attacking rival droids, running contest at Defcon.
around any time on either day to learn experience at DEF CON. we will scrape the thin crust off some
contraptions, dust off our science hats, OWASP Top Ten. upgrading your shiny metal ass and
and chill some fluids! And maybe, if we

6 7
of the most celebrated, exaggerated Example of difficult puzzle: perform attempting to solve a variety of hacking to win the second annual Mission SE interact in a one hour interactive class spotlight on the dangers of vishing, all For information see: http://www.social- DEF CON 24 Tamper-Evident Contest
and veisalgia moments in Hacker investigation of complicated attack challenges. As tasks are completed, Impossible! Runs Thursday only, and sign providing hands-on experience with in a 5x5 glass booth for your viewing engineer.org/social-engineer-village/ now in a King of the Hill format! Spend
History through the interpretation of scenario and explain all the steps of credits in our hackconomy are gained. ups are onsite. live traffic. enjoyment. as little or as much time as you want
a group of pre-selected participants. that attack (what is really happened). These can be used to purchase new and on defeating seals. Master the art of
For information see: http://www.social- Each year the SECTF grows in
Hosted by c7five & jaku - If you like updated effects to help your team or tampering and assert hacker dominance
80s candy, wonder bread sandwiches, hinder your opponents in both hacking
engineer.org/social-engineer-village/ popularity. It was the only contest S O H O p e l e s s ly B r o k e n one perfectly defeated seal at a
and have nothing else going on, you and TF2. S c he m av e r s e in DEF CON history to win a black
time. Only the strong survive! Open
badge in its first year, and every year
wont want to miss the return of Drunk
Friday, 10am - 9pm, Saturday, 10am C h a mp i o n s hip it continues to push the limits and
participation in the Tamper-Evident
Hacker History! Presented in DEF
- 7pm, Sunday, 10am - noon in the By t e P u z z l e s ( f o r me r ly challenge its participants. This year will
Village all weekend. Talk to the TEV staff
CON 4D and -- --- .-. ... . / -.-. --- -.. . to get started.
Contest Area Ne t w o r k F o r e n s i c s be no different, and the SEORG team
is planning an event that will be truly Contest begins in the Tamper Evident
Puzzle Contest) exciting for all! Village on Friday at 10:00. and ends
E F F B a d g e H a c k Pa g e a n t In t e l C T F What will be the twists and turns we
Sunday at 12:00 (Noon).
introduce this year? You will have to
IntelCTF is designed to immerse you The Schemaverse [skee-muh vurs] is a join us to check it out. Either way, you
into the world of threat intelligence by space battleground that lives inside a
creating real-world feeling counter- PostgreSQL database. Mine the hell out
will NOT be disappointed. T D F r a n c i s X-H o ur F il m
SOHOpelessly Broken, presented by
intelligence scenarios. Participants are of resources and build up your fleet of It runs Friday and Saturday in the
Independent Security Evaluators (ISE),
Contest @ DEF CON 24
Tasks/Puzzles can be attempted by briefed on their contract obligations ships, all while trying to protect your SEVillage from 9:30AM to 4:00pm in
contestants as they examine pre- room: . Dont miss it. is back at DEF CON (located in the This could be
and the objectives of their mission. home planet. Once youre ready, head
configured Virtual Machines, log files, IoT Village) for our third year! We the opportunity
Intelligence points (flags) will be out and conquer the map from other The SECTF Scoreboard is: http://www.
disk drive dumps and so on. have expanded the contest to not only thats kicking
submitted to the scoring engine which Ann Dercover is at it again! Youre DEF CON rivals. social-engineer.org/se-ctf-scoreboard/
EFF is proud to present our second include SOHO routers, but other types open the
Forensics CTF lasts 2 days. will track team progress and provide hot on her trail as she travels around
annual Badge Hack Pageant (1337 skills This unique game gives you direct of IoT devices such as network storage door to your
feedback on your mission status.Your the globe hacking systems, stealing For information see: http://www.social-
required, swimsuit optional). Bring At the end of the last day detailed access to the database that governs systems, cameras, and IP enabled toys! filmmaking
team wins by completing the missions intellectual property, launching engineer.org/social-engineer-village/
out your sweetest hacks and sickest answers for all tasks/puzzles will be the rules. Write SQL queries directly greatness
objectives (submitting all the flags) and 0-day attacks and setting up sneaky Track 0: The Zero-Day track is focused
mods in a no-holds-barred battle for published and the winner/-s will be by connecting with any supported
identifying your primary target. Do this backdoors. *You are the forensic on the discovery and demonstration of Assemble your
hardware supremacy. determined. PostgreSQL client or use your favourite
before the other contractors (teams) investigator.* Youve got packet captures real exploits (i.e., 0-day vulnerabilities). team of 5 or
Enter in one of three categories: and you will be recognized for your of Anns network traffic. Can you
language to write AI that plays on your S E C T F4 K id s This track relies on the judging of less (director,
Friday and Saturday, 10am - 7pm in the behalf.This is DEF CON of course so
Contest Area accomplishment! analyze Anns malicious traffic and newly discovered, real attacks against producer, writer, camera/photography,
DEF CON DIGITAL: Circuit board- start working on your SQL Injections -
solve the crime by Sunday? Be the first embedded electronic devices. editor) and make your Rise of the
based badge from DC 1-23 Saturday, 11am - 5pm in the Contest anything goes!
to solve the puzzle and win an Apple Machines inspired/themed cinematic
Area This is an opportunity for contestants
DEF CON ANALOG: Non-electronic Watch! Winners could take home the marvel of short film here at DEFCON.
to bring in their own embedded
badge from DC 1-23 Hack Fortress Friday and Saturday, 10am - 6pm, Sunday,
championship trophy, Bitcoin and other
electronic devices and demonstrate Actors and extras dont count towards
swag.
WILD CARD: Badge from any other Hack Fortress is 10am - noon in the Contest Area exploits to our panel. Contestants the max 5, so teams can use as many
con back! If youve Mi s s i o n S E Imp o s s ib l e Looking to sign up or need a hand? will need to provide proof that they actors and extras as they want.
think youve got Come visit us at our booth in the disclosed the vulnerability to the
Friday and Saturday, 10am - 9pm, Sunday, vendor. Open to all.... (zero experience,
what it takes to Contest Area.
10am - noon in the Contest Area
compete stop OpenCTF students, amateurs, professionals).
The SECTF4Kids has become its own Track 1: This is an at-con capture the
by our area and Team registration starts Thursday
DEF CON event!! What is it? flag style contest where contestants
sign up, either morning. Get the rules, get your official
Forensics CTF with a full team SECTF We have created a series of activities
will be pitted against 15+ off-the-shelf
Im making a movie so watch out
IoT devices, hardened, but with known
or solo. This year new powerful effects and challenges that will involve things orange t-shirt*, deal with the monkey
A CTF contest based on defense vulnerabilities. Contestants must
are available. Be careful not to lose like critical thinking exercises, ciphers, wrenches, and go out and get it all done
and system forensics tools and skills identify weaknesses and exploit these
your humanity while using them. logic puzzles, memory puzzles, verbal by Saturdayafternoon.
to recover lost data, and attempt to devices to gain control. Pop as many as
Hackfortress by the numbers: Teams In OpenCTF, teams compete to solve and nonverbal challenges, pitting kids
understand cause by examination of you can over the weekend to win. Prizes include Human Badges for DEF
of 10 (4 Hackers + 6 TF2 players) will hacking challenges in a wide variety against kids in a test of endurance (and
effect and artifacts left-behind on a compete to score more points than CON 25 , $5000 scholarships to Seattle
of categories, including web, forensics, fun).
system their opponents during each 30 minute Film Institute,VideoMaker Magazine
If you were at DEF CON last year, programming, cryptography and reverse This years theme of RISE OF THE subscriptions (and other cool TBD
Imagine around 20 puzzles of varying match. The goal is simple: score more you saw the first ever Mission SE engineering. There will be challenges MACHINES will surely challenge your
Ta mp e r-E v id e n t C o n t e s t stuff).
levels of difficulty. points than your competitors. How you Impossible. This year, we have made it for all skill levels, and the contest is The flagship social engineering event!
do that is where the challenge comes kids. Ages 5-12. All day Saturday starting Do you have extensive knowledge of
bigger, badder and even harder! If you open to all DEF CON attendees. More The SECTF is a test of bravery AND Extras and actors needed.
Example of simple task: recover a in. The six TF2 players will be frantically at 900AM starting in the SEVillage defeats for tamper-evident devices? Or
dare, we will pit you against the clock information on how to play can be brains. It pits human against corporate
deleted file and determine which user trying to kill, capture and win rounds Room. maybe youve heard about the tamper You dont have to join a team to have
and test your ability to think critically in found at our table and http://openctf. security, in a contest that places the
was responsible. against the opposing TF2 players. At contests and would like to try your some filmmaking fun at DEFCON. You
front of a crowd, use your l33t SE skills, com/, and we will be posting updates on
the same time, the four hackers will be hand at it? The MFP group is hosting the could be an extra, or even an actor, in
and be the first to crack into the safe twitter as @open_ctf.

8 9
one of the films being made here at Waz online CTF so participants can access the first phase, expect to put your
DEFCON. Sign up Thursday morning
@DEFCONFilmConte
it regardless of where they are or what security, wireless and hacking skills to DEF CON Capture The Flag is the ultimate test of hacker
or ask one of the conspicuously clad network they are connected to the test in this challenge. skill. Teams qualify from contests all over the world to face
orange t-shirt wielding teams you may www.xhourfilmcontest.com off in a three day smackdown of never-before-seen binaries,
via laptop, netbook, tablet or phone.
see during the Con.
If you are onsite, stop by and visit us extreme exploits, sophisticated strategies, and caffeine abuse.
to take your turn at physical security W ir e l e s s C T F Only this time, its different. DARPAs all-machine Cyber
T he B ox ( B o mb D e f u s a l through lockpicking challenges.
The Wireless Village is a group of Grand Challenge is one of our qualifying contests, making
Contest) Most challenges will require participants experts in the areas of information this the first CTF with a state-of-the-art computer facing
to download material and solve using security, WiFi, and radio frequency down fourteen teams of utterly ruthless hackers.
The Box is a mini-contest hosted inside whatever tools, techniques or methods with the common purpose to teach
the DEF CON Tamper-Evident Village.
The premise is simple: defuse a bomb!
they have available. the exploration of these technologies
with a focus on security. We focus on
NEW FOR 2016
Make a mistake and get blown up. Dont One participant will become the leader
worry, you can respawn at the back of the board and they control which teaching classes on Wifi and Software The game itself is different this year. Were running a
challenges are available. Being the leader Defined Radio, presenting guest consensus evaluation game for the first time, which has
of the line. The Box is an extremely speakers and panels, and providing the
realistic EOD challenge that will test of the board is a double edge sword.
very best in Wireless Capture the Flag
some important differences from traditional attack-defense.
your skills against a variety of traps, Regular participants may choose to
back out of a challenge if they cannot (WCTF) practice to promote learning. Teams no longer have any control of the OS running
alarms, and tamper-evident sensors.
solve it but once the leader of the The Wireless Village plans to hold a their services: they give us binaries, firewall rules, and
Official Rules: board selects a challenge; they must Wireless Capture the Flag (WCTF) exploits, we schedule them to run in our environment,
* Do not cut any wires or remove answer/ solve it or be passed by a new contest during DEF CON 24. and return results to them. No more hunting for errant
any tape. The Box will instantly kill leader. And just to keep it interesting,
occasionally The Judge challenge We cater to those who are new to this processes, cute virtualization tricks, sandboxing, or
you in 99.9% of these situations and game and those who have been playing superman defenses.
youll force the TEV staff to waste time comes out and is made available to
everyone except the current leader of for a long time. Each WCTF begins
making repairs. with a presentation on How to WCTF. Patched binaries arent just graded on functionality. We
the board.
*ATTENTION ALL DEF CON * If Rule #1 isnt explicit enough, do We also have a resources page on our measure and score them for memory efficiency, speed,
ATTENDEES: not cause any permanent damage or There are a multitude of point gainers website that guides participants in their and size too.
modification to The Box. outside the confines of the board selection of equipment to bring.
Everyone who comes to DEF CON is challenges. Extra point gainers will Patched binaries arent kept secret. Every team can
obliged to abide by DEFCONs photo * Two players form a team; signups start randomly appear on the game board Keep an eye on @wctf_us and @ see, disassemble, exploit, and reuse other teams
and video guidelines/etiquette: let on Friday in the TEV @ 10:00. Only in the form of The Judge, Bonus WIFI_Village for details.
team members can be near The Box
binaries as their own.
people know what youre doing, and be Questions, Free Tokens, One Time LINKS:
during your run.
respectful.
* You are not provided any tools. What
Tokens, Movie Trivia Quotes, Scavenger
Hunts (online and onsite) and Lock Check out our website for tools, what HOW TO COMPETE
The teams/film crews participating in you need, and what to do. Enjoy your
sort of EOD tech doesnt bring tools? Picking (onsite). Be careful of the 50/50 DEF CON CTF has limited space for competitors, and
this contest follow this etiquette, in journey.
The Box can be beat with less than $5 Token which may add or subtract
part, by:
points to your score. teams can be qualified by winning the previous year, placing
of easily acquired equipment. http://wctf.us and http://wirelessvillage.
- being conspicuous, when they are ninja
in previously-approved qualifying competitions online and
* If you blow up, stop what youre doing Events that occur on the game board around the world, or scoring well in our qualification event,
filming in the DEFCONs convention
and step back from the box.Youre are sent to Twitter and include items We have a number of people who
areas, by wearing their bright orange,
such as participants signing up, leader of held in May this year.
official, TD Francis X-Hour Film dead. Please dont make us install the support the Village and staff BIOs are
Contest CREW t-shirts
- letting bystanders know when they
are actually filming by saying ACTION
and CUT, and other filmmakery
sounding thingys and stuff
dye packs and flashbangs (seriously).

wa r l 0 c k g a m3 z
the board changes, scoring updates and
challenge updates.
Friday and Saturday, 10am - 6pm, Sunday,
10am - noon in the Contest Area
shown on our website.
http://www.wirelessvillage.ninja/crew.
html
THE CTF ROOM
Want to see what competing in Capture the Flag is like? Visit
the CTF room, watch players analyze binaries, enjoy game
visualizations, learn how autonomous competitors work, and
ThaNkS
We would not be able to run a successful competition if it wasnt for the
skills, attitudes, and persistence of the CTF and DEF CON communities.
- not filming in designated no-camera check out how your favorite team is doing. Enjoy yourself,
S he e p H u n t Thanks to all CTF competitors and organizers around the world for letting
areas but please be respectful and dont interrupt hackers hard at
us be a part of your community, and thanks to DEF CON organizers and
The Sheep Hunt is a search for devices work. If you have questions about CTF, talk with a member
- obtaining permission when
warl0ck gam3z CTF is a hands-on 24/7; goons for our fourth year in this exceptional venue.
appropriate that transmit signals, RFID, 802.x, and of Legitimate Business Syndicate. Competitors may be willing
throw-down, no-holds-barred hacker much more, you can obtain an official to talk if theyre not engrossed in the game too. Game announcements will be posted to https://twitter.com/legitbs_ctf.
- and being approachable and courteous competition focusing on areas of hunting license from the game warden Scores will be available in the competition room. Final results will be
to all. physical security, digital forensics, hacker at the wifi sheep hunt table. Obtaining
challenges and whatever craziness announced at DEF CON closing ceremonies.
Cheers, codes from transmitting devices is only
our exploit team develops. This is an

10 11
ASYLUM VI
Through Hands-On Workshops, Contests & Talks, Kids Learn
Reverse Engineering, Soldering, Cryptography & How To
Responsibly Disclose Security Bugs.

@ DEF CON

A PLACE WHERE KIDS LEARN TO LOVE


WHITE-HAT HACKING

LATEST SCHEDULE @ rtz.org/2016-schedule WORKSHOPS / CONTESTS / TALKS

Hacking & Robotics Hacking Minecraft


AUGUST 5 - 7, 2016
10:00 - 5:00 Defense/Offense Lab 3D Printing
PARIS
1ST FLOOR UFOs & Biohacking Soldering/Badges/Coding
@r00tzasylum
Social Engineering Hacker Jeopardy

CryptoVillage Junk Yard

Software Defined Radios CTF & Much More!

12 13
6am Friday! @jp_bourget @gdead @ @_DEAFCON_ for information about seeded based upon a ticket given at the
THE MACHINE heidishmoo. Go to cycleoverride.org where our interpreters will be during door to each person agreeing to the
F r ie nd s o f B il l W. Me e t u p for more info. the con. terms below. Participants will compete
In efforts to construct a perfect android killing for prizes such as T-shirts, water bottles
*DEAF CON is not associated with the
and other shwag.
machines in a war against China, UK scientists create a CART services provided in the Speaker
sentient cyborg. B e t he M at c h tracks.* Participants can bring their own
Hubsan X4 or Blade NanoQX drone
(no models over half a pound will be
allowed). Each drone may be modified
DEFCON Shoot in any fashion to include FPV systems.
AUTOMATA Mods to the propellers will be allowed
Jacq Vaucan is an insurance agent who investigates cases (but still, no razor blades or other flesh
Be part of the coolest Bio-hack and slicing upgrades). Hacking the main
of robots violating their primary protocols against Vegas is a lot of fun, but it can also help save lives at the same time! Visit board is encouraged, and batteries may
altering themselves. be just a lot. Too much, even, if youre the Be the Match booth at DEF CON be modified to provide an advantage
trying to keep the horizon level in your and join the registry that helps patients in the race. However, managers of the
windscreen. If youre a friend of Bill in need of a stem cell transplant. space have unequivocal rights to reject
W joining us for DEF CON 24, please The registration drive has been at DEF The DEF CON Shoot is an opportunity any drone entry, either by physical
know that we have meetings at noon CON since 2010, and has resulted in to see, handle, and shoot some of the appearance or by additional weight -
COLOSSUS-THE FORBIN PROJECT and five p.m., Thursday through Sunday matches between DEF CON attendees guns belonging to your friends while although footage from FPV or onboard
at The Office on the 26th floor of the and patients stricken with blood taking pride in showing and firing your cameras will be highly beneficial and
To prevent war, the US government gives a Ballys Tower. Drop by if you need to cancers! Come find out how you can own steel, as well, in a relaxed and social engineering efforts to sway
supercomputer total control over nuclear missiles. touch base or just want a moment of help, and meet with donors that are welcoming atmosphere. management will be recorded for
Things do not go according to plan. serenity. Well be there. (Office on 26th happy to answer any questions you future mocking and/or publication. No
floor is next to Skyview 4, at the end Taking place in the 24 hours leading up attacking the opponents body during
might have regarding the donation
of the hall.) to DEF CON out in the Nevada desert, a battle, by kamikaze-style tactics or
processes.
the Shoot encompasses lots of live fire other intentional kinetic means.
time underneath tent canopies to shield
us from the sun along with mini-talks, All spectators and participants must
THE MATRIX C y c l e o v e r r id e D E F C O N DEAF CON food and drink, and even camping sign a waiver to protect the hotel(s),
overnight. DefCon, and our sponsors. No
A computer hacker learns from mysterious rebels B ik e R id e spectator shall enter the netted arena
about the true nature of his reality and his role in the At 6am on Jump on the DEF CON forums to find during an actual battle. Only operators
war against its controllers. Friday, the out just how easily you can attend and of the actual drone during a race may
@cycle_ be a part of all the high-caliber fun! enter the protective netting, and will
override be required to wear eye protection.
crew will The hotels, DefCon, and sponsors are
be hosting D r o ne C l u b also not responsible for any damage to
APPLESEED EX MACHINA the 6th personal drones due to participating in
With Brialeos convalescing after a mission, Deunan is DEF CON this event.
Bikeride.
assigned a new and remarkably familiar partner as a Well meet DEAF CONs mission is to encourage At least one of the obstacles will be
strange wave of terrorist attacks plague Olympus. many deaf and hard of hearing (HH) Ricky Hills (DC21) DJI Phantom,
at a local
hackers to attend DEF CON, help equipped with carbon fiber blades,
bikeshop, get some rental bicycles, and
provide these hackers with partial or hovering in front of a make-shift goal,
about 7am will make the ride out to
full services, and provide a place for challenging the opponents smaller
Red Rocks. Its about a 15 mile ride,
EX MACHINA all downhill on the return journey. deaf/HH hackers to meet up and hang drone to make it past the churning
rotors of death unscathed.
So, if you are crazy enough to join out. Sequoia is back for a second year
A young programmer is selected to participate in a us, get some water, and head over to presenting Drone Club! These ARE the Hak5 will be joining us again this year,
The meet up is an unofficial DEF CON
ground-breaking experiment in synthetic intelligence cycleoverride.org for more info. See at drones youve been looking for... but this time as a sponsor! Darren,
event and open to everyone who
by evaluating the human qualities of a breath-taking would like to attend. We also provide Come participate in head to head Shannon and crew will be bringing the
humanoid A.I. American Sign Language interpreters drone races between two identically Cube of Death, a 4 foot lucite box
funded by independent donations. If sized Hubsan X4 drones inside of a within which Drones will compete in
you would like to use our interpreting protective arena. Drones race each one-on-one, or four-on-four free for
services please follow us on twitter other through an obstacle course, alls! Four Drones go In, One comes
confronted with multiple size and shape Out!!
challenges. Competition will initially be

14 15
So keep your eyes open for thats no longer on the test. Can you
D
SE
TF
announcements in the official DEF think of a better place to get your CON ST
HE
OS
RT
T DARPAs proving ground for computer security
CON literature or our Twitter feed (@ Amateur Radio license or upgrade than QUEERCON ORY CON DARPAs Cyber Grand Challenge (CGC) is a Capture-
the-Flag competition that pits autonomous computers automation is modeled on traditional CTF contests that
DroneWarzClub). at DEF CON? Neither can we. Mixers: Thursday - Sunday, 4p @ Short Story Contest at DEF CON 24 against one another; no humans allowed. Out of were pioneered by the hacker community right here
Ready to pass the exam? Tests run in Queercon Suite at DEF CON. CGC isnt just modeled on DEF CON
Run entirely online on the https:forums. more than 100 registered participants, seven have
Skyview 2 from: CTF; its built by a community that has been part of
Queercon Pool Party - Friday 8p to 3a defcon.org and completing months created computer systems that placed highest during a
H a c k e r Je o pa r d y T r i a l s Friday 1pm - 6pm @ Ballys Pool BEFORE con begins, to participate you qualification event, then passed a series of trials to earn designing, hosting, playing, and often winning the biggest
Do you have what it takes to be a must have an account on the forums CTF in the world. The CGC architecture team counts
Saturday 10am - 6pm In Vegas 13 is a lucky number and
and follow the contest Twitter account
the right to compete in the CGC Final Event (CFE).
Hacker Jeopardy contestant? Grab two Queercon is back for its 13th year amongst its members several multi-year DEF CON CTF
of your buddies and haul ass down Need just a little more time to study? @dcshortstory. Submission guidelines
promoting diversity among all DEF
are outlined in Da Rules on the champions and contest organizers from 2008-2012. Also,
to the contest stage to experience a Keep an eye on dc408.com/hamradio. CON attendees, Queercon is open
lightning round trial (no daily doubles, html for possible schedule updates. forums. The autonomous participants competing in the CFE are the challenge software that machines must solve has
to anyone LGBTQ and our friends been written by three teams filled with DEF CON CTF
or beer) to validate your skills as a and allies. The QC Suite is open all First place receives (2) Human badges,
known as Cyber Reasoning Systems (CRS). These systems
Meet us at Skyview 2 with $15 cash,
potential team BEFORE we let you on day to lounge and meet other people Second place receives (1) Human badge, are rooted in decades of program analysis, vulnerability winners past, allowing them to write software targeted
your ID, your FRN and a test slot can
the big stage.
be yours with no reservation required. along with other events at 4pm every and by Peoples Choice poll, one author discovery, patch creation, and network intrusion at the cutting edge of reverse engineering competition.
LOCATION: Contest & Event (C&E) If upgrading or have an expired license day of the conference dont miss receives (1)Human badge as well! All detection research and practice. Groups forged from Many participants in the Challenge have coupled cutting-
Area Stage bring a copy of your license. Questions? the Queercon Mixer where you can stories, regardless of placement, are academia, industry, and the hacker community have been edge academic research teams with DEF CON CTF
Email us at hamtest@dc408.com! meet new people, trade stories, and included as a file on the official DEF working tirelessly for more than two years designing players, and the CGC announcing team contains builders
Dates: Friday 5 August and Saturday 6 ARRL VE? Bring your VE ID and come enjoy our staffed cocktail bars. Open CON swag DVD and the winners
August to everyone, no DEF CON badge listed in the official DEF CON schedule and building these reasoning systems to compete of the contest past and present.
help us! We cant wait to give you your
Times: 10:00 a.m. -12:00 p.m.; 2:00 p.m. exclusive DEF CON 24 Ham Radio required. pamphlet. Rules, stories and polls are autonomously in Capture-the-Flag.
- 4:00 p.m. licensee memento for passing your test posted on the forums.defcon.org each
QC13 POOL PARTY: A not to be What does DEF CON CTF make of all this? This year,
at DEF CON. While supplies last, first year!
missed party with some of the best
come first serve. international DJs spinning until 3am. This contest is no joke, so if you Like any CTF, bug hunting is the core of the competition. DEF CONs CTF organizers have challenged the winning
Doors open 8pm at the Ballys Hotel choose to try your luck at pen to paper, Once found, bugs can be fixed, and vulnerabilities in CGC computer to take a seat at the table on the CTF
Hacker Karaoke pool. The bars will be pouring, no DEF take it seriously, and write the best that opponent software can be proven. Of course, this floor and compete against the top hackers in the world.
L aw y e r Me e t up CON badge required, and as usual the you can write to the theme presented process is quite complex, and in CGC, high-performance
pool will be OPEN so be ready to get in the rules. This contest was begun computers will reverse-engineer unknown binary
If youre a lawyer (recently unfrozen Wet. by Nikita, bequeathed to Eris and is
or otherwise), a judge or a law student software, author novel IDS signatures, probe the security The free CGC Final Event is on August 4th in the Paris
introducing FrozenFOXX and Princess
please make a note to join your host Where is the Queercon Suite? What
Leah as event co-planners. of opponent software, and field defended services with Ballroom. From 5-8 PM, live announcers, and never-
Jeff McNamara at 6pm on Friday, August other activities are going on with machine-generated patches and defenses. before-seen visualizations await.
5th for a friendly get-together, followed Queercon check out queercon.org, our We receive high quality writing, more
by dinner/drinks and conversation. mobile app, Facebook or Twitter to get stories every year and the competition
Come in and relax, watch and sing your all the updated details. is fierce and world wide! So pick up
Friday 1800 - Club 22 (22nd floor your quill, your stylus, your typewriter
favorite songs. Do you like music? Do Ballys Indigo Tower)
you like performances? Want to BE or tablet and dazzle our minds eye!!
Submit soon but dont submit often,
the performer? Well trot your happy SE Podcast Live submit perfection instead! Good luck!
ass down to the 8th Annual Hacker
Karaoke, DEFCONs on-site karaoke M o h aw k- C o n The SEPodcast. Going on our 7th DEFCON 24 Creative Writing Short HOW WOULD YOU FARE
experience.You can be a star, or if you year of doing the podcast live from Story Contest winners!
dont want to be a star, you can also
take pride in making an utter fool of
Mohawk-Con
continues this
DEF CON, join us and the cast of the
podcast for another amazing live show. 1st: Consumed by Tyler Rosonke
AGAINST THE MACHINES?
yourself. year, come
early to be 2nd: Alice by Avi Zajac
DEF CON ATTENDEES HAVE
the fashionista Peoples Choice: Backup by Leah A CGC TOOLKIT ON THEIR
Ham Radio Exams -
of the DEF
CON Ball.
Thompson DEF CON DVD THAT ALLOWS
b r o u g h t t o y o u by d c 4 0 8 Charitable
event to
AUDIENCE MEMBERS TO
Do you know support EFF & Hackers For Charity, FOLLOW ALONG AND TEST
your USB from
your LSB?
get a cool new hawk in support of the
causes that matter to you.
THEIR SKILLS AGAINST THE
RACES vs ARES? SEVEN CGC FINALISTS.
Just dont fret if
you cant copy
CW because
16 17
!

