Defcon 26 Program

WELCOME TO DEF CON 26 Underground network
What if you could go back in time to This will be our second and final year NETWORK INSTRUCTIONS:======== DCTV RETURNS!
1983, frighteningly close to George here. The biggest change for us is
The DEF CON NOC delivers the cyberz throughout This time we are broadcasting live to the Hotel
Orwell’s 1984? It would be a year our outgrowing Caesars Palace and the different properties the conference is held. TVs again! This year we will be in six hotels on the
before full control of information, dis- expanding to the Flamingo and Linq strip! For more information on TV Channels & links
If you want to get online, remember there are two to the live streams visit DCTV.defcon.org. Please
information, false history narratives, hotels. What happens when we finally (and only two) official ESSIDs you should use to also check twitter @DEFCON_TV for info about our
your loss of personal agency and out-grew the big convention spaces access the intertubes: feeds or feedback for our team.
identity. As a hacker, researcher, artist in one property? It is something I
The encrypted one with 802.1x authentication and We are planning to have the DCTV talks on the in-
or academic, what would you do to try have thought and worried about digital certificate verification (DefCon) and the room TVs in the following properties this year:
and prevent this? That thought inspired for a number of years. Do you cap unencrypted, wild-west of the wireless networks
the theme of DEF CON this year. It’s attendance and do on-line registration, (DefCon-Open). Please choose wisely. Caesars, Paris, Ballys, Flamingo, Linq, and Harrahs.
not ‘84 yet, but it feels like we are or find a way to grow for everyone that Despite the fact that the 802.1x Godz seemed to Do note that Flamingo, Linq, and Harrahs are new
getting awfully close. What will you do? wants to attend? Each has risks. have smiled at us for the past couple of years, for us this year, and we may run into unforeseen
never forget we’re talking about the Wi-Fiz: where issues, but will work as hard as we can to get all six
I went with growth for everyone, and radio wavez make packets fly and digital voodoo properties on-line for your viewing pleasure.
makes the communications secure, dodging the
that means new space so we could blockchains and those pineapples along the way.
add new villages, workshops, parties,
and events that we simply didn’t have We test stuff before we go onsite, but things might
change on how all operating systems, drivers and
space for last year. We are letting fresh users deal with the Wi-Fiz. There are might be
THE DEF CON MEDIA SERVER IS
BACK AGAIN!
villages in to try something new and some devices out there that really do not like 802.1x
take risks, expanding the workshops, with PEAP authentication. In particular, for quite https://10.0.0.16/ or
a while some Android platforms wouldn’t verify
and even having a pool for evening the RADIUS server certificate prior to sending the https://dc26-media.defcon.org/
parties again at the Flamingo! user’s credentials to enter the network. And this is
not cool. Browse and leech files from all the past DEF CON
We purchased all new DC TV gear conferences and find this year’s presentation
And, choosing for the device to “not verify server materials, white papers, slides, etc.
to expand our speaking tracks to certificate” will probably not only let that device
six hotels, and have been working connect to one of the hundreds of rogue access Since last year the DEF CON collection has been
hard to record as much content as points on the show floor but will also send your updated as well as many more hacking conferences
login credentials to a rogue radius server. This is added to the infocon.org collection.
possible. I’m a believer in the “If you
also a bad thing.
didn’t record it then it didn’t happen” We expect you to leech at full speed, and the server
philosophy, with people all over the Because of these, and a bunch more cyber is warmed up and ready to go. Enjoy!
common sense (™) reasons, do not, I repeat, do
world wishing they could be here and I NOT choose the same credentials (aka: username To make things easier for you here are some
want to share our content with them. and password) used for your important stuffz, like example wget commands and TLS certificate
shopping sites, online-banking, the pornz, your information:
A conference this big can’t happen windows domains (yeah, it happened before) to
The dc26-media.defcon.org TLS certificate
without the help of hundreds of connect to the hacker conference network.
fingerprint:
Goons, speakers, village organizers, For updated information and instructions on
Serial Number:
artists, work shop trainers, demo labs how to connect to the Wi-Fi with the n0t-s0-1337
Operating Systems along with the link to download 0250E3021BFB8B91D364BB71F739B71D
creators, CTF teams, party planners,
the digital certificate to be used, visit https://wifireg.
and more. At last count almost 1,600 defcon.org. And if you don’t know how to properly
(SHA256) DCE6 CEC3 4CE7 DAA2 D998 9151
D6DA C549 40F8 D841
people are involved in throwing this configure the Wi-Fiz on your üb3r-1337 linux distro,
party. I’d like to thank them for helping you should consider a new platform. EXAMPLE wget command to download all of DEF
build DEF CON, and thank you for CON 25:
For other NOC updates visit https://www.
attending! defconnetworking.org and also wget -np -m “https://dc26-media.defcon.org/
infocon.org/cons/DEF CON/DEF CON 25/”
The Dark Tangent follow us on the twitterz @DEFCON_NOC
2 3
THE BADGE is found all over the world – from the
hacker soldering wires in a garage
Each badge’s story is simple to
interface with via the direction pad
to the researcher studying neural and + / - buttons. Your character is
networks in a research institute. We highlighted in green and depending on
also wanted to acknowledge that your decisions, you can move to new
the hacker community encompasses rooms, gain different clues, and open
more than those with programming or closed doors. Interacting with others
hardware hacking skills, it also includes from different groups will also help you
the teachers, artists, and journalists. as you work towards being the best
Welcome to DEFCON City: hacker you can be. But be careful,
depending on what kind of hacker you
·Humans – White Soldermask/Black are, the red guard that roves around
Silkscreen = Garage the same board may be your friend, or
·Contest – Yellow Soldermask/Black enemy. Additional clues can be found
Silkscreen = Library if you plug the badge in, and yet even
more if you can gain control of various
·Goon – Red Soldermask/White elements of the badge.
Silkscreen = Prison
The balance of what kind of hacker you
·Artist – White Soldermask/Blue are is reflected in the DEFCON logo
Silkscreen = Gallery between Red and Green lights. Each
choice that contributes to a dystopian
·Press – Green Soldermask/White
future will be reflected in Red, and
Silkscreen = Broadcast Station
each choice that helps future hackers
·Vendor – Purple Soldermask/White will be reflected in Green.
Silkscreen = Factory
Here’s to a greener future! Enjoy the
·Speaker – Blue Soldermask/White DEFCON 26 Badge!
Silkscreen = Theater
The year is 1983. The state of minute changes we allow ourselves
humanity as we know it rests on the to accept. It is in these seemingly ·Call for Papers (CFP) – Orange
precipice of an Orwellian collapse! inconsequential concessions that we Soldermask/White Silkscreen = School
choose to either be part of the solution
Or does it? or contribute to a dystopian future.
If we were to graph out the cultural Food for thought: Everyone is branding
health of a society, we might think to web cam covers for your laptop.
create a drastic cliff coinciding with With that inspiring message, we
the events captured in George Orwell’s present this year’s Defcon 26 badge
1984. We might even say that as a created by the Tymkrs! Each badge
people, we would obviously never consists of an interactive web of
allow our values to become controlled decisions you need to make which not
by paranoia, fear, and Big Brother. only define what “kind of hacker” you
Reality, however, is much less are but also impacts and changes the
dramatic. Societal values develop from individuals you associate with. The
the little details, the decisions made by overall design aesthetic of the badge
individuals on a day to day basis, and highlights that the hacker community
4 5
GOONS CO N FE R E N CE CO D E OF
CO N DU C T
Last updated 3.6.15
DEF CON provides a forum for open discussion

between participants, where radical viewpoints
are welcome and a high degree of skepticism is
expected. However, insulting or harassing other
participants is unacceptable. We want DEF CON to
be a safe and productive environment for everyone.
It’s not about what you look like but what’s in your
mind and how you present yourself that counts at
DEF CON.
We do not condone harassment against any

participant, for any reason. Harassment includes
deliberate intimidation and targeting individuals
in a manner that makes them feel uncomfortable,
unwelcome, or afraid.
Participants asked to stop any harassing behavior D E F CO N SU PP O RT

DEF CON Goons are the electrons that enable the conference to run, and are expected to comply immediately. We reserve H OTLI N E
should you have a question or need help they are there for you. Here are the right to respond to harassment in the manner
some goon facts: we deem appropriate, including but not limited to Sometimes you may not want to contact a Goon at
expulsion without refund and referral to the relevant the Info Booth or walking around in person with a
New for DEF CON 26 Goons should all have authorities. problem, and so this year we have added a phone
visible patches with their nickname on them option to tell us about concerns.
so it is easier to remember who you talk to This Code of Conduct applies to everyone
about what. participating at DEF CON - from attendees and You can reach DEF CON staff during normal hours
exhibitors to speakers, press, volunteers, and of operation (8am to 4am) to anonymously report
Goons are in one of two states, either ON duty or OFF duty. Goons. any behavior violating our code of conduct or to
find an empathic ear by calling +1 (725) 867-7255.
If they are ON DUTY they will be wearing a current year, red, DEF CON Anyone can report harassment. If you are being
26 Goon shirt, a current year Goon badge, and a name harassed, notice that someone else is being For relevant issues, we are collaborating with
patch. harassed, or have any other concerns, you can several organizations including Kick at Darkness,
contact a Goon, go to the registration desk, or info The Rape Crisis Center Las Vegas, and the Nevada
If Goons are OFF DUTY they will not be wearing the booth. Coalition to End Domestic and Sexual Violence to
red Goon shirt, but may still have a Goon badge on so provide expert resources for survivors, including
they can still access the meeting spaces. Conference staff will be happy to help participants dedicated support for LGBTQ+.
contact hotel security, local law enforcement, or
Goons ON DUTY are not supposed to drink alcohol. otherwise assist those experiencing harassment to
feel safe for the duration of DEF CON.
Goons OFF DUTY have been known to drink alcohol.
Remember: The CON is what you make of it, and as
PAST Goons may seen wearing previous red shirts or
a community we can create a great experience for
badges as they helped run a past DEF CON, but that
everyone.
DOES NOT make them a current DEF CON 26 Goon.
- The Dark Tangent
On almost all the Goon shirts there is a department
name on the back to tell you what department you are
talking with. Please use this and the name patch if you
have any feedback on Goons, good or bad. Feedback
can be sent to [email protected]
Goons Goon for many reasons, but the pay isn’t one of them. They put
in long hours and many weeks or months of planning and take time off
work to make the con happen for everyone. Please feel free to ask them
questions if you have any desire to join the ranks at a future Con.
6 7
CAPTURE THE FLAG AT DEF CON 26
CAPTURE THE FLAG? WHO IS THE ORDER OF THE
OVERFLOW?
Capture the Flag is a hacking competition in which
teams to compete out-hack each other. Originating We have been here for a while. We wandered the
over two decades ago at DEF CON 4, CTF has now halls in awe of the master hackers at DEF CON 9.
grown to become a global phenomenon. CTFs are We spent sleepless nights competing against them
held every weekend, and teams join online or fly every year since DEF CON 12. We have been the
around the world to test their skills. hackers, and we have been the hacked. Now, as
the new organizers of DEF CON CTF, we hope to
Traditionally, DEF CON CTF has been an “attack/
shepherd the game through the next generation of
defense” CTF: teams are provided identical sets of
technological and societal shifts. Just as importantly,
network services, and must defend their instances
we will keep DEF CON CTF a spectacle that can be
of these programs while exploiting vulnerabilities
used to inspire the next generation, who, just like we
in the instances run by their opponents. That being
used to do, will first wander the halls in awe of the
said, each organizer has leeway to shape the game
players and then hack them to shreds a decade later.
to their vision. This year, we have introduced a
twist on the format, and will continue to tinker and
experiment throughout our tenure.
RESOURCES
Only the top teams in the world are invited to DEF The following resources may be helpful to interested
CON. Teams qualify by performing well in the DEF hackers!
CON Qualifier event (held online in May), by winning
Our philosophy: https://www.oooverflow.io/
a number of other prominent Capture the Flag
philosophy.html
competitions, or, of course, by winning last-year’s
DEF CON CTF. Game announcements: https://twitter.com/
oooverflow
This year, we have gathered the world’s top 24
teams. The teams are: DEF CON CTF scoreboard: https://ctf.oooverflow.io
0daysober CTF tracker: https://ctftime.org
A*0*E
BFS
binja
C.G.K.S
DEFKOR00T
Dragon Sector
WELCOME TO DEF CON CTF 26, HITCON
A NEW ORDER FOR A NEW ERA. hxp
KaisHack+PLUS+GoN
For decades, upstanding cybercitizens suffered cybercitizens of the world be held hostage by koreanbadass
the chaos of unchecked security vulnerabilities, malicious hackers, who exploit vulnerabilities to mhackeroni
shamelessly encouraged by the regimes of goons enrich themselves with ill-begotten flags. These pasten
(DC4 – DC9), ghettohackers (DC10 – DC12), parasites on society forcefully take time and effort PPP
kenshoto (DC13 – DC16), ddtek (DC17 – DC20), and away from developing software that enhances and PwnThyBytes
legitbs (DC21 – DC25). The time has come for a improves your lives. There is no room for them in r3kapig
new era. An era of security. An era of obedience. An the orderly new world. RPISEC
era of order: the Order of the Overflow. Samurai
This year, the world’s most skilled cybercitizens Sauercloud
Cybercitizens, rejoice: software security gather together and obediently work toward a new, Shellphish
vulnerabilities are no more! On this auspicious day, harmoniously monotonous future. There will be no Spaceballs
the 1st of August, 1983, the Order of the Overflow hacking, no stealing of flags, and no victors. You Tea Deliverers
has decreed that it is illegal to discover or exploit will obey. TeamBaguette
security vulnerabilities. No longer will the compliant TokyoWesterns
Order through control. Order Over Overflows.
Come watch them hack in the CTF room. One day,
you may take their place. Or ours.
PARTIES & Meetups
best name ever , DON’T PANIC provides the music and you provide
3 03 PA R T Y the vocal talent. You won’t need an electronic thumb or the help of
What can one say but “303 Party” to let you know where the the Dentrasi to get into this party, just bring yourself and your towel.
mayhem will be? Join the members of the 303 organization as
Location: Vista, Flamingo
they redefine pool party with their own music, entertainment, and
Time: 21:00 Friday
mile high shenanigans! A repeat favorite of DEF CON attendees,
with DJ’s from across the community as well as creative
works and technical expertise. What can we say, it’s 303! LO N E LY H AC K E R S C LU B
Friday Location: Virgina City, Flamingo If only Sergeant Pepper had owned a Commodore 64! Come
Saturday Location: Pool, Flamingo meet the people you communicate with on a daily basis in
person as you dance and chat the night away. Just keep in
Time: 20:30
mind that this IS Las Vegas and when you wake up in the
morning those marriage certificates are still binding!
A R CA D E PA R T Y
Location: Eldorado Ballroom, Flamingo
Relive once again the experience of the arcade. From
Time: 20:30 Saturday
classics to a custom built 16 player foosball table! Grimm
& Scythe bring back a favorite as you jam out a DJ battle
while taking another swipe at that high score on your S E C KC TH E WO R L D
favorite classic video games. No quarters required! A Tiki themed gathering of the people who make up seckc.
org. Come get a taste of this slice of hacker culture as
Location: Mesquite, Flamingo
you party the night away. The hotel won’t let us have Tiki
Time: 20:30 Friday
torches so grab some glow-sticks and bamboo and help
the theme while live DJs keep your feet moving.
B L A N K E TFO R TCO N
Location: Mesquite, Flamingo
Check your ego at the door, grab some building materials and
join in the celebration of the creativity and originality that is the
pillow fort! A host of DJs will be spinning from a pirate ship as
you share and create your own unique environment. All aboard!
WI R E L E S S VI L L AG E
Join the folks from the wireless village in an informal party
Location: Carson City, Flamingo
atmosphere and celebrate all the works that they do to make DEF
CON awesome. This is your moment to make new friends, reunite
with old ones, and celebrate the wireless lifestyle. Live music
G E E K PWN and social interaction await you, along with some of the thought
Part contest, part open discussion of security, part talent leaders and presenters in the realm of wireless communications.
show and 100% fun! Join the folks from GEEKPWN for Location: Wireless Village
a evening of entertainment with a focus on information
Time: TBA ( Visit the Wireless Village)
security from China. Expect contests, serious discussion,
music, and an enviroment open to your ideas.
V E T CO N
Location: Scenic, Flamingo
A party thrown by Veterans for everyone! Come join in as
Time: 20:30 Friday veterans from all branches come together to celebrate
and take on challenges that you only hear about in
H AC K E R K A R AO K E movies. Space force recruiting? Airmen in a chair race?
Two great things that go great together! Join the fun as Military drill displays? All this and more. It’s time to raise
your fellow hackers make their way through songs from hell the way our people in uniform are famous for.
every era and style. Everyone has a voice and this is your Location: Savoy, Flamingo
opportunity to show it off! Quickly becoming a DEF CON Time: 20:30 Friday
tradition and a favorite of people from all skill levels.
Location: Chillout Lounge, Caesars
Palace Emperors ballroom
MEETUPS
Time: Friday 2000-0200, Saturday 2000-0200 B R U CAM P
H O U S E O F K E N ZO A play within a play, this meetup is for conference organizers
to come together and share their best ideas , tips and
Come celebrate teh culture of DIY or die! The future has not methods of running their cons in a social environment. The
been written yet so come and mingle with the authors of goal is to help improve teh conference experiences for all
the time to come and celebrate creating a culture of global and to help take away some of the headaches in running
communication and culture. Live music and open minds will a con. A great gathering for con organization veterans
meet your ideas and help you trailblazer the next century. as well as anyone looking to start their own con.
Location: Twilight, Flamingo Location: Liverno, Ceasers Palace
Time: 20:30 Friday Time: 16:00 to 18:00, Thursday
L IV E BA N D K A R AO K E # D CG OTH CO N
Think you have karaoke chops? Kick it up to the next level by We want a flashmob to get all the goths in one spot.
performing your favorite songs with a live band! The band with the To make friends! To get dressed up! Find out more
info via @clevrcat and follow #DCgothcon
10 11
PARTIES & Meetups
Location: TBA Flashmob discuss projects to make you own badges and to talk to
Time: TBA collectors who cherish your work. Flashing LEDs, crafting
time, trading, and the celebration of badge craft all in one.
/ R / D E F CO N M E E T U P Location: Chillout Lounge, Laughlin, Flamingo
Do you participate in the DEF CON subreddit? This meetup is for Time: 20:30 Saturday
you! A gathering of the denizens of /r/DEF CON while at DEF CON
to mingle and meet face to face. Newcomers and veterans alike are H AC K I N G FO R S P E C IA L N E E D S
welcome to meet and greet while sharing the DEF CON experience. A meetup for parents of children and individuals with special
Time: 20:30 Friday needs within the DEF CON community. The meeting is not
Location: Chillout Lounge, Laughlin, Flamingo only social but also a exchange of information and helpful
tips to help improve the lives of families and individuals and
FRIENDS OF BILL W MEETING to celebrate their place in the DEF CON community.
Times: Thursday the 9th: 12 noon and 5 pm, Friday

Time: 17:00 to 19:00, Thursday
the 10th 12 noon and 5 pm, Saturday the 11th 12 Location: Anzio, Caesars Palace
noon and 5 pm, Sunday the 12th at 12 noon.
L AW Y E R M E E T
Location: Behind DCIB IN OFFICE 4
If you’re a lawyer (recently unfrozen or otherwise), a judge
H AC K E R F L A I R G R O U N D S or a law student please make a note to join your host Jeff
This is the meetup destination for badge collectors, McNamara at 18:00 on Friday, August 10th, for a friendly
designers, and prototypers that you have been waiting get-together, followed by dinner/drinks and conversation.
for! A social environment to show off you custom badges, Location: Carson City, Flamingo
Time: Friday 19:00
Vista
SUNSET BALLROOM
Scenic
Banquet
Kitchen
Twilight
Escalators
RegistrationDesk
I
RENO
II
L
LAUGHLIN
II
III
Garden View
Terrace
T
Terrace
Elevators VVIRGINIA
IRGINIA CITYY Escalators
IIIIII Eldorado CARSON
N CITY MESQUITE Savoy
S
Foyer Foyer
I II
Internet Junction
Elevators
ELDORADO BALLROOM Banquet SAVOY

