Attacking Classified Safes and Vaults from the Cold War to Now

Deviant Ollam

As a government safe and vault technician, my work routinely takes me to military bases, field offices, and secured locations across the country where it is my job to inspect, certify, repair, and occasionally “neutralize” the containers and rooms that house our nation’s sensitive secrets and deadly weapons. I have been doing this work for a little over a decade, but my knowledge of this sector spans much further back in time… and contains many details that the general public does not know when it comes to how enemies both foreign and domestic have attempted to gain entry into our secured spaces and containers. This presentation consists of a collection of stories and examples (several of which, while not classified, have not been widely disseminated or discussed in public) about the endless ladders-and-walls games that our government and our adversaries have played against one another, from the Cold War up to today. Think that the safes and vaults and SCIFs holding our nation’s secrets have never been penetrated? They have, but the stories have generally been classified or suppressed… until now. Put on your nitrile gloves, check your dosimeters, and strap in for a series of fascinating stories!

While paying the bills as a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance, Deviant Ollam (@deviantollam) is also a SAVTA certified safe technician, a GSA certified safe and vault inspector, member of the International Association of Investigative Locksmiths, a Life Safety and ADA consultant, and an NFPA Fire Door Inspector. He has conducted physical security training sessions for Black Hat, the SANS Institute, the FBI, the NSA, DARPA, the National Defense University, Los Alamos National Lab, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point.


Azure Survey 2025: 60 million Users and Counting

nyxgeek

Over the last three years, I’ve enumerated over 60 million usernames in Azure. As part of this research I’ve performed surveys of top usernames in 20 different formats, as well as 50 common service accounts across nearly one million tenants. On top of that, I have monitored the Microsoft Teams statuses of 100,000 Microsoft employees for over 100 days, mapping their schedules, and mining their Out of Office messages for interesting keywords.

What are the most common usernames in Azure? (You’ll be surprised!) What are common service accounts? What hours does Satya prefer to work? Which Microsoft C-level is Offline the most? What company has the largest user base in Azure? How many organizations allow spying on their online presence? What are the weirdest username formats found? What words do Microsoft employees misspell most in their Out of Office messages? All of these questions will be answered and more!

nyxgeek (@nyxgeek) has an unhealthy obsession with user enumeration. Hobbies include trying to decipher IOCCC entries and collecting telco relics. Nyxgeek has been a penetration tester for nearly a decade and a hacker for much longer. He has presented at various conferences regarding the dangers posed by user enumeration, including DEF CON and THOTCON.


Books, OMG, Books: Commence with Reading

Meghan Jacquot

Two book clubs, too little time, a parallel to the phrase too many books, too little time. This talk will focus on two very different book clubs and how both relate to cybersecurity. Every month a group of professionals meets and discusses a book. One month, it is a narrative style book, such as Cuckoo’s Egg or Tracers in the Dark, and the next month, it is a technical book. Examples of some of the technical books that the group has read include Container Security, Practical Malware Analysis, and OSINT Techniques. Another book club converses on Discord and meets every other month to discuss cyberpunk novels–all fiction all year round. The point of the book club is to continue learning and discuss what you’ve learned with fellow professionals who will likely become your friends. This fast and possibly furious talk will review how to start and run a book club, themes learned from books read over the years, and share a book reading list. Remember the community is still here when the conference ends. If you want to learn how to influence your mind and make friends then join or start a book club!

Meghan Jacquot (@CarpeDiemT3ch) is a Security Engineer at Carnegie Mellon University’s Software Engineering Institute (SEI) and focuses on risk and resilience for the cyber industry including the DIB. Meghan shares her research via conferences and publications. Throughout the year, she helps a variety of organizations and folks including DEF CON as a SOC GOON, The Diana Initiative, and OWASP. She often reviews CFPs and mentors new speakers. To relax she also spends time visiting national parks, reading, gardening, and hanging with her chinchilla.


Building and Hacking USB with FPGAs

Michael Ossmann

Cynthion, LUNA, Packetry, and Facedancer make it easier than ever before to build, test, and experiment with USB devices. These open source hardware and software projects take advantage of the reconfigurability of field-programmable gate arrays (FPGAs), enabling a powerful combination of capabilities with unprecedented flexibility and ease of use. I’ll show how these tools can be used to reverse engineer and meddle with off-the-shelf USB devices, and I will review their architecture and the open source ecosystem that makes them possible. Lastly I’ll show new ways to construct USB devices, building upon these open source projects.

Michael Ossmann (@mossmann) is the founder and CTO of Great Scott Gadgets, a company dedicated to putting open source tools into the hands of innovative people. Known as an educator and speaker and as the lead designer of the HackRF, GreatFET, and Ubertooth projects, Michael leads the research and development team at Great Scott Gadgets, building open source hardware and software for the next generation of creative technologists.


Building on the Foundation of our Shared Hacker History

Robert Weiss (pwcrack)

In keeping with the 2025 theme of “Commencement — A New Beginning”, let’s look back at hacker history, hacker culture, where we came from as a community, what makes us unique, and why this is important.

Robert Weiss (@pwcrack) is Principal Security Engineer at Warcollar; CFP and Speaker Operations Lead Goon for DEF CON; Long-time member of NoVA Hackers and Unallocated Space; and Former Co-Chair of BSidesDC.


C2 Operators Infecting Themselves: The Malware Maestro Story

Estelle Ruellan and Stuart Beck

Infostealers are a type of malware designed to secretly collect sensitive information from infected devices. They create stealer logs with valuable data such as login credentials. This malware communicates with Command-and-Control (C2) servers, which direct its actions and receive the stolen data. These stolen logs are highly valuable, forming the basis of a profitable underground market where cybercriminals sell and trade this information.

But what if C2 operators also fell victim to their own scheme: the biters bit. In this presentation, we will dive into the stealer logs of C2 operators who have accidentally infected themselves with infostealer malware, to uncover hidden C2 infrastructure and what goes on backstage. Join us as we expose the unexpected vulnerabilities within the cyber underworld.

Estelle Ruellan and Stuart Beck (@StuartBeck11) are Threat Intelligence Researchers at Flare. With a background in Mathematics and Criminology, Estelle lost her way into cybercrime and is now playing with lines of code to help computers make sense of the cyber threat landscape. Stuart, on the other hand, has an extensive background in offensive security. He is now spending his time researching, developing exploits, creating tools, and dabbling with a hobby in reverse engineering.


Casting Light on Shadow Cloud Deployments

Brittney Argirakis and Chapin Bryce

Proof-of-concept environments too often become production. A new cloud environment is stood up to test out some new capability or tool. The team moves on and forgets about it; or worse, loads in data, the app gains internal traction, and it slowly becomes a production system. These systems sidestep IT governance and are invisible to the security teams and controls the organization has invested in. Once identified, whether through IT discovery or an incident, it is crucial to scope the environment to understand what resources exist, what services are running, and what is exposed to the internet. Our open source tool, Luminaut, is easy to deploy into a cloud environment, gathering context about services exposed to the internet from the inside out for further assessment.

Brittney Argirakis and Chapin Bryce are cybersecurity professionals specializing in digital forensics and incident response. Brittney, with a degree in Forensic Chemistry, traded test tubes for incident timelines and has worked in both private and government consulting roles leading investigations and training sessions on DFIR topics. She currently serves as a Security Engineer on Amazon’s Security Incident Response Team.

Chapin switched from consulting to building tools for consultants as a Director of Software Development at Aon Cyber Solutions. He focuses on cloud security and threat data and has authored two books on using Python for forensic investigations.


A Commencement into Real Kubernetes Security

Jay Beale and Mark Manning

Hello ShmooCon Graduating Class of 2025: Welcome to your commencement ceremony — you’re out of the classroom and into the real world! It’s time to use practical technical demos to challenge what you’ve learned about Kubernetes security–even things you may have heard at ShmooCon. Whether you only took the first few weeks of Freshman Kubernetes 101 or made it through Professor Potter’s advanced Kubernetes seminar, you’ll see how Kubernetes attack and defense both get challenged by scaling in the “Real World.”

Jay Beale and Mark Manning will join forces for one last ShmooCon talk that will challenge assumptions about how Kubernetes works, show real-world exploits on a hardened, compliant cluster, demo new bypasses that make you feel a little nervous about relying on runtime security tools, and help you figure out whether your security controls are ready to scale. You’ll leave with a roadmap for how to assess Kubernetes security in an organization, a familiarity with the newest features in the KubeHound and Peirates OSS tools, and practical advice for which areas you should be investing your time in over others.

Join us and see how organizations have graduated to the next stage of their defensive (or offensive) journey.

Jay Beale (@jaybeale) and Mark Manning (@antitree) have a deep interest in exploiting and defending containerized environments. Jay is a long-time penetration tester, trainer, and tool developer who built tools like Peirates and Bastille Linux. Mark has years of hands-on experience in attacking Kubernetes as a penetration tester and securing Kubernetes as a security engineer at large organizations. Together they have more than a decade of Kubernetes security experience, an appreciation for keeping a beginner’s mindset, and a strong desire to help other people build their confidence in container security.


The Cost of an Incident

Amanda Draeger

For those incidents that are publicly reported, we see things like “this cost $X million dollars.” Where do those costs come from? This talk will look at data from insurance claims to explain where the costs of an incident come from.

Amanda Draeger (@TindrasGrove) is a Principal Cyber Risk Engineer at Liberty Mutual Insurance. She is an Army vet, has way too many credentials, and likes yarn.


Deception & Operations Planning Frameworks

Russell Handorf

Conventional tools and practices are not always sufficient to secure the assets you are charged with protecting. This presentation will describe the foundations of technical deception operations, how they’ve changed, and present a framework and process that can be adapted and mirrored. This will be followed by a real-world dilemma where it was necessary to implement a deception operation to protect an asset. This experience will demonstrate how deception can–and should–be customized and applied to IT environments in order to deter and degrade the capabilities of adversaries.

Dr. Russ Handorf has been a wandering minstrel in the cyber security world for more time than he cares to acknowledge. His current projects and hobbies involve being a father to the agents of chaos at ye household of insanity, playing in the woods, radio, electronics, and just being a general goofball. His neighbors are always wondering what he is up to and have come to terms that he is “that neighbor.” Check out his talk if you’d like to learn what all this really means–Rattlesnake Sanctuary.


Detecting BLE Trackers for the price of a Gas Station Hot Dog

Bill (hevnsnt) Swearingen and Larry (haxorthematrix) Pesce

How many BLE beacons are stashed in your car? I have three that I know about. In this talk, we’ll show you how to turn a cheap-ass ESP32 into a personal spy device for uncovering hidden BLE trackers that you would be proud to hang from your Temu-purchased batman utility belt. The CYA Tracker Tracker project is the perfect entry point to dive into ESP32 development–it’s easier than you might expect! If you’ve ever wanted to get into custom hardware but weren’t sure where to start, this is your moment!
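The detection side of a tracker-tracker boils down to two steps: recognize the advertisement a tracker broadcasts, then notice when the same one keeps turning up over time. The following is an added example, not the CYA Tracker Tracker firmware or any code from the speakers; it is written in Python so it runs on a laptop against recorded scans. The signatures it matches on (Apple Find My manufacturer data with company ID 0x004C and frame type 0x12, Tile's 16-bit service UUID 0xFEED, Samsung SmartTag's 0xFD5A) are assumptions taken from public reverse-engineering write-ups, and every advertisement and scan record below is constructed rather than captured.

```python
"""Spot known BLE tracker advertisements and flag ones that keep showing up.

Added example, not the CYA Tracker Tracker firmware. Tracker signatures are
assumptions drawn from public reverse engineering; all payloads and scan
records below are constructed for illustration.
"""
from collections import defaultdict

# BLE advertising data (AD) structure types used here.
AD_FLAGS, AD_UUID16_PART, AD_UUID16, AD_SVC_DATA16, AD_MFG = 0x01, 0x02, 0x03, 0x16, 0xFF
# Assumption: 16-bit service UUIDs advertised by these tracker families.
TRACKER_UUIDS = {0xFEED: "tile", 0xFD5A: "samsung-smarttag"}


def parse_ad(payload):
    """Split raw advertising data into (ad_type, data) structures.
    Each structure is: length byte, type byte, then length-1 data bytes."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):  # padding or truncated
            break
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def identify_tracker(payload):
    """Return a tracker family name if the advertisement matches a known signature, else None."""
    for ad_type, data in parse_ad(payload):
        if ad_type == AD_MFG and len(data) >= 4:
            company = int.from_bytes(data[:2], "little")
            # Assumption: Apple Find My "offline finding" frame is company 0x004C,
            # frame type 0x12, declared length 0x19 (25 bytes follow).
            if company == 0x004C and data[2] == 0x12 and data[3] == 0x19:
                return "apple-findmy"
        elif ad_type in (AD_UUID16_PART, AD_UUID16):
            for k in range(0, len(data) - 1, 2):
                uuid = int.from_bytes(data[k:k + 2], "little")
                if uuid in TRACKER_UUIDS:
                    return TRACKER_UUIDS[uuid]
        elif ad_type == AD_SVC_DATA16 and len(data) >= 2:
            uuid = int.from_bytes(data[:2], "little")
            if uuid in TRACKER_UUIDS:
                return TRACKER_UUIDS[uuid]
    return None


class TrackerTracker:
    """Accumulate sightings per address and report trackers that stay with you.
    Caveat: Find My accessories rotate their address periodically, so a real
    tool must also correlate on the payload, not only on the address."""

    def __init__(self):
        self.seen = defaultdict(list)  # addr -> [(ts, family), ...]

    def observe(self, ts, addr, payload):
        family = identify_tracker(payload)
        if family:
            self.seen[addr].append((ts, family))
        return family

    def following(self, min_seconds=600, min_hits=3):
        """Addresses seen at least min_hits times over a span of at least min_seconds."""
        hits = []
        for addr, sightings in self.seen.items():
            times = [t for t, _ in sightings]
            if len(times) >= min_hits and max(times) - min(times) >= min_seconds:
                hits.append((addr, sightings[0][1], len(times)))
        return hits


# Constructed advertisements (not captured from real devices).
AIRTAG_ADV = bytes([0x1E, AD_MFG, 0x4C, 0x00, 0x12, 0x19, 0x10]) + bytes(22) + bytes(2)
TILE_ADV = bytes([0x02, AD_FLAGS, 0x06, 0x03, AD_UUID16_PART, 0xED, 0xFE])
PHONE_ADV = bytes([0x02, AD_FLAGS, 0x06, 0x06, 0x09]) + b"Phone"

# Constructed scan log: (seconds since start, address, raw advertisement).
SCANS = [
    (0, "aa:bb:cc:00:00:01", AIRTAG_ADV), (0, "11:22:33:44:55:66", PHONE_ADV),
    (300, "aa:bb:cc:00:00:01", AIRTAG_ADV), (300, "de:ad:be:ef:00:01", TILE_ADV),
    (900, "aa:bb:cc:00:00:01", AIRTAG_ADV), (900, "11:22:33:44:55:66", PHONE_ADV),
]


def run(scans):
    """Feed a scan log through the tracker and return the addresses that appear to follow you."""
    tt = TrackerTracker()
    for ts, addr, payload in scans:
        tt.observe(ts, addr, payload)
    return tt.following()


if __name__ == "__main__":
    for addr, family, count in run(SCANS):
        print(f"{addr} ({family}) seen {count} times - possibly following you")
```

The Tile that shows up once is ignored and the phone is never classified as a tracker; only the Find My frame seen three times across fifteen minutes is reported. On an ESP32 the same logic runs over the raw advertisement bytes delivered by the BLE scan callback.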

During the day, Bill Swearingen (@hevnsnt) leads incident response efforts combating the most advanced state-sponsored threat actors and crushing ransomware negotiations. At night, he makes custom electronics that go beep boop.

A polymath since an early age, Larry Pesce (@haxorthematrix) likes to use big words to describe that he hacks on wireless gear, subverts IoT devices, secures the software supply chain, and can generally converse intelligently on a whole host of topics from cyber security to blacksmithing, and even the 1960s Buick Nailhead. Larry is currently awaiting his Official Curmudgeon credentials.


Disrupting the Model: Abusing MLOps Platforms to Compromise ML Models and Enterprise Data Lakes

Brett Hawkins and Chris Thompson

MLOps platforms are used by enterprises to develop, train, deploy, and monitor Large Language Models (LLMs) and other Foundation Models (FMs), as well as the GenAI applications built on top of these models. The rush to leverage AI throughout the enterprise has meant that security has often been overlooked in the name of progress, resulting in weak controls and direct access to sensitive data lakes and crown-jewel data for RAG use. Nation-state-aligned threat actors are rushing to abuse these gaps and are pursuing early research and private toolkits to attack MLOps platforms: to steal both the expensive FMs/LLMs and their weights, to poison models used for computer vision and military applications, and to compromise the sensitive enterprise datasets connected to AI-integrated applications.

This research includes a background on MLOps platforms and the MLSecOps lifecycle, along with detailing ways to abuse some of the most popular cloud-based and internally hosted platforms used by enterprises such as BigML, Azure Machine Learning, and Google Cloud Vertex AI. These attack scenarios will include data poisoning, data extraction, and model extraction. Additionally, there will be a public release of open-source tooling to perform and facilitate these attacks, along with defensive guidance for protecting these platforms.

Brett Hawkins (@h4wkst3r) has focused on both offensive and defensive disciplines, and is currently on the Adversary Services team at IBM X-Force Red. He has spoken at several conferences including Black Hat, DerbyCon and Wild West Hackin’ Fest, and has authored multiple open-source tools.

Chris Thompson (@retBandit) is the Global Head of IBM X-Force Red and former Head of the Adversary Services practice. Chris has presented his research at many conferences such as DEF CON and Black Hat. Chris has led red teaming operations against critical industry verticals and is currently focused on building AI platforms for offensive use.


Extracting the Ghost in the Machine

Guilherme Santos

What happens when the technology that has been revolutionizing so many of our industries becomes the weapon used against them? AI is ubiquitous now, powering everything from art generators to autonomous vehicles, and while attacks like Prompt Injection are well-known, they represent just the tip of the iceberg.

In this talk, I’ll take you beyond the familiar and reveal a new, emerging attack surface. We’ll dive deeper into more obscure and potentially dangerous threats, exploring how model inversion can extract sensitive data from AI, and how adversarial attacks subtly skew models in ways that go unnoticed.

Guilherme Santos (@r0nd0ns) is a cybersecurity architect at Kuehne+Nagel and an offensive cybersecurity specialist and researcher at Blindsight. With a strong foundation in AI and robotics from his university days, he followed a greater passion and pivoted early to cybersecurity, combining technical depth with hands-on expertise from four years of red teaming and penetration testing. Over the past two years, Guilherme has focused on uncovering vulnerabilities in machine learning models, sharing his knowledge on how these systems can be hacked–and ways to mitigate them.


Future Breaches and Past Disasters: Volunteering with ITDRC

Impos73r

Where were you when the wildfires tore through communities, severing communications to 911 dispatch centers? Or when the hurricanes knocked out critical infrastructure across the country? What about when a pandemic swept the world and thousands of people were suddenly asked to work from home without access to reliable internet? Information Technology Disaster Resource Center (ITDRC) “voluntechs” were on the front lines, helping those communities get back on their feet. Come learn about the life of a tech on deployment and the skills that it takes to make it in the field, so that you can be part of the team to help your community rebuild when disaster strikes.

Impos73r is a jack of all trades with far too many hobbies and far too little time, but with the time he has, he volunteers as the Region 3 Deputy Director for the Information Technology Disaster Resource Center (ITDRC), a volunteer-driven nonprofit that strives to help communities in need when disaster strikes. Outside of that, he’s a Volunteer EMT and radio nerd in Fairfax County and a senior cyber security engineer for the RH-ISAC.


Hacker (Non)Court: Seymore, Inc. v. ThinkIz, Inc.

Andrea Matwyshyn, Carole Fennelly, Jonathan Klein, Elizabeth (Liz) Wharton, Jessica Wilkerson, and Desirae Satterlee

Join us in a fictional arbitration telling the story of Seymore, Inc. and ThinkIz, Inc., two companies attempting to resolve their legal disputes arising from a security incident that cost both companies customers, bad press, and, potentially, millions of dollars in litigation and liability. Using fact patterns modeled on real cases and real security incidents, this presentation asks you to be the judge and help the arbitrator decide which party should bear the financial cost for security and safety failures.

Andrea Matwyshyn (@amatwyshyn) is a full professor on the law and engineering faculties at Penn State.

Carole Fennelly (@carole_fennelly) is Managing Partner at CFennelly Consulting, LLC, which provides strategic guidance for cybersecurity initiatives.

Elizabeth (Liz) Wharton (@LawyerLiz) (Founder, Silver Key Strategies) is a lawyer and business executive advising emerging startups and shaping tech policy.

Jessica Wilkerson is Senior Cyber Policy Advisor and Medical Device Cybersecurity Team Lead in the Division of Medical Device Cybersecurity (DMDC), Office of Readiness and Response (ORR), Office of Strategic Partnerships and Technology Innovation (OST), in the Center for Devices and Radiological Health of the U.S. Food and Drug Administration.

Jonathan Klein (@jonathaniklein) is a former CISO and has extensive experience in building and implementing business-driven security strategies in diverse environments.

Desirae Satterlee is a J.D. Candidate (2026) at Penn State Law University Park, Associate Editor of the Penn State Law Review, a Research Assistant in the Penn State Policy Innovation Lab of Tomorrow, and the Vice President of the Penn State Data Privacy, InfoSec, and Cyber Law Society.


Hacker Rock and Roll: Visualizing the 20 Year Evolution of ShmooCon Research

Greg Conti and Danielle Scalera

Wow, where did the past 20 years go? In this time, ShmooCon grew from the seed of an idea to an internationally respected hacker conference. This talk, inspired by Reebee Garofalo’s “The Genealogy of Pop/Rock Music,” analyzes and visualizes the 20 year evolution of ShmooCon talk topics. As part of this year-long research effort, we created a taxonomy of talk topics, dug into the archives of the internet to create a master list of all ShmooCon talks ever and then methodically categorized each talk. The results are interesting and enlightening. We’ll present analysis of how hacker community research has evolved and how these topics link to technological advances, world events, and changing hacker community norms and interests. To fuel future work, we’ll share both the taxonomy and the labeled dataset of talks, as well as the techniques we used to analyze and visualize the data. You’ll leave this talk with a greater understanding of the arc of hacker community research over time, the ability to perform similar analysis yourself, and a glimpse of where the hacker community is heading in the future.

Greg Conti (@cyberbgone) is a hacker, maker, and computer scientist. He is Principal at Kopidion, a cyber security training and professional services firm. Formerly, he served on the West Point faculty and has published approximately 100 articles and papers covering online privacy, usable security, cyber conflict, and security visualization. Greg is a graduate of West Point and Georgia Tech.

Danielle Scalera, a Marist College alum with a BS in Cybersecurity, has been with Kopidion for over two years and is currently pursuing a Master’s in Cybersecurity at the New Jersey Institute of Technology.


The Hardest Problem I’ve Ever Seen: Making US Elections More Trustworthy in a World of Untrustworthy Technology

Matt Blaze

Automation has become essential for almost every aspect of modern US elections, from voter registration to vote tallying to results reporting, but computers and software are notoriously untrustworthy. How can we make elections trustworthy when the technology we base them on is demonstrably vulnerable to tampering and error? That’s the easy part. The hard part is doing it in an environment where no one trusts the people and institutions, too.

This talk will explore the election technology landscape in 2024 America, why it’s impossibly hard, and why we should be optimistic anyway.

Matt Blaze is a hacker whose current day job is as a professor of Computer Science and Law at Georgetown. He’s interested in the intersection of technology, policy, and law. He co-runs the Voting Village at DEF CON.


I Just Wanted to Charge the Car

Richo Butts

We got whole home solar, accidentally overprovisioned it, then naturally bought an EV. A common sense project from there is to reverse engineer the solar gateway to see if we could exclusively charge the car with surplus power.

As a great man (dominic stupid) once said: I still maintain that once you can blink an LED you can do most things you want to do with a microcontroller.

The same premise here, once you can make a relay go clack remotely the rest is really just a matter of typing on the keyboard. But what if you could make everyone’s relays go clack…

What followed was a fun delve into how the disclosure process has changed in the last decade, toeing the line of getting the issue fixed without making more work for myself, and finding out if it’s actually a good idea to let Home Assistant manage charging your car (Spoilers: maybe).

Richo Butts (@richo) has done quite a few things, including security for startups, independent research, and aggressively defending the thesis that BASE jumping is just applied risk assessment. He’s an aerobatic pilot, a national champion rally car driver, and 7/10 dentists agree “a pretty swell dude.”


I’m Not Your Enemy: How Practitioners Can Empower Content

Kali Fencl

It’s easy to fall into silos in our organizations, but the truth is, when we are open to working together and teaching one another, our work goes further to give bad actors more bad days.

In my Fast and Furious presentation, I’d like to discuss how practitioners’ willingness to collaborate with marketing creates what I call “method marketers,” where previously non-technical folks are able to build their research chops and track their own campaigns. The example I will use is one of my own, where understanding and using my organization’s tools along with OSINT solutions provided insight into bad actors looking to impersonate the American Girl Doll brand, which opened up an investigation into larger campaigns including domain e-commerce fraud and Ponzi schemes.

Kali Fencl (@KaliFencl) serves as Senior Content Marketing Manager at DomainTools as well as the co-host and producer of their Breaking Badness Cybersecurity Podcast. She is responsible for owning content-based demand generation initiatives as well as producing high caliber blogs, email copy, case studies, and social content. Outside of work, Kali enjoys all sorts of crafting including working with paper, felt, and wood and trying new recipes to share with family and friends. She is a graduate of The College of Wooster and previously held positions in the manufacturing and aerospace industries.


Imposter Detection with Watchman

Matthew Wollenweber

Imposter domains are the bane of security operations. Organizations are peppered with phishing attacks and email scams utilizing domains similar to the target. There are many solutions on the market. Unfortunately many are haphazardly built and alert days after attack campaigns begin. Other solutions are buried in expensive threat intelligence packages with promises of sentient AI collecting intelligence from elite nation state attackers. In this talk we explain the barebones technology required to effectively detect imposter domains and share our open source solution Watchman. You’ll leave the talk understanding imposter domain detection and armed with a free tool to detect domains infringing on your organization.
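The "barebones technology" the abstract refers to is small enough to show in full: enumerate the one-edit lookalikes of the domain you protect (omitted, repeated, swapped and hyphenated characters, homoglyph substitutions, an appended character), then classify every newly observed domain as a TLD swap, a generated typo variant, a combosquat that embeds the brand, or a near-match within an edit-distance budget. The block below is an added example written for this page, not Watchman's code; the protected domain, the homoglyph table, the edit budget of one per four characters, and the feed of "newly observed" domains are all constructed assumptions.

```python
"""Barebones imposter-domain detection: generate typo variants of a protected
domain, then classify newly observed domains against them.

Added example, not Watchman's code. The protected domain, homoglyph table and
the observed feed below are constructed for illustration.
"""

# Assumption: a small starter set of characters that look alike in common fonts.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}


def registrable(fqdn):
    """Split 'foo.bar.example.com' into ('example', 'com').
    Assumption: simple two-label split; a real tool uses the public suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def typo_variants(label):
    """Return the set of one-edit lookalikes of a label."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                        # omission
        out.add(label[:i] + ch + ch + label[i + 1:])              # repetition
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            out.add(label[:i] + ch + "-" + label[i + 1:])         # hyphenation
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])   # homoglyph
    for c in "abcdefghijklmnopqrstuvwxyz":
        out.add(label + c)                                        # appended character
    out.discard(label)
    return out


def levenshtein(a, b):
    """Edit distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(observed, protected):
    """Return a reason string if `observed` looks like an imposter of `protected`, else None."""
    olabel, osuffix = registrable(observed)
    plabel, psuffix = registrable(protected)
    if olabel == plabel:
        return None if osuffix == psuffix else "tld-swap"
    if olabel in typo_variants(plabel):
        return "typosquat"
    if plabel in olabel:
        return "combosquat"          # brand embedded in a longer label
    budget = max(1, len(plabel) // 4)  # assumption: tolerate more edits on long brands
    if levenshtein(olabel, plabel) <= budget:
        return "near-match"
    return None


def scan(feed, protected):
    """Classify every domain in a feed; return the (domain, reason) hits."""
    hits = []
    for domain in feed:
        reason = classify(domain, protected)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample of "newly observed" domains, as a CT-log or zone-file
# feed would deliver them. Not real registrations.
OBSERVED = [
    "exampel.com", "examp1e.com", "example.co", "secure-example.net",
    "exanple.com", "sample.org", "example.com", "unrelated.io",
]

if __name__ == "__main__":
    for domain, reason in scan(OBSERVED, "example.com"):
        print(f"{domain:24s} {reason}")
```

The order of the checks matters: the exact-label comparison comes first so the organization's own domain never alerts, the generated variants catch the common typos cheaply, and the edit-distance budget is the catch-all for substitutions the generator does not model (here the m-to-n swap in exanple.com). Keeping the budget small is what stops sample.org, two edits away, from alerting.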

Matthew Wollenweber (@MWollenweber) is a security engineer at Axonius. He has over 20 years experience as a cybersecurity engineer and developer. Matthew is passionate about analyzing real-world security problems as inspiration to build tools. He is a progressive political organizer in New Orleans, a BJJ purple belt, and bulldog rescuer.


Inside the Information Stealer Ecosystem: From Compromise to Countermeasure

Olivier Bilodeau and Eric Clay

Modern information stealers have evolved far beyond simple credential harvesters into sophisticated tools that capture complete digital fingerprints of their victims. In this technical deep-dive, we unveil groundbreaking research into stealer architecture, attack chains, and defensive countermeasures. Through analysis of real-world compromise scenarios, including desktop screenshots captured at infection moments, we reveal how threat actors leverage compromised ad networks and trojanized software for mass deployment. The presentation examines the Operation Magnus takedown, a collaborative effort with ESET and law enforcement, demonstrating the complex infrastructure behind professional criminal enterprises.

Building on hands-on experience with stealer log analysis, the speakers detail how modern threats bypass multi-factor authentication, compromise password managers, and extract cryptocurrency wallets. They examine Chrome’s application-bound encryption and why, although already circumvented, it creates new detection opportunities. The session concludes with practical defensive strategies and the release of two community resources: a PowerShell framework for automated credential testing against Entra ID and a curated dataset of stealer logs for security research.

This presentation equips security practitioners with concrete insights and tools to defend against one of today’s most consequential yet underexamined threats.

Olivier Bilodeau (@obilodeau), a principal researcher at Flare, brings 12+ years of cutting-edge infosec expertise in honeypot operations, binary reverse-engineering, and RDP interception. Passionate communicator, Olivier spoke at conferences like Black Hat, DEF CON, SecTor, DerbyCon, and more. Invested in his community, he co-organizes MontréHack, is NorthSec’s President, and runs its Hacker Jeopardy.

Eric Clay is likely the most threat-intelligence-obsessed CMO in cybersecurity and is involved in research at Flare. His security analysis has been featured in NBC News, TheHackerNews, and major ISACs. He is a DEF CON 32 Red Team Village speaker who translates complex cybercrime insights into actionable intelligence for the world.


Is this /s/C/F/ake? Content Provenance Tech to Fight Online Disinformation

Christian Paquin

In this era of disinformation, exacerbated by rapidly advancing AI tools, the creation of seemingly authentic fake content poses significant dangers, ranging from reputational damage to widespread societal impacts. Our lives have become an online, content-driven version of ‘Is this Cake?’ Fortunately, cryptographic provenance technologies are emerging as essential tools for establishing the origin and authenticity of online content. I’ll present the work of the C2PA, a leading specification adopted by a growing ecosystem of content producers (e.g., gen AI, news media, cameras, photo editors) and validators (e.g., content platforms and social media). Additionally, I’ll demonstrate the open-source tools we’ve developed to validate content credentials. Finally, I’ll describe novel zero-knowledge cryptographic research, offering new ways to achieve stronger security and privacy in C2PA.

Christian Paquin (@chpaquin) is a security specialist in the Microsoft Research Cryptography team with a mission to bridge the gap between academic research and real-world systems. With 25 years of experience, Christian has been involved in many industry-wide initiatives such as the development of anonymous credentials, the ongoing post-quantum cryptographic migration, and the development of the COVID-19 vaccination Smart Health Card framework. As a core member of the Coalition for Content Provenance and Authenticity (C2PA), Christian is currently focused on developing its specification and driving ecosystem adoption to combat disinformation.


Keeping Our Home Addresses Offline: How To Graduate From Opt-Out Whack-A-Mole

Yael Grauer

After seven years of scrubbing my home address from every people search site I could find (and even creating a DIY opt-out list to help others do the same), I playfully asked a friend who wanted to mail me something to try to find my address himself. Not only was HIS friend able to locate my public data within 15 minutes, he could link that data to variations of that one password I used everywhere before I knew any better and a spicy email address I used for about ten seconds over a decade ago.

I am not alone. There are many people who opt others out for a living, but still can’t keep their own data from cropping up repeatedly, not to mention what a dedicated adversary can find by simply perusing real estate records, voter records, or a free trial of a skip tracing service. When even foremost experts in this space can’t keep their data private, what recourse do the rest of us have? Opting ourselves out of every new people-search site that crops up can still leave us exposed, but with some smart policy changes, we can graduate from this perpetual game of whack-a-mole.

Yael Grauer (@yaelwrites) is a cybersecurity program manager at Consumer Reports, where she writes white papers about everything from memory safety to people search removal services, and manages Security Planner, a free, easy-to-use tool offering customized digital security plans. Yael is also an award-winning investigative journalist. She’s written about privacy, security, and surveillance for Ars Technica, the Atlantic, Popular Science, Vice, Wired, and other publications. She likes investigating sketchy VPNs, sketchy online voting vendors, and companies that say they have end-to-end encryption even though they only use TLS.


Lighting Up ShmooCon: Interactive Light Wands for an Epic Opening

Rob Joyce

Imagine every attendee at ShmooCon with a light wand in hand–each of these wands receiving color-changing commands via a computer-controlled RF link. This setup allows for an unforgettable synchronized lighting experience as the conference opens. This talk will introduce the light wands and demonstrate their capabilities, including how attendees can control them independently using simple RF devices.

Rob Joyce (@rgblights) served over 34 years at the NSA, finishing as the head of the Agency’s Cybersecurity Directorate. He led NSA’s cyber exploitation operations (TAO), served at the White House as a Special Assistant to the President for Cybersecurity, and acted as Homeland Security Advisor. Throughout his career, Rob led efforts innovating technologies to protect vital national assets–including US classified networks and the nuclear authorization codes. Along the way, he developed a passion for computer-controlled Christmas lights.


Meshtastic Attacktastic

Dave “Heal” Schwartzberg

In emergencies or off-grid scenarios, Meshtastic shines, but it can crumple when adversaries go off-script. Meshtastic is an open-source platform that allows for long-range, off-grid communication through LoRa-based mesh networks. While offering powerful tools for decentralized communication, particularly in remote areas or during emergencies, Meshtastic also introduces a set of security risks that could be exploited by adversaries. This talk explores the potential vulnerabilities within Meshtastic networks, focusing on attack vectors such as physical attacks, privacy leaks, key management, and jamming. Additionally, we will analyze the effectiveness of the platform’s encryption and authentication mechanisms, offering insights into how these systems can be compromised and how users can fend off attackers.

This session will include a technical breakdown of known vulnerabilities and present both simulated and real-world examples of attacks on Meshtastic networks. Attendees will gain a deeper understanding of how to defend against these threats, hardening their mesh networks against malicious actors. Whether you’re a hobbyist experimenting with off-grid communications or a security professional assessing decentralized systems, this presentation will equip you with the tools and knowledge to secure your Meshtastic devices.

Join us as we take a deep dive into the world of mesh network security and uncover the potential dangers lurking within these powerful systems.

Dave Schwartzberg (@DSchwartzberg) is a cybersecurity professional, known for his expertise in infosec, ethical hacking, and data protection. With 20+ years of experience in the cybersecurity field, David has worked with leading organizations to develop strategies for safeguarding sensitive data and defending against evolving cyber threats. David is the founder of Hak4Kidz, a non-profit organization focused on teaching cybersecurity skills to youths. As an educator and mentor, David has spoken at major security conferences such as DEF CON, Black Hat, THOTCON, GrrCON, DerbyCon, CypherCon, and several BSides, sharing his knowledge on topics ranging from endpoint security to advanced threat detection.


Murthy v. Missouri, Jawboning, and How What the Supreme Court Had to Say Could Bear on Cybersecurity and Online Speech

Cathy Gellis

In 2024, the Supreme Court considered a few cases involving “jawboning,” or the unconstitutional efforts by the government to affect what speech can appear online by pressuring the Internet platforms facilitating it. One such case was Murthy v. Missouri, where plaintiffs had challenged as unconstitutional censorship all sorts of Biden Administration communications–including those of CISA–with major social media platforms about potential harms manifest in the user expression on their systems. In its decision however, the Supreme Court largely rejected their claims…at least for now. But although the decision was generally, and deservedly, a loss for the plaintiffs, who were attempting to use their lawsuit to cause their own censorial harm, the case itself and the issues it raised will still linger beyond it. This presentation discusses those issues, why they are important for online expression even if not prevailing here, and what might follow from the decision when it comes to the government sharing information and expertise with private platforms, including about cybersecurity threats, and especially as we head into a new administration that may have different things to say than the last.

Frustrated that people were making the law without asking for her opinion, Cathy Gellis (@cathygellis) gave up a career in web development to become a lawyer to help them not make it badly, especially regarding technology. A former aspiring journalist and longtime fan of civil liberties, her legal work includes defending the rights of Internet users and advocating for policy that protects speech and innovation. When not advising clients on platform liability, copyright, trademark, privacy, or cybersecurity, she frequently writes about these subjects and more for outlets such as the Daily Beast, Law.com, and Techdirt.com, where she is a regular contributor.


Modern-day SOC Evolution from Open Source to Unlimited Budget

Neil (Grifter) Wyler and James (pope)

Building and maintaining a modern-day SOC can be an overwhelming challenge. What are the right technologies to use? What’s going to have the most impact to your security program? Where should you spend your limited budget in a sea of overlapping solutions?

As leads of the Black Hat NOC, we often get asked these questions and more, and we’ve spent the last 23 years learning the answers, sometimes the hard way. There were many successes, there were many failures, and all of it led to an understanding of where to invest time, money, or both if you’re trying to defend a network when it really counts.

Let’s explore how organizations can make strategic choices by leveraging open source tools to fill critical gaps, or even replace commercial solutions outright, and where vendors get it wrong, right (*gasp*), or fall somewhere in between.

Grifter (@Grifter801) and pope (@BlesstheInfoSec) have been in cybersecurity in one form or fashion practically their entire lives. What started as a passion became a career … that they are no less passionate about. By day they have corporate jobs where they help defend the networks of some of the largest companies in the world, by night they are two leads in the Black Hat NOC where they design, deploy, and defend what is often billed as “one of the most hostile networks in the world.”


On Covert Channels Using QUIC Protocol Headers

David Cheeseman

This presentation explores a covert communication channel leveraging high-entropy fields in the QUIC protocol headers. With fields like connection IDs and address validation tokens, QUIC provides an ideal platform for creating channels that evade detection while conforming to protocol entropy requirements. By implementing encryption techniques and leveraging the aioquic library, this work demonstrates covert communication feasibility and discusses potential detection and mitigation strategies. This research provides critical insights into protocol exploitation by leveraging high entropy fields.
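The abstract above names the two header fields that carry attacker-controlled, high-entropy bytes in the clear: connection IDs and address validation tokens. The following stdlib-only Python is an added illustration, not the speaker's code and not built on aioquic: it serializes and parses a QUIC v1 Initial long header, slices an encrypted message into 20-byte source connection IDs (the RFC 9000 maximum), shows that a byte-entropy check cannot tell those SCIDs from `os.urandom` output, and adds one detection heuristic of our own (a single DCID paired with many distinct SCIDs). The HMAC-SHA256 counter-mode keystream is a placeholder for a real cipher; the 2-byte length prefix, the 16-byte dummy payload and the omission of the 1200-byte Initial padding are simplifications for the example.

```python
"""Toy covert channel in QUIC Initial connection IDs (stdlib only, added example)."""
import hashlib
import hmac
import math
import os
import struct
from collections import Counter

QUIC_V1 = 0x00000001
MAX_CID_LEN = 20  # RFC 9000: a connection ID is 0..20 bytes


def encode_varint(n: int) -> bytes:
    """RFC 9000 section 16 variable-length integer (2-bit length prefix)."""
    if n < 0x40:
        return bytes([n])
    if n < 0x4000:
        return struct.pack(">H", 0x4000 | n)
    if n < 0x40000000:
        return struct.pack(">I", 0x80000000 | n)
    return struct.pack(">Q", 0xC000000000000000 | n)


def decode_varint(buf: bytes, off: int):
    """Return (value, new_offset) for the varint starting at buf[off]."""
    length = 1 << (buf[off] >> 6)
    raw = int.from_bytes(buf[off:off + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), off + length


def build_initial(dcid: bytes, scid: bytes, token: bytes, payload: bytes) -> bytes:
    """Serialize a v1 Initial header: no header protection, 1-byte PN, no 1200-byte padding."""
    assert len(dcid) <= MAX_CID_LEN and len(scid) <= MAX_CID_LEN
    pn = b"\x00"
    hdr = bytes([0xC0]) + struct.pack(">I", QUIC_V1)  # long header, fixed bit, type Initial
    hdr += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    hdr += encode_varint(len(token)) + token
    hdr += encode_varint(len(pn) + len(payload))
    return hdr + pn + payload


def parse_initial(pkt: bytes) -> dict:
    """Pull out the fields a middlebox sees in the clear on an Initial packet."""
    if (pkt[0] & 0xF0) != 0xC0:
        raise ValueError("not a QUIC Initial long header")
    off = 5
    dlen, off = pkt[off], off + 1
    dcid, off = pkt[off:off + dlen], off + dlen
    slen, off = pkt[off], off + 1
    scid, off = pkt[off:off + slen], off + slen
    tlen, off = decode_varint(pkt, off)
    token, off = pkt[off:off + tlen], off + tlen
    length, off = decode_varint(pkt, off)
    pn_len = (pkt[0] & 0x03) + 1
    return {"version": struct.unpack(">I", pkt[1:5])[0], "dcid": dcid, "scid": scid,
            "token": token, "pn": int.from_bytes(pkt[off:off + pn_len], "big"),
            "payload": pkt[off + pn_len:off + length]}


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real cipher that keeps bytes uniform."""
    out = b""
    for ctr in range(-(-n // 32)):
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def covert_send(key: bytes, message: bytes) -> list:
    """Nonce rides in the (constant) DCID; ciphertext is sliced into 20-byte SCIDs."""
    nonce = os.urandom(8)
    plain = len(message).to_bytes(2, "big") + message
    plain += os.urandom(-len(plain) % MAX_CID_LEN)  # pad to whole connection IDs
    cipher = xor(plain, keystream(key, nonce, len(plain)))
    return [build_initial(nonce, cipher[i:i + MAX_CID_LEN], b"", b"\x00" * 16)
            for i in range(0, len(cipher), MAX_CID_LEN)]


def covert_receive(key: bytes, packets: list) -> bytes:
    """Reassemble the SCIDs in order, strip the keystream and the length prefix."""
    hdrs = [parse_initial(p) for p in packets]
    cipher = b"".join(h["scid"] for h in hdrs)
    plain = xor(cipher, keystream(key, hdrs[0]["dcid"], len(cipher)))
    return plain[2:2 + int.from_bytes(plain[:2], "big")]


def shannon_entropy(data: bytes) -> float:
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def entropy_gap(packets: list) -> float:
    """Covert SCID bytes vs. the same number of os.urandom bytes: why entropy checks fail."""
    cov = b"".join(parse_initial(p)["scid"] for p in packets)
    return abs(shannon_entropy(cov) - shannon_entropy(os.urandom(len(cov))))


def scid_churn(packets: list) -> bool:
    """Detection heuristic (ours, not from the talk): one DCID reused with many distinct SCIDs."""
    seen = {}
    for p in packets:
        h = parse_initial(p)
        seen.setdefault(h["dcid"], set()).add(h["scid"])
    return any(len(s) > 1 for s in seen.values())
```

The entropy comparison is the point of the abstract's phrase "conforming to protocol entropy requirements": a sensor that only measures randomness has nothing to key on. What the channel cannot hide is behaviour, which is why the heuristic looks at the relationship between fields (a client normally keeps one SCID for its whole Initial flight) rather than at their bytes.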

David Cheeseman is a US Navy veteran and cybersecurity professional with experience ranging from AI startups and government contractors to the Fortune 50 company where he is currently employed. In the Navy he served as a Submarine Officer and Information Professional Officer, working with nuclear reactors, radio, cryptography, and networking. On the blue team side, he managed cybersecurity for two startups, one of which was a government contractor, and later worked at a Fortune 50 company helping to maintain services that scanned 900k+ internal assets. On the red team side, he studies cybersecurity at Johns Hopkins University with a focus on red team subjects and participates in CTF competitions, where he has made podium placements in small teams and solo competitions.


OpSec for Grandma

Rich Mogull

You’re a rock-star hacker and security professional with rock-solid OpSec. Your network is tight, your devices locked down, and the only phishing attack you worry about involves a boat and the proper use of the letter “f.”

Then your grandma calls and asks why she can’t get back into her computer or bank account after talking to the nice man on the phone she called when the number popped up in the security alert on her screen while browsing the web.

We spend our days protecting ourselves and society, but sometimes the hardest job of them all is protecting our aging family members. In this Fast and Furious session, Rich will talk about his multi-year journey to stop the incessant phishing attacks his elderly (mostly) family was getting hit with and sometimes falling for. He’ll recommend specific technologies that are lightweight, effective, and maintainable even at a distance.

Rich Mogull has been in the security industry for over 20 years and describes himself as a rogue disaster response paramedic. A former Gartner analyst, he reformed himself and founded Securosis in 2007 and has published entirely too much free, practitioner-focused research there or via the Cloud Security Alliance. He also founded a cloud security startup that was acquired by FireMon. He’s a licensed paramedic and private pilot, a sandtrooper in the 501st legion, a lapsed black belt, and serial hobbyist.


Our Time in a Product Review Cabal: And All the Malware and Bugs that Came With It

Adam Schaal and Matt Virus

What did you do during the pandemic? We started a Product Review Cabal. Follow our journey from getting a postcard in a product box to us exhausting all of our many retailer sock accounts. We’ll teach you how we got free packages nearly every day… but there’s a catch. Most of the products arrive with malware, backdoors, or glaring vulnerabilities. In our talk, we plan to detail a subset of these vulnerable products, how to detect issues, and how to mitigate them. From cameras to light switches, from routers to vacuum cleaners, the product list is expansive. There’s nothing these vendors won’t copy, and nothing they won’t offer up. The story is a good conversation starter, but be sure to stay for the tear-down and technical analysis. A blend of social engineering, hardware hackery, and software vulnerabilities–this discussion has something for everyone!

Adam Schaal (@clevernyyyy) leads the Security Hub for Innovation and Efficiency (SHINE) engineering team at AWS. Adam is a seasoned speaker with talks at Chaos Communication Camp, the Linux Foundation Member Summit, Blue Team Con, DEF CON villages, and more. Adam is also an active security community member, cofounding Kernelcon and DEF CON 402, as well as sitting on the organizing committee for LocoMocoSec.

Matt Virus (real name) (@themattvirus) is an IoT engineer @ Cisco (15+ years), part-time farmer, fan of angry rock music, former DoD forensic/malware analyst, and has a strong belief in helping people reach beyond their technical comfort zone.


0wn the Con

The Shmoo Group

For nineteen years, we’ve chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the breakdown of the budget, an insight into the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon, and anything else you might want to talk about. This is an informative, fast paced, and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though–if you ever wanted to know How, When, or Why when it comes to ShmooCon you shouldn’t miss this. Or go ahead and do. It’ll be online later anyway.

The Shmoo Group is the leading force behind ShmooCon. Together with our amazing volunteers, we bring you ShmooCon. It truly is a group effort.


Pages from a Sword-Maker’s Notebook pt. III, “The cursed blade”

Vyrus

In this presentation, I will discuss the development, deployment, and subsequent tracking of custom malware that was unexpectedly adopted by threat actors. The malware drew attention from threat intelligence operators, suggesting it had been weaponized by malicious entities. Recognizing this, I decided to covertly backdoor my own malware, enabling me to monitor and gather intelligence on the individuals and groups utilizing it. This strategy provided valuable insights into the operations of these actors, their infrastructure, and tactics. The talk will cover the technical methods used to implement the backdoor, the challenges encountered, and the intelligence gathered as a result.

Vyrus (@vyrus001) is a grumpy old soul trapped inside the body of a grumpy looking young man who’s spent the majority of his adolescent and adult lives slinging some version of hacking and hacking accessories. He hates that we replaced the word “programming” with “coding,” insists that everything is a loader if you polyglot it hard enough, and spends a significant amount of time yelling at clouds.


The Permission Slip Attack — Leveraging a Confused Deputy in Android with ‘pSlip’

Edward Warren

With Android’s complex permission model, Confused Deputy vulnerabilities present significant risks, allowing attackers to escalate privileges and execute unintended actions. While permission escalation via intent injection isn’t novel, my open-source tool ‘pSlip’ offers a solution to detect instances of these vulnerabilities often overlooked by existing tools.

This toolkit parses APK files to extract manifest information and identify exported components (activities, services, receivers) that may expose dangerous permissions or be susceptible to intent injection attacks. The tool detects components with exposed CALL permissions, identifies potential JavaScript injection vulnerabilities via the javascript scheme, and scans for hardcoded AES/DES keys and initialization vectors (IVs) in the application code which could be indicative of insecure cryptographic practices. It also flags custom permissions set to a ‘normal’ protection level, which can pose security risks.

‘pSlip’ AKA ‘Permission Slip’ provides practical ADB commands to test identified vulnerabilities and can generate detailed HTML reports for further analysis. This talk is tailored for anyone interested in mobile app security like security enthusiasts, and developers keen on advancing defensive tooling and security automation.
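The checks listed above (exported components, custom permissions left at the default `normal` protection level, and held capabilities such as CALL that an exported component could proxy for a caller) are straightforward to express against a decoded manifest. The Python below is an added example written for this page, not the pSlip code, and it works on the textual `AndroidManifest.xml` that apktool or aapt produce (a binary manifest stores `protectionLevel` as an integer, so decode first). The `DANGEROUS_HELD` list, the sample manifest and the `com.example.app` names are constructed for the illustration; the `adb shell am` commands it emits are standard activity-manager verbs.

```python
"""Manifest scan for confused-deputy exposure in Android apps (stdlib only, added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Held capabilities worth proxying through an exported component (assumed list, extend as needed).
DANGEROUS_HELD = {
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Component tag -> activity-manager verb that reaches it from adb.
AM_VERB = {
    "activity": "start",
    "activity-alias": "start",
    "service": "startservice",
    "receiver": "broadcast",
}


def is_exported(component):
    """android:exported, falling back to the pre-API-31 rule: any intent-filter exports it."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def scan_manifest(manifest_xml: str):
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    findings = []

    # A custom permission at 'normal' (the default when omitted) is granted to any
    # requesting app at install time, so a component guarded by it is effectively open.
    weak_perms = set()
    for perm in root.iter("permission"):
        level = (attr(perm, "protectionLevel") or "normal").split("|")[0]
        if level == "normal":
            weak_perms.add(attr(perm, "name"))
            findings.append({"kind": "weak-custom-permission", "target": attr(perm, "name"),
                             "deputy_for": [], "adb": None})

    held = {attr(u, "name") for u in root.iter("uses-permission")}
    reachable = sorted(held & DANGEROUS_HELD)  # what a caller might borrow via the deputy

    app = root.find("application")
    for tag, verb in AM_VERB.items():
        for comp in app.iter(tag):
            if not is_exported(comp):
                continue
            name = attr(comp, "name")
            fqcn = pkg + name if name.startswith(".") else name
            guard = attr(comp, "permission")
            if guard and guard not in weak_perms:
                continue  # guarded by a signature/dangerous-level permission: not our concern here
            findings.append({
                "kind": "exported-normal-guard" if guard else "exported-unguarded",
                "target": fqcn,
                "deputy_for": reachable,
                "adb": f"adb shell am {verb} -n {pkg}/{fqcn}",
            })
    return findings


# Constructed sample in decoded (apktool-style) form; not a real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <permission android:name="com.example.app.LAUNCH"
              android:protectionLevel="normal"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DialerActivity" android:exported="true"
              android:permission="com.example.app.LAUNCH"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f["kind"], f["target"], f["deputy_for"], f["adb"] or "")
```

The scan is static: it tells you which exported surfaces are reachable and which held permissions they could be made to spend, not whether the component actually dials or sends anything with attacker input. Confirming the deputy still takes the emitted `am` command with a crafted extra or data URI, and a look at what the activity does with it.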

Edward Warren (@actuator_) is an independent security researcher specializing in Android app and IoT security. He has identified dozens of 0-day vulnerabilities in networking devices and mobile applications and is currently cited in numerous CVE publications. Additionally, Edward is the developer of ‘pSlip,’ an open-source toolkit which aims to automate the detection of Confused Deputy vulnerabilities and adjacent security issues in Android apps.


Rayhunter: Recording PCAPs from Stingrays With a $20 Hotspot

Cooper Quintin and Will Greenberg

What if you could use Wireshark on the connection between your cellphone and the tower it’s connected to?

In this talk we present Rayhunter, a cell site simulator detector built on top of a cheap cellular hotspot. It works by collecting and analyzing real-time control plane traffic between a cellular modem and the base station it’s connected to. We will outline the hardware and the software developed to get low-level information from the Qualcomm DIAG protocol, as well as go on a deep dive into the methods we think are used by modern cell-site simulators. We’ll present independently validated results from tests of our device in a simulated attack environment and real world scenarios. Finally, we will discuss how we hope to put this device into the hands of journalists, researchers, and human rights defenders around the world to answer the question: how often are we being spied on by cell site simulators?

Cooper Quintin (@cooperq.com) is a senior public interest technologist with the EFF Threat Lab. He has given talks about security research at prestigious security conferences including Black Hat, DEF CON, ShmooCon, and REcon about issues ranging from IMSI Catcher detection to Femtech privacy issues to newly discovered APTs. He has two children and is very tired.

Will Greenberg is a staff technologist at EFF working on Certbot, issues of police surveillance, carceral use of technology, and researching the data broker industry. He has two cats and gets plenty of sleep.


Sandboxing Agentic Workflows with WASM

Joe Lucas

The newest generation of LLM-enabled applications focus on “agentic” behavior — automatically executing LLM generated commands to expand the scope beyond simple text generation. What could go wrong? Current application-layer controls are often insufficient and hypervisor-level hardening is resource-intensive. Instead, we can benefit from browser sandboxes by shifting the execution into WebAssembly. Come learn why and how to execute Python code in browsers.

Joe Lucas (@josephtlucas) is a senior offensive security researcher focused on AI at NVIDIA. He is the founder and chair of the NumFOCUS Security Committee and is a member of the Jupyter Security Council. He was one of the architects and hosts of the DEF CON 30 AI Village Capture the Flag competition and is passionate about machine learning security education. He served in the US Army at US Cyber Command and the 101st Airborne Division.


Shmooganography, Looking Back from Behind the Scenes and into Plain Sight

Will Newton and Mike Bowen

Shmooganography is a contest that’s been held at ShmooCon for 17 years, minus the first year and 2022. This challenge is focused on steganography using no-tech, low-tech, and high-tech techniques as players navigate 5 stages to win the grand prize. There are a variety of considerations when facilitating a technical challenge at any conference, including attendee/player time balance, quality assurance verification of all techniques, avoiding conflicts with hotel and ShmooCon operations, and deconfliction from happenstance overlap with other contests. Gameplay structure and theming are important to provide a fun and competitive, yet memorable experience. We have learned that some techniques were perfect for the challenge while others did not meet expectations, leading players down some unusual paths and into frustration. Now, as we become ShmooCon graduates, we share our story through successes, failures, and lessons learned over the 17 years of facilitating Shmooganography at ShmooCon.

Will Newton is the founder of Shmooganography. He co-led technical challenges including for the Association of Old Crows. Will hosts a Christmas light show with over 40,000 lights, synchronized to 45 minutes of pun-filled narration and music. Will gives back to his community as a volunteer firefighter and EMT.

Mike Bowen joined Will a couple years into Shmooganography’s run, building techniques and collabing on the game’s evolution. At work, he leads software and architecture design for signal processing suites. Offline, he is an active Freemason and past president of local AOC and AFCEA chapters, and RVs with his wife.


SkyScan — Autonomously Filming Aircraft

Luke Berndt and Mike Chadwick

Aircraft are always zipping around overhead, most often going unnoticed. This talk will walk through how we built a system that autonomously photographs all of the aircraft flying by, and how you can set this up too!
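Whatever the camera and mount, the step every such system has to perform is turning an aircraft's reported position into a pan and tilt for the camera. The Python below is an added worked example for this page, not the SkyScan code: it assumes aircraft positions arrive as latitude, longitude and altitude in feet (the form an ADS-B receiver reports them in), converts camera and aircraft through WGS84 ECEF into a local east/north/up frame, derives azimuth, elevation and slant range, and picks the nearest aircraft above a minimum elevation and within a maximum range. The camera position, the aircraft list and the thresholds are constructed for the illustration.

```python
"""Aircraft position -> pan/tilt look angles (WGS84 -> ECEF -> ENU), added example."""
import math

A_WGS84 = 6378137.0                  # semi-major axis, metres
F_WGS84 = 1 / 298.257223563          # flattening
E2_WGS84 = F_WGS84 * (2 - F_WGS84)   # first eccentricity squared
FT_TO_M = 0.3048                     # ADS-B altitudes are reported in feet (assumed input form)


def geodetic_to_ecef(lat_deg, lon_deg, alt_m):
    """Geodetic (deg, deg, m) to Earth-centred, Earth-fixed metres."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    n = A_WGS84 / math.sqrt(1 - E2_WGS84 * math.sin(lat) ** 2)
    return ((n + alt_m) * math.cos(lat) * math.cos(lon),
            (n + alt_m) * math.cos(lat) * math.sin(lon),
            (n * (1 - E2_WGS84) + alt_m) * math.sin(lat))


def look_angles(camera, target):
    """(azimuth deg clockwise from true north, elevation deg, slant range m) from camera to target."""
    lat0, lon0 = math.radians(camera[0]), math.radians(camera[1])
    x0, y0, z0 = geodetic_to_ecef(*camera)
    x1, y1, z1 = geodetic_to_ecef(*target)
    dx, dy, dz = x1 - x0, y1 - y0, z1 - z0
    sl, cl, sp, cp = math.sin(lon0), math.cos(lon0), math.sin(lat0), math.cos(lat0)
    # Rotate the ECEF difference into the camera's local east/north/up frame.
    east = -sl * dx + cl * dy
    north = -sp * cl * dx - sp * sl * dy + cp * dz
    up = cp * cl * dx + cp * sl * dy + sp * dz
    az = math.degrees(math.atan2(east, north)) % 360.0
    el = math.degrees(math.atan2(up, math.hypot(east, north)))
    return az, el, math.sqrt(dx * dx + dy * dy + dz * dz)


def pick_target(camera, aircraft, min_elevation_deg=5.0, max_range_m=30000.0):
    """Nearest aircraft the mount can usefully frame, or None if nothing qualifies."""
    best = None
    for ac in aircraft:
        az, el, rng = look_angles(camera, (ac["lat"], ac["lon"], ac["alt_ft"] * FT_TO_M))
        if el < min_elevation_deg or rng > max_range_m:
            continue  # below the treeline, or too small in frame to be worth a shot
        if best is None or rng < best["range_m"]:
            best = {"icao": ac["icao"], "pan": round(az, 2), "tilt": round(el, 2), "range_m": rng}
    return best


# Constructed sample data: a camera on a rooftop and three aircraft positions.
SAMPLE_CAMERA = (38.90, -77.00, 50.0)            # lat, lon, metres above the ellipsoid
SAMPLE_AIRCRAFT = [
    {"icao": "A1B2C3", "lat": 38.99, "lon": -77.00, "alt_ft": 10000},   # ~10 km north, climbing
    {"icao": "ABCDEF", "lat": 39.80, "lon": -77.00, "alt_ft": 1600},    # ~100 km north, below horizon
    {"icao": "C0FFEE", "lat": 38.90, "lon": -76.885, "alt_ft": 35000},  # ~10 km east, cruising
]

if __name__ == "__main__":
    for ac in SAMPLE_AIRCRAFT:
        az, el, rng = look_angles(SAMPLE_CAMERA, (ac["lat"], ac["lon"], ac["alt_ft"] * FT_TO_M))
        print(f"{ac['icao']}: az={az:6.2f} el={el:6.2f} range={rng/1000:5.1f} km")
    print("target:", pick_target(SAMPLE_CAMERA, SAMPLE_AIRCRAFT))
```

Two things bite in practice and are deliberately left visible here: ADS-B altitude is barometric, not geometric, so the tilt can be off by tens of metres of altitude on a non-standard-pressure day, and positions are stale by the time the mount has slewed, so a real controller extrapolates along the reported track and ground speed before aiming.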

Mike Chadwick and Luke Berndt (@LukeBerndt) work in IQT’s Rapid Prototyping Group, where they show how their Portfolio of startups can be applied to address government challenges. Both are known to run to the office window whenever an interesting jet flies by.


Software Screws Around, Reverse Engineering Finds Out: How Independent, Adversarial Research Informs Government Regulation

Andy Sellars and Mike Specter

For all of the discussion on how best to regulate software platforms and systems, there is little attention paid to how software is held accountable today. What allows agencies like the Federal Trade Commission to effectively police the security and privacy properties of information technology? It is often assumed that independent research–including vulnerability discovery and reverse engineering–plays some role, but its overall prominence has been under examined.

We review the past several years of FTC actions in software security and privacy, and show that an enormous amount of the Commission’s work–between a quarter and a third of all FTC actions–owe their discovery directly to the input of independent research. This places independent research as a significant regulatory partner with the government, and elevates its importance beyond what has been previously assumed. We also examine why this is unsurprising on a theoretical level, drawing from economic theory that explains the phenomenon. Finally, we propose a series of law and policy interventions that can help improve the independent software research ecosystem in light of its important regulatory role, attending to the specific legal concerns of academics, journalists, advocates, and other independent actors.

Andy Sellars is a Partner at Albert Sellars LLP, a public interest technology and media law firm, and a Clinical Associate Professor at Boston University School of Law. He is the outgoing Executive Director of the BU/MIT Student Innovations Law Clinic, a legal service for BU and MIT students.

Michael A. Specter is an Assistant Professor in Computer Science at Georgia Tech, focusing on problems in systems security and applied cryptography, with an emphasis on civic technology. He completed his PhD in EECS from MIT, and holds a Pioneer Award from the Electronic Frontier Foundation.


SQLi is /so/ Last ShmooCon

Falcon Darkstar Momot

You get SQLi and now you’re in the database. It’s all over, right? Not at all. We’ll talk about defense in depth models for databases and what exploitation looks like when you get SQL access to a well-defended Postgres.

Falcon Darkstar Momot (@falcon), M.Sc., MBA, B.Acc., is the product security manager at Aiven, and secures cloud databases. He does other things too: Shadytel, LangSec, ham radio, and piloting small aircraft in clouds. All he wants is for you to build simpler, more defensible systems, and then use the things that are provided to help you defend them.


A Story About Fighting Disinformation (Or How We Helped the Russian Trolls)

Krassimir Tzvetanov

NOTE: This talk will not be recorded or streamed.

Over the past ten years, the term ‘fake news’ has become so widespread and obnoxious that many people tune out as soon as they hear it. So, how is this kind of exposure benefiting society? To take it a step further, let me pose a provocative question: how is this narrative aiding our adversaries?

Self-proclaimed intellectuals frequently discuss “active measures” without even understanding that the translation of the original Russian is not accurate, but it goes well beyond that. In today’s information age, the phrase “Beware of Greeks bearing gifts” takes on a whole new meaning. It now sounds more like, “Beware of geeks bearing gifts.”

Have you ever stopped to think that perhaps, just perhaps, this is precisely what the adversaries want them to discuss? Have you considered the second and third-order effects of seemingly simple messaging? And is that the true objective the adversary is aiming to achieve?

In this presentation, I’ll discuss the fundamentals of what are known as reflexive influence operations and how they can be employed to prompt segments of a target audience to produce messages aligned with adversary goals. I’ll also share a few examples that seem to illustrate these types of operations.

For the past five years, Krassimir Tzvetanov has been a graduate student at Purdue University focusing on Homeland Security, Threat Intelligence, Operational Security and Influence Operations in the cyber domain. Before that, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations and threat research. Previously, he worked for companies like Cisco and A10 focusing on threat research and information exchange, DDoS mitigation, and product security. Before that, Krassimir held several operational (SRE) and security positions at companies like Google, Yahoo!, and Cisco. Krassimir is very active in the security research and investigation community and has contributed to FIRST SIGs. He is also a co-founder of and ran the BayThreat security conference and has volunteered in different roles at DEF CON, ShmooCon, and DC650. Krassimir holds a Bachelor’s in Electrical Engineering (Communications), a Master’s in Digital Forensics and Investigations, and a Master’s in Homeland Security.


Taiwan Digital Blockade: How Wargaming Taught Me About ICS Vulnerabilities and Small Islands

Nina Kollars and Jason (Jay) Vogt

How might a small island country defend itself against cyber-attacks against information communications and supporting industrial control systems? My research colleagues and I decided to play a tabletop wargame to find this out. The good news is that everyone agreed it was important. The bad news is, it’s worse than you think. The presenters will talk about their journey designing an ICS & communications war game, their findings, distribute their game report, and invite the audience to help them think of more solutions.

Nina (aka Kitty Hegemon) and Jay are war gamers at the United States Naval War College. She is a co-director of the Maritime Hacking Village and author of the DEF CON 27 presentation entitled ‘Confessions of a Nespresso Money Mule.’ Jay used to work for DIA and support CYBERCOM; now he makes wargames and does research on ICS and cyber stuff. Jay and Nina drink bourbon as a hobby and both have Russian Blue cats.


Taking Over Millions of Accounts from Abandoned Startups

Dylan Ayrey

Millions of accounts can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. I demonstrated this by logging into accounts that did not belong to me — Google told me this is working as intended.

This is due to the combination of these facts:

  • 6 million people in the US currently work for tech startups
  • 90% of tech startups end
  • 50% of those startups use Google Workspaces

These facts matter because Google login doesn’t protect against someone purchasing a failed startup’s domain and logging in as former employees. I went through Crunchbase’s startup dataset and found over 100,000 domains currently available for purchase from failed startups.

I purchased one of these domains and found logging into all of the following services dropped me into old employee accounts rather than making new accounts:

  • ChatGPT
  • Slack
  • Notion
  • Zoom
  • HR systems (containing social security numbers)
  • More…

I’ll dig into why this is a growing problem and why there is no clear solution without the support from Google.

Dylan Ayrey (@InsecureNature) is the original author of the open source version of TruffleHog, which he built after recognizing just how common credentials and other secrets were exposed in Git. Coming most recently from the Netflix security team, Dylan has spoken at a number of popular information security conferences, including DEF CON and Black Hat. The popularity of TruffleHog, and growing need for services like it, led him to co-found Truffle Security which builds on top of TruffleHog.


TaskMooster

TBA

What happens when you gather 4 hackers together to complete silly tasks, rank their execution, and see who ends up with the most points at the end? Taskmooster, that’s what. Inspired by the UK game show Taskmaster, TaskMooster is ShmooCon’s take here stateside. What? You haven’t heard of Taskmaster? Seriously, stop reading this program right now and go watch at least one episode. All seasons are available to stream on YouTube, and it’s totally binge-worthy.

Come join the contestants at the start and end of the con as they watch how their tasks went and get graded by our very own TaskMooster.

Contestants:

  • TBA

The Tech That Fought Back: How I Turned My Rejected ShmooCon Talk into a Democracy-Saving Research Project for the 2024 U.S. Election

Andrew Schoka

Just how hackable are our elections? In 2024, malign actors spent over half a billion dollars to figure that out. So, we built a research platform to track their progress.

What we found was lax security practices, outdated websites, and Frankensteinian tech stacks in thousands of campaigns and party offices across the country. From tens of thousands of breached passwords to campaign infrastructure with hundreds of exposed private files, it turns out that the only thing malign actors need to compromise a swing-state party website is a web browser and an email account.

This talk tells the story of what came next–how we learned to responsibly disclose vulnerabilities to thousands of campaigns, build partnerships with industry vendors and non-profits, and navigate the chaotic world of election security. I’ll cover technical solutions that enabled large-scale breach detection and proactive defense, as well as the deeply human side of convincing overwhelmed, underfunded campaign teams to act. From the process of crafting an Election Threat Report that garnered national headlines to watching vulnerable systems transform into hardened defenses, this talk highlights the challenges, lessons, and surprising successes of protecting democracy in real time.

Andrew Schoka is a former U.S. Army Cyber Warfare Officer and is currently a graduate student at the University of Virginia. He served in a variety of offensive cyber operations assignments with the Election Security Group at U.S. Cyber Command and later with U.S. Special Operations Command. Andrew is the co-founder of an election cybersecurity startup and teaches a graduate course on cybersecurity at the University of Virginia School of Engineering. He holds a bachelor’s degree in systems engineering from Virginia Tech, a master’s degree in cybersecurity from Georgia Tech, and a number of industry security certifications.


Tracking the Triad Nexus: Investigating FUNNULL CDN’s Role in Global Fraud and Money Laundering

Noah Plotkin

Silent Push Threat Analysts have been tracking a vast web of criminal activity hosted on FUNNULL, a Chinese content delivery network (CDN), for over two years. This cluster, dubbed “Triad Nexus,” encompasses investment scams, gambling sites tied to money laundering, and phishing attacks on luxury brands. Our research highlights thousands of domain generation algorithm (DGA) domains used for fraudulent purposes, connections to Suncity Group and Lazarus Group, and even a JavaScript supply chain attack impacting over 110,000 websites. This talk will showcase Silent Push’s methodologies for identifying malicious infrastructure, provide actionable insights into FUNNULL’s operations, and outline key TTPs tied to financial and gaming fraud campaigns.

Noah Plotkin is a Senior Solutions Engineer at Silent Push with 5 years of experience in Cyber Threat Intelligence. Previously, he worked at Recorded Future and FTI Consulting. Noah is passionate about the intersection of technology and international affairs and is dedicated to continually expanding his technical expertise while deepening his understanding of CTI.


The UN Cybercrime Treaty is Final, Here’s What You Need to Know

Kurt Opsahl

In August 2024, over the objections of many civil society groups, the United Nations finalized the text of the draft international Convention on Cybercrime, which it intends to be adopted by a member state near you starting in 2025, superseding existing law. In the years since I last presented on the treaty, there have been many changes, some good, but many issues remain. This presentation will provide an overview of the cybercrime treaty, explain how and why the proposed provisions will affect security researchers and cybersecurity professionals, and dive into the serious civil liberties and human rights concerns with the text. While the cybercrime treaty is moving forward with momentum, there remain ways for it to get better or worse. We will also cover your opportunities to push back or mitigate its effects.

Kurt Opsahl (@kurtopsahl) is the Associate General Counsel for Cybersecurity and Civil Liberties Policy for the Filecoin Foundation. Formerly, Opsahl was the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation and continues to work with EFF as a Special Counsel. He is a member of the CISA Cybersecurity Advisory Committee’s Technical Advisory Council, the Open Archive Advisory Board, the Zcash Community Advisory Panel, and the Security Researchers Legal Defense Fund’s Board.


Windows Projected File System — The Reality Stone

Casey Smith

Windows Projected File System (ProjFS), a free built-in feature, allows you to create virtual placeholder files that appear real to applications but only provide content when accessed, making it excellent for deception. We can present what appears to be a large collection of interesting files without actually storing them. Further, when an attacker attempts to access these files, ProjFS can log and alert on access attempts while also returning dynamic or fake content based on the request properties: process, user, time of day, etc. This is easily done without requiring significant storage space for the fake files and has minimal system performance impact. You can see details about interactions with these files from user mode, not the kernel, making this feature easy to deploy at scale. In December 2024, our team built and released an Open Source Canarytoken called Windows Fake File System. It lets teams quickly deploy and monitor fake files. This talk will showcase what a Projected File System is, why it is reliable, and how you can use it to build Deception Frameworks. We hope this talk drives interest and innovation in this space. We think it can be a powerful Defender primitive.
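As an added illustration of the mechanism the abstract describes (this is not code from the talk or from Thinkst's Windows Fake File System release): a minimal ProjFS provider in C that projects one decoy file, logs the triggering process on every callback, and picks the bytes it serves from the process image name. The root path C:\Decoys, the decoy name passwords.xlsx, the canary strings, and the process names treated as noise or as interactive shells are assumptions for illustration. The ProjFS calls need Windows with the optional ProjFS feature enabled and ProjectedFSLib.lib; the two policy functions have no Windows dependency and compile anywhere.

```c
/* Added example, not code from the talk or from Thinkst's release. Assumed:
 * root C:\Decoys, decoy name, canary strings, process-name policy below.
 * Windows build (ProjFS feature on): cl projfs_decoy.c ole32.lib ProjectedFSLib.lib */
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

#define DECOY_NAME L"passwords.xlsx"   /* assumed decoy file name */
/* Both bodies must have the same length: the size is fixed when the placeholder
 * is created, before we know which process will eventually read it. */
static const char DECOY_REAL[]  = "user,password\nadmin,<canary-A>\n";
static const char DECOY_SHELL[] = "user,password\nadmin,<canary-B>\n";

/* Case-insensitive suffix test on the image path ProjFS hands us (may be NULL). */
static int ends_with_ci(const wchar_t *s, const wchar_t *suffix)
{
    size_t n = s ? wcslen(s) : 0, m = wcslen(suffix);
    if (n < m) return 0;
    for (s += n - m; *suffix; s++, suffix++)
        if (towlower((wint_t)*s) != towlower((wint_t)*suffix)) return 0;
    return 1;
}

/* 1 = raise an alert; 0 = expected background noise (assumed: the search indexer). */
int decoy_is_alert(const wchar_t *image)
{
    return !ends_with_ci(image, L"\\searchprotocolhost.exe");
}

/* Serve a different canary to interactive shells, so the token that later
 * shows up tells you which path the data left by. */
const char *decoy_content(const wchar_t *image)
{
    if (ends_with_ci(image, L"\\cmd.exe") || ends_with_ci(image, L"\\powershell.exe"))
        return DECOY_SHELL;
    return DECOY_REAL;
}

#ifdef _WIN32
#include <windows.h>
#include <projectedfslib.h>

static int enum_done;   /* demo simplification: one directory enumeration at a time */

/* Every callback carries the requesting PID and image path; log them from user mode. */
static void log_access(const PRJ_CALLBACK_DATA *d, const char *op)
{
    fprintf(stderr, "[%s] path=%ls pid=%lu image=%ls%s\n", op, d->FilePathName,
            (unsigned long)d->TriggeringProcessId,
            d->TriggeringProcessImageFileName ? d->TriggeringProcessImageFileName : L"?",
            decoy_is_alert(d->TriggeringProcessImageFileName) ? " ALERT" : "");
}

static void decoy_basic_info(PRJ_FILE_BASIC_INFO *b)
{
    memset(b, 0, sizeof *b);
    b->FileSize = (INT64)strlen(DECOY_REAL);
    b->FileAttributes = FILE_ATTRIBUTE_NORMAL;
}

static HRESULT CALLBACK start_enum(const PRJ_CALLBACK_DATA *d, const GUID *id)
{ (void)d; (void)id; enum_done = 0; return S_OK; }
static HRESULT CALLBACK end_enum(const PRJ_CALLBACK_DATA *d, const GUID *id)
{ (void)d; (void)id; return S_OK; }

/* Directory listing: the root contains exactly one virtual entry, stored nowhere. */
static HRESULT CALLBACK get_enum(const PRJ_CALLBACK_DATA *d, const GUID *id,
                                 PCWSTR search, PRJ_DIR_ENTRY_BUFFER_HANDLE buf)
{
    PRJ_FILE_BASIC_INFO b;
    (void)id;
    if (d->Flags & PRJ_CB_DATA_FLAG_ENUM_RESTART_SCAN) enum_done = 0;
    if (enum_done || d->FilePathName[0] != L'\0') return S_OK;
    log_access(d, "enum");
    if (search && !PrjFileNameMatch(DECOY_NAME, search)) { enum_done = 1; return S_OK; }
    decoy_basic_info(&b);
    if (SUCCEEDED(PrjFillDirEntryBuffer(DECOY_NAME, &b, buf))) enum_done = 1;
    return S_OK;
}

/* First open of the decoy: hand ProjFS the metadata for the placeholder. */
static HRESULT CALLBACK get_placeholder(const PRJ_CALLBACK_DATA *d)
{
    PRJ_PLACEHOLDER_INFO info;
    log_access(d, "open");
    if (!PrjFileNameMatch(d->FilePathName, DECOY_NAME))
        return HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
    memset(&info, 0, sizeof info);
    decoy_basic_info(&info.FileBasicInfo);
    return PrjWritePlaceholderInfo(d->NamespaceVirtualizationContext, d->FilePathName,
                                   &info, sizeof info);
}

/* First read: content is chosen per triggering process, then hydrated to disk. */
static HRESULT CALLBACK get_file_data(const PRJ_CALLBACK_DATA *d, UINT64 off, UINT32 len)
{
    const char *body = decoy_content(d->TriggeringProcessImageFileName);
    size_t total = strlen(body);
    void *buf;
    HRESULT hr;
    log_access(d, "read");
    if (off >= total) return S_OK;
    if (off + len > total) len = (UINT32)(total - off);
    buf = PrjAllocateAlignedBuffer(d->NamespaceVirtualizationContext, len);
    if (!buf) return E_OUTOFMEMORY;
    memcpy(buf, body + off, len);
    hr = PrjWriteFileData(d->NamespaceVirtualizationContext, &d->DataStreamId, buf, off, len);
    PrjFreeAlignedBuffer(buf);
    return hr;
}

int main(void)
{
    static const wchar_t root[] = L"C:\\Decoys";   /* assumed virtualization root */
    PRJ_CALLBACKS cb;
    PRJ_NAMESPACE_VIRTUALIZATION_CONTEXT ctx;
    GUID id;
    HRESULT hr;
    CreateDirectoryW(root, NULL);
    CoCreateGuid(&id);
    PrjMarkDirectoryAsPlaceholder(root, NULL, NULL, &id);   /* no-op if already marked */
    memset(&cb, 0, sizeof cb);
    cb.StartDirectoryEnumerationCallback = start_enum;
    cb.EndDirectoryEnumerationCallback   = end_enum;
    cb.GetDirectoryEnumerationCallback   = get_enum;
    cb.GetPlaceholderInfoCallback        = get_placeholder;
    cb.GetFileDataCallback               = get_file_data;
    hr = PrjStartVirtualizing(root, &cb, NULL, NULL, &ctx);
    if (FAILED(hr)) { fprintf(stderr, "PrjStartVirtualizing: 0x%08lx\n", (unsigned long)hr); return 1; }
    printf("Projecting %ls; press Enter to stop.\n", root);
    getchar();
    PrjStopVirtualizing(ctx);
    return 0;
}
#endif
```

Two caveats a deployment has to deal with. Once GetFileData has served the bytes, ProjFS hydrates the file on disk and later opens no longer reach this callback, so continuous logging needs the provider's NotificationCallback (registered for PRJ_NOTIFY_FILE_OPENED) rather than the data callbacks alone. And the per-process content trick only works because the placeholder's size is fixed up front, which is why both canary bodies above are the same length.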

Casey Smith is a Senior Researcher with Thinkst Canary. He has a passion for understanding and testing the limits of defensive systems.