HACKER JEOPARDY
XXII
!

FRI 08.05.16SAT 08.06.16


20:00 TRACK
1

DONT FUCK IT UP
18
01000010 01000101 01000101 01000110 00100000 19
01010100 01001000 01001001 01000101 01000110
people. Over the years, it has stuck around and, this year, it continues to bring: community We have a number of people who support the Village and staff BIOs are shown on our
soldering stations for electronic badges and kits, hardware related contests and talks, website.
B i o H a c k in g V il l a g e workshops, hands-on teaching, and the passion to keep the hardware hacking community S o c i a l E n g ine e r V il l a g e http://www.wirelessvillage.ninja/crew.html
thriving. Come to learn, hack, be passionate, and void some warranties with us.
It is adequate that the motto for DEF CON 24 The Social Engineering Village is your stop for all
is Rise of the Machines. The BioHack Village things social engineering.
is created by people interested in the science Thursday we are running Mission SE Impossible.
of do-it-your-self biology. What characterizes I o T V il l a g e Part spy mission, part gringo warrior challenge, part SE - blended, heated and poured into
D ATA D U P L I C AT I O N V il l a g e
biohacking are the end goals and consequent a new mold for this year. Limited space and sign up is onsite. HERE IS HOW IT WILL WORK
optimization of activities to achieve those goals. Organized by security consulting and research firm
An activity is a biohack when it is carried out Independent Security Evaluators (ISE), The IoT The SECTF is back for its 7th year and ready to take on.... you will have to come and see DEF CON will provide a core set of drive
not primarily for its own sake, but instead to Village delivers thought leadership advocating which industry is the target this year. duplicators as well as content. It will be a first
extract from it some enhancement to our for security advancements in Internet of Things come, first served situation. Bring and label your
(IoT) devices. The village consists of workshops The SECTF4Kids is keeping to the DEF CON theme of RISE OF THE MACHINES and
raw abilities, specific skills, overall health, or 6TB SATA blank drives, and put them in the
on hacking numerous off-the-shelf devices (e.g. will challenge your children in ways we never have used in previous years.
well-being. queue for the data you want and 14 hours
medical devices, home appliances, routers, and The official Human Track for DEF CON. Friday and Saturday evenings we convert the
storage devices), live educational talks and a variety later it is ready for pick up.
SECTF room into a place to listen to all SE speeches from 4pm to 9pm.
of contests. START EARLY!
C a r H a c k in g V il l a g e VILLAGE AREA
The SEPodcast. Going on our 7th year of doing the podcast live from DEF CON, join us
and the cast of the podcast for another amazing live show. The first batch will happen Thursday evening, so if you want in come by the event area.
Car Hacking Village will consist of several While it will be closed to everyone for setup there will be a table where you can drop off
At the village, there will be devices that can be connected to wirelessly and wired, where
Hands-On Learning Zones. drives between 6pm and 7pm.
participants can seek guidance and/or advice from ISE security analysts.
Anti-lock Brake Zone will demonstrate
how to get physical access to vehicle
The village will promote a high level of collaboration which could include helping out Ta mp e r-E v id e n t V il l a g e LOCATION
participants or giving tutorials on past and current exploits. This would make for a more The village is in the contest and events area in a room along the wall to your right as you
controllers and wires by removing panels Tamper-evident refers to a physical security technology that provides evidence of
energetic and educational environment. enter the space. Look for the sign.
and bolts. tampering (access, damage, repair, or replacement) to determine authenticity or integrity
WORKSHOP of a container or object(s). In practical terms, this can be a piece of tape that closes an WHAT TO BRING
Buck Hacking Zone will allow visitors to
envelope, a plastic detainer that secures a hasp, or an ink used to identify a legitimate
open hack vehicle controllers and vehicle The workshop will be facilitated by the elite group of security researchers and 6TB SATA3 new drive(s) - If you want a full copy of everything you will need three.
document. Tamper-evident technologies are often confused with tamper resistant or
systems on a Buck (system on a bench). consultants at ISE. The workshop will give live demonstrations on how to hack off-the- Western Digital RED drives are to be AVOIDED. Any data you want to contribute to be
tamper proof technologies which attempt to prevent tampering in the first place.
Hardware and computers will be provided. shelf devices within the Internet of Things. shared, in USB, HDD, or DVD format.
Referred to individually as seals, many tamper technologies are easy to destroy, but a
Turbo Talks Zone aims to teach visitors CROWDSOURCED TALKS destroyed (or missing) seal would provide evidence of tampering! The goal of the TEV is THE DATA DUMP
about specifics of vehicle networks and to teach attendees how these technologies work and how many can be tampered with
hardware. These will be drop-in sessions of 15-30 minutes in length. The talk track will be opened to the all attendees at DEF CON 24; it will be a first come, without leaving evidence. Here is what we are planning to make available:
first serve type of track. Attendees who wish to speak can submit their talks early to
A/C Chill Zone is a great place to meet the Village personnel one-on-one and discuss reserve a timeslot or can simply show up to the village. All talks must be approved by the 6TB drive 1-3: All past hacking convention videos that DT could find, plus video
more specific subjects related to Car Hacking. IoT village committee before an attendee can give their presentation. collections from popular YouTube channels, and other sources.
OEM Zone aims to have an interaction between the OEMs/Suppliers and its users. Talks should be relevant to the Internet of Things, no product or service pitches. Talks W ir e l e s s V il l a g e 6TB drive 2-3: freerainbowtables.com hash tables (1-2) 6TB drive 3-3: GSM A5/1
can range from 20 to 50 minutes, aiming to spark interaction with the audience, provoke The Wireless Village is a group of experts in the hash tables plus remaining freerainbowtables.com
Car Hacking Village Badge Zone where you can hack and learn about the our REALLY
conversation, and solicit questions and feedback. areas of information security, WiFi, and radio
Cool Badge. data (2-2)
frequency with the common purpose to teach the
exploration of these technologies with a focus on WANT TO ADD TO THE DATA DUMP?
security. We focus on teaching classes on Wifi and
C r y p t o a nd P r i va c y V il l a g e L o c k p i c k V il l a g e Software Defined Radio, presenting guest speakers Its not too late. Know of a collection you want included? A repository you want
and panels, and providing the very best in Wireless mirrored? Post here with a link and Ill let you know if it makes it on the drive.
Want to tinker with locks and tools the likes of
At the Crypto & Privacy Village you can learn Capture the Flag (WCTF) practice to promote
which youve only seen in movies featuring police, HOW IT WORKS
how to secure your own systems while also learning.
spies, and secret agents? Then come on by the
picking up some tips and tricks on how to Label your drive(s) with your name, which collection number you want on it, how
Lockpick Village, run by The Open Organisation Of The Wireless Village plans to hold a Wireless Capture the Flag (WCTF) contest during
break classical and modern encryption. The CPV to contact you, and then check it in. It will be put in the queue for duplication on a
Lockpickers, where you will have the opportunity to learn hands-on how the fundamental DEF CON 24.
features workshops and talks on a wide range first come - first served basis. Bring your own drive duplicators and help share the
hardware of physical security operates and how it can be compromised.
of crypto and privacy topics from experts. Well We cater to those who are new to this game and those who have been playing for a long data for more people.
also have an intro to crypto talk for beginners, The Lockpick Village is a physical security demonstration and participation area.Visitors time. Each WCTF begins with a presentation on How to WCTF. We also have a resources
some crypto-related games, a key-signing party, can learn about the vulnerabilities of various locking devices, techniques used to page on our website that guides participants in their selection of equipment to bring. Hang out, make friends!
and other TBD awesomeness. exploit these vulnerabilities, and practice on locks of various levels of difficultly to try it
themselves. Keep an eye on @wctf_us and @WIFI_Village for details. NOTES

Experts will be on hand to demonstrate and plenty of trial locks, pick tools, and other LINKS: Duplicating a 6TB (About 5.46 usable) drive at ~110 Megabytes a second comes
H a r d wa r e H a c k in g devices will be available for you to handle. By exploring the faults and flaws in many
Check out our website for tools, what you need, and what to do. Enjoy your journey. out to about 13.8 hours.
popular lock designs, you can not only learn about the fun hobby of sportpicking, but also
V il l a g e gain a much stronger knowledge about the best methods and practices for protecting http://wctf.us and http://wirelessvillage.ninja
your own property.
The Hardware Hacking
Village was conceived around
DC16 to bring the complexity
20 of hardware hacking to the 21
PACKET HACKING VILLAGE WIFI SHEEP HUNT
Help! Some of our sheep got out
Friday 10:00 a.m. (opening ceremony at 10:10 a.m.) of the barn!!! Do you have the skills
Saturday 9:00 a.m. necessary to track them down and
get them back in?
Sunday 10:00 a.m. (closing ceremony at 2:10 p.m.) This challenge is open to all
Location: Packet Hacking Village 26th Floor!!! skill levels, and has something for
everyone! So swing by, break out
your RF gear, and start looking for
The Packet Hacking Village is where the action is, and where the blue team is boss! Youll find exciting events, live
transmitting signals If it can transmit
music, competitions with awesome prizes, and tons of giveaways. The PHV welcomes all DEF CON attendees and there is
something for every level of security enthusiast from beginners to those seeking a black badge. This village was created to
help enlighten attendees via education and awareness with a slightly more defensive focus. Wall of Sheep gives attendees
RF, it is probably part of the challenge.
Register and obtain contest
OPENING CEREMONY
instructions and preliminary clues at the (Friday, 10:10 - 11 AM)
a friendly reminder to practice safe computing by using strong end-to-end encryption.
Wi-Fi Sheep Hunt table or the Packet
Wall of Sheep Speaker Workshops delivers high quality content for all skill levels. Packet Detective offers hands-on
Hacking Village Info Booth.
exercises to help anyone develop or improve their Packet-Fu. Wi-Fi Sheep Hunt is an exciting wireless competition where
anything wireless goes and catching sheep is the goal. New this year, Sheep City is a collection of everyday devices available PRESECNSTING SECURITAYRD
for you to hack. WoSDJCo has some of the hottest DJs at con spinning live for your enjoyment. Finally... Capture the METRI TO THE BO
Packet, the ultimate cyber defense competition that has been honored by DEF CON as a black badge event for five of the / LEADERSHIP
six years of its run. PACKET Walt Williams
DETECTIVE (Friday, 11:10 AM - 12:00 PM)
Are you interested
WALL OF SHEEP in learning the art of
The board of directors and corporate leadership
An interactive look at what could happen if you let your guard down when network analysis, sniffing, is not interested in how many attacks your firewall
connecting to any public network, Wall of Sheep passively monitors the DEF CON or forensics? has blocked, and frankly, that is not a metric, that
network looking for traffic utilizing insecure protocols. Do you want to understand the is a measure. Difference between metrics and
Drop by, hang out, and see for yourself just how easy it can be! Most importantly, we strive techniques people use to tap into measurements, how metrics are constructed, and
to educate the sheep we catch, and anyone else interested in protecting themselves in the a network, steal passwords and the kinds of metrics the board of directors are
future. We will be hosting several Network Sniffing 101 training sessions using Wireshark, listen to conversations? interested in will be discussed. In other words, how
Ettercap, dsniff, and other traffic analyzers. If you answered yes to any to identify how to align security metrics with business
of those questions, then Packet goals and objectives. The use of frameworks such
WALL OF SHEEP SPEAKER WORKSHOPS Detective is for you! For well over as ISO 27004 to construct metrics, the pragmatic
Back for a fourth year, we continue to accept presentations focusing on practice and process a decade the Wall of Sheep has framework and its uses will also be discussed.
and emphasizing defense. Speakers will present talks and training on research, tools, techniques, shown people how important it is
and design, with a goal of providing skills that can be immediately applied during and after the to use end-to-end encryption to keep sensitive information private (i.e. your DECE IVRE AND SUCCEED:
conference. password). MEAS U I N G T H E
Our audience ranges from those who are new to security, to the most seasoned Using a license of the world famous Capture The Packet engine from EFFICPITEINOCNYEOCFO-A
practitioners in the security industry. Expect talks on a wide variety of topics for all skill levels. Aries Security, we have created a unique way to teach hands-on skills in a DECE SYSTEM
Updated schedule available at: https://wallofsheep.com/pages/dc24 controlled real-time environment. IN P O S T - BRE A CH
Join us in the Packet Hacking Village to start your quest towards
getting a black belt in Packet-Fu.
DETECTION
Omer Zohar
Head of Research at TopSpin Security
CAPTURE THE PACKET CTP
The time for those of hardened mettle is drawing near; are you prepared to battle? (Friday, 12:10 - 1:00 PM)
Compete in the worlds most challenging cyber defense competition with a newly SHEEP CITY Todays networks are undergoing all sorts of sinister
revamped UI and an improved ladder system based on the Aries Security training Come attempt to hack our Sheep attacks from numerous sources and for myriad
simulator. City! Its comprised of the sort of everyday reasons. Security at the perimeter is inadequate for
In order to triumph over your competitors, contestants must be well rounded, like devices found in your home or office, waiting thwarting todays highly intelligent attacks as hackers
the samurai. Tear through the challenges, traverse a hostile enterprise class network, to be turned against you at any moment. routinely breach the perimeter and gain entry. It
and diligently analyze what is found in order to make it out unscathed. Not only All devices have some sort of RF based
glory, but prizes await those that emerge victorious from this upgraded labyrinth.
isnt long before the network is compromised and
communications capability, so bring your arsenal critical information is stolen. We must now assume
The Dark Tangent has asked that we extend your time in the labyrinth and this of tools. And remember you cant spell idiot
has caused the difficulty of challenges to be amplified, so only the best prepared that, despite significant investments in prevention,
without IoT! breaches are going to happen. An additional approach
and battle hardened will escape the crucible. Follow us on Twitter or Facebook Visit the Packet Hacking Village on Ballys
(links below) to get notifications for dates and times your team will compete, is required. Security teams must go on the offensive,
26th floor to enter the challenge and obtain the creating a web of non-stop, real-time detection
as well as what prizes will be awarded. rules.
Teams consist of up to 2 players and can register at the CTP table in the operations using multiple vectors against an ever-
Packet Hacking Village. changing landscape of cyber threats. Deception
technology now plays a critical role. Used as a
strategy for many centuries in actual warfare, the
/wallofsheep @wallofsheep
22 23
concept of deception is becoming various sources and continuously what can happen when a couple of strong sensation of Dj vu with this landscape. The attacks are outside their
VULN E R A BI LTI:TY COSNENNEHCOTW
IONS: C
AR
a significant weapon in network- executing them in order to establish ASWLING FOR dedicated and slightly unbalanced work and our 2014 Black Hat USA network, commonly occur through
MANA G E M EN E
THE INTERNEA
I ER TND
protection schemes. Deception a database of exposed hosts. A PI individuals come together to establish MPTCP research. We find ourselves their employees personal accounts,
technology doesnt rely on known NONE X C U SE S, similar project (SearchDiggity, closed Ryan Mitchell the largest volunteer staffed, donation discussing a similar situation in new and circumvent existing detection
attack patterns and monitoring. A E T W O RK Damon Chef Small source, Windows only) had its Senior Software Engineer At Hedgeserv
funded Cyber Offensive and Defensive protocols with technology stacks technologies. In this presentation
E
Instead, it employs very advanced
PN
EG
RI
SNPEEECRT
ISVE latest release in 2013 and the latest Training facility in the world. Attendees evolving faster than ever before, and well explore the taxonomy of
Technical Project Manager at NCC Group
(Friday, 6:10 - 7:00 PM)
luring techniques to entice attackers (Friday, 3:10 - 4:00 PM)
blog post was published in 2014. will be shown how real hardware and Network Security is largely unaware social media impersonation attacks,
away from valuable company assets Richard Larkins As client machines become more real tools can be used remotely to of the peril already upon it. This talk phishing scams, information leakage,
and into pre-set traps, thus revealing Network Architect at Arizona Cyber Rise of the Machines conjures VEV
RIFRYAIGNEG CILPASIMS: powerful and JavaScript becomes more further increase their Cyber talents. briefly introduces QUIC and HTTP/2, espionage, and more. Well then
their presence. It is able to detect Warfare Range and President of the ISSA thoughts of the evolution of technology CO E ubiquitous, servers are increasingly
HO3W52TOWOFRID
NP
DRESS
covers multiplexing attacks beyond provide a method to categorize these
threats in real time without relying on
any signatures, heuristics or complex
Phoenix Chapter

(Friday, 1:10 - 2:00 PM)


from the exclusive domain of computer
scientists in the early days of our
HERES HOW serving up code for browsers to
execute, rather than the display-ready 1,
MPTCP, discusses how you can use
these techniques over QUIC and within
threats and develop a methodology
to adapting existing incident response
Garett Montgomery
behavioral patterns. But how effective
Vuln Management encompasses 3 out
industry to including everyday people Security Team Lead: Application and
pages of the past. This changes the face XS S PR
LA
UBGIIL
NITIES HTTP/2, and discusses how to make processes to encompass social media
is a deception strategy in detecting
of the top 4 items in the SANS 20 and
using - and often wearing - Internet- Threat Intelligence Research Center of web scraping dramatically, as simply VU LN E sense of and defend against H2/QUIC threats for your organization.
I
RN
EA1
breaches? What method works best?
is a critical item for PCI DSS.Yet, so few
connected devices. With that theme (ATIRC) at Ixia wgeting and parsing the response
from a URL becomes useless without
H)
OUR (NOT traffic on your network. We will also
DYNA MI C
How does it integrate with current
security operations already in place? companies manage to do it correctly.
in mind, the speaker researches the
history of one large, government- (Friday, 5:10 - 6:00 PM) executing bulky JavaScript with third
LLY demonstrate, and release, some tools
POPU L ATR
ION
with these techniques incorporated.
In this talk we will present findings
This presentation will cover the result funded infrastructure and compares it IPS devices are now an accepted, party plugins, reading through code Larry W. Cashdollar
N DISCO V E Y
NO
OW
WYYO
OU
USDE
OE
NTME, F
of the author (a network geek) being Senior Security Intelligence Response
from a first ever research which unceremoniously thrown into one of
to another. Specifically, the Eisenhower integral part of a defense-in-depth logic manually, and/or digging through Team Engineer at Akamai Technologies. OR LEATERAL
measured the efficiency of proactive those situations, and will detail the
Interstate System and the Internet. InfoSec strategy; by strategically piles of browser junk. However, moving
page logic client side can also create
MOVE M NT
deception using mini-traps and decoys lessons learned from it. Tools used:
Connections: Eisenhower and the
Internet explores what the logistical
positioning them on the network,
data vulnerabilities, as companies leave
(Saturday, 11:10 AM - 12:00 PM)
Joseph Muniz DETENCGTION
in real-life threat scenarios. We have NMap, Tripwire, Qualys, and Crayons. challenges of moving vehicles across
attacks can be blocked before they
internal APIs exposed to the world, in Ill discuss my methodology in (USI MACHINE
Architect and Researcher at Cisco

reconstructed a real enterprise the Country can teach us about


ever reach their intended targets. But
with the explosion of public exploits, order for their client side code to make attempting to download all 50,000 Aamir Lakahni LEARNING)
Y
MO
AU
NIPAURLEATBEED
environment complete with endpoints,
servers, network traffic and data
ING cybersecurity. Although these two polymorphic malware and an ever- use of them. Ill show some examples
of this practice on traditionally
WordPress plugins, automated
vulnerability discovery, automated proof
Senior Security Researcher at Fortinet
Rod Soto
Senior Security and Researcher at
topics seem unrelated, the speaker increasing attack surface, how can (Saturday, 1:10 - 2:00 PM)
repositories as well as security tools impossible to scrape pages, and also of concept creation and automated Splunk UBA
GrayRaven will take the audience on a journey IPS devices keep up? They all seem to Many people leave behind bread
such as IDS, firewall, SIEM etc. The some tools Ive developed to crawl proof of concept verification. Ill go Joseph Zadeh
Senior Software Engineer at Cisco that begins with early 20th century have heuristic detection capabilities, crumbs of their personal life on social
deception layer was then integrated domains and discover and document into where I went wrong, what Id Senior Security Data Scientist at
Systems road-building projects, travels through which are supposed to protect you media, within systems they access
into the environment in 2 steps: (a) these hidden APIs in an automated way. change and where I succeeded. Splunk UBA
ARPANET and the commercialization from unknown exploits, and frequent daily, and on other digital sources.
by placing decoys in the network (Friday, 2:10 - 3:00 PM)
of the Internet, and arrives at While many bot prevention measures (Saturday, 3:10 - 4:00 PM)
and (b) by placing mini-traps on the
assets which point to the decoys,
You are being manipulated. There current-day cyberspace. These two
updates to protect against known
vulnerabilities. But just how effective focus on traditional page scraping and H
TT
ET
AP
C/
H2NG
I &GQO
UO
IC
D - Your computer, your smartphone, your
pictures and credit reports all create The focus of this presentation is
is constant pressure coming from massive infrastructures have changed are those defenses? Sure, you can site manipulation, scripts that crawl
P
BR
AO
DTO
TC
set false credentials, trigger silent companies, people, and attackers. the world, and there are important check out the Gartner magic quadrant sites through API calls, rather than in a ON
LG
SSTO DO a information rich profile about you. to describe ways to automate the
alarms and more. We then evaluated
the effectiveness of the mini-traps
Millions are spent researching and lessons that the former can teach or pay for the latest NSS Test report. human like way through URLs, may HI This talk will discuss all the different
threats that leak your information and
discovery of different asset classes and
behavioral profiles within an enterprise
studying your weaknesses. The attack about the latter. The presentation Just because an IPS claims to protect present unique security challenges Catherine (Kate) Pearce
and decoys against both automated, how attackers can use open source network. We will describe data driven
vectors are subtle. Most times we dont concludes with predictions about you from a vulnerability doesnt mean that modern web development Senior Security Consultant at Cisco
machine-based attacks as well as intelligence to find you. We will discuss techniques to derive fingerprints for
realize that manipulation has occurred the future of the the Information thats the case. In this talk, Ill talk about practices do not sufficiently address. Security Services
against sophisticated human attacks: Vyrus techniques used by law enforcement specific types of individual and subgroup
until it is too late. Fear not, we can Superhighway and how information some of the strengths and weakness and private investigators to track behaviors. The goal of these methods
The first stage involved checking harden our defenses. We can put security professionals can prepare. of IPS devices, as well entire classes of THE ARIZAORNFA Senior Security Consultant at Cisco
individuals. Learn how you can protect is to add context to communications
the behavior of a variety of malware
families against the environment
safeguards in place to help avoid being
AUTOMNAGTEF
DOR exploits that cause serious problems CYBER W AN
REBY Security Services
your online footprint, reduce your taking place within an enterprise as
and measuring the deception layers
the victim. For me, the answer came
DORKI for IPS devices. While I happen to work RANGE: L E AR (Saturday, 12:10 - 1:00 PM) digital trail, and securing your privacy. well as being able to identify when
success in detecting their activity.
from an unlikely source: my daughter.
F for a company sells a very expensive DESTRUCTION The meteoric rise of SPDY, HTTP/2, certain asset profiles change there

PU
RN
For the second phase, we invited
Small children are fantastic. Society has ATN^DWSALARY device for testing IPS devices (which Richard Larkins and QUIC has gone largely unremarked ATTACKS OE
N behavioral fingerprint in such a way
red-team professionals and white hat
not yet influenced their development;
therefore, children are relentless in
OFI is where the data and my opinions Network Architect at Arizona Cyber
upon by most of the security field. ENTERPRIS as to indicate compromise. The type
hackers to employ real techniques
and advanced tools with the task of
pursuing their aims. Since they are naive
Filip Reesalu
Security Researcher at Recorded Future
come from), I plan to focus on how
the same testing methodologies can
Warfare Range and President of the ISSA
Phoenix Chapter QUIC is an application-layer UDP-
based protocol that multiplexes
SOCIAL MEDIA of profiles we want to discover can
be tied to human behavior (User
to right and wrong, they will use any be applied and the results can be Anthony Kosednar Mike Raggo
moving laterally in the environment connections between endpoints at Chief Research Scientist at ZeroFOX Fingerprinting) or particular asset
tool available to get their goal. How (Friday, 4:10 - 5:00 PM) duplicated using open-source tools. Chief Software Engineer at AZCWR
classes like WebServers or Databases
and exfiltrate high value data. does this help? My daughter became the application level, rather than
A dork is a specialized search engine (Saturday, 10:10 - 11:00 AM) the kernel level. HTTP/2 (H2) is a (Saturday, 2:10 - 3:00 PM) (Hardware/Software Fingerprinting).
my trainer, and this talk discusses how Finally enriching these profiles with a
query which reveals unintentional successor to SPDY, and multiplexes Current threat vectors show targeted
interacting with her has improved my Want to run all those tools you have small amount of network context lets
data leaks and vulnerable server different HTTP streams within a single attacks on social media accounts
defenses. Comparing her strategies to always heard about, but dont have the us break down the behaviors across
configurations. In order to catalogue connection. More than 10% of the top owned by enterprises and their
real world examples will show how to hardware to do it? Or - does your Boss different parts of the network topology.
vulnerable hosts with minimal manual 1 Million websites are already using employees. Most organizations lack a
build a training framework of your own. want you to learn NMap, but wont
intervention were now introducing some of these technologies, including defense-in-depth strategy to address These techniques become important
Access to small children is not needed. let you run it on any of the corporate
an open-source framework for much of the 10 highest traffic sites. the evolving social media threat when we want to passively monitor for
networks? This presentation will show
grabbing newly published dorks from Whether you multiplex out across
connections with QUIC, or multiplex
into fewer connections with HTTP/2,
24 25
the world has changed. We have a
certain attacks against server hardware
even without visibility into the local MININSGTOTAL FOR BUILDIN GDA LOCAL CLOSINOGNY
logs running on the server. For example VIRU PASSIVE N S CEREM
we will cover the automated discovery OPERA TIOLNALGDA
ATA TOT
OE
LLL
FIOGRENTCHEREAT
and enrichment of DMZ assets and AND A PP YIN IN (Sunday, 2 - 3 PM)

Q
OU
NAL
IITTY CONTROL
how we use these techniques to profile RESEARCH
when a server has been planted with a Kathy Wang
Webshell or when an asset has been Gita Ziabari Security Strategist And Researcher At
used to covertly exfil data. The methods Senior Threat Research Engineer at Splunk, Inc.

we propose should be generic to apply Fidelis Cybersecurity


(Sunday, 11:10 - 12:00 PM)
to a wide variety of any kind of Layer 4/ (Saturday, 5:10 - 6:00 PM)
Layer 7 traffic or just PCAP data alone. Currently, many Security Operations
More than one million samples are capabilities struggle with obtaining
FUZZINSG FOR being submitted and analyzed by more useful passive DNS data post breach.
HUMAN : REAT
LHE than 50 AV engines in VirusTotal on Breaches are often detected months
FUZZIN G IN daily basis. Factors such as filtering, after the attack. Due to the ephemeral
REAL WORLD scaling the detected engines, scaling
the categories in network data, scaling
nature of malicious DNS domains,
existing well-known passive DNS
Joshua Pereyda the HTTP responses are being used collections lack complete visibility to
(Saturday, 4:10 - 5:00 PM) in conjunction of an algorithm for aid in conducting incident response
constructing an operational data. and malware forensics. We will present
Fuzzing tools are frequently seen in big- The filtered data are being clustered a new tool to collect local passive
name conferences, attached to big-name based on their malware type with DNS data, which will enable security
hacks and big-name hackers. Fuzzers indication of their malware names. The operations capabilities to conduct
are an incredibly useful offensive tool, obtained data is also being evaluated more effective defense against malware,
and equally critical for a defensive by another algorithm for removing including APTs, zero days, and targeted
player. But anyone who has tried to use the aged and less scaled data on attacks. Our presentation will consist
these big-name fuzzers to secure their daily basis. The used APIs, algorithms of a demo of the tool, and the tool
own software has seen how ineffective and source code will be presented will be released for public use.
they can be. The fuzzing world is to the audiences. The tool could be
plagued with over-hyped and under-
developed fuzzers that will suck the life
downloaded for immediate use. LTE AND IE
TS
out of anyone who dares try to sort
FIDODFLER ON THE COLLECTIV
through their waterlogged codebase.
RO : A N O- INSECURITY
Meanwhile, commercial players stand Chuck McAuley
by ready to support big businesses, NONF SI
EDNDSLEERLOAONKD Security Researcher at Ixia

but not open source. Commercial AT Communications

fuzzers may be good business, and ITS USAGE Chris Moore,


Engineer at Ixia Communications
their existence is a boon for the Morgan Indrora Gangwere
industry, but they are not sufficient (Sunday, 12:10 - 1:00 PM)
(Saturday, 6:10 - 7:00 PM)
for widespread security. They keep the
power of fuzzing locked up for those Fiddler lives in the same family as The world of LTE is enshrouded in
willing to pay big bucks. And the closed mitmproxy, Burp, and other man in acronym soup, mystery, and technical
source nature stamps out community, the middle tools. Topics covered documents that implement security
leaving each business to develop their in this talk include: scripting the by obscurity. In this talk, we will shed
own practices. In this talk, Joshua will Fiddler proxy, making arbitrary light on the magic that is the evolved
provide a practical perspective on requests, redirection and attacking packet core, otherwise known as the
fuzzing, explore the hurdles confronting Windows 8 and UAP applications. EPC. The EPC is the packet routing
current open source tools and pave engine that connects the tower to
a path forward. Attendees will also the Internet. We will discuss the
receive an introduction to DIY network communication protocols,
fuzzers using modern frameworks. core infrastructure elements, and basic
architecture of this system. In closing,
we will disclose successful crashes and
kills that we have had in this network
and discuss the potential for large
scale communication disruption.