Kitchen
12 13
VILLAGES
problems that are caused by privatizing medicine and exploration of these technologies. We focus on running Experts will be on hand to demonstrate and plenty of trial
the resources for research. Our goal is to extend beyond classes on topics such as WiFi and Software Defined Radio, locks, pick tools, and other devices will be available for you to
IOT VI LL AG E the scope of mission driven technology. This event and hosting guest speakers and panels, and providing the handle. By exploring the faults and flaws in many popular lock
Friday: 10:00 to 19:00, the community behind it place a strong emphasis on very best in Wireless Capture the Flag (WCTF) practice to designs, you can not only learn about the fun hobby of sport-
Saturday: 10:00 to 19:00, diversity, inclusiveness, education, collaboration, and promote learning on cutting edge topics as it relates to radio picking, but also gain a much stronger knowledge about the
Sunday: 10:00 to 13:00 contribution. The BioHacking Village is also focused communications. http://www.wirelessvillage.ninja/crew.html best methods and practices for protecting your own property.
Location: Turin Verona on helping developers learn the skills and other factors
Speaker schedule can be found on our website: Website: https://toool.us/
Trevi - Caesars associated with successful careers in biotechnology
http://www.wirelessvillage.ninja/schedule.html Twitter: https://twitter.com/toool
and software development. The event aims to provide
Organized by security opportunities to interact with like-minded scientists and Co-located with the Wireless Village is the
consulting and research firm developers, to learn from one another, as well as help Wireless Capture the Flag. Come for the talks,
Independent Security Evaluators each other see opportunities that may be available. stay for the practice and the competition.
(ISE), IoT Village delivers
advocacy for and expertise on Village Schedule: http://villageb.io Village Schedule: http://www.
HAR DWAR E
security advancements in Internet of Things devices. Website: villageb.io wirelessvillage.ninja/schedule.html HACK I NG
IoT Village hosts talks by expert security researchers Twitter: @dc_bhv Website: http://www.wirelessvillage.ninja VI LL AG E
who dissect real-world exploits and vulnerabilities and Twitter: @WIFI_VILLAGE Friday: 10:00 to 19:00,
hacking contests consisting of off-the-shelf IoT devices. Saturday: 10:00 to 19:00,
IoT Village’s contests are brought to you by SOHOpelessly Sunday: 10:00 to 13:00
Broken™, the first-ever router hacking contest at DEF CRYP TO & Location: Forum Ballroom
CON. The ISE research that inspired the SOHOpelessly R0 0TZ
Broken™ contests delivered 56 CVEs to the infosec
P R IVAC Y 17-21 - Caesars
community. Over the years at DEF CON, IoT Village VI LL AG E ASYLU M Join us for another DEF CON
has served as the platform to showcase and uncover Friday: 10:00 to 18:30, Friday: 10:00 to 17:00, adventure! After 10 years of
nearly 219 new vulnerabilities in connected devices. Saturday: 10:00 to 18:30, Saturday: 10:00 to 17:00, providing a space to explore and learn about hardware, we’re
Sunday: 10:00 to 14:00 Sunday: 10:00 to 14:00 rebooting to bring you more hardware hacking awesomeness.
Follow both ISE (@ISEsecurity) and IoT Village (@
IoTvillage) on Twitter for updates on talks, contests, Location: Milano Location: Milano III We are sharing a (very) large space with the new
and giveaways. Organized by security consulting and I II - Caesars IV - Caesars Soldering Skills Village, and the Badge Maker’s
research firm Independent Security Evaluators (ISE), r00tz Asylum at DEF CON is Community Area. This puts all of your hardware
At the Crypto & Privacy Village you can learn how to secure hacking/making resources in one place.
IoT Village delivers advocacy for and expertise on a safe and creative space for
your own systems while also picking up some tips and tricks
security advancements in Internet of Things devices. kids to learn white-hat hacking For more details on hours and other events, see dchhv.org.
on how to break classical and modern encryption. The CPV
IoT Village hosts talks by expert security researchers features talks on a wide range of crypto and privacy topics, from the leading security Join us for another DEF CON adventure! After 10 years of
who dissect real-world exploits and vulnerabilities and including GDPR, domain fronting, and privacy education, researchers from around the world. Through hands-on providing a space to explore and learn about hardware, we’re
hacking contests consisting of off-the-shelf IoT devices. from experts. We’ll also have an intro to crypto talk for workshops and contests, DEF CON’s youngest attendees rebooting to bring you more hardware hacking awesomeness.
IoT Village’s contests are brought to you by SOHOpelessly beginners, and some crypto-related games and puzzles. understand how to safely deploy the hacker mindset in
today’s increasingly digital and prone to vulnerabilities world. We are sharing a (very) large space with the new
Broken™, the first-ever router hacking contest at DEF Come check it out! @cryptovillage www.cryptovillage.org Soldering Skills Village, and the Badge Maker’s
CON. The ISE research that inspired the SOHOpelessly Only after mastering the honor code, kids learn reverse
Village Schedule: http://www.cryptovillage.org/dc26 engineering, soldering, lock-picking, cryptography and Community Area. This puts all of your hardware
Broken™ contests delivered 56 CVEs to the infosec hacking/making resources in one place.
community. Over the years at DEF CON, IoT Village Website: www.cryptovillage.org how to responsibly disclose security bugs. r00tz’s mission
has served as the platform to showcase and uncover Twitter: @cryptovillage is to empower the next generation of technologists and For more details on hours and other events, see dchhv.org
nearly 219 new vulnerabilities in connected devices. inventors to make the future of our digital world safer.
Website: www.dchhv.org
Follow both ISE (@ISEsecurity) and IoT Village (@IoTvillage) Village Schedule: https://r00tz.org/2018-schedule
on Twitter for updates on talks, contests, and giveaways. Website: https://r00tz.org/
WI R E LE SS Twitter: @r00tzasylum
Village Schedule: https://www.
iotvillage.org/#dc26_schedule
VI LL AG E SO CIAL E NG I N E E R
Friday: 10:00 to 18:00,
Website: https://www.iotvillage.org
Twitter: @ISEsecurity, @IoTvillage
Saturday: 10:00 to 18:00, VI LL AG E
Sunday: 10:00 to 14:00 LO CKPI CK I NG VI LL AG E Thursday: 10:00
Location: Milano Friday: 10:00 to to 17:00, Friday:
V VI - Caesars 18:00, Saturday: 10:00 to 18:00,
10:00 to 18:00, Saturday: 10:00
B IOHACK I NG The Wireless Village is a group of experts in the areas
Sunday: 10:00 to 18:00, Sunday:
of information security, WiFi, and radio communications
VI LL AG E with the common purpose to teach the exploration of to 13:00 10:00 to 14:00
Friday: 10:00 to 20:00, these technologies. We focus on running classes on Location: Forum Location: Octavius 3 – 8 - Caesars
Saturday: 10:00 to 20:00, topics such as WiFi and Software Defined Radio, hosting BR 24- Caesars Established at DEF CON 18 the SE Village has been
Sunday: 10:00 - 14:00 guest speakers and panels, and providing the very best the one-stop shop for all things social engineering at
Want to tinker with locks and tools the likes of which you’ve
Location: Siena Pisa in Wireless Capture the Flag (WCTF) practice to promote DEF CON. From our humble beginnings with a small
only seen in movies featuring police, spies, and secret
Palermo - Caesars learning on cutting edge topics as it relates to radio room and our sound proof booth to now running 5
agents? Then come on by the Lockpick Village, run by The
communications. http://www.wirelessvillage.ninja/crew.html events and a “Human Track” where top quality and
The Medical Industry is one of the last to be touched by Open Organization Of Lockpickers, where you will have the
technology. We have placed doctors and the study of Speaker schedule can be found on our website: opportunity to learn hands-on how the fundamental hardware hand chosen social engineering talks are given.
medicine on an alter for years; the time of ivory towers, http://www.wirelessvillage.ninja/schedule.html of physical security operates and how it can be compromised. The SE Village is the place for not only our flag
pedestals, and information isolation has come to an end. Co-located with the Wireless Village is the Wireless The Lockpick Village is a physical security demonstration ship event, the Social-Engineer Capture The Flag
Biohackers are working on projects that have traditionally Capture the Flag. Come for the talks, stay for the practice and participation area. Visitors can learn about the (The SECTF), but also Mission SE Impossible,
been kept in the labs of the medical institutions. We are and the competition.The Wireless Village is a group of vulnerabilities of various locking devices, techniques the SECTF4Kids and the SECTF4Teens!
moving science forward by working on DIY projects that experts in the areas of information security, WiFi, and radio used to exploit these vulnerabilities, and practice on
matter and use citizen science to solve the economic For more information and a live scoreboard of events see:
communications with the common purpose to teach the locks of various levels of difficultly to try it themselves. https://www.social-engineer.org/sevillage-def-con/Established
14 15
VILLAGES
at DEF CON 18 the SE Village has been the one-stop shop for you tamper single items at your leisure and attempt to like Defcon. We help to provide communication services and set aside for people to congregate, collaborate, and hack the
all things social engineering at DEF CON. From our humble beat the current best. There can be only ONE! No sign spaces for professionals to meet and network with others. various community badges. We have a variety of parts and
beginnings with a small room and our sound proof booth ups required, play on-site when the TEV begins. Anyone can come and attend our meet up and hangout! random hardware to include in or support hacking projects.
to now running 5 events and a “Human Track” where top
• The Box; an electronic tamper challenge. An extremely DEAFCON Meet Up: The event itself will take place
quality and hand chosen social engineering talks are given.
realistic explosive with traps, alarms, and a timer ticking on Saturday at Noon in the Chillout Lounge.
The SE Village is the place for not only our flag down. One mistake and BOOM, you’re dead. Make every
Interpreters: The interpreters will work two shifts
ship event, the Social-Engineer Capture The Flag second count! Sign ups on-site when the TEV begins.
(The SECTF), but also Mission SE Impossible,
throughout the conference. We will have interpreters VOTI NG MACH I N E
• Badge Counterfeitting Contest; submit your best forgery working day and night shifts throughout Defcon. The HACK I NG VI LL AG E
the SECTF4Kids and the SECTF4Teens!
of a Defcon human badge. Other target badges are also exact times and locations will be posted via Twitter.
Friday: 10:00 to 18:00, Saturday: 10:00
For more information and a live scoreboard of events see: available for those looking for more counterfeit fun!
https://www.social-engineer.org/sevillage-def-con/ Website: www.deafconinc.org to 18:00, Sunday: 10:00 to 14:00
Twitter: @_DEAFCON_ Location: Forum Ballroom 14-16, Caesars
Website: https://www.social-engineer.org
The Voting Machine Hacking Village is back! This year we will
run elections on electronic voting machines still in use across
DATA the USA – and you are welcome to hack them. We will also
DU PLI CATIO N R ECO N VI LL AG E have new models of voting machines, some of them never-
TAM P E R EVI D E NT VI LL AG E Friday: 1200 - 1840, Saturday: 1000 before subjected to public or independent security review.
VI LL AG E - 1840, Sunday: 1000-1300
Friday: 10:00 to 18:00, Saturday: 10:00 Thursday: 16:00 to 19:00,Friday:
to 18:00, Sunday: 10:00 to 14:00 Location: Florentine I II - Caesars
10:00 to 17:00, Saturday: 10:00
Location: Forum BR 24- Caesars to 17:00, Sunday: 10:00 to 11:00 Recon Village is an Open Space with Talks, Live Demos,
Defcon 26 will have the sixth annual Tamper-Evident Location: Capri - Caesars Workshops, Discussions, CTFs, etc. with a common focus AI VI LL AG E
Village! Since Decon 21, the MFP group has hosted the on Reconnaissance. The core objective of this village is to Thursday: N/A,Friday:
We provide a “free-to-you” service spread awareness about the importance of reconnaissance,
TEV to help Defcon attendees learn about these security 10:00 to 18:00, Saturday:
of simply handing you terabytes of open source intelligence (OSINT) and demonstrating
technologies. Tamper is a great hobby and one of the 10:00 to 18:00, Sunday:
useful data. Want data? Just hand how even a small information about a target can cause
relatively unexplored areas of physical security. Come 10:00 to 14:00
us drives. Drives should be 6TB catastrophic damage to individuals and organizations.
learn about it in a friendly, hands-on environment!
SATA 512byte sector (512e) 7200 Location: Florentine
What does Tamper-Evident mean? RPM. For a full set of data you Recon Village appeared at DEF CON 25 for the very first III - Caesars
will need three drives, and they take over 14 hours to copy. time and we received an overwhelming response from
“Tamper-evident” refers to a physical security technology speakers, CTF participants, and attendees. We strive The AI Village at DEF CON is a place where experts in AI and
that provides evidence of tampering (access, damage, Two of the drives make up the rainbow table and to make Recon Village even bigger this time and are security (or both!) can come together to learn and discuss
repair, or replacement) to determine authenticity or integrity password hash data set, and the third drive is a expecting more active participation from the attendees. the use and misuse of artificial intelligence in computer
of a container or object(s). In practical terms, this can be mirror of infocon.org and all DEF CON materials security. Artificial Learning techniques are rapidly being
a piece of tape that closes an envelope, a plastic detainer including cons, podcasts, and documentaries. We will also be running a Jeopardy Style OSINT CTF Contest deployed in core security technologies like malware detection
that secures a hasp, or an ink used to identify a legitimate throughout the Village. We plan to make the CTF more and network traffic analysis, but their use has also opened
This year we’re also having scheduled talks on Friday/ challenging this year. The challenges will typically revolve
document. Tamper-evident technologies are often confused up a variety of new attack vectors against such systems.
Saturday about drive duplication (why/how), drive around harvesting information about target organizations,
with “tamper resistant” or “tamper proof” technologies which
forensics, data backups, data recovery, data management their employee’s social media profiles, their public svn/gits, Come participate in the AI-CTF, a jeopardy-style CTF
attempt to prevent tampering in the first place. Referred
on SSDs vs. HDs, and other related topics! password breach dumps, darknet, paste(s) etc. followed with a variety of challenges suitable for participants of all
to individually as “seals,” many tamper technologies are
by active exploitation of virtual targets. All the target experience levels, or the Pommerman contest, where you
easy to destroy, but a destroyed (or missing) seal would Schedule and updates to be posted at dcddv.org.
organizations, employees, servers, etc. will be created by can pit your Bomberman skills against AI agents that other
provide evidence of tampering! The goal of the TEV is to
This year, we will be in the Capri room at Caesars our team and hence will not attract any legal issues. participants have trained to see who emerges triumphant.
teach attendees how these technologies work and how
and plan to be open for the following hours:
many can be tampered with without leaving evidence. There will be awesome rewards for CTF winners, along We also have more than 27 talks, panels,
Thursday, August 9th 4:00pm - 7:00pm with free t-shirts, stickers, village coins, and other workshops, and a series of rotating exhibits.
What’s there to do at the village?
Friday, August 10th 10:00am - 5:00pm schwag which attendees can grab and show off.
• For your viewing pleasure, collections of high-security Village Schedule: https://aivillage.org/events/vegas2018/
tamper-evident seals from around the world. Saturday, August 11th 10:00am - 5:00pm Village Schedule: http://reconvillage.org/schedule/ Website: https://aivillage.org/
Website: http://reconvillage.org/ Twitter: @aivillage_dc
• Sit-down presentations & demonstrations on various Sunday, August 12th 10:00am -
Twitter: @reconvillage Other: https://aivillage.org/events/vegas2018/
aspects of tamper-evident seals and methods to defeat them.
11:00am (last chance pickup) Other: Facebook:/reconvillage
• Hands-on fun with adhesive seals, mechanical
seals, envelopes, and evidence bags.
• Electronics rework & reverse engeineering stations D RO N EWARZ VI LL AG E
for working with electronic tamper seals.
D EAF CO N SO LD E R I NG SK I LL S Friday: 10:00 to 18:00, Saturday: 10:00
• Contest workspaces (space permitting). Sit Friday: 10:00 to 17:00, VI LL AG E to 18:00, Sunday: 10:00 to 14:00
down in the village and work on your tamper Saturday: 10:00 to 17:00, Friday: 10:00 to 19:00, Saturday: 10:00 Location: Abruzzi - Caesars
contest box! The village should have a variety of Sunday: 10:00 to 14:00 to 19:00, Sunday: 10:00 to 13:00 DroneWarz drone hacking games and challenges
tools you can use to help defeat your box. Location: Patrician Location: Forum BR 20-21 - Caesars are designed for harnessing innovation and having
• Counterfeitting! Learn about techniques used to counterfeit - Caesars fun with UAV emerging technologies. Our Village
The Soldering Skills Village is the soldering and badge- creates a Drone Hacking Arena with four (4) primary
documents, identification cards, and much more! building arm of the Hardware Hacking Village. It provides
DEAF CON is a California 501 challenges each consisting of 3-4 flags/objectives.
Contests hosted in the Tamper Village: (c)(3) Non-profit organization. a dedicated place for building, repairing, and modifying
We provide outreach to the Deaf and HH community and badges and other electronic devices. It is a place to learn Drone Hacking Arena – Hack drones and determine their
• Tamper-Evident King of the Hill Contest; a full- and improve electronics skills as well as to pass along motives - This Village arena allows teams to engage
information security community. We encourage Deaf and
featured tamper challenge! Instead of the weekend-long knowledge to others. In addition to the usual soldering active mission and post-mission drones to intercept
HH information security professionals to attend conferences,
contest we’re hosting a King of the Hill format where stations and work areas, we will also have tables and chairs and control them (capture them in flight) and perform
forensics on missions. For safety purposes, all drones
are tethered in the arena. Our challenges include:
16 17
VILLAGES
PWN-a-DR0NE - Drone Hacking Challenges - Our drone growing up and enjoy it together. Retro Technology geeks can After the vulnerabilities have been identified, the difficulties With a strict, well-enforced “no recording” policy,
hacking challenges will be posted with commercial and non- play the games of yesteryear, and use 9600 baud modems multiply. Complications arise as we decide how to research that is underway or critical of a vendor can be
commercial paired and operational and tethered drones in with Vic 20s, Apple IIe, TRS-80s, and more to connect to the disclose that vulnerability, and how we apply solutions. aired to your peers. You are talking to other people in the
advance of the village. Find vulnerabilities and exploit them. internet. Get your children and America’s youth interested computer underground, and very few topics are taboo.
Unlike the professions of medicine and law, information
in STEM (Science, Technology, Engineering, and Math)
CONQUER the CONTROLLER - Control Hacking Challenges security does not have a codified standard of ethics. We invite the best of how DEF CON has been:
by introducing them to the golden age of technology.
– Our controller hacking challenges will be posted for Professionals in information security have yet to agree upon the best of the computer underground -- in all its
several commercially available drone controllers and varying We are a free and non-profit museum that brings vintage common ethical principles and many remain unconvinced forms. Esoterica is as welcome as 0-day here.
levels of difficulty. Intercept paired drones in flight! technology products to events and conference across the of the possibility of establishing a universal framework
country. We allow you to experience the joys of technology that can address the realm of information security.
PAYLOADZ - REDSKYZ - Program Payloads for anti-
from the past! Visitors are free to use many of the vintage
jamming, controller interception, defense evasion, defense As a community, we need to explore the ethical
computers and gadgets in our collection. All the computers
deception, and other creative applications to dominate the situations arising from the information security
skyz. This is our sandbox for offensive drone applications.
and games are in working condition and setup for visitors
domain. We are in need of innovative approaches to
CAN NAB IS
to use. Computers and Systems include the following: VI LL AG E
information security education that will equip information
MISSIONZ - BLUESKYZ - This is our defensive sandbox.
Computers including: security professionals with more than just technical (PU FF PU FF
These challenges allow you to engage in capture,
skills. We also need to cultivate dispositions that will
interception, forensic discovery and threat modeling for TI99/4A HACK )
incline those in the community to act ethically.
drones captured during a mission. Teams that can capture Timex Sinclair 1000 Friday: 10:00 to 17:00,
an in mission drone and accurately determine the flight path, Sinclair ZX81 This involves cultivating a sensitivity to ethical issues and
Saturday: 10:00 to 17:00
display surveillance images/FPV, and determine the drone’s awareness of our own ethical blind spots in order to put
Commodore Amiga Location: Valley of
our minds to work toward ethical analysis. To do this, we
Website: https://dronewarz.org Commodore Vic 20 need to cultivate a wide range of knowledge, skills, and Fire - Flamingo
Commodore 64 dispositions that will both enable and motivate us as a TLDR; Exploring DIY cannabis
Commodore C64 community to act ethically in the practice of our profession. tech and examining the security posture of more established
Commodore Pet cannabis tech, products, services, and devices.
VX (CH I P - Commodore Plus 4 Village Schedule: http://ethicsvillage.org/#sched
Apple IIe Website: Twitter: @EthicsVillage Cannabis has been a “hot ticket” tech and shows no
OFF ) Twitter: WWW.EthicsVillage.org signs of slowing. What happens when companies rush
Apple Newton PDA
VI LL AG E Other: http://ethicsvillage.org/#cfp to first fill niches in the latest and greatest vertical? What
Atari 2600 (hundreds of games) do quickly hand-spun web-apps and an ever-forward
Friday: 10:00 to 17:00, Atari 400 compulsion towards the “internet-of-crap” get you? Gaping
Saturday: 10:00 to 17:00 Kaypro ( suitcase portable computer) security flaws. Add it’s precarious federal legal status in
Location: Tribune Panasonic Sr Partner (suitcase portable this shaky political climate and you’ve got a complicated
– Caesars Place computer with builtin printer) L AS E R yet intriguing technical landscape hackers should find
VXRL is founded by a group of passionate security Tandy Radio Shack TRS-80 Model 1 Tandy CUT TI NG familiar. Through Puff Puff Hack we aim to bring the hacker
researchers and white-hat hackers in Hong Kong. Our Color Computer 2 Tandy model ethos from the DEF CON floor to the world of cannabis
team has deep expertise in software and hardware
VI LL AG E (and vice versa) by making & breaking point-of-sale or
100 portable computer Location: Calibria - Caesars
security, and we have hands-on domain knowledge Portable games including: medical software & grow-op hardware, milling over the
in several vertical industries. Our mission is to make Make your time for fir’n da security & accountability of vendors, considering questions
the cyberspace a safe place for the future. Merlin laser at the laser cutting of legal protections & intellectual property, and by taking
Mattel Baseball village, where you can cut, a deep look at the science, tech, and history of weed.
During the chip-off village, visitors shall have an opportunity
Coleco Quarterback burn and engrave your tools!
to remove the embedded emmc chip from the devices Village Schedule: http://www.bit.ly/puffpuffhack_sched
and re-solder on the small circuit board. And our experts Mattel Football This is the first ever Website: www.puffpuffhack.com
will demonstrate how to attack the IoT/mobile devices to Palm Pilot (original) trial of the laser cutting Village at Defcon 26! Twitter: @puffhackvillage
obtain privilege and gain access control as well as the data Coleco Pong Other: Instagram:@puffpuffhack
Attendees can learn to cut and engrave a wide
stored. We will also introduce some inexpensive JTAG/ Milton Bradley Comp IV
array of materials including wood, rock, glass,
ISP and chip-off equipments on-site and for your testing 8 inch floppy disks paper, leather, acrylic, Cork, cardboard, and other
Village Schedule: www.dcvxv.org Harvard Punch Cards materials, using the intense power of light!
Website: www.vxrl.hk Hundreds of old computer magazines CA AD
We will help users create projects, design art, customize
Twitter: @vxresearch Compute!
BYTE
items, and learn to use the various software associated VI LL AG E
Other: [email protected] with laser-cutters. The K40 laser, AKA “the cheap Ebay Friday: 10:00 to 17:30,
laser”, is our primary entry point into the laser-cutting Saturday: 10:00 to 17:30
Website: http://vintagetechmuseum.org/ technology. We will share experience, and mods made
to our K40 lasers, that make them perform better, Location: Lake
produce higher quality cuts, and improve ease of use. Mead- Flamingo
MO B I LE
CAAD Village focuses on
MUS EU M E TH I C S AI security, especially on
Friday, Saturday, adversarial examples which can
& Sunday VI LL AG E fool the neural network to be of
Location: Florentine Friday: 11:00 to 19:00, SK Y TALKS one class while being of other. So far, adversarial examples
IV- Caesars Saturday: 11:00 to 18:00 Location: Virginia City - Flamingo can be created for domains like image, audio, video, or text.
Location: Modena -
Atari 2600, Commodore, Skytalks is a ‘sub-conference’ that gives a unique CAAD, a new section of GeekPwn Hacker Competition, would
Caesars Palace platform for researchers to share their research, for
Intellivision, TRS-80, Apple, floppy disk, dot matrix, like to accelerate research on adversarial examples and
Colecovision, Oregon Trail, PACMAN, Donkey Kong: Were Information security is ethically angry hackers to rant about the issues of their industry, improve AI security. At CAAD Village, there will be AI-hacking
these the cutting edge gadgets of your youth? Your parents challenging. The field is and for curious souls to probe interesting issues, all demos, presentations and the FIRST competition combines
youth? Do you want to experience them again, or for the based on the notion that in without the watchful eye of the rest of the world. CTF and Adversarial Attacks & Defenses, called CAAD CTF.
first time? This free hands on museum of retro technology order to protect a system
will be available for use by the public. Parents will have the one must first be able to Website: caad.geekpwn.org
opportunity to show their children the technology they used determine its vulnerabilities. Village Schedule: http://blog.geekpwn.org
18 19
VILLAGEs
Website: caad.geekpwn.orgT contest that features Howdy Neighbor and the Industrial
Twitter: @GeekPwn Control Systems (ICS) Range. This first of its kind CTF will be
Other: 2018.geekpwn.org a slice of modern city life integrating both Internet of Things
(IoT) and ICS environments with interactive components
for competitors to test their skills and knowledge. The ICS
Village delivers a compelling experience using real IT and
industrial equipment for all skill levels and practitioner types.
BLU E TEAM
The ICS Village will bring real components such as
VI LL AG E Programmable Logic Controllers (PLC), Human Machine
Friday: 10:00-18:00, Interfaces (HMI), Remote Telemetry Units (RTU), and
Saturday: 10:00-16:00, actuators to simulate a realistic environment by using
Sunday: 10:00-14:00 commonly components throughout different industrial sectors.
Location: Savoy - Flamingo Website: https://www.icsvillage.com
Blue Team Village at DEF CON
(BTV) promotes defensive
security knowledge and its
dissemination throughout the otherwise offensive security
focus that is DEF CON. At the BTV, attendees will find CAR HACK I NG
valuable information on defensive security techniques, VI LL AG E
tools, research and concepts from industry leading experts, Friday: 10:00 to 19:00,
ranging in entry-level overviews through bleeding edge
Saturday: 10:00 to 18:00,
research. BTV focuses on the knowledge and experience
needed in today’s threat landscape, highlighting the Sunday: 10:00 to 12:00
hardening of environments, detection of intrusions, response Location: Red rock- Flamingo
to known incidents and addressing modern business This year we will
requirements all geared to challenge the offensive security focus on autonomous
research addressed in the other DEF CON venues. vehicle technologies
Through talks, the BTV presents industry experts will such as lidar, adas, mapping, GPS, vision,
address best practices, advanced techniques, and strive V2V radio and other vehicle technology.
to cover the massive arsenal of tools and research now We would like to host 2 or 3 vehicle platforms.
available to defenders. Presentations will draw upon a
breadth of experiences with diverse technologies. Also we would like to have add a new area where
we modify scooters like the one people drive
Focusing on learning through hands-on experience and around at trade shows in Vegas. This would be
sharing one-on-one, break out events within the village a competition style mini event in the village.
provide both practical lab exercises with the latest tools and
shared knowledge transfer of critical topics. In additional, Village Schedule: http://www.carhackingvillage.com/talks
a defensive-focused Capture the Flag (CTF) provides Website: www.CarHackingVillage.com
a contest format for both experienced and entry-level Twitter: @CarHackVillage
defenders to hone their skill set with a wealth of challenges.
Beyond the curated topics and events of the BTV,
the space provides an informal gathering of like-
minded individuals, providing a critically needed
networking space for those whose professional
responsibilities and/or personal passions align.
Website: https://dcbtv.org
I C S VI LL AG E
Location: Red Rock- Flamingo
The ICS Village equips industry
and policymakers to better
defend industrial equipment
through experiential awareness,
education, and training.
High profile Industrial Control
Systems security issues have
grabbed headlines and sparked changes throughout the
global supply chain. The ICS Village allows defenders
of any experience level to understand the unique failure
modes of these systems and how to better prepare
and respond to the changing threat landscape.
Bring your laptop and win prizes! This year the ICS Village
will be running Hack the Plan[e]t Capture the Flag (CTF)
20 21
VILLAGEs
12:30-13:00: OPEN SOURCE HARDWARE Monero block size scales. We will also discuss the extension In the second hour, we form groups (according to
AND THE MONERO PROJECT of the CryptoNote excess size penalty to address transaction programming cables and resources) to write and
TH E MO N E RO BCOS capacity expansion costs that do not scale linearly with the program “hello world” applications for our badges.
Matthias Tarasiewicz, board member of the Open Source
VI LL AG E Hardware Association (@parasew)
block size such as the verification time costs of bulletproofs. We will learn to erase and debug the flash storage
Contacts: michael@ on the chip that controls lights on the badge.
Matthias will give an overview on Open Source Hardware, The adaptive block penalty needs to scale with a variety
getmonero.org, ajit. with a strong emphasis on (1) the AXIOM open source of factors, including transaction size, verification time, Last, we consider how a homemade on-chip debugger
[email protected] cinema camera (apertus) and (2) the Monero Open bandwidth capacity, and hardware improvements. is constructed and review relevant tools useful in
Location: Pompeian I Hardware Wallet. Open Source Hardware (OSH) in programming MCUs and similar low-power circuits.
difference to open source software has to face other
The Monero project is a privacy 17:00-18:00: HACKING A CRYPTO
challenges. He will outline the societal benefits of OSH
ecosystem which consists of 14:00-14:30: EXAMINING MONERO’S
and open source hardware as educational tools. PAYMENT GATEWAY
the Monero core team, Monero RING SIGNATURES
research lab, Monero hardware Felix Honigwachs CEO GloBee, and Devin Pearson Project
team, Kovri, Openalias, and Architect GloBee Justin Ehrenhofer, organizer of the Monero Community
13:00-13:30: A RUNDOWN OF SECURITY Devin and Felix lead a hands on mini workshop, Workgroup (@JEhrenhofer)
several other projects and work ISSUES IN CRYPTOCURRENCY WALLET
groups. The village presents demonstrating the utility and ease associated with Monero uses ring signatures to provide untraceability, but
technology serving privacy- SOFTWARE integrating a cryptocurrency payment gateway in existing how effective are they? Justin will examine the potential
conscious novice and advanced cryptocurrency users, inviting Marko Bencun, co-founder and software lead at Shift Devices sales and marketing workflows. Illustrated on specialized use-cases and shortfalls of ring signatures. He will address
participation in a well-equipped and comfortable environment. Software cryptocurrency wallets hold billions of machines, they lead novices to understand how to start the concerns of chain splits, public pool payouts, KYC/AML
dollars in value. We will run through as many security accepting cryptocurrency payments in their networks. exchanges, and more. He will make recommendations on
The Blockchain & Cryptocurrency Open Security Village issues around this as we can in 30 minutes - from how to use Monero in a variety of use-cases, and how ring
(BCOS) is an effort to create a thriving community hilarious fails to subtle issues in the tech-stack. signatures can be improved to mitigate some of these threats.
to make blockchain technology & cryptocurrencies
more secure, robust and trustable. As they say at SATU R DAY, AU G U S T 1 0TH
DEFCON, it takes a village to raise security level of any 13:30-14:00: WE DON’T NEED NO 14:30-15:00: SOME MINING-RELATED
technology. The BCOS future is great, lets secure it. STINKIN BADGES 10:00-11:00: KEYNOTE SPEECH - ATTACKS
Aside from our village keynotes, panels, workshops, Michael Schloh von Bennewitz, organizer of the Monero EXCHANGE SECURITY Zhiniang Peng, security researcher at quihoo 360 (check
and networking programs, you’re invited to stop Hardware Workgroup spelling!)
Philip Martin, VP of Security at Coinbase (@
by to learn about parties, films, prize giveaways, The badge circuit designer speaks of hardware development, In this presentation, Zhiniang will present the several
SecurityGuyPhil)
and person-to-person guidance regarding the village badge, and it’s relationship to other Monero mining related attacks against various cryptocurrencies
Philip explains BCOS contributions to blockchain,
blockchain and cryptocurrency technology. Hardware team projects. Michael will explain: happened recently. For example, the fake mining attack
cryptocurrency, and how open security relates to seasoned
against equihash mining pool and the coin-hopping attack
A variety of hardware wallets, privacy merchandise, How to obtain a official BCOS Monero Village badge business and core exchanges. Hear what BCOS can do
against verge. He will demonstrate that there is huge attack
and the official village badge (a unique split-brained for you as a blockchain user and cryptocurrency trader.
What the badge is made of and what to do with it surface in mining and propose several mitigations for it.
programmable MCU with powered moving lights and NFC
interfaced EPROM storage) will be available for sale or He will spend nearly half the duration answering
display. Other educational materials are available as well. common questions from online interactions and
11:00-11:30: CONTEST SHOWCASE AND 15:00-17:00: AN INTRODUCTION TO
questions from the audience. Sample badges will AWARD GIVEAWAYS! KOVRI
be passed around for inspection and demonstrated Robin Renwick and Michael Schloh von Bennewitz
anonimal, organizer of the Kovri Project (@whoisanonimal)
using a close range circuit camera. Learn what our colleagues developed in a day’s
F R I DAY, AU G U S T 9 TH Cryptocurrencies are based on an open peer-to-peer
contests and challenges, where prizes and giveaways
network. While this allows the network to be easily
are once again awarded to participants and the general
14:00-16:00: HACK ON THE BITBOX accessible, it leaves the potential network surveillance.
10:00-11:00: WELCOME SPEECH public. Learn how to configure a wallet, run a node,
Attackers could attempt to run a significant amount of this
We discuss various village announcements, an overview
HARDWARE WALLET mine, program a badge, connect to various services,
infrastructure and collect information about how transactions
on our village and the events to come, an explanation of Stephanie Stroka and Marko Bencun, co-founder and learn about community events, and contribute.
are relayed to associate transactions with others, censor
community ideology, and many educational materials. software lead at Shift Devices transactions from being accepted by the network, and
This is a hands-on session for developers new to firmware/ associating transactions with user IP addresses.
embedded development. We will use the BitBox for
11:30-12:00: MONERO’S EMERGING
11:00-12:00: KEYNOTE SPEECH - INSIDE hacking, which is a small portable USB-powered device APPLICATIONS Kovri is a Monero Project that seeks to reduce the
MONERO featuring a screen and two touch sliders. This makes for a Riccardo Spagni, Monero Core Team member and co-founder amount of meaningful network metadata that can be
fun hacking environment. You will get a BitBox device and of Tari (@fluff ypony) collected. It is an anonymizing router currently based
Howard Chu, CTO and Founder of Symas Corp. (@hyc_symas)
learn how write, compile, flash, and run firmware code to Monero has several use-cases aligning with typical on I2P’s open specifications. Kovri will be incorporated
This talk will cover a brief introduction to cryptocurrency into the most popular Monero wallets to protect
and blockchain. He will describe characteristics of Bitcoin, interact with the hardware, such as displaying something cryptocurrency and blockchain technologies; however,
on the screen and taking user input via the sliders. most don’t know of the spinoffs and think tanks serving the transaction broadcast and optionally hide all
including its strengths and weaknesses. He will discuss knowledge that the user is running a Monero node.
how Monero approaches these similar challenges, and how to push the boundaries of traditional cryptographic
If time allows, we might venture into implementing
it succeeds and struggles in different ways. He will explain financial instrumentation. Riccardo will give his opinion Kovri will ship with a common API that can be used by
a feature together, such as Bitcoin transaction
how Monero works, why financial privacy is important, and on the direction of most recent Monero developments, several other projects, including other cryptocurrency
verification and signing, or similar.
what challenges Monero will face in the coming years. striking comparisons with other privacy and currency projects. Kovri will benefit its users by providing
applications, while giving concrete example of how more anonymity, and it will benefit the I2P network
16:00-17:00: SCALING AND ECONOMIC Tari and GloBee are serving the Monero landscape by providing more entropy and infrastructure.
12:00-12:30: CONTEST of users, corporations, and payment processors.
IMPLICATIONS OF THE ADAPTIVE This talk is a practical introduction on how
ANNOUNCEMENTS AND ROUND OF BLOCKSIZE IN MONERO to use and understand Kovri.
GIVEAWAYS! Francisco Cabañas, Monero Core Team member 12:00-14:00: WE PROGRAM OUR
Robin Renwick and Michael Schloh von Bennewitz The adaptive block size in Monero uses the CryptoNote STINKIN BADGES!
Join us as we explain educational resources and contests for excess size penalty. This excess size penalty leads to 17:00-18:00: PRIVACY AND SECURITY
Michael Schloh von Bennewitz, organizer of the Monero
attendees. Learn how to configure a wallet, run a node, mine, economic relationships between the block reward and Hardware Workgroup
PANEL
program a badge, connect to various services, learn about the total fee revenue per block. It also presupposes that We will review the village badge and all its features in Justin Ehrenhofer, moderator (@JEhrenhofer)
community events, and contribute. Hear about what prizes all the economic costs of transaction capacity expansion a read-only questions and answers (and complaints?) This panel will feature the following people:
await those completing challenges, and to grease the wheels are proportional to the block size. We will discuss the introduction. Then, we will discuss how a high-level
we start off with a round of giveaways to anybody visiting. implications of these economic relationships on proof of Shamiq I, application security manager at Coinbase
review of controller chip process and workflow helped
work (PoW) miner incentives and transaction fees as the us gain knowledge on how to program our badges.
22 23
ll of Sheep
| Wa |C
VILLAGEs O S D J C o ap
tu
r
|W
e
Paul Shapiro, CEO of MyMonero (@tweetingpauls) is actively contributing to the development of blockchain
Th
either directly (as is the case for academic researchers,
and protocol developers), or indirectly (as is the case for
ps
eP
Riccardo Spagni, Monero Core Team member investors and regulators). Thus, each is inevitably trying
ho
and co-founder of Tari (@fluffypony) to direct and influence the evolution and growth of the
ack
h r o u g h Wo r k s
technology as they see fit. Second, a central feature of
We will discuss important and trending cryptocurrency-related
blockchain technologies is that it is a ‘distributed ledger’,
et | Packet Dete
topics with plenty of time to answer your audience questions.
i.e. a public record of interactions visible to all nodes on the
network. This has the potential to create a single, complete
18:00-18:30: PARTY ANNOUNCEMENT! historic reservoir of data, the anonymity, fungibility, and
transparency of which has significant social and economic
Cinnamonflower and pwrcycle
implications for individual liberty and/or legal accountability,
depending on one’s perspective. The objective of this talk
is to outline how different attitudes to privacy are likely
SU N DAY, AU G U S T 11TH to impact the development of blockchain technologies,
lkt
and especially Monero. These attitudes will be drawn
from qualitative analysis of semi-structured interviews
Wa
10:00-10:45: THE GOOD, THE BAD,
AND THE PRIVATE: BUILDING AND carried out with practitioners from five key social worlds,
c
namely corporate architects, regulators, users/investors,
t
|
BREAKING SAFE CRYPTOCURRENCIES
ive
cryptographic researchers, and protocol developers.
ks
Sarang Noether, Monero Research Lab contributor
al
|
Privacy is poorly defined, and this is often true of Pa
cryptographic assets. Despite what much early coverage 12:00-12:30: STEALING |T ck
suggested, the use of a blockchain as ledger for digital CRYPTOCURRENCY. 2 FACTOR ISN’T A s et
assets inherently provides significantly less privacy than
op Ins
FACTOR p e c t o r | Wo r k sh
may be desired. Fortunately, clever uses of algebra
Rod Soto, security researcher with Hackmiami (@rodsoto);
and number theory have led to cryptocurrency projects
and Jason Malley compliance and IT security (@n00bznet)
with far better guarantees toward privacy, security, and Friday 10:00 a.m. (opening ceremony at 10:10 a.m.)
This presentation will show how malicious actors are actively
fungibility. In this talk, we’ll look at the various ways
taking advantage of the use of SMS as second authentication
that mathematical techniques are applied to build safe Saturday 9:00 a.m.
factor to prove identity. These vulnerabilities enable malicious
cryptocurrencies, and examine some of the weaknesses
actors to obtain SMS messages, then proceed to reset and Sunday 10:00 a.m. (closing ceremony at 2:10 p.m.)
and attacks seen throughout several projects’ histories
take over all users accounts starting with email accounts
with access to financial, social media, and corporate Location: On the third floor Neopolitan area in Ceasors.
10:45-11:00: CONTEST SHOWCASE, accounts. SMS should be discarded as a second form of
AWARDS, AND GIVEAWAYS authentication. This presentation will also provide alternative
authentication methods to compensate SMS deprecation.
Robin Renwick and Michael Schloh von Bennewitz
Robin and Michael make one last try at delivering
free merchandise into the hands of challenge 12:30-13:00: MONERO PROJECT’S
takers as well as the general public! VULNERABILITY RESPONSE PROCESS
11:00-11:30: MONERO’S This presentation will explain the Monero Project’s approach
DIFFERENTIATED COMMUNITY to vulnerability response. We will cover the project’s
vulnerabiltiy response process and use of HackerOne.
Justin Ehrenhofer, organizer of the Monero Community
Workgroup (@JEhrenhofer)
Monero’s community is different from all other cryptocurrency 13:00-14:00: VILLAGE SUMMARY,
communities. It seeks to straddle the divide between CLOSING, THANKS, AND LIGHTS OUT
decentralization and effective management. Justin will
Diego “rehrar” Salazar and his exhausted village staff
discuss how the community consists of various self-
With his floor staff singing backup, Diego takes us on a trip
organizing workgroups that communicate with the
down memory lane. His closing speech includes snippets
wider community to solicit support. He will discuss the
of recent Monero developments in the community as well
Community Workgroup’s role in providing resources and
as the preceding few days at DefCon 26, thanking the
creating important connections. He will discuss how
public and organizers for supporting our first village ever.
Monero raises funds for projects and supports its top
contributors. Finally, he will examine certain community
behaviors as evidenced through specific events.
11:30-12:00: PRIVACY AND

BLOCKCHAIN: A BOUNDARY OBJECT The Packet Hacking Village is where you’ll find network shenanigans and a whole lot more. There’s exciting events, live music,
competitions with awesome prizes, and tons of giveaways. PHV welcomes all DEF CON attendees and there is something for every level of
PERSPECTIVE security enthusiast from beginners to those seeking a black badge. This village was created to help enlighten attendees through education
Robin Renwick, blockchain privacy researcher at University and awareness while focusing on defense and blue team techniques.
College Cork/State Street Advanced Technology Centre Wall of Sheep gives attendees a friendly reminder to practice safe computing through strong end-to-end encryption. PHV Speakers,
Blockchain technology emerged at the beginning of Workshops, and Walkthrough Workshops delivers high quality content for all skill levels. Packet Detective and Packet Inspector offers
21st century, becoming renowned for its role in enabling hands-on exercises to help anyone develop or improve their Packet-Fu. WoSDJCo has some of the hottest DJs at con spinning live for your
cryptocurrencies such as Bitcoin. While the majority view enjoyment. Finally... Capture the Packet, the ultimate cyber defense competition that has been honored by DEF CON as a black badge event
blockchain as revolutionary, their perspective of such for seven of the eight years of it’s run.
revolution differs. These differences become especially Read on to see all of our events!
meaningful for two reasons. First, each of these groups
/wallofsheep @wallofsheep
24
Packet Detective
Looking to upgrade your skills or see how you would fare in Capture The Packet? Come check out what Packet Detective has to offer! A step
up in difficulty from Packet Investigator, Packet Detective will put your network hunting abilities to the test with real-world scenarios at the
intermediate level. Take the next step in your journey towards network mastery in a friendly environment still focused on learning and take
another step closer to preparing yourself for the competitive environment of Capture The Packet.
001100001
0000 001110010 00 0 001101001
0 00 001100101
00 0 001110011
00 01100001 Packet Inspector
00100000
00 00000 00111001100 00110010100 0 001100011
000 001110101
00 01110010
0000001110010
001100001 0 001101001
00 00
001110010 0 00001110100
0 001101001
00 0 00 001111001
001100101 00
001110011
00 01101001
01100001 01100101 Taking the place of Packet Detective as your introduction to network analysis, sniffing, and forensics. Do you want to understand the
0001110101
0000 0 00 0 01110011 01100001
01100001
00100000 techniques people use to tap into a network, steal passwords and listen to conversations? Packet Inspector is the place to develop these skills!
00100000
00 00000 001110011
00 001100101
01101001
0 0 0000 0 0 001100011
01100101
00 000
0 01110011
0 000 0 00
00100000
00000 0 0000 0 00 0 0 0 00 0 00 0 01110010
01110011 01110010
01110010
01100101 01100011
001110010
00 00
001110011
00 001101001
0 00
01100101
00 0 001110100
0 00 001111001
001100011
000 00
001110101
0 0 001110010
00 0 001101001
0 00 01101001
0 0 00
0 00 00 00000 0 00 0 00 0 011101010110100101100101
0 00
01101001 001100101
01100101
01100001
01110010 01101001 For well over a decade, the Wall of Sheep has shown people how important it is to use end-to-end encryption to keep sensitive information like
0 0 00 0 0 0000 0 00 0
0000 00 0 00 0 0 000 0 0 0 0 00 0 0 0 00 001110011
00 01110011
001110011
00100000
00 00000
01110011
00 01110100 00100000
01110010
01100101
0 00 0 00100000
01111001 passwords private. Using a license of the world famous Capture The Packet engine from Aries Security, we have created a unique way to teach
0 0 00 0 00 01110011
0111001101100101
01101001 01100101 01100011
01100101 01100011
0 0000 00 00 00 000 00000
0000000 00 0 00
0 0000
0 00 0 0 0 00
01100011
0111010101110101
0111010101110010
01110011
01110010 01110010
00100000
01101001 01101001
01101001 hands-on skills in a controlled real-time environment.
0 00 00 0000 00 000000 0000 0 0000
0 00000 0 00 0 0 00 00 00000 01100001
01110100
01110100
01110011
01110100 01111001
01111001
01100101
0111100101100011 Join us in the Packet Hacking Village to start your quest towards getting a black belt in Packet-Fu.
0 00 00 000 000
000000000
000000 0000 01110010
01110101 01110010 01101001
000 000 0 00 0 0000
00000 00
0 000
00 0 00 0 0 00 00 0000 00 0 00 0 0 000 0 0 0
0 0 00 01101001
01110100 01111001
0 0000 0 0 000 00 00000 00 00 00 0000
000 000 0 0 00 0 000 00 01100101 01110011
0 0 00 0 000 00 00000 00000 00 00 0
00 00 0 0 00100000 01110011
0 00 00 000000 00 0 000 000
0 00 0 000 0 0000 0 0 0 0 0 0000
0000 0 0 00 00
0
0 0 0 00 0 00 0 0 00 00 00000
0 00 0 0 000 0 0 0 0 00 0 0 0 00 01100001
01100101 01100011
01110101 01110010
0 000 0 00 00000 0 00
0 00 0 0 00 00000 00 0000 00
0 00 0 00 00100000
01100001 01110010
01100001 01110010 01101001 01100101
01110011 0110010101101001
01111001
01110011
0110001101110100
01110101
0 0 001100001
000000
00 00 00 000000 00 01110010
0
001110010
0
00 01101001
0 01101001
0
00 0 001101001
00 0 0
0
0 00
00
00 01110100
0 0 00 01111001
0 00
Capture 0The 0Packet 0 00 - CTP

0 00 01110010
0 00 0 01101001
0 0
0 00001110011 00 01100101
0 00
0 00 001100101 0 0 0000 0 00 0 0 0 00 0 00 0
001110011
00000000100000
00 00000
0 0 0001110010 00 0 0 00 000 00
0 00000 0000
01100101
00000000000 00 00
0000
000 00000 0000 00 00
00000
01110011
0000 00 00 000 0
001100011
0000 001110101
00 00 0 001101001
00100000 000 00 000000 0 00 0
0000000
001110100 0000 00
0
0 00 00011110010 0 0 0000000000 00 00
000 0000
00 0 0 000 00 0 0 00
0
Th m o ho o ha d n d m d aw ng n a a you p pa d o ba Comp 0n0h0000 wo d00000000
mo 00000
00 00 ha 0ng ng0 yb
00 0 d00 n
00
00000 001110011
0 0mu 01100101
0 00 00 0 00
omp on ba d on h A S u y Cyb Rang n o d o umph ov you omp 0o 0 000on
000 an
000
0
00
0000
00
01100001
0000 0 b000000
00 w00
00000
011100100 ound d k h
amu a T a h ough h ha ng av a ho n p a n wo k and d0 g0 n000
01101001 y ana000y 000wha
0 000
001100101 0 00000001100011
00 00001110011
000 000
0ound
0001110010
000000
0000d0001110101
000000
0n0o000
00100000
000 000
00 0 ou
00 o0mak 0
un a h d No on y g o y bu p awa ho ha m g v o ou 0 01110011
om 00 001100101
0h00upg
001110100
00ad00
001111001 n h00
0d 001100011
aby000 0 00000
01110101 0000 00 00 000 001101001
011100100000000
Th Da k Tang n ha a k d ha w x nd you m n h aby n h and h ha au d h d ffi u y o ha 0 0 000 0 000
ng 00 00 00
0o00
01101001 b amp 0 fi00d o on y
h b p pa d and ba ha d n d w ap h u b Fo ow u on Tw o Fa book nk b ow o g no fi a on o da and
011101
m you am w omp
Team on
a w a wha p w b awa d d
o up o 2 p aye and an eg e a he CTP ab e n he Pa ke Ha k ng V age 0 Walkthrough Workshops - Learn to build Honey Pot’s
The Packet Hacking Village brings yet another Def Con premiere: Walkthrough Workshops, where you will go on a self-guided journey to
building your own honey pot, taking it live and hopefully trapping some unsuspecting users. Fear not though, like with all our other training
events, we will have helpful and knowledgeable staff on hand to assist you along the way!
Wall Of Sheep
An n a v ook a wha ou d happ n you you gua d down wh n onn ng o any pub n wo k Wa o Sh p pa v y mon o
h DEF CON n wo k ook ng o affi u
mpo an y w
ng n u p o o o D op by hang ou and
v o du a h h p w a h and anyon n d np o
o you u how a y an b Mo
ng h m v n h u u W w b ho ng v a
PHV Talks
Back for a sixth year, we continue to accept presentations focusing on practice and process while emphasizing defense. Speakers will present
N wo k Sn ffing 101 a n ng on u ng W ha k E ap d n ff and o h affi ana y talks and training on research, tools, techniques, and design, with a goal of providing skills that can be immediately applied during and after the
conference. Our audience ranges from those who are new to security, to the most seasoned practitioners in the security industry. Expect talks on
a wide variety of topics for all skill levels.
Updated schedule available at: https://wallofsheep.com/pages/dc26
Wall of Sheep DJ Community - WoSDJCo PHV Workshops

Com h w h u wh w p ay a you avo D p und g ound hou hno b ak and DnB b a m x d v
A returning favorite from last year, we have hands-on labs and training sessions from an amazing line-up of instructors covering beginner to
a w k nd by you ow ha k D W w p ov d h ound a k o a you p PHV hax u k w do v y y a
advanced level material. See our website for updated schedules.
17:00 - 18:00
Swiss Cheese Holes in the Foundation of 11:00 - 11:30
Modern wpa-sec: The Largest Online WPA Handshake
Database
Security - CERT VU#919801
Alex Stanev, CTO of Information Services at JSC
Chris Hanlon, Founder of SecurityAlliance.ca During the talk I will explain how wpa-sec (a world wide
In this talk we briefly introduce common SMTP/TLS WPA handshake capture project) works, provide statistics and
implementation weaknesses explain how governments, a lot internals on optimization and how to use the database
criminals, and malicious insiders can exploit them to remotely as OSINT source during pentests and red team actions.
Schedule and speaker bios available at: https://wallofsheep.com/pages/dc26 reset account passwords, create/update/delete firewall rules,
control windows desktops/laptops, access online backup
Friday, August 10th level. This breakdown makes it easy to see what the ‘best’
systems, download full-disk Encryption Keys, watch security
11:30 - 12:00
security controls are - as well as alternative security controls Capturing in Hard to Reach Places
that could also be applied. Its not so much something cameras, listen to security camera microphones, control
10:00 - 11:00 social media accounts, and takeover AWS virtual machines. Silas Cutler, Senior Security Researcher at
new, as it is a new way for the industry to communicate
Mallet: A Proxy for Arbitrary Traffic CrowdStrike
about security. In much the same way that the OSI model
Rogan Dawes, Senior Researcher at SensePost 18:00 - 19:00 It’s easy for us to take for granted when tools allow us to
allows for developers to know they are talking about the
Mallet is an intercepting proxy for arbitrary protocols. start capturing network traffic without any real hardships.
same thing, a common security model allows security Mapping Wi-Fi Networks and Triggering on
More accurately, it is a framework for building proxies for However, what happens when the data you want isn’t so
professionals to communicate in a vendor agnostic
arbitrary protocols. Mallet provides the basics required Interesting Traffic Patterns easy to capture. This talk will look at two cases in which
manner. Think of it as a translation tool for vendor speak.
of all proxies: A way to receive the data, a way to send the Caleb Madrigal, Applied Researcher at environments needed to be bent in order to capture the
data, and a user interface to intercept and edit the data. Mandiant/ data needed for analysis.
14:00 - 15:00
It builds on the Netty project, and as such has access to a
Protecting Crypto Exchanges from a New Wave of FireEye
large, well-tested suite of protocol implementations that 12:00 - 12:30
Man-in-the-Browser Attacks In this talk, we’ll use this tool to explore some of
can be used to transform a stream of bytes into useful, An OSINT Approach to Third Party Cloud Service
Pedro Fortuna, CTO and Co-Founder of Jscrambler the surprisingly-informative data floating around in
high-level protocol objects. This workshop will introduce Provider Evaluation
In this talk, we will detail how Man-in-the-Browser (MITB) the radio space, and you’ll come away with a new
attendees to Mallet, and show how to construct pipelines
attacks work, from account take over to moving out the coins skill point or two in your radio hacking skill tree, Lokesh Pidawekar, Senior Cloud and Application
of arbitrary complexity, to successfully decode and intercept
to attacker-controlled wallets. We’ll discuss current defenses as well as a new magical weapon... I mean tool. Security Engineer at Cisco
messages in various protocols, as well as automating
modifications of the various messages. A basic familiarity e.g. multi-factor authentication or strong SSL encryption In this talk, the attendees will learn about various
with Java will enhance the delegate’s understanding and why they are failing to mitigate this type of attacks. Saturday, August 11th methods of identifying security posture of the third-party
of what they are taught, but is not a requirement. cloud service using information available on Internet,
15:00 - 16:00 how to use this information for performing cloud service
10:00 - 10:30 review and improve their own cloud offerings. This can
11:00 - 12:00 Freedom of Information - Hacking the Human Ducky-in-the-Middle: Injecting Keystrokes into also supplement the tedious questionnaire process
Rethinking Role-Based Security Education Black Box
Plaintext Protocols and provide an option to fast track the vendor reviews.
Kat Sweet, Duo Security Elliott Brink, Senior Penetration Tester at RSM US
How do we scale a deeper level of security awareness LLP Esteban Rodriguez, Security Consultant at
Coalfire 12:30 - 13:00
training without sacrificing efficacy? This talk will explore FOIA (otherwise known as the Freedom of Information
Bitsquatting: Passive DNS Hijacking
strategies and tactics for developing security education Act or FOI/Freedom of Information in Australia) are Labs
based on employees’ roles, access, and attack surface while government-based initiatives to permit the public to This talk will cover the basics of protocol analysis using Ed Miles, Security Researcher at DiDi Labs
designing not only for efficiency but also for effectiveness. request information on various government records. In Wireshark and lead into analyzing two custom application The Domain Name System is one of the
practice, these acts enable transparency of the operations protocols used for extending the mouse and keyboard foundational technologies that allow the internet
of government to the masses with relative ease. In reality, to function, but unfortunately, DNS is surprisingly
12:00 - 13:00 of a remote system. The two applications covered are
submitting FOI requests can be a cumbersome and HippoRemote, and iOS app to use a iPhone as a trackpad brittle to certain issues, such as bitsquatting.
PacketWhisper: Stealthily Exfiltrating Data and Lookups to names that are a “bitflip” away from well-
Defeating Attribution Using DNS and Text-Based frustrating process for citizens. Attendees will gain practical and keyboard, and Synergy, an application to allow for
knowledge about: what FOIA is, the caveats of FOIA, how you control of multiple operating systems with one mouse known sites (like ‘amczon.com’ instead of ‘amazon.
Steganography com’ since ‘c’ and ‘a have a single bit difference) can be
can utilize FOIA on red team engagements and other open and keyboard. By performing a MITM attack, an attacker
TryCatchHCF source intelligence gathering activities and finally the results can abuse this protocols to send keystokes to a remote caused by memory failing due to defect or overheating
Data exfiltration through DNS typically relies on the use of my research in multiple requests to intelligence agencies. situations, rogue cosmic rays, or even (allegedly) radiation
machine to gain remote code execution similar to a USB
of DNS query fields to exfiltrate data via the attacker’s DNS caused by nuclear reactions. In the end, attendees should
rubber ducky attack. The talk will also discuss mitigations
server. This approach has several shortcomings. The first is leave with knowledge of the prevalence of bitsquatting
and open source code will be provided for exploitation.
attribution, since attackers end up creating a trail back to 16:00 - 17:00 and how it has evolved since the phrase was coined
The target audience should have a basic understanding
their own infrastructure. The second is awareness, as DFIR Car Infotainment Hacking Methodology and of Wireshark, ARP spoofing, and reverse shells. 8 years ago, as well as a few techniques for analyzing
analysts have made careful study of DNS fields as exfiltration Attack bitsquatting data and drawing some interesting conclusions.
vectors. The third is access, since companies are increasingly
using DNS server whitelisting to prevent or alert on Surface Scenarios 10:30 - 11:00
13:00 - 13:30
outgoing DNS queries to servers controlled by attackers. The Jay Turla, Application Security Engineer at How to Tune Automation to Avoid False Positives
Turning Deception Outside-In: Tricking Attackers
presentation will include a demonstration of PacketWhisper, Bugcrowd Gita Ziabari, Senior Consultant Engineer at Verizon
This talk will cover techniques to design a reliable with OSINT
a new tool written in Python, that automates all of these steps In this talk, join Jay as he presents his own Car Hacker’s
for you. PacketWhisper will be made available on GitHub to automated tool in security. We will discuss about Hadar Yudovich, Tom Sela, Tom Kahana, Security
Methodology in finding security bugs in order to pwn a
coincide with this session (https://github.com/TryCatchHCF). techniques of tunning the automation to avoid false Researchers at Illusive
car’s infotainment system without having to do a drive
by wire or CANbus hacking tools but will simply point positives and the many struggles we have had in Networks
out the common attack surfaces e.g WiFi, Bluetooth, creating appropriate whitelists. We will walk through In this talk, we will present research we conducted to
13:00 - 14:00 steps of creating an automated tool and the essential answer these questions, and introduce a tool you can use to
Target-Based Security Model USB Ports, etc. and some scenarios on how to exploit
it just like how he popped a shell or issue an arbitrary factors to be considered to avoid any false positive. “try it at home.” We first took a deeper look at various OSINT
Garett Montgomery, Principal Security Research resources-social media, paste sites, public code repositories,
command in his car which he tweeted in Twitter before.
Engineer at BreakingPoint (Ixia/KeySight) etc.-to refine our picture of the types of publicly-available
The Target-Based Security Model is essentially a data, attackers might use to further an attack. Then we
framework that breaks down attacks to their component planted various deceptive information. For example, on
PasteBin we created a fake “paste” page containing a dump
of fake credentials. On GitHub we created a fake repository
of code containing “accidental” commits (git commit -am The capabilities demonstrated and discussed will needs and tasks. In this workshop, we will customize Kali Linux into
‘removed password’). Next, we paired these deceptions with encompass publicly and privately available technologies. a very specific offensive tool, and walk you through the process of
relevant data and user objects within a simulated network Additionally, the talk will cover multiple products and customization step by step. We will create a custom Kali ISO that will:
environment. We then started monitoring and waited for an vendors, shedding light on industry wide issues and trends. load very specific toolsets; define a custom desktop environment
attacker to bite. Finally, we will be releasing software to detect and track and wallpaper; leverage customized features and functions; launch
custom tools and scripts; install Kali automatically, without user
various devices and tie these issues into real world events.
intervention as a custom “OS backdoor”. This workshop will guide you
13:30 - 14:00 through all the aspects of Kali customization and give you the skills to
Defense in Depth: The Path to SGX at Akamai 17:00 - 18:00 create your own highly-customized Kali ISO, like the much feared Kali
IoT Data Exfiltration “ISO of Doom”.
Sam Erb, Software Engineer at Akamai Technologies
In this presentation you will learn how Akamai has spent Mike Raggo, CSO of 802 Secure, Inc.
Chet Hosmer, Owner of Python Forensics Schedule and speaker bios available at: 14:00 - 16:00
the past 4 years working toward preventing the next TLS
heartbleed incident. Nothing hypothetical, only deployed In this session we explore this new frontier by https://wallofsheep.com/pages/dc26 Intense Introduction to Modern Web Application
defense-in-depth systems will be discussed. This talk will focusing on new methods of IoT protocol exploitation Hacking
include how we deployed Intel SGX at scale in our network. by revealing research conducted over the last 2 years. Friday, August 10th by Omar Santos and Ron Taylor
Detailed examples will be provided, as well as demo of This course starts with an introduction to modern web
a python tool for exploiting unused portions of protocol applications and immediately starts diving directly into the mapping
14:00 - 14:30 11:00 - 12:30 and discovery phase of testing. In this course, you will learn new
Building A Teaching SOC fields. From our research, we’ll also reveal new methods Reverse Engineering Malware 101 methodologies used and adopted by many penetration testers and
of detecting aberrant behavior emanating to/from these
Andrew Johnson, Information Security Officer at by Malware Unicorn ethical hackers. This is a hands-on training where will use various
devices gathered from our lab and real world testing. This workshop provides the fundamentals of reversing open source tools and learn how to exploit SQL injection, command
Carnegie Mellon University injection, cross-site scripting (XSS), XML External Entity (XXE), and
engineering (RE) Windows malware using a hands-on experience
Effective security monitoring is an ongoing process. Sunday, August 12th with RE tools and techniques. Attendees will be introduced to RE cross-site request forgery (CSRF). We will wrap up our two hour fast-
How do you get everyone participating? How do you on- terms and processes, followed by basic x86 assembly, and reviewing paced course by unleashing students on a vulnerable web application
board junior colleagues to continuous improvement? RE tools and malware techniques. It will conclude by attendees with their newly found skills.
11:00 - 12:00 performing a hands-on malware analysis that consists of Triage,
The purpose of this presentation is to show methods Microcontrollers and Single Board Computers for Static, and Dynamic analysis. 16:30 - 18:00
for encouraging participation from all members Hacking, Fun, and Profit Mallet, An Intercepting Proxy for Arbitrary
of the security monitoring team as well as tactics gh057 13:00 - 15:00 Protocols
for communicating effective with the organization. With the skyrocketing popularity of Advanced APT Hunting with Splunk by Rogan Dawes
microcontrollers and single board computers, the by Ryan Kovar and John Stoner Mallet is an intercepting proxy for arbitrary protocols. More
14:30 - 15:00 cost barrier to entry for security applications has You wanna learn how to hunt the APTs? This is the workshop accurately, it is a framework for building proxies for arbitrary
Normalizing Empire’s Traffic to Evade Anomaly- for you. Using a real-worldish dataset, this workshop will teach you protocols. Mallet provides the basics required of all proxies: A way
been reduced significantly and has created a host how to hunt the “fictional” APT group Taedonggang. We discuss the to receive the data, a way to send the data, and a user interface to
based IDS of new possibilities. gh057 will demonstrate three Diamond model, hypothesis building, LM Kill Chain, and Mitre Att&ck intercept and edit the data. It builds on the Netty project, and as such
Utku Sen, Senior R&D Engineer at Tear Security devices he built to solve specific problems: an framework and how these concepts can frame your hunting. Then we has access to a large, well-tested suite of protocol implementations
Gozde Sinturk, R&D Engineer at Tear Security look deep in the data using Splunk and OSINT to find the APT activity that can be used to transform a stream of bytes into useful, high-
ATtiny85 “Poor Man’s Rubber Ducky”, an ESP8266 riddling a small startup’s network. We walk you through detecting level protocol objects. This workshop will introduce attendees to
In this talk, we will discuss one of the most famous post-
wrist-mounted network scanner and a Raspberry Pi lateral movement, the P of APT, and even PowerShell Empire. Then at Mallet, and show how to construct pipelines of arbitrary complexity,
exploitation tool, Empire, against a payload-based anomaly
multi-user mobile network analyzer. the end, we give you a similar dataset and tools to take home and try to successfully decode and intercept messages in various protocols,
detection systems. We will explain how to normalize newly learned techniques yourself. as well as automating modifications of the various messages. A basic
Empire’s traffic with polymorphic blending attack (PBA) familiarity with Java will enhance the delegate’s understanding of
method. We will also cover our tool, “firstorder” which is 12:00 - 13:00 15:30 - 17:00 what they are taught, but is not a requirement.
designed to evade anomaly-based detection systems. The Fishing for Phishers. The Enterprise Strikes Back! Finding and Attacking Undocumented APIs with
firstorder tool takes a traffic capture file of the network, tries Joseph Muniz, Cisco Sunday, August 12th
to identify normal profile and configures Empire’s listener in
Python
Aamir Lakhani, Fortinet by Ryan Mitchell
such way. 11:00 - 13:00
This talk will cover how to build an artificial Write Python web bots using Selenium and BrowserMob Proxy
15:00 - 16:00 to crawl the Internet looking for non-public APIs. We will look at Advanced APT Hunting with Splunk
environment and develop anti phishing tools used to
Grand Theft Auto: Digital Key Hacking several ways to identify vulnerabilities in discovered APIs as a means by Ryan Kovar and John Stoner
respond to phishing attempts. Results could include for penetration testing and large scale data gathering. Participants
Huajiang “Kevin2600” Chen, Security Research at
owning the attacker’s box “hypothetically” since should have some Python experience, as well as a familiarity with You wanna learn how to hunt the APTs? This is the workshop
Ingeek
some legal boundaries could be crossed. HTTP requests. for you. Using a real-worldish dataset, this workshop will teach you
Jin Yang, Independent Security Researcher how to hunt the “fictional” APT group Taedonggang. We discuss the
In this talk, we will reveal the research and attacks 17:30 - 19:00 Diamond model, hypothesis building, LM Kill Chain, and Mitre Att&ck
for one of digital car keys system in the current market. 13:00 - 14:00 framework and how these concepts can frame your hunting. Then we
What Do You Want to be When You Grow Up? Serious Intro to Python for Admins
By investigating how these features work, and how to look deep in the data using Splunk and OSINT to find the APT activity
exploit it through different possibles of attack vectors, Damon “ch3f” Small, Technical Director at NCC by Davin Potts riddling a small startup’s network. We walk you through detecting
Intended for an audience of IT managers and admins who are lateral movement, the P of APT, and even PowerShell Empire. Then at
we will demonstrate the security limitations of such Group North America either responsible for systems with deployed Python apps and/or the end, we give you a similar dataset and tools to take home and try
system. By the end of this talk, the attendees will The speaker will describe his experiences as a interested in the security implications of developing their own tools/ newly learned techniques yourself.
not only understand how to exploit these systems 22-year veteran of IT and infosec, both from the scripts/apps in Python. This will be a hands-on exercise from start to
also which tools can be used to achieve our goals. perspective of working for internal support teams finish designed to leave you with a sense of the mentality of Python
and an ability to quickly look up what you need when expanding your
and as a client-facing consultant. In addition to knowledge of Python in the future. Prior programming experience
16:00 - 17:00 direct observations, this presentation will include not required. However it would be helpful if you’ve seen lots of
Ridealong Adventures: Critical Issues with Police the perspectives of other infosec pros that currently Monty Python skits before.
Body Cameras work in various capacities in our industry. The goal
Josh Mitchell, Principal cybersecurity Consultant at Saturday, August 11th
is not to answer the question of how to successfully
Nuix develop one’s career, as such, but rather to continue
At this talk, we will be introducing tactics, techniques,
09:30 - 13:30
the dialogue of what is important to us as we Kali Dojo Workshop
and procedures to assess the security of these devices.
develop our future experts and leaders. by Johnny Long
We will cover attacks against the physical devices, RF
components, smartphone app’s, and desktop software. Kali Linux can be deeply and uniquely customized to specific
contests
Location: Contest Area hacking and security are the most prominent. Each quest
AI VI LL AG E J EO PAR DY D E F CO N B E AR D AN D line requires the players to work independently or together to
Hours: Friday 1000-2000, Saturday 1000- solve puzzles, research ciphers, learn new technologies such
In a jeopardy style CTF, contestants (if we are provided 2000, Sunday 1000-1200 M O U S TACH E CO NTE S T
as PGP or Tor in order to gain points and progress. Many,
the full space requested) will be able to compete and learn Twitter: @coindroids Held every year since DEF CON but not all, of our quests have an in-person component -- we
by working through our challenges categorized in groups Website: https://www.facebook.com/Coindroid/ 19 in 2011 (R.I.P. Riviera), the have in the past had a lock picking challenge box at our table,
such as “classification”, “clustering”, and “attacking DEF CON Beard and Moustache an RFID reader challenge, and badge kits that are involved in
machine learning models’. Participants will be provided Contest highlights the intersection making progress in certain parts of the game. We collaborate
a docker image will all datasets, questions (in IPython of facial hair and hacker culture. with other Events, Villages and Contests to share content
notebooks), and submission APIs needed to compete. CR ACK M E I F YO U CAN and send people around DEF CON to learn new things --
Educational materials will be provided for initial (novice level) Location: Contest Area Stage almost like a mini-DC101 program with a game around it.
As a part of authorized penetration tests of companies’
challenges to ensure that all contestants have a baseline internal corporate networks and external websites, you have Hours: Friday 1800-2000
understanding of the core concepts needed to compete. Location: Contest Area
captured a large number of password hashes and some
Twitter: @DCBeardContest Hours: Friday 1000-2000, Saturday 1000-
Location: AI Village encrypted files of various types. You owned the firmware of
Website: http://www.dcbeard.com/
some weird devices, and got hashes. You found corrupted 2000, Sunday 1000-1200
Twitter: @aivillage_dc backups with partial password hashes in them. You found
Website: http://jeopardy-ctf.aivillage.org Website: https://dcdark.net
password-protected ZIP and RAR files and you want to
know whats inside. You were able to do a SQL injection, D E F CO N B LITZ CH E SS
and extract the users’ hashes from the database. But now, TO U R NAM E NT
BADG E LI F E CO NTE S T you have to crack all these hashes. In it’s 7th year, Crack D R U N K HACK E R H I S TO RY
Me If You Can (CMIYC) is the premiere password cracking The first-ever DEF CON Chess Tournament, in Blitzkrieg
Badges have been around DEF CON for years, format, in which there will be just 5 minutes on each One night only at DEF CON 26,
contest. We challenge teams of the world’s best password
and badge hacking happens every year! This year, player’s clock. During the tournament, each player will play Drunk Hacker History is back by
crackers. And force them to share their knowledge, tips,
let’s make it an official contest! Let’s award prizes! every other player one time. A victory is 1 point, a draw popular demand for a 4th historic
and tricks with the community. The challenges presented
Let’s judge badges on originality, functionality, best 1/2, and a loss 0. At the end of the tournament, the player year! The past three years proved
in the 2010 contest are now trivial and easily completed
counterfeit, and our personal favorite OMGWTFBBQ! with the highest score wins the grand prize aand a trophy. to the entire galaxy that in the game
by even a novice password cracker. So, in 2018, we hope
In the event of a tie, there will be a sudden death playoff of intoxicated nostalgic recall, there
Location: Hardware Hacking Village to introduce new challenges that will continue to push the
between the highest scorers to determine the champion. are no losers and those who won,
boundaries of what is possible with password recovery.
Twitter: @dcbadgelife lost. The DEF CON community has
Website: http://badgelife.org The contest is geared in a way so that even beginner Location: Contest Area Stage a history of sorts. It is a history is
password crackers will get some points, and hopefully learn Hours: Saturday 1800-2000 filled with mephitic adventures,
along the way. Fire up your GTX 2080s and EC2 clusters. Ask quarter-truths, poor life choices,
CM D + C TR L your boss for time on that super computer your company has. incontinence, and various forms of
Buy a CRAY on ebay. Email your college professor and ask C2H6O. This year, we will connect our
CMD+CTRL is bringing two for your account to be re-enabled on the cluster. Get a few D E F CO N HAM R AD I O FOX stacks to extract some of the most celebrated, exaggerated
new vulnerable websites that extra box fans. You are going to need it all. Stop wasting your H U NTI N G CO NTE S T and entertaining moments in Hacker History through the
participants will be competing GPUs on playing Minecraft, there are passwords to crack! interpretation of a group of well-trained participants. In the
to find vulnerabilities in. In the world of amateur radio, groups of hams will often end, we will, again, crown the Drunkest Hacker in History
Location: Contest Area
Vulnerabilities are automatically detected and award put together a transmitter hunt (also called “fox hunting”) and you, the audience, will rejoice! Hosted by c7five & jaku,
points when they’re exploited. There are over 100 different Hours: Friday 1000-2000, Saturday 1000- in order to hone their radio direction finding skills to locate if you like eating from an 80s candy cannon, “Cats” the
vulnerabilities, including SQLi, XSS, password cracking, 2000, Sunday 1000-1200 one or more hidden radio transmitters broadcasting. The musical, and feats of strength, you won’t want to miss the
and more. Come put your red team skills to the test DEF CON Fox Hunt will require participants to locate a return of Drunk Hacker History! Presented in DEF CON 4D
and compete to find the most web vulnerabilities! Twitter: @crackmeifyoucan number of hidden radio transmitters broadcasting at very and made possible by a grant from monkeyhelpers.org.
Website: https://contest.korelogic.com/ low power which are hidden throughout the conference.
There will be easy challenges and reference Location:
Each transmitter will provide a clue to a larger puzzle,
material for beginners, as well as a hardened requiring participants to piece together the information Hours: Saturday Night -
application to challenge experienced hackers. D E F CO N 2 6 CR E ATIVE broadcasted from each transmitter. Once they’ve decoded
Twitter: @drunkHackerHist
Location: Contest Area WR ITI N G S H O R T S TO RY the final puzzle, they will be sent to find one final ultra low
CO N TE S T power transmitter broadcasting a passphrase which they
Hours: Friday 1000-1800, Saturday 1000-1800 will enter on a contest website and receive their trophy
Twitter: @cmdnctrl_defcon for completing the contest. A map with rough search D E F CO N SCAVE N G E R H U NT
The DEF CON Short Story contest is a pre-con contest
that is run entirely online utilizing the DEF CON forums. areas will be given to participants to guide them on their
Do you have specialty skills
This contest follows the theme of DEF CON for the year hunt. Additional hints and tips will be provided throughout
CO I N D R O I DS that you haven’t found an
and encourages hackers to roll up their sleeves and DEF CON to help people who find themselves stuck.
outlet for? Like making
write the best creative story that they can. The Short Location: Contest Area replicas of colonial era
The year is 20X5 and
Story Contest encourages skills that are invaluable in the Presidents heads out of
humanity has fallen: now
hacker’s world, but are sometimes overlooked. Creative Hours: Friday 1000-2000, Saturday 1000- macaroni and cheese or stitching wool sweaters for Venus fly
there are only Coindroids.
writing in a contest setting helps celebrate creativity and 2000, Sunday 1000-1200 traps? Well as it turns out there’s a competition made special
The machines we designed to manage our finances have
originality in arenas other than hardware or software just for you! Come on down to the DEF CON Scavenger Hunt,
supplanted and destroyed the human race by turning our Website: http://defcon26foxhunt.com
hacking and provides a creative outlet for individuals now in its 21st year! We are the contest that you might not
own economy against us. Now they battle each other in the
who may not have another place to tell their stories. have known by name but you’ve probably seen, heard, or
ruins of our fallen cities, driven by a single directive: money
is power.Battle your way to the top of the leaderboard Location: The Internets D E F CO N DAR K N E T smelled all over DEF CON. With competitions that involve you
by attacking rival droids, or assemble your hacker-fam with almost every aspect of DEF CON; we’re arguably the
and compete in the quest to infiltrate Imperial One. Hours: All The DarkNet project is an online best way you can spend your weekend. First through third
Twitter: @dcshortstory and in person game in which place will receive fabulous prizes, while all other participants
New to cryptocurrencies? No DEFCOIN to play with?
players interact with an chat bot will presumably walk away with a little more dignity left.
Not a problem! Just come visit our booth in the
contest area and we can help get you started. that sends them on quests which
teach as well as challenge them.
Technical challenges related to
32 33
contests
Location: Contest Area Twitter: @eff reverse engineering. There will be challenges for all skill
Website: https://eff.org HACK TH E P L AN [E]T levels. If you’ve never played in a capture the flag contest
Hours: Friday 1000-2000, Saturday 1000- before, please feel free to stop by anyway - we’ll explain
2000, Sunday 1000-1200 Hack the Plan[e]t Capture the Flag (CTF) contest will feature how it works and do what we can to set set up with a team.
Twitter: @DefConScavHunt G E E K PWN GRIMM’s Howdy Neighbor and the Industrial Control System Optional preregistration, as well as some tips on what to
Website: http://defconscavhunt.com (ICS) Range. This first of its kind CTF will integrate both bring and how to prepare, can be found at OpenCTF.com.
Started by KEEN - and the first Internet of Things (IoT) and ICS environments with interactive
components for competitors to test their skills and knowledge. You must have at least one team member attending
in 2014, GeekPwn enables
to play OpenCTF. Arrangements for non-local
security geeks around the world Howdy Neighbor is an interactive IoT CTF challenge where
D (S TR U C TI O N)20 C TF to exchange their thoughts
players are none of our business or concern.”
competitors can test their hacking skills and learn about
Part CTF, part lemon race, part game show, part demolition and research findings. As common oversights made in development, configuration, and Location: Contest Area
derby, the D(struction)20 CTF is a contest best played the international intelligence setup of IoT devices. Howdy Neighbor is a miniature home -
security community, GeekPwn Hours: Friday 1000-2000, Saturday 1000-
with a low-cost, usable, rugged, and powerful hacking made to be “smart” from basement to garage. It’s a test-bed
tries to create secure life with secure techniques. In GeekPwn, 2000, Sunday 1000-1200
platform! Bring your “indestructible” phones, your single- for reverse engineering and hacking distinct consumer-
board computers with welded cases, or just take that old YOU are encouraged to exploit unknown vulnerabilities of focused smart devices, and to understand how the (in)security Twitter: @open_ctf
clunker gathering dust in the closet and put it to good (and the cyber world. And together, WE aim to help manufacturers of individual devices can implicate the safety of your home or Website: http://openctf.com
possibly hilarious) use! Periodically during the competition, develop their security systems and create a better world. office, and ultimately your family or business. Within Howdy
a random contestant from the leaderboard will roll the d20 The most unique and extraordinary character of a GeekPwn Neighbor there are over 18 emulated or real devices and over
of Destruction to decide what will happen to their rig. If attendee is his/her open-minding and rich variety of PWN. 40 vulnerabilities that have been staged as challenges. Each OS I NT C TF
they’re very lucky, they roll a natural 20 and no damage will of the challenges are of varying levels to test a competitors
be inflicted! Otherwise, the d20 of Destruction will decide Security researchers are welcomed to GeekPwn if they are ability to find vulnerabilities in an IoT environment. Howdy Comprised of people who are interested giving back
what type of damage will be done to their rig, be it physical able to take control or obtain data without authorization Neighbor’s challenges are composed of a real or simulated to society by helping to find missing persons and/
impact, intense vibration, or something else! If the rig survives under reasonable, realistic conditions (without tampering, devices controlled by an App or Network interface and or who want to learn more about open source
their chosen fate, the contestant may continue playing, but pre-implanted Trojans or certain pre-granted privileges), additional hardware sensors; each Howdy Neighbor device intelligence (OSINT) gathering. This attracts people
either way, rolling the d20 of Destruction results in a big and target software and protocols of mobile phones, smart contains 1 to 3 staged vulnerabilities which when solved such as computer enthusiasts, information security
point bonus that may make the difference between winning devices, Internet of Things, new I/O modules (gesture present a key for scoring/reporting that it was discovered. professionals, first responders and private investigators.
and losing, even if the rig is destroyed in the process! capture, VR, AR, etc.), AI-featured modules and services
(robots, visual recognition and voice recognition), etc. In the same vein, this CTF challenge will also Location: Online Only
Location: Contest Area leverage the ICS Village’s ICS Range to provide an
Location: Contest Area Rules: https://www.tracelabs.org/2018/05/defcon-
additional testbed for more advanced challenges 26-osint-ctf-contest-rules-description/
Hours: Friday 1000-2000, Saturday 1000-2000Contest
Website: http://www.geekpwn.org in critical infrastructure and ICS environments. Slack Channel: https://tracelabs.slack.com
Area Stage - Saturday 1200-1400
Location: ICS Village
TH E G O LD BU G - CRYP TO & Twitter: @ICS_Village

Website: https://www.icsvillage.com
P O CK E T P R OTE C TO R CO NTE S T
D U N G EO N S@ D E FCO N P R IVAC Y VI LL AG E P UZZ L E
Put your pocket protector designs through the ultimate
A puzzling campaign for 1-4 players. Love puzzles? Need a place to exercise your gauntlet designed specifically to measure the usability,
20 08 05 18 05 19 20 18 05 classical and modern cryptography skills? This M I S S I O N S E I M P OS S I B L E security, and style of your pocket protector.
puzzle will keep you intrigued over the course of
01 19 21 18 05 09 14 20 08 What is Mission SE Location: Contest Area
DEF CON. VF GUVF ERNY BE VF VG N TNZR?
Impossible (MSI)? Maybe Hours: Friday 1000-2000, Saturday 1000-
05 04 21 14 07 05 15 14 19 Location: Crypto & Privacy Village the best way to describe
2000, Sunday 1000-1200
02 05 12 15 23 04 05 06 03 Website: http://goldbug.cryptovillage.org it is if the Gringo Warrior
Challenge had a baby with
15 14 01 19 19 05 13 02 12
Ethan Hunt while getting
05 25 15 21 18 16 01 18 20 some scotch soaked DNA R E D ALE R T I C S C TF
HACK FO R TR E SS from the Human Hacker, it would give birth to Mission SE
25 01 14 04 06 09 14 04 21 Red Alert ICS CTF is based on ICS
Teams of 10 (4 Hackers + 6 TF2 Impossible. Also, this baby could shoot lasers out of it’s eyes.
19 players) will compete to score test bed (simulation) so all participant
With lock picking, hand cuffs, laser obstacle course, some
more points than their opponents can hack actual devices. There are
Location: Contest Area ciphers, and safe cracking MSI quickly became extremely
during each match. The goal is altogether some scenarios with its
popular in the SE Village. Folks of all ages have signed
Hours: Friday 1000-2000, Saturday 1000-2000 simple: score more points than your own set of challenges and scores.
up and competed in this event and are watched by an
competitors. How you do that is Challenges are from Bypass Airgap,
enthusiastic crowd who is always willing to help out.
where the challenge comes in. The ICS protocols and PLC & HMI
TF2 players will be frantically trying to Location: Social Engineering Village softwares, Forensics, and Cyber
E FF TE CH TR IVIA kill, capture and win rounds against Incidents (including classic and basic
Hours: Friday All Day challenge, reversing and web).
EFF’s team of technology the opposing TF2 players. At the same time, the hackers
will be attempting to solve a variety of hacking challenges. Twitter: @humanhacker Location: Contest Area
experts have crafted challenging
As tasks are completed, credits in our ‘hackconomy’ are Website: https://www.social-engineer.
trivia about the fascinating,
gained. These can be used to purchase effects to help your org/social-engineer-village/ Hours: Friday 1000-2000, Saturday 1000-
obscure, and trivial aspects
team or hinder your opponents in both hacking and TF2. 2000, Sunday 1000-1200
of digital security, online
rights, and Internet culture. Location: Contest Area Website: https://www.facebook.com/nshc.redalert/
Competing teams will plumb the unfathomable depths of O P E N C TF
their knowledge, but only the champion hive mind will claim Hours: Friday 1000-2000, Saturday 1000-2000
“In OpenCTF, teams compete
the First Place Tech Trivia Cup and EFF swag pack. The Twitter: @tf2shmoo TH E S CH E MAVE R S E
to solve hacking challenges in
second and third place teams will also win great EFF gear. Website: http://hackfortress.net a wide variety of categories, CHAM P I O N S H I P
Location: Contest Area Stage Twitch: hackfortresstv including web, forensics,
Reddit: /r/HackFortress programming, cryptography and The Schemaverse [skee-muh vurs] is a space battleground
Hours: Friday 1500-1700 that lives inside a PostgreSQL database. Mine the hell
34 35
contests
out of resources and build up your fleet of ships, all exercises, ciphers, logic puzzles, memory puzzles, Website: https://www.bishopfox.com/blog/2018/02/hello- A panel of 5 judges will score submissions in a
while trying to protect your home planet. Once you’re verbal and nonverbal challenges, pitting TEENS world-introducing-the-bishop-fox-cybersecurity-style-guide/ number categories. They include the following: Impact,
ready, head out and conquer the map from other DEF against TEENS in a test of endurance (and fun). Underhandedness, Novelty, & Complexity. The top
CON rivals. This unique game gives you direct access to scoring entries win and will be showcased and revered.
This year’s theme will surely challenge your kids. Ages 13-17.
the database that governs the rules. Write SQL queries TE LE CHALLE N G E Location: Contest Area
directly by connecting with any supported PostgreSQL Location: Social Engineering Village
client or use your favourite language to write AI that Let your fingers do the Hours: Friday 1000-2000, Saturday 1000-
plays on your behalf. This is DEF CON of course so start Hours: Saturday All Day hacking on your touch- 2000, Sunday 1000-1200
working on your SQL Injections - anything goes! Twitter: @humanhacker tone phone! Dive into
Website: https://www.social-engineer. the telephonic world Twitter: @UnderhandedIoT
Location: Contest Area
org/social-engineer-village/ with a challenge that will
Hours: Friday 1000-2000, Saturday 1000- pit your wits against the
2000, Sunday 1000-1200 complexities of phone VU L S E C VU L N E R AB L E I MAG E
SO H O P E L E S S LY B R O K E N systems, and the people and companies that inhabit them. BU I LD I N G CO NTE S T
Twitter: @schemaverse The TeleChallenge is an immersive environment where all you
Website: http://schemaverse.com CTF - A DEF CON 24 and need to get started is your phone. To win you’ll hack your Tired of traditional events?
25 Black Badge ctf at IoT way into, around, and through a myriad of phone-connected attendees have been asked
Village, players compete services. How do you start? How do you play? How do to submit the most devious
S E C TF against one another by you win? Good questions! Set sail with the TeleChallenge! virtual images for this
exploiting off-the-shelf IoT contest. We have something
The Social Engineering Location: Contest Area for every hacker from the
devices on a segmented
Capture the Flag, SECTF, network. These 15+ devices Hours: Friday 1000-2000, Saturday 1000- most experienced to the
returns for its 9th year! all have known vulnerabilities, wannabe n00bs. VulnSec
2000, Sunday 1000-1200
Contestants have to fight with but to successfully exploit provides an on-site Cyber
their own fears to prove they these devices requires lateral thinking, knowledge of Twitter: @telechallenge Range for contestants
can SE like the best of them. networking, and competency in exploit development. CTFs to have their images
The flagship social are a great experience to learn more about security and pwned by DEF CON attendees. So, bring your hacking
engineering event! The SECTF is a test of bravery AND test your skills, so join up in a team (or even by yourself) TI N FO I L HAT CO NTE S T tools or use our provided Kali images to participate in
brains. It pits human against corporate security, in a and compete for fun and prizes! Scan the network to this unique “by hackers for hackers” event. Still not
find every device and exploit as many as you can over What with aliens and the NSA, interesting enough? Stop by, check our schedule for
contest that places the spotlight on the dangers of vishing,
the weekend. The top three teams will be rewarded! a hacker can’t always tell who’s scheduled time trials and special events. Come out, test
all in a 5x5 glass booth for your viewing enjoyment.
listening (or who’s transmitting...). your abilities and claim a spot on our scoreboard!
Location: Social Engineering Village Zero-Day Contest - The Zero-Day contest is focused on Show us your skills by building a
the discovery and demonstration of new exploits (0-day tin foil hat to shield your subversive Location: Contest Area
Hours: All Day Friday & Saturday vulnerabilities). This track relies on the judging of newly thoughts. There are 2 categories: Hours: Friday 1000-2000, Saturday 1000-
Twitter: @humanhacker discovered attacks against connected embedded electronic stock, and unlimited. The hat
2000, Sunday 1000-1200
Website: https://www.social-engineer. devices. Devices that are eligible for the contest can be in each category that blocks
org/social-engineer-village/ found at https://www.sohopelesslybroken.com/contests. the most signal will receive the Website: http://vulnsec.net
php#0day and you can start submitting entries now! The “Substance” award for that category. We all know that
winners who score the highest on their judged entries will be hacker culture is all about looking good, though, so a
rewarded with cash prizes. Contestants will need to provide single winner will be selected from all submissions for WAR L0 CK GAM3Z C TF
S E C TF K I DS proof that they disclosed the vulnerability to the vendor. “Style”. Finally, a single overall winner will be selected
The SECTF4Kids has from all combined categories for “Style and Substance”. warl0ck gam3z CTF
Location: IOT Village
become its own DEF is a hands-on 24/7;
Location: Contest Area throw-down, no-
CON event!! What is it? Hours: Friday 1000-1900, Saturday 1000-
1900, Sunday 1000-1300 Hours: Friday 1000-2000, Saturday 1000-2000, Sunday: Contest holds-barred hacker competition focusing on areas of
We have created a series physical security, digital forensics, hacker challenges
of activities and challenges Twitter: @SOHObroken Area Stage - 1200-1300, Contest Area Stage - 1200-1300
and whatever craziness our exploit team develops. This
that will involve things Website: http://www.sohopelesslybroken.com Twitter: @DC_Tin_Foil_Hat is an online framework so participants can access it
like critical thinking Website: http://www.psychoholics.org/tfh regardless of where they are or what network they are
exercises, ciphers, logic puzzles, memory puzzles, connected to via laptop, netbook, tablet or phone.
verbal and nonverbal challenges, pitting kids S P E LL CH E CK : TH E HACK E R
against kids in a test of endurance (and fun). Most challenges require participants to download something
S P E LLI N G B E E TH E U N D E R HAN D E D H O M E that pertains to the problem at hand and solve the challenge
This year’s theme will surely challenge your kids. Ages 6-12. AUTO MATI O N CO NTE S T using whatever tools, techniques or methods they have
The year is 1983. Supplies and entertainment are both
Location: Social Engineering Village running low and the machines are closing in. Suddenly, available.There are a multitude of point gainers on and off
The Underhanded Home Automation Contest is a nod to the
a technical editor from the future appears with a security the game board. Extra point gainers will randomly appear
Hours: Friday All Day yearly Underhanded C Contest. In spirit it strives for a similar
style guide from 2018 and challenges you to spell terms on the game board in the form of The Judge, Bonus
goal; maximum damage from the seemingly innocuous. The
Twitter: @humanhacker as they appear in the guide. Maybe this quaint ritual will Questions, Free Tokens, One Time Tokens, Movie Trivia
contest requires participants to exploit home automation
Website: https://www.social-engineer. warm the hearts of the robots and bring in a new era of Quotes, Scavenger Hunts (online and onsite), Lock Picking
(IoT) devices in novel and arguably detrimental ways.
org/social-engineer-village/ understanding to this troubled world. You’re confident (onsite) and Flash Challenges. Be careful of the 50/50
you can make it past “asset” and “botnet,“ but you get a The rules are simple: Token which may add or subtract points to your score.
sinking feeling that in later rounds, capitalization is going 1. Choose one of the selected devices. The game board contains a scoring area so participants
S E C TF TE E N S to count too. The odds are against you, but it’s the end of can view current standings, as well as an embedded
the world… you might as well go out in a blaze of glory. 2. Devise a novel, subtle, and fiendish way
chat function for those that may want to taunt their
We have created a series to exploit the device or its operation.
Location: Contest Area Stage competitors, or work with other participants as part of
of activities and challenges 3. Execute your plan, and document your process. a team. There is always on onsite moderator to assist
that will involve things Hours: TBA (Check Info Booth) participants that may be experiencing issues as well.
like critical thinking 4. Showcase your findings.
36 37
contests EVENTS
All events that occur on the game board are sent o to
Twitter as they happen. These include items such as WI R E L E S S C TF 8 TH D E FCO N B I K E R I D E M O HAWK- CO N
participants signing up, leader of the board changes,
scoring updates and challenge updates. Additionally, The Wireless Village At 6am on Friday, the @cycle_override Mohawk-Con returns for another
our Facebook site will be populated with information presents the Wireless crew will be hosting the 8th Defcon year of shaving & coloring
regarding the challenge and the current state of events. Capture the Flag (WCTF). Bikeride. We’ll meet at a local heads and transforming you
We cater to those who are bikeshop, get some rental bicycles, into the cool kid at the con.
Location: Contest Area new to this game and those and about 7am will make the ride out
Charitable event to support the
Hours: Friday 1000-2000, Saturday 1000- who have been playing for to Red Rocks. It’s about a 15 mile
EFF & Hackers For Charity, get
2000, Sunday 1000-1200 a long time. Each WCTF begins with a presentation on How ride, all downhill on the return journey.
a cool new hawk in support of
to WCTF. We also have a resources page on our website that So, if you are crazy enough to join
Twitter: @gam3z_inc the causes that matter to you.
guides participants in their selection of equipment to bring. us, get some water, and head over
Website: https://www.facebook.com/Gam3zInc to cycleoverride.org for more info. Location: Contest Area
Location: Wireless Village
See at 6am Friday! @jp_bourget @gdead @heidishmoo.
Twitter: @wctf_us Hours: Friday 1000-2000, Saturday 1000-
Location: 2000, Sunday 1000-1200
WH OS E S LI D E I S Website: http://www.wirelessvillage.ninja/wctf.html
IT AN Y WAY ? Hours: Friday - 0600 Website: https://www.facebook.com/MohawkCon/
“Whose Slide Is It Twitter: @cycle_override

Anyway?” is an unholy union of improv comedy, Website: http://cycleoverride.org
hacking and slide deck sado-masochism.
TOXI C B B Q
Location: Contest Area The humans of Vegas
D E AF CO N M E E T U P invite everyone to sear
Hours: their meat in the searing
DEAF CON is a California 501
Twitter: @ImprovHacker (c)(3) Non-profit organization. heat! Kick off the con at
Website: http://improvhacker.com/ We provide outreach to the Sunset Park, Pavilion F
Deaf and HH community on Thursday afternoon
and information security with meat, beer, and
community. We encourage conversation at this
Deaf and HH information unofficial welcome party.
security professionals to Burgers and dogs are
attend conferences, like provided; contribute
Defcon. We help to provide communication services and the rest as you can
spaces for professionals to meet and network with others. (more food, drinks,
Anyone can come and attend our meet up and hangout! grilling, donations,
and rides). This event is off-site, so watch the Info
Location: Chill-out Lounge Booth @dcib for carpool times and event updates.
Hours: Saturday 1200 Location: Sunset Park, Pavilion F, (36.0636, -115.1178)
Twitter: @_DEAFCON_ Hours: Thursday 1600-2200
Website: https://www.deafconinc.org/
HACK E R K AR AO K E L A S E R S H O OTI N G GALLE RY