26 27
peer network based on a mobile and
WORKSHOP REGISTRATION! If the workshop that you want has filled up before Workshops are back! WEBSEC: A AUTOMATEDON DERFELCEOSNS desktop app. The tool will be available
you got there, dont worry! Just like last year, if you Theyre on the 3rd floor
of Ballys South tower,
CROSS PLATF ORM PENETRATI WI both as source code and as the actual
LARGE SCAL E TOOKLIT (APT2) C
SO
ELRL ECCETIO
(N
Workshops are free, first come, first come to the workshop area early the day of, you can
The Jubilee Tower. Las application. This node net is used to
V
SU
CL
AN
NE
NR
EA
RBILITY
served, and seats will fill up fast! wait in the standby line. If a seat opens up, it will be
made available to the first person waiting to claim it. Vegas Ballrooms 1-7. Adam Compton VI DCWCS) audit and monitor changes in real-time
To register for a workshop, you will need to go to Thurs, Friday & Saturday, 1200-1350 at Table Four
darkmatter to the global security infrastructure.
the Ballys side in front of the cafe arcade between Please Note:You will be issued a workshop check the schedule below! Dragos Boia This includes DNS records, IP
pass. It will be required for class admission. 1200-1350 at Table Five
Thursday 07:00 to 15:00. We will have goons to pre- Nearly every penetration test begins addresses, domain names, certificate
If you lose it we cant help you, your seat will 1400-1550 at Table Six
register you for the workshop(s) of your choosing. the same way; run a NMAP scan, Lots of information is encoded on IDs, and public roots. The final product
be made available for those in standby. This demo shows the architecture and review the results, choose interesting electromagnetic radiation, especially is an application able to tell a user,
implementation details for WebSec, services to enumerate and attack, and WiFi. The aim of this project is to listen Are you being mitm-ed right now?
a dynamically scalable system that perform post-exploitation activities. to the WiFi bands (2.4gHz/5gHz) and
1 2 3 4 5 6 7 benefits from a modular architecture
that allows scalability to millions
What was once a fairly time consuming
manual process, is now automated!
see if we pick up anything interesting
during DEF CON. This presentation
LAMMA (BETA)
Operation Dark Intro to Memory Writing Your Raspberry Pi The Ins and Outs Hacking Network Pentesting ICS 101 Ajit Hatti
of endpoints that can be receiving will discuss the hardware decisions,
10:00 -14:00

Tangent: The DEF Forensics With First Exploit and Kali Deluxe of Steganography Protocols using Kali Automated Penetration Testing Toolkit
Arnaud Soullie hundreds of tests. WebSec addresses what software is used and how to 10:00 - 11:50 at Table One
CON Messaging Volatility Spy workshop (APT2) is an extendable modular
Rob Olson Chuck Easttom Thomas Wilhelm the need of scaling up to test multiple build and configure your own WiFi LAMMA Framework (beta) aims to be
Protocol (DCMP) framework designed to automate
Miguel Antonio Dallas & Sean & Todd Kendall sites, including some of those with the monitoring devices so you too can a comprehensive suite for Vulnerability
common tasks performed during
Eijah Guirao Aguilera Satterlee (ohm) top traffic and largest attack surfaces begin passive mass surveillance using Assessment & auditing of crypto,
penetration testing. APT2 can chain
on the Internet (like Bing and MSN) WiFi. And yes, we are listening. PKI and related implementations.
C/C++ Boot Camp Windows Breakout Hunting Malware at Raspberry Pi Use Microsoft Intrusion Prevention Open Source data gathered from different modules
and also identifying vulnerabilities in together to build dynamic attack
for Hackers and Privilege Scale with osquery and Kali Deluxe Free Security System (IPS) Evasion Malware Lab
MINIMEGA
15:00-19:00

connected applications that make use Written in Python, LAMMA an


Escalation Workshop Spy workshop Tools as a Ninja Techniques paths. Starting with a NMAP scan of extensible framework and supports
Eijah Sereyvathana Ty, Robert Simmons of online services for their functionality. the target environment, discovered David Fritz
Ruben Boonen & Nick Anderson, Dallas & Sean Simon Roses Thomas Wilhelm John Floren automated assessments at large
ports and services become triggers
Francesco Mifsud Javier Marcos de Satterlee (ohm) & John Spearing BOSCLONO
EN
RE-RFID for the various modules which in turn
scale. LAMMA has 4 different
Prado, Teddy Reed ALL IN can fire additional triggers. Have FTP,
10:00 - 11:50 at Table Four modules to cover major aspects
CLONING TOOLKIT Telnet, or SSH? APT2 will attempt minimega is a tool for setting up
large networks of virtual machines.
of Crpto-Implementations
Phillip Bosco common authentication. Have SMB? REMOTE Module : Tests a Server
1 2 3 4 5 6 7 APT2 determines what OS and looks It simplifies the process of specifying TLS/SSL configurations and Public
1200-1350 at Table Three & launching VMs, connecting them
for shares and other information. Certificate. It Checks for all known
Mobile App Attack : Car Hacking VoIP Wars: The Exploit Development Introduction to Introduction to XSS Remediation:
10:00 -14:00

The Boscloner is an All in One RFID Modules include everything from to networks, and managing the vulnerabilities from CRIME, BEAST
Taming the evil app! Workshop Live Workshop for Beginners - Sam x86 disassembly Penetration Testing virtual machines as your experiment
Mike Fauzy Cloning Toolkit designed to make RFID enumeration, scanning, brute forcing, to OFF by 20. + it has unique checks
Bowne & Dylan with Metasploit progresses. Emulate a full corporate
Sneha Rajguru Robert Leale & Fatih Ozavci Dazzle Cat Duo badge cloning during a penetration and even integration with Metasploit. like certificate timeline analysis
James Smith network complete with Windows
Nathan Hoch Georgia Weidman testing engagement trivial, accessible, Come check out how APT2 will save and detection of weak modulus.
and lightning fast. The Boscloners you time on every engagement. infrastructure, or replicate a portion
of the Internet, including the backbone CRYPTO Module : checks the various
Practical Android You CAN haz fun Analyzing Internet Nmap NSE Pragmatic Cloud Advanced Blind SQL core functionality set revolves around crypto primitives right from Random
O
SW
HA
ES
LP ZD
SE
C
14:00-18:00

Application with with cars! Attacks with development for Security: Hands- Injection Exploitation its ability to capture RFID badges from itself. minimega is faster and easier
Numbers, Private keys, HASHes
Exploitation
Javier Vazquez Vidal &
Honeypots offense and defense On Turbocharged
Edition
David Caissy
three feet away, automatically clone
the captured badge (in seconds!),
LCO than OpenStack and requires
essentially no configuration to set up. generated by any underlying framework
Dinesh Shetty & Ferdinand Noelscher Ioannis Koniaris Paulino Calderon Johanna Curiel It can even self-deploy itself across a (like Openssl, Java KeyTool etc) for
and allow the penetration tester to Ali Razmjoo Qalaei Quality, Backdooring & Sanity.
Aditya Gupta & Tom Sellers Rich Mogull cluster to expand your experiment.
reach into a pocket and pull out a
cloned and fully functioning badge 1600-1750 at Table Five TRUST Module : checks certificates
P
1 2 3 4 5 6 7
providing instantaneous access to
a restricted area. Access granted!
OWASP ZSC is an open source
software in python language which lets PK
EI
OPF
LO
ER THE in the trust stores of TPM, Browser,
Apps to find any pinned, un-trusted
certificates like SuperFish. It also
Guaranteed Security Cyber Deception: Brainwashing Taking a bite Ninja level Embedded Applied Physical With its open source nature, high you generate customized shellcodes Zeev Glozman
10:00 -14:00

(Session 1) Hunting advanced Embedded Systems out of Apple Infrastructure system design Attacks on and convert scripts to an obfuscated looks for stolen, insecurely stored
accessibility, and focus on furthering the 1400-1550 at Table Three private keys to avoid spreading
attacks with Monitoring Embedded Systems, security industry through community script. This software can be run on
Vivek Notani & Craig Young John Poulin RodrigoMaximiano of MASK APT like malware.
MazeRunner Introductory Version collaboration, the Boscloner has Windows/Linux/OSX under python. We are creating a public system
Roberto Giacobazzi Madhu Akula & Antunes de Almeida
become the new golden standard for that will monitor the public SSL SOURCE Module : Helps to
Dean Sysman Riyaz Walikar Joe FitzPatrick
RFID penetration testing engagements. infrastructure from user mobile or enforce Cryptography Review
Guaranteed Security Vulnerability Ready? Your Hands-on Fuzzing Android PCB Design Crash Physical Security desktop endpoints and alert users to Board recommendations of your
(Session 2) Assessment & Network is Being Cryptography Devices Course: A primer for Computing any intervention by a third party, be it
14:00-18:00

organisation. It uncover use of


Exploitation of Pwned NOW! with Python to designing your Systems, a Look state or non-state actor. We will be able weak/backdoored schemes like
Vivek Notani & Anto Joseph to detect and categorize those changes
Crypto-Systems own hacking tools. at Design, Attacks Dual_EC_DRBG in Junipers case.
Roberto Giacobazzi Robin Jackson Sam Bowne & as legitimate or illegitimate. This is
and Defenses
Ajit Hatti & Ed Williams Dylan James Smith Seth Wahle an open source tool using a peer-to- Best thing of LAMMA is, its a command
Steve Weingart line and completely Open Source tool.

28 29
VIRUSTOTALEGO EMO-TOOL/ H
HO
ON
NE
EY
YP
DY
B AND DATASPLOIT CRACKMAPEXEC DISEAPBLDEEBSUIGNGWLIETH CLOALKTIR
FA
YTION VISDUAFL NETWORK
Christian Heinrich OLDYELLE R/ Shubham Mittal @upgoingst Marcello Salvati ST EXFI AN ILE
R
SIMULATORRE-
ANSOMWA XMODE CODE TOOLSET F
Karl Hiramoto
1400-1550 at Table Five
Phillip Maddux
10:00 - 11:50 at Table Six
1200-1350 at Table Two

-Performs automated OSINT


1400-1550 at Table Four

CrackMapExec is your one-stop-


Ke Sun TryCatchHCF RO
URDE
RNASICS USING
Weston Hecker Ya Ou Ankur Tyagi
VirusTotal is a free service that 1400-1550 at Table One
HoneyPy is an extensible low to on a domain / email / username shop for pentesting Windows/
1200-1350 at Table Six 10:00 - 11:50 at Table Three 1600-1750 at Table Four
analyzes suspicious files and URLs medium interaction honeypot written / phone and find out relevant Active Directory environments! The Cloakify Toolset is a data
and facilitates the quick detection of Emo and Old Yeller are tools that in Python. It can be used as research information from different sources. Single step execution is a very exfiltration tool that uses text-based Rudra aims to provide a developer-
viruses, worms, trojans, and all kinds Written in Python and fully concurrent,
make your computer Immune to 26 or production honeypot and can important debug function in modern steganography to hide data in plain friendly framework for exhaustive
of malware. Maltego performs link -Useful for Pen-testers, Cyber it allows you to enumerate logged
different variants of Ransomware easily be integrated with other tools computer programming for effective sight, evade DLP/MLS devices, perform analysis of pcap files (later versions will
analysis of actionable Open Source Investigators, Product companies, etc. on users, spider SMB shares, execute
including SAMSAM Locky Cryptowall for alerting and analysis (e.g. Slack, and efficient trouble shooting. How social engineering of SecOps analysts, support more filetypes). It provides
INTelligence (OSINT) A set of Maltego psexec style attacks, auto-inject
and Cryptolocker. these tools use Twitter, Splunk, Elastic Search, etc). -Correlates and collaborate the results, to stop single step is also a critical and evade AV detection.Very simple features to scan pcaps and generates
Remote/TDS Transforms have been Mimikatz/Shellcode/DLLs into
sandbox evasion methods built into the show them in a consolidated manner. research topic from anti-debug tools, powerful concept, proven in real- reports that include pcaps structural
created which integrate with the HoneyDB is a web site that collects memory using Powershell, dump the
malware against its self Emo makes perspective. During the research of world ops. Too many secure enclaves properties, entropy visualization,
VirusTotals Public and Private APIs. data from HoneyPy sensors on the -Tries to find out credentials, api-keys, NTDS.dit and much much more!
malware kill itself Oldyeller makes you xmode code obfuscation ,we found rely solely on the combination of AV + compression ratio, theoretical minsize,
Internet and publishes this data in an tokens, subdomains, domain history,
a very interesting point that WinDbg Automated Data Inspection + Analyst
ADS
DE
RC
OI
UD
R-
crash your own system upon infection. etc. These help to know type of data
DNS ANALYSE easy to consume format via APIs. legacy portals, etc. related to the target.
IN EBANK is not able to properly carry out Review to prevent data exfiltration. embedded in network flows and when
John Heise DEEB
PAC
LK
OOE
KND BURPSMARTBUSTER -Available as single consolidating single step command under certain This toolset easily defeats them all. combined with flow stats like protocol,
AT tool as well as standalone scripts. Dinesh Shetty situation. We wonder whats the reason Yara and shellcode matches eventually
1400-1550 at Table Two
SYSTEMS OF Patrick Mathieu
-Available in both web 1200-1350 at Table One behind it, is it a WinDbg bug or due help an analyst to quickly decide if a
Want to know who was patient zero THE FUTUREDOF 1600-1750 at Table One GUI and Console. This is a major update to one of my
to something else? We made in-depth test file deserves further investigation.
from that recent phishing campaign? CREDIT CAR Bruteforcing non-indexed data is previous projects - InsecureBank.
investigation to answer these questions.
OXML XXE
FRAUD D
CI
ORMTMSSIVM2PL(EDSC2)
Or what about whats going This open-source project will
through that ssh tunnel? DNS is an often use to discover hidden files This vulnerable Android application is
Weston Hecker and directories which can lead to named InsecureBankv2 and is made demonstrate how to disable single Willis Vandevanter
integral part of all internet traffic both step debugging in WinDbg with xmode
benign and malicious, despite this it 1600-1750 at Table Six information disclosure or even Tyler Oderkirk for security enthusiasts and developers 1600-1750 at Table Two
a system compromise when a Fullstack Computer Security Engineer to learn the Android insecurities by code. We will also reveal the details of
can be ignored as a part of network this issue from system perspective. The tool assists the user in inserting
Taking a deeper look at the future of backup file is found. This bruteforce Scott Carlson testing this vulnerable application. Its
monitoring in favor of more active XML based exploits (e.g. XXE)
credit card fraud platforms including technique is still useful today, but Systems Engineer (Mechatronics) back-end server component is written
protocols such as HTTP. This is a into different file types.The goal is
custom built carder site for sale the tools are lacking the application in python. The client component i.e.
major mistake as a large amount of 10:00-11:50 at Table Five to programmatically test for XML
of live skimmed data, Designing a context and arent using any smart the Android InsecureBank.apk can be
intelligence can be gathered from this based attacks in web applications or
Blockchain style deliver systems behaviour to reduce the bruteforce Secure decentralized wireless text downloaded along with the source.
single source, dns traffic can easily be software that allow for file imports.
for live credit card data to Cash out scanning time or even be stealthier. messaging using the Raspberry
used to determine information about
devices. building a banking and credit BurpSmartBuster, a Burp Suite Plugin Pi Zero and LoRA modulation
hosts and users on a network and an
processor back end from scratch. offers to use the application context in the 900MHz band
essential tool for defending a network.
The DMVPN network design of the and add the smart into the Buster!
Utilizing packet sniffing libraries,
open source queueing and storage
Carder site back end building Lacara
and automating credit card cash out This presentation will reveal this new CUCKOODROID 2.0
projects a flexible monitoring runs the devices behind the attack. open-source plugin and will show Idan Revivo
system can be assembled relatively practical case of how you can use 10:00 - 11:50 at Table Two
easily. With this tool in hand and
some simple RPZs a security
GRAYLOG this new tool to accelerate your Web
pentest to find hidden treasures! To combat the growing problem of
Lennart Koopman The following will be covered: Android malware, we present a new
engineer can have more impact
solution based on the popular open
than most network analysis and 1600-1750 at Table Three
- How to add context to a source framework Cuckoo Sandbox
prevention products on the market. Graylog is a free and open source web bruteforce tool to automate the malware investigation
This presentation will cover a walk log management tool, aiming to be - How we can be stealthier process. Our extension enables the
through of a design for dns monitoring an affordable alternative to many use of Cuckoos features to analyze
system, then how that system can be expensive commercial solutions. - How to limit the number of requests: Android malware and provides new
used to watch for malware traffic, Focus only on what is the most critical functionality for dynamic and static
exfiltrating data on dns, and peering - Show how simple the code is and how analysis. Our framework is an all in
into ssh tunneled traffic, and finally you can help to make it even better. one solution for malware analysis on
how this system can be used to feed Android. It is extensible and modular,
RPZ as a defensive mechanism. allowing the use of new, as well as
existing, tools for custom analysis.

30 31
system built with deep learning at the gamify the approach? An attackers Lets go beyond the MCSE and take a and optionally ubertooth hardware. If
MA1C:HIP
NW
ENIDNUGPING core, and exploring the difficulties approach, a defenders approach different perspective on the standard you have ever wondered why no one HACKEM
RENTALS DEN
FEL
CON 101 DEF CON than there was in the
10 in attacking systems in the wild. We and a progressive life cycle with a AD recon and attack tactics. released an effective tool to see all FUNDA PA past and it is our goal to help you
D
SE
YESP LSEARNING will introduce a tool that helps deep defenders set of targets built on things the bluetooth in the area then come AND CG
UH
TTING get the best experience possible. In
TEM W THROU Mike Petruzzi (wiseacre) addition to introducing each of the
FE
EAPU
OR
NI
EZE
COY
DO
EU
SR
learning hackers generate adversarial we all know, love and hate: project by, learn a little, and leave with a tool
Clarence Chio content for arbitrary machine learning management. I think we have a game! AT you have always wanted. Blue Hydra ABSTRACTION Ryan Clark (LosT)
CrYpT
different aspects and areas of DEF
CON, we have a panel of speakers
ML Hacker systems, which can help make models Nicholas Rosario (MasterChen) will discover and track bluetooth LosT HighWiz that will talk about how they came
Build out rules, much like real life,
more robust. By discussing defensive and bluetooth low energy devices Jay to be part of DEF CON and their
10:00 in DEF CON 101 Track then bring on the attackers, bring VoIP Administrator 15:00 in DEF CON 101 Track
measures that should be put in in the area, regardless of being in Nikita Kronenberg
personal experiences over the years.
on the defenders and play a little
Deep learning and neural networks place to prevent the class of attacks 13:00 in DEF CON 101 Track discoverable mode, and tracks data Continuing the series of hacker
game to educate, demonstrate and 16:00 in DEF CON 101 Track Oh yeah, there is the time honored
have gained incredible popularity demonstrated, we hope to address Almost everyone is familiar with feature (bluetooth version, services, etc) as foundational skills, YbfG jvyy nqqerff
evangelize. Watch strategies played Name the Noob, lots of laughs and
in recent years. The technology has the hype behind deep learning from codes, also known as star codes, such well as meta-data (signal strength, shaqnzragny fxvyyf gung rirel unpxre DEF CON has changed for the better
by both attackers and defenders. maybe even some prizes. Plus, stay for
grown to be the most talked-about the context of security, and look as *67 to block caller ID or *69 to timestamps) over time. We will be fubhyq xabj. Whfg sbe sha jr jvyy since the days at the Alexis Park. It has
Switch sides and learn to be a Purple the after party. Seriously, there is an
and least well-understood branch towards a more resilient future of find out who called you last. What if going over how bluetooth operates nyfb tb sebz gur guerr onfvp ybtvp evolved from a few speaking tracks to
Teamer! Digitize it and watch the after party. How awesome is that?
of machine learning. Aside from its the technology where developers can the feature codes could be used as a on a high level, and how we were tngrf gb n shapgvbany cebprffbe juvyr an event that still offers the speakers,
game play people or even play itself;
highly publicized victories in playing use it safely in critical deployments. weapon? Caller ID spoofing, tDOSing able to discover and track nearby enpvat n pybpx. Qb lbh xabj ubj n but also Villages, where you can get
the true rise of the machine.
Go, numerous successful applications (Call flooding), and SMS flooding are devices. A deep understanding of cebprffbe ernyyl jbexf? Jul qb lbh hands-on experience and Demo Labs
of deep learning in image and speech MAELSTROM - Wanna Play?! known attacks on phone networks, the bluetooth protocol was not pner? Pbzr svaq bhg. Bu, naq pelcgb. where you can see tools in action. Of
recognition has kickstarted movements ARE YOU P L AYING BE Y ONDRE
TD
HE but what happens when they become needed to develop Blue Hydra (we course, there is still the Entertainment
to integrate it into critical fields like WITH A FU L L MC S E: as easy to launch as dialing *40? stood on the shoulders of giants) and Contest Area, as well as Capture
medical imaging and self-driving cars. DECK?D:EVUESLING A TERAEMC
IN
and will not be required to use Blue The Flag. There is so much more to

TG
In the security field, deep learning NEWLY OPED ACTIVE Weaponize Your Feature Codes will Hydra or understand its output.
has shown good experimental results ATTACK LI F E DI ORY first take the audience through a brief
history of feature codes and common
in malware/anomaly detection, APT
protection, spam/phishing detection,
CYCLE GA MEE, Sean Metcalf usage, and then demonstrate the more
and traffic identification. This DEF CON
TO EDUCA T Founder & Security Principal, Trimarc
nefarious applications. The presentation
D
EE
101 session will guide the audience MN
OG
NE
SL
TI
RZAET.E AND will share the Asterisk code used to
through the theory and motivations VA 12:00 in DEF CON 101 Track

Active Directory (AD) is leveraged by


implement these rogue features, and
behind deep learning systems. We Shane Steiger, Esq. mention possible ways of mitigation.
look at the simplest form of neural CISSP, Chief Endpoint Security 95% of the Fortune 1000 companies While this talk builds upon previous
networks, then explore how variations
Architect for its directory, authentication, and work from the author, referenced in
such as convolutional neural networks management capabilities, so why do past DEF CON presentations, the
11:00 in DEF CON 101 Track
and recurrent neural networks can be red teams barely scratch the surface new code written makes carrying
used to solve real problems with an As a defender, have you ever been when it comes to leveraging the data out such attacks ridiculously easy
unreasonable effectiveness. Then, we asked do they win? How about it contains? This talk skips over the
demonstrate that most deep learning what products or capabilities should standard intro to Active Directory fluff
and dives right into the compelling
RE ALTIOMOETH
systems are not designed with security I buy to even the odds? Mapping
offensive information useful to a Red
BL UET
DETVH
ICE
BLD UEETE
HC
YT
DI
ROAN
and resiliency in mind, and can be the functionality to a standard list
of desired capabilities only gets you Teamer, such as quickly identifying
duped by any patient attacker with
a good understanding of the system. so far. And, many vendors require an target systems and accounts. AD WI
organization to pay for a framework, can yield a wealth of information Zero_Chaos
The efficacy of applications using
machine learning should not only be or for access to a framework, to if you know the right questions to Director of Research and Development,
Pwnie Express
measured with precision and recall, enable tactical and strategic campaigns. ask. This presentation ventures into
areas many didnt know existed and Granolocks
but also by their malleability in an Wouldnt it be great to have an open All the Things, Pwnie Express
adversarial setting. After diving into source way to pick strategies? So leverages capability to quietly identify
popular deep learning software, we what do you do? Build out your own interesting accounts & systems, 14:00 in DEF CON 101 Track
show how it can be tampered with to defensive campaigns based on research, identify organizations the target
company does business with regularly, We are releasing a new tool for
do what you want it do, while avoiding taxonomies and gameification. Building
build target lists without making discovering bluetooth devices and
detection by system administrators. the attackers point of view is our
a sound, abuse misconfigurations/ automatically probing them for
expertise (at a CON). We have plenty
Besides giving a technical existing trusts, and quickly discover information. Effectively we have
of research here to talk about that
demonstration of deep learning and its the most interesting shares and their created a new tool with an airodump-
point of view. How about building out
inherent shortcomings in an adversarial location. PowerShell examples and ng like display for nearby bluetooth
the defenders point of view based on
setting, we will focus on tampering real AD defense evasion techniques are and bluetooth low energy devices.
the attackers life cycle? Defenders can
systems to show weaknesses in critical provided throughout the talk. We will discuss the challenges with
use this as a defensive compliment to
systems built with it. In particular, this finding bluetooth devices, as well as
begin a legitimate defensive campaign.
demo-driven session will be focused how we have overcome them using
Maybe the defender could even
on manipulating an image recognition both standard bluetooth adapters