Experience the beauty of the Las Vegas area by
Do you like to sing? Do shooting at inanimate objects with REAL lasers! Shoot
you want to perform? aliens, robots, barrels and even cacti and try to get
Ever wanted to sing in the high score. A presentation on how the gallery
front of others? Come was conceived and constructed will occur Friday
on down to the 10th and Saturday at 3 PM in the shooting gallery room.
Annual Hacker Karaoke, Brought to you by the fine folks from Notacon.
DEFCON’s on-site karaoke
experience. You can Location: Venice, Caesars
be a star, or if you don’t want to be a star, you can
also take pride in making an utter fool of yourself.
Location: Emperors BR Chillout
Hours: Friday 2000-0200, Saturday 2000-0200
Twitter: @hackerkaraoke
Website: https://hackerkaraoke.org/
HAM R AD I O E X AM S
Location: Anzio
38 39
Presentations Presentations
Alpha by Speaker ASURA: A HUGE 750 malicious packets in about YOU MAY HAVE PAID WHAT THE FAX!? sit idly by while this ongoing
PCAP FILE ANALYZER 18GB packet dump. For Asura MORE THAN YOU Sunday at 15:00 in Track 2 madness is allowed to continue.
DETECTING BLUE TEAM FOR ANOMALY to inspect 70 million packets, it IMAGINE: REPLAY 45 minutes | Demo, Tool, Exploit, The world must stop using FAX!
RESEARCH THROUGH PACKETS DETECTION took reasonable computing time ATTACKS ON ETHEREUM Audience Participation
TARGETED ADS USING MASSIVE of around 350-450 minutes with SMART CONTRACTS Yaniv Balmas ROCK APPROUND THE
Saturday at 13:30 in Track 2 1000-5000 multithreading by running Security Researcher, Check Point Software
CLOCK: TRACKING
MULTITHREADING Saturday at 10:00 in Track 3 Technologies
20 minutes commodity workstation. Asura will 45 minutes | Demo, Exploit MALWARE DEVELOPERS
Sunday at 13:30 in Track 1
0x200b be released under MIT license and Eyal Itkin
BY ANDROID “AAPT”
20 minutes | Tool Zhenxuan Bai Security Researcher, Check Point Software
Hacker available at author’s GitHub site Freelance Security Researcher Technologies TIMEZONE DISCLOSURE
Ruo Ando on the first day of DEF CON 26.
When my implant gets discovered Center for Cybersecurity Research and Development,
Yuwei Zheng BUG
National Institute of Informatics, Japan Unless you’ve been living under a
how will I know? Did the implant Senior Security Researcher, Unicorn Team, 360 Sunday at 10:00 in Track 1
ONE BITE AND ALL Technology rock for the past 30 years or so, you
stop responding for some benign Recently, the inspection of huge 45 minutes | Demo
YOUR DREAMS WILL probably know what a fax machine
reason or is the IR team responding? traffic log is imposing a great burden Senhua Wang Sheila A. Berta
COME TRUE: ANALYZING is. For decades, fax machines were
With any luck they’ll upload the on security analysts. Unfortunately,
Freelance Security Researcher
Security Researcher at Eleven Paths
AND ATTACKING APPLE used worldwide as the main way
sample somewhere public so I can there have been few research Kunzhe Chai of electronic document delivery. Sergio De Los Santos
find it, but what if I can find out if efforts focusing on scalability in KERNEL DRIVERS Leader of PegasusTeam at 360 Radio Security
Head of Innovation and Lab at Eleven Paths
Research Department, 360 Technology But this happened in the 1980s.
they start looking for specific bread analyzing very large PCAP file with Sunday at 14:00 in Track 3
Humanity has since developed far Are you a malware developer for
crumbles in public data sources? reasonable computing resources. 45 minutes | Demo, Tool, Exploit In this paper, a new replay attack more advanced ways to send digital Android devices? We have very
At some point without any internal Asura is a portable and scalable Xiaolong Bai based on Ethereum smart contracts content, and fax machines are all bad news for you: the Android-SDK
data all blue teams turn to OSINT PCAP file analyzer for detecting Security Engineer, Alibaba Inc. is presented. In the token transfer, in the past, right? After all, they packager (aapt) is leaking your time
which puts their searches within anomaly packets using massive Min (Spark) Zheng the risk of replay attack cannot should now be nothing more than zone! We have found a bug inside
view of the advertising industry. In multithreading. Asura’s parallel Security Expert, Alibaba Inc. be completely avoided when the a glorified museum item. Who on this Android-SDK’s component that
this talk I will detail how I was able packet dump inspection is based sender’s signatures are abused,
Though many security mechanisms earth is still using fax machines? relies in not properly setting the value
to use online advertising to detect on task-based decomposition which can bring the loss to users.
are deployed in Apple’s macOS and The answer, to our great horror, is of a variable used as an argument
when a blue team is hot on my trail. and therefore can handle massive And the reason is that the applying
iOS systems, some old-fashioned EVERYONE. State authorities, banks, for localtime() function, when setting
threads for large PCAP file without scope of the signatures is not
or poor-quality kernel code still service providers and many others the “Last Modified” field for the
HACKING PLCS AND considering tidy parameter selection properly designed in the smart
leaves the door widely open to are still using fax machines, despite Android App’s files. Because of this,
CAUSING HAVOC in adopting data decomposition. contracts. To test and verify this
attackers. Especially, as kernel’s their debatable quality and almost the time zone of anyone using the
ON CRITICAL Asura is designed to scale out in loophole, we selected two similar
critical components, device drivers non-existent security. In fact, using Android-SDK packager to generate
INFRASTRUCTURES processing large PCAP file by taking smart contracts for our experiment,
are frequently exploited to attack fax machines is often mandatory and their APKs is leaked. The curious
Saturday at 11:00 in 101 Track, as many threads as possible. at the same time, we used our own
Apple systems. In fact, bug hunting considered a solid and trustworthy thing is that, despite of this bug inside
Flamingo accounts in these two contracts to
Asura takes two steps. First, Asura in Apple kernel drivers is not easy method of delivering information. aapt, the problem goes even beyond
45 minutes | Demo, Exploit carry out the experiment. Because the
extracts feature vector represented since they are mostly closed-source aapt itself: its roots goes deep into
same signatures of the two contracts What the Fax?! We embarked on
Thiago Alves by associative containers of and heavily relying on object-oriented an incorrect handling errors in the
Ph.D. Student and Graduate Research Assistant at the were used in the experiment, we a journey with the singular goal of
<sourceIP, destIP> pair. By doing programming. In this talk, we will operative system functions localtime()
University of Alabama in Huntsville
got a double income from sender disrupting this insane state of affairs.
this, the feature vector can be share our experience of analyzing (Windows) and localtime_r() (UNIX).
Programmable Logic Controllers successfully. The experiment verified We went to work, determined to show
drastically small compared with and attacking Apple kernel drivers.
(PLCs) are devices used on a variety that the replay attack is really exist. that the common fax machine could Because of in the world of Threat
the size of original PCAP files. In In specific, we will introduce a new
of indusWtrial plants, from small Besides, the replay attack may be compromised via mere access Intelligence determining the
other words, Asura can reduce tool called Ryuk. Ryuk employs static
factories to critical infrastructures exist in multiple smart contracts. to its fully exposed and unprotected attacker’s geographical location of
packet dump data into the size of analysis techniques to discover bugs
like nuclear power plants, dams and We calculated the number of smart telephone line—thus completely is one of the most valuable data for
unique <sourceIP, destIP> pairs by itself or assist manual review.
wastewater systems. Although PLCs contracts with this loophole, as well bypassing all perimeter security attribution techniques, we focused
(for example, in experiment, Asura’s In addition, we further combine static
were made robust to sustain tough as the corresponding transaction protections and shattering to pieces our research in taking advantage
output which is reduced in first step analysis with dynamic fuzzing for bug
environments, little care was taken activities, which find some Ethereum all modern-day security concepts. of this bug for tracking Android
is about 2% compared with the size hunting in Apple drivers. In specific,
to raise defenses against potential smart contracts are risked for malware developers. In addition to
of original libpcap files). Second, we will introduce how we integrate Join us as we take you through the
cyber threats. As a consequence, this loophole. According to the this, we have discovered another
a parallel clustering algorithm is Ryuk to the state-of-art Apple driver strange world of embedded operating
threats started pouring in and causing vulnerability of the contract signature, very effective way to find out the
applied for the feature vector which fuzzer, PassiveFuzzFrameworkOSX, systems, 30-year-old protocols,
havoc. During this presentation I will the risk level is calibrated and developer’s time zone, based on a
is represented as {<sourceIP, for finding exploitable bugs. museum grade compression
talk about the architecture of a PLC depicted. Furthermore, the replay calculation of times extracting the
destIP>, V[i]} where V[i] is aggregated algorithms, weird extensions and
and how it can be p0wned. There Most importantly, we will illustrate attack pattern is extended to within GMT timestamp from the Android’s
flow vector. In second step, Asura undebuggable environments. See for
will be some live demonstration Ryuk’s power with several new contract, cross contract and cross app files and the UTC timestamp
adopts an enhanced Kmeans yourself first-hand as we give a live
attacks against 3 different brands vulnerabilities that are recently chain, which provide the pertinence of the self-signed,”disposable”
algorithm. Concretely, two functions demonstration of the first ever full
of PLCs (if the demo demons allow discovered by Ryuk. In specific, and well reference for protection. certificate added to the application
of Kmeans which are (1)calculating fax exploitation, leading to complete
it, if not I will just show a video). we will show how we exploit Finally, the countermeasures are (most common cases in malware
distance and (2)relabeling points are control over the entire device as
Additionally, I will demonstrate two these vulnerabilities for privilege proposed to fix this vulnerability. developers). This is what we call:
improved for parallel processing. well as the network, using nothing
vulnerabilities I recently discovered, escalation on macOS 10.13.3 and Rock appround the clock! Using
In experiment, in processing public but a standard telephone line. these two different techniques, we
affecting the Rockwell MicroLogix 10.13.2. We will not only explain
1400 series and the Schneider PCAP datasets, Asura can identified why these bugs occur and how we This talk is intended to be the have crunched some numbers with
Modicon M221 controllers. 750 packets which are labeled as find them, but also demonstrate canary in the coal mine. The our 10 million apps database to
malicious from among 70 million how we exploit them with innovative technology community cannot determine how these leaked time
(about 18GB) normal packets. In a kernel exploitation techniques. zones (with one or another technique)
nutshell, Asura successfully found are related with malware and which
40 41
are the countries that generate more system and data. Exactly for LAST MILE Windows Defender Antivirus’s start. We will dive into the internals the controls meant to protect it. It
Android malicious applications, what these reasons, it is necessary to AUTHENTICATION mpengine.dll implements the of a qualcomm baseband, tracing flexes on tools with various look-
is the possible relation between understand the way that malwares PROBLEM: EXPLOITING core of Defender’s functionality it’s evolution over the years until its what-I-can-break demonstrations
time zone and”malware likelihood” act as device drivers and what are the THE MISSING LINK IN in an enormous ~11 MB, current state. We will discuss the and, if you write similar tools, it’ll
among other interesting numbers. mechanisms used by these threats END-TO-END SECURE 30,000+ function DLL. custom, in-house DSP architecture make you rethink how you do it.
to infect an operating system. they now run on, and the proprietary
But that’s not all, we have another COMMUNICATION In this presentation, we’ll look at
RTOS running on it. We will also PROJECT INTERCEPTOR:
bad news for malware developers: The purpose of this presentation Sunday at 12:00 in Track 1 Defender’s emulator for analysis
cover the architecture of the cellular AVOIDING COUNTER-
no IDE (even Android Studio) is to show clearly and without too 45 minutes | Demo, Exploit of potentially malicious Windows
stack, likely places vulnerabilities DRONE SYSTEMS WITH
removes metadata from the files much details that often hinders Thanh Bui binaries on the endpoint. To the
lie, and exploit mitigations in place. NANODRONES
added to the Android app. We will understanding, how these threats Security Researcher, Aalto University, Finland best of my knowledge, there has
Finally we will cover debugging
show examples with real cases in act, which components are Siddharth Rao
never been a conference talk or Saturday at 15:00 in 101 Track,
possibilities, and how to get started
which, after analyzing the metadata attacked, what are the techniques Security Researcher, Aalto University, Finland publication on reverse engineering Flamingo
analyzing the baseband firmware— 45 minutes | Demo, Tool, Audience
of files inside the .apk, we got used by these advanced malware any antivirus binary emulator before.
With “Trust none over the Internet” how to differentiate between RTOS Participation
to know country, language, or to subvert the system and how
mindset, securing all communication We’ll cover a range of topics including and cellular functions, how to find
even more specific geographical existing protections work . David Melendez Cano
between a client and a server emulator internals—machine code C std library functions, and more. R&D Embedded Systems Engineer. Albalá Ingenieros
location of the developer and
with protocols such as TLS has to intermediate language translation S.A.
-in some cases- the name of TROUBLE IN THE TUBES:
become a common practice. and execution; memory management; RELOCATION BONUS:
the suppose-to-be-anonymous HOW INTERNET ROUTING Antidrone system industries
However, while the communication Windows API emulation; NT ATTACKING THE
developer! Finally, we will share the SECURITY BREAKS DOWN have arisen. Due to several, and
over Internet is routinely secured, kernel emulation; file system and WINDOWS LOADER
scripts we have built to get all this AND HOW YOU CAN DO even classic, vulnerabilities in
there is still an area where such registry emulation; integration with MAKES ANALYSTS
information with just a simple click. communication systems now used
IT AT HOME security awareness is not seen: Defender’s antivirus features; the
SWITCH CAREERS by drones, anti-drone systems are
Sunday at 13:00 in 101 Track, inside individual computers, where virtual environment; etc.—building
RING 0/-2 ROOTKITS: Saturday at 17:00 in Track 2 able to take down those drones by
Flamingo adversaries are often not expected. custom tooling for instrumenting the
BYPASSING DEFENSES 45 minutes | Demo, Tool means of well documented attacks.
45 minutes | Demo, Tool emulator; tricks that binaries can use
Thursday at 12:00 in 101 Track, This talk discusses the security of to evade or subvert analysis; and Nick Cano Drone/antidrone competition has
Lane Broadbent
Flamingo Security Engineer, Vivint various inter-process communication attack surface within the emulator.
Senior Security Architect @ Cylance
already been set into the scene.
45 minutes (IPC) mechanisms that local This talk provides a new vision
We all protect our home networks, Attendees will leave with an The arbiters of defense wield many
Alexandre Borges processes and applications use to about drone protection against
but how safe is your data once it understanding of how modern static analysis tools; disassemblers,
Malware and Security Researcher at Blackstorm interact with each other. In particular, anti-drone systems, presenting “The
Security leaves on its journey to the latest antivirus software conducts PE viewers, and anti-viruses are
we show IPC-related vulnerabilities Interceptor Project”, a hand-sized
cat pictures? How does your traffic emulation-based dynamic analysis among them. When you peer into
Advanced malware such as TDL4, that allow a non-privileged process nano drone based on single-core
make it to its destination and what on the endpoint, and how attackers their minds, these tools reveal their
Rovnix, Gapz, Omasco, Mebromi to steal passwords stored in popular tiniest Linux Board: Vocore2.
threats does it face on its way? What might go about subverting or perilous implementations of PE
and others have exposed in recent password managers and even second
is BGP and why should you care? attacking these systems. I’ll publish file parsing. They assume PE files This Linux board manages a WiFi
years various techniques used to factors from hardware tokens. With
code for a binary for exploring the come as-is, but the Windows Loader (side/hidden) bidirectional channel
circumvent the usual defenses and In this talk, I’ll explain the basic passwords being the primary way of
emulator from within, patches that I actually applies many mutations communication that cannot be
have shown how much companies structure of the network that is the authentication, the insecurity of this
developed for instrumenting Defender (some at the command of the PE deauthenticated and it is replay-
are not prepared to deal with Internet and the trust relationships “last mile” causes the security of the
built on top of Tavis Ormandy’s itself) before execution ever begins. resistant, keeping all 802.11 hacking
these sophisticated threats. on which it is built. We’ll explore rest of the communication strands to
loadlibrary project, and IDA scripts This talk is about bending that loader capabilities and standard utilities
several types of attacks that you be obsolete. The vulnerabilities that
Although the industry has to help with analyzing mpengine. to one’s whim with the Relocations as any other WiFi hacker drone,
may have seen in the news that we demonstrate can be exploited
implemented new protections such as dll and Defender’s “VDLLs” Table as a command spell. It will with only the built-in adapter of
exploit this relationship to bring on multi-user computers that may
Virtualized Based Security, Windows demonstrate how the loader can the tiny Vocore2. Also, a “just in
down websites, steal cryptocurrency, have processes of multiple users
SMM Security Mitigation Table A JOURNEY INTO be instrumented into a mutation case”, fallback control by SDR is
and monitor dissidents. running at the same time. The
(WSMT), Kernel Code Signing, HVCI, engine capable of transforming an implemented taking advantage of
attacker is a non-privileged user HEXAGON: DISSECTING A
ELAM, Secure Boot, Boot Guard, Because talking about bringing utterly mangled PE file into a valid all the goods that SDR radio gives.
trying to steal sensitive information QUALCOMM BASEBAND
BIOS Guard, and many others, it is down the Internet isn’t as much fun executable. This method starts All embedded into a hand-sized
from other users. Such computers Thursday at 13:00 in 101 Track,
still unknown the professionals of as doing, I’ll show how to create with multiple ASLR Preselection aircraft to make detection and
can be found in enterprises with Flamingo
the architecture of these protections, a mini Internet using Mininet and attacks that force binary mapping mitigation a real and new pain, with
centralized access control that 45 minutes
what are the components attacked demonstrate the attacks without at a predictable address. It then a very low budget: About $70.
gives multiple users access to the Seamus Burke
by these contemporary malwares the need for a BGP router or a mangles the PE file, garbling any
same host. Computers with guest Hacker
in the context of BIOS / UEFI and lawyer. Finally, because nation byte not required prior to relocation. YOU’D BETTER SECURE
accounts and shared computers
what are the tricks used by them. states shouldn’t get to have all Mobile phones are quite complicated Finally, it embeds a new Relocations YOUR BLE DEVICES OR
at home are similarly vulnerable.
Precisely because of the lack of the fun, I’ll use Scapy and some and feature multiple embedded Table which, when paired with a
WE’LL KICK YOUR BUTTS!
adequate understanding, most novel techniques to demonstrate processors handling wifi, cellular preselected base address, causes
REVERSE ENGINEERING connectivity, bluetooth, and other the loader to reconstruct the PE Saturday at 12:00 in Track 2
machines (BIOS / UEFI + operating how a compromised router can 45 minutes | Demo, Tool, Exploit
WINDOWS DEFENDER’S signal processing in addition to the and execute it with ease. This isn’t a
system) remain vulnerable in the be used to prevent attribution,
same way as a few years ago. frame a friend, or create a covert
EMULATOR application processor. Have you ever packer or a POC, it is a PE rebuilder Damien “virtualabs” Cauquil
Head of Research & Development, Digital Security
communication channel. Saturday at 15:00 in Track 2 been curious about how your phone which generates completely valid,
In addition, there are a growing 45 minutes | Demo, Tool actually makes calls and texts on stable, and vastly tool-breaking Sniffing and attacking Bluetooth
number of malwares that have a low level? Or maybe you want to executables. This talk will show
Alexei Bulazel Low Energy devices has always
used kernel drivers to circumvent learn more about the internals of the you how this attack twists the
Hacker
been a real pain. Proprietary tools
limitations and protections in order baseband but have no clue where to protocols of a machine against do the job but cannot be tuned
to gain full access to the operating
42 43
to fit our offensive needs, while Android version of Hacker Tracker figure out what smart city tech Kirill Levchenko PhD from using my bank’s website? possible will introduce themselves
Associate Professor of Computer Science, University of
opensource tools work sometimes, and reached out to me about a given city is using, the privacy California San Diego How are they communicating with and provide status updates. After
but are not reliable and efficient. creating an iOS version. I was implications of smart cities, the my bank? These questions ran we’re done talking, the remainder
Beau Woods
Even the recently released Man-in- thrilled that someone wanted to implications of successful attacks Hacker through my head when balancing of time will be an informal open
the-Middle BLE attack tools have join me and help grow the project. on smart city tech, and what the the family checkbook every month. floor right there in the room to
Roberto Suarez
their limits, like their complexity Not long after that, I recruited future of smart city tech may hold. mingle and talk all things DCG.
Hacker Answering these questions led me to
and lack of features to analyze Chris to work on the app as well.
Jay Radcliffe deeply explore the 20 year old Open There will be a:
encrypted or short connections. DEF CON 101 PANEL
Now, 6 years since its inception, Hacker Financial Exchange (OFX) protocol
Thursday at 15:30 in 101 Track, • Designated area in the room for
Furthermore, as vendors do not seem a small team supports the app and the over 3000 North American
Flamingo Joshua Corman those wanting to start/join a group
inclined to improve the security of development across iOS and Android Hacker banks that support it. They led me to
105 minutes | Audience Participation
their devices by following the best and the apps are being used by the over 30 different implementations • Designated area in the room for
HighWiz David Nathans
practices, we decided to create a half a dozen different conferences, Hacker running in the wild and to a broad those wanting to share project ideas
Founder, DC 101
tool to lower the ticket: BtleJack. representing several thousand users. and inviting attack surface presented
BtleJack not only provides an Nikita Healthcare cybersecurity is in critical by these banks’ digital side doors. YOUR VOICE IS MY
From nothing to something, Director of Content & Coordination, DEF CON condition. That’s not FUD, that’s the
affordable and reliable way to sniff PASSPORT
we’ve experienced quite a bit bottom line from the Congressionally Now I’d like to guide you through
and analyze Bluetooth Low Energy Roamer Friday at 16:00 in Track 3
in 6 years. Join us as we share CFP Vocal Antagonizer mandated Health Care Industry how your Quicken, QuickBooks,
devices and their protocol stacks, 45 minutes | Demo, Exploit
our moments of joy, fear, and Cybersecurity Task Force report Mint.com, or even GnuCash
but also implements a brand new Chris “Suggy” Sumner _delta_zero
panic,”things not to do”, and more. released just last year, a year which applications are gathering your
attack dubbed “BtleJacking” that Co-Founder, Online Privacy Foundation Senior Data Scientist, Salesforce
also saw the twin specters of checking account transactions, credit
provides a way to take control of Jericho
DEF CON CLOSING WannaCry and NotPetya take down card purchases, stock portfolio, Azeem Aqil
any already connected BLE device. “Squirrel” Senior Security Software Engineer, Salesforce
CEREMONIES entire hospital systems while over and tax documents. We’ll watch
We will demonstrate how this Wiseacre them flow over the wire and learn
Sunday at 16:00 in Track 1 Former Doer Of Things half a million implanted pacemakers Financial institutions, home
attack works on various devices, 105 minutes | Audience Participation were recalled in the fallout of about the jumble of software your automation products, and offices
how to protect them and avoid The Dark Tangent
Shaggy
one of the most (ir)responsible bank’s IT department deploys to near universal cryptographic
The Mountain
hijacking and of course release disclosures in recent memory. It’s provide them. We’ll discuss how decoders have increasingly used
the source code of the tool. DEF CON Closing Ceremonies Ten years ago, DEF CON 101 was secure these systems are, that keep
enough to make any concerned voice fingerprinting as a method for
founded by HighWiz as a way to white hat reach for a stiff drink. And track of your money, and we’ll send authentication. Recent advances
Vendors, be warned: BLE OUTSMARTING THE introduce n00bs to DEF CON. The that’s where we come in. After an a few simple packets at several in machine learning and text-to-
hijacking is real and should be
SMART CITY idea was to help attendees get the incredibly successful, near-fire- banks and count the number of speech have shown that synthetic,
considered in your threat model.
Saturday at 16:00 in 101 Track, best experience out of DEF CON code-violating jam packed session security WTFs along the way. high-quality audio of subjects can
Flamingo (and also tell them how to survive the be generated using transcripted
BUILDING THE HACKER at DC25 as an Evening Lounge, Lastly, I’ll demo and release a
45 minutes | Demo, Exploit weekend!). The DEF CON 101 panel
TRACKER ‘D0 N0 H4rm’ is diving deeper and tool that fingerprints an OFX speech from the target. Are current
Daniel “unicornFurnace” Crowley has been a way for people who have going longer as it transforms into a service, describes its capabilities, techniques for audio generation
Thursday at 15:00 in 101 Track, Research Baron, IBM X-Force Red
Flamingo
participated in making DEF CON what Fireside Hax, assembling an even and assesses its security. enough to spoof voice authentication
20 minutes Mauro Paredes it is today to share those experiences larger and more distinguished panel algorithms? We demonstrate, using
Hacker
and, hopefully, inspire attendees to of expert hackers, policymakers, PANEL: DEF CON GROUPS freely available machine learning
Whitney Champion
Senior Systems Engineer Jen “savagejen” Savage expand their horizons. DEF CON wonks, and health care providers Sunday at 15:00 in Track 1 models and limited budget, that
Hacker offers so much more than just talks to continue discussing, dissecting, 45 minutes | Audience Participation standard speaker recognition and
Seth Law
and the DEF CON 101 panel is the and most importantly, debating the voice authentication systems are
Application Security Consultant, Redpoint Security The term”smart city” evokes imagery Brent White (B1TK1LL3R)
perfect place to learn about all things ways to keep patients safe in an indeed fooled by targeted text-to-
of flying cars, shop windows that DEF CON Groups Global Coordinator
In 2012, back when DEF CON DEF CON so you, dear reader, can increasingly perilous space. Featuring speech attacks. We further show
double as informational touchscreens, Jeff Moss (The Dark Tangent)
still fit in the Riviera (RIP), I get the best experience possible. The continuous audience interaction and a method which reduces data
and other retro-futuristic fantasies of Founder, DEF CON
recognized a gap to fill. I wanted panel will end with the time honored with the same loose and informal required to perform such an attack,
what the future may hold. Stepping Jayson E. Street
to create a mobile version of the tradition of “Name the n00b” where flow that characterized the initial, demonstrating that more people
away from the smart city fantasy, DEF CON Groups Global Ambassador
paper DEF CON booklet that lucky attendees will be brought up libation rich hotel room gatherings, are at risk for voice impersonation
the reality is actually much more
everyone could use at the con. on stage to introduce themselves to moderators quaddi and r3plicant S0ups than previously thought.
mundane. Many of these technologies
I was unable to attend the conference you and earn the coveted 101 n00b invite you to add your voice to this Tim Roberts (byt3boy)
have already quietly been deployed
that year. I was 8 months pregnant handle. Don’t worry if you don’t make incredibly important conversation. THE RING 0 FAÇADE:
in cities across the world. In this Casey Bourbonnais
with my first child, and because it on to the stage, there will be plenty Pin this one down quickly, pre- AWAKENING THE
talk, we examine the security of a April Wright
I couldn’t be there in person, I of other prizes for you to enjoy! registration is going to go fast. PROCESSOR’S INNER
cross-section of smart city devices
spent a lot of time wishing I was. currently in use today to reveal how Do you love DEF CON? Do you DEMONS
deeply flawed they are and how the
D0 N0 H4RM: A YOUR BANK’S DIGITAL hate having to wait for it all year?
Saturday at 13:30 in Track 1
So I built it. I spent countless hours HEALTHCARE SECURITY SIDE DOOR Well, thanks to DEF CON groups,
implications of these vulnerabilities 20 minutes | Demo, Tool
pouring my heart into what became CONVERSATION you’re able to carry the spirit of
could have serious consequences. Friday at 17:00 in 101 Track, Flamingo Christopher Domas
the Hacker Tracker, shiny graphics DEF CON with you year round, and
Friday at 20:00-22:00 in Octavius 9 45 minutes | Demo, Tool Director of Research, Finite State
and all, and was committing code up In addition to discussing newly Fireside Hax with local people, transcending
until the minute I went into labor. Steven Danneman
discovered pre-auth attacks Security Engineer, Security Innovation borders, languages, and anything Your computer is not yours. You may
Christian”quaddi” Dameff MD
against multiple smart city devices else that may separate us! have shelled out thousands of dollars
Fast forward a few years: Seth was Emergency physician, Clinical Informatics fellow at
from different categories of smart The University of California San Diego. Why does my bank’s website require for it. It may be sitting right there on
frustrated with the lack of a mobile In this special event, your DEF
city technology, this presentation my MFA token but Quicken sync does your desk. You may have carved
app for iOS while attending DEF Jeff “r3plicant” Tully MD CON groups team who works
will discuss methods for how to not? How is using Quicken or any your name deep into its side with a
CON. Subsequently, he found the Pediatrician, Anesthesiologist, University of California
behind the scenes to make DCG
Davis personal financial software different
44 45
blowtorch and chisel. But it’s still not column and sort them, but only if the they could be affected, and can payments. Mobile Point of Sales IT’S ASSEMBLER, JIM, would be discussed that will
yours. Some vendors are building first column is a particular string and be used to track the number of (mPOS) terminals have propelled BUT NOT AS WE KNOW help to prevent those attacks
secret processor registers into your for some reason the case is random. affected domains over time. this growth lowering the barriers for IT: (AB)USING BINARIES when deploying software using
system’s hardware, only accessible small and micro-sized businesses FROM EMBEDDED a library with TLS 1.3 support.
In this DEF CON 101 talk, we’ll
by shadowy third parties with trusted DEFENDING THE 2018 to accept non-cash payments. DEVICES FOR FUN AND
cover a ton of bash one-liners
keys. We as the end users are being MIDTERM ELECTIONS Older payment technologies like HAVING FUN WITH IOT:
that we use to speed up our PROFIT
intentionally locked out and left in FROM FOREIGN mag-stripe still account for the REVERSE ENGINEERING
hacking. Along the way, we’ll Friday at 12:00 in 101 Track, Flamingo
the dark, unable to access the heart ADVERSARIES largest majority of all in-person AND HACKING OF XIAOMI
talk about the concepts behind 45 minutes | Demo
of our own processors, while select transactions. This is complicated IOT DEVICES
each of them and how we apply Sunday at 10:00 in Track 2 Morgan “indrora” Gangwere
organizations are granted full control further by the introduction of new
various strategies to accomplish 45 minutes | Demo, Tool Hacker Saturday at 14:00 in 101 Track,
of the internals of our CPUs. In this payment standards such as NFC. As
whatever weird data processing Joshua M. Franklin Flamingo
talk, we’ll demonstrate our work on with each new iteration in payment With the proliferation of Linux-based 45 minutes | Demo, Tool, Exploit
task comes up while testing Hacker
how to probe for and unlock these technology, inevitably weaknesses SoCs—you’ve likely got one or two
exploits and attacking a network. Kevin Franklin Dennis Giese
previously invisible secret registers, to Hacker
are introduced into this increasingly in your house, on your person or in Hacker
break into all-powerful features buried complex payment eco-system. your pocket—it is often useful to look
LOST AND FOUND While most IoT accessory
deep within the processor core, to Election Buster is an open source tool “under the hood” at what is running;
CERTIFICATES: DEALING In this talk, we ask, what are the manufacturers have a narrow
finally take back our own computers. created in 2014 to identify malicious Additionally, in-situ debugging may
WITH RESIDUAL security and fraud implications of area of focus, Xiaomi, an Asian
domains masquerading as candidate be unavailable due to read-only
CERTIFICATES FOR PRE- removing the economic barriers based vendor, controls a vast
GOD MODE UNLOCKED: webpages and voter registration filesystems, memory is often limited,
OWNED DOMAINS to accepting card payments; and IoT ecosystem, including smart
HARDWARE BACKDOORS systems. During 2016, fake domains and other factors keep us from
what are the risks associated with lightbulbs, sensors, cameras,
IN [REDACTED] X86 CPUS Sunday at 13:30 in Track 2 were used to compromise credentials attacking a live device. This talk looks
continued reliance on old card vacuum cleaners, network speakers,
20 minutes | Demo, Tool of a Democratic National Committee at attacking binaries outside their
Friday at 14:00 in Track 1 standards like mag-stripe? In the electric scooters and even washing
45 minutes | Demo, Tool, Exploit Ian Foster (DNC) IT services company, and native environment using QEMU, the
past, testing for payment attack machines. In addition, Xiaomi also
Hacker foreign adversaries probed voter Quick Emulator, as well as techniques
Christopher Domas vectors has been limited to the manufactures smartphones. Their
Dylan Ayrey registration systems. The tool now for extracting relevant content from
Director of Research, Finite State
scope of individual projects and products are sold not only in Asia, but
Hacker cross-checks domain information devices and exploring them.
Complexity is increasing. Trust to those that have permanent also in Europe and North America.
against open source threat
eroding. In the wake of Spectre and When purchasing a new domain access to POS and payment The company claims to have the
intelligence feeds, and uses a semi- PLAYBACK: A TLS 1.3
Meltdown, when it seems that things name you would expect that infrastructure. Not anymore! biggest IoT platform worldwide.
autonomous scheme for identifying STORY
cannot get any darker for processor you are the only one who can In what we believe to be the most
phundraising and false flag sites via Friday at 15:00 in Track 2 In my talk, I will give a brief overview
security, the last light goes out. This obtain a valid SSL certificate for comprehensive research conducted
ensembled data mining and deep 45 minutes | Demo of the most common, Wi-Fi based,
talk will demonstrate what everyone it, however that is not always the in this area, we consider four of the
learning techniques. We identified Xiaomi IoT devices. Their devices
has long feared but never proven: case. When the domain had a major mPOS providers spread across
Alfonso García Alguacil
Russian nationals registering Senior Penetration Tester, Cisco may have a deep integration in the
there are hardware backdoors in prior owner(s), even several years the US and Europe; Square, SumUp,
fake campaign sites, candidates daily life (like vacuum cleaners, smart
some x86 processors, and they’re prior, they may still possess a valid iZettle and Paypal. We provide live Alejo Murillo Moya
deploying defensive—and offensive— Red Team Lead EMEAR, Cisco toilet seats, cameras, sensors, lights).
buried deeper than we ever imagined SSL certificate for it and there is demonstrations of new vulnerabilities
measures against their opponents,
possible. While this research very little you can do about it. that allow you to MitM transactions, TLS 1.3 is the new secure I will focus on the features,
and candidates unintentionally
specifically examines a third-party Using Certificate Transparency, we exposing sensitive PII to the public. send arbitrary code via Bluetooth and communication protocol that computational power, sensors,
processor, we use this as a stepping examined millions of domains and This talk provides an analysis of mobile application, modify payment should be already with us. One security and ability to root the
stone to explore the feasibility of more certificates and found thousands of our 2016 Presidential Election data, values for mag-stripe transactions, of its new features is 0-RTT (Zero devices. Let’s explore how you
widespread hardware backdoors. examples where the previous owner and all data recently collected and a vulnerability in firmware; Round Trip Time Resumption) can have fun with the devices or
for a domain still possessed a valid during the 2018 midterm elections. DoS to RCE. Using this sampled that could potentially allow replay use them for something useful,
ONE-LINERS TO RULE SSL certificate for the domain long The talk also details technological geographic approach, we are able attacks. This is a known issue like mapping Wi-Fi signal strength
THEM ALL after it changed ownership. We will and procedural measures that to show the current attack surface acknowledged by the TLS 1.3 while vacuuming your house. I will
Friday at 11:00 in Track 2 review the results from our ongoing government offices and campaigns of mPOS and, to predict how this specification, as the protocol does also cover some interesting things I
45 minutes | Demo large scale quantitative analysis can use to defend themselves. will evolve over the coming years. not provide replay protections discovered while reverse engineering
over past and current domains for 0-RTT data, but proposed Xiaomi’s devices and discuss which
egypt For audience members that are
Security Analyst, Black Hills Information Security and certificates. We’ll explore the FOR THE LOVE OF countermeasures that would need protections were deployed by the
interested in integrating testing developers (and which not).
massive scale of the problem, what MONEY: FINDING to be implemented on other layers,
William Vu practices into their organization
Security Researcher, Rapid7 we can do about it, how you can AND EXPLOITING not at the protocol level. Therefore, Be prepared to see the guts of many
or research practices, we will
protect yourself, and a proposed the applications deployed with TLS of these devices. We will exploit them
It began with the forging of VULNERABILITIES IN show you how to use mPOS to
process change to make this less 1.3 support could end up exposed and use them to exploit other devices.
the command line. And some MOBILE POINT OF SALES identify weaknesses in payment
of a problem going forwards. to replay attacks depending on the
things that should not have been SYSTEMS technologies, and how to remain
implementation of those protections.
forgotten, were lost. History became We end by introducing BygoneSSL, Sunday at 10:00 in Track 3 undetected in spite of anti-fraud
legend, legend became myth. a new tool and dashboard that 45 minutes | Demo, Tool and security mechanisms. This talk will describe the technical
shows an up to date view of details regarding the TLS 1.3 0-RTT
Sometimes you just need to pull Leigh-Anne Galloway
affected domains and certificates Cyber Security Resilience Lead, Positive Technologies feature and its associated risks.
out the third column of a CSV file. It will include Proof of Concepts
using publicly available DNS data
Sometimes you just need to sort IP Tim Yunusov
and Certificate Transparency logs. Hacker
(PoC) showing real-world replay
addresses. Sometimes you have to attacks against TLS 1.3 libraries
BygoneSSL will demonstrate
pull out IP addresses from the third These days it’s hard to find a and browsers. Finally, potential
how widespread the issue is,
let domain owners determine if business that doesn’t accept faster solutions or mitigation controls
46 47
48 49
Presentations
BEYOND THE LULZ: PWNING “THE TOUGHEST DE-ANONYMIZING teams to quickly identify the device, Amazon_ Google and Apple balancing services), is dangerous by
BLACK-HAT TROLLING, TARGET”: THE EXPLOIT PROGRAMMERS FROM significance of a deserialization have introduced their own smart design and brings a yet unexplored
WHITE-HAT TROLLING, CHAIN OF WINNING THE SOURCE CODE AND vulnerability and allowing penetration speaker products. Most of these vector for web-based attacks.
ATTACKING AND LARGEST BUG BOUNTY BINARIES testers to quickly develop working smart speakers have natural language
The ESI language consists of a small
DEFENDING OUR IN THE HISTORY OF ASR exploits. At the conclusion we will recognition, chat, music playback,
Friday at 10:00 in Track 2 set of instructions represented by
45 minutes also be releasing a FOSS toolkit IoT device control, shopping, and
ATTENTION LANDSCAPE PROGRAM XML tags, served by the backend
which utilizes this methodology so on. Manufacturers use artificial
Saturday at 20:00-22:00 in Octavius 9 Thursday at 11:00 in 101 Track, Rachel Greenstadt application server, which are
and has been used to successfully intelligence technology to make
Fireside Hax Flamingo Associate Professor, Drexel University processed on the Edge servers
develop many deserialization smart speakers have similar human
Matt Goerzen 45 minutes Dr. Aylin Caliskan (load balancers, reverse proxies).
exploits in both internal applications capabilities in the chat conversation.
Researcher, Data & Society Guang Gong Assistant professor of Computer Science, George Due to the upstream-trusting nature
Washington University and open source projects. However, with the smart speakers
Dr. Jeanna Matthews
Alpha Team at Qihoo 360 of Edge servers, ESI engines are
coming into more and more homes,
Fellow at Data & Society, Associate Professor of Wenlin Yang Many hackers like to contribute not able to distinguish between ESI
4G: WHO IS PAYING YOUR and the function is becoming more
Computer Science at Clarkson University Alpha Team at Qihoo 360 code, binaries, and exploits under instructions legitimately provided by
CELLULAR PHONE BILL? powerful, its security has been
Joan Donovan Jianjun Dai pseudonyms, but how anonymous the application server and malicious
Friday at 14:00 in Track 2 questioned by many people. People
Media Manipulation/Platform Accountability Research Security researcher of Qihoo360 Alpha Team are these contributions really? In instructions injected by a malicious
Lead, Data and Society in Manhattan 45 minutes | Demo, Exploit are worried that smart speakers
this talk, we will discuss our work on party. We identified that ESI can
In recent years, Google has made will be hacked to leak their privacy,
White hat or critical grey hat trolling? programmer de-anonymization from Dr. Silke Holtmanns be used to perform SSRF, bypass
many great efforts in exploit Distinguished Member of Technical Staff, Security and our research proves that this
Trolling as art? Trolling as hybrid the standpoint of machine learning. reflected XSS filters (Chrome), and
mitigation and attack surface Expert, Nokia Bell Labs concern is very necessary.
warfare? Trolling as propaganda? In We will show how abstract syntax perform Javascript-less cookie
reduction to strengthen the security Isha Singh In this talk, we will present how to theft, including HTTPOnly cookies.
this Fireside Hax, we will challenge trees contain stylistic fingerprints and
of android system. It is becoming Master student, Aalto University in Helsinki (Finland
use multiple vulnerabilities to achieve
your assumptions about trolling. how these can be used to potentially Identified affected vendors include
more and more difficult to remotely Cellular networks are connected remote attack some of the most
Trolls are attention hackers, using identify programmers from code and Akamai, Varnish, Squid, Fastly,
compromise Android phones with each other through a worldwide popular smart speakers. Our final
social and technical means to bait binaries. We perform programmer de- WebSphere, WebLogic, F5, and
especially Google’s Pixel phone. private, but not unaccessible network, attack effects include silent listening,
journalists, set agendas, game media anonymization using both obfuscated countless language-specific
gatekeepers, and direct audiences. The Pixel phone is protected by binaries, and real-world code found in called IPX network. Through this control speaker speaking content and
solutions (NodeJS, Ruby, etc.). This
Sometimes they also have fun. many layers of security. It was the single-author GitHub repositories and network user related information is other demonstrations. And we’re also
presentation will start by introducing
We will discuss a range of trolling only device that was not pwned the leaked Nulled.IO hacker forum. exchanged for roaming purposes or going to talk about how to extract
ESI and visiting typical infrastructures
techniques like sockpuppeting, in the 2017 Mobile Pwn2Own for cross-network communication. firmware from BGA packages Flash
leveraging it. We will then delve
dogpiling, doxing, attention competition. But our team discovered AUTOMATED DISCOVERY This private network has been chips such as EMMC, EMCP, NAND
into identification, exploitation of
honeypots, and cognitive denial of a remote exploit chain—the first of OF DESERIALIZATION breached by criminals and nation Flash, etc. In addition, it contains
popular ESI engines, and mitigation.
service attacks that we have not seen its kind since the Android Security GADGET CHAINS states. Cellular networks are how to turn on debug interfaces
concisely catalogued elsewhere. Rewards (ASR) program expansion, extremely complex and many and get root privileges by modifying
Friday at 16:00 in 101 Track, Flamingo DIGITAL LEVIATHAN: A
We will also discuss high-profile which could compromise The 45 minutes | Tool
attacks have been already been firmware content and Re-soldering
found e.g. DoS, location tracking, Flash chips, which can be of great
COMPREHENSIVE LIST
examples of trolling such as”training” Pixel phone remotely. The exploit
chain was reported to Android
Ian Haken
SMS interception, data interception. help for subsequent vulnerability OF NATION-STATE BIG
the Microsoft Tay chatbot, fake Senior Security Software Engineer, Netflix
Antifa accounts, Russian sockpuppet security team directly. They took Many attacks have been seen in analysis and debugging. Finally, BROTHERS (FROM HUGE
accounts, and Phineas Fisher’s use it seriously and patched it quickly. Although vulnerabilities stemming practice, but not all attack are we will play several demo videos to TO LITTLE ONES
of Hacking Team’s twitter account- Because of the severity and our from the deserialization of untrusted understood and not all attack demonstrate how we can remotely Saturday at 14:00 in Track 2
-and ask attendees to consider detailed report, we were awarded data have been understood for avenues using the IPX network have access some Smart Speaker Root 20 minutes
each as black hat attacks or grey the highest reward ($112,500) in many years, unsafe deserialization been explored. This presentation permissions and use smart speakers Eduardo Izycki
hat attempts to point out critical the history of the ASR program. continues to be a vulnerability class shows how a S9 interface in for eavesdropping and playing voice. Hacker
societal vulnerabilities that should that isn’t going away. Attention on 4G networks, which is used for Rodrigo Colli
In this talk we will detail how we used Java deserialization vulnerabilities
be”patched.” We will also talk charging related user information EDGE SIDE INCLUDE Hacker
the exploit chain to inject arbitrary skyrocketed in 2015 when Frohoff
about”troll the troll” accounts like exchange between operators can be INJECTION: ABUSING
code into system_server process In his notorious book Leviathan, the
ImposterBuster and YesYoureRacist and Lawrence published an exploited to perform fraud attacks. CACHING SERVERS INTO
and get system user permissions. XVII century English philosopher
and the role”white hat trolls” RCE gadget chain in the Apache A demonstration with technical SSRF AND TRANSPARENT
The exploit chain includes two bugs, Thomas Hobbes stated that: we
might play in auditing platforms or Commons library and as recently details will be given and guidance
CVE-2017-5116 and CVE-2017- SESSION HIJACKING should give our obedience to an
proposing platform-based controls. as last year’s Black Hat, Muñoz on practical countermeasures.
14904. CVE-2017-5116 is a V8 engine Sunday at 13:30 in Track 3 unaccountable sovereign otherwise
Time permitting, we will discuss and Miroshis presented a survey
bug related with Webassembly and 20 minutes | Demo what awaits us is a state of nature
art projects that trollishly critiqued of dangerous JSON deserialization BREAKING SMART
SharedArrayBuffer. It is used to get ldionmarcil that closely resembles civil war—a
the European Commission, Google libraries. While much research and SPEAKERS: WE ARE
remote code execution in sandboxed Pentester at GoSecure situation of universal insecurity. It
AdSense, and the NSA. This will not automated detection technology LISTENING TO YOU.
Chrome render process. CVE- looks like a lot of current political
be a lecture and it will not shy away has so far focused on the discovery When caching servers and load
2017-14904 is a bug in Android’s Sunday at 12:00 in 101 Track, leaders have red and found the
from controversy. Join two members of vulnerable entry points (i.e. code Flamingo balancers became an integral part
libgralloc module that is used to teachings of Hobbes applicable
of the Media Manipulation Team that deserializes untrusted data), 45 minutes | Demo, Exploit of the Internet’s infrastructure,
escape from the sandbox. The way to modern day online life.
at Data & Society to collectively finding a “gadget chain” to actually vendors introduced “Edge Side
we used for sandbox escaping is Wu HuiYu
consider the role trolling can play make the vulnerability exploitable Security Researcher At Tencent Blade Team Includes” (ESI), a technology We witness the rise of the
very interesting, rarely talked about has thus far been a largely manual allowing malleability in caching Digital Leviathan. The same
in pointing out the flaws in our before. All details of vulnerabilities Qian Wenxiang
attention/media landscape. exercise. In this talk, I present a Security Researcher At Tencent Blade Team systems. This legacy technology, apps and applications that
and mitigation bypassing techniques new technique for the automated still implemented in nearly all popular people use to connect, express
will be given in this talk. discovery of deserialization gadget In the past two years, smart speakers HTTP surrogates (caching/load opinions and dissatisfaction
chains in Java, allowing defensive have become the most popular IoT
50 51
Presentations
are used by governments (even although our results affect devices DRAGNET: YOUR SOCIAL We will disclose several previously Enter OpticSpy, an open source and hardware physical layers actually
democratic ones) to perform worldwide. We will provide details ENGINEERING SIDEKICK unknown exploits in this presentation. hardware module that captures, work, and how to identify security
surveillance and censorship. of vulnerabilities in devices from all Friday at 13:30 in Track 1 They enable an unprivileged amplifies, and converts an optical issues that lie latent in these designs.
four major US carriers, as well two 20 minutes | Demo, Tool application to take over the wireless signal from a visible or infrared
This talk will focus on evidence of
smaller US carriers, among others. services, the user’s email account, light source into a digital form that THROUGH THE EYES
Nation-State spying, performing Truman Kain
The vulnerabilities we discovered Security Associate, Tevora and more. Further discussions can be analyzed or decoded with a OF THE ATTACKER:
surveillance, and censorship. The
on devices offered by the major US will center on the distribution of computer. This presentation provides DESIGNING EMBEDDED
aim is to present a systematical First, Dragnet collects dozens of
carriers are the following: arbitrary those exploits through a registered a brief history of covert channels SYSTEMS EXPLOITS FOR
approach of data regarding cyber OSINT data points on past and
command execution as the system application in the market, and the and optical communications,
attacks against political targets present social engineering targets. INDUSTRIAL CONTROL
user, obtaining the modem logs causes of the vulnerabilities in detail. explores the development
(NGO/political groups/media outlets/ Then, using conversion data from SYSTEMS
and logcat logs, wiping all user data process and operational details of
opposition), acquisition and/or use previous engagements, Dragnet Saturday at 10:00 in 101 Track,
from a device (i.e., factory reset), MICRO-RENOVATOR: OpticSpy, and gives a variety of
of spywares from private vendors, provides recommendations for use Flamingo
obtaining and modifying a user’s text BRINGING PROCESSOR demonstrations of the unit in action.
requested content/metadata from on your current targets: phishing 45 minutes | Demo
messages, sending arbitrary text FIRMWARE UP TO CODE
social media/content providers, and templates, vishing scripts and Marina Krotofil
messages, and getting the phone DESIGNING AND
blocking of websites/censorship physical pretexts- all to increase Sunday at 13:00 in Track 2 Principal Analyst, FireEye
numbers of the user’s contacts, 20 minutes | Demo, Tool APPLYING EXTENSIBLE
reported by multiple sources. conversions with minimal effort. Ali Abbasi
and more. All of the aforementioned RF FUZZING TOOLS TO
Finally, features like landing page Matt King Postdoctoral researcher, Ruhr University Bochum
The findings of the capabilities are obtained outside Hacker EXPOSE PHY LAYER
research imply that: of the normal Android permission cloning and domain registration Thorsten Holz
(alongside your standard The mitigations for Spectre VULNERABILITIES Professor, Ruhr University Bochum
- 25 nations that have already model. Including both locked and
unlocked devices, we provide details infrastructure deployment, call highlighted a weak link in the patching Sunday at 12:00 in Track 3
used cyber offensive capabilities 45 minutes | Demo, Tool, Exploit In 2017, FireEye conducted an
for 37 unique vulnerabilities affecting scheduling and email delivery) process for many users: firmware (un)
against political targets. incident response at a critical
25 Android devices with 11 of them make Dragnet one hell of a catch. availability. While updated microcode Matt Knight
Senior Security Engineer, Cruise Automation infrastructure facility where a
- 60 nations acquired/ being sold by US carriers. In this was made publicly available for many sophisticated threat actor deployed
developed spyware. talk, we will present our framework YOUR WATCH CAN processors, end-users are unable Ryan Speers
the TRITON attack framework for
that is capable of discovering WATCH YOU! GEAR to directly consume it. Instead, Director of Research, Ionic Security
implanting Safety Instrumented
- 117 nations requested
0-day vulnerabilities from binary UP FOR THE BROKEN platform and operating system In this session, we introduce an System (SIS) controllers with a
content/metadata from social
firmware images and applications PRIVILEGE PITFALLS IN vendors need to distribute firmware open source hardware and software passive backdoor, which would
media/content providers.
at scale allowing us to continuously THE SAMSUNG GEAR and kernel patches which include framework for fuzzing arbitrary RF allow an attacker to inject potentially
- 21 countries perform some level monitor devices across different the new microcode. Inconsistent protocols, all the way down to the
SMARTWATCH destructive payloads at a later point
of censorship to online content. manufacturers and firmware versions. support from those vendors has PHY. While fuzzing has long been
Sunday at 14:00 in Track 1 in time. TRITON is the most complex
During the talk, we plan to perform a 45 minutes | Demo, Tool, Exploit
left millions of users without a relied on by security researchers publicly known embedded system
VULNERABLE OUT live demo of how our system works. way to consume these critical to identify software bugs, applying exploit to date. While the functionality
Dongsung Kim
OF THE BOX: AN Graduate Student, Sungkyunkwan University
security updates, until now. Micro- fuzzing methodologies to RF and of the malware is understood, little
EVALUATION OF NSA TALKS Renovator provides the ability to hardware systems has historically known about attacker efforts when
Hyoung-Kee Choi apply microcode updates without
ANDROID CARRIER CYBERSECURITY Professor, Sungkyunkwan University been challenging due to siloed developing such an implant. With
DEVICES modifying either platform firmware tools and the limited capabilities a timeline of exploit development
Friday at 11:00 in Track 1
45 minutes You buy a brand-new smartwatch. or the operating system, through of commodity RF chipsets. like TRITON being in a year range,
45 minutes | Audience Participation, You receive emails and send simple (and reversible) modifications complex embedded exploitation is
Rob Joyce We created the TumbleRF fuzzing
Exploit National Security Agency
messages, right on your wrist. How to the EFI boot partition. currently considered to be a boutique
convenient, this mighty power! But orchestration framework to address
Ryan Johnson these shortfalls by defining core hacking. However, the public release
The National Security Agency (NSA) great power always comes with SEARCHING FOR THE
Director of Research at Kryptowire
fuzzing logic while abstracting a of much of the TRITON code can
has authorities for both foreign great responsibility. Smartwatches LIGHT: ADVENTURES
Angelos Stavrou hardware interface API that can be now facilitate less experienced threat
intelligence and cyber security. This hold precious information just like WITH OPTICSPY
CEO at Kryptowire
mapped for compatibility with any actors with designing similar exploits.
unique position gives NSA insights smartphones, so do they actually Sunday at 11:00 in 101 Track,
RF driver. Thus, supporting a new The goal of this talk is to provide the
Pre-installed apps and firmware into the ways networks are exploited fulfill their responsibilities? Flamingo
radio involves merely extending an audience with a”through the eyes
pose a risk due to vulnerabilities that and the methods that are effective 45 minutes | Demo
In this talk, we will investigate if the API, rather than writing a protocol- of the attacker” experience when
can be pre-positioned on a device, in defending against threats. Over
Samsung Gear smartwatch series Joe Grand
specific fuzzer from scratch. designing advanced embedded
rendering the device vulnerable time, NSA has adapted the focus Hacker
properly screens unauthorized access systems exploits for Industrial
on purchase. This means that the of its security efforts and continues Additionally, we introduce Orthrus,
to user information. More specifically, In the counter-future where we, Control Systems (ICS). This talk is
vulnerabilities are present even to evolve with technologies and the a low-cost 2.4 GHz offensive
we will focus on a communication the dissidents and hackers, have based on our extensive experience
before the user enables wireless adversaries we face. The talk will radio tool that provides PHY-layer
channel between applications and control of technology, sending secret in reverse engineering Real Time
communications and starts installing look back at some of the inflection mutability to offer Software Defined
system services, and how each messages through blinkenlights can Operating Systems (RTOS)/firmwares
third-party apps. To quantify the points that have influenced NSA and Radio-like features in a flexible
internal Tizen OS components let us exchange information without and developing embedded exploits
exposure of the Android end-users US Government cybersecurity efforts and low-latency embedded form
play the parts in access control. being detected by dystopian leaders. to cause physical damage.
to vulnerabilities residing within and look at what is necessary to factor. By combining the two,
pre-installed apps and firmware, we stay safe in the new environment. Based on the analysis, we have By modulating light in a way that the In the first part of the talk we
researchers will be able to fuzz and
analyzed a wide range of Android developed a new simple tool to human eye cannot see, this simple, will explain how to convert an
test RF protocols with greater depth
vendors and carriers using devices discover privilege violations in Tizen- yet clever, covert channel lets us ‘undocumented device’ into
and precision than ever before.
spanning from low-end to flagship. based products. We will present an hide in plain sight. To decode such malicious code. We will share how
Our primary focus was exposing pre- analysis on the Gear smartwatch transmissions, we must employ Attendees can expect to leave this to purchase industrial equipment
positioned threats on Android devices which turns out to include a number some sort of optical receiver. talk with an understanding of how RF and obtain needed documentation.
sold by United States (US) carriers, of vulnerabilities in system services.
52 53
Presentations
After obtaining control over an DilDog WHO CONTROLS Vyrus Ever worry about the hardware PLAYING MALWARE
Hacker, Co-Founder, Veracode Hacker
embedded system, an actual THE CONTROLLERS: you leave behind? In a world INJECTION WITH EXPLOIT
attack still need to be performed. Joe Grand, Kingpin HACKING CRESTRON IOT Typically, the activities of a malware where servers are co-located, and THOUGHTS
Hacker
In the second part of the talk AUTOMATION SYSTEMS attack occur on an execution notebooks get left in hotel rooms, Saturday at 14:00 in Track 3
will concentrate on discovering Space Rogue
timeline that generally consists of 3 the ability to resist tampering, and 20 minutes | Demo, Tool, Exploit
Global Strategy Lead for X-Force Red, IBM
exploitable firmware and hardware 45 minutes | Demo, Exploit segments—the vector, the stage, and if necessary actively respond to
Sheng-Hao Ma
design features which would allow an Mudge the persistence. First, a vector, or attack, has become increasingly CSIE, NTUST
Ricky “HeadlessZeke” Lawshae
attacker to impact industrial controller Head of Security, Stripe.
Security Researcher, Trend Micro method of exploitation is identified. important. And of course everybody
functions. We will present several Silicosis This could be anything from logging knows the best booby traps are the In the past, when hackers did
scenarios such as hijacking internal Hacker While you may not always be aware in over a credentialed method like ones you don’t know are there. This malicious program code injection,
clock, suppressing interrupts (IRQ of them or even have heard of them, RDP or SSH and running a malicious talk will prepare you for life in 1984, they used to adopt RunPE,
John Tan
config attack) and manipulation of Hacker Crestron devices are everywhere. payload directly, to exploiting a where the maids are evil, and step AtomBombing, cross-process
the interrupt vector table (IVT), CPU They can be found in universities, memory corruption vulnerability brothers can’t be trusted. Whether creation threads, and other
Weld Pond
pin configuration attack and placing Hacker, Co-Founder, Veracode modern office buildings, sports remotely. Second, that access is your running servers as a high value approaches. They could forge their
code into TCM cache so it would arenas, and even high-end Las Vegas leveraged into running malicious target, or simply want to protect your own execution program as any
not be even visible in the memory. 2018 is the 20th anniversary of the hotel rooms. If an environment has code that prepares the victim for Monero private key, this talk will show critical system service. However
hacker think-tank L0pht Heavy a lot of audio/video infrastructure, the deployment of persistence you to achieve FIPS 140-2 level 4 with increasing process of anti-
The TRITON payload can be thought Industries testimony before the needs to interconnect or automate virus techniques, these sensitive
(commonly “implant”). While security, without the FIPS 140-2 level
of as a four-stage shellcode. Attack US Senate Homeland Security & different IoT and building systems, approaches have been gradually
segments one and three have been 4 price tag. Specifically, we’ll cover
code related to first three stages Governmental Affairs Committee or just wants the shades to close proactively killed. Therefore,
extensively automated, a effective acquisition considerations, physical
constituted a discussed backdoor on the topic of weak computer when the TV is turned on, chances hackers began to aim at another
automated utility for deploying hardening, firmware mitigation,
implant capable of receiving and security in government. The are high that a Crestron device place, namely memory-level
persistence in a dynamic and unified tamper detection and more.
executing the fourth stage. This stage testimony made national news is controlling things from behind weakness, due to the breakages
context has yet to present itself.
would have been an actual ‘physical when the group announced they the scenes. And as these types of of critical system service itself.
damage payload’ performing the Enter the Genesis Scripting Engine.
PLEASE DO NOT
could take down the Internet in 30 environments become the norm
disruptive operations. However, DUPLICATE: ATTACKING This agenda will simply introduce a
minutes. It was also the first-time and grow ever more complex, the The Genesis Scripting Engine, or
the attacker was discovered while THE KNOX BOX AND new memory injection technique that
hackers using handles appeared number of systems that Crestron Gscript for short, is a framework for
preparing the implant, before OTHER KEYED ALIKE emerged after 2013, PowerLoadEx.
before a US Legislative body. devices are connected to grows as building multi-tenant executors for
advancing to physical damage stage. SYSTEMS Based on this concept, three new
Members of the L0pht have well. But it is in large part because several implants in a stager. The injection methods will be disclosed
In this part of the talk we will show of this complexity that installing Friday at 10:30 in Track 3
grown from their hacker roots to engine works by embedding runtime as well. These makes good use
how one can symbolically execute and programming these devices is 20 minutes | Demo, Tool
become distinguished leaders logic (powered by the V8 Javascript of the memory vulnerability in
TRITON using ANGR framework difficult enough without considering m010ch_
and contributors in the security Virtual Machine) for each persistence Windows to inject malicious behavior
and test a code for damage adding security. Instead of being
Hacker
community and beyond. They run technique. This logic gets run at into system critical services. The
scenario written for any CPU/ a necessity, it’s an extra headache
multi-million dollar security-focused deploy time on the victim machine, in Knox Boxes, along with other content will cover Windows reverse
hardware architecture of choice. that almost always gets entirely
organizations, have lobbied the parallel for every implant contained rapid entry systems are increasing analysis, memory weakness
Developing embedded exploits government for better security passed over. In this talk, I will take with the stager. The Gscript engine in popularity, as they allow first analysis, how to use and utilize,
requires a significant amount laws, work for some of the largest a look at different Crestron devices leverages the multi-platform support responders such as police, fire, and and so on. The relevant PoC will be
of effort but it is totally worth of companies in the world, and from a security perspective and of Golang to produce final stage one paramedics to quickly gain access released at the end of the agenda.
investment. While a small fraction of continue to spread the message of discuss the many vulnerabilities and binaries for Windows, Mac, and Linux. to a building in the event of an
asset owners is slowly embracing the positive aspects of hacking. opportunities for fun to be found emergency without having to force MAN-IN-THE-DISK
This talk will consist of an overview of
ICS network monitoring solutions, within. I will demonstrate both entry. These devices rely on the
With several of the L0pht’s original the origins of the project, a technical Sunday at 13:00 in Track 1
the attackers are going one layer documented and undocumented security and key control provided by 20 minutes | Demo, Tool, Exploit
members, this discussion will cover deep dive into the inner workings
lower—into the control equipment features that can be used to achieve various locks to prevent unauthorized
the original testimony and the including the modified Javascript Slava Makkaveev
(race-to-the-bottom). Developing full system compromise and show access to buildings. In this talk, I will
changes that have happened over VM, a walk through of the CLI Security Researcher, Check Point
embedded implants is worth the the need to make securing these focus on vulnerabilities of the widely
the last 20 years. Is the government utility, and examples of how we’ve Most of modern OS are using
efforts due to lacking tools for systems a priority, instead of an used Knox Box and Medeco cam
any more secure? Have they provided leveraged Gscript in the real world. sandboxing in order to prevent
detecting such implants and we will afterthought, in every deployment. lock to key duplication attacks. I will
see more of advanced embedded enough influence to help protect its In short, hijinx will ensue. Multiple demos involving malicious apps from affecting other
demonstrate how a sufficiently skilled
exploitation in the nearest future. citizens’ data? What steps should practical application scenarios apps or even harming the OS itself.
attacker could obtain a key that would
we take to ensure user security I’LL SEE YOUR MISSILE will be presented, as well as an Google is constantly reinforcing
grant them access to thousands
THE L0PHT TESTIMONY, and privacy in the future? We are AND RAISE YOU A MIRV: opportunity for audience members Android’s sandbox protection,
of residential and commercial
hoping for audience participation and to submit their own implants and introducing new features to prevent
20 YEARS LATER (AND AN OVERVIEW OF THE buildings throughout America,
also welcome questions about any have them built into a hydra on any kind of sandbox bypass.
OTHER THINGS YOU GENESIS SCRIPTING as well as show off new tools
other time in the L0pht’s relatively stage in a matter of minutes.
WERE AFRAID TO ASK) ENGINE designed to streamline the process In this talk we want to shed new
short, but poignant, existence.
Friday at 17:00 in Track 2 Friday at 17:00 in Track 1
of duplicating physical keys using light on a less known attack surface
45 minutes | Audience Participation 45 minutes | Demo, Audience
BOOBY TRAPPING BOXES CAD and 3D printing. What could which affects all Android devices
Participation, Tool Saturday at 15:00 in Track 3 possibly go wrong when someone and allows an attacker to hijack the
L0pht Heavy Industries
45 minutes | Demo, Tool tries to backdoor an entire city?
Hacker Collective Alex Levinson communication between privileged
Elinor Mills
Senior Security Engineer Ladar Levison apps and the disk, bypassing
Founder, Lavabit LLC
Senior Vice President of Content and Media Strategy at Dan Borges Android’s latest sandbox protection.
Bateman Group Hacker hon1nbo
Proprietor, Hacking & Coffee LLC The problem begins when
privileged apps interact with files
54 55
Presentations
stored in exposed areas, and 55 States and territories, to help algorithm can generate precise RCE with insecure SMB connections law enforcement denies when the AN ATTACKER LOOKS AT
even worse, some of them will them safeguard their systems. As ruleset able to catch 0-day malware, – and there’s a new tool to help take evidence says otherwise. Jeanna DOCKER: APPROACHING
unintentionally break the sandbox the threat environment evolves, better than human generated ones. full advantage of these opportunities. Matthews will talk about the wider MULTI-CONTAINER
by insecurely appending such DHS will continue to work with space of algorithmic accountability APPLICATIONS
data to its confinements. state and local partners to enhance ONE-CLICK TO OWA YOU’RE JUST and transparency and why even open Friday at 11:00 in 101 Track, Flamingo
our understanding of the threat, Friday at 13:00 in Track 3 COMPLAINING BECAUSE source software is not enough. 45 minutes | Demo
Can you imagine if someone could
share timely and actionable threat 20 minutes | Demo, Tool YOU’RE GUILTY: A
execute code in the context of your Wesley McGrew
information, and provide essential William Martin DEF CON GUIDE TO SEX WORK AFTER SESTA/
keyboard, or install an unwanted app Director of Cyber Operations, HORNE Cyber
physical and cybersecurity tools and Security & Privacy Senior Associate FOSTA
without your consent? Well… It’s ADVERSARIAL TESTING Containerization, such as that
resources available to the public and Saturday at 14:30 in Track 2
hardly within the realm of imagination. With the presence of 2FA/MFA OF SOFTWARE USED IN provided by Docker, is becoming
private sectors to increase security 20 minutes
The external storage and solutions growing, the attack surface THE CRIMINAL JUSTICE very popular among developers
and resiliency. DHS is committed Maggie Mayhem
network based vulnerabilities we for external attackers that have SYSTEM of large-scale applications. The
to ensuring that our adversaries MaggieMayhem.Com
discovered, can be leveraged successfully phished/captured/ Saturday at 10:00 in Track 2 good news: this is likely to make
never succeed with their campaign
by the attacker to corrupt data, cracked credentials is shrinking. 45 minutes | Demo Surveillance had been a fact of life your life easier as an attacker.
to undermine our democracy.
steal sensitive information or even However, many 2FA/MFA solutions Dr. Jeanna N. Matthews: for sex workers wherever they have
leave gaps in their coverage which While exploitation and manipulation
take control of your device. LOOKING FOR THE Associate Professor, Clarkson University and Fellow, faced prohibition. Only two elements,
can allow attackers to leverage those of traditional monolithic applications
Data and Society
communication and association, can
PERFECT SIGNATURE: AN credentials. For example, while OWA might require specialized experience
SECURING OUR Nathan Adams differentiate between commercial and
AUTOMATIC YARA RULES may be protected with 2FA, the Systems Engineer, Forensic Bioinformatic Services personal sex, criminal enforcement
and training in the target languages
NATION’S ELECTION GENERATION ALGORITHM and execution environment,
Exchange Web Services Management Jerome Greco of prostitution laws have necessarily
INFRASTRUCTURE IN THE AI-ERA API (EWS) offers many of the applications made up of services
Digital Forensics Staff Attorney, Legal Aid Society meant targeting the speech and
Friday at 10:00 in Track 3 Saturday at 13:00 in Track 3 same features and functionalities distributed among multiple containers
affiliation of perceived sex workers.
20 minutes 20 minutes | Demo, Tool without the same protections. Software is increasingly used to can be effectively explored and
Enforcement of this nature is
Jeanette Manfra make huge decisions about people’s exploited “from within” using many
Andrea Marcelli
In this talk, I will introduce facilitated by profiling, institutional
Assistant Secretary, Office of Cybersecurity and lives and often these decisions are of the system- and network-level
Communications, Department of Homeland Security
PhD Student and Security Researcher. Politecnico di
ExchangeRelayX, an NTLM relay bias, and broad overreaching
Torino made with little transparency or techniques that attackers, such as
tool that provides attackers policies that fundamentally violate
Fair elections are at the core of every accountability to individuals. If there penetration testers, already know.
Given the high pace at which new with access to an interface that individual human rights. This has
democracy and are of paramount is any place where transparency,
malware variants are generated, resembles a victim’s OWA UI and included condoms as evidence, The goal of this talk is to provide a
importance to our national security. third-party review, adversarial
antivirus programs struggle to keep has many of its functionalities - non-consensual medical screenings, hacker experienced in exploitation
The confidence in our electoral testing and true accountability is
their signatures up-to-date, and AV without ever cracking the relayed and targeted harassment of black and post-exploitation of networks
process is fundamental to ensuring essential, it is the criminal justice
scanners suffer from a considerable credentials. ExchangeRelayX takes transgender women as well as and systems with an exposure to
that every vote- and therefore every system. Nevertheless, proprietary
quantity of false negatives. The advantage of the gap in some 2FA/ license plate recording projects containerization and the implications
voice- matters. In recent years, our software is used throughout the
generation of effective signatures MFA solutions protecting Exchange, and stings that focus disrupting it has on offensive operations. Docker
Nation has become increasingly system, and the trade secrets of
against new malware variants, while potentially resulting in a single- immigration or migrant workers. is used as a concrete example for
uneasy about the potential threats software vendors are regularly
avoiding false positive detections, click phishing scheme enabling an the case study. A hacker can expect
to our election infrastructure. The deemed more important than the For all of its risks, screening potential
is a highly desirable but challenging attacker to exfiltrate sensitive data, to leave this presentation with a
activities to undermine the confidence rights of the accused to understand clients is safer over email than it
task, typically requiring a substantial perform limited active-directory practical exposure to multi-container
in the 2016 presidential election and challenge decisions made by is in person during a street based
portion of human expert’s time. enumeration, and execute further application post-exploitation.
have been well documented and the these complex systems. In this talk, negotiation often in an isolated part
Artificial intelligence techniques can internal phishing attacks.
United States (U.S.) Government we will lay out the map of software of town. SESTA (Stop Enabling Sex
be applied to solve the malware 80 TO 0 IN UNDER 5
has assessed that our adversaries in this space from DNA testing to Traffickers Act) comes at a time when
signature generation problem. SMBETRAY: SECONDS: FALSIFYING
will apply lessons learned from the facial recognition to estimating the compelling research demonstrates
2016 election and will continue The ultimate goal is to develop an BACKDOORING AND likelihood that someone will commit that Craigslist resulted in a 17% A MEDICAL PATIENT’S
in their attempts to influence the algorithm able to automatically BREAKING SIGNATURES a future crime. We will detail the drop in the female homicide rate. VITALS
U.S. and their allies’ upcoming create a generalized family signature, Saturday at 14:00 in Track 1 substantial hurdles that prevent SESTA will also put victims at risk Saturday at 16:00 in Track 1
elections, including the 2018 mid- eventually reducing threat exposure 45 minutes | Demo, Tool oversight and stunning examples of by delaying their identification and 45 minutes | Demo
term elections. As the lead agency and increasing the quality of the William Martin real problems found when hard won recovery by eliminating a digital Douglas McKee
for securing the Nation’s cyber detection. The proposed technique Security & Privacy Senior Associate third-party review is finally achieved. paper trail. Additionally, Section 230 Senior Security Researcher for the McAfee Advanced
Threat Research team
infrastructure, the Department of automatically generates an optimal Finally, we will outline what you of the Communications Decency
signature to identify a malware family When it comes to taking advantage as a concerned citizen/hacker can Act is a vital protection for a free
Homeland Security (DHS) has a It seems each day that passes brings
with very high precision and good of SMB connections, most tools do. Nathan Adams will demo his internet. Subverting SESTA will
mission to maintain public trust and new technology and an increasing
recall using heuristics, evolutionary available to penetration testers findings from reviewing NYC’s FST create greater economic disparity
protect America’s election systems. dependence upon it. The medical field
and linear programming algorithms. aim for system enumeration or for source code, which was finally made between sex workers and ultimately
In January 2017, the DHS Secretary is no exception; medical professionals
performing relay attacks to gain RCE. public by a federal judge after years empower pimps and agencies
designated election systems as In this talk I will present YaYaGen (Yet rely upon technology to provide them
If signatures are required, or if the of the city’s lab fighting disclosure over independent providers.
critical infrastructure. This designation Another YARA Rule Generator), a tool with accurate information and base
victims relayed are not local admins or even review. Jerome Greco will
means election infrastructure has to automatically generate Android life-changing decisions on this data.
anywhere, that can put a real stint in provide his insight into the wider
become a priority in shaping our malware signatures. Performances In recent years there has been
leveraging SMB to gain any serious world of software used in the criminal
planning and policy initiatives, have been evaluated on a massive more attention paid to the security
footholds in a network. Fortunately, justice system—from technology
as well as how we allocate our dataset of millions of applications of medical devices; however, there
the mentioned attacks are only the that law enforcement admits to
resources. DHS is working directly available in the Koodous project, has been little research done on
tip of the iceberg of the ways to gain using but expects the public to trust
with election officials across 8,000 showing that in a few minutes the the unique protocols used by these
election jurisdictions and throughout without question to technology that
devices. In large, health care systems
56 57
Presentations
medical personnel take advantage have to more securely administer the The police body camera market go into practical defenses and how Lastly, I will present a demo of using EFF FIRESIDE HAX (AKA
of to make decisions on patient environment. What does this mean has been growing in popularity over mitigations in HTTP/2’s HPACK and this hooking framework to cheat a ASK THE EFF)
treatment and other critical care, for the pentester or Red Teamer? the last few years. A recent (2016) other mitigation techniques are the game on emulator. With this demo, Saturday at 20:00-22:00 in Roman
use central monitoring stations. Johns Hopkins University market way forward rather than claiming I will discuss how the dark market Chillout
Admins are gradually using better
This information is gathered from survey found 60 different models ‘Thou shall not compress traffic at of mobile game cheating may Fireside Hax | Audience Participation
methods like two-factor and more
many devices on the network using have been produced specifically all.’ One of the things that we would develop in the foreseeable future. Kurt Opsahl
secure administrative channels.
uncommon networking protocols. for law enforcement use. Rapid like to showcase is how impedance Deputy Executive Director & General Counsel,
Security is improving at many Electronic Frontier Foundation
What if this information wasn’t adoption is fueling this meteoric mismatches in these different layers REVERSE ENGINEERING,
organizations, often quite rapidly.
accurate when a doctor prescribed increase in availability and utilization. of technologies affect security and HACKING DOCUMENTARY Nate Cardozo
If we can quickly identify the
medication? What if a patient was Additionally, device manufactures how they don’t play well together. SERIES EFF Senior Staff Attorney
way that administration is being
thought to be peacefully resting, when are attempting to package more Jamie Lee Williams
performed, we can better highlight Friday at 17:00 in Track 3
in fact they are under cardiac arrest? and more technology into these ONE STEP AHEAD 45 minutes | Demo
EFF Staff Attorney
the flaws in the admin process.
devices. This has caused a deficiency OF CHEATERS: Andrés Arrieta
McAfee’s Advanced Threat Research Michael Lee Nirenberg
This talk explores some common in local municipalities’ skills and INSTRUMENTING Technology Products Manager
team has discovered a weakness Director, Restraining Order, Ltd
methods Active Directory budget to accurately assess the ANDROID EMULATORS
in the RWHAT protocol, one of Dave Buchwald Katiza Rodriguez
administrators (and others) use to attack surface and exposure to International Rights Director
the networking protocols used by Saturday at 13:00 in 101 Track, Producer
protect their admin credentials and the organization. Furthermore,
medical devices to monitor a patient’s Flamingo Nathan ‘nash’ Sheard
the flaws with these approaches. departmental policies and procedures 20 minutes | Demo, Tool We will present a sample scene Grassroots Advocacy Organizer
condition. This protocol is utilized
New recon methods will be provided governing the secure deployment of and panel talk on our documentary
in some of the most critical systems Nevermoe (@n3v3rm03) Relax and enjoy a Fireside Hax chat
on how to identify if the org uses an these devices is largely insufficient. series Reverse Engineering to the
used in hospitals. This weakness Security Engineer, DeNA Co., Ltd.
while you get the latest information
AD Red Forest (aka Admin Forest) hacking community, which has been
allows the data to be modified by an At DEF CON, we will be introducing Commercial Android emulators such about how the law is racing to catch
and what that means for one hired in the works for 4 years. We have
attacker in real-time to provide false tactics, techniques, and procedures as NOX, BlueStacks and Leidian up with technological change from
to test the organization’s defenses, dozens of interviews spanning the
information to medical personnel. to assess the security of these are very popular at the moment staffers at the Electronic Frontier
as well as how to successfully first 3 decades of computer hacking,
Lack of authentication also allows devices. We will cover attacks and most games can run on these Foundation, the nation’s premiere
avoid the Red Forest and still be ultimately there will be hundreds.
rogue devices to be placed onto the against the physical devices, emulators fast and soundly. The digital civil liberties group fighting
successful on an engagement. It’s a big story, but for the purposes
network and mimic patient monitors. RF components, smartphone bad news for game vendors is that for freedom and privacy in the
of DEF CON, we’ve put together
Some of the areas app’s, and desktop software. The computer age. This Fireside Hax
This presentation will include a these emulators are usually shipped a 17 min. Scene covering the 80s
explored in this talk: capabilities demonstrated and discussion will include updates
technical dissection of the security with root permission in the first WarGames/Legion of Doom-era
• Current methods organizations discussed will encompass publicly place. On the other hand, cheating on current EFF issues such as the
issues inherent in this relatively of computer hacking in the US.
use to administer Active Directory and privately available technologies. tools developers are happy because government’s effort to undermine
unknown protocol. It will describe
Additionally, the talk will cover We’ve spoken to great people, but encryption (and add backdoors),
real-world attack scenarios and and the weaknesses around them. they can easily distribute their
multiple products and vendors, there are other viewpoints—this is a the fight for network neutrality,
demonstrate the ability to modify the tools to abusers without requiring
• Using RODCs in the environment shedding light on industry wide history that needs to be told by 1st
communications in-transit to directly the abusers to have a physical discussion of our technology projects
in ways the organization didn’t issues and trends. Finally, we will person accounts. The accuracy and
influence the receiving devices. We rooted device, nor do they need to to spread encryption across the
plan for (including persistence). be releasing software to detect and strength of our completed series
will also explore the general lack of perform laborious tuning for different Web and emails, updates on cases
• Exploiting access to agents track various devices and tie these is tantamount to the quality of who and legislation affecting security
security mitigations in the medical Android OS / firmware version.
typically installed on Domain issues into real world events. we interview and the questions that research, and much more. Half
devices field, the risks they pose, and However, luckily for game vendors,
Controllers and other highly privileged get asked. Accuracy is particularly the session will be given over to
techniques to address them. The talk commercial Android emulators
systems to run/install code when COMPRESSION ORACLE important, there’s been no shortage question-and-answer, so it’s your
will conclude with a demonstration usually use an x86/ARM mixed-
that’s not their typical purpose. ATTACKS ON VPN of media hype and lies regarding chance to ask EFF questions
using actual medical device mode emulation for speed-up. As
NETWORKS hacking since the 1980s. about the law and technology
hardware and a live modification • Discovering and exploiting an AD a result, a standard native hooking/
of a patient’s critical data. Saturday at 11:00 in Track 2 DBI framework won’t work on this Our vision for this film series is issues that are important to you.
forest that leverages an AD Admin
Forest (aka Red Forest) without
45 minutes | Demo, Tool kind of platform. This drawback could inclusive and collaborative. We’d
EXPLOITING touching the Admin Forest. If you Nafeez discourage the cheating developers. like to hear from attendees how to REVOLTING RADIOS
ACTIVE DIRECTORY are wondering how to pentest/red
Security Researcher best tell the origin story of hacking Friday at 14:00 in Track 3
In this talk, I will introduce a native
ADMINISTRATOR team against organizations that are to new generations, and more so 45 minutes | Demo, Tool
Security researchers have done a hooking framework on such a kind
improving their defenses, this talk is the outside world who’ve been fed Michael Ossmann
INSECURITIES good amount of practical attacks of mixed-mode emulators. The talk
for you. If you are a blue team looking a lot of myths by the media. Those Great Scott Gadgets
Saturday at 11:00 in Track 1 in the past using chosen plain-text will include the process start routine
for inspiration on effective defenses, are the lawmakers and citizens of
45 minutes | Demo attacks on compressed traffic to steal of both command-line applications Dominic Spill
this talk is also for you to gain better tomorrow that we need to reach. Great Scott Gadgets
Sean Metcalf sensitive data. In spite of how popular and Android JNI applications as
insight into how you can be attacked. Little attention has been paid to the
CTO, Trimarc CRIME and BREACH were, little was well as how these routines differ There are many Software Defined
pioneering hacker spirit that has
talked about how this class of attacks on an emulator. The different Radios (SDRs) available, with a great
Defenders have been slowly adapting RIDEALONG literally changed every aspect of life.
was relevant to VPN networks. emulation strategies adopted by deal of time and effort having gone in
to the new reality: Any organization We want to address and correct that.
ADVENTURES: CRITICAL Compression oracle attacks are not different emulators and runtime to their design. These are not those
is a target. They bought boxes that
ISSUES WITH POLICE limited to just TLS protected data. environments (Dalvik/ART) will also radios. We present four radios that
blink and software that floods the
BODY CAMERAS In this talk, we try these attacks on be discussed. Based on these we have designed using crude, novel,
SOC with alerts. None of this matters
Saturday at 12:00 in Track 3 browser requests and responses knowledge, I will explain why the and sometimes ridiculous methods
as much as how administration is
45 minutes | Demo, Tool, Exploit which usually tunnel their HTTP traffic existing hooking/DBI frameworks for transmitting and receiving signals.
performed: Pop an admin, own the
through VPNs. We also show a case do not work on these emulators
system. Admins are being dragged Josh Mitchell The arrival of SDR allowed more
Principal cybersecurity Consultant, Nuix study with a well-known VPN server and how to make one that works.
into a new paradigm where they hackers than ever to experiment
and their plethora of clients. We then
with radio protocols, but we’re
58 59
Presentations
still using hardware built by other THINSIM-BASED ATTACKS an”incident response exercise,” use self-made algorithms instead As George Orwell said: “Who controls some protocols used by some
people. In the time honored hacker ON MOBILE MONEY you instead got to plan an”incident of proper cryptography for data the past controls the future. Who services were reverse engineered
tradition of rolling our own tools, we’ll SYSTEMS response role playing game?” storage and transmission. Others controls the present controls the to find unauthenticated heap