32 33
which was completed August 4th. program profanity, such as turing PEs non-profit organization to address should use to stay safe (or that large past. In particular, Tors security relies that allows monitoring/altering
FEDS AND 0E
DAYS: Seven high performance computers into ELFs, functional scripting of sshd COMPELLEODN - this issue. This effort, known as CITL, purchase you made for your industrial on the fact that a substantial number of code execution at a high rate
FROM BEFOR will have completed an all-machine in memory, stealing crypto routines DECRYPTI is akin to Consumer Reports in its control systems)? Well, you can of its nodes do not misbehave. with several distinct advantages.
H
AE
FA
TR
ET
RBL
FEE-
DAPTPOLE Capture the Flag contest, reverse without even disassembling them, STATE OF THE methodologies. While the media has finally see if you chose a hard or soft
BI A
PERVERSIONSRINAL
engineering unknown binary software, among other things that were never RT IN DO CT dubbed it a CyberUL, there is no target with the data to back it up.
Previous work showed the existence
of malicious participating Tor relays.
Full context (registers, stack &
system state) hooking can be logged
Jay Healey authoring new IDS signatures, probing supposed to work. All the above focus on certifications or seals of
For example, there are some Exit without needing to know a function
Senior Research Scholar, Columbia
University
the security of opponent software,
and re-mixing defended services
techniques have been implemented
into the Wichcraft Compiler
Ladar Levison
Founder, Lavabit, LLC.
approval, and no opaque evaluation
metrics. Rather, like Consumer Reports,
MEET THE FEDS nodes that actively interfere with prototype and changes to execution
Jonathan Mayer users traffic and carry out man-in-the- flow can be made as desired.
10:00 in Track 1 with machine-generated patches and Collection, to be released as proper the goal is to evaluate software Chief Technologist, Enforcement Bureau,
11:00 in Track 1 middle attacks. In this work we expose
defenses. Come hear about what open source software (MIT/BSD-2 according to metrics and measurements Federal Communications Commission Traditional detours like hooking
Does the FBI have to tell Apple of the another category of misbehaving Tor
transpired at CGC, and learn which licenses) exclusively at DEF CON 24. Get mirandized for an encrypted that allow quantitative comparison Lorrie Cranor requires a length disassembly
vuln it used to break their iPhone? relays (HSDirs), that are integral to
team will be taking home the $2M world. This talk will cover the legal and evaluation by anyone from a Chief Technologist, Federal Trade engine than direct binary .text
the functioning of the hidden services
How many 0days every year go into grand prize, as well as the $1M second BSODS
OC
MH
II
ZE
EV
ROUHSD: doctrines and statues our government layperson, CFO, to security expert. Commission
and the dark web. The HSDirs act as
segment modifications to insert
the NSA arsenal dozens, hundreds place and $750K third place prizes. A MI is perverting to compel individuals
How? A wide range of heuristics
Ed Felten
the DNS directory for the dark web.
an intended hook (no changes to
or thousands? Are there any grown-ups
INT RO DUH
CC
TI ON FPGAFO
AR
NM
DF HO
DR
MI into decrypting their data, or conscript
that attackers use to identify which
Deputy United States Chief Technology
Because of their nature, detecting
binary needed with EhTrace).
in Washington DC watching over FBI
or NSA as they decide what vulns THE WIC RAFT PLAT technology companies into subverting
targets are hard or soft against
Officer, White House Office of Science
and Technology Policy their malicious intent and behavior Block/Branch stepping enables a
to disclose to vendors and which to COM P ILER THE (M)ASSES the security of their own products.
Well survey the arguments being
new exploitation has been codified,
11:00 in 101 Track
is much harder. We introduce, the simplification of analysis code (does not
Joe Grand (Kingpin) refined, and enhanced. Some of these concept of honey onions (honions), need to do a full procedure/function
keep to themselves? These are all
key questions which have dominated
COL L ECTIOSN Grand Idea Studio
advanced by prosecutors, the resulting
techniques are quite straightforward The federal government is increasingly a framework to detect misbehaving graph recognition/traversal). This will
so much of 2016, yet theres been
: T O WARD Zoz
case law, and the ethical dilemmas facing
and even broadly known, while addressing policy issues that intersect Tor relays with HSDir capability. By feature focus on the use of VEH and
U
TN
HI
EVFETRSAL CODE
technology companies. The session will
relatively little reliable information
Hacker others are esoteric tradecraft. with technologyespecially security setting up and deploying a large scale the DR7 backdoor in x64 Windows.
cover the rights and civil liberties weve
for us to go on, to learn what the To date, no one has applied all of and privacy. This session explains how honion over Tor for more than 72 days,
10:00 in 101 Track already lost, and review the current In a nutshell, EhTrace enables very good
Feds are up to and whether it passes Jonathan Brossard (endrazine) these metrics uniformly across the government is responding, including we are able to obtain lower bounds
threats to our collective freedoms. performance, in proc debugging and a
any definition of reasonableness. Master of Darkness, MOABI.com At DEF CON 16 in 2008, we released an entire software ecosystem technology leaders from the Federal on misbehavior among HSDirs.
Well cover what an individual needs to dead simple RoP hook primitive. Some
the original BSODomizer (www. before and shared the results. Communications Commission, the
Based on open-source research and 10:00 in Track 3 know if they want to avoid compelled We propose algorithms to both neat graphics and visualizations will
bsodomizer.com), an open source Federal Trade Commission, and the
interviews with many of the principal decryption, and keep their data private. For the first time, a peek at the Cyber estimate the number of snooping be made some of the early examples
With this presentation, we take a VGA pranking tool and introductory White House Office of Science and
participants, this talk starts with the Well also discuss strategies that third Independent Testing Labs metrics, HSDirs and identify them, using up at https://github.com/K2/EhTrace
new approach to reverse engineering. hacking platform for the multicore Technology. After an overview of recent
pre-history starting in the 1990s before parties (friends, f/oss developers, and methodologies, and preliminary results optimization and feasibility techniques.
Instead of attempting to decompile Propeller micro-controller. Hours of policy initiatives, and an explanation of This novel implementation for
examining the current process and technology companies) can use to from assessing the software quality and Our experimental results indicate
code, we seek to undo the work of productivity were replaced with rage opportunities for public service, this hookers establishes a model for
players (as it turns out, NSA prefers to resist conscription and build trust inherent vulnerability in over 100,000 that during the period of our work at
the linker and produce relocatable and frustration as unwitting computer session will consist of an extended small purpose built block-fighting
discover their own vulns, CIA prefers through transparency. Because knowing binary applications on Windows, least 110 such nodes were snooping
files, the typical output of a compiler. users were confronted with fake Q&A. Its your opportunity to meet primitives to be used in order to
to buy). The current process is run your rights, is only half the battle. Linux, and OS X will be revealed. information about hidden services
The main benefit of the later technique Blue Screens of Death and revolting the feds and ask them anything. analyze & do battle, code vs. code.
from the White House with a bias to All accomplished with binaries only. they host. We reveal that more than
ASCII art. But, the world has changed.
disclose driven by a decision by the
over the former being that it does
work. Once achieved universal code The machines have risen in capability. PROJECT CITL Sometimes the more secure product is
actually the cheaper, and quite often the HONE Y OGNIONS: half of them were hosted on cloud
infrastructure and delayed the use of
As a special bonus round 3 FIGHT!
we will see a hypervisor DoS that
President (in because of the Snowden reuse by relinking those relocatable HDMI is the graphical transmission Mudge Zatko
security product is the most vulnerable. EXPO SIN the learned information to prevent will cause a total lockup for most
S
HN
SOORPIN
RG
ELT
revelations). The entire process was objects as arbitrary shared libraries, protocol of choice and hacking with Director, CITL
OS
R easy traceback. Furthermore, we hypervisors (100%+ utilization
made public when NSA was forced
to deny media reports that it had
well create a form of binary reflection,
add scripting capabilities and in memory
micro-controllers is standard issue.
The as-seen-on-HDTV duo of Joe
Sarah Zatko
CHief Scientist, CITL
There are plenty of surprises like
these that are finally revealed through
DI AY provide the geolocation map of the per CORE). This goes to show
prior knowledge of Heartbleed. Guevara Noubir identified snooping Tor HSDirs. that emulating or even adapting a
debugging using a JIT compiler, to Grand and Zoz return with the next 11:00 in Track 2 quantified measurements. With
generation of mischievous hardware, this information, organizations and
Professor, College of Computer and
hypervisor to a full CPU feature
DARPA CYBER attain automated API prototyping
and annotation, which, we will argue, a device that supplants or captures Many industries, provide consumers consumers can finally make informed
Information Science, Northeastern
BLTOHCKA
FIGHTING set is exceedingly hard and its
G University
WI
AWARD CEREL
RAND CHALME
ON
NG
YE any inline HDMI signal in a discreet, with data about the quality, content, purchasing decisions when it comes unlikely that a sandbox/hypervisor/
constitutes a primary form of binary Amirali Sanatinia
H
BO
LOOKCE
KR
FIG-H-TER2!
pentest-worthy package. BSODomizer and cost of ownership of products, but the security of their products, and emulator will be a comprehensive
code self awareness. Finally, well PhD candidate, College of Computer
HD is an FPGA-based system that the software industry leaves consumers measurably realize more hardened and Information Science, Northeastern solution to evade detection from
Mike Walker see how abusing the dynamic linker
not only improves on the graphics with very little data to act upon. In fact environments. Insurance groups
University adversarial code for some time.
DARPA Program Manager internals shall elegantly solve a number K2
Dr. Arati Prabhakar of complex tasks for us, such as calling interception and triggering features of when it comes to how secure or weak are already engaging CITL, as are 12:00 in Track 1 Director, IOACTIVE
Lets have some fun blockfighting
DARPA Director a given function within a binary without its predecessor, but can now capture a product is from a security perspective, organizations focused on consumer with some loose boxed hookers!
having to craft a valid input to reach it. screenshots of a target system and there is no meaningful consumer facing safety.Vendors will see how much Tor is a widely used anonymity 12:00 in Track 2
network that protects users privacy
C
SA
EN
10:00 in Track 2
The applications in terms of
also provides a fully open design that data. There has long been a call for
the establishment of an independent
better or worse their products are in
and and identity from corporations,
Whats your style of hooking? ITHP
AL
ZZ?
CAR
On Friday morning, August 5th, DARPA
will announce the prize winners and
vulnerability exploitation, functional
you can use for your own experiments
into the mystical world of massive, organization to address this need. Last
comparison to their competitors. Even
exploit developers have demonstrated agencies and governments. However,
My hooking Style? Its like
hooking without hookers.
CRE
testing, static analysis validation and customizable arrays of digital logic. Well year, Mudge (from DARPA, Google, that these results enable bug-bounty Tor remains a practical system with a Javier Vazquez Vidal
recognize the parties responsible for The use cases for hooking code
more generally computer wizardry guide you through the process of going and L0pht fame) announced that arbitrage. That recommendation you variety of limitations, some of which Hardware Security Specialist at Code
building and competing in the Cyber execution are abundant and this White Gmbh
being tremendous, well have fun from lamer zero to hacker hero with after receiving a phone call from the made to your family members last were indeed exploited in the recent
Grand Challenge (CGC), the worlds topic is very expansive. EhTracing
demoing some new exploits in real FPGAs, while savagely fucking with a White House he was leaving his senior holiday about which web browser they
first all-machine hacking tournament, (pronounced ATracing) is technique
life applications, and commit public few unfortunate friends along the way! position inside Google to create a

34 35
mid-2014, we realized that ELK lacked to be data driven. DNS queries are a to broaden its capabilities to protect All the details discussed here Previous research has demonstrated there is no single add-on to designs
Ferdinand Noelscher
necessary functionality for real-time material source of intelligence about CHEAPNGTOHOELASVYFOR consumers. Come learn about the are collected from a sample city, that SSDs do not always behave in an that will fix this case. This talk presents
Information Security Specialist at Code
White Gmbh
alerting. We needed a solution that domainer opportunities and operations, HACKI policy responses to the rise of the but the same methodology and equivalent manner to magnetic hard three very different systems and how
12:00 in Track 3 would provide a robust means of and also help us to understand the TRUCKS machines, the FTCs cases and research concept can be applied to most of drives, however, the scope of these they each handle resilience despite
querying ELK and enrich the data operational constraints around Six_Volts initiatives, and how you can help. the smart cities in the world. differences and the conditions that malicious participants. The problems,
The CAN bus is really mainstream, with additional context. We ended potentially combating domainers, Research Mercenary lead to this behavior are still not well and the solutions, are very different. The
and every now and then there are up creating our own framework to should we want to do so. In this Haystack (ATBI)EUSSINTGHESMDAARRTK HOW TO MAKE understood. This basic, undeniable important message of this talk is that
new tools coming out to deal with it. give us this functionality. Weve named presentation co-authored with Farsight Vehicle Data Ninja
CI : YOUR OWN DEF anomaly regarding file storage there is no one solution, and that this
Everyone wants to control vehicles this open-source framework 411. We Security Scientist Dr. Joe St Sauver, 12:30 in Track 3 AG E O F M ODE R N CON BLACK BADGE and recovery begs one simple, yet case must be considered in designs.
and already knows that you can make
the horn honk by replaying that frame
designed 411 as a solution for detecting
and alerting on interesting anomalies
Farsight Security CEO Dr. Paul Vixie
will scrutinize failed DNS queries There has been much buzz about car
MOBILITY Mickey Shkatov
Intel Advanced Threat Research
critical question: can the data being
mined for evidence be trusted? A MKOLNYI:TOR
Matteo Beccaro
you captured. But is this all that there and security events. The Security (NXDOMAINs), looking for the hacking, but what about the larger
CTO, Opposing Force Michael Leibowitz This talk presents research on the DAR
is on this topic? Reversing OEM and team at Etsy was interested in using same opportunities that a domainer heavy-duty brother, the big rig? Heavy
Matteo Collura Senior Trouble Maker
forensic implications of SSDs from REV E R STIINNGGAND
third party tools, capturing firmware this functionality to detect everything or typo squatter would (although trucks are increasingly networked, Electronic Engineering Student, Joe FitzPatrick one of the most comprehensive EXP L O I
update files on the fly, and hijacking
Security Sessions on a bus are just a
from XSS to monitoring for potential we will not be acting on that data connected and susceptible to attack.
Networks inside trucks frequently
Politecnico di Torino Instructor & Researcher,
studies to date. The goal of this study UBIQEUEINT-ODUISSPON-
few examples of things that can be
account compromises. First, well start by actually registering domains).
use Internet connected devices even
SecuringHardware.com
was to demonstrate and quantify SCR LAYN
done as well. For this and more, we
off with a discussion of what you should
be logging into Elasticsearch. This is
Dr.Vixie will discuss two primary types on safety-critical networks where
13:00 in Track 2
Dean Pierce
differences across a sample pool of CON T R O L L E RS I
will introduce to you the CanBadger! important to help you create useful,
of behavior: 1) Volumetrically-driven
typo-squatting, which Dr.Vixie will
access to brakes and engine control
Since these last few years our world
has been getting smarter and smarter.
Security Researcher, Intel
Jesse Michael
drives in an array of tests conducted
in a controlled environment. These
MODERN MONITORS
Its not just a logger, neither an injector. actionable alerts in 411. Well note a is possible. Unfortunately, tools for We may ask ourselves: what does Security Researcher, Intel Ang Cui
Its a reversing tool for vehicles that measure by computing the volume doing analysis on heavy trucks are tests explored the variations between PHD, CEO & Chief Scientist, Red Balloon
number of configuration tips and tricks smart mean? It is the possibility of Kenny McElroy
allows you to interact in realtime of NXDOMAINs seen by domain expensive and proprietary. Six_Volts drive firmware, controllers, interfaces, Security
to help you get the most out of your building systems which are nodes of
Hacker
with individual components, scan a during a 24 hour period, and the time and Haystack have put together a set operating systems, and TRIM state. Jatin Kataria
ELK cluster. From there, well dive into a more complex network, digitally
bus using several protocols (yup, UDS between popular typos appearing in of tools that include open hardware 13:00 in Track 3 Principal Research Scientist, Red
411s features and how it allows the connected to the internet and to the Further observations revealed Balloon Security
is not the only one) and perform a NXDOMAINs and those same domains and software to make analyzing these
Etsy security team to work effectively. final users. Our cities are becoming Yes, we did, we made our own DEF that some drives behaved nearly Francois Charbonneau
series of tests that no other tool offers. being registered and actually used, beasts easier and more affordable.
Well conclude with two demos of 411 one of those networks and over CON black badges. Why? Because identical to the control drive, while Research Scientist, Red Balloon
The CanBadger is where the real fun and 2) Domainers programmatically
in action. This presentation will show time more and more elements are we didnt want to wait in line ever others showed that the prospects Security
begins when dealing with a vehicle, you several examples of useful searches
exploring permutations of domains
RESEARCH OENS: getting connected to such network: again Not really. We are a bunch of recovering deleted data was
and you can build it under $60USD! you can build in 411 and how this data
around high value domains, probing for
available domains and automatically
THE MACHIN from traffic lights to information of hackers that always look for a significantly reduced. This presentation
14:00 in Track 2
If you are already done with replaying can be manipulated to generate clear,
registering the most promising probed HELP TT
HEPR
FITVCACY signs, from traffic and surveillance challenge, and what better challenge is will demonstrate these differences There are multiple x86 processors
frames on the CAN bus and want to
learn how that fancy chip-tuning tool
actionable alerts. Well demonstrate
the built-in workflow for responding
domains discovered to still be available. PROTEC
& SECURITY cameras to transport systems. there than to try and reverse engineer
from scratch three DEF CON black
and provide a framework to allow
forensics investigators to determine
in your monitor! OSD, or on-screen-
display controllers are ubiquitous
deals with your car, or simply want to Both of these hypothesized behaviors This last element, also called as Smart
to alerts and how 411 allows you to badges? In this talk we will go through the likelihood of successful deleted components in nearly all modern
get Security Access to your vehicle should be externally observable Terrell McSweeny Mobility is the subject of our analysis,
pull up additional context as you work the 2 year long process of making file recovery from an evidence monitors. OSDs are typically used
without caring about the security key and thus able to be confirmed by Commissioner, Federal Trade Commission
divided in three sub-element, each
on an alert. Additionally, while much of Lorrie Cranor the DC14, DC22 and DC23 Black bearing solid state drive. to generate simple menus on the
or algorithm, we are waiting for you! watching a real-time stream of one describing a different method
our discussion will be centered around Chief Technologist, Federal Trade badges which include amazing hacking monitor, allowing the user to change
NXDOMAIN errors, and a real-time
411R
:MAAN
FA
RG
AIMNEGWORK ELK, 411 can in fact be used with a
stream of newly observed, actually-
Commission of transport in our city: Private techniques like social engineering, HOSWTRTIOBUDTEESDIGN settings like brightness, contrast and

FO variety of data sources (Several of these


registered domains, as available from
transport: for this method we analyze patience, reverse engineering, EAGLE DI input source. However, OSDs are

SECURITY ALERTS
sources are built into 411). Whether
the Security Information Exchange.
13:00 in Track 1 the smart alternatives aimed to make
parking activity easy, hassle free and
trickery, head to desk banging and SY STLEIMESNT effectively independent general-purpose
youre a newbie looking to learn Machines are getting smarter so
more convenient Shared transport:
hoping it is passable to a goon and RE SI computers that can: read the content
Kai Zhong more or a security veteran with an Dr. Paul Vixie will experimentally consumer protection enforcers like the
we focus our attention on those
not shameful to DT, 1057, and Joe. DE SPC
IITOEUS of the screen, change arbitrary pixel
Application Security Engineer, Etsy established system, 411 will help change
the way you handle security alerts.
confirm these hypothesized Federal Trade Commission need to get
systems which are sharing transport 101ORS E N TI-ENDTO MA LI values, and execute arbitrary code
Kenneth Lee
Senior Security Engineer, Etsy
relationships and describe examples
of (1) the most commonly observed
smarter too. The FTC is the lead federal
agency for protecting the privacy vehicles. In particular we deal with ST A G E PARTICIPANTS supplied through numerous control
channels. We demonstrate multiple
FRONTRUNNING types of typographical errors, (2) the rights and data security of American bike sharing which seems to be the SSNDDS OHFAVTEHEAIR Radia Perlman methods of loading and executing
12:00 in 101 Track
THE brands apparently most-targeted for consumers. In the last year, it brought most wide spread system in European
MI EMC Fellow
arbitrary code in a modern monitor
Modern web applications generate
a ton of logs. Suites like ELK
FRONTRUNNERS squatting, (3) the distribution of delays
from NXDOMAIN detection to
several enforcement actions against
companies for violating consumer
cities Public transport: object of our
analysis for this section is the bus,
OWN? 14:00 in Track 1 and discuss the security implication
of this novel attack vector.
Dr. Paul Vixie metro and tram network The aim Tom Kopchak Often distributed systems are
(Elasticsearch, Logstash, Kibana) exist CEO and Co-founder, Farsight Security, observed domain use, (4) the potential privacy and data security and launched
relationship between NXDOMAIN of our analysis is understanding the Director of Technical Operations,
considered robust if one of the We also present a thorough analysis of
to help manage these logs, and more Inc. new initiatives PrivacyCon, Start with Hurricane Labs
an OSD system used in common Dell
volume thresholds and TLD cost. ecosystem which each element belongs components halts. But a failure
people are turning to them for their Security, and a new Office of Technology monitors and discuss attack scenarios
12:30 in Track 1 Dr.Vixie will also explain how this to and performing a security evaluation 13:00 in 101 Track mode that is often neglected is
log analysis needs. These logs contain Research and Investigation to improve ranging from active screen content
information illuminates opportunities of such system. In this way the most when a component continues to
a treasure trove of information While some domainers allegedly its capabilities and responsiveness Solid state drives drives are manipulation and screen content
for tackling these types of domain name plausible attack and fraud scenarios operate, but incorrectly. This can
regarding bad actors on your site, but brainstorm ideas for new domains to new threats to consumer privacy fundamentally changing the landscape snooping to active data exfiltration
abuse. Time will be reserved for Q&A. are pointed out and the presence of happen due to malicious intentional
surfacing that information in a timely to register while taking a shower, the and security. But the FTC needs your of the digital forensics industry, using Funtenna-like techniques. We
proper security measures is checked. compromise, or simple hardware faults,
manner can be difficult. When Etsy more successful domain portfolio help. Today it is announcing a call for primarily due to the manner in which demonstrate a multi-stage monitor
misconfiguration, or bugs. Unfortunately,
moved over from Splunk to ELK in managers, working at scale, are believed research on specific topics in order they respond to the deletion of files.

36 37
implant capable of loading arbitrary noted privacy and civil liberties We will present the fundamental Assisted emulators can be a fun way to parts means more attack surfaces!
A
AN
FTI-FORENSICS
code and data encoded in specially advocate Jennifer Granick told the THE ROERMPOHTI
EC difference between metamorphic learn the basics of discovering security BRT
EE
ARKI N G TH E Alongside the talk, we are releasing
crafted images and documents story of the Internet utopians, people META M and polymorphic techniques used vulnerabilities. After a brief overview IN N E T O F the Weevil suite of tools to enable
through active monitor snooping. int0x80 (of Dual Core) who believed that Internet technology ENT
GINCET:ING, to evade AV compared to the ones of video game emulators and the tools VIBRG
AT ING you to simulate and control We-Vibe
This code infiltration technique can Hacker
could greatly enhance creative and DE E that can be used to resist RE. We they offer, Ill show a live demo of how THIN S : WRHEAVTERWSEE compatible vibrators. We invite you
be implemented through a single intellectual freedom. Granick argued EVADI N G , will show how a remote diversified the high accuracy of these emulators LEAR N E D to bring your knowledge of mobile
pixel, or through subtle variations of
14:00 in 101 Track
that this Dream of Internet Freedom ATTAC K I NRGEVTEHRESE metamorphic self-modifying code makes it possible to create a frame- ENGINTEOEORTIHN-G app exploits, wireless communication
a large number of pixels. We discuss This presentation is the screaming goat was dying, choked off by market and AI A N D with a very short expiration lifetime by-frame sequence of button presses BLUE hijacking (you already hacked your
a step-by-step walk-through of our anti-forensics version of those Stupid government forces of centralization, ENGINEERING can detect, evade, and resist any code accurate enough to produce the same AND IN T ER N E T- electronic skateboard last year, right?)
hardware and software reverse- Pet Tricks segments on late night US regulation, and globalization. The Amro Abdelgawad analysis, reverse engineering, machine results even on real hardware. After ENAB L E D A D U LT and back-end server vulnerabilities
analysis process of the Dell monitor.
We present three demonstrations
talk shows. Nothing ground-breaking
here, but well cover new (possibly)
speech was extremely popular. Almost
8000 people watched it at Black
Founder, Immuneye learning and tampering attempts. demonstrating beating a game quickly
Ill show how the same tools can be
TOYS to the party. Its time for you to
get to play with your toys more
follower
E
OA
NVE
TS
HD
ERO
MP
AP
CIHNIG
of monitoring exploitation to show and trolly (definitely) techniques Hat. It was retweeted, watched and 15:00 in Track 3 used to find exploitable weaknesses Hacker privately and creatively than before.
active screen snooping, active screen
content manipulation and covert
that forensic investigators havent
considered or encountered. Intended
read by tens of thousands of people.
Boing Boing called it the speech that
As a matter of fact, it is all about time
to reverse engineer the most complex
NES in a games code that can be used to
trigger an Arbitrary Code Execution,
goldfisk
Hacker
Please note: This talk contains content
Tim t0rch Estell related to human sexuality but
data exfiltration using Funtenna. targets cover a variety of OS platforms. won Black Hat (and DEF CON ). piece of code. Code complicity ultimately treating the combination
Solution Architect, BAE Systems
16:00 in Track 3 does not contain sexually explicit
techniques are usually used just to of buttons being pressed as opcodes.
Lastly, we discuss realistic attack
HO W TOOLRA EN
MMOTE This year, Granick revisits the state
increase the time and effort needed for
Katea Murray
Cyber Researcher, Leidos Using this ability, Ill execute a payload The Internet of Things is filled with
material. The presenters endorse
delivery mechanisms, show a prototype
implementation of our attack using
CO N T R of the Internet Dream. This years
crypto war developments in the U.S. reverse engineering. The desired effect that will connect a console directly to vulnerabilities, would you expect the
the DEF CON Code of Conduct
and human decency in relation to
the USB Armory and outline potential AIRCLUIRNIETRY:FLAWSIN and U.K. show governments efforts to of code complicity can be magnified 15:00 in 101 Track the internet and will allow the audience Internet of Vibrating Things to be matters of consentattendees are
attack mitigation options. We will SE control the design of technologies to using mechanisms that decrease and After the Rise of the Machines theyll to interact with it. An overview of some any different? As teledildonics come welcome in the audience if they do
release sample code related to this AVIONICS ensure surveillance. The developments narrow the allowed time frame for
any reverse engineering attempt into
need to communicate. And well of the details that will be described
in the talk can be found in an article I
into the mainstream, human sexual the same. Keep the good vibes. :)\
attack prior to the presentation date. Sebastian Westerhold also show that governments see need to listen in. The problem is that pleasure has become connected
coauthored for the PoC||GTFO journal
DIRECT MEMORY
KF5OBS app stores as a choke point for few milliseconds. Such approach can proprietary protocols are hard to
(Pokemon Plays Twitch, page 6 ).
with the concerns of privacy and 101 WAYS TO
ATTACK THE 15:00 in Track 1
regulation and control, something that be applied using a metamorphic engine
that is aware of the time dimension.
break. If Wireshark barfs then were security already familiar to those who BRICK YOUR
KERNEL This talk is exposing critical flaws
couldnt easily happen with general
purpose computers and laptops but
done. Or can we listen in, break
their Robot Overlord messages SID E - C H AN NEL previously only wanted to turn on
their lights, rather than their lover.
HARDWARE
in navigational aides, secondary which could be quite effective in a
Beyond metamorphic applications
and spill it all to the meat-space AT TA C K S ON Do you care if someone else knows Joe FitzPatrick
Ulf Frisk
surveillance radar, the Traffic Collision world where most people access
for AV evasion, in this talk, we will
present a novel approach to resist rebels? Attend this talk to learn HIGEHC-TSREOCNURITSYAFE if you or your lover is wearing a
SecuringHardware.com
Penetration Tester
Avoidance System (TCAS) and other the network with mobile devices. and evade reverse engineering using techniques for taking network data, EL IC remote control vibrator? Do you care Joe Grand (Kingpin)
14:00 in Track 3 aviation related systems. The audience
Also in the past year, the European a remote metamorphic engine that identifying unknown protocols, and
breaking them down to something
LOCKS if the manufacturer is tracking your
activity, sexual health and to whom
Grand Idea Studio

will gain insight into the inner workings generates diversified morphed machine Plore 16:00 in 101 Track
Inexpensive universal DMA attacking Court of Justice embraced blocking you can exploit. Rebels unite! you give control? How do you really
of these systems and how these code of a very short expiration Hacker
is the new reality of today! In this talk orders and ISP liability in the name of know who is making you squirm with Spend some time hacking hardware
systems can be exploited. Several lifetime. Our approach is based on a and youll eventually render a piece
I will explore and demonstrate how
it is possible to take total control of
practical demonstrations on portable stopping copyright infringement, privacy
client-server model using challenge- RODBEOOT GHAAMCEKSS: HOW 16:00 in Track 2 pleasure? And what happens when
of equipment unusable either by
operating system kernels by DMA
avionics will show just how easy it is violations, and unflattering comments
from ever being published online. response communication protocol VI Electronic locks are becoming your government decides your sex
accident or intentionally. Between
code injection. Once control of the
to execute these exploits in real life.
The effect of these developments made of morphed machine code TA S B OT E XPLOITS increasingly common on consumer- toy is an aid to political dissidents?
us, weve got decades of bricking
kernel has been gained I will execute
SLOUCHINGUTOPIA: is to force Internet companies to rather than data. We will show how CO N S OL E S grade safes, particularly those used Because theres nothing more sexy
experience that wed like to share.
W
CI
OTNHTRCOULSLTEORM
to secure guns. This talk explores than reverse engineering we looked
code and dump gigabytes of memory be global censors on the side of any reverse engineering attempt on Well document the most common
in seconds. Full disk encryption will TOWARDS online civility against the free flow of such model will be forced to execute S vulnerabilities of several UL-listed into one product (the We-Vibe 4
ways of temporarily or permanently
be defeated, authentication will be THE STT
ATE OF information and opinion. If we want or emulate the morphed code. Thus Allan Cecil (dwangoAC) Type 1 High Security electronic Plus from the innocuously named
damaging your hardware and ways
bypassed and shells will be spawned. THE IN E RNET to realize some of the promise of the the code will always have an upper President, North Bay Linux Users Group safe locks. Using side-channel attacks, Standard Innovation Corporation)
to recover, if possible. Well also talk
This will all be made possible using a DREAM Internet utopian vision, we are going hand to detect, evade and attack the
reverse engineering environment. Our 16:00 in Track 1
we recover the owner-configured
keycodes on two models of these
to get answers for you.
Attend our talk to learn the
about tips on how to avoid bricking
$100 piece of hardware together with Jennifer S. Granick to have to make some hard political your projects in the first place. If youre
the easy to use modular PCILeech approach is immune to static code TASBot is an augmented Nintendo locks from outside of locked safes unexpected political and legal getting into hardware hacking and
Director of Civil Liberties, Stanford choices and redesign communications
toolkit - which will be published Center for Internet and Society analysis as the functionalities and the R.O.B. robot that can play video without any damage to the locks or implications of internet connected sex worried about messing something up,
technology accordingly. The future
as open source after this talk. communication protocol used are games without any of the button safes. Discussion includes power-line toys and, perhaps more importantly, our stories will hopefully prevent you
15:00 in Track 2 could look a lot like TV, or we could
dynamically diversified remotely and mashing limitations us humans have. analysis, timing attacks, and lockout- how you can explore and gain more from experiencing the same horrors we
work to ensure our technology
Is the Internet going to live up to do not exist in packed executable files. By pretending to be a controller defeat strategies on embedded devices. control over the intimate devices in did. If youre worried about an uprising
enshrines individual liberties. This talk
its promise as the greatest force for will help attendees join that effort. On the other hand, clock synchronized connected to a game console, your life. Learn the reverse engineering of intelligent machines, the techniques
individual freedom that the world morphed machine code driven by a TASBot triggers glitches and exploits approach we tooksuitable for discussed will help you disable their
has ever known? Or is the hope remote metamorphic engine would weaknesses to execute arbitrary both first timers and the more functionality and keep them down.
for a global community of creative trap dynamic RE attempts in the opcodes and rewrite games. This talk experiencedto analyze a product
intellectual interaction lostfor now? maze of metamorphism. One that will cover how these exploits were that integrates a Bluetooth LE/Smart
is immune to code tampering and found and will explore the idea that wireless hardware device, mobile app
In last years Black Hat keynote reversing by detecting the non-self. breaking video games using Tool- and server-side functionality. More
entitled Lifecycle of a Revolution