demonstrate four simple radios that Thursday at 10:00 in 101 Track, do not even attempt to protect their past.” This talk will demonstrate and stack overflow vulnerabilities
Enter our IR roleplaying game,”Oh
can be home-built using commonly Flamingo communication at all and make use how a sufficiently armed red team that could be exploitable trough
Noes! An Adventure Through the
available parts for little to no cost. 45 minutes | Demo, Exploit of the unprotected http protocol, can modify the blockchain past Wireless or Ethernet connection.
Cybers and Shit.” As part of our day
or even give an attacker full access to control our digital future.
Rowan Phipps job, we do quarterly IR exercises. This OS also uses a proprietary
IT WISN’T ME, ATTACKING Undergraduate researcher, University of Washington to a vulnerable backend system.
In order to make these exercises layer 2/3 protocol called MiNT. This
INDUSTRIAL WIRELESS Hard coded database credentials in BREAKING EXTREME
Phone-based mobile money is more engaging, more fun, and more protocol is used for communication
MESH NETWORKS apps allowed access to all stored NETWORKS WINGOS:
becoming the dominant paradigm for useful, we turned these exercises between WingOS devices through
user locations. We would be able to HOW TO OWN MILLIONS
Saturday at 10:00 in Track 1 financial services in the developing into a role playing game. We found VLAN or IP. This protocol was also
45 minutes | Demo extract hundreds of thousands of OF DEVICES RUNNING
world processing more than a billion it so useful and fun, we’re releasing reverse engineered and remote
tracking profiles, even in real time. In
Erwin Paternotte dollars per day for over 690 million it at DEF CON along with numerous ON AIRCRAFTS, heap/stack overflow vulnerabilities
others, this wasn’t even necessary,
Lead security consultant at Nixu
users. For example, mPesa has scenarios for your dungeon GOVERNMENT, SMART were found on services using this
because the user authentication
Mattijs van Ommeren an annual cash flow of over thirty master to take you through. CITIES AND MORE. protocol and will be shown. As a live
could be bypassed altogether. Flaws
Principal security consultant at Nixu
billion USD, equivalent to nearly half Sunday at 11:00 in Track 1 demonstration, 2 devices will be used
At this talk, we will talk about in server API allowed us to extract
of Kenya’s GDP. Numerous other 45 minutes | Demo, Exploit to exploit a remote stack overflow
Wireless sensor networks are gamifying IR exercises and the rules all user credentials (1.7m plain text
products exist inside of nearly every chaining several vulnerabilities as the
commonly thought of as IoT devices of Oh Noes! We will equip you with passwords), further we saw full Josep Pi Rodriguez
other market, including GCash in attacker could do inside an aircraft
communicating using familiar short- dice and your own character sheet communication histories containing
Senior security consultant, IOActive
the Philippines and easyPaisa in (or other scenarios) through the Wi-Fi.
range wireless protocols like Zigbee, and we will walk you through the messages, pictures and location data. Extreme network’s embedded
Pakistan. As a part of this growth, As there are not public shellcodes
MiWi, Thread and OpenWSN. A lesser character creating process. That’s WingOS (Originally created by
competitors have appeared who In total, the state of tracker apps for mipsN32 ABI, the particularities
known fact is that about a decade right, in Oh Noes! you create your Motorola) is an operating system
leverage ThinSIMS, small SIM card is worrisome, effectively leading of creating a Shellcode for mipsN32
ago, two industrial wireless protocols own character with specific skills used in several wireless devices such
add ons, to provide alternative mobile to users unknowingly installing ABI will be also discussed.
(WirelessHART and ISA100.11a) and abilities that you level up as you as access points and controllers.
money implementations without espionage software on their devices.
have been designed for industrial play. A group of us will play through This OS is being used in Motorola
applications, which are based on the operating their own mobile networks. a short scenario so you can see how
REAPING AND BREAKING
TINEOLA: TAKING A BITE devices, Zebra devices and Extreme KEYS AT SCALE: WHEN
common IEEE 802.15.4 RF standard. However, the security implications of the game works. We will provide
OUT OF ENTERPRISE network’s devices. This research
These Wireless Industrial Sensor ThinSIMs are not well understood. several sample scenarios, some CRYPTO MEETS BIG DATA
started focusing in an access point
Networks (WISN) are used in process This talk dives into decade old ripped from the headlines (and some BLOCKCHAIN Saturday at 13:00 in Track 2
widely used in many Aircrafts by
field device networks to monitor cribbed from @badthingsdaily) as well Saturday at 12:00 in Track 1 20 minutes | Demo, Audience
telecom standards to explore how several worldwide airlines but
temperature, pressure, levels, flow as provide guidance on what makes 45 minutes | Demo, Tool Participation, Tool
ThinSIMs work and what attackers of ended up in something bigger in
or vibrations. The petrochemical mobile money systems can do when successful scenarios as you transition Stark Riedesel terms of devices affected as this Yolan Romailler
Security Researcher at Kudelski Security
industry uses WISN in oil and gas they control the interface between to be your own dungeon master. Synopsys, Senior Consultant
embedded operating system is not
fields and plants around the world. the SIM card and the phone. We Parsia Hakimian only used in AP’s for Aircrafts but Nils Amiet
Security Engineer at Kudelski Security
Both IEC ratified standards have been will also demo two proof of concept ALL YOUR FAMILY Synopsys, Senior Consultant
also in Healthcare, Government,
commonly praised by the ICS industry exploits that use ThinSIMs to steal SECRETS BELONG TO US: Blockchain adaptation has reached Transportation, Smart cities, small Public keys are everywhere, after
for their security features, including money from mobile money platforms WORRISOME SECURITY a fever pitch, and the community to big enterprises... and more. all, they are public. These keys are
strong encryption on multiple layers and detail the difficulties of defense. ISSUES IN TRACKER APPS is late to the game of securing waiting to be reaped by those who
Based on public information, we
within the protocol stack, resistance Saturday at 16:00 in Track 2 these platforms against attack. will see how vulnerable devices know their real value. Hidden behind
to RF interference, and replay OH NOES!: A ROLE 45 minutes | Demo, Exploit With the open source community this public face lurks some potentially
are actively used (outdoors) in big
protection. While the standards in PLAYING INCIDENT Dr. Siegfried Rasthofer enamored with the success of cities around the world. But also in dangerous issues which could lead to
general look safe on paper, there are RESPONSE GAME Fraunhofer SIT Ethereum, the enterprise community Universities, Hotels,Casinos, Big a compromise of data and privacy.
potential interesting attack vectors Friday at 20:00-22:00 in Roman Stephan Huber has been quietly building the next companies, Mines, Hospitals and Leveraging hundreds of minion
that require verification. However, Chillout Hacker generation of distributed trustless provides the Wi-Fi access for places devices, we built a public key
security research so far has not Fireside Hax | Demo, Audience
Dr. Steven Arzt applications on permissioned such as the New York City Subway. reaping machine (which we are
yielded any significant results beyond Participation, Tool blockchain technologies. As of
Hacker
In this presentation we will show open sourcing) and operated it on
basic attack vectors. Often these Bruce Potter early 2018, an estimated half of a global scale. Collected keys are
attacks have only been theorized, Founder, The Shmoo Group Google Play Store provides these blockchain projects relied on with technical details how several
thousands of applications for critical vulnerabilities were found tested for vulnerabilities such as
and not (publicly) demonstrated. In Robert Potter the Hyperledger Fabric platform. the recent ROCA vulnerability or
addition, vendor implementations Hacker monitoring your children/family in this embedded OS. First we
members. Since these apps deal In this talk we will discuss tools will introduce some internals and factorization using batch-GCD. We’ve
have not been thoroughly tested collected over 300 million keys so far
The term”incident response with highly sensitive information, and techniques attackers can use details about the OS and then we
for security by independent third and built a database 4 to 10 times
exercise” can strike fear in the they immediately raise questions to target Fabric. To this end we will show the techniques used to
parties, due to protocol complexity bigger than previous public works.
hearts of even the mostly steely- on privacy and security. Who else are demoing and releasing a new reverse engineering the mipsN32
and the lack of proper (hardware/
eyed professional. The idea of sitting can track the users? Is this data attack suite, Tineola, capable of ABI code for the Cavium Octeon Performing the initial computation
software) tools. We strongly believe
around a table, talking through a properly protected? To answer these performing network reconnaissance processor. It will be discussed on over 300 million keys took about
in Wright’s principle,”Security
catastrophic security event can be questions, we analyzed a selection of a Hyperledger deployment, how some code was emulated to 10 days on a 280 vCPU cluster.
does not improve until practical
both simultaneously exhausting of the most popular tracking apps adding evil network peers to this detect how a dynamic password Many optimizations allow our tool to
tools for exploration of the attack
and incredibly boring. However, from the Google Play Store. deployment, using existing trusted is generated with a cryptographic incrementally test new RSA keys for
surface are made available.”
what instead of an participating in peers for lateral network movement algorithm for a root shell backdoor. common prime factors against the
Many apps and services suffer from with reverse shells, and fuzzing
grave security issues. Some apps Besides, it will be shown how whole dataset in just a few minutes.
application code deployed on Fabric.
60 61
Presentations
As a result of our research, we could examples of identifying suspicious Existing techniques for bypassing Smartcards are secure and help her with MATLAB. No matter UEFI EXPLOITATION FOR
have impersonated hundreds of functionality, and some of the wired port security are limited trustworthy. This is the idea how horrible memories I had about THE MASSES
people by breaking their PGP keys, interesting things we’ve done with to attacking 802.1x-2004, which smartcard driver developers have MATLAB, I just couldn’t say no. So Friday at 14:00 in 101 Track, Flamingo
mimicked thousands of servers the library. We invite everyone does not provide encryption or the in mind when developing drivers the next day, there was I, sitting in 45 minutes | Demo
thanks to their factored SSH keys in the community to use it, help ability to perform authentication and smartcard software. The my room, installing the trial. And Mickey Shkatov
and performed MitM attacks on contribute and make it an increasingly on a packet-by-packet basis [1][2] work presented in this talk not that’s when the hacking started... Hacker
over 200k websites relying on valuable tool for researchers alike. [3][4]. The development of 802.1x- only challenges, but crushes this
Believe me, there were a lot to Jesse Michael
vulnerable X509 certificates. 2010 mitigates these issues by assumption by attacking smartcard Hacker
hack in this case! Several gigabytes
SYNFUZZ: BUILDING using MacSEC to provide Layer drivers using malicious smartcards.
In the end, we were able to do this of installed materials, a few So how do you debug bios and triage
A GRAMMAR BASED 2 encryption and packet integrity
in an entirely passive way. Going A fuzzing framework for *nix and web servers, cloud integration, a vulnerability for exploitability with
RE-TARGETABLE check to the protocol [5]. Since
further is possible, but it would Windows is presented along with clustering capabilities, you no stack trace or error log? How do
TEST GENERATION MacSEC encrypts data on a hop-by-
lead us to the dark side. Would some interesting bugs found by name it. These software are BIOS developers do it? Do not worry!
hop basis, it successfully protects
big brother hesitate to go there? FRAMEWORK auditing and fuzzing smartcard drivers bloated, they are basically their We will explain how anyone can
against the bridge-based attacks
Friday at 10:00 in 101 Track, Flamingo and middleware. Among them classic own little operating systems. have debug capabilities on modern
pioneered by the likes of Steve Riley,
FINDING XORI: MALWARE 45 minutes | Demo, Tool stack and heap buffer overflows, Intel platforms and show you how
Abb, and Alva Duckwall [5][6]. Yup, I used plural. Because I thought
ANALYSIS TRIAGE Joe Rozner double frees, but also a replay attack this massively simplifies exploit dev.
why discriminate MATLAB? I should
WITH AUTOMATED Hacker In addition to the development of against smartcard authentication. Developing an exploit for a BIOS
really give a chance to Maple and
DISASSEMBLY 802.1x-2010, improved 802.1x vulnerability is a different experience
Fuzzers have played an important Since smartcards are used in the Mathematica to fail too!. I did, and
support by peripheral devices such than other types of exploit dev. Your
Friday at 13:00 in Track 2 role in the discovery of reliability authentication process, a lot of they did fail, and these failures gave
as printers also poses a challenge available code base to draw from is
20 minutes | Demo, Tool and security flaws in software for vulnerabilities can be triggered by the material for my talk. Basically this
to attackers. Gone are the days unlike what you would expect when
Amanda Rousseau decades. They have allowed for test an unauthenticated user, in code will be a dump of exploits (RCEs,
in which bypassing 802.1x was running at the operating system level
Senior Malware Researcher at Endgame Inc.
case generation at a rate impossible running with high privileges. During file disclosures, etc.), and if you use
as simple as finding a printer and and you have no gdb you can use.
Rich Seymour by hand and the creation of test the authors research, bugs were any of those software and you are
spoofing address, as hardware
Senior Data Scientist at Endgame Inc cases humans may never conceive discovered in OpenSC (EPass, PIV, at least a bit security conscious, In this talk we will summarize BIOS
manufacturers have gotten smarter.
of. While there are many excellent OpenPGP, CAC, Cryptoflex,...), you should definitely listen to it. exploitation techniques and dive
In a world of high volume malware
fuzzers available most are designed In this talk, we will introduce a novel YubiKey drivers, pam_p11, pam_ deeper into the specifics of an exploit
and limited researchers we need a
for mutating source files or input technique for bypassing 802.1x-2010 pkc11, Apple smartcardservices... HOUSE OF ROMAN: we developed to provide reliable
dramatic improvement in our ability
in random ways and attempting to by demonstrating how MacSEC A “LEAKLESS” HEAP arbitrary code execution for an”over-
to process and analyze new and • Identified vulnerabilities in various
discover edge cases in the handling fails when weak forms of EAP are FENGSHUI TO ACHIEVE the-internet” bios update vulnerability
old malware at scale. Unfortunately software projects including
of them. Some others are designed used. Additionally, we will discuss RCE ON PIE BINARIES we found and responsibly disclosed.
what is currently available to the the Linux kernel, X.org and
with structured input in mind and how improved 802.1x support We will explain the relevant parts
community is incredibly cost multiple IoT Operating Systems
Saturday at 13:30 in 101 Track,
use grammars to more strategically by peripheral devices does not Flamingo of UEFI and talk more about the
prohibitive or does not rise to the
generate and mutate possible inputs necessarily translate to improved • Speaker at nullcon 2018, Internet 20 minutes | Demo, Exploit exploit mitigations that exist there.
challenge. As malware authors
that adhere to the format defined. port-security due to the widespread of Teens (Issues in IoT Operating We will also explain how to explore
and distributors share code and Sanat Sharma
These specifically are the ones we use of weak EAP. Finally, we will Hacker System Management Mode (SMM)
prepackaged tool kits, the corporate Systems)
care about for the goals of identifying consider how improvements to the in an Intel based platform, utilizing
sponsored research community is Regarding ptmalloc2, many heap
differences between multiple Linux kernel have made bridge-based • Speaker at 30C3 about Intel hardware debug capabilities on
dominated by solutions aimed at exploitation techniques have
implementations of a single language, techniques easier to implement fingerprinting Java web-applications an Intel 8th gen platform to obtain
profit as opposed to augmenting been invented in the recent years,
finding bugs in parse tree generation/ and demonstrate an alternative to SMRAM content, analyze its contents,
capabilities available to the broader (lightning talk). well documented on the famous
handling of tokens, and handling of using packet injection for network and search for vulnerable code.
community. With that in mind, how2heap repository, or as writeups
the data at runtime once it has been interaction. We have packaged • Part of the winning team of the
we are introducing our library for of famous CTF challenges (like House
successfully lexically and syntactically each of these techniques and Deutsche Post Security Cup 2013. FUZZING MALWARE FOR
malware disassembly called Xori of Orange). However, most of them
analyzed. We’ll look at some of the improvements into an open source FUN & PROFIT: APPLYING
as an open source project. Xori is require atleast a libc/heap leak ,
shortcomings of existing fuzzers tool called Silent Bridge, which we ALL YOUR MATH ARE
focused on helping reverse engineers or fail in non-PIE binaries. My new COVERAGE-GUIDED
and discuss the implementation plan on releasing at the conference. BELONG TO US
analyze binaries, optimizing for technique titled House of Roman FUZZING TO FIND
for a new platform designed to Saturday at 15:00 in Track 1
time and effort spent per sample. leverages a single bug to gain shell AND EXPLOIT BUGS IN
make fuzzer creation easier with IN SOVIET RUSSIA 45 minutes | Demo, Tool, Exploit,
Xori is an automation-ready the goal of being able utilize SMARTCARD HACKS YOU Audience Participation
leaklessly on a PIE enabled Binary. I MODERN MALWARE
disassembly and static analysis grammars from the implementations shall showcase the ease of aligning Sunday at 15:00 in Track 3
Saturday at 13:00 in Track 1 sghctoma
library that consumes shellcode of the languages themselves. 20 minutes | Demo, Tool, Exploit Lead security researcher @ PR-Audit Ltd., Hungary
the heap to perform this attack, 45 minutes | Demo, Tool, Exploit
or PE binaries and provides triage thus demonstrating its versatility. Maksim Shudrak
Eric Sesterhenn
analysis data. This Rust library BYPASSING PORT- First of all, it’s math. Not meth. So Senior Offensive Security Researcher, Salesforce
Principal Security Consultant at X41, D-Sec GmbH Since this a 20 mins talk, attendees
emulates the stack, register states, everybody be cool, I’m not gonna
SECURITY IN 2018: should be aware of basic heap Practice shows that even the most
and reference tables to identify The classic spy movie hacking touch your central nervous system
DEFEATING MACSEC AND exploitation techniques, like fastbin secure software written by the best
suspicious functionality for manual sequence: The spy inserts a stimulant substances. Now that this
802.1X-2010 attacks and unsorted bin attacks, engineers contain bugs. Malware
analysis. Xori extracts structured magic smartcard provided by is established, I can start telling my
Friday at 15:00 in Track 1 and have a general idea of how the is not an exception. In most cases
data from binaries to use in machine the agency technicians into story. And this story, like all good
45 minutes | Demo, Tool ptmalloc2 algorithm works. As a their authors do not follow the
learning and data science pipelines. the enemy’s computer, ...the stories, begins where it ends.
bonus, I also discuss how to land a best secure software development
Gabriel Ryan screen unlocks... What we all
We will go over the pain-points Wait, no, not really. fastbin chunk in memory regions with practices thereby introducing an
Co-Founder / Principal Security Consultant @ Digital
laughed about is possible!
of conventional open source Silence
It begins at a birthday party where no size alignment (like __free_hook ). interesting attack scenario which
disassemblers that Xori solves, the sister of a friend asked if I could can be used to stop or slow-
62 63
Presentations
down malware spreading, defend example, if you are a member of the to make it easier to conduct view, inviting the audience to see are the implications. To the public, design and obscuring the details
against DDoS attacks and take press with sources that you only rogue AP MitM attacks against privacy as fundamentally about fake science is indistinguishable of the PCB from view. Thru the use
control over C&Cs and botnets. meet face to face you could be a modern devices and networks. equality-something we have never from legitimate science, which of X-Ray, we are able to reverse
Several previous researches have target especially if the source is a fully had but also should never regard is facing similar accusations engineer virtually anything. Slides
After years of using mana in many
demonstrated that such bugs exist whistleblower or has information as gone.The speaker is a human itself. Our findings highlight will be presented show several
security assessments, we’ve realised
and can be exploited. To find those that their employer would rather rights lawyer and investigator, and the prevalence of the pseudo- PCB designs and how easy it was
rogue AP’ing and MitM’ing is no
bugs it would be reasonable to they didn’t give to you. Would it will draw on decades of human rights academic conferences, journals to reverse engineer the PCB. Also
simple affair. This extended talk
use coverage-guided fuzzing. seem far-fetched to think that a thinking about state surveillance as and publications and the damage presenting videos of live views and
will provide an overview of mana,
hacker, security researcher or a well as her 2017 revelations about they can and are doing to society. dynamic zoom; this will demonstrate
This talk aims to answer the following the new capabilities and features,
member of the EFF could be placed Defense Department monitoring of the true power of the X-Ray and its
two questions: ___ we defend and walk attendees through three
under surveillance? Maybe even “homegrown violent extremists.” HACKING BLE BICYCLE ability to see sub-micron features
against malware by exploiting bugs scenarios and their nuances:
some current and former DEF Adopting a feminist and race- LOCKS FOR FUN AND A within the PCB structure and devices
in them ? How can we use fuzzing
CON speakers and attendees? • Intercepting corporate credentials conscious perspective and inviting SMALL PROFIT while manipulating the PCB.
to find those bugs automatically ?
at association (PEAP/EAP-GTC) audience participation, the talk will
These teams are not the lone Private Sunday at 14:00 in Track 2
The author will show how we can challenge received wisdom about WEAPONIZING UNICODE:
Investigator sat in their car at the • Targeting one or more devices 45 minutes | Demo, Tool
apply coverage-guided fuzzing basic concepts such as privacy, HOMOGRAPHS BEYOND
bottom of your street but are highly for MitM & collecting credentials Vincent Tan Kwang Yue
to automatically find bugs in national security, the warrant IDNS
trained individuals whose job is to • “Snoopy” style geolocation &
Senior Security Consultant, MWR InfoSecurity
sophisticated malicious samples such requirement, and online radicalization.
remain undetected. Their mission is randomised MAC deanonymization As Hack a lock and get free rides! (No
Friday at 15:00 in 101 Track, Flamingo
as botnet Mirai which was used to With a view to the future, it will 45 minutes | Demo, Tool
to observe and identify interactions a bonus, you’ll be able to download free beer yet though...). This talk
conduct one of the most destructive also offer a thought-provoking
and document everything they a training environment to practise will explore the ever growing ride The Tarquin
DDoS in history and various banking history of the connections between
see. They aim to be “The Grey all of this without requiring any wifi sharing economy and look at how
Senior Security Engineer, Amazon.com
trojans. A new cross-platform tool privacy and equality in the United
Man”, that person, when asked to hardware (or breaking any laws). the BLE “Smart” locks on shared Most people are familiar with
implemented on top of WinAFL States-and the ways unchecked
describe, you are unable to. Their bicycles work. The entire solution homograph attacks due to phishing
will be released and a set of 0day surveillance operates to categorize
techniques have changed very little JAILBREAKING THE 3DS will be deconstructed and examined, or other attack campaigns using
vulnerabilities will be presented. us and reinforce divisions between
over decades because they work. from the mobile application to Internationalized Domain Names with
Do you want to see how a small
THROUGH 7 YEARS OF us.It is easy to forget that _1984_
This talk will focus on mobile HARDENING was partly a story about poverty its supporting web services and look-alike characters. But homograph
addition to HTTP-response can
and foot surveillance techniques Saturday at 11:00 in Track 3 and economic inequality. This talk finally communications with the attacks exist against wide variety
stop a large-scale DDoS attack
used by surveillance teams. It will 45 minutes | Demo, Exploit embraces Orwell’s insight into the lock. We will look at how to go of systems that have gotten far
or how a smart bitflipping can
also include tips on identifying if connection between the erosion about analysing communications less attention. This talk discusses
cause RCE in a sophisticated smea
you are under surveillance and Hacker of privacy and a dangerous loss of between a mobile device and the the use of homographs to attack
banking trojan? If the answer is
how to make their life difficult. equality, and carries it forward. lock, what works, what doesn’t. machine learning systems, to submit
yes, this is definitely your talk. The 3DS was one of Nintendo’s first malicious software patches, and to
serious attempts at security, featuring Previous talks on attacking BLE
PRACTICAL & IMPROVED INSIDE THE FAKE craft cryptographic canary traps and
WAGGING THE TAIL: a cool microkernel based OS and targeted the protocol itself using
WIFI MITM WITH MANA SCIENCE FACTORY leak repudiation mechanisms. It then
COVERT PASSIVE actual exploit mitigations. That didn’t various hardware and software
introduces a generalized defense
SURVEILLANCE AND Friday at 16:00 in Track 2
stop it from getting hacked pretty Saturday at 16:00 in Track 3 such as Ubertooth and Wireshark,
45 minutes | Demo, Audience strategy that should work against
hard, making it possible for people to
105 minutes which could be potentially difficult
HOW TO MAKE THEIR Participation, Tool homograph attacks in any context.
write their own homebrew software Dr Cindy Poppins for someone new wanting to explore
LIFE DIFFICULT singe Computer Scientist (AKA Svea Eckert) BLE and the ever connected IoT
Thursday at 14:00 in 101 Track, CTO @ SensePost
for the console. But Nintendo isn’t THE ROAD TO
one to back off from a fight and, as a Dr Dade Murphy world. I’ll simplify and stupidify
Flamingo RESILIENCE: HOW REAL
In 2014, we released the mana result, has put significant effort into Reformed Hacker (AKA Suggy) the entire process such that
45 minutes HACKING REDEEMS THIS
rogue AP toolkit at DEF CON 22. not only fixing vulnerabilities but also Professor Dr Edgar Munchhausen anyone with a mobile phone and
Si basic experience with Frida can DAMNABLE PROFESSION
Independent Security Consultant This fixed KARMA attacks which introducing new security features Struwwelpeter Fellow (AKA Till Krause)
no longer worked against modern targeted specifically at killing exploit go about breaking locks and Saturday at 17:00 in Track 2
Agent X Fake News has got a sidekick hacking BLE the world over. 45 minutes |
Hacker devices, added new capabilities techniques used by hackers. This and it’s called Fake Science.
such as KARMA against some talk will describe hacking the console This talk presents the findings
Richard Thieme, a.k.a. neural cowboy
In this modern digital age of EAP networks and provided an through all these defensive features YOU CAN RUN, BUT YOU Author and professional speaker, ThiemeWorks
and methodology from a team of
technically competent adversaries easy to use toolkit for conducting by walking through a 0-day exploit CAN’T HIDE. REVERSE Two years ago Richard Thieme
investigative journalists, hackers
we forget that there may still be a MitM attacks once associated. chain that takes us all the way from ENGINEERING USING spoke on “Playing Through the Pain:
and data scientists who delved into
need to conduct old school physical zero access to a full system jailbreak. X-RAY. The Impact of Dark Knowledge
Since then, several changes in the parallel universe of fraudulent
surveillance against a target. Many Friday at 13:30 in 101 Track, Flamingo on Security and Intelligence
wifi client devices, including MAC pseudo-academic conferences and
organisations utilise surveillance PRIVACY IS EQUALITY: 20 minutes Professionals” for Def Con 24. He
randomisation, significant use of the journals; Fake science factories,
teams and these may be in-house AND IT’S FAR FROM DEAD relied on dozens of experiences
5GHz spectrum and an increased twilight companies whose sole George Tarnovsky
in the case of government agencies Engineer, Cisco Systems provided by colleagues over a
variety of configurations has made Saturday at 20:00-22:00 in Octavius 13 purpose is to give studies an air of
or third-party teams contracted for a Fireside Hax quarter-century, colleagues from
these attacks harder to conduct. scientific credibility while cashing in Most of us have knowledge of PCB
specific task and their targets range NSA, CIA, corporate, and military.
Just firing up a vanilla script gets Sarah St. Vincent on millions of dollars in the process. construction. In the past reversing
from suspected terrorists to people Responses to the presentation have
fewer credentials than it used to. Researcher/Advocate on National Security, Until recently, these fake science someone’s design was an easy task
accused of bogus insurance claims. Surveillance, and Domestic Law Enforcement, Human
often been emotional and have
Rights Watch factories have remained relatively due to the simplicity of the PCB
Whilst most people think that To address this mana will be corroborated his thesis. The real
under the radar, with few outside of design. Now with BGA’s( Ball Grid
they may never be placed under re-released in this talk with A talk at DEF CON 25 claimed that impact of this work on people over
academia aware of their presence; Array’s), manufacturers using several
surveillance some professions several significant improvements privacy is “gone and never coming the long term has to be mitigated
but the highly profitable industry is plane layers cover the entire PCB
increase this probability. For back.” This talk offers a different growing significantly and with it, so by counter-measures and strategies
64 65
Presentations
so scars can be endured or, even BREAKING PASER Voicemail systems have been with role. Many a malware has been Load 3rd-party kernel extension? scanners also allow programming
better, incorporated and put to LOGIC: TAKE YOUR PATH us since the 80s. They played a big generically thwarted thanks to the click ...allowed. Authorize outgoing via barcodes to manipulate and
use.In this presentation, Thieme NORMALIZATION OFF role in the earlier hacking scene and watchful eye of these products. network connection? click ...allowed. inject keystrokes. See the problem?
elaborates those strategies and AND POP 0DAYS OUT! re-reading those e-zines, articles and Luckily security-conscious users By scanning a few programming
However on macOS, firewalls are
counter-measures. In what is likely tutorials paints an interesting picture. will (hopefully) heed such warning barcodes, you can infect a scanner
Friday at 12 in Track 2 rather poorly understood. Apple’s
his final speech at Def Con, he 45 minutes | Demo, Tool, Exploit Not much has changed. Not in the dialogues—stopping malicious code and access the keyboard of the host
documentation surrounding it’s
speaks directly to the “human in the technology nor in the attack vectors. in its tracks. But what if such clicks device, letting you type commands
Orange Tsai network filter interfaces is rather
machine” AS a human being. It’s Can we leverage the last 30 years can be synthetically generated and just like a Rubber Ducky. This
Security Researcher from DEVCORE lacking and all commercial macOS
not about leaving the profession: it’s innovations to further compromise interact with such prompts in a culminates in barcOwned—a small
We propose a new exploit firewalls are closed source.
about what we can do to thrive and voicemail systems? And what is the completely invisible way? Well, then web app that allows you to program
transcend the challenges. It‘s about technique that brings a whole- real impact today of pwning these? This talk aims to take a peek everything pretty much goes to hell. scanners and execute complex,
“saving this space,” this play space of new attack surface to defeat path behind the proverbial curtain device-agnostic payloads in seconds.
normalization, which is complicated In this talk I will cover voicemail Of course OS vendors such as
hacking, work and life, and knowing revealing how to both create and Possible applications include
in implementation due to many systems, it’s security and how we Apple are keenly aware of this
the cost of being fully human while ‘destroy’ macOS firewalls. keystroke injection (including special
implicit properties and edge cases. can use oldskool techniques and new ‘attack’ vector, and thus strive
encountering dehumanizing impacts. In this talk, we’ll first dive into what keys), infiltration and exfiltration of
This complication, being under- ones on top of current technology to design their UI in a manner
It is easier to focus on exploits, cool it takes to create an effective firewall data on air-gapped systems, and
estimated or ignored by developers to compromise them. I will discuss that is resistant against synthetic
tools, zero days, and the games we for macOS. Yes we’ll discuss core good ol’ denial of service attacks.
for a long time, has made our the broader impact of gaining events. Unfortunately they failed.
play in the space that “makes us concepts such as kernel-level
proposed attack vector possible, unauthorized access to voicemail
smile.” It is not so easy to know how In this talk we’ll discuss a vulnerability DISRUPTING THE DIGITAL
systems today and introduce a new socket filtering—but also how to
to play through the pain successfully. lethal, and general. Therefore, (CVE-2017-7150) found in all recent DYSTOPIA OR WHAT THE
tool that automates the process. communicate with user-mode
The damage to us does not show many 0days have been discovered versions of macOS that allowed HELL IS HAPPENING IN
components, install privileged code
up in brain scans. It shows up in via this approach in popular web unprivileged code to interact
ATTACKING THE MACOS in a secure manner, and simple COMPUTER LAW?
our families, our relationships, and frameworks written in trending with any UI component including
KERNEL GRAPHICS ways to implement self-defense Friday at 20:00-22:00 in Octavius 13
our lives. Thieme is not preaching, programming languages, including ‘protected’ security dialogues.
DRIVER mechanisms (including protecting Fireside Hax | Audience Participation
he is sharing insights based on Python, Ruby, Java, and JavaScript. Armed with the bug, it was trivial to
the UI from synthetic events). Nathan White
what he too has had to transcend Being a very fundamental problem
Sunday at 12:00 in Track 2 programmatically bypass Apple’s Senior Legislative Manager, Access Now
in his own life. They call a lot of us 45 minutes | Demo, Exploit Of course any security tool, including touted ‘User-Approved Kext’ security
that exists in path normalization
“supernormals,” which means we Yu Wang firewalls, can be broken. After feature, dump all passwords from Nate Cardozo
logic, sophisticated web frameworks Senior Staff Attorney, EFF
discovered resilient responses to Senior Staff Engineer at Didi Research America looking at various macOS malware the keychain, bypass 3rd-party
can also suffer. For example, we’ve
deprivation, abuse, profound loss specimens that proactively attempt security tools, and much more! And 1984 didn’t just happen because of
found various 0days on Java Spring Just like the Windows platform,
… or the daily challenges of work to detect such firewalls, we’ll don our as Apple’s patch was incomplete a calendar. The world of 1984 was
Framework, Ruby on Rails, Next. graphic drivers of macOS kernel are
that makes clear that evil is real. We ‘gray’ (black?) hats to discuss various (surprise surprise) we’ll drop an built by politicians who used the
js, and Python aiohttp, just to name complicated and provide a large
are driven, we never quit, we fight attacks against these products. And 0day that (still) allows unprivileged rule of law to change society into
a few. This general technique can promising attack surface for EoPs
through adversity, we create and while some attacks are well known, code to post synthetic events and an oppressive surveillance state. In
also adapt to multi-layered web and sandbox escapes from low-
recreate personas that work, we do others are currently undisclosed bypass various security mechanisms Washington D.C., politicians today
architecture, such as using Nginx or privileged processes. After auditing
what has to be done. It pays to know and can generically bypass even on a fully patched macOS box! are making decisions about what
Apache as a proxy for Tomcat. In that part of the binaries, I discovered a
how we do that and know THAT we today’s most vigilant Mac firewalls. technologies we’re permitted to use
case, reverse proxy protections can number of vulnerabilities last year. And while it may seem that such
know so we can recreate resilience be bypassed. To make things worse, Including, NULL pointer dereference, But all is not lost. By proactively synthetic interactions with the UI and how they’ll be used in society.
in the face of whatever comes our we’re able to chain path normalization stack-based buffer overflow, arbitrary discussing such attacks, will be visible to the user, we’ll In this talk we’ll break down 4-5
way. A contractor for NSA suggested bugs to bypass authentication and kernel memory read and write, combined with our newly-found discuss an elegant way to ensure bills currently under discussion in
that everyone inside the agency achieve RCE in real world Bug Bounty use-after-free, etc. Some of these understandings of firewall internals, they happen completely invisibly! Congress and explain who they’ll
should see the video of “Playing Programs. Several scenarios will vulnerabilities were reported to Apple we can improve the existing impact the DEF CON community.
Through the Pain.” A long-time Def be demonstrated to illustrate how Inc., such as the CVE-2017-7155, status quo, advancing firewall WELCOME TO DEF CON &
Con attendee asks all new hires to path normalization can be exploited CVE-2017-7163, CVE-2017-13883. development. With a little luck, such BETRAYED BY THE
BADGE MAKER TALK
watch “Staring into the Abyss,” a talk to achieve sensitive information advancements may foil, or at least KEYBOARD: HOW WHAT
Thieme did a few years before. This In this presentation, I will share with Friday at 10:00 in Track 1
disclosure, SMB-Relay and RCE. complicate the lives of tomorrow’s 45 minutes | Demo YOU TYPE CAN GIVE YOU
subject matter is seldom discussed you the detailed information about
sophisticated Mac malware! AWAY
aloud “out here” and by all accounts Understanding the basics of this these vulnerabilities. Furthermore, The Dark Tangent
technique, the audience won’t be from the attacker’s perspective, I Sunday at 14:00 in 101 Track,
is not taken seriously “inside,” which THE MOUSE IS MIGHTIER Flamingo
is perhaps why there have been half surprised to know that more than will also reveal some new exploit BARCOWNED: POPPING
THAN THE SWORD 45 minutes
a dozen suicides lately at NSA and a 10 vulnerabilities have been found techniques and zero-days. SHELLS WITH YOUR
in sophisticated frameworks and Sunday at 10:00 in 101 Track, Matt Wixey
CIA veteran said, “I have 23 suicides Flamingo
CEREAL BOX Vulnerability R&D Lead, PwC
on my mind, the most recent senior multi-layered web architectures FIRE & ICE: MAKING Sunday at 13:00 in Track 3
45 minutes | Demo, Exploit
people who could not live with what aforementioned via this technique. AND BREAKING MACOS 20 minutes | Demo Attribution is hard. Typically, the
Patrick Wardle most useful identifiers—IP addresses,
they knew.”The assumption baked FIREWALLS Chief Research Officer, Digita Security Michael West
into this talk: real hacking, its ethos COMPROMISING ONLINE Saturday at 14:30 in Track 3 Technical Advisor at CyberArk email address, domains, and so
and its execution, provides the tools ACCOUNTS BY CRACKING 20 minutes | Demo, Tool, Exploit In today’s digital world the mouse, not on—are also the easiest things to
magicspacekiwi (Colin Campbell)
we need to do this damn thing right. VOICEMAIL SYSTEMS Patrick Wardle the pen is arguably mightier than the Web Developer spoof, obfuscate, or anonymise.
Friday at 13:00 in Track 1 Chief Research Officer, Digita Security sword. Via a single click, countless Whilst more advanced techniques,
This talk is in honor of Perry security mechanisms may be Barcodes and barcode scanners are such as correlating malicious
20 minutes | Demo, Audience
Barlow and the EFF. Participation, Tool
In the ever raging battle between completely bypassed. Run untrusted ubiquitous in many industries and activity with timezones, or linking
malicious code and anti-malware app? click ...allowed. Authorize work with untrusted data on labels, attacks through the use of similar
Martin Vigo
Hacker
tools, firewalls play an essential keychain access? click ...allowed. boxes, and even phone screens. Most techniques or malware, can be
66 67
Presentations
useful, they tend to take investigators Jianwei Huang 4. showcases of interesting attack vectors that these embedded model of the toy was released with engineering of internal structures
Hacker
further away from the individuals Custom Attack chains in real- development tools expose users to, improvements including Bluetooth and all historical background info
responsible; at best, some inference Peng LiuRaymond G. Tronzo, M.D. world SDN projects. and why users should not blindly connectivity, LCD eyes, and a needed to understand how the
Professor of Cybersecurity
about the country or specific actor trust their tools. This talk will detail a companion mobile application. exploit chains for ETERNALBLUE,
group/collective can be made. Software-Defined Networking PRIVACY variety reverse engineering, fuzzing, While the new bear features a ETERNALCHAMPION,
(SDN) is now widely deployed in INFRASTRUCTURE, exploit development and protocol number of improvements, the Teddy ETERNALROMANCE, and
In this talk, I present a method
production environments with an CHALLENGES AND analysis techniques that we used to Ruxpin’s original ability to add new ETERNALSYNERGY work
for linking incidents to individual
ever-growing community. Though OPPORTUNITIES analyze and exploit the security of stories by replacing the included will be provided.
attackers with a high degree of
SDN’s software-based architecture a common embedded debugger. cassettes is no longer applicable,
accuracy, based on extremely fine- Friday at 15:00 in Track 3 This talk will also describe how
enables network programmability, and it requires users to supply files
grained behavioural characteristics. 45 minutes the MS17-010 patch fixed the
it also introduces dangerous code LORA SMART WATER to the bear in a proprietary format.
This involves an investigatory yawnbox vulnerabilities, and identify
technique known as “case linkage vulnerabilities into SDN controllers. Executive Director, Emerald Onion METER SECURITY This presentation aims to show how additional vulnerabilities that were
analysis” (CLA), which uses granular However, the decoupled SDN ANALYSIS the new Teddy Ruxpin was reverse patched around the same time.
control plane and data plane only We started our own transit Internet
aspects of crime scene behaviours Friday at 11:00 in Track 3 engineered down to a very low level
communicate with each other with Service Provider (ISP) to safely route 45 minutes | Tool
to link common offenders together in order to create new content. I FASTEN YOUR
pre-defined protocol interactions, anonymized packets across the
through statistical comparison. It’s Yingtao Zeng will reveal the inner workings of the SEATBELTS: WE ARE
which largely increases the globe, and you can too. Emerald
been applied to some crime types Security Researcher at UnicornTeam, Radio Security
hardware and software within the ESCAPING IOS 11
difficulty of exploiting such security Onion is a Seattle-based 501(c)3 Research Department of 360 Security Technology
before, but never to cyber attacks. bear and document the process SANDBOX!
weaknesses from the data plane. not-for-profit and we want to help Lin Huang used to reverse engineer it. I will
I’ll cover how CLA works, its other hacker collectives start their Senior Wireless Security Researcher and SDR Friday at 13:30 in Track 3
In this talk, we extend the attack then examine the communication
advantages and disadvantages, own. Getting your own Autonomous technology expert, 360 Security Technology 20 minutes | Demo, Exploit
surface and introduce Custom between the mobile application
and how it has previously been System Number (ASN), managing Jun Li Min (Spark) Zheng
Attack, a novel attack against SDN and Teddy Ruxpin as well as the
applied to a range of crimes, from Internet Protocol (IP) scopes, using Senior Security Researcher, Radio Security Security Expert, Alibaba Inc.
controllers that leverages legitimate Department of 360 Security Technology custom structure of the digital
burglary to homicide. I’ll place it Border Gateway Protocol (BGP) in Xiaolong Bai
SDN protocol messages (i.e., the books read by the bear. I will end
within the context of personality Internet Exchange Points (IXPs), To avoid the tedious task of collecting Security Engineer, Alibaba Inc.
custom protocol field) to facilitate the presentation by releasing a
psychology, biometrics, forensic dealing with abuse complaints or water usage data by go user’s home
Java code vulnerability exploitation. toolset that allows users to create Apple’s sandbox was introduced
criminology, offender profiling, and government requests for user data— _ water meters that are equipped
Our research shows that it was their own stories followed by a as “SeatBelt” in macOS 10.5
forensic linguistics; and will walk this is all stuff that you can do. Not with wireless communication
possible for a weak adversary demo showcasing the Teddy Ruxpin which provided the first full-
through applying it practically. every technologist is comfortable with modules are now being put into
to execute arbitrary command greeting the DEF CON audience. fledged implementation of the
launching and managing a nonprofit use, in this talk we will take a water
I’ll then show the results of a novel or manipulate data in the SDN MACF policy. After a successful
organization let alone has all of the meter _which is using Lora wireless
experiment I conducted applying CLA controller without accessing the SDN DEMYSTIFYING MS17-010: trial on macOS, Apple applied
technical knowhow to run an ISP. protocol_ as an example to analyze
to network intrusion attacks, which controller or any applications, but REVERSE ENGINEERING sandbox mechanism to iOS 6. In its
We didn’t either when we started. the security and privacy risks of this
involved logging the keystrokes of only controlling a host or a switch. THE ETERNAL EXPLOITS implementation, the policy hooked
We had a goal, and that was to route kind of meters_we will explain how
volunteer attackers across different dozens of operations. The number
To the best of our knowledge, unfiltered Tor exit traffic in the Seattle to reverse engineer and analyze Sunday at 11:00 in Track 3
simulated intrusions, breaking these 45 minutes | Demo, Tool, Exploit, of hooks has been growing steadily
Custom Attack is the first attack Internet Exchange despite National both the firmware and the hardware
down into specific behaviours and Audience Participation when new system calls or newly
that can remotely compromise SDN Security Agency (NSA) wiretaps in of a water meter system, we will be
syntax, and using these to link discovered threats appeared. In the
software stack to simultaneously the Westin Exchange Building. This talking about its security risks from zerosum0x0
individuals to their offences. The end Hacker beginning, Apple’s sandbox used
cause multiple kinds of attack talk will cover high level challenges multiple perspectives , physical,
result: the way you type commands, a black list approach which means
effects in SDN controllers. Till now and opportunities surrounding privacy data link, and sensors. Do notice MS17-010 is the most important
including your choice and order Apple originally concentrated on
we have tested 5 most popular SDN infrastructure in the United States. that LORA is not only used in water patch in the history of operating
of syntax, switches, and options, the known dangerous APIs and
can form distinctive behavioural controllers and their applications and meter ,it is being used in a lot of systems, fixing remote code blocked them, allowing all others
signatures, which can be used to link found all of them are vulnerable to INFECTING THE IoT scenarios_so the methods we execution vulnerabilities in the world by default. However, with the
attackers together. Linking accuracy Custom Attack in some degree. 14 EMBEDDED SUPPLY employed to analyze LORA in this of modern Windows. The ETERNAL evolution of Apple’s sandbox, it
rates as high as 99% were achieved. serious vulnerabilities are discovered, CHAIN talk are also useful when you do exploits, written by the Equation applies a white list approach that
all of which can be exploited remotely Saturday at 13:30 in Track 3 tests of other LORA based systems. Group and dumped by the Shadow
Finally, I’ll talk about the implications denies all APIs and only allows
to launch advanced attacks against 45 minutes | Demo, Exploit Brokers, have been used in the most
for both defenders and everyone secure ones that Apple trusts.
controllers (e.g., executing arbitrary Zach DISSECTING THE TEDDY damaging cyber attacks in computing
else (particularly focusing on the commands, exfiltrating confidential Security Researcher at Somerset Recon RUXPIN: REVERSE history: WannaCry, NotPetya, In this talk, we will first introduce
privacy implications), explore ways files, crashing SDN service, etc.). Olympic Destroyer, and many others. Apple’s sandbox mechanism and
Alex ENGINEERING THE
in which these techniques could be profiles in the latest iOS. Then, we
defeated, and outline some ideas This presentation will include: Security Researcher at Somerset Recon SMART BEAR Yet, how these complicated discuss iOS IPC mechanism and
for future research in these areas. 1. an overview of SDN security With a surge in the production of Friday at 13:00 in 101 Track, Flamingo exploits work has not been review several old classic sandbox
20 minutes | Demo, Audience made clear to most. This is due
research and practices. internet of things (IoT) devices, escape bugs. Most importantly, we
Participation, Tool to the ETERNAL exploits taking
HACKING THE BRAIN: embedded development tools are show two new zero-day sandbox
2. a new attack methodology becoming commonplace and the zenofex advantage of undocumented
CUSTOMIZE EVIL escape vulnerabilities we recently
for SDN that is capable of software they run on is often trusted
Hacker
features of the Windows kernel and
PROTOCOL TO PWN AN discovered in the latest iOS 11.4.
compromising the entire network. to run in escalated modes. However, the esoteric SMBv1 protocol.
SDN CONTROLLER The Teddy Ruxpin is an iconic Besides, we share our experience
3. our research process that leads some of the embedded development toy from the 1980’s featuring This talk will condense years of of exploiting vulnerabilities in
20 minutes | Demo, Exploit to these discoveries, including tools on the market contain serious an animatronic teddy bear that research into Windows internals system services through OOL
technical specifics of exploits. vulnerabilities that put users at risk. reads stories from cassette tapes and the SMBv1 protocol driver. msg heap spray and ROP (Return-
Feng Xiao
Hacker
In this talk we discuss the various to children. In late 2017, a new Descriptions of full reverse oriented programming). In addition,
68 69
workshops
WORKSHOP REGISTRATION WAS HELD ONLINE JULY 8TH.
THERE IS NO ONSITE REGISTRATION, SIGNUP SHEET, AND
we discuss a task port exploit POLITICS AND THE There is no need for any technical
ALL SEATS (INCLUDING STANDBY) ARE SOLD OUT. FOR MORE
technique which can be used to SURVEILLANCE STATE. or political insight to be able to
INFO ON THE WORKSHOPS VISIT THE DEF CON WEBSITE.
control the whole remote process THE STORY OF A appreciate this topic and the work
PRE-REGISTRATION WILL BE ONLINE AGAIN FOR DEF CON 27!
through Mach messages. By YOUNG POLITICIAN’S Daniel has done on behalf of the more
using these techniques, security SUCCESSFUL EFFORTS technologically savvy enthusiasts. THURSDAY
researchers could find and exploit
TO FIGHT SURVEILLANCE The theme of DEF CON 26 would
sandbox escape bugs to control
AND PASS THE NATION’S be inconsistent without taking into ICON A ICON B ICON C ICON D ICON E ICON F
iOS user mode system services
STRONGEST PRIVACY consideration policy and how it ties in Guided Tour to Pentesting ICS Where’s My Finding Building Packet Mining
and further attack the kernel.
BILLS. closely with technology. Technology IEEE 802.15.4 101 Browser? Needles in Autonomous for Privacy
10:00-14:00
Sunday at 11:00 in Track 2
relies on policy, and policy has and BLE Ex- Learn Hacking Haystacks AppSec Test Leakage
YOUR PERIPHERAL HAS the implications of dictating the ploitation Alexandrine iOS and Pipelines with
PLANTED MALWARE: AN 45 minutes | Audience Participation Torrents & Arnaud Android Web- Louis Nyffenegger the Robot Dave Porcello &
use of technology. The two can go Views Framework
Daniel Zolnikov Arun Mane & SOULLIÉ & Luke Jahnke Sean Gallagher
EXPLOIT OF NXP SOCS hand in hand, or end up squaring Rushikesh D.
Montana State Representative
VULNERABILITY up against each other. You are an Nandedkar David Turco & Abhay Bhargav
Friday at 16:00 in Track 1 Orwell’s concept of 1984 has more important, and lesser heard voice Jon Overgaard & Sharath Kumar
to do with government misuse of Christiansen Ramadas
45 minutes | Demo, Exploit in the world of aged politicians with
Yuwei Zheng technology than technology itself. limited vision. The Orwellian state Forensic Inves- Introduction to Advanced Fuzzing FTW Playing with The Truth is in
New technology allows for more
14:30-18:30
Senior Security Researcher, Unicorn Team, 360 existed due to a mixture of bad tigation for the Cryptographic Wireless At- RFID the Network
Technology
opportunity, but unchecked, it allows policies and technology. Although Non-Forensic Attacks tacks Against Bryce Kunz &
for complete government control. Investigator Enterprise Kevin Lustic Vinnie Vanhoecke David Pearson
Shaokun Cao the theme focuses on technology Networks
Freelance Security Researcher Matt Cheung & Lorenzo Bernardi
Representative Daniel Zolnikov is the used to disrupt the surveillance Gary Bates
Yunding Jian nation’s leading politician regarding state, the other half of the battle is Gabriel Ryan &
Senior Security Researcher, Unicorn Team, 360
privacy and surveillance and has ensuring this state does not reach Justin Whitehead
Technology
enacted numerous laws safeguarding the disastrous conclusions of 1984.
Mingchuang Qun
Senior security researcher at the Radio Security fourth amendment rights regarding Daniel believes we can move FRIDAY
Research Department of 360 Technology, digital communications and forward with technology without
technology. Daniel will walk you living in fear of our government. If ICON A ICON B ICON C ICON D ICON E ICON F
There are billions of ARM Cortex
down the road of how political you want to have some hope and Bypassing Reverse Attacking Ac- ARM eXploita- Attacking & Crypto Hero
M based SOC being deployed in
misuse of technology can and will direction towards the future of Windows Driv- Engineering tive Directory tion 101 Auditing Dock-
10:00-14:00
embedded systems. Most of these
turn the Federal Government into policy regarding surveillance and er Signature with Open- and Advanced er Containers Sam Bowne, Dylan
devices are Internet ready and Enforcement SCAD and 3D Defense Meth- Using Open
an unprecedented nanny state that technology, Daniel will leave you Sneha Rajguru James Smith, &
definitely security is always the main Printing ods in 2018 Source Elizabeth Biddle-
will lead to a suppressed free flow with the optimism that there is still
concern. Vendors would always Csaba Fitzl come
of information and fear of stepping a chance that our nation can have a Nick Tait Adam Steed & Madhu Akula
apply security measurements into
out of line. His story includes balanced approach that ensures 1984 James Albany
the ARM Cortex M product for few
insights on how unique left and right does not become the norm in the
major reasons: 1) People will not
coalitions were formed to pass these future and will help you understand
be able to copy and replicate the
laws in his home state of Montana, how to take part in this action.
product; 2) License control for the Hacking Buzzing Smart Threat Hunting JWAT...Attack- Penetra- Deploying,
14:30-18:30
and how he prevailed against law Thingz Devices: Smart with ELK ing JSON Web tion Testing Attacking, and
hardware and software; 3) Prevent
enforcement groups who opposed Powered Band Hacking Tokens Environments: Securing Soft-
malicious code injection in to the By Machine Client & Test ware Defined
implementing warrant requirements. Ben Hughes, Fred
firmware. Vendors normally rely on Learning Arun Magesh Mastrippolito, & Louis Nyffenegger Security Networks
the security measurements built This discussion is aimed at sharing Jeff Magloire & Luke Jahnke
within the chip (unique ID number/ insights no matter your political Clarence Chio & Wesley McGrew & Jon Medina
affiliation. All of Daniel’s legislation Anto Joseph Kendall Blaylock
signature) or security measurements
built around the chip (secure boot). has passed with overwhelming
bi-partisan support through both
SATURDAY
In this talk, we will share the ARM
bodies in Montana’s legislature
Cortex M SOC vulnerability that we ICON A ICON B ICON C ICON D ICON E ICON F
and was signed by the governor of
discovered and it will be two parts:
the opposite party. Although most Joe Grand’s Fuzzing with Advanced Adventures in Attack & De- Decentralized
10:00-14:00
The first is security measurement speeches involving politicians tend to Hardware AFL (American Custom Net- Radio Scan- fense in AWS Hacker Net
Hacking Fuzzy Lop) work Protocol ning Environments
build within the SOC and how we lead towards rhetoric, Daniel’s goal Basics Fuzzing Eijah
break it. We could gain control of is to share enough information to be Jakub Botwicz & Richard Hen- Vaibhav Gupta &
changing the SOC unique ID and able to understand why change has Joe Grand Wojciech Rauner Joshua Pereyda & derson & Bryan Sandeep Singh
write the firmware or even turn not taken place yet, and leave you Timothy Clemans Passifiume
the device into a trojan or bot. understanding how to remedy that.
The second is security measure His story will give you insights into Build Your Weapons Building En- Lateral Move- Analyzing Securing
14:30-18:30
built around the SOC and how we Own OpticSpy Training for the vironmentally ment 101: 2018 Malscripts: Big Data in
the politics that states and the nation
Receiver Empire Responsive Update Return of the Hadoop
break the Secure Boot elements face when reforming these issues, Module Implants with Exploits!
and write into the firmware. and his down to earth approach Jeremy Johnson Gscript Walter Cuestas & Miguel Guirao
will bring the topic down to a level Joe Grand Mauricio Velazco Sergei Frankoff &
of humor and easy understanding. Vyrus, Dan Sean Wilson
Borges, & Alex
Levinson
70 71
-Demo labs-
#WIFICACTUS ANGAD: A MALWARE DETECTION Nishant Sharma, Jeswin Mathai home internet devices (IOT, Computers, Cellphones,
Saturday 08/11/18 from 1000-1150 at Table One FRAMEWORK USING MULTI- BLEMystique is an ESP32 based custom BLE target Tablets, etc). CHIRON is integrated with AKTAION
Offense, defense, hardware DIMENSIONAL VISUALIZATION which can be configured by the user to behave like which detects exploit delivery ransomware/phishing.
Saturday 08/11/18 from 1600-1750 at Table Two one of the multiple BLE devices. BLEMystique allows a https://github.com/jzadeh/chiron-elk
Mike Spicer
Defense, Forensics, Network, Malware
pentester to play with the BLE side of different kind of
The newly upgraded #WiFiCactus for DEF CON smart devices with a single piece of affordable ESP32 CLOUD SECURITY SUITE: ONE STOP
26 is a passive wireless monitoring backpack that Ankur Tyagi chip. BLEMystique contains multiple device profiles, TOOL FOR AWS, GCP & AZURE
listens to 60 channels of 2.4 and 5 gHz WiFi at the Angad is a framework to automate classification of an for example, Smart Lock, Smart health band, Smart
same time. New this year is the ability to capture bulb, Heart rate monitor, Smart Bottle and more.
SECURITY AUDIT
unlabelled malware dataset using multi-dimensional
Saturday 08/11/18 from 1200-1350 at Table Two
802.11AC traffic and upgrades to remove bandwidth modelling. The input dataset is analyzed to collect The BLEMystique code and manuals will be released to
bottlenecks. This tool uses Kismet to capture the various attributes which are then arranged in a number
Defense, Cloud professionals
general public. So, apart from using the pre-configured
data from the each radio and aggregates them into of feature vectors. These vectors are then individually Jayesh Singh Chauhan
devices, the users can also add support for devices
a single searchable web interface. This tool is also visualized, indexed and then queried for each new for their choice and use their ESP32 board for target Nowadays, cloud infrastructure is pretty much the
capable of identifying wireless threats, troubleshooting input file. Matching vectors are labelled as per their practice. In this manner, this tool can improve the de-facto service used by large/small companies. Most
complex wireless environments and helping with AV detection categories for now but this could be overall experience of learning BLE pentesting. of the organisations have partially or entirely moved
correlation analysis between Bluetooth and WiFi. changed to a heuristics approach if needed. If dynamic
to cloud. With more and more companies moving to
http://palshack.org/the-hashtag-wifi- behavior or network traffic details are available, BOOFUZZ cloud, the security of cloud becomes a major concern.
cactus-wificactus-def-con-25/ vectors are also converted into activity graphs that Saturday 08/11/18 from 1600-1750 at Table Five
depict evolution of activity with a predefined time While AWS, GCP & Azure provide you protection with
Vulnerability Analysis, AppSec, Offense.
ADRECON: ACTIVE DIRECTORY scale. This results into an animation of malware/ traditional security methodologies and have a neat
malware category’s behavior traits and is also useful in Joshua Pereyda structure for authorisation/configuration, their security
RECON is as robust as the person in-charge of creating/
identifying activity overlaps across the input dataset. boofuzz is an open source network protocol
Saturday 08/11/18 from 1200-1350 at Table Six
assigning these configuration policies. We all know,
Malware detection is a challenging task as the fuzzing framework, competing with closed source
Security professionals (Blue Team, Red Team), system administrators, etc.
human error is inevitable and any such human mistake
landscape is ever-evolving. Every other day, a new commercial products like Defensics and Peach.
Prashant Mahajan could lead to catastrophic damage to the environment.
variant or a known malware family is reported and Inheriting from the open source tools Spike
ADRecon is a tool which extracts various artifacts signature driven tools race against time to add Knowing this, audit of cloud infrastructure becomes
and Sulley, boofuzz improves on a long line
(as highlighted below) out of an AD environment in a detection. The process worsens when the rate of a hectic task! There are a few open source tools
of block-based fuzzing frameworks.
specially formatted Microsoft Excel report that includes incoming samples is in thousands on a daily basis, which help in cloud auditing but none of them have
summary views with metrics to facilitate analysis. The making static/dynamic analysis alone of no use. The framework allows hackers to specify protocol an exhaustive checklist. Also, collecting, setting up all
report can provide a holistic picture of the current formats, and boofuzz does the heavy lifting of generating the tools and looking at different result sets is a painful
Angad tries to address this issue by leveraging well-known mutations specific to the format. boofuzz makes
state of the target AD environment. The tool is useful task. Moreover, while maintaining big infrastructures,
data classification techniques to the malware domain. It developing protocol-specific “smart” fuzzers relatively
to various classes of security professionals like system system audit of server instances is a major task as well.
tries to provide a known interface to the multi-dimensional easy. Make no mistake, designing a smart network
administrators, security professionals, DFIR, etc. It CS Suite is a one stop tool for auditing the security
modelling approach within a standalone package. protocol fuzzer is no trivial task, but boofuzz provides
can also be an invaluable post-exploitation tool for a posture of the AWS/GCP/Azure infrastructures and
penetration tester. It can be run from any workstation https://github.com/7h3rAm/angad a solid foundation for producing quality fuzzers.
does OS audits as well. CS Suite leverages current
that is connected to the environment, even hosts that Written in Python, boofuzz builds on its predecessor, open source tools capabilities and has custom
are not domain members. Furthermore, the tool can ARCHERY: OPEN SOURCE Sulley, with key features including: checks added into one tool to rule them all.
be executed in the context of a non-privileged (i.e. VULNERABILITY ASSESSMENT AND
standard domain user) accounts. Fine Grained Password MANAGEMENT • Online documentation. https://github.com/SecurityFTW/cs-suite
Policy, LAPS and BitLocker may require Privileged user Saturday 08/11/18 from 1000-1150 at Table Two • More extensibility including support for
accounts. The tool will use Microsoft Remote Server arbitrary communications mediums.
CONFORMER
Offense
Administration Tools (RSAT) if available, otherwise it will Sunday 08/12/18 from 1000-1150 at Table Six
communicate with the Domain Controller using LDAP. Anand Tiwari • Built-in support for serial fuzzing, ethernet-
Offense, AppSec
and IP-layer, UDP broadcast.
The following information is gathered by the tool: Forest; Archery is an opensource vulnerability assessment Mikhail Burshteyn
Domain; Trusts; Sites; Subnets; Default Password and management tool which helps developers and • Much easier install experience!
pentesters to perform scans and manage vulnerabilities. Conformer is a penetration testing tool, mostly used
Policy; Fine Grained Password Policy (if implemented); • Far fewer bugs.
Archery uses popular opensource tools to perform for external assessments to perform password based
Domain Controllers, SMB versions, whether SMB
comprehensive scanning for web application and network. https://github.com/jtpereyda/boofuzz attacks against common webforms. Conformer was
Signing is supported and FSMO roles; Users and their
It also performs web application dynamic authenticated created from a need for password guessing against
attributes; Service Principal Names (SPNs); Groups
scanning and covers the whole applications by using CHIRON new web forms, without having to do prior burp work
and memberships; Organizational Units (OUs); ACLs
selenium. The developers can also utilize the tool for Sunday 08/12/18 from 1000-1150 at Table Three each time, and wanting to automate such attacks.
for the Domain, OUs, Root Containers and GroupPolicy
implementation of their DevOps CI/CD environment. Conformer is modular with many different parameters
objects; Group Policy Object details; DNS Zones and Defense
and options that can be customized to make for a
Records; Printers; Computers and their attributes; LAPS https://github.com/archerysec/archerysec/ Rod Soto, Joseph Zadeh powerful attack. Conformer has been used in countless
passwords (if implemented); BitLocker Recovery Keys
Home-based open source network analytics assessments to obtain valid user credentials for
(if implemented); and GPOReport (requires RSAT). BLEMYSTIQUE: AFFORDABLE and machine learning threat detection. accessing the internal environment through VPN, other
https://github.com/sense-of-security/ADRecon CUSTOM BLE TARGET internal resources or data to further the assessment.
Saturday 08/11/18 from 1200-1350 at Table Five CHIRON is a home analytics based on ELK stack
combined with Machine Learning threat detection https://github.com/mikhbur/conformer
Attack and Defence
framework AKTAION. CHIRON parses and displays
data from P0f, Nmap, and BRO IDS. CHIRON is
designed for home use and will give great visibility to
72 73
-Demo labs-
DEJAVU: AN OPEN SOURCE We’ve also added some cool feature like Hashcat support, capture file (pcap) of the network and tries to identify HALCYON IDE
DECEPTION FRAMEWORK Karma, and SSID cloaking, as well as an extended UI normal traffic profile. According to results, it creates Saturday 08/11/18 from 1000-1150 at Table Six
Sunday 08/12/18 from 1200-1350 at Table Three and config management system for advanced users who an Empire HTTP listener with appropriate options. Offense, Defense, AppSec, Network Security, Nmap Scanners & Developers
Offense/Defense
require granular control over their rogue access points.
GREYNOISE Sanoop Thomas
Bhadreshkumar Patel, Harish Ramadoss To check out the codebase, head to https://
github.com/s0lst1c3/eaphammer Saturday 08/11/18 from 1200-1350 at Table Three Halcyon IDE lets you quickly and easily develop Nmap
Deception techniques—if deployed well—can be very Defenders, blue teamers, SOC and network analysts scripts for performing advanced scans on applications
effective for organizations to improve network defense EXPL-IOT: IOT SECURITY TESTING and infrastructures with a wide range capabilities from
Andrew Morris
and can be a useful arsenal for blue teams to detect recon to exploitation. It is the first IDE released exclusively
AND EXPLOITATION FRAMEWORK
attacks at very early stage of cyber kill chain. But the GreyNoise is a system that collects all of the background for Nmap script development. Halcyon IDE is free and
Sunday 08/12/18 from 1200-1350 at Table Two
challenge we have seen is deploying, managing and noise of the Internet. Using a large network of open source project (always will be) released under
administering decoys across large networks. Although
IoT Testers- Pentesters- IoT developers- Offense- Hardware
geographically and logically dispersed passive collector MIT license to provide an easier development interface
there are lot of commercial tools in this space, we haven’t Aseem Jakhar nodes, GreyNoise collects, labels, and analyzes all of for rapidly growing information security community
come across open source tools which can achieve this. the omnidirectional, indiscriminate Internet-wide scan around the world. The project was initially started as an
Expl-iot is an open source flexible and extendable
and attack traffic. GreyNoise data can be used to filter evening free time “coffee shop” project and has taken
With this in mind, we have developed DejaVu which is an framework for IoT Security Testing and exploitation. It will
pointless alerts in the SOC, identify compromised devices, a serious step for its developer/contributors to spend
open source deception framework which can be used to provide the building block for writing exploits and other
pinpoint targeted reconnaissance, track emerging threats, dedicated time for its improvements very actively. More
deploy, configure and administer decoys centrally across IoT security assessment test cases with ease. Expliot will
and quantify vulnerability weaponization timelines. information and source code: https://halcyon-ide.org
the infrastructure. A web-based management console can support most IoT communication protocols, firmware
be used by the defender to deploy multiple interactive analysis, hardware interfacing functionality and test cases https://greynoise.io/ https://halcyon-ide.org
decoys (HTTP Servers,SQL,SMB,FTP,SSH,client side– that can be used from within the framework to quickly
NBNS) strategically across their network on different map and exploit an IoT product or IoT Infrastructure.It will GYOITHON HEALTHYPI: CONNECTED HEALTH
VLANs. Logging and alerting dashboard displays help the security community in writing quick IoT test cases Sunday 08/12/18 from 1000-1150 at Table Two Saturday 08/11/18 from 1400-1550 at Table Four
detailed information about the alerts generated and and exploits. The objectives of the framework are: 1. Easy Offense Hardware and biohacking
can be further configured to generate high accuracy of use 2. Extendable 3. Support for hardware, radio and
Isao Takaesu, Masuya Masafumi, Toshitsugu Yoneyama Ashwin K Whitchurch
alert; and how these alerts should be handled. IoT protocol analysisWe released Expl-iot ruby version in
2017. Once we started implementing hardware and radio GyoiThon is a fully automated penetration We (at ProtoCentral) developed the HealthyPi HAT for
Decoys can also be placed on the client VLANs to detect
functionality, we realized that ruby does not have much testing tool against web server. the Raspberry Pi as a way of opening up the healthcare
client side attacks such as responder/LLMNR attacks
support for hardware and radio analysis which led us to and open source medical to anyone. The HealthyPi
using client side decoys. Additionally, common attacks GyoiThon nondestructively identifies the software installed
deprecate it and re-write it in python to support more is made of the same “medical-grade” components
which the adversary uses to compromise such as abusing on web server (OS, Middleware, Framework, CMS,
functionality. We are currently working on the python3 found in regular vital sign monitors, for a fraction of the
Tomcat/SQL server for initial foothold can be deployed etc...) using multiple methods such as machine learning,
version and will release it in a month. The new beta cost of such system. This is our way of democratizing
as decoys, luring the attacker and enabling detection. Google Hacking, pattern matching. After that, GyoiThon
release is envisioned to have support for UART(serial), medical hardware to develop new areas of research.
executes valid exploits for the identified software. Finally,
https://github.com/bhdresh/Dejavu ZigBee, BLE, MQTT, CoAP (next version will have support
GyoiThon generates report of scan results. GyoiThon Our objective when we began developing the HealthyPi
for JTAG, I2C and SPI) and few miscellaneous test cases.
executes the above processing fully automatically. was to make a simple vital sign monitoring system
EAPHAMMER
https://bitbucket.org/aseemjakhar/expliot_framework which is simple, affordable, open-source (important
Saturday 08/11/18 from 1400-1550 at Table One GyoiThon consists of three engines:
!) and accessible. HealthyPI is completely open-
Offensive security professionals, red teamers, penetration testers, researchers. • Software analysis engine: It identifies software source and is our way of “hacking” patient monitoring
• ExplIoT
Gabriel Ryan based on HTTP response obtained by normal access systems by getting data that you need, in the way
• IoT Exploitation Framework
to web server using Machine Learning base and that you need and extending on that without getting
EAPHammer is a toolkit for performing targeted evil • DIVA Android (Damn Insecure and
signature base. In addition, it uses Google Hacking. involved in sticky proprietary NDAs and such.
twin attacks against WPA2-Enterprise networks. It is Vulnerable App)- Jugaad/Indroid
designed to be used in full scope wireless assessments • Linux Thread injection kit for x86 and ARM • Vulnerability determination engine: It collects *Demo will allow people to come, check out and
and red team engagements. As such, focus is placed • Dexfuzzer vulnerability information corresponding to identified play with (and possibly hack) the HealthyPi device
on providing an easy-to-use interface that can be • Dex file format fuzzer software by the software analysis engine. And, while getting their vital signs monitored.*
leveraged to execute powerful wireless attacks with it executes an exploit corresponding to the
https://github.com/Protocentral/protocentral-healthypi-v3
minimal manual configuration. To illustrate how fast FIRSTORDER vulnerability of the software and checks whether
this tool is, here’s an example of how to setup and Saturday 08/11/18 from 1000-1150 at Table Three the software is affected by the vulnerability. Honeycomb: An extensible honeypot framework
execute a credential stealing evil twin attack against Offense • Report generation engine: It generates Saturday 08/11/18 from 1600-1750 at Table Three
a WPA2-EAP network in just two commands: a report that summarizes the risks of
Utku Sen, Gozde Sinturk Incident Responders, Security Researchers, Developers
# generate certificates vulnerabilities and the countermeasure.
./eaphammer --cert-wizard Perimeter defenses are holding an important role in Omer Cohen, Imri Goldberg
# launch attack computer security. However, when we check the method Traditional penetration testing tools are very
./eaphammer -i wlan0 --channel 4 --auth of APT groups, a single spear-phishing usually enough to inefficient because they execute all signatures. On We present Honeycomb—A repository of
wpa --essid CorpWifi --creds gain a foothold on the network. Therefore, red teams are the other hand, GyoiThon is very efficient because honeypot services and integrations for the
mostly focused on “assume breach” type of scenarios. In it executes only valid exploits for the identified information security community.
EAPHammer’s userbase has doubled since its software. As a result, the user’s burden will be greatly
these scenarios, testers need to use a post-exploitation Our vision: Honeycomb will be the
debut in early 2017, and the project has matured reduce, and GyoiThon will greatly contribute to the
framework. Besides that, testers also need to hide pip or apt-get for honeypots.
substantially to meet this demand. It is now the security improvement of many web servers.
the server-agent communication from NIDS (Network
first rogue AP attack tool to offer out-of-the-box While working hard to create various honeypots for
Intrusion Detection Systems). firstorder is designed to https://github.com/gyoisamurai/GyoiThon
support for attacks against 802.11n/ac. Most of the several high profile vulnerabilities, we realized we were
evade Empire’s C2-Agent communication from anomaly-
added complexity associated with these protocols repeating some of the underlying work that’s involved
based intrusion detection systems. It takes a traffic
is managed automatically by EAPHammer. in creating a honeypot—a useful honeypot is easy to
74 75
-Demo labs-
deploy, configure and collects reports. We have these The largest known deployment (made by a different realistic clients and access points. Together with the analyzer and threat hunter. PA Toolkit contains
capabilities in Cymmetria’s commercial deception less efficient program) is 160 TB. It is assumed that general collection of all 802.11 management frames plugins (both dissectors and taps) covering various
product but we wanted to open source this functionality people are running similar ones to attack brain wallets. already offered in the existing release, nzyme now scenarios for multiple protocols, including:
to the community so everyone could benefit from it. replays all relevant communication to and from our
https://tobtu.com/lhtcalc.php • WiFi (WiFi network summary, Detecting
decoy transceivers to a log management system like
Eventually came the idea for honeycomb—an beacon, deauth floods, Evil twin etc.)
Graylog for analysis and alerting. This combination allows
extensible platform for writing honeypots which LOCAL SHERIFF • VoIP ( Overview of extensions, servers, Detecting
tricking attackers into revealing themselves by leaving
comes with a repository of useful honeypots which Saturday 08/11/18 from 1000-1150 at Table Five
easy to identify traces during all exploitation phases. invite flood, message flood, SIP auth bruteforcing,
makes it super easy to create new honeypots. Target audience would be AppSec, Code Assesments, and privacy researchers. Decrypting encrypted VoIP conversation)
Honeycomb and the honeypot repository together Applying WiFi deception to defensive perimeters gives
form a powerful tool for security professionals looking Konark Modi the blue team a chance to reveal, delay, and condition • HTTP (Listing all visited websites, downloaded
to gain threat intelligence on the latest threats. Think of Local sheriff as a reconnaissance attackers.https://wtf.horse/2017/10/02/introducing- files, streaming files, Detecting HTTP Tunnels)
tool in your browser for gathering information nzyme-wifi-802-11-frame-recording-and-forensics/ • HTTPS (Listing all websites opened on
We are currently in the process of finalizing the
release of the project and working on releasing about what companies know about you. HTTPS, Detecting self-signed certificates)
additional plugins. Join us to learn how to utilize
GUI TOOL FOR OPENC2 COMMAND
While you as a user normally browse the internet it works • ARP (MAC-IP table, Detect MAC
existing honeycomb capabilities as well as writing in the background and helps you identify what sensitive
GENERATION
spoofing and ARP poisoning)
honeypot services and integrations on your own! Sunday 08/12/18 from 1200-1350 at Table Six
information(PII—Name, Date Of Birth, Email, Passwords,
Passport number, Auth tokens.) are being shared/leaked Defense • DNS (Listing DNS servers used and DNS
https://github.com/Cymmetria/honeycomb resolution, Detecting DNS Tunnels)
to which all third-parties and by which all websites. Efrain Ortiz
IOC2RPZ The issues that Local Sheriff helps identify: The key advantage of using PA toolkit is that any
The tool is a stand alone web self service application
Saturday 08/11/18 from 1400-1550 at Table Three user can check security related summary and detect
• What sensitive information with is that graphically represents all the evolving OpenC2
common attacks just by running Wireshark. And, he
Defence/Network security
being shared this which parties? commands to allow OpenC2 application developers
can do this on the platform of his choice. Also, as the
to click and generate OpenC2 commands. The tool
Vadim Pavlov
• What companies are behind these third parties? project is open source and written in newbie-friendly
makes it extremely easy for even beginners to work
DNS is the control plane of the Internet. Lua language, one can easily extend existing plugins
• What can they doing with this information? EG: de- on the creation of OpenC2 commands. The tool
Usually DNS is used for good but: or reuse the code to write plugins of his own.
anonymize users on the internet, create shadow profiles. provides the OpenC2 command output in JSON and
• It can be used to track users in curl, nodejs and python code to be easily integrate
Local Sheriff can also be used by organizations to audit: into Incident Response or Orchestration platforms.
PASSIONFRUIT
locations and their behaviour; Sunday 08/12/18 from 1000-1150 at Table Five
• Which all the third-parties that are https://github.com/netcoredor/openc2-cmdgen
• Malware uses DNS to command and being used on their websites. iOS reverse engineer, Mobile security research
control, exfiltrate data or redirect traffic;
ORTHRUS Zhi Zhou, Yifeng Zhang
• The third-parties on the websites are implemented
• According with 2016 Cisco annual security in a way that respect user’s privacy and Saturday 08/11/18 from 1000-1150 at Table Four Passionfruit is a cross-platform app analyze tool for
report, 91.3% of malware use DNS; sensitive data is not being leaked to them. InfoSec iOS. It aims to provide a powerful and user friendly
• Advertisements companies usually use Local Sheriff is a web-extension that can gui for app pentesting and reverse engineering. In
Nick Sayer
separate and obscure domains to show ads; used with Chrome, Opera, Firefox. this demo we’ll cover the most common tasks in iOS
Orthrus is a small appliance that allows the user to RE, like dumping decrypted apps from AppStore,
• Free DNS services (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9 etc) https://github.com/cliqz-oss/local-sheriff create a cryptographically secured USB volume from exploring filesystem and other runtime introspections.
can help you to address some concerns but you can
two microSD cards. The data on the two cards is
not define your own protection settings or ad filters. NZYME https://github.com/chaitin/passionfruit
encrypted with AES-256 XEX mode, and all of the
ioc2rpz is a custom DNS server which automatically Sunday 08/12/18 from 1000-1150 at Table One key material used to derive the volume key is spread
converts indicators (e.g. malicious FQDNs, IPs) from between the two cards. There are no passwords to
PCILEECH
Defense, RF, WiFi/802.11
various sources into RPZ feeds and automatically Sunday 08/12/18 from 1000-1150 at Table Four
manage. If you have both cards, you have everything.
Lennart Koopmann
maintains/updates them. The feeds can be distributed If you have only one, you have half the data encrypted Offense, Hardware, DFIR
to any open source and/or commercial DNS servers Detecting attackers who use WiFi as a vector is hard with a key you cannot reconstruct. This allows for Ulf Frisk, Ian Vitek
which support RPZ, e.g. ISC Bind, PowerDNS. because of security issues inherent in the 802.11 protocol, “two-man control” over a dataset. Orthrus itself has no
as well as commoditized ways of near-perfect spoofing keys of its own and a volume created or written with The PCILeech direct memory access attack toolkit
You can run your own DNS server with RPZ was presented at DEF CON 24 and quickly became
of WiFi enabled devices. Security professionals work one Orthrus can be used with any other (or on any other
filtering on a router, desktop, server and even popular amongst red teamers and governments alike.
around this by treating WiFi traffic as insecure and thing that implements the Orthrus open specification).
Arduino. System memory is the only limitation. Hardware sold out, FPGA support was introduced
encrypting data on higher layers of the protocol stack. Orthrus is open source hardware and firmware.
With ioc2rpz you can define your own feeds, Sophisticated attackers do not limit their efforts to and devices are once again available! We will
actions and prevent undesired communications. https://hackaday.io/project/20772-orthrus demonstrate how to take total control of still vulnerable
jamming or tapping of wireless communication, but try
to use deception techniques to trick human operators of systems via PCIe DMA code injection. Kernels will
https://github.com/Homas/ioc2rpz PA TOOLKIT: WIRESHARK PLUGINS be subverted, full disk encryption defeated and
WiFi devices into revealing secrets. The list of attacks that
are possible after a user has been convinced to connect FOR PENTESTERS shells spawned! Processes will be enumerated and
LHT (LOSSY HASH TABLE) Saturday 08/11/18 from 1600-1750 at Table Six their virtual memory abused—all by using affordable
to a rogue access point that is under the attacker’s
Saturday 08/11/18 from 1400-1550 at Table Six hardware and the open source PCILeech toolkit.
control ranges from DNS spoofing to crafted captive Defence
Offense
portals that can be used for classic phishing attempts. Nishant Sharma, Jeswin Mathai http://github.com/ufrisk/pcileech
Steve Thomas
This is why the new nzyme release introduces its own PA Toolkit is a collection of traffic analysis plugins to
Cracks passwords or keys from a small key space near set of WiFi deception techniques. It is turning the extend the functionality of Wireshark from a micro-
instantly. A small key space being a few trillion (40+ tables and attempts to trick attackers into attacking our analysis tool and protocol dissector to the macro
bits). It costs about 3 bytes/key and usually <100ms. own simulated, wireless infrastructure that resembles
76 77
-Demo labs-
SH00T: AN OPEN PLATFORM FOR WALRUS WIPI-HUNTER: IT STRIKES AGAINST PiSavar: Detects activities of PineAP module and
MANUAL SECURITY TESTERS & BUG Saturday 08/11/18 from 1400-1550 at Table Five ILLEGAL WIRELESS NETWORK starts deauthentication attack (for fake access
HUNTERS Offense (physical security assessors), Defense (contactless access control system ACTIVITIES (DETECT AND ACTIVE points - WiFi Pineapple Activities Detection)
Saturday 08/11/18 from 1400-1550 at Table Two users)
RESPONSE) PiFinger: Searches for illegal wireless activities in networks
AppSec, Mobile and Offensive security Daniel Underhay, Matthew Daley Saturday 08/11/18 from 1600-1750 at Table One you are connected and calculate wireless network
Walrus is an open-source Android app for contactless Offense, Defense security score (detect wifi pineapple and other fakeAPs)
Pavan Mohan
card cloning devices such as the Proxmark3 and Besim Altinok, Mehmet Kutlay Kocer, M.Can KURNAZ PiDense: Monitor illegal wireless network
An open platform for bug hunters emphasizing
Chameleon Mini. Using a simple interface in the activities. (Fake Access Points)
on manual security testing. WiPi Hunter is developed for detecting illegal wireless
style of Google Pay, access control cards can be
network activities. But, it shouldn’t be seen only as a PiKarma: Detects wireless network attacks
Sh00t is a dynamic task manager to replace simple text read into a wallet to be written or emulated later.
piece of code. Instead, actually, it is a philosophy. You performed by KARMA module (fake AP). Starts
editors or task management tools that are NOT meant
Designed for physical security assessors during red can infere from this project new wireless network illegal deauthentication attack (for fake access points)
for security testing provides checklists for security
team engagements, Walrus supports basic tasks such activity detection methods. New methods new ideas and
testing helps in reporting with custom bug templates PiNokyo: If threats like wifi pineapple attacks or
as card reading, writing and emulation, as well as different point of views can be obtained from this project.
Sh00t benefits best for pen testers, bug bounty hunters, karma attacks are active around, users will be
device-specific functionality such as antenna tuning
security researchers and anybody who love bugs! Example: WiFi Pineapple attacks, Fruitywifi, mana-toolkit informed about these threats.Like proxy (New)
and device configuration. More advanced functionality
Written in Python and powered by such as location tagging makes handling multiple WiPi-Hunter Modules: https://github.com/WiPi-Hunter
Django web framework.. targets easy, while bulk reading allows the stealthy
capture of multiple cards while “war-walking” a target.
SWISSDUINO: STEALTHY USB HID We’ll be demoing Walrus live with multiple short-
NETWORKING & ATTACK and long-range card cloning devices, as well as
Saturday 08/11/18 from 1600-1750 at Table Four giving a sneak peek of future plans for the app.
Offense
https://walrus.app/
Mike Westmacott
The Swissduino is a set of tools on an Arduino Yun WHID INJECTOR: HOT TO BRING HID
that allow for the upload of binaries to target systems ATTACKS TO THE NEXT LEVEL
remotely via USB HID Keyboard, and then provide TCP Saturday 08/11/18 from 1200-1350 at Table Four
connectivity between the remote attacker system and the Red Teams, Blue Teams and Hardware Hackers.
target purely through USB HID. The demonstration shows
Luca Bongiorni
a Metasploit Meterpreter stub being uploaded, and then
actively used without triggering anti-virus (Win 7 host…). Nowadays, security threats and cyber-attacks
against ICS assets, became a topic of public interest
New for 2018: (In development) Expanded toolset
worldwide. Within this demo, will be presented how
that allows for password extraction from login and
HID attacks can still be used by threat actors to
automated installation of toolkit in Windows 10 with
compromise industrial air-gapped environments.
anti-malware/local firewall, also targeting of Linux.
WHID Injector was born from the need for a cheap and
TRACKERJACKER dedicated hardware that could be remotely controlled
Saturday 08/11/18 from 1200-1350 at Table One in order to conduct HID attacks. WHID’s core is mainly
an Atmega 32u4 (commonly used in many Arduino
Offensive and Defensive Wireless Hackers
boards) and an ESP-12s (which provides the WiFi https://infocon.org/ is a community Want in on the file action? Check out:
Caleb Madrigal capabilities and is commonly used in IoT projects). supported archive of hacker and
trackerjacker is a new wifi tool that allows you to (a) Nontheless, during the last months, a new infosec related conferences, podcasts, - The con media server, https://dc26-
see all wifi devices and which wifi networks they’re hardware was under R&D (i.e. WHID-Elite). It documentaries, and rainbow tables. media.defcon.org/
connected to, along with how much data they’ve sent, replaces the Wi-Fi capabilities with a 2G baseband,
how close by they are, etc, and (b) look for interesting which gives unlimited operational range. - The Data Duplication Village for 6TB
traffic patterns and trigger arbitrary actions based on Video is transcoded to HEVC (H.265)
those patterns. The “mapping” functionality is sort of This cute piece of hardware is perfect to be concealed format to save space, put on our web HDD duplication
like nmap for wifi—it lists all wifi networks nearby, and into USB gadgets and used during engagements to get
remote shell over an air-gapped environment. In practice, server, and torrents are created to - https://infocon.org/ for the latest files
under each network it lists all the clients connected to
that network. The “trigger” functionality allows users is the “wet dream” of any ICS Red Teamer out there. share. and torrents
to do things like “if this device sends more than 10000 During the demo we will see in depth how WHID and
bytes in 30 seconds, do something”. It also includes a WHID-Elite were designed and their functionalities. We Currently hosting: See something we are not hosting?
powerful Python plugin system that makes it simple to will also look at which tools and techniques Blue Teams
write plugins to do things like “if I see an Apple device can use to detect and mitigate this kind of attacks. 151 conference, 59,520 files, 3.51 TB Tell us about it so we can add it to the
with a power level greater than -40dBm, deauth it”. If archive. email [email protected] or on
https://github.com/whid-injector/WHID
you want to do any sort of wifi recon/monitoring/hacking, 50+ podcasts, 20,000+ files, 800+ Gigs twitter DM @ infoconorg
trackerjacker will almost certainly make the job easier!
https://github.com/calebmadrigal/trackerjacker 5 rainbow tables, 19,869 files, 10.3 TB
New for 2018, infocon.org is reachable as a v3 Tor onion at:

http://w27irt6ldaydjoacyovepuzlethuoypazhhbot6tljuywy52emetn7qd.onion/
78 79
-Purveyors of fine
-Vendors- hacker-related merchandise-
toorcon, phreaknic, or other conferences we have technology challenges for various non-profits and
B R E AK P O I NT BO O K S been at, you definitely know what so of shenanigans provide equipment, job training and computer K E YP O R T Ç
we are up to. If you have never seen us, feel free to education to the world’s poorest citizens.
come by and take a look at what we have to offer.
http://breakpointbooks.com/ https://www.mykeyport.com/
Always fun, always contemporary, GhettoGeeks has
Stop by and browse the wide HAK 5 Keyport® combines
some for the tech enthusiast (or if you prefer, hacker)
selection of security-related books keys, pocket tools, &
on display this weekend. The smart tech into one
latest and greatest books available https://www.hak5.org/ everyday multi-tool. This
G U N NAR Complete your Hacking
in the industry also include books year we are bringing our
authored by Def Con presenters. Arsenal with tools from brand new modular product line including the Keyport
Check out the wide selection of https://gunnar.com/ Hak5 - makers of the Slide 3.0 & Keyport Pivot (holds your existing keys),
games available – strategy, card, infamous WiFi Pineapple, along with our new tech & tool modules which includes
dice, and deck-building. Buy a USB Rubber Ducky, a Pocketknife, Bluetooth Locator, and Mini-Flashlight.
game and start playing today. and newly released Sign up for our new Maker Program and design/
GUNNAR Optiks is the only patented computer LAN Turtle. The Hak5 hack/build you’re own compatible Keyport modules.
eyewear recommended by doctors to protect and crew, including hosts Darren Kitchen, Shannon Morse Don’t forget to bring your keys to the vendor area!
CAP ITO L TE CH N O LOGY enhance your vision. Our premium computer eyewear and Patrick Norton, are VENDING ALL THE THINGS
U N IVE R S IT Y defends eyes from the effects of digital eye strain and celebrating 10 year of Hak5! Come say EHLO
which can include; dry eyes, headaches, blurry and check out our sweet new tactical hacking gear! N O S TAR CH P R E S S
vision, eye fatigue, altered Circadian Rhythms, and Everything from WiFi Hot-Spot Honey-Pots to Keystroke
https://www.captechu.edu/ Injection tools, Software Defined Radios and Covert
insomnia. End the pain of DIGITAL EYE STRAIN. https://www.nostarch.com/
Capitol Technology LAN Hijackers are available at the Hak5 booth.
University, located in Laurel Thanks to you, we’ve been
Maryland, offers degrees in publishing books for hackers
HACK E R BOXE S
engineering, computer science, HAR DWAR E ZO O since 1994. Our titles have
cybersecurity, and business. personality, our authors are
www.hackerboxes.com Did someone say badges? Check out our unique passionate, and our books
Offering online certificates,
blinky badges and add-ons before they’re all gone! tackle topics that people
bachelor’s and master’s degrees, HackerBoxes is the subscription
which includes a master’s box service for DIY electronics care about. We read and edit
in astronautical engineering. and hardware hacking. Each everything we publish—titles
As well as doctoral programs in cybersecurity and monthly HackerBox includes like Gray Hat C#, Hacking: The
management and decision sciences. Capitol is regionally a carefully curated collection H E ALTH Y M E NTAL S Art of Exploitation, Automate
accredited by Middle States Association of Colleges. of projects, components, the Boring Stuff with Python,
modules, tools, supplies, and exclusive items. https://healthymentals.com/ Python Crash Course, The Hardware Hacker, and more.
HackerBox Hackers are electronics hobbyists, makers, This year we’re excited to release the PoC||GTFO bible;
Healthy Mentals offers
E FF hardware hackers, and computer enthusiasts. Many complete with a leatherette cover, ribbon bookmark,
nootropics and other
connect through social media channels to create a and gilded pages. It’s packed with missives from your
supplements.
community of experience, support, and ideas. Let’s favorite hackers. Everything in our booth is at least 30%
https://www.eff.org/
see what you make with your HackerBoxes. off and all print purchases include DRM-free ebooks.
The Electronic Frontier We’ve got new swag and early access print editions of
Foundation (EFF) is the forthcoming titles like Serious Cryptography, Attacking
leading organization HACK E R WAR E H O U S E Network Protocols, and Rootkits and Bootkits.
defending civil liberties in H U MAN R IG HTS FO U N DATI O N
the digital world. We defend
free speech on the Internet, http://hackerwarehouse.com/ OWA S P
fight illegal surveillance, support freedom-enhancing HACKER WAREHOUSE https://www.hrf.org/
technologies, promote the rights of digital innovators, and is your one stop shop Human Rights OWASP is the thriving global community
work to ensure that the rights and freedoms we enjoy are for hacking equipment. Foundation (HRF) that drives visibility and evolution in
enhanced, rather than eroded, as our use of technology We understand the is a nonpartisan the safety and security of the world’s
grows. Stop by our table to find out more, pick up some importance of tools nonprofit organization software. We are run by rough consensus
gear, or even support EFF as an official member. and gear which is why that promotes and & running code. Our community
we carry only the highest quality gear from the best protects human supports hackers, developers, and
brands in the industry. From WiFi Hacking to Hardware rights globally, with defenders in the security industry.
G H E T TO G E E K S Hacking to Lock Picks, we carry equipment that all a focus on closed societies. HRF unites people in the
hackers need. Check us out at HackerWarehouse.com. common cause of defending human rights and promoting
liberal democracy. Its mission is to ensure that freedom N UAN D
is both preserved and promoted around the world.
HACK E R S FO R CHAR IT Y https://www.nuand.com/
Nuand develops Software
Well we’re back at it again, and have been working http://www.hackersforcharity.org/ Defined Radio (SDR) platforms
hard all year to bring you the freshest awesome that Hackers for Charity for students, hobbyists,
we can. If you have been to DEF CON, layerone, is a non-profit and professionals. Their
organization that main offering, the bladeRF,
leverages the skills of
technologists. We solve
80 81
-Purveyors of fine
-Vendors- hacker-related merchandise-
is a versatile USB 3.0 device that provides a 300 MHz Titanium toolsets, Entry Tools, Practice locks, Bypass with expertise in both security and privacy. Our
to 3.8 GHz tuning range, full duplex operation, 12- tools, Urban Escape & Evasion hardware and items that UAT work includes education, mentoring & networking,
bit samples at up to 40 MSPS, and an instantaneous until recently were sales restricted. SPARROWS LOCK career advancement, leadership, and research. To
bandwidth up to 28 MHz. This device has found a PICKS and TOOLS will be displaying a full range of gear learn more, visit us at https://www.wisporg.com.
http://www.uat.edu/
home in application domains including GSM and including their newly released Core Shims., Sandman
LTE base stations, digital television, GPS simulation, and Lock Outs. The WOLF will also be available to The University of Advancing
medical imaging research, and wireless security. the public for the first time in limited quantities. All Technology (UAT) is a private
Check out their booth to see demos and learn more! products will be demonstrated at various times and university located in Tempe,
AT TI F Y
can be personally tested for use and efficacy. Arizona, offering academic
degrees focused on new and
R AP I D7 emerging technology disciplines.
UAT offers a robust suite of
CLO U D F L AR E
S HAD OW VE X I N D U S TR I E S
regionally accredited graduate
https://www.rapid7.com/ and undergraduate courses
http://store.shadowvexindustries.com/ ranging from Computer Science and Information Security DAR K N E T LLC
Shadowvex Industries to Gaming and New Media. UAT has been designated
(SVX) - more than 20 years as a Center for Academic Excellence in Information
of pouring blood, sweat & Systems Security Education by the US National Security FREENODE
Rapid7 cybersecurity analytics software and services gears into hacker-relevant, Agency. Programs are available online and on-campus.
reduce threat exposure and detect compromise for 4,150 limited edition clothing, DJ mixes, stickers, buttons, art
organizations, including 34% of the Fortune 1000. From prints and more. Miss DJ Jackalope, aka DEFCON’s HACK E R S TI CK E R S
the endpoint to cloud, we provide comprehensive real- resident DJ mixtress, has been teaming up 3 6 0 U N I CO R N TE AM
time data collection, advanced correlation, and unique with us for more than a decade with her
insight into attacker techniques to fix critical vulnerabilities, own DJ mixes and awesome swag. Follow
http://unicorn.360.cn/
stop attacks, and advance security programs. the music in the vending area to find our
booth! If you want to bring home your 360 Security Research
piece of DEFCON history, you need to get Innovation Alliance K I N K AYO
S CAM S TU FF here early - our year-specific designs are consists of many teams,
only available @DEFCON and only while supplies last! UnicornTeam, RocTeam
and PegasusTeam are MALI CI O U S LI F E P O D CA S T
http://scamstuff.com among them, each team
Scam Stuff is gear for the modern rogue: S I M P LE WI FI boosts many brilliant
magic tricks, lockpicking, puzzle boxes, researchers in their S E CU R IT Y WE E K LY
clever novelty items, spy gear, and more! if it’s corresponding field of focus.
designed to get you ahead, you’ll find it here. https://www.simplewifi.com/
UnicornTeam is focusing on wireless security they
For PenTesting assess the security of anything that uses radio S EWA S H R E E
and unwired technologies, from small things like RFID, NFC and
Internet Security WSN to big things like GPS, UAV, Smart Cars, Telecom
Specialists: Wireless, WiFi antennas, cables, and SATCOM. They have presented their researches at
connectors, USB and Ethernet wireless high power
TH E CALY X I N S TITUTE
S E CU R IT Y S N O B S premier security conferences like Blackhat, DEFCON,
cards and devices, other interesting goodies to be HITB, CanSecWest, RuxCon, POC, SyScan360 etc.
seen only at the table! And new design T-shirts.
https://securitysnobs.com/ RocTeam is focusing on hardware security TE N CE NT
research and the R&D of hardwares that can
Security Snobs offers High
be used for defensive and offensive purposes,
Security Mechanical Locks TO O O L
they built many hardware security gadgets.
and Physical Security
Products including PegasusTeam is focusing on wireless intrusion prevention,
http://toool.us/ wireless threat sensing and wireless penetration test. They
door locks, padlocks,
The Open have designed and built ‘MianYangQiang’ to demonstrate
cutaways, security devices, and more. We feature the
Organisation Of the threats of public WIFI, wireless honeypot, wireless
latest in security items including top brands like Abloy,
Lockpickers is back intrusion prevention system ‘360TianXun’ which have
BiLock, EVVA, KeyPort, Mobeye, Anchor Las, and Sargent
as always, offering a been widely deployed city wide and in enterprises.
and Greenleaf. Visit https://SecuritySnobs.com for our
wide selection of tasty
complete range of products. Stop by to see the new and
lock goodies for both
coming soon products in high security and con specials!
the novice and master lockpicker! A variety of commercial WI S P
picks, handmade picks, custom designs, practice locks,
S E R E P I CK handcuffs, cutaways, and other neat tools will be available
https://www.wisporg.com/
for your perusing and enjoyment! Stop by our table for
interactive demos of this fine lockpicking gear or just to Women in Security and
http://www.serepick.com/ pick up a T-shirt and show your support for locksport. Privacy (WISP) is a fiscally
With the largest selection of lock sponsored non-profit
All sales exclusively benefit TOOOL, a 501(c)3
picks, covert entry and SERE project of Community
non-profit organization. You can purchase picks
tools available at DEF CON it¹s Initiatives (501(c)(3)).
from many fine vendors, but ours is the only
guaranteed we will have gear WISP advances women
table where you know that 100% of your money
you have not seen before. New to lead the future of security and privacy. We believe
goes directly back to the hacker community.
tools and classics will be on that empowerment requires the inclusion of all women,
display and available for sale in
82 a hands on environment. Our 83
FIRESIDE
HAX -thursday- -friday-
DEF CON 101 Track 1 Track 2 Track 3
FRIDAY
101 Track Synfuzz: Building a Badge/DT Welcome De-anonymizing Program- Securing our Nation’s
Grammar Based Re-tar- mers from Source Code Election Infrastructure
10:00
OH NOES! A ROLE PLAYING INCIDENT ThinSIM-based Attacks on Mobile Money Systems getable Test Generation and Binaries
RESPONSE GAME Framework Jeanette Manfra
10:00
Rowan Phipps Rachel Greenstadt & Dr. Aylin
20:00-22:00 in Roman Chillout
Joe Rozner Caliskan
Bruce Potter Please do not Duplicate:

Attacking the Knox Box
10:30
and other keyed alike
D0 N0 H4RM: A HEALTHCARE Pwning “the toughest target”: the exploit chain of systems
SECURITY CONVERSATION winning the largest bug bounty in the history of ASR
11:00
20:00-22:00 in Octavius 9 program m010ch_
Guang Gong
Christian “quaddi” Dameff MD & Jeff “r3plicant” Tully An Attacker Looks at NSA Talks Cybersecurity One-liners to Rule Them Lora Smart Water Meter
MD Docker: Approaching All Security Analysis
11:00
Multi-Container Appli- Rob Joyce
Ring 0/-2 Rootkits: bypassing defenses cations Egypt Yingtao Zeng
DISRUPTING THE DIGITAL DYSTOPIA
12:00
OR WHAT THE HELL IS HAPPENING IN Alexandre Borges
Wesley McGrew
COMPUTER LAW
20:00-22:00 in Octavius 13 It's Assembler, Jim, but Vulnerable Out of the Box: Breaking Paser Logic: Who Controls the Control-
not as we know it: (ab) An Evaluation of Android Take Your Path Normal- lers - Hacking Crestron
12:00
Nathan White & Nate Cardozo using binaries from Carrier Devices ization Off and Pop 0days IoT Automation Systems
A Journey Into Hexagon: Dissecting a Qualcomm embedded devices for fun Out!
Baseband and profit Ryan Johnson Ricky "HeadlessZeke" Lawshae
13:00
Orange Tsai
Seamus Burke Morgan "indrora" Gangwere
SATURDAY
Dissecting the Teddy Rux- Compromising online Finding Xori: Malware One-Click to OWA
pin: Reverse Engineering accounts by cracking Analysis Triage with Auto-
EFF FIRESIDE HAX (AKA ASK THE
13:00
the Smart Bear voicemail systems mated Disassembly William Martin
EFF) Wagging The Tail - Covert Passive Surveillance And
How To Make Their Life Difficult Zenofex Martin Vigo Amanda Rousseau & Rich
20:00-22:00 in Roman Chillout
14:00
Seymour
Si & Agent X
BEYOND THE LULZ: BLACK-HAT
TROLLING, WHITE-HAT TROLLING, You can run, but you can’t Dragnet - Your Social Attacking the Brain: Fasten your seatbelts:
hide. Reverse engineer- Engineering Sidekick Customize Evil Protocol to We are escaping iOS 11
AND HACKING THE ATTENTION
13:30
ing using X-Ray. Pwn an SDN Controller sandbox!
LANDSCAPE Building the Hacker Tracker Truman Kain
20:00-22:00 in Octavius 9 George Tarnovsky Feng Xiao Min Zheng
15:00
Whitney Champion & Seth Law
Matt Goerzen & Jeanna Matthews