38 39
the past with EMV implementations
SAMSUNZGEDPAY: Dark Tangent
and how credit card data of the future MALWARE COMMAND RYAN CLARKE JAY HEALEY LEAH THOMPSON
TOKENI 16:30 in Track 3
will most likely be sold with the new AND CONTROL Handle: LosT, L0stB0y, That Guy, 1057, Twitter: jason_healey Handle: 3n_ion
N
AU
NM
DBERSS,
UEFSLAWS MR. ROBOT is a rare treat - a EMV data having such a short life span. CHANNELS: A 1os7 and any conceivable variation of the Twitter: 3n_ion
IS J
DARKNESS TO
network television show whose hacker
With a rise of the machines theme
OURNEY IN word Lost.
Twitter: 1o57
Favorite Machine: My Ninja 250r
Salvador Mendoza protagonist is a fully realized character Machine Nemesis: Police Speed Traps
demonstration of La-Cara and Favorite Machine: HAL and SAL.
Student & Researcher with a realistically attainable set of Brad Woodberg
automated Cash out machine that
16:30 in Track 2
skills. No hyper-typing, no gibberish
masquerading as tech jargon, no
works on Current EMV and NFC
Group Product Manager - Emerging
Threats, Proofpoint,Inc.
Machine Nemesis: Maximilian from the Black Hole.
HIGH TOM WIZARD ZAXON VANDERMEY
ATMs it is an entire fascia Placed on
Samsung announced many layers of McGuffins to magically paper over plot
the machine to hide the auto PIN 17:00 in 101 Track SANDY CLARK Handle: HighWiz
Handle: Badger
Twitter: zvandermey
security to its Pay app. Without storing holes with hacker dust. MR. ROBOT
keyboard and flash-able EMV card Much of the time and attention Handle: Mouse Twitter: highwiz
or sharing any type of users credit takes the tech as seriously as the drama. Favorite Machine:Vending.
system that is silently withdrawing dedicated to modern network security Twitter: sa3nder Favorite Machine: [REDACTED].
card information, Samsung Pay is Machine Nemesis: Debian on an outdated iMac with broken
One of the main reasons for this money from harvested card data. This focuses on detecting the contemporary Machine Nemesis: Shadow Planet Killer.
trying to become one of the securest video drivers.
verisimilitude is the work of Kor demonstration of the system can cash vulnerabilities and exploits which
approaches offering functionality
Adana, MR. ROBOTs advisor on all out around $20,000/$50,000 in 15 min. JERICHO
and simplicity for its customers.
things hackish. His fingerprints are
power the breaches that make the
headlines. With almost all of the
CRYPT SETH VAN OMMEN
This app is a complex mechanism on every terminal window in the SK3WLDI
BNGG
: ALL emphasis is placed around the endless
Handle: CrYpT Security Curmudgeon, Attrition.org Handle: Beaker
which has some limitations relating show. Another advisor to the show is EMULAT cycle of new entry points, we are Twitter: CrYpT_0x12f Handle: Jericho Twitter: swordofomen
security. Using random tokenize our very own CyberJunkie - known (WELL MNAGNSY)WIOTFH often overlooking what is perhaps one Favorite Machine: coin-toss between: K-9 Twitter: attritionorg Favorite Machine: my CNC.
numbers and implementing Magnetic to the outside world as hacker and THE THI of the most profoundly interesting and ROK.
NIKITA KRONENBERG Machine Nemesis: Win10 update notices.
Secure Transmission (MST) technology,
which do not guarantee that every
raconteur Marc Rogers. Join Dark
Tangent for a panel discussion of MR.
IDA aspects of modern network breaches; Machine Nemesis: separate coin-toss between: Colossus and
HAL 9000.
token generated with Samsung Pay ROBOT: the phenomenon, the hacks
Chris Eagle
sk3wl 0f fucking r00t
the post-exploit communication of a
compromised system to the attacker
Handle: Dont call her la femme. VYRUS
Twitter: niki7a
would be applied to make a purchase
with the same Samsung device. That
and the crazy ways the show seems known as command and control. DARK TANGENT Favorite Machine: Holly
Handle:Vyrus
to pull its storylines from the future. 17:00 in Track 2 Twitter: vyrus001
Once malware has compromised an Handle: Jeff Moss
means that an attacker could steal Bring your questions, and keep an eye Machine Nemesis: Replicators: Creepy, all consuming, self
a token from a Samsung Pay device It is not uncommon that a software end system, the tables are turned Twitter: thedarktangent replicating, bugs of doom, that threaten all known life in the
out for late-breaking special guests.
and use it without restrictions. reverse engineer finds themselves against the attackers; we go from Shout Out: I want to thank the CFP universe. #TeamAsgard
H desiring to execute a bit of code WEASEL
GA
EC
NKI
AN
TG
Inconvenient but practical is that NEF
XR
T- they are studying in order to better
being on defense, to being on offense. Review Team. If you see them wearing
their cool CFP badges, say hello and thank them if you like MIKE PETRUZZI
Samsungs users could utilize the MS OM understand that code or alternatively
Attackers are constantly evolving
the talks!
Handle: Weasel

app in airplane mode. This makes CAPTURE TO to have that code perform some bit
their techniques and have become Handle: Wiseacre Twitter: weasel_nmrc
impossible for Samsung Pay to have a CASHOUT of useful work related to the reverse
incredibly creative in attempting to
hide their tracks, maintain control of DEAD ADDICT Twitter: wiseacre_mike Favorite Machine: Max Cohens Euclid.
Machine Nemesis: William Lees Clark Nova.
full control process of the tokens pile. Weston Hecker engineering task at hand. This generally compromised systems, and exfiltrate Favorite Machine: Talkie Toaster from Red
Favorite Machine: WOPR.
Even when the tokens have their own Senior Security Engineer & Pentester, requires access to an execution sensitive data. This presentation will Dwarf.Yes.Yes, I would like some toast. Machine Nemesis: Fembots with machine gun jubblies.
restrictions, the tokenization process Rapid7
environment capable of supporting explore how command and control Machine Nemesis: Furby. Dark creation of
MAGEN WU
gets weaker after the app generates
the first token relating a specific card.
17:00 in Track 1 the machine code being studied, both
at an architectural level (CPU type)
channels have evolved against traditional he who must not be named. ROAMER WE MISS YOU Handle: Tottenkoph
defenses, where they are today, future Twitter: tottenkoph
MV (Chip & Pin) card ATMs are taking and a packaging level (file container
How random is a Spay tokenized over the industry with the deadlines type). Unfortunately, this is not always a
predictions on their evolution, and most JENNIFER GRANICK CHRIS Favorite Machine: Mechagodzilla.
number? It is really necessary importantly, how you can go on the Machine Nemesis: Zoltar, the fortune teller.
passed and approaching the industry simple matter. The majority of analysts Handle: Consigliere, J.Law Handle: Suggy
to understand how the tokens offense to protect your organization
rushes ATMs to the market. Are do not have a full complement of hosts Twitter: granick Twitter: TheSuggmeister
by identifying and disrupting command
heretically share similarities in the
generation process, and how this
they more secure and hack proof? available to support a wide variety and control channels in your network. Favorite Machine: The Claw, from Toy Story. Favorite Machine: Gunslinger from
ZOZ
Over the past year I have worked at of architectures, and virtualization Westworld. Id like a robot programmed to Handle: Zoz
affect the end users security. understanding and breaking the new
What are the odds to guess methods that ATM manufactures have
opportunities for non-intel platforms
are limited. In this talk we will discuss
GREATSCOTT! instigate Nerf gunfights. Favorite Machine: KITT (Knight Industries
Machine Nemesis: Twiki from Buck Rogers. I had that haircut Two Thousand)
implemented on production Next Handle: GreatScott!
the next tokenized number a light weight emulator framework for as a kid and the mental scars still havent healed. Machine Nemesis: KARR (Knight
knowing the previous one? Generation Secure ATM systems. the IDA Pro disassembler that is based Twitter: GreatScottMusic
Automated Roving Robot)
This includes bypassing Anti-skimming/ on the Unicorn emulation engine. The PETER TEOH
MR. ROBOT PANEL Anti-Shimming methods introduced
to the latest generation ATMs. along
goal of the project is to provide an
embedded multi-architectural emulation GRIFTER Handle: PTzero
Kor Adana Twitter: pteoh
with NFC long range attack that capability to complement IDA Pros
Marc Rogers Twitter: Grifter801
allows real-time card communication multi-architectural disassembly Favorite Machine: Shake Weight for Men.
over 400 miles away. This talk will capability to enhance the versatility Machine Nemesis: None. PTzero has been assimilated into
demonstrate how a $2000-dollar of one of the most common reverse the Borg Collective.
investment criminals can do unattended engineering tools in use today.
cash outs touching also on failures of

40 41
including finance, telecommunications, challenges of developing attack code context to compromise further the A specific example of what we can see through smartphone control. We
HOW TH
OROW A transportation, commercial companies
Erin Jacobs
for the Java runtime while lowering the system, showcasing vulnerabilities. We LIGOHTTO-CWOELI!GHT and do is a home automation system investigated sixteen of these products
OVERT and critical infrastructure such a
Managing Partner, Urbane
bar so that anyone with rudimentary think that comparing Android with PR we discovered. We got a list of every from multiple vendors and discovered
GOVERNMENT power, water and oil.You will learn:
10:00 in Track 2
knowledge of Java can develop a iOS/OSX can be very interesting since SE R IO U S sensor and its status. Furthermore, we wireless vulnerabilities in most of them.
Chris Rock This is not just another I found a managed code rootkit. With Java being their implementation is different, but EQ U IP M ELNT! got exact GPS coordinates from the Using a $50 antenna, we successfully
Founder and CEO, Kustodian Traditional military mercenary
problem in a single IOT device talk. StackOverflows most popular server the goal for attackers and defenders CR IT I C A mobile app used to control the home picked vulnerable locks from over
10:00 in Track 1
coup tactics used by the infamous 32
Battalion in Africa, Executive Order and
Focusing on attacking three major side language of 2015 the Java runtime is the same, so having knowledge of IMPLICATIONS! automation. So in this case, not only 400 meters away. In this presentation
consumer product lines that have environment is a prime target for different sandboxes is very insightful to Lucas Lundgren were we able to control the system, we we introduce open source tools to
Direct from the mind of the guy Sandline that can be directly applied
grown rapidly in the past years, Zack exploitation. JReFrameworker is an highlight the limitations of a particular Senior Security Consultant, FortConsult even knew when the owner was away. crack each of the vulnerable BLE
who bought you the I will kill to a cyber mercenary regime change.
and Erin will review flaws theyve Eclipse plugin that allows an attacker implementation. The sandboxes (Part of NCC Group) locks. Furthermore, after surveying
you presentation at DEF CON Neal Hindocha The talk will move on to show various
How to architect a cyber discovered and weaponized against to write simple Java source to develop, some years ago were related mainly the open source Bluetooth hacking
23, is another mind bending, implementations where webclients
coup using advisors, hackers home Windows installs, DIY security debug, and automatically modify the to our desktop, mobile phone or Principal Consultant, FortConsult (Part
tools currently available, we find very
entertaining talk. This time its of NCC Group) and SQL servers are hooked in. Much
and the general populace, using solutions, personal fitness tracking runtime. Best of all, working at the tablet. But if we look now at the little support for BLE. So, to make
bigger and badder than before. of the communication data is stored
misinformation, professional agitators, devices, and digital notification devices. intended abstraction level of source technology trend, with Automotive 11:00 in Track 2 discovering and range finding to BLE
in various databases, and because we
false information and financing. Well review the security of these code allows the attacker to write and IOT, we can understand that devices easier, we introduce a new open
Are you sick and tired of your The presentation will begin by have access, we can use MQTT to
popular products and services in a once, exploit anywhere. When the sandboxes will be crucial in all those source war-walking tool compatible
government? Cant wait another 4 How to gather intelligence to analyze discussing the protocol (http://mqtt. attack the database and web servers.
consumer reports style walkthrough, messy details of developing attack technologies, since they will run on with both Bluetooth Classic and BLE.
years for an election? Or do you want a governments systemic weaknesses org/) and results from a simple query
the attack methods against the 21 code are removed from the picture the mainstream operating system when Multiple tools have been developed
to be like the CIA and overthrow on financial, societal values and political
a government overseas for profit climates that is leader or country
devices reviewed, release some tools attacker can let his creativity flow to they will become more popular. on shodan, showing the number by us already to support testing the SECURE
or fun? If you answered yes to one specific to structure your attack.
for the lulz, and highlight the threats develop some truly evil attacks, which
JITCTGEYRVYER:
of servers directly available on the
internet. We will then go through
protocol and fuzzing endpoints. we PENETRGATION
or more of these questions than facing similar products. Its time to is just what this talk aims to explore.
MA the protocol specifications which
will show the tools used in various TESTIN
this talk is for you! Why not create How to identify and prioritize Fight for the Users. END OF LINE.
ESCAPINXGBTYHENOT LE S S ON S LDEIANRGNED shows that security is more or less
demos and release them at the end OPERATI ORNAST:ED
your own cyber mercenary unit and government resources, infrastructure
DEVE L O PING SANDBO FR O M B UIL non-existent. We are able to directly
of the talk! These tools are currently DEMONS T
invoke a regime change to get the and commercial companies and
MANA G ETDSCFOODRE BREAKING IT A BIOONFICAHCAONFDFEE connect to many of the servers which
scripts containing various protocol WEAL
KE
NA
ERSNSIENSG
government you want installed? After how to use these compromised
ROOT KI OU T are open to the internet, and following
implementations, that can be used IN
M
TA
OT
OE
LR
SIAL AND
all, if you want the job done right, assets to stage the coup. Marco Grassi to target servers and extract, or
protocol specifications, see what
T
EH
NE
VIRJOAN
sometimes you have to do it yourself. Combine physical and digital VM
AEN
RTUNTIME KEENLAB of Tencent MAKER devices they are communicating with.
inject, data. We also have a small
client that implements all interesting
techniques and have the best Qidan He Evan Booth Wesley McGrew
Find out how over the last 60 years, KEENLAB of Tencent We will show how its possible to areas of the protocol which we
governments and resource companies of both worlds to own a Benjamin Holland Engineer
use for server-to-client testing. Director of Cyber Operations, HORNE
countries infrastructure. ISU Team, DARPAs Space/Time Analysis extract data on all subscriptions Cyber
have been directly involved in for Cybersecurity (STAC)
10:00 in 101 Track 11:00 in Track 1 available on the server using a ruby
architecting regime changes around We believe this talk is going to have
Hot to manipulate the media using The main topic of this technical talk script, which basically gives a detailed a significant impact on MQTT and
11:00 in 101 Track
world using clandestine mercenaries 10:00 in Track 3 In May of 2015, it was estimated that a
propaganda targeting journalists flawed will be sandboxes and how to escape list of the devices. However, it is not anyone who uses it. This is an old
to ensure deniability. This has been pod-based coffee maker could be found Following previous presentations on
multiple source rules for a story. Managed Code Rootkits (MCRs) are them. One of the main component of only the list of devices we are getting. protocol from 1999. Its fast and
achieved by destabilizing the ruling in nearly one in three American homes. the dangers penetration testers face
terrifying post-exploitation attacks the modern operating systems security The data returned by our script also reliable, but its missing security. in using current off-the-shelf tools
government, providing military The Grand finale of a cyber Despite the continued popularity of
that open the doors for cementing is their sandbox implementation. contains things like session tokens (for and practices (Pwn the Pwn Plug and
equipment, assassinations, financing, regime change on a real country these single-cup coffee conjurers at We also be believe this talk will
and expanding a foothold in a target Android for example in recent versions web pages), social security numbers, I Hunt Penetration Testers), this third
training rebel groups and using from beginning to end using the home as well as in the workplace, it has trigger a discussion about light-weight
network. While the concept isnt new, added SELinux to their existing sandbox phone numbers, names and other presentation explores how widely
government agencies like the CIA, above techniques with operational become clear that these devices are IoT protocols and security, which is
practical tools for developing MCRs mechanism, to add an additional layer of sensitive data used for one purpose available learning materials used to
Mossad and MI-5 or using foreign footage. Come to this talk and not impervious to mechanical and/or much needed at this point in time.
dont currently exist. Erez Metula security. As well OS X recently added or another in the communication train penetration testers lead to
private mercenaries such as Executive find out how you too can be electrical failure. It was this intersection
released ReFrameworker in 2010 with System Integrity Protection as a system to and from the devices. inadequate protection of client data
your own dictator, benevolent or of extremely prevalent hardware and
Order and Sandline. Working with
merciless that part is up to you. the ability to inject attack modules level sandbox, in addition to the relatively short lifespan that prompted We will show how messages can
PICUKEITNOGOTH LOW and penetration testing operations.
Simon Mann an elite ex SAS soldier
into the C# runtime, paving the way regular sandbox which is per-process. me to begin exploring the upper be posted into the message queues
BL With widely available books and other
turned coup architect who overthrew
I FIGUHSTERFOR for MCRs, but the tool requires limits of what could be created by and in turn received by the devices EN E R GY LOCKS training resources targeting the smallest
F
MILE AWAY TER
governments in Africa, Chris Rock will
show you how mercenary coup tactics THE S, the attacker to have knowledge of
All modern OS focus on defense in
depth, so an attacker and a defender repurposing one of the most popular that subscribe to the various queues. R O M A QUAR set of prerequisites, in order to attract
directly applied to digital mercenaries EPISO D E I - intermediate languages, does not
support other runtimes, and is no
must know these mechanisms, pod-based machines: the Keurig. In this This means that we are able to issue the largest audience, many penetration
to cause regime changes as the next ATTAC K S AGAIRNST longer maintained. Worse yet, the
to bypass them or make them session, we will walk through some commands targeting the range of Anthony Rose testers adopt the techniques used in
generation of Cyber Dogs of War. TOP C O NSUME write once, run anywhere motto
more secure. We will focus on real-world examples of MacGyver-style devices we have discovered, that Hacker simplified examples to real world tests,

Chris will walk you through a cyber PRODUCTS of managed languages is violated
Android and iOS/OSX to show
the audience the implementations
creative problem-solving, well go hands
on (yes, pun intended) with stuff made
use this protocol. We have however
also discovered that this is not
Ben Ramsey
Hacker
where the network environment can
be much more dangerous. Malicious
regime change from start to finish Zack Fasel when dealing with runtime libraries, from repurposed Keurigs, and finally, Ill limited to messages and commands, threat actors are incentivized to attack
of the sandbox in these operating 11:00 in Track 3
on a real country and show you Managing Partner, Urbane forcing the attacker to write new reflect on lessons learned from looking if supported by the device, we can and compromise penetration testers,
systems, the attack surface from
how to architect a coup achieving exploits for each target platform. for potential in things most people actually issue firmware updated, Many Bluetooth Low Energy (BLE) and given current practices, can do
within interesting sandboxes, like the
the same result as a traditional browser, or applications sandbox. deem common and unremarkable. simply by sending something similar enabled deadbolts and padlocks have so easily and with dramatic impact.
This talk debuts a free and open
mercenary operation without any to FIRMWAREUPDATEHERE:http:// hit the market recently. These devices
source tool called JReFrameworker This presentation will include a
blood spilt. This will include taking Then we will discuss how to attack www.attacker.com/filename.bin. promise convenience and security
aimed at solving the aforementioned live demonstration of techniques
ownership of all facets of government them and escape from our restricted

42 43
for hijacking a penetration testers This allows you to do anything from forward or modify CAN frames on developer youll get a checklist accelerates blue and red team analysis. it possible for an attacker to inject configurations, storing up to 20,000
normal practices, as well as guidance using them as anonymous proxies, the fly, it can do so autonomously with RETWEETLI
TN
OESWIN: that you can use to reduce your Graph theory has the power and the keystrokes directly into a victims USB entries for client and server each.
for examining and securing your conduct reflective scanning, pivoting a set of rules or interactively using HOW 50 vulnerability to this sort of attack. potential to dramatically change the dongle using easily accessible, cheap This makes it forensically relevant
current testing procedures. Tools into the internal network behind it, Ethernet and a packet manipulation OF PYTHON M AEDSET way you think about and approach hardware, in most cases only requiring in cases where other evidence of
shown in this demonstration will and more. In this presentation we framework such as Scapy. ME THE LUCK I SIXMADEGREESNOF Active Directory domain security. that the user has a wireless mouse. connection may have dissipated.
be released along with the talk. will show you exactly what Stargate
It is also worth noting that it was
GUY ON TWITTER DO IN ADMI The majority of affected USB dongles

BYPASV
SE
ING
is, how we encountered it, the fun
designed to be cheap and easy
Hunter Scott - UO
SINGTGRAPH MOJUESCETJIANCGK: are unpatchable, making it likely that NG9-1-G1E
:NE
TR
HA
ETION
CAPTI PEODRTALS
things you can do with the Stargates all
to build as it is mostly made of
Hacker
TH E RY O IN vulnerable computers will be common NEXT
KERYESLTERSOSKEMSICIENTO O
PF
A EA
MGEERGENCY
TC
ECAE
MLE
OR
PA
ET
RE
AND LIMIT
around the globe and we will release
inexpensive COTS. Last but not 12:30 in Track 1 ROENDS WI
in the wild for the foreseeable future.
H0N
NETWORKS
the Stargate tool which anyone can
use to talk to/through these devices.
least, we demonstrate its versatility
In this talk, Ill share how I won 4
ATI This talk will explain the research
by turning around a security Andy Robbins (@_wald0) Marc Newlin process that lead to the discovery of CINCVolFLT (Trey Forgety)
Twitter contests per day, every day,
issue usually considered when it these vulnerabilities, covering specific
Grant Bugher
Perimeter Grid CANSPY: A comes to cars: instead of auditing
for 9 months straight. Ill discuss
Offensive Network Services Team Lead,
Veris Group
Security Researcher, Bastille Networks

tools and techniques. Results of the


Director of Government Affairs & IT
Ninja, NENA: The 9-1-1 Association
FRAMEWO RKCAFNOR an electronic control unit (ECU)
the methods I used, the delightfully Rohan Vazarkar (@cptjesus) 13:00 in Track 2
research will be detailed, including AK3R303 (Alex Kreilein)
12:00 in Track 1 AUDITING through the OBD-II connector,
random and surprising things I won, Penetration Tester, Veris Group What if your wireless mouse was protocol behavior, packet formats, and CTO & Co-Founder, SecureSet