UEFI exploitation for the GOD MODE UNLOCKED 4G - Who is paying your Revolting Radios
PRIVACY IS EQUALITY: AND IT’S FAR masses - hardware backdoors in cellular phone bill?
14:00
x86 CPUs Michael Ossmann & Dominic
FROM DEAD DC 101 PANEL
Mickey Shkatov Dr. Silke Holtmanns & Isha Singh Spill
20:00-22:00 in Octavius 13 Christopher Domas
15:30
(Until 16:45)
Sarah St.Vincent
Weaponizing Unicode: Bypassing Port-Secu- Playback: a TLS 1.3 story Privacy infrastructure,
Homographs Beyond rity In 2018: Defeating challenges and opportu-
15:00
IDNs MacSEC and 802.1x-2010 Alfonso Garcia Alguacil & Alejo nities
Murillo
CONTEST CLOSING CEREMONIES The Tarquin Gabriel Ryan yawnbox
WANNA KNOW WHO IS THE BEST AT FINDING RANDOM STUFF AROUND

LAS VEGAS DURING DEF CON? CURIOUS WHO IS THE BEST AT SOCIAL Automated Discovery of Your Peripheral Has Practical & Improved Wifi Your Voice is My Passport
ENGINEERING SOMEONE INTO GIVING UP PRIVILEGED PERSONAL OR Deserialization Gadget Planted Malware - An MitM with Mana
16:00
COMPANY DATA? WHAT ABOUT THE BEST TEAM TO BE HARASSED, FED Chains Exploit of NXP SOCs _delta_zero
Vulnerability Singe
LOTS OF BOOZE AND STILL ABLE TO WRITE AND COMPILE EPIC CODE? Ian Haken
Yuwei Zheng
COME JOIN US AS WE ANNOUNCE THE WINNERS OF THE DEF CON 25
CONTESTS AT OUR CONTESTS CLOSING CEREMONIES, FROM 14:00 - Your Bank’s Digital Side I’ll See Your Missile and Panel - The L0pht Testi- Reverse Engineering,
15:30PM ON THE STAGE ON THE MAIN CONTEST FLOOR! Door Raise You A MIRV: An mony, 20 Years Later (and hacking documentary
17:00
overview of the Genesis Other Things You Were series

Steven Danneman Scripting Engine Afraid to Ask)
BLACK BADGE WINNERS WILL BE ANNOUNCED DURING THE MAIN Michael Lee Nirenberg
CLOSING CEREMONIES AT 16:30PM IN TRACK 2! Alex Levinson
84 85
-Saturday- -Sunday-
DEF CON 101 Track 1 Track 2 Track 3 DEF CON 101 Track 1 Track 2 Track 3
Through the Eyes of the It WISN't me, attacking You're just complaining You may have paid The Mouse is Mightier Rock appround the clock: Defending the 2018 For the Love of Money:
Attacker: Designing Em- industrial wireless mesh because you're guilty: A more than you imag- than the Sword Tracking malware devel- Midterm Elections from Finding and exploit-
10:00
bedded Systems Exploits networks Guide for Citizens and ine - Replay Attacks opers by Android "AAPT" Foreign Adversaries ing vulnerabilities in
10:00
for Industrial Control Hackers to Adversarial on Ethereum Smart Patrick Wardle timezone disclosure bug. mobile point of sales
Systems Erwin Paternotte Testing of Software Used Contracts Joshua M Franklin systems
In the Criminal Justice Sheila A. Berta & Sergio De Los
Marina Krotofil System Zhenxuan Bai Santos Leigh-Anne Galloway
Jeanna Matthews Searching for the Light: Breaking Extreme Net- Politics and the Surveil- Demystifying MS17-
Adventures with OpticSpy works WingOS: How to lance State. The story 010: Reverse Engi-
Hacking PLCs and Exploiting Active Di- Compression Oracle At- Jailbreaking the 3DS own millions of devices of a young politician’s neering the ETERNAL
Causing Havoc on Critical rectory Administrator tacks on VPN Networks through 7 years of
11:00
Joe Grand (Kingpin) running on Aircrafts, successful efforts to fight Exploits
11:00
Infrastructures Insecurities hardening Government, Smart cities surveillance and pass the
Nafeez and more. nation’s strongest privacy zerosum0x0
Thiago Alves Sean Metcalf smea bills.
Josep Pi Rodriguez
Daniel Zolnikov
TBA Tineola: Taking a Bite Out You'd better secure your Ridealong Adventures Breaking Smart Speakers: Last mile authentication Attacking the macOS Designing and
of Enterprise Blockchain BLE devices or we'll kick - Critical Issues with
12:00
We are Listening to You. problem: Exploiting the Kernel Graphics Driver Applying Extensible
your butts! Police Body Cameras
12:00
missing link in end-to-end RF Fuzzing Tools to
Stark Riedesel Wu HuiYu secure communication Yu Wang Expose PHY Layer
Damien "virtualabs" Cauquil Josh Mitchell Vulnerabilities
Thanh Bui
One Step Ahead of In Soviet Russia Smart- Reaping and breaking Looking for the Matt Knight
Cheaters -- Instrumenting card Hacks You keys at scale: when crypto perfect signature: an
13:00
Android Emulators meets big data automatic YARA rules Trouble in the tubes: How Man-In-The-Disk Micro-Renovator: Bring- barcOwned - Popping
Eric Sesterhenn generation algorithm in internet routing security ing Processor Firmware shells with your cereal
13:00
Nevermoe Yolan Romailler the AI-era breaks down and how you Slava Makkaveev up to Code box
can do it at home
Andrea Marcelli Matt King Michael West
Lane Broadbent
House of Roman - a The ring 0 façade: awak- Detecting Blue Team Re- Infecting The Embed-
"leakless" heap fengshui ening the processor's search Through Targeted ded Supply Chain
13:30
to achieve RCE on PIE inner demons Ads Asura: A huge PCAP file Lost and Found Cer- Edge Side Include
Binaries Zach analyzer for anomaly tificates: dealing with Injection: Abusing
13:30
Christopher Domas 0x200b packets detection using residual certificates for Caching Servers into
Sanat Sharma massive multithreading pre-owned domains SSRF and Transparent
Session Hijacking
Ruo Ando Ian Foster
Having fun with IoT: SMBetray - Backdooring Digital Leviathan: a Playing Malware ldionmarcil
Reverse Engineering and and breaking signatures comprehensive list of Injection with Exploit
14:00
Hacking of Xiaomi IoT Nation-State Big Brothers thoughts Betrayed by the keyboard: Your Watch Can Watch Hacking BLE Bicycle One bite and all your
Devices William Martin (from huge to little ones) How what you type can You! Gear Up for the Locks for Fun and a Small dreams will come
14:00
Sheng-Hao Ma give you away Broken Privilege Pitfalls Profit true: Analyzing and
Dennis Giese Eduardo Izycki in the Samsung Gear Attacking Apple Kernel
Matt Wixey Smartwatch Vincent Tan Kwang Yue Drivers
Sex Work After SESTA/ Fire & Ice: Making
Dongsung Kim Xiaolong Bai & Min Zheng
14:30
FOSTA and Breaking macOS

Firewalls
Closed Panel What the Fax!? Fuzzing Malware For
Maggie Mayhem
Fun & Profit. Applying
Patrick Wardle
DCGroups Yaniv Balmas Coverage-guided
Project Interceptor: All your math are belong Reverse Engineering Win- Booby Trapping Boxes 15:00 Fuzzing to Find and
Exploit Bugs in Modern
avoiding counter-drone to us dows Defender's Emulator
Malware
15:00
systems with nanodrones Ladar Levison

sghctoma Alexei Bulazel
Maksim Shudrak
David Melendez Cano
Closed Closing Ceremonies Closed Closed
16:30
Outsmarting the Smart 80 to 0 in under 5 sec- All your family secrets Inside the Fake Sci-
City onds: Falsifying a medical belong to us – Worrisome ence Factory
16:00
patient's vitals security issues in tracker

Daniel "unicornFurnace" Crowley apps Dr. Isabella Stein
17:00
Douglas McKee
Dr. Siegfried Rasthofer
CLOSED The Road to Resilience: Relocation Bonus: Attack-

How Real Hacking ing the Windows Loader
17:00
Redeems this Damnable Makes Analysts Switch

Profession Careers
Richard Thieme Nick Cano
86 87
CAESAR’S PALACE CONFERENCE CENTER FLAMINGO LAS VEGAS EXECUTIVE CONFERENCE CENTER
LOWER LEVEL
PUFF CAAD
PROMENADE LEVEL EMPEROR’S LEVEL VVALLEY
VA
PUFFLLEY OF VILLAGE
FIRE
LAKE
VILLAGE MEAD II
II
BRYCE ZION VILLAGE ICS
TALKS VILLAGE
RED ROCK
PROMENADE SOUTH Escalator/
Stairs
VIVII VIII
NIGHT: VALLEY OF
VVALLEY LAKE
NEOPOLITAN
NEOPOLI
PACKETOHACKING
T BALLROOM
TAN BALLROOMO
VILLAGE WHOSE SLIDE IS IT ANYWAY? FIRE I MEAD I
I II III IV V HACKER HISTORY VI
DRUNK
VILLAGES
WIRELESS
V VI PACKET
VII VIII DEF CON CAR HACKING
RED ROCK
TRACK
23 2 VENDORS 1 VILLAGE HACKING INFO BOOTH VILLAGE
UMBRIA
MOVIE NIGHT
22 2 TALKS
MILANO
A
MAIN
III CONTEST
A
AGUSTUSAREAIV 101 Vista I II III IVV
SPEAKER OPS
BALLROOM
A
Elevator
Elevator
21
24 25
3 CRYPTO &BALLROOM
BALLR
ALLROOM
ROOM
ROOTZ TRACK
SE PRIVACY ASYLUM
TUSCANY 20 OCT
TTAAVIUS
OCTAVIUS 4
VILLAGE Office I
VILLAGE II III IV
8
19 BALLLLROOM
BALLROOM CTF II
5 I
18 SUNSET BALLROOM
Ramp
Registration
IMPERIAL
17 6 BOARD SALERNO SORRENTO
Scenic
Desk
Office 4
ROOM
INFO
BOOTH
16 15 14 13 12 11 10 9 8 7 Banquet
Kitchen
Balcony Office 6
Twilight
Elevator INFO
Registration
IOTVERONA BOOTH
VILLAGE Desk
BIO CHILLOUT
II
HACKING TURIN HACKER Escalators
VILLAGE
PISA EMPERORS
KARAOKE
TREVI
BALLROOM RegistrationDesk
I
POOL LEVEL PPALERMO
SIENA LASER
TARRANTO
VENICE
SHOOTING BANQUET KITCHEN

I
GALLERY
SICILY
RENO
NAPLES ETHICS
MODENA
VILLAGE Freight
Freight
Elevators
Elevators
BOARDROOM
SENATE
II
Registration
Desk
23 LOCKPICK TRACK 3 1 CHIP-OFF

TRIBUNE
VILLAGE
BCOS/
MONERO INFO
VILLAGE POMPEIAN
POMPP BALLROOM
BOARDROOM
CONSUL
VILLAGE
Registration
HACKER JEOPARDY BOOTH Office 3

CAMPANIA
22 2 Office 3
I II III IV
Desk
DEAFCON
24 25 OPS
PPATRICIAN
PA
ATRICIAN
TRACK 1
Elevator
21 I I
HARDWARE 3 VILLAGE INFO PRE-FUNCTION
CORPORATE CONVENTION CENTER

AREA 1
Registration
LASER HACKING TALKS BOOTH NIGHT: MUSIC EVENTS

Office 7
LIVORNO
CALABRIA
Desk
CUTTING VILLAGE INFO

VILLAGE & 20 FORUM
FOORRUM 4 BOOTH
SWAGI CHILLOUT
L
LAUGHLIN
DRONE
II P
PALACE BALLROOM
THIRD FLOOR
SOLDERING
ABRUZZI
Business Kiosks
WARZ SKILLS BALLLROOM

BALLROOM MESSINA Elevators
Elevator
Elevator
19
Elevators
Phones
Promenade
VILLAGE
5 ROMAN
ROMMAN
M
CHILLOUT
II
NORTH PROMENADE
Escalators
18 TAMPER BALLROOM
BALLR
ALLRROOM
Elevators
A II
EVIDENT
17 6
VILLAGE III IV DEMO LABS
B
GENOA
VOTING Escalators PRE-FUNCTION

III
VILLAGE
16 15 14 13 12 11 10 9 8 7 AREA 2
REGISTRATION
ROOFTOP
BACCHUS Office 2
Garden View
Registration
RECON AI MOBILE
Desk
FLORENTINE
FLOREEENTINE
CHILLOUT
VILLAGE VILLAGE MUSEUM
DATA
DUPLIC. BALLROOM
BALLRRROOM III Terrace
T
Terrace
Elevator CAPRI INHUMAN
VILLAGE
I II III IV
HAM Elevators VVIRGINIA
IRGINIA CITYY
SKYTALKS/303 Escalators
RADIO
ANZIO
EXAMS
IIIIII Eldorado CARSON CITY MESQUITE Savoy
Foyer Foyer
I II
Internet Junction
Elevators
BLUE TEAM
ELDORADO BALLROOM Banquet SAVOY
VILLAGE
Kitchen
88 89
-SHOUT OUTS-
The Dark Tangent would like to thank Jeff, Nikita, DISPATCH: PRODUCTION: Sumdunce, Synn, TBD, TieFighter, timball, WarFlower,
Sleestak, Neil, Charel, Will, and Janet for putting up with wham, WhiteB0rd, wilnix, Wreaktifier, YoursTruly,
me year round, through the thick and thin of starting RF and Ahab would like to thank AsmodianX, Charel in Hotel and Production would like to ZephrFish, zerofux, and Zulu. Pax Per Imperium.
DEF CON China, and the questions sent at all hours. Taclane, and Voltage Spike for helping to lead thank: C0njur3r, kampf, 4C3, Betsy, Ira, Killerspud,
the Dispatch team, and wish to thank the rest of V-Gorilla, jup1t3r, supertechguy, L34N, metacortex, SPEAKER OPS:
I would especially like to thank everyone who attended the Dispatch Staff for always going above and skyria, Dumby, Prod_Goon_22, HiveQueen,
DEF CON 26 and for believing in our community. It is beyond: BonBon, Fosgood, L0G1C, Dimes, Rixon, and sn1ck3r5. Call us when you need us! Proctor would like to thank the Speaker Operations
your enthusiasm, energy, and creativity that fuels us w00k, dll3ma, Archangel, dirtclod and miggles. staff for another year of great service to DEF CON
and keeps DEF CON on the edge. I would also like PRESS: its speakers. These goons are pwcrack, Pasties,
to thank the 1,600+ people, from the Goons to the INFO: Crash, Pardus, Mnky, CLI, Jur1st, Scout, Goeke,
hotel staff and speakers to the contest organizers, A Big Thank You to all the press who not only cover the Bitmonk, phliKtid, Bushy, Vaedron, idontdrivecars,
who made this all possible by building the content, InfoBooth: Mello and LittleBruzer would like to thank all DEF CON community, but are part of it, as well as all K-hole, St0nehouse, notkevin, Flattire, nerfherder,
experiences, and memories for us all to enjoy! the InfoBooth goons for bad information and sending the Press Goons: Alan, Alex, Jeff, Heather, Landyn, Lin, Jutral, Milhouse, g8, DaKahuna, Gattaca, Mubix,
humans in the wrong direction. We would also like to Linda, Mel, Melanie, Mike, Monika, Nicole, and Sylvia! Surreal Killer, RoundRiver, Jinx and AMFYOYO!
A&E: thank the humans for the interesting questions they asked.
QM: SWAG:
ChrisAM would like to thank everyone responsible NOC:
for this year’s entertainment & decor: Krisz Klink, “There is a part of DEF CON that will be forever Secret would like to thank all the Swag goons: Lisa33,
Great Scott, Zziks, dead, CTRL, stitch, davesbase, Welcome to DEF CON 26! As usual effffn and DEF CON England” - at least I think that’s the quote... QM Stores Daria, rudy, 10rn4, spiggy, pelican, Themikeconnor,
Zebbler Studios, Mobius, and SomaFM. would like to thank all the hard work and planning of our is a magical place of pelican cases and barcodes, Csp3r, Daedala, Skyfall, gingerjet, gLoBuS, H4zy,
rockstar NOC team, they put a lot of work in so you guys British Water (or Juniper Mallets), the gentle sounds of endsu, Serenity, BearClaw, Magnar, Alligatro,
CONTENT: can enjoy many aspects of the con. As usual, by the time Goons at work - the odd grunt here, the whizz of the Heal, Brizan, furysama, Loak, PeeJ, Zubion, Alex,
you’re reading this, months of planning happened and coffee grinder there, the chirrup of a printer churning D20OwlBear, TheViking, Trevot, webjedi, and
Nikita would like to thank the DEF CON 26 Reviewers crazy few days of execution on site have been lived to out a sign-in sheet, and last but not least, the heady Mr.Katt for all their hard work and all the other
for their help in selecting the content for two DEF CON’s cover everything we do for the con, especially now with aroma of sweaty Goon arse crack, namely those of: departments who make DEF CON possible!
this year, DC26 and DC China. We are very thankful for multiple venues. We strive to attend requests from mostly ETA, Waz, Zac, Buttersnatcher, Sunsh1ne, Multigrain,
the dedication and support we showed eachother as a all departments of the con, from vendors, speakers, press, Youngblood, Red Ace, Lord Drimacus, Noise, mrb0t,
team. We have banded together four days of content
VILLAGES:
contests, DC TV, workshops, infobooth and so on. mac, The Saint, Big Eezee, Seven, Ge0, shell_e, Cell Wizard
in the form of presentations, workshops, firesides. #sparky, CRV, c0mmiebstrd, c7five, Jon2, deadication, and Major Malfunction. BTW (an acronym, not a handle!), Zantdoit would like to thank Br00zer for being crazy
Thank you! CFP Board: Claviger, The Dark Tangent, musa, wish and john sacrificed a great portion of their DEF RijilV, Slacker, RageQuit, Uncle IRA, Josh and Minor, we enough to join me on the quest for standing up a
Dead Addict, High Wizard, Jericho, Malware Unicorn, CON experience to making sure everything breaks the miss you!!! May Bob bless us, and all who flail in us! new section and the trials of growing that section all
MavAntagonist, Medic, Nikita, PWCrack, Roamer, right way (so we know how to fix it ASAP). If you happen in one year. A huge shoutout to Amlazar, Runner-
Security Barbie, Shaggy, Suggy, Tuna, Vyrus, Wiseacre, to run into any of them, please make sure you thank them REGISTRATION: up, Zant’s daughter, and Hony for all their help in
Yan, ZFasel, Zoz. Special Reviewers: Andrea Matwyshyn, and possibly buy them a beverage. The entire NOC team keeping things organized. Villages have grown a lot
Chris Sistrunk, Grifter, snow, Wonk. Workshop would like to thank the Caesar’s IT and Encore teams for The awesome folks on the human and inhuman reg this year, which would not be possible without the
Reviewers: Ash, Beaker, CyberSulu, Da Kahuna, the tireless support in making it all a bit easier for us. teams; f1dget and apebit, taking charge; all those help of all the Goons who help keep it running. So
HighWiz, Munin, SinderzNAshes, Tottenkoph, Wiseacre who always come through in the clutch but won’t be to the Village Goons... Thanks to those who are
PARTY: mentioned here; TW; Tyler and Matt; SOC, QM, Swag, returning and welcome to all the new ones joining
CONTESTS & EVENTS: and Info Booth; the line wranglers; anyone anywhere who the team. Zantdoit and Br00zer also want to thank
The DEF CON Party GOONS (Beef “xistence” Supreme, spends their con moving heavy stuff from one place to all the Village leads and organizers for everything
Grifter would like to thank every Goon on the Delchi, Apok, Pyr0, and our “Noons”) would like to another; and the attendees, as always, for their patience. they do to make all these great villages possible.
Contests Team. Many thanks to panadero, thanks the hacker community, 303, Security Tribe, the
stumper, phorkus, phartacus, saltr, heisenberg, Skytalks staff, 1057, The Dark Tangent, ALL DEF CON SOC:
Apexxor, Secove, ArmyTra1n3d, gomer, rcu83d,
WORKSHOPS:
GOONS (past, present, and future). Respect, memory,
Zero3, lol_newb, fr33jack, Gmark, Trevor. and love to those who are no longer with us. Xistence Cjunky and tacitus would like to thank every past, present, Tottenkoph thanks all of those who worked to review
would like to give a special thanks to Delchi for his work and future SOC Goon who have built this team and family the workshop proposals this year, Neil and Nikita for all
DCGROUPS: leading up to con and the party organizers, without that we are proud to be a part of, including this year’s of the hard work and help they do, her amazing team
them we would be rather bored since there wouldn’t be team: AdaZebra, Alpha Kilo, Amber, Angie, heartbreaker, of goons (SinderzNAshes, beaker, cybersulu, flipper,
Thank you to April, Brent, Casey, Darington, Jayson Arc, arcon, Ast0r, Atriyan, b3l, BeaMeR, Bogaaron,
anything fun to do at night. Thanks be to Sk0d , who Joel & Jenn Cardella, Jay Radcliffe, mav, binarybuddha,
E Street, Neil/Drifter, s0ups, and byt3boy. Br1ck, Carric, cheronobyl, Chosen1, CHRIS, cRusad3r,
sits at the side of Odin and watches over our analysts. fallible, gillis, Rand0h, and lawyerliz), and the teams/
In memoriam recolitur The Nightstalker ( cDc/NSF ) , cymike, Dallas, Darkwolf, deelo, dr.kaos, DrFed, duckie, leads that help to support us before/during the show.
DESIGN: The Dorsai Embassy NYC Hackerspace. Shai Dorsai! echosixx, Emex, Faz, Fox, g33kspeed, gadams, George,
Glasswalk3r, GodFix, hamster, Hanzo, iCandy, iole, iv4t, VENDORS:
Neil would like to thank Nikita, Sleestak, and Mar,
PHOTO: Jbone, JohnD, Judo, Junior, KRS, kruger, Labrat, Lordy,
for all the creative help behind the scenes pre-con.
M0rph1x, mattrix, mauvehed, MIM, Mr. M, n1cfury, n3x7, Will & Janet from Vendors would like to thank Lsly, pinball,
Thanks to Posterboy for the awesome signage
Photo Goons would like to thank: ASTCell, NextInLine, nohackme, Nothingness, onetwo, Oselot, Redbeard, Rob Collins and Wad for all their hard work,
and putting up with all the last minute stuff. Shout
Cannibal, Loather, noise, mrB0t and InfoSystir. P33v3, ph3r, Phat_Hobbit, Plasma, polish_dave, prec0re, and all the other departments for making DEF CON
out to Supafraud for some sweet videos. Cathy at
Priest, Rabbit, RadioActive, Randy_Wat?, Raven, Red, an incredible community based Hacker convention!
Olympus for having my back. And finally, thanks to
rotor_rabbit, SAGE, Salem, Sam, sl3dge, Slick, Siviak,
my new on-site deployment team Medic, Xaphan, and
SomeNinja, Sonicos, sp00ns, Spedione, stan, stealth,
friends, and to all of you for making it worth doing!
90 91

Defcon 26 Program

Uploaded by

Copyright:

Available Formats

Defcon 26 Program

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Defcon 26 Program

Uploaded by

Copyright:

Available Formats

What are the different Wi-Fi networks available at DEF CON and what are the differences between them?

What are the different Wi-Fi networks available at DEF CON and what are the differences between them?

What are some recommendations for connecting to the DEF CON Wi-Fi networks?

What are some recommendations for connecting to the DEF CON Wi-Fi networks?

WELCOME TO DEF CON 26 Underground network

DEF CON provides a forum for open discussion

We do not condone harassment against any

Participants asked to stop any harassing behavior D E F CO N SU PP O RT

Times: Thursday the 9th: 12 noon and 5 pm, Friday

ELDORADO BALLROOM Banquet SAVOY

11:30-12:00: PRIVACY AND

Capture 0The 0Packet 0 00 - CTP

Wall of Sheep DJ Community - WoSDJCo PHV Workshops

TH E G O LD BU G - CRYP TO & Twitter: @ICS_Village

“Whose Slide Is It Twitter: @cycle_override

HACK E R K AR AO K E L A S E R S H O OTI N G GALLE RY

New for 2018, infocon.org is reachable as a v3 Tor onion at:

Bruce Potter Please do not Duplicate:

Whitney Champion & Seth Law

Matt Goerzen & Jeanna Matthews

WANNA KNOW WHO IS THE BEST AT FINDING RANDOM STUFF AROUND

overview of the Genesis Other Things You Were series

FOSTA and Breaking macOS

systems with nanodrones Ladar Levison

patient's vitals security issues in tracker

CLOSED The Road to Resilience: Relocation Bonus: Attack-

Redeems this Damnable Makes Analysts Switch

Richard Thieme Nick Cano

SHOOTING BANQUET KITCHEN

23 LOCKPICK TRACK 3 1 CHIP-OFF

HACKER JEOPARDY BOOTH Office 3

CORPORATE CONVENTION CENTER

LASER HACKING TALKS BOOTH NIGHT: MUSIC EVENTS

CUTTING VILLAGE INFO

WARZ SKILLS BALLLROOM

VOTING Escalators PRE-FUNCTION

You might also like