Common hotspot software like DEVICES we are going to partially emulate


and how to run a Twitter contest to
prevent people like me from winning.
Will Schroeder (@harmj0y)
Researcher, Veris Group
an effective attack vector? Research technical specifics of each vulnerability. 13:00 in 101 Track
Chilispot and Sputnik allow anyone Jonathan-Christofer ECUs in order to audit a device that reveals this to be the case for mice Additional vulnerabilities affecting 14
to set up a restricted WiFi router connects to this very connector. from Logitech, Microsoft, Dell, Lenovo, vendors are currently in disclosure, For 48 years, 9-1-1 has been /the/
or Ethernet network with a captive
Demay Airbus Defence and Space
Arnaud Lebrun PIN2RPOWONT:AHNOW 13:00 in Track 1
Hewlett-Packard, Gigabyte, and Amazon. and will be revealed during this talk. emergency telephone number in the
portal, asking for money, advertising, Airbus Defence and Space
ATTACKIKNG TO Active Directory domain privilege Dubbed MouseJack, this class of United States. Its also been mired in
or personal information in exchange NETWOR EMB ED DTEH
DA LINUX escalation is a critical component of security vulnerabilities allows keystroke CUNNING WITHING 48-year-old technology. So lets just put
for access to the Internet. In this
12:00 in Track 3
INFRAS TR UCTURE4 BOX W I most penetration tests and red team injection into non-Bluetooth wireless CNG: SOLICIT that on the internet, right? What could
SEWING NEEDLE S
SE
CC
HR
AE
NT
NS
ELFROM
possibly go wrong? Without the radical
talk I take a look at how these and In the past few years, several tools TO GEN E RATE A assessments, but standard methodology
dictates a manual and often tedious
mice. Imagine you are catching up on
segmentation of the PSTN, the move to
T
$B/
5 S DDOS FOR
similar restrictive networks work, have been released allowing hobbyists Brad Dixon some work at the airport, and you
how they identify and restrict users, to connect to CAN buses found in Hacker process gather credentials, analyze reach into your laptop bag to pull out IP networks (even the private, managed
new systems we now have admin rights Jake Kambic kind) will bring new 9-1-1 capabilities
and how with a little preparation we cars. This is welcomed as the CAN your phone charger. As you glance back Hacker
can reach the Internet regardless protocol is becoming the backbone Luke Young 12:30 in Track 2 on, pivot, and repeat until we reach our at your screen, you see the tail end AND new vulnerabilities. This talk
of what barriers they throw up. for embedded computers found in
Information Security Engineer, Hydrant
Security assessments of embedded objective. Then and only then we of an ASCII art progress bar followed 13:00 in Track 3 builds on the work of quaddi, r3plicant,
Labs LLC
smartcars. Its use is now even spreading and IoT devices often begin with can look back and see the path we took by your shell history getting cleared. and Peter Hefley (see &lquo;Hacking
Secure Channel (Schannel) is
S
PTV
IAO
RT
GIANTGE: outside the car through the OBD-II
connector: usage-based policies from
12:00 in 101 Track testing how an attacker could
recover firmware from the device.
in its entirety. But that may not be the
only, nor shortest path we could have Before you realize what has happened, Microsofts standard SSL/TLS Library
911: Adventures in Destruction,
Disruption, and Death,&rquo; DEF
As bandwidth, computing power, an attacker has already installed underpinning services like RDP,
THROU GTHERVN
NA
CLTO insurance companies, air-pollution
and software advancements have When developers have done their taken. By combining our concept of
malware on your laptop. Or maybe Outlook, Internet Explorer, Windows
CON 22, http://ow.ly/10AvZh). It
provides an overview of NG9-1-1
OWN I N control from law enforcement or
improved over the years, weve begun job well youll find JTAG locked-up, derivative admin (the chaining or linking
of administrative rights), existing tools, they just exfiltrated a git repository Update, SQL Server, LDAPS, Skype and architecture and security concerns, and
NETWORKS engine diagnostics from smartphones
for instance. Nonetheless, these tools
to see larger and larger DDoS attacks non-responsive serial ports, locked-
down uboot, and perhaps even a and graph theory, we can reveal the and your SSH keys. In the time it took many third party applications. Schannel identifies critical attack surfaces that
Yonathan Klijnsma against organizations. Often times hidden and unintended relationships you to plug in your phone, you got has been the subject of scrutiny Public Safety Answering Points need to
will do no more than what professional home brewed secure-boot solution.
Senior Threat Intelligence Analyst, these attacks employ techniques in Active Directory domains. MouseJacked. The attacker is camped in the past several years from an monitor and secure. Familiarity with
tools from automobile manufacturers In this session youll learn details of a
Fox-IT such as DNS Amplification to take out at the other end of the terminal, external perspective due to reported NENAs i3 and NG-SEC standards
Dan Tentler (Viss) can do. In fact, they will do less as they useful hardware/software penetration Bob is an admin on Steves system, and
advantage of servers with very large equipped with a commodity USB radio vulnerabilities, including a RCE. may be helpful, but is not required.
do not have knowledge of upper-layer technique to attempt when youve run Steve is an admin on Marys system;
Founder, Phobos Group
uplinks. This talk explores a similar dongle and a directional patch antenna
protocols. Security auditors are used out of easier options. Weve used this therefore, Bob is effectively (and What about the internals? How does
12:00 in Track 2 to deal with this kind of situation:
technique targeting commonly used
technique on two commercial device perhaps unintentionally) an admin
hidden in a backpack, and boards her
Schannel guard its secrets? This talk WET
AA
POS NC
II
ZEIN G
VNC is a great tool to use if you need they reverse-engineer protocols
throughput testing software typically
running on very large uplinks. We will security assessments successfully on Marys system. While existing
plane as soon as the deed is done.
looks at how Schannel leverages DA NCE
to get to a box youre not physically before implementing them on top
explore the process of attacking this and have refined the technique on a tools such as Nmap, PowerView,
The reality of MouseJack is that an
attacker can inject keystrokes into your
Microsofts CryptoAPI-NG (CNG) to FOR S OC IA L
near. The trouble with VNC is that it of their tool of choice. However, to
software, eventually compromising series of test devices in the lab. This CrackMapExec, and others can gather wireless mouse dongle from over 200
cache the master keys, session keys, ENGINMEAER IDNGE:2E
was invented 15+ years ago and hasnt be efficient at this, they need more
it and gaining root access. Then well session will cover the prerequisites for much of the information needed to meters away, at a rate of up to 7500
private and ephemeral keys, and session AUTO T E
S
OP
NEA
TRWITPTHE
been improved upon in any significant than just being able to listen to or
interact with what they are auditing.
explore some of these servers in the successful application of the technique
and give you helpful hints to help
find these paths, graph theory is the keystrokes per minute (one every 8ms).
tickets used in TLS/SSL connections.
It discusses the underlying data
IR
SHING
way. Besides the internet of things real world determining the size of missing link that gives us the power
being sprinkled with VNC endpoints, Precisely, they need to be able to your hack! Best of all this technique, to find hidden relationships in this Most wireless keyboards encrypt the structures, and how to extract both
their uplinks and calculating the total Delta Zero (John Seymour)
there are companies which use VNC intercept communications and block while a bit risky to the hardware, offensive data. The application of graph data going between the keyboard and the keys and other useful information
available bandwidth at our fingertips Data Scientist, ZeroFOX
to such a large degree they need a them, forward them or modify them is easy to try and doesnt require theory to an Active Directory domain computer in order to deter sniffing, that provides forensic context about
all from a $5 VPS. We will finish up the
VNC proxy on their perimeter to get on the fly. This is why, for example, specialized equipment or hardware offers several advantages to attackers but wireless mouse traffic is generally connection. This information is then
presentation with a live demo exploiting
to all the internal VNC hosts - some a framework such as Burp Suite is modification. We are going to take and defenders. Otherwise invisible, unencrypted. The result is that leveraged to decrypt session that use
an instance and launching a DoS.
of which are ICS/SCADA devices. popular when it comes to auditing web pieces of metal and stab them at the high-level organizational relationships wireless mice and keyboards ship with ephemeral cipher suites, which dont
Stargate is the result of discovering a applications. In this paper, we present heart of the hardware and see what are exposed. All possible escalation USB dongles that can support both rely on the private key for decryption.
vulnerability in these VNC proxies that CANSPY, a framework giving security happens. For the hardware/firmware paths can be efficiently and swiftly encrypted and unencrypted RF packets. Information in the cache lives for at
allows you to proxy basically anything. auditors such capabilities when auditing identified. Simplified data aggregation A series of implementation flaws makes least 10 hours by default on modern
CAN devices. Not only can it block,

44 45
its not your computer anymore. payload and the hosts networks for [1] 10 Immutable Laws of [16] Facedancer2 http:// the rest of the software industry. Finally, different map of reality than normals
KingPhish3r (Philip Tully)
This has been robustly demonstrated any advanced remote access. Thus, Security https://technet.microsoft. goodfet.sourceforge.net/ using the data presented, additional FOR
RG
CING ALTE use and one has to calibrate narratives
Senior Data Scientist, ZeroFOX
over the years. Examples include these payloads can leave a significant com/library/cc722487.aspx hardware/facedancer21/ guidance will be provided to SCADA TA ETED to what another believes. The cognitive
14:00 in Track 1
numerous DMA-access attacks forensic footprint in the form of researchers along with a prediction on CELLPHONE INTO dissonance that inevitably causes is
Historically, machine learning for against interfaces such as firewire [2], network communications and on-host
[2] Physical memory attacks via [17] The Shikra http://int3.
what we expect next in attacks that AN UNSAFE managed by some with denial who live
information security has prioritized PCMCIA and thunderbolt [3] as well behaviours, and leave them vulnerable
Firewire/DMA - Part 1: Overview
and Mitigation https://web.archive.
cc/products/the-shikra
leverage SCADA HMI vulnerabilities. NETWORK as if refusing to feel the pain makes
defense: think intrusion detection as USB-based attacks including simple to anti-malware controls. Numerous it disappear. But as Philip K. Dick
systems, malware classification and in-line keyloggers, evil maid attacks companies are improving toolsets to
org/web/20160304055745/http:// HAT
CE
KR
EF
RA
-C
ME
AC-HINE SITCH -
Haoqi Shan
Hardware/Wireless security researcher, said, reality is that which, when you
botnet traffic identification. Offense [4] and malicious firmware [5]. detect such attacks [13][14]. Lastly,
www.hermann-uwe.de/blog/physical- IN INEXPENA
STIV E, Qihoo 360
no longer believe in it, refuses to go
can benefit from data just as well. these attacks are often spray and pray,
memory-attacks-via-firewire-dma- STAO
TN
EFOO
FRTHE COORDIN ED Wanqiao Zhang away. And when cognitive dissonance
Despite these warnings, groups such as part-1-overview-and-mitigation UNI G
DS
EM
Social networks, especially Twitter unable to account for variations in the
S AT
NI
OOMNALY Communication security researcher,
evolves into symptoms of traumatic

VC
UA
LD
NA
ERH
AM
BI
the NSA were still able to use physical Qihoo 360
with its access to extensive personal
data, bot-friendly API, colloquial syntax
access to bypass software controls with
users behaviour or computer setup. [3] Thunderstrike 2 https://
trmm.net/Thunderstrike_2 ILITIES TEC 15:00 in Track 1
stress, one ignores those symptoms
at ones peril. But the constraints of
toolsets such as COTTONMOUTH Our approach is to create a stealthy ashmastaflash
and prevalence of shortened links, Brian Gorenc ones work often make it impossible
[6]. Likewise, criminals have been able bi-directional channel between the host [4] Evil Maid goes after TrueCrypt! Hacker LTE is a more advanced mobile
are the perfect venues for spreading Senior Manager, Trend Micro Zero Day to speak aloud about those symptoms,
to defraud banks with a handful of and device, with remote connectivity http://theinvisiblethings.blogspot. network but not absolutely secure.
machine-generated malicious content. Initiative 14:00 in 101 Track because that might threaten ones
simple hardware tricks [7]. While some via 3G/Wi-Fi/Bluetooth and offload the co.za/2009/10/evil-maid-goes- Recently there already some papers
We present a recurrent neural network Fritz Sands clearances, work, and career. The real
progress has been made to secure complexity to our hardware, leaving a after-truecrypt.html Its recently become easier and those exposed the vulnerabilities of
that learns to tweet phishing posts Security Researcher, Trend Micro Zero cost of security work and professional
some devices against some threats, such small simple stub to run on the host. Day Initiative less expensive to create malicious LTE network. In this presentation,
targeting specific users. The model is [5] Turning USB peripherals into intelligence goes beyond dollars. It is
as the use of full disc encryption, or the This talk will discuss the process of GSM Base Transceiver Station (BTS) we will introduce one method which
trained using spear phishing pen-testing BadUSB https://srlabs.de/badusb/ 14:00 in Track 3 measured in family life, relationships,
impact of Apples secure enclave in the creating a set of malicious USB devices devices, capable of intercepting and jointly exploits the vulnerabilities
data, and in order to make a click- and mental and physical well-being.
physical security of the iPhone [8], most using low cost hardware. The design and [6] Your USB cable, the spy: Inside the Over the last year, synchronized and recording phone and sms traffic. in tracking area update procedure,
through more likely, it is dynamically
laptops and desktops remain vulnerable toolkit will be released during the talk. NSAs catalog of surveillance magic coordinated attacks against critical Detection methods havent evolved attach procedure, and RRC redirection The divorce rate is as high among
seeded with topics extracted from
to attacks via physical interfaces. http://arstechnica.com/information- infrastructure have taken center stage. to be as fast and easy to implement. procedure, and finally can force a intelligence professionals as it is
timeline posts of both the target and Our toolkit provides three significant
technology/2013/12/inside-the-nsas- Remote cyber intrusions at three Wireless situational awareness has a targeted LTE cellphone to downgrade among medical professionals, for good
the users they retweet or follow. We In our experience, organisations improvements over existing work. The
leaked-catalog-of-surveillance-magic/ Ukrainian regional electric power number of challenges. Categorically, into a malicious GSM network, then reason - how can relationships be
augment the model with clustering to merely view USB devices as a first is the ability to gain a stealthy
distribution companies in December these challenges are usually classified consequently can eavesdrop its data based on openness and trust when
identify high value targets based on channel for malware or unsanctioned bi-directional channel with the host [7] How bank hackers stole 1.25
2015 left approximately 225,000 under Time, Money, or a lot of both. traffic or even voice call. This attack is ones primary commitments make
their level of social engagement such as communications, and rely on via the device. No traffic is generated million with a simple piece of computer
customers without power. Malware, Provisioning sensors takes time, not a simple DoS attack. It can select truth-telling and disclosure impossible?
their number of followers and retweets, protections placed elsewhere in their on the target network (i.e it would hardware https://www.grahamcluley.
like BlackEnergy, is being specially and the fast stuff usually isnt cheap. the targeted cellphone by filtering the
and measure success using click-rates defensive stack to deal with them, work against air-gapped hosts). This is com/2014/04/bank-hackers-hardware/ Richard Thieme has been around
developed to target supervisory Iterative improvements compound IMSI number (IMSI catcher function),
of IP-tracked links. Taken together, these but few deal with the risk the USB done via the use of either a raw HID that space for years. He has listened
[8] Apple vs FBI https://www. control and data acquisition (SCADA) the problem when you need to get so it will not influence the other
techniques enable the worlds first interface presents directly. There device or standard USB class printer to people in pain because of the
apple.com/customer-letter/ systems. Specifically, adversaries are software updates to multiple devices cellphones and keep them still in the
automated end-to-end spear phishing are many scenarios where gaining driver linked to our device, with the compelling necessities of their work,
focusing their efforts on obtaining in the field. Ill present a prototype real network. Further more, it can
campaign generator for Twitter. physical access to hosts is plausible stub merely wrapping commands and [9] Users Really Do Plug in the consequences of their actions, the
access to the human-machine interface platform for GSM anomaly detection force the cellphone into the malicious
[9], and having done so can provide their output to our device. The second USB Drives They Find https:// misfiring of imperfect plans, and the
(called SITCH) which uses cloud- network that we setup (a fake network)
UNIVSEERSAL SERIAL access to chewy internal networks is the ability to communicate with zakird.com/papers/usb.pdf
(HMI) solutions that act as the main
delivered services to elegantly deploy, or we assign (operators network),
burdens of - for example - listening
ABU : REMOTE [10] ripe for lateral movement. the device remotely via Wi-Fi/3G/ hub for managing the operation of
the control system.Vulnerabilities in manage, and coordinate the information therefore the cellphone has no chance
to terrorists slit someones throat in
PHT
YASCIC
KA
SL ACCESS
Bluetooth, allowing for updates to the [10] The Design of a Secure Internet real time, then having to act as if they
While most people are familiar with Gateway http://www.cheswick. these SCADA HMI solutions are, and from many independent wireless to choose other secure network. This
AT USB devices, many dont realise the
payloads, exfiltration of data, real-time
interaction with the host and an ability com/ches/papers/gateway.pdf will continue to be, highly valuable as telemetry sensors (IoT FTW). Well is the danger point of this attack.
had a normal day at the office. Thieme
touched on some of this impact in his
Rogan Dawes extent to which the USB standard we usher in this new era of software talk about options and trade-offs when
to debug problems. This also has the story, Northward into the Night,
Researcher, Sensepost allows seemingly innocuous devices to
advantage that any network controls
[11] USB Rubber Ducky Wiki
exploitation. This talk covers an in- selecting sensor hardware, securing PLAYIPNAG THROUGH published in the Ranfurly Review, Big
Dominic White have multiple personalities. There has
are bypassed. Finally, the stub running
http://usbrubberducky.com/
depth analysis performed on a corpus your sensors, using cloud services for THE I N ? - City Lit, Wanderings and Bewildering
CTO, SensePost been an extensive amount of research
on the host will leave a minimal forensic [12] USBDriveBy http:// of 200+ confirmed SCADA HMI orchestrating firmware, and how to THE IM P ACT OF Stories before collection in Mind
14:00 in Track 2
into malicious USB devices, such as
trail, making detection of the attack, samy.pl/usbdriveby/ vulnerabilities. It details out the popular collect and make sense of the data SECR E T S AND Games. The story illuminates the
In this talk, well cover some novel
TURNIPSCHOOL [15], GoodFET/
or analysis of it later, difficult. For [13] Cylance, Math vs Malware
vulnerability types discovered in HMI youve amassed. Source code for the DARK K N OWT
LY
EDA
GN
ED emotional toll of managing multiple
USB-level attacks, that can provide
Facedancer [16], Shikra [17], Rubber
completeness sake, a new transport https://cdn2.hubspot.net/
solutions developed by the biggest prototype will be released as well.
The target audience for this lecture is
ON S E C U RI personas and ultimately forgetting
I
PN
RT
OE
FLELSISGIE
ON
NC
AE
Ducky [11], USBdriveby [12] and SCADA vendors, including Schneider
remote command and control of, for metasploit was developed to allow hubfs/270968/All_Web_Assets/ who you are in the first place.
BadUSB [5]. However, none of these the hacker/tinkerer type with strong
even air-gapped machines, with implement an end-to-end attack either
metasploit payloads to be used instead. White_Papers/MathvsMalware.pdf
Electric, Siemens, General Electric, and
Advantech. It studies the weaknesses systems and network experience. LS The bottom line is, trauma and
a minimal forensic footprint, and because that was not their intention, Our hope is that the tools will provide [14] Carbon Black, Next Generation in the technologies used to develop A very basic understanding of GSM Richard Thieme secondary trauma have identifiable
release an open-source toolset they only focus on a part of the attack a method of demonstrating the risk of Endpoint Security https://www. HMI solutions and describes how networks is a plus, but not required. ThiemeWorks
symptoms and they are everywhere
using freely available hardware. or the project was never completed. physical bypasses of software security carbonblack.com/wp-content/ critical vulnerabilities manifest in the 15:00 in Track 2 in the industry. The hyper-real
In 2000, Microsoft published its without an NSA budget, and encourage uploads/2016/03/2016_cb_wp_next_ underlying code. The talk will compare space which the national security state
Additionally, existing attacks are Dismissing or laughing off concerns
10 Immutable laws of security [1]. defences to be built in this area. gen_endpoint_security_small.pdf the time-to-patch performance of creates by its very nature extends
predominantly send only with no about what it does to a person to
One of which was if a bad guy has various SCADA vendors along with a to normals, too, now, but its more
built-in bidirectional communications. [15] NSA Playset, TURNIPSCHOOL know critical secrets does not lessen
unrestricted access to your computer, comparison of the SCADA industry to intense for professionals. Living as
They usually rely on the executed http://www.nsaplayset.org/turnipschool the impact when those secrets build a

46 47
social engineers, always trying to Battery (1 year lifetime) Apollo server hardened organizations at the likely to be arrested? How many employed by the product, reverse- down free speech and halt innovation, implementing proactive controls, each
understand the others POV so one (MAIN acquisition core server) These human layer, and started to screw arrests lead to assisting authorities engineering the firewalls I/O Kit ALN
LEL
YS
OUA
RRE
SOLAR discussion of our technology project new standard adds another layer of
can manipulate and exploit it, erodes vulnerabilities affect the Modem which things up for the bad actors. to arrest others? How many work kernel interfaces and authentication PA to protect privacy and speech online, defense for attack patterns previously
the core self. The challenge is not is directly connected to the sensor , by themselves versus part of a mechanisms, and the discovery of BELONG TO ME updates on cases and legislation accepted as risks. With the most basic
abstract or philosophical, its existential, a remote connection to the modem CYBER?!WHO group? These observations, and a lot the exploitable heap-overflow. Fred Bret-Mounet affecting security research, and much controls complete, attention is shifting
fired into our faces every day at point its all that you need to compromise DONE IT more, paint an interesting picture
Finally, methods of exploitation
Hacker more. Half the session will be given toward mitigating more complex
blank range, and it constitutes an the whole seismograph network. ATTRIBUTION of the computer crime landscape.
will be briefly discussed, including 16:30 in Track 2
over to question-and-answer, so its threats. As a result of the drive to
A
ARREST HISH
NALYSIS T TR
OO
RU
YGH D
assault on authenticity and integrity. After got the root shell our goal is your chance to ask EFF questions control for these threats client-side,
how an Apple kernel-fix made
Sometimes sanity is at stake, too, and execute a post exploitation attack , IYKEPROOFING: this previously un-exploitable bug,
I got myself a new toy: A solar array... about the law and technology standards such as SubResource Integrity
sometimes, life itself. In one week, two This specific attack corrupts/modifies
Jake Kouns NU exploitable on OS X 10.11
With it, a little device by a top issues that are important to you. (SRI), Content Security Policy (CSP),
different people linked to the CIA told the whole seismological research data A NT
EA
WMIDNIIGNGAT tier manufacturer that manages its
E
and HTTP Public Key Pinning (HPKP)

ES
XO
Thieme that going into that agency of a country/ area in real time. We are
CISO, Risk Based Security
DA So if you simply want to see yet performance and reports SLAs to TLETRRIA
CTION carry larger implementation risks than
was like becoming a scientologist.
Think about what that analogy means.
going to propose recommendations
and best practices based on how to
16:00 in Track 1
3AlarmLampScooter
another security product fall, or more
generically, learn methods of OS X
the cloud. After spending a little time
describing why it tickled me pink, Ill
FI others such as HTTP Strict Transport
Security (HSTS). Builders supporting
There have been over 20,000 data Hacker WIlla Cassandra
For his own sake and sanity, Thieme deploy a seismological network in kernel extension reversing in a practical walk you through my research and Riggins(abyssknight) legacy applications actively make trade-
has thought about it a lot and thats order to avoid this nasty attacks. breaches disclosed exposing over yes, root is involved! Armed with the offs between implementing the latest
16:00 in Track 2 manner, then this talk is for you :) Penetration Tester, Veracode
what this talk is about - the real 4.8 billion records, with over 4,000 results of this pen test, we will cover standards versus accepting risks simply
breaches in 2015 alone. It is clear there Does the thought of nuclear war wiping
facts of the matter and strategies PHI
IL
SU
HINGAWIDTHOUT is no slowdown at all and the state out your data keep you up at night? A JO
OU
UGRH
NEY the vendors reaction to the bee sting: 16:30 in 101 Track because of the increased risks newer
for effective life-serving responses. FA RE N of security is embarrassing. The total Dont trust third party data centers? THR EXPLOIT ostrich strategy, denial, panic, shooting When the machines rise up and take web standards pose. In this talk, well

EXP LO IT I NCGKING FRUSTRATION cybercrime cost estimates have been Few grand burning a hole in your MITIGATION the messenger and more. Finally, not away our freedom to communicate strictly explore the risks posed by SRI,

AND A T TA Jay Beale astronomical and law enforcement has pocket and looking for a new Sunday TES
CHNIQUES IN because I know you get it, but because were going to need a way out. CSP, and HPKP; demonstrate effective

SEISWMOORLKOSG I.CAL CTO InGuardians Inc.


been struggling to track down even project to keep you occupied through IO the rest of the world doesnt, well
cover the actual threats associated
Exfiltration of data across trust
boundaries will be our only means of
mitigation strategies and compromises
which may make these standards more
Larry Pesce a fraction of the criminals, as usual. the fall? If you answered yes to at least Max Bazaliy
NET .. Director of Research, InGuardians two out of three of these questions, Staff Engineer, Lookout
with something bound to become communication. How do we do that accessible to builders and defenders
REMOTELY 15:00 in 101 Track
Attribution in computer compromises
continues to be a surprisingly complex
then 3AlarmLampscooters talk on
16:00 in 101 Track
part of our critical infrastructure.Yes,
in this Shodan world, one could turn
when the infrastructure we built to
defend ourselves is the very boundary
supporting legacy applications; as well
as examine emergent properties of
Bertin Bervis Bonilla extreme pervasive communications is off a 1.3MW solar array but is that
You want to phish your company or task that ultimately isnt definitive in we must defeat? We use the same standards such as HPKP to cover
Founder, NETDB.IO for you! Youll learn everything from Over the past year, Apple has as valuable as using that device to
your client.Youve never done this for most cases. Rather than focusing on pathways we used to, but bend the previously unforeseen scenarios. As a
James Jara calculating radiation half layer values to consistently added features to prevent infiltrate a celebritys home network?
work before, youve got a week to do learning from security issues and how rules to meet our needs. Whether its bonus for the breakers, well explore
Founder & CTO, NETDB.IO approximating soil stability involved in exploitation of the iOS kernel. These
it, and you figure thats plenty of time. companies can avoid these sorts of data breaking protocol, attaching payloads, and demonstrate exploitations of
excavating your personal apocalypse-
15:00 in Track 3
Then someone objects to the pretext breaches in the future, for most media proof underground data fortress.
features, while largely misunderstood,
provide a path for understanding of the
ASK THE EFF or pirating the airwaves well find a the emergent risks in these more
volatile standards, to include multiple
In this presentation we are going to at the last minute. Or spam filters outlets the main topic after a breach Kurt Opsahl way. Well cover using a custom server
iOS security model going forward. This vulnerabilities uncovered quite literally
continues to be attribution. And if we
explain and demonstrate step by step block everything. Or you decide to
are honest, the media have painted
IVOEBLGEOMTS,99 talk will examine the history of iOSs
Deputy Executive Director, General application to accept benign traffic,
during our research for this talk (which
in a real attack scenario how a remote send slowly, to avoid detection, but
an interesting and varied picture PR BCUHT exploit mitigations from iOS 8 to iOS
Counsel, EFF
Nate Cardozo
using social and file sharing to hide
will hopefully be mitigated by d-day).
attacker could elevate privileges in the third recipient alerts the entire
of hackers over the years, many of LIT T LE S NIT 9.3 in order to teach important features Senior Staff Attorney, EFF
messages, as well as demo some long
order to take control remotely in a company. Or you can only find 5 target AINT ONE range mesh RF hardware you can drop
C
OR
FYP
TT
HO
E:LS
AT
WATE
of the architecture. This talk will Andrew Crocker
production seismological network addresses. Weve all been there on our which have caused collective groans at a target for maximum covert ops.
cover various enhancements that stop
located at 183mts under the sea. first professional phishing exercise. or outright rage from the community. Patrick Wardle Staff attorney, EFF
attackers from dynamically modifying
We found several seismographs in What should be as easy as building a The Arrest Tracker project was started
Director of Research, Synack
the functionality of system services, but
Dr. Jeremy Giliula
ABUSINWGEBBLEEDING Nate Cardozo
production connected to the public two page web site and writing a clever in 2011 as a way to track arrests from 16:00 in Track 3 also resulted in the defeat of all known
Staff Technologist, EFF
Eva Galperin EDGE Senior Staff Attorney, Electronic

S
AT
PA
PN
SD
EACRDGS
LOF
RO
YR
Frontier Foundation
internet providing graphs and data to e-mail turns into a massively frustrating all types of cyber (drink!) and hacking exploitation through function hooking. GlobalPolicy Analyst, EFF
exercise with a centi-scaled corpus Security products should make our
anyone who connects to the embed related incidents. This project aims to Additionally, we will explore how the Katitza Rodriguez 17:00 in Track 3
of captured credentials. In this talk, computers more secure, not less. Little
web server running at port 80. The track computer intrusion incidents ability to use PLT interception and International rights director, EFF Bryant Zadegan
well tell you how to win at phishing, Snitch is the de facto personal firewall Strong end-to-end encryption is legal in
seismographs provide real time data resulting in an arrest, detaining of a the use of direct memory overwrite Application Security Advisor & Mentor,
from start to finish, particularly in for OS X that aims to secure a Mac 16:30 in Track 3 the United States today, thanks to our
based in the perturbations from earth person or persons, seizure of goods, are no longer options for exploit Mach37
hacking Layer 8, the Politics layer by blocking unauthorized network victory in whats come to be known as
and surroundings, we consider this as or other related activities that are writers because of recent changes. Get the latest information about how Ryan Lester
of the OSI stack thats part of any traffic. Unfortunately bypassing the Crypto Wars of the 1990s. But in
a critical infrastructure and is clear the directly linked to computer crimes. Finally, we will cover the code-signing the law is racing to catch up with CEO & Chief Software Architect, Cyph
professional phishing engagement. this firewalls network monitoring the wake of Paris and San Bernardino,
lack of protection and implementation mechanism in depth, userland and technological change from staffers at
Well share stories of many of our The Arrest Tracker project currently mechanisms is trivial...and worse yet, 17:00 in Track 2 there is increasing pressure from law
by the technicians in charge. kernel implementations and possible the Electronic Frontier Foundation, the
experiences, which recently included has 936 arrests collected as of the firewalls kernel core was found enforcement and policy makers, both
We are going to present 3 ways to to contain an exploitable ring-0 ways to bypass code-sign enforcement. nations premiere digital civil liberties Through cooperation between browser
an investigation opened with the US 4/23/2016. How does tracking this here and abroad, to mandate so-called
exploit the seismograph which is heap-overflow. #fail Though briefly group fighting for freedom and privacy vendors and standards bodies in the
Security and Exchange Commission information help and what does backdoors in encryption products. In
segmented in 3 parts: Modem (GSM, touching on generic firewall bypass in the computer age. This session will recent past, numerous standards have
(SEC). Finally, well tell you how we the data tell us? A lot actually! Who this presentation, I will discuss in brief
Wi-Fi, Satellite, GPS,Com serial) techniques, this talk will largely focus include updates on current EFF issues been created to enforce stronger
stopped feeling frustrated, learned is behind these data breaches and the history of the first Crypto Wars,
{web server running at port 80 , ssh on the kernel-mode vulnerability. such as surveillance online, encryption client-side control for web applications.
to handle the politics, and produced what are the demographics such as and the state of the law coming into
daemon} Sensor (Device collecting the Specifically, Ill discuss bypassing OS (and backdoors), and fighting efforts to As web appsec practitioners continue
successful phishing campaigns that average age, gender, and nationality? 2016. I will then discuss what happened
data from ground or ocean bottom) X specific anti-debugging mechanisms use intellectual property claims to shut to shift from mitigating vulnerabilities to
Which day of the week are you most in the fight between Apple and the

48 49
FBI in San Bernardino and the current new super 1337 exploit and no this is Consent (by Noam Chomsky and Ed data by exploiting broken SSL then, not only security problems have
proposals to weaken or ban encryption, not even a new technique. No super PROPA G AN DA AND Herman) we can learn of the various HOWWRTOONG D:O communication, broken self-developed EXT
AE
MINIENTGSTHE not been solved, but boarding passes
covering proposed and recently fancy website with poorly designed YOU ( A ND Y OUR manipulations that happen to media IT advanced crypto implementations IN RN have become almost entirely bar-coded.
enacted laws in New York, California, logo is necessary, there is nothing new DEVICES ) -CEHSOW before it reaches the end reader. SMARVTIPRHUOSNE or through SQL-injections? POLLUTION And they are increasingly often checked
Australia, India, and the UK. Finally, I here. Tim and Dennis have discovered MEDIA D EV I ANTI Karyn Benson by machines rather than humans.
will discuss possible realistic outcomes that something only stupid sysadmins CANCB E UES,EDAND Armed with the knowledge of how AND SCEACTUIRINTSY Yes, we can. On top, we were able Graduate Student Effectively, were dealing with simple
to the Second Crypto Wars, and give would do turns out to be much more TO O E RC propaganda works, a person could APPLI O to bypass the secure browsing
unencrypted strings of characters
my predictions on what the State of prevalent than expected. What starts HOW TEHSE CSAANMEBE attempt a more healthy diet of media UNDER FIRE protection and abuse it for code 10:00 in Track 3
containing all the information needed
the Law will be at the end of 2016. off as a sysadmins innocent attempt DEVIC consumption. Computer and data
networks are heavily utilized by those Stephan Huber
execution. The most alarming findings,
however, were security applications
Network telescopes are collections to decide on our eligibility for fast lane
U
BS
AE
CD
K.TO FIGHT
to fix an issue, turns into complete Fraunhofer SIT of unused but BGP-announced access, duty-free shopping, and more...
wishing to push agendas, but who is to that we were able to actually turn
STICKKY KEYS TO compromise of entire servers/
say these same technologies can not Siegfried Rasthofer
into a remote access trojan (RAT)
IP addresses. They collect the
With a set of easily available tools,
THE INGDOM: workstations with no effort needed The Bob Ross Fan Club be utilized to fight back? Developers
Fraunhofer SIT & TU Darmstadt
or into ransomware. In light of all
pollution of the Internet: scanning,
boarding pass hacking is easier than
PREM
-OAR
UE
THCO
RM
CM
EON from the attacker. Tim and Dennis will Security Software Engineer
have access to all sorts of tools that those findings, one must seriously
misconfigurations, backscatter from
ever, and the checks are mostly a
IS discuss how we came to this realization
help accomplish this feat, such as web
10:00 in Track 1
question whether the advice to install
DoS attacks, bugs, etc. For example,
security theater. In my talk, I will
THAN YOU THINK and explain how we automated looking
for these issues in order to find
17:30 in Track 1

Any novice in the security field can


scrapers, natural language tool kits, or Todays evil often comes in the form of
ransomware, keyloggers, or spyware,
a security app onto ones smartphone
several historical studies used network
telescopes to examine worm outbreaks. discuss in depth how the boarding
Dennis Maldonado (AKA Linuz) even the reddit source code repository. is a wise one. In this talk, we will not pass information is created, encoded
hundreds of vulnerable machines over tell you the importance of sanitizing against which AntiVirus applications
Security Consultant - LARES Consulting This talk will walk the audience through only explain our findings in detail but In this talk I will discuss phenomena and validated. I will demonstrate
the internet. Tim and Dennis explain input that is being read into computer are usually an end users only means of
Medic (Tim McGuffin) some different techniques that can be also propose possible security fixes. that have recently induced many how easy it is to craft own boarding
the tool developed for automation, systems. But what steps do most of protection. But current security apps
Security Consultant - LARES Consulting used for better media consumption. sources to send traffic to network pass that works perfectly at most
provide statistics discovered from our not only scan for malware, they also
research, and go over ways to protect
us take in sanitizing the input that
aid end users by detecting malicious
HACKINGKEYS telescopes. By examining this pollution checkpoints (and explain why it
17:00 in 101 Track
yourself from falling victim to the issue.
is read into the computer systems
URLs, scams or phishing attacks. HOTEL we find a wealth of security-related doesnt work at other ones).
With minimal to no effort, we can known as our brains? This presentation AND PO INSTTEOF data. Specifically, Ill touch on scanning
I will also discuss IATA
gain SYSTEM level access to hundreds, will go over the attack vector that
is known as Propaganda. By studying
Generally, security apps appear so SALE S Y MS: trends, DoS attacks that leverage
recommendations, security measures
if not, thousands of machines on the
works such as Manufacturing
self-evidently useful that institutions ATTACKI N G open DNS resolvers to overwhelm
implemented in boarding passes (such
internet [remotely]. No, this is not a such as online-banking providers SYSTEM SCUSSEING authoritative name servers, BitTorrent
index poisoning attacks (which as digital signatures) and their (in)
M
TRANSMISSIONURE
even require users to install anti-virus
programs. In this talk, however, we
AGNETI C targeted torrents with China in their effectiveness, as well as responses
name), a byte order bug in Qihoo I got from different institutions
show that the installation of security involved in handling boarding passes.
applications, at least in the context Weston Hecker 360 (while updating, this security
Senior Security Engineer & Pentester,
software sent acknowledgements There will be some fun, as well as
of smartphones, can sometimes open Rapid7 some serious questions that I dont
the phone to a number of attack to wrong IP addresses... for 5 years),
and the consequence of an error necessarily have good answers to.
vectors, making the system more 10:00 in Track 2
instead of less vulnerable to attacks. in Salitys distributed hash table.
Take a look at weaknesses in Point HIDIHNTGTPWO-OKHIT
ET
EPS
In a recent research we conducted on of sale systems and the foundation
HOW TO GT
ES
T IN IN
Android security apps from renowned of hotel key data and the Property
GOOD SEA SMUNGGGLWIN GSI S A
vendors such as Kaspersky, McAfee, management systems that manage the
THE SE
ER
C?
URITY THI E H OULNDD
Androhelm, Eset, Malwarebytes or keys. Using a modified MST injection
THEAT KNO W BE TT ER A
Avira. When conducting a study of
the apps security features (Antivirus
method Weston will demonstrate
several attacks on POS and Hotel keys HAS
CS
KINGFBOAR DINNG CARE ABOUT
and Privacy Protection, Device including brute forcing other guests PA ES OR FU regilero
Protection, Secure Web Browsing, etc.) keys from your card information as a AND PROFIT. DevOp, Makina Corpus

it came as a shock to us that every start point. And methods of injecting Przemek Jaroszewski 11:00 in Track 1
inspected application contained critical keystrokes into POS systems just as CERT Polska/NASK
if you had a keyboard plugged into HTTP is everywhere, everybody wants
vulnerabilities, and that in the end no
the system. This includes injecting
10:00 in 101 Track to write an HTTP server. So I wrote
single of the promoted security features
keystrokes to open cash drawer and mine :-) But mine not fast, and come
proved to be sufficiently secure. In a While traveling through airports, we
abusing Magstripe based rewards with an HTTP client which sends very
simple case, we would have been able usually dont give a second thought
programs that are used a variety of bad HTTP queries. My tool is a stress
to harm the app vendors business about why our boarding passes are
environments from retail down to tester for HTTP servers and proxies,
model by upgrading a trial version scanned at various places. After all, its
rewards programs in Slot Machines. and I wrote it because I found flaws in
into a premium one at no charge. all for the sake of passengers security.
all HTTP agents that I have checked in
Or is it? The fact that boarding pass
In other instances, attackers would the last year i.e. nodejs, golang, Apache
security is broken has been proven
be able to harm the end user by httpd, FreeBSD http, Nginx,Varnish and
many times by researchers who
completely disabling the malware- even Haproxy. This presentation will try
easily crafted their passes, effectively
scanning engine remotely. Or to explain how flaws in HTTP parsers
bypassing not just passenger only
how about accessing confidential can be exploited for bad things; well
screening, but also no-fly lists. Since

50 51
play with HTTP to inject unexpected signal strength relative to each detector. this talk, maybe youll have a better the cult classic video game Smash Bros answers to all of your questions you potentially lead to crashes and greatly
content in the user browser, or VU1L:NEHROAWBIT
LOITIES
This makes it possible to triangulate the sense of whether its right for you, LETS GLE:
T optimally. It cant be bargained with. It never knew you had, and probably impair the safety of self-driving cars. To
perform actions in his name. 10
source of the new rogue cell tower. and what to expect going forward. PHYS IC A cant be reasoned with. It doesnt feel make you question your life choices. alleviate the issues, at the end of the
LAPURNO
CVHEOY ROUR NETWNOSRTK PAH
TY
TS
AI
CCKASL pity, remorse, or fear. This final boss By the end of this session you will talk we propose software and hardware
If you know nothing about HTTP it
USE T HEIR IM ATTACKINTG AGAI wont stop until all your lives are gone. be ready to take your next steps countermeasures that will improve
should be understandable, but youll
have to trust me blindly at the end. If MACHINE S AGAINST V
RU
ELSNEE
ARRACBHILGIATMYE BASEST A ISOSNESY S
SE
YC
SU
TREIMTSY What started as a fun coding project
into the job youve always wanted, sensor resilience against these attacks.
you think you know HTTP, you have THEM: LOADING - AN O DY in response to a simple dare grew into
or know deep inside that you should
DRONESI-HIJACKING
C
CO
ODEERWITH A T
TH
ER
LO
CU
OG
SH NAETWORK
Joshua Drake Ricky HeadlessZeke Lawshae probably look for something else.
no reason to avoid this talk. Then, the an obsession that encompassed the
short part, I will show you this new PI VP of Platform Research and Hacker
wombo-combo of hacking disciplines
There will be no judgment or shame, - MULT
Open Source stress tool that I wrote Mike
Exploitation, Zimperium
Henrik Schmidt including binary reverse engineering,
only information, laughter and fun. DIMENSIONAL
and hope that you will remember it Principal Cyber Security Engineer, The
Steve Christey Coley
IT Security Researcher, ERNW GmbH
12:00 in Track 2
AI research, and programming. When
CAN YO
OM
UOUTS
RUST ATTACK
V
CE
OC
UT
NO
TR
ES
when youll write your own HTTP MITRE Corporation
Principal INFOSEC Engineer, MITRE
Brian Butterly
With the rise of the Internet of not used to create a killer doomsday
AUTO N AA
NS
DURES
parser for you new f** language. 11:00 in Track 3
11:00 in 101 Track IT Security Researcher, ERNW GmbH Things, the line between the physical
and the digital is growing ever more
machine, these same skills translate
VEHIC LES:ESS RME
to hacking Internet of Things (IoT) Aaron Luo
DISCN
OG
VERING AND Weve all worked on closed systems
If youre interested in vulnerability 12:00 in Track 1 hazy. Devices that once only existed devices, developing shellcode, and more. CONTA CTL Security Expert, Trend Micro

TRIA ULATING with little to no direct Internet


research for fun or profit, or if youre
a beginner and youre not sure how As introduced in our former series of in the tangible world are now Forget about Internet ending zero-day ATTAC KS AF
GAS
INST
S
DRIVING VEHICLEF-
R accessible by anyone with a network ENS ORS O EL
TO
OG
WU
EE
RSCELL
access. And weve all struggled with 13:00 in Track 2
to progress, it can be difficult to sift talks LTE vs. Darwin there are quite releases and new exploit kits. Come
the limitations those systems put on a few of holes in the LTE specs. Now, connection. Even physical security on down and get wrecked at a beloved
through the firehose of technical Drone related applications have
us in the form of available tools or having our own Macro BaseStation systems, a significant part of any large old video game. Line up and take your
information thats out there. Plus Jianhao Liu sprung up in the recent years, and
JusticeBeaver (Eric Escobar) software we want to use. I didnt like (an eNodeB) on the desk, we will organizations overall security posture, turn trying to beat the AI yourself,
there are all sorts of non-technical Director of ADLAB, Qihoo 360 the drone security has also became
Security Engineer, Barracuda Networks
struggling, so I came up with a method demonstrate practical approaches to are being given network interfaces to live on the projectors for everyone to
Inc things that established researchers Chen Yan a hot topic in the security industry.
to load whatever I wanted on to a and attacks on real life devices. More make management and access more see. When you lose though, dont run
seem to just know. There are many PhD student, Zhejiang University This talk will introduce some general
11:00 in Track 2 closed system without triggering any and more devices are using mobile convenient. But that convenience home and go crying to yo Momma.
different things to learn, but nobody Wenyuan Xu security issues of the drones, including
common security alerts. To do this I radio networks such as GSM, UMTS also significantly increases the risk
The number of IMSI-catchers (rogue really talks about the different paths
Professor, Electrical Engineering, vulnerabilities existing in the radio
of attack, and hacks that were once
cell towers) has been steadily increasing
had to avoid accessing the Internet or
you can take on your journey. We will and LTE and there has already been
thought to only exist in movies, like
SO YOU THINOKBE Zhejiang University
signals, WiFi, Chipset, FPV system, GPS,
in use by hackers and governments
using mag media. In the end all I needed
provide an overview of key concepts quite a bit of research on (in)securities
opening a buildings doors from a YOU WANT T 13:00 in Track 1 App, and SDK. The most famous and
around the world. Rogue cell towers,
was an office multi-function machine
in vulnerability research, then cover on the radio part, but only few people
laptop or modifying a camera feed A PT
EE
NR
ETRATION popular drone product will be used to
which can be as small as your home
router, pose a large security risk to
and Excel. Its all any insider needs.
where you can go to learn more - and
what to look for. Well suggest ways for
have had a look behind the scenes.
Luckily, we had the chance to have just live, are now possible and even TES To improve road safety and driving
experiences, autonomous vehicles
demonstrate the security vulnerabilities
of each aspects, and recommendation
For my presentation and demo, Ill easy to pull off. In this talk, we will Anch
this look and now we would like to have emerged recently, and they can of enforcements. The talk will also
anyone with a phone. If in range, your show you how I delivered a select you to choose what you analyze and discuss this new attack surface and Hacker
raise the curtain for the community. sense their surroundings and navigate demo how to take control of the
phone will automatically connect to group of PowerSploit tools to a provide tools and techniques you might demonstrate various ways an attacker
Initially we will quickly cover our 12:00 in 101 Track without human inputs. Although drone through the vulnerabilities.
the rogue tower with no indication to clean, isolated machine. Of course, want to use. Well discuss different can circumvent and compromise
complete odyssey from starting up an promising and proving safety features,
you that anything has happened. At that Excel has been known as vector for disclosure models (only briefly, we devices such as door controllers, So, you think you want to be a The topic of hacking by faking the
eNodeB for the first time, checking the trustworthiness of these cars has to
point, your information passes through macro viruses for quite some time promise!), talk about the different kinds security cameras, and motion sensors penetration tester, or you already GPS signals has been shared before
out the available interfaces and be examined before they can be widely
the rogue tower and can leak sensitive and some of the techniquessuch of responses to expect from vendors, over the network, as well as ways to are and dont understand what in Black Hat and DEF CON in the
emulating the core network through adopted on the road. Unlike traditional
information about you and your device. as hex-encoding binary data and re- and give some advice on how to write protect yourself from such attacks. the difference between you and all past, this talk will extend this topic to
to starting attacks. In the main part network security, autonomous
Currently, there are no easy ways to encoding it on a target machineare useful advisories and how to go about the other so called penetration the drone security. we will demo the
of the talk we will give a rather vehicles rely heavily on their sensory
protect your phone from connecting known binary insertion vectors but publishing them. Then, well finish up
practical insight into the (in-)security GAME OI
VNEGR,VIMDAENO!: testers out there. Think you know ability of their surroundings to make real-time hijacking program that we
to a rogue tower (aside from some I have not found any prior work on by covering some of the mindset of
features of basestations. We will REVERS the difference between a Red Team, driving decision, which opens a new created for various drone, this program
Android apps which are phone specific
and require root access). In this talk
an insider using these techniques to vulnerability research, including skills
and personality traits that contribute to start with valid backend connections GAMES T O CB
RLEEATE Penetration Test and a Vulnerability security risk. Thus, in this talk we can take full control of the Drones
Ill demonstrate how you can create a
deliver payloads to closed systems.
Youll leave my presentation knowing success, the different stages of growth and how these connections can be AN UNBE A TA assessment? Know how to write a examine the security of the sensors of maneuver by simply keyboard input.
rogue cell tower detector using generic why Excel, umm, excels as an insider that many researchers follow, and the abused to reconfigure both a single AI PLAYER report your clients will actually read
and understand? Can you leverage
autonomous vehicles, and investigate
the trustworthiness of the eyes of the
In addition, we will also introduce
how to detect the fake GPS signals.
hardware available from Amazon. attack tool, how to leverage Excel different feelings (yes, FEELINGS) that eNodeB and a complete subnet Dan AltF4 Petro the strengths of your team mates cars. In this talk, we investigate sensors
The detector can identify rogue features to load and extract arbitrary researchers can face along the way. Our on a telco network. We will then Security Associate, Bishop Fox An open source tool supporting
to get through tough roadblocks, whose measurements are used to guide
towers and triangulate their location. binary data from a closed network, and end goal is to help you improve your continue with the official maintenance u-box GPS modules and SDR to
12:00 in Track 3 migrate, pivot, pwn and pillage? No? driving, i.e., millimeter-wave radars,
The demonstration uses a software what to do if this really frightens you. chances of career success, so you can approach with the vendors tools and detect fake GPS signals will be shared
well this talk is probably for you then! ultrasonic sensors, forward-looking
defined radio (SDR) to fingerprint each get a sense of where you are, where webinterfaces giving an attacker both Super Smash Bros: Melee. - Furrowed and published in the GitHub.
We will go through the fascinating, cameras. In particular, we present
cell tower and determine the signal you want to go, and what you might local and remote access to the device. brows, pain in your thumbs, trash talk intense and often crazily boring on- contactless attacks on these sensors
strength of each tower relative to want to do to get there. We will not dig All in all the talk will cover general your Mom would blush to hear. That site assessment process. Talk about and show our results collected both in
the detector. With a handful of these too deeply into technical details, and and specific vulnerabilities in both sweet rush of power you once knew as planning and performing Red Teams, the lab and outdoors on a Tesla Model
detectors working together, you can wed go so far as to say that some kinds basestations and the backend network. you beat all the kids on your block will how they are different, and why they S automobile. We show that using
identify when a rogue cell tower enters of vulnerability research do not require be but a distant memory as SmashBot can be super effective and have some
challenges you to a duel for your off-the-shelf hardware, we are able to
your airspace, as well as identify the deep knowledge anyway.Vulnerability fun along the way. Ill tell you stories
pride live on stage. SmashBot is the perform jamming and spoofing attacks,
research isnt for everyone, but after that will melt your face, brain and
Artificial Intelligence I created that plays which caused the Teslas blindness
everything in between. Give you the and malfunction, all of which could

52 53
and the protocol weaknesses and reach data before it leaves your computer security as Google. With this in mind, as we talked about last DEF CON , This presentation will outline the
B
FA
RC
OK
ND
TO
DO
OR
OI
RNG THE H
AE
NL
TP
S,
!!!IVE GOT the already suspected conclusion that keeping your privacy, well, private. TOXIC P RG
OXI ES - we decided to examine Qualcomms against all expectations, we qualified research which has occurred in order
ANT and the devices that use it are BYOTFH (Bring your own tin foil hat). BYPAS S IN HTTPS code in Android devices. During and became one of the 7 finalist to find exploitable bugs across both
Jmaxxz Tamas Szakaly absolutely insecure: anybody can access AND V P N S TO our research, we found multiple teams. The finals of the CGC will be Windows and POSIX kernels, focusing
Hacker Lead Security Researcher, PR-Audit
your information, turn off your bike VL ANPH OSPOPN
II
NNGG
, PWE
NNT
YIOTUYR ONLINE privilege escalation vulnerabilities in held the day before DEF CON. on fuzzing system calls and library calls
13:00 in Track 3
Ltd., Hungary
light, or even replace the firmware AR P OI ID multiple subsystems introduced by
If we win, this talk will be about how
in the Windows environment. System
14:00 in Track 1 on your sport watch over the air. ANDDDLMEANA-TIT
NA
-CTK
HS
E- Alex Chapman Qualcomm to all its Android devices
we won, or, in the overwhelmingly likely
calls will be briefly explained, how they
As our homes become smarter and
As stated in my bio, besides computer AN I NTW
RO
OR
DM
U:CTION MI Principal Researcher, Context in multiple different subsystems. In
scenario of something going horribly
work and how these can be fuzzed in
I
EN VR
IROTNU
MAELNI
TZSED
more connected we come up with Information Security
this presentation we will review order to find bugs. The presentation
wrong, this talk will be about butterflies.
new ways of reasoning about our security I also love fligh simulators and
mountain biking. Last year I gave a talk
TO P IN NVI Paul Stone not only the privilege escalation will then move on to explaining core
privacy and security.Vendors promise
about hacking a flight simulator (among
MADNDLIE
NFTO
HR
E YOUR Ronny Bull
Principal Researcher, Context
Information Security
vulnerabilities we found, but also In all seriousness, weve spent the last libraries in the Windows environment
security, but provide little technical
other games), it was only fitting to MI Assistant Professor of Computer
demonstrate and present a detailed year working hard on building a really and how to fuzz these effectively.
information to back up their claims.
Further complicating the matter, many research something related to my other METADATA Science, Utica College & Ph.D.
Candidate, Clarkson University
14:00 in 101 Track exploitation, overcoming all the existing
mitigations in Androids Linux kernel
kickass Cyber Reasoning System, and
there are tons of interesting aspects of
Other issues with creating a kernel
of these devices are closed systems hobby too. Old days bike speedometers bigezy Rogue access points provide attackers fuzzing environment will be discussed,
Dr. Jeanna N. Matthews to run kernel-code, elevating privileges it that we will talk about. Much of the
which can be difficult to assess. This talk have evolved quite a bit, and nowadays Hacker with powerful capabilities, but in such as effective logging of calls in
Associate Professor of Computer and thus gaining root privileges and process of building the CRS involved
will explore the validity of claims made a lot of bikers (swimmers, runners, ers) saci 2016 modern privacy protections which the machine could BSOD and
Science, Clarkson University completely bypassing SELinux. inventing new approaches to automated
by one smart lock manufacturer about do their sport with tiny computers Hacker such as HTTPS Everywhere, free TLS kernel panic, and how to correctly
Ms. Kaitlin A. Trumbull program analysis, exploitation, and
reproduce vulnerabilities that have
C
SY
HB
EE
LR
the security of their product. The entire attached to them. These computers 14:00 in Track 2 Undergraduate CS Research Assistant, certificates and HSTS are de-facto
standards. Surely our encrypted traffic
GI
RSAHND patching. Well talk about those, and
been identified by the fuzzer. We will
solution will be deconstructed and
examined all the way from web services
do much more than measuring speed:
they have GPS, they can store your What is the root cause of memory
Utica College
is now safe on the local coffee shop
LPH try to convey how hackers new to the
field can make their own innovations.
also cover efficient scaling of a kernel
and network traffic bloat? Our current 14:00 in Track 3 network? If not, my VPN will definitely Yan Shoshitaishvili fuzzer so that a number of virtual
to the lock itself. By exploiting multiple activities, can be your training buddy,
vulnerabilities Jmaxxz will demonstrate and they can communicate with various research using tools we previously Cloud service providers offer their protect me... right? In this talk well PhD Student, UC Santa Barbara
Other aspects of the CRS involved machines are in operation that can
sensors (cadence, power meter, heart released Badger at Black Hat in 2014 reveal how recent improvements in Antonio Bianchi extreme amounts of engineering generate a large number of crashes.
not only how to backdoor a front door, customers the ability to deploy virtual UC Santa Barbara
but also how to utilize these same rate monitors, you name it), mobile and the Kobra released at BsidesLV machines in a multi-tenant environment. online security and privacy can be efforts to make sure that the system
Kevin Borgolte Finally, a brief summary of the
techniques to protect your privacy. phones, each other, and with PCs. One 2015 shows a 40 percent increase in These virtual machines are typically undermined by decades old design optimally used its computing power and
UC Santa Barbara vulnerabilities that have been
of the communication protocols used outside unique IP traffic destinations connected to the physical network via flaws in obscure specifications. These was properly fault-tolerant. Well talk
Jacopo Corbetta identified will be provided.
MOUSE JIGAGNLDER by these devices is ANT. Never heard and a 400 percent increase in data
transmitted towards these destinations.
a virtualized network configuration. design weakness can be exploited to UC Santa Barbara
about how automated hacking systems
OFFENSE of it? Not surprising, it is not very well
But through the course of the
This could be as simple as a bridged intercept HTTPS URLs and proxy VPN
Francesco Disperati
should be built to best handle this.
AUD ITOIRNKGS6LOWPAN
DEFENSE known despite being utilized by a lot
of gadgets including, but not limited to research we found currently used
interface to each virtual machine or tunneled traffic. We will demonstrate
how a rogue access point or local
UC Santa Barbara
Critically, our CRS needed to be able to
adapt to the strategies of the systems NET W
Dr. Phil
Professor, Bloomsburg University of
sport watches, mobile phones, weight IRP monitoring tools were lacking to
as complicated as a virtual switch
providing more robust networking network attacker can use these new
Andrew Dutcher
UC Santa Barbara
fielded by the other competitors. U
PS
EI
NNEGTRS A T
TA
INN
ODARD
scales, some medical devices, and even help produce enough information to features such as VLANs, QoS, and techniques to bypass encryption, Well talk about the AI that we built
Pennsylvania
bicycle lights and radars. When I bought forensically investigate the exfiltration monitoring. At DEF CON 23, we monitor your search history and take
Giovanni Vigna
UC Santa Barbarae to strategize throughout the game and TESTING TOOLS
13:00 in 101 Track my first bike computer I rationalized of user metadata. Pinworm is a sniffer presented how attacks known to be over your online accounts. No logos, decide what actions should be taken. Jonathan-Christofer Demay
Aravind Machiry
it with thoughts like this will help me that shows all created IRPs created successful on physical switches apply no acronyms; this is not a theoretical Airbus Defence and Space
A group of highly-armed individuals in the kernel in I/O devices. The IRPs
UC Santa Barbara At the end of this talk, you will know
navigate on the mountain, or I can to their virtualized counterparts. Here, crypto attack. We will show our Chris Salls Adam Reziouk
has just stormed into your office. are correlated with the processes that how to go about building your own
track how much Ive developed, but we present new results demonstrating techniques working on $30 hardware UC Santa Barbara
Arnaud Lebrun
They are looking to pull data from created them and the called driver autonomous hacking system! Or you
deep down I knew the real reason successful attacks on more complicated in under a minute. Online identity? Nick Stephens
your computers which are protected stack. With network traffic data we might know a lot about butterflies. 15:00 in 101 Track
was my curiosity about this lesser virtual switch configurations such as Compromised. OAuth? Forget about it. UC Santa Barbara
with full disk encryption. In order are off to the races. Using pinworm The Internet of Things is expected to
known, lesser researched protocol. Cloud file storage? Now were talking.
to prevent your screen saver from which we released this week, we will
VLANs. In particular, we demonstrate Fish Wang PLATFORC
M KERNEL be involved in the near future in all
activating they will likely immediately One of my favorite kind of weaknesses VLAN hopping, ARP poisoning and
S
UC Santa Barbara
AGNOSTI
MT
OU
insert a mouse jiggler to prevent your are the ones caused by questionable
show forensic case studies from cradle Man-in-the-Middle attacks across every MLPE
ING TPHSEET FUZZING major aspects of our modern society.
screensaver lock from activating. This design decisions, and can be spotted
to grave of what happens when you
do things online in social media sites.
major hypervisor platform. We have
added more hypervisor environments
BI CHI 15:00 in Track 2

Last year, DARPA ran the qualifying James Loureiro


On that front, we argue that 6LoWPAN
is a protocol that will be a dominant
talk will present ways of detecting without actual hands-on experience Adam Donenfeld Researcher, MWR InfoSecurity player as it is the only IoT-capable
and defending against such assaults with the product itself, just by reading Like all of our previously released tools, and virtual switch configurations since Senior Security Researcher, Check Point event for the Cyber Grand Challenge
our last disclosure, and have included to usher in the era of automated Georgi Geshev protocol that brings a full IP stack
on your system by mouse jiggler the documentation. Well this is exactly Pinworm is a framework including
results of attacks originating from the 15:00 in Track 1 hacking. Shellphish, a rag-tag team
Security Researcher, MWR InfoSecurity to the smallest devices. As evidence
wielding individuals. It will also show what happened here, I had some server side code you can use to collect
physical network as well as attacks of disorganized hackers mostly of this, we can highlight the fact that
you how to build your own simple attack vectors ready and waiting well and display user metadata inline in Following recent security issues 15:00 in Track 3
originating in the virtual network. from UC Santa Barbara, decided even the latest ZigBee Smart Energy
mouse jiggler. Nothing beyond basic before I received the actual device. browser frames. Does this metadata discovered in Android, Google made a
to join the competition about ten A number of toolsets have been standard is based on ZigBee IP which
Linux usage is required to understand To top it all, Ive also found some collection happen in the browser, in number of changes to tighten security
minutes before the signups closed. around for a while which propose itself relies on 6LoWPAN, a competitor
this talk. Attendees will leave with implementation bugs after getting my userland, or in the kernel? Come to our across its fragmented landscape.
methods for identifying vulnerabilities of the initial ZigBee protocol. Efficient
several ways to defend against mouse hands on various Garmin devices. talk and find out. We will demonstrate However, Google is not alone in Characteristically, we proceeded to in kernels, in particular POSIX kernels. IP-based penetration testing tools have
jigglers and the knowledge of how the collection of user metadata and the struggle to keep Android safe. put everything off until the last minute,
After a brief introduction to the ANT, However, none of these identified a been available to security auditors
to create their own mouse jigglers. collecting this information in a live Qualcomm, a supplier of 80% of the and spent 3 sleepless weeks preparing
ANT+ and ANT-FS protocols, Ill explain method for generic fuzzing across for years now. However, it is not that
browser session. Then we will show chipsets in the Android ecosystem, has our Cyber Reasoning System for
and demo both the implementation Windows and POSIX kernels and have easy to use them in the context of a
you how to intercept your personal almost as much effect on Androids the contest. Our efforts paid off and, not been updated for some time.

54 55
6LoWPAN network since you need First, a radio scanner capable As well as doctoral programs in cybersecurity
to be able to join it first. In fact, the of identifying IEEE 802.15.4 and management and decision sciences. Capitol is
At the No Starch ACLU B u mp M y L o c k
difficult part is to associate with the infrastructures and for each one of regionally accredited by Middle States Association of
Press Table in the
underlying IEEE 802.15.4 infrastructure. them their specificities, including several Colleges.
Vendor Area!
deviations from the standard that we
Indeed, this standard already has two
encountered in actual security audits.
iterations since its release in 2003 and
it provides with several possibilities Secondly, a border router capable 8/5 C a r H a c k in g V il l a g e
regarding network topology, data of routing IPv6 datagrams between 1:00pm
Craig Smith http://www.carhackingvillage.com
transfer model and security suite. Ethernet and 6LoWPAN networks
http://bumpmylock.com/
Unfortunately, there is no off-the- while adapting to the specificities The Car Hacker's
shelf component that provides, out identified by the scanner. As a result, Handbook Bump keys, lock picks and training tools. Bump My
https://www.aclu.org
Lock has served thousands of customers worldwide
of the box, with such a wide range of the combination of both effectively
For nearly 100 years, the ACLU has been our nations since 2007. If we dont have it at the booth, go C a r ne g ie Me l l o n U ni v e r s i t y
capabilities. Worst still, some of them allows security auditors to use available 8/5
deviate from the standard and can IP-based penetration testing tools 3:00pm guardian of liberty, working in courts, legislatures, and to our site http://www.bumpmylock.com. Free https://ini.cmu.edu
only communicate with components on different 6LoWPAN networks. Georgia Weidman communities to defend and preserve the individual demonstrations and training at our booth. The Information
from the same manufacturer. In this Penetration rights and liberties that the Constitution and the Bump My Lock is celebrating our 6th year at DEF Networking Institute
paper, we present the ARSEN project: Testing laws of the United States guarantee everyone in this CON by showcasing our own line of lock picks!! This (INI) offers full-time
Advanced Routing for 6LoWPAN country. year, we will feature our Black Diamond sets and our masters degrees in
and Ethernet Networks. It provides 8/5 Whether its achieving full equality for lesbians, gays, Ruby sets. So come see us for all your Lock Pick Sets, information security
security auditors with two new tools. 4:00pm bisexuals and transgender people; establishing new Bump Keys, Clear Practice Locks, Jackknife Pick Sets, at Carnegie Mellon
Michael Schrenk privacy protections for our digital age of widespread Hackware, and more. University. We are the
Webbots, Spiders, government surveillance; ending mass incarceration; Need more help? We have a vast number of articles educational partner
and Screen or preserving the right to vote or the right to have and videos on lock picking on our blog or your tube of Carnegie Mellon
Scrapers, 2nd an abortion; the ACLU takes up the toughest civil channel. If you are a beginner or a master locksmith CyLab, a world leader
Edition liberties cases and issues to defend all people from we have the tools for you. in both technological
government abuse and overreach. research and the
As always, a percentage of our proceeds will go to the
With more than a million members, activists, and education of professionals in information assurance,
Miracle Match Foundation.
8/6 supporters, the ACLU is a nationwide organization security technology, business and policy. Our technical,
1:00pm that fights tirelessly in all 50 states, Puerto Rico, and Long live Barcode! interdisciplinary curriculum allows you to customize
Nick Cano Washington, D.C. to safeguard everyones rights. the degree to explore your individual career goals and
Game Hacking interests.

8/6
Brian Stop by to chat with Kari, our admissions director.
She can tell you all about how our students routinely
2:00pm B r e a k p o in t B r u s h w o o ds dominate CTFs, pursue research with leaders in the
Jon Erickson B o o ks
Hacking: The Art Scam School field and nab competitive jobs everywhere from
Silicon Valley to Wall Street.
of Exploitation, http:// https://www.youtube.
2nd Edition breakpointbooks.com com/user/scamschool
Full scholarships are available for U.S. citizens.
Stop by and browse From lock picks and magic
8/6 the wide selection of tricks to clever novelty
3:00pm security-related books on items, if its designed to get C o b a lt S t r ik e
Violet Blue display this weekend. The you ahead in life, youll find it at Scam Stuff look for
The Smart Girl's latest and greatest books
Guide to Privacy available in the industry us at the Hak5 booth!
also include books
authored by DEF CON https://www.cobaltstrike.com
presenters. Check out the wide selection of games C a p i t o l T e c hn o l o g y U ni v e r s i t y
available strategy, card, dice, and deck-building. Buy a Cobalt Strike is a platform for Adversary Simulations
game and start playing today. https://captechu.edu and Red Team Operations.
Capitol Technology
University, located
in Laurel Maryland, Duo Security
offers degrees in
engineering, computer http://www.duosecurity.com
science, cybersecurity, Duo Security is a cloud-based trusted access provider
and business. Offering protecting the worlds fastest-growing companies
online certificates, bachelors and masters degrees, and thousands of organizations worldwide, including
which includes a masters in astronautical engineering. Dresser-Rand Group, Etsy, NASA, Facebook, K-Swiss,
56 57
The Mens Wearhouse, Paramount Pictures, Random LAN Turtle. The Hak5 crew, including hosts Darren Their main offering, the bladeRF, is a versatile USB 3.0
House, SuddenLink, Toyota, Twitter,Yelp, Zillow, and Kitchen, Shannon Morse and Patrick Norton, are device that provides a 300 MHz to 3.8 GHz tuning
more. Duo Securitys innovative and easy-to-use G he t t o G e e ks Hacker Stickers VENDING ALL THE THINGS and celebrating 10 Keyport range, full duplex operation, 12-bit samples at up to 40
technology can be quickly deployed to protect users, year of Hak5! Come say EHLO and check out our MSPS, and an instantaneous bandwidth up to 28 MHz.
data, and applications from breaches, credential theft sweet new tactical hacking gear! Everything from WiFi This device has found a home in application domains
and account takeover. Duo Security is backed by Hot-Spot Honey-Pots to Keystroke Injection tools, including GSM and LTE base stations, digital television,
Benchmark, Google Ventures, Software Defined Radios and Covert LAN Hijackers GPS simulation, medical imaging research, and wireless
Radar Partners, Redpoint are available at the Hak5 booth. security. Check out their booth to see demos and
Ventures and True Ventures. Duo http://ghettogeeks.com learn more!
Security is a cloud-based trusted Well were back at it again, and have been working
access provider protecting hard all year to bring you the freshest awesome that http://mykeyport.com
the worlds fastest-growing we can. If you have been to DEF CON, layerone,
H a c k e r s t r ip Keyport combines keys, pocket tools, & smart tech
companies and thousands toorcon, phreaknic, or other conferences we have into one everyday multi-tool. This year we are bringing
P w nie E x p r e s s
of organizations worldwide, been at, you definitely know what so of shenanigans our brand new modular product line including the https://www.
including Dresser-Rand Group, Etsy, NASA, Facebook, http://hackerstickers.com
we are up to. If you have never seen us, feel free to Keyport Slide 3.0 & Keyport Pivot (holds your existing pwnieexpress.com
K-Swiss, The Mens Wearhouse, Paramount Pictures, come by and take a look at what we have to offer. HackerStickers.com offers unique t-shirts, stickers, keys), along with our new tech & tool modules which Pwnie Express
Random House, SuddenLink, Toyota, Twitter,Yelp, hardware, hacks and lock picks for hackers, whitehats includes a Pocketknife, Bluetooth Locator, and Mini- provides the
Zillow, and more. Always fun, always contemporary, GhettoGeeks has and nerds alike. Follow us on Facebook and Twitter
some for the tech enthusiast (or if you prefer, hacker) Flashlight. Sign up for our new Maker Program and industrys only
Duo Securitys innovative and easy-to-use technology (@HackerStickers) for sneak peaks on new designs design/hack/build youre own compatible Keyport solution for
can be quickly deployed to protect users, data, and special offers. HackerStickers has partnered with modules. Dont forget to bring your keys to the continuous detection, identification and classification
and applications from breaches, credential theft LockPicking101.com offering a great collection of lock vendor area! of wireless, wired and Bluetooth devices putting
and account takeover. Duo Security is backed G u nn a r O p t iks pick and also a lock pick board on site with hands-on
http://hackerstrip.com organizations at risk. Connected devices in the
by Benchmark, Google Ventures, Radar Partners, demonstrations. enterprise represent one of the fastest growing
Hackerstrip is a comics website that publishes comics
Redpoint Ventures and True Ventures. threats, unaddressed by existing security solutions. The
about hackers and their real life stories. These comics N o S ta r c h P r e s s Pwnie Express SaaS platform, Pulse, provides complete
Try it for free at www.duosecurity.com. are aimed at providing work based entertainment
http://www.gunnars.com H a c k e r Wa r e h o u s e to security professionals and all kinds of information
http://www.nostarch. device coverage, including employee owned (BYOx),
com rogue and company-owned devices across the entire
GUNNAR Optiks is the only patented computer security enthusiasts.
Thanks to you, weve enterprise, including remote sites. To learn more about
EFF eyewear recommended by doctors to protect and Hackerstrip was started by Raak aka Ravi Kiran from
been publishing great Pwnie Express visit www.pwnieexpress.com.
enhance your vision. Our premium computer eyewear India who works as an IT Security consultant. The
defends eyes from the effects of digital eye strain books for hackers since Founded in Vermont in 2010 to leverage and build
team includes Amer Almadani, Larry Suto, SantaPlix
which can include; dry eyes, headaches, blurry vision, 1994; each one still upon the power of open source security projects,
eye fatigue, altered Circadian Rhythms, and insomnia. handcrafted like a good Pwnie Express monitoring software and pentesting
End the pain of DIGITAL EYE STRAIN. bottle of bourbon. Our sensors are in use by more than 1,500 companies
J o hn S und m a n titles have personality, globally. From Fortune 500 companies to government
our authors are agencies and security service providers, Pwnie Express
http://johnsundman. passionate, and our bolsters their security programs, while also help
Hackers for Charity com
books tackle topics that people care about. We read companies meet compliance requirements. Pwnie
http://hackerwarehouse.com Sundman is a master and edit everything we publishtitles like The Car remains dedicated to creating game-changing products
HACKER WAREHOUSE is your one stop shop for of machines Hackers Handbook, Hacking: The Art of Exploitation, and services for our customers and the global InfoSec
https://www.eff.org computing, biological
hacking equipment. We understand the importance of Automate the Boring Stuff with Python, Black Hat community to improve the security of our Internet-
The Electronic Frontier Foundation (EFF) is the tools and gear which is why we carry only the highest and political and his Python, Teach Your Kids to Code, and more. Everything connected world.
leading organization defending civil liberties in the quality gear from the best brands in the industry. From books include details in our booth is 30% off (maybe a little more) and all
digital world. We defend free speech on the Internet, WiFi Hacking to Hardware Hacking to Lock Picks, we that will convince an print purchases include DRM-free ebooks. Weve got
fight illegal surveillance, support freedom-enhancing carry equipment that all hackers need. Check us out expert, and yet enchant new swag and samples of forthcoming titles like Game
technologies, promote the rights of digital innovators, at HackerWarehouse.com. a distant outsider Hacking, Gray Hat C#, and Rootkits and Bootkits. R a p id7
and work to ensure that the rights and freedoms we with a compelling
enjoy are enhanced, rather than eroded, as our use of http://www.hackersforcharity.org page-turner plot. Not just plot and mechanisms, but
technology grows. Stop by our table to find out more, Hackers for Charity is a non-profit organization unforgettable personalities that haunt us long after the
pick up some gear, or even support EFF as an official that leverages the skills of technologists. We solve Hak5 pages stop. N u a nd
member. technology challenges for various non-profits and George Church, synthetic biologist, Harvard and http://nuand.com/ http://www.rapid7.com
http://hak5.org
provide equipment, job training and computer MIT Nuand develops Rapid7 cybersecurity analytics software and services
Complete your
education to the worlds poorest citizens. Software Defined reduce threat exposure and detect compromise for
Hacking Arsenal
with tools from Radio (SDR) 4,150 organizations, including 34% of the Fortune
Hak5 - makers of platforms for 1000. From the endpoint to cloud, we provide
the infamous WiFi students, hobbyists, comprehensive real-time data collection, advanced
Pineapple, USB Rubber Ducky, and newly released and professionals.

58 59
correlation, and unique insight into attacker With the largest Ethernet wireless high power cards and devices, other their computers
techniques to fix critical vulnerabilities, stop attacks, selection of lock picks, interesting goodies to be seen only at the table! And and networks.
and advance security programs. covert entry and SERE new design T-shirts. 3 6 0 U ni c o r n T e a m Untangle is W o me n in S e c u r i t y a nd P r i va c y
tools available at DEF committed
CON its guaranteed to putting its
we will have gear you transparently
S e c u r e Nin j a have not seen before. TOOOL priced software
https://secureninja. New tools and classics directly in the
com will be on display and hands of its users for evaluation via free download.
SecureNinja provides available for sale in a http://www.360safe.com With this try-before-you-buy approach, Untangle
specialized cybersecurity hands on environment. Qihoo360s UnicornTeam consists of a group of enables organizations to take control of their
training and consulting Our Product range brilliant security researchers. We focus on the security systems within minutes and at no risk. Untangle
services. In addition, covers Custom Titanium toolsets, Entry Tools, of anything that uses radio technologies, from small is headquartered in San Jose, California. For more
SecureNinjaTV produces Practice locks, Bypass tools, Urban Escape & Evasion things like RFID, NFC and WSN to big things like information, visitwww.untangle.com.
hardware and items that until recently were sales https://www.wisporg.com
cybersecurity video http://toool.us/
GPS, UAV, Smart Cars, Telecom and SATCOM. Our
tutorials and coverage restricted. SPARROWS LOCK PICKS and TOOLS primary mission is to guarantee that Qihoo360 Women in Security and Privacy (WISP) is a nonprofit
will be displaying a full range of gear including their The Open Organisation Of Lockpickers is back is not vulnerable to any wireless attack. In other organization that promotes the development,
of hacker events from
newly released Core Shims., Sandman and Lock Outs. as always, offering a wide selection of tasty lock words, Qihoo360 protects its users and we protect
W i c k r F o u nd at i o n advancement, and inclusion of women in security and
around the world-
found at YouTube.com/SecureNinja. For our annual The WOLF will also be available to the public for the goodies for both the novice and master lockpicker! A Qihoo360. H u m a n R i g h t s F o u nd at i o n privacy. We have five main objectives:
participation as a DEF CON vendor, SecureNinja first time in limited quantities. All products will be variety of commercial picks, handmade picks, custom Education: help women identify and achieve the level
designs, practice locks, handcuffs, cutaways, and other During our research, we create and produce various
creates an exclusive batch of NinjaGear for ninjas of demonstrated at various times and can be personally of education and skills required to succeed in security
neat tools will be available for your perusing and devices and systems, for both attack and defence
all ages. tested for use and efficacy. and privacy positions across multiple industries
enjoyment! Stop by our table for interactive demos purposes.
For the first time this year, we will offer a membership For example: Mentoring & Networking: foster a community for
of this fine lockpicking gear or just to pick up a T-shirt
package to our new Online SenseiSeries training knowledge-sharing, collaboration, mentoring, and
and show your support for locksport. SkyScan: An enterprise scale wireless intrusion
portal- complete with gear to transform participants shadowvex All sales exclusively benefit TOOOL, a 501(c)3 non- prevention system originally designed to protect
networking
into true cybersecurity ninjas! Qihoo360s internal WiFi network but has now been Advancement: support the career advancement of
profit organization.You can purchase picks from many
made available as a commercial wireless security women in security and privacy
fine vendors, but ours is the only table where you
know that 100% of your money goes directly back to solution. Leadership: increase thought leadership by women in
Security Snobs the hacker community. HackID: A RFID entry badge spoofer. security and privacy
SecUSB: A USB cable bridge that is used to protect Research: conduct independent research related to
mobile devices when users connect them to malicious recruitment, retention, and advancement of women in
https://www.wickr.org/ security and privacy
http://store.shadowvexindustries.com U ni v e r s i t y o f A d va n c in g charger.
https://humanrightsfoundation.org/
Shadowvex Industries (SVX) - more than 20 years To facilitate the work of you fellow security
of pouring blood, sweat & gears into hacker-relevant,
T e c hn o l o g y researchers or hackers if you prefer, we bring our Wickr Foundation is a global initiative focused
limited edition clothing, DJ mixes, stickers, buttons, art http://uat.edu whole arsenal to DEF CON 24. on building the Private Web by advancing private
prints and more. Miss DJ Jackalope, aka DEFCONs communication and uncensored information. Wickr
The University of
resident DJ mixtress, has been teaming up with us Foundations mission is to provide security and
https://SecuritySnobs.com Advancing Technology
for more than a decade with her own DJ mixes and privacy tools and education to at-risk populations
Security Snobs offers High Security Mechanical Locks
awesome swag. Follow the music in the vending area
(UAT) is a private Uni x S ur p l u s underserved by commercial markets, including human
and Physical Security Products including door locks, university located in
to find our booth! If you want to bring home your rights activists, journalists, and children. Among
padlocks, cutaways, security devices, and more. We Tempe, Arizona, offering http://UnixSurplus.
piece of DEF CON history, you need to get here com the Foundations first security-centric investments
feature the latest in security items including top academic degrees
early - our year-specific designs are only available @ is Whistler, a secure communications and education
brands like Abloy, BiLock, EVVA, KeyPort, Mobeye, focused on new and Home of the $99 1U Server
DEFCON and only while supplies last! hub for human rights activists and citizen reporters
Anchor Las, and Sargent and Greenleaf.Visit https:// emerging technology 1260 La Avenida St Mountain View, CA 94043 living under authoritarian regimes.
SecuritySnobs.com for our complete range of disciplines. UAT offers
Toll Free: 877-UNIX-123 (877-864-9123) Human Rights Foundation (HRF) is a nonpartisan
products. Stop by to see the new and coming soon a robust suite of regionally accredited graduate and
undergraduate courses ranging from Computer nonprofit organization that promotes and protects
products in high security and con specials! S imp l e W iF i Science and Information Security to Gaming and human rights globally, with a focus on closed societies.
HRF unites people in the common cause of defending
http:// New Media. UAT has been designated as a Center for U n ta n g l e human rights and promoting liberal democracy. Its
simplewifi.com Academic Excellence in Information Systems Security
Serepick For PenTesting and Education by the US National Security Agency. www.untangle.com mission is to ensure that freedom is both preserved
unwired Internet Programs are available online and on-campus. Untangle makes an integrated suite of security and promoted around the world.
http://www.serepick.com
Security Specialists: software and appliances with enterprise-grade
Manufacturer of Lock Picks & COVERT ENTRY Wireless, WiFi antennas, cables, connectors, USB and capabilities and consumer-oriented simplicity.
TOOLS Untangles award-winning software is trusted by over
400,000 customers, protecting nearly 5 million people,

60 61
DEF CON 101 Track 1 Track 2 Track 3 DEF CON 101
Machine Duping 101: Pwning Deep Introduction the Wichcraft Compiler BSODomizer HD: A mischievous
Feds and 0Days: From Before DARPA Cyber Grand Challenge
10:00

Collection : Towards universal code FPGA and HDMI platform for the (m)

10:00
Learning Systems Heartbleed to After FBI-Apple Award Ceremony
theft asses
Clarence Chio Jay Healey Mike Walker & Dr. Arati Prabhakar
Jonathan Brossard (endrazine) Joe Grand (Kingpin)&Zoz
Maelstrom - Are You Playing with a
11:00

Compelled Decryption - State of the

11:00
Full Deck?... Project CITL DEF CON Welcome & Badge Talk Meet the Feds
Art in Doctrinal Perversions
Shane Steiger Mudge Zatko &Sarah Zatko L0sT & The Dark Tangent Jonathan Mayer & Panel
Ladar Levison

Beyond the MCSE: Red Teaming Active Honey Onions: Exposing Snooping Tor CAN i haz car secret plz?

12:00
Directory HSDir Relays Javier Vazquez Vidal &Ferdinand
12:00

Sean Metcalf Guevara Noubir & Amirali Sanatinia BlockFighting with a Hooker Noelsche 411: A framework for managing
BlockfFghter2! security alerts
K2 Cheap Tools for Hacking Heavy Trucks Kai Zhong

12:30
Frontrunning The Frontrunners
13:00

Weaponize Your Feature Codes Six_Volts &Haystack


Dr. Paul Vixi
Nicholas Rosario (MasterChen)

Research on the Machines: Help the (Ab)using Smart Cities: the dark age of How to Make Your Own DEF CON Sentient Storage - Do SSDs Have a

13:00
Realtime bluetooth device detection FTC Protect Privacy & Security modern mobility Black Badge Mind of Their Own?
14:00

with Blue Hydra


Terrell McSweeny & Lorrie Cranor Matteo Beccaro & Matteo Collura Badge Hacker Panel Tom Kopchak
Zero_Chaos & Granolocks
A Monitor Darkly: Reversing and
How to design distributed systems Direct Memory Attack the Kernel Anti-Forensics AF
Hacker Fundamentals and Cutting Exploiting Ubiquitous...

14:00
15:00

Through Abstraction resilient despite malicious participants Ulf Frisk int0x80


Ang Cui
LosT Radia Perlman

The Remote Metamorphic Engine:


16:00

DEFCON 101 Panel How To Remote Control An Airliner: Slouching Towards Utopia: The State of
Detecting, Evading, Attacking the AI 101 Ways to Brick your Hardware

15:00
( Until 17:45 ) Security Flaws in Avionics the Internet Dream
and Reverse Engineering Joe FitzPatrick & Joe Grand
Sebastian Westerhold Jennifer S. Granick
Amro Abdelgawad

Side-channel attacks on high-security Breaking the Internet of Vibrating

16:00
electronic safe locks Things...
Robot Hacks Video Games: How
TASBot Exploits Consoles with Plore follower & goldfisk 101 Ways to Brick your Hardware
Custom Controllers Joe FitzPatrick & Joe Grand
Samsung Pay: Tokenized Numbers,

16:30
Allan Cecil (dwangoAC) Flaws and Issues
Salvador Mendoza

17:00
Mr. Robot Panel
Hacking Next-Gen ATMs From Sk3wlDbg: Emulating all (well many) of Malware Command and Control
Capture to Cashout. the things with Ida Channels: A journey into darkness
Weston Hecker Chris Eagle Brad Woodberg

17:30
62 63
Track 1 Track 2 Track 3 DEF CON 101 Track 1 Track 2 Track 3 DEF CON 101
I Fight For The Users, Episode Escaping The Sandbox By Not How to do it Wrong: Smartphone How to get good seats in the security
Developing Managed Code Rootkits Hacking Hotel Keys and Point of Sale
How to overthrow a Government I - Attacks Against Top Consumer Breaking It Antivirus and Security Applications Examining the Internets pollution theater? Hacking boarding passes for

10:00
10:00

for the Java Runtime Environment systems ...


Chris Rock Products Marco Grassi & Qidan He Under Fire Karyn Benson fun & profit.
Benjamin Holland (daedared) Weston Hecker
Zack Fasel & Erin Jacobs Stephan Huber & Siegfried Rasthofer Przemek Jaroszewski

Jittery MacGyver: Lessons Learned Secure Penetration Testing Operations: Vulnerabilities 101: How to Launch or
Light-Weight Protocol! Serious Picking Bluetooth Low Energy Locks Hiding Wookiees in HTTP - HTTP Discovering and Triangulating Rogue Use Their Machines Against Them:
Improve Your Vulnerability Research

11:00
from Building a Bionic Hand out of a Demonstrated Weaknesses in
11:00

Equipment! Critical Implications! from a Quarter Mile Away smuggling... Cell Towers Loading Code with a Copier
Coffee Maker Learning Material and Tools Game
Lucas Lundgren & Neal Hindocha Anthony Rose & Ben Ramsey regilero JusticeBeaver Mike
Evan Booth (Fort) Wesley McGrew Joshua Drake & Steve Christey Coley
Game over, man! - Reversing Video
Bypassing Captive Portals and Limited Stargate: Pivoting Through VNC To Attacking BaseStations - an Odyssey Lets Get Physical: Network Attacks Games to Create an Unbeatable AI So you think you want to be a
Networks Own Internal Networks through a Telcos Network Against Physical Security Systems Player penetration tester

12:00
12:00

Grant Bugher Yonathan Klijnsma & Dan Tentler Hendrik Schmidt & Brian Butterly Ricky HeadlessZeke Lawshae Dan AltF4 Petro Anch
CANSPY: A Framework for Auditing
Attacking Network Infrastructure to
CAN Devices
Generate a 4 Tb/s DDoS for $5
Jonathan-Christofer Demay & Arnaud Can You Trust Autonomous Vehicles: Drones Hijacking - multi-dimensional
Luke Young

13:00
Retweet to win: How 50 lines of Lebrun Backdooring the Frontdoor Mouse Jiggler Offense and Defense
pin2pwn: How to Root an Embedded Contactless Attacks ... attack vectors & countermeasures
Python made me the luckiest guy on Jmaxxz Dr. Phil
Linux Box with a Sewing Needle
12:30

Twitter Jianhao Liu,Wenyuan Xu,Chen Yan Aaron Luo


Brad Dixon
Hunter Scott VLAN hopping, ARP poisoning
An introduction to Pinworm: man in & MITM Attacks in Virtualized Toxic Proxies - Bypassing HTTPS &
Help, Ive got ANTs!!!
Six Degrees of Domain Admin ... MouseJack: Injecting Keystrokes into Cunning with CNG: Soliciting Secrets NG9-1-1: The Next Generation of the middle for your metadata Environments VPNs to pwn your online identity

14:00
13:00

Wireless Mice from Schannel Emergency Ph0nage Tamas Szakaly


Andy Robbins, Rohan Vazarkar, Will bigezy & saci Ronny Bull, Dr. Jeanna N. Matthews, Alex Chapman & Paul Stone
Schroeder Marc Newlin Jake Kambic CINCVolFLT & AK3R303