Keynote

Professor Neil Gershenfeld

Prof. Neil Gershenfeld is the Director of MIT’s Center for Bits and Atoms. His unique laboratory is breaking down boundaries between the digital and physical worlds, from creating molecular quantum computers to virtuosic musical instruments. Technology from his lab has been seen and used in settings including New York’s Museum of Modern Art and rural Indian villages, the White House and the World Economic Forum, inner-city community centers and automobile safety systems, Las Vegas shows, and Sami herds. He is the author of numerous technical publications, patents, and books including Fab, When Things Start To Think, The Nature of Mathematical Modeling, and The Physics of Information Technology, and has been featured in media such as The New York Times, The Economist, NPR, CNN, and PBS. He is a Fellow of the American Physical Society, has been named one of Scientific American’s 50 leaders in science and technology, one of 40 Modern-Day Leonardos by the Museum of Science and Industry, and one of Popular Mechanics’ 25 Makers, has been selected as a CNN/Time/Fortune Principal Voice, and by Prospect/Foreign Policy as one of the top 100 public intellectuals. Dr. Gershenfeld has a BA in Physics with High Honors from Swarthmore College, a Ph.D. in Applied Physics from Cornell University, and honorary doctorates from Swarthmore College, Strathclyde University and the University of Antwerp; he was a Junior Fellow of the Harvard University Society of Fellows and a member of the research staff at Bell Labs.


Closing Plenary: Information Security Programs in Academia

Matt Blaze (moderator), Greg Conti, Rick Forno, and Jeff Foster

As information security grows nearly exponentially, it’s hard to remember back 15 years to a time when the industry was just starting to take off. At that time, most of the individuals in this industry were self-taught with respect to this discipline, and there were only a handful of information security programs in academia. Contrast that with today, where there are hundreds of programs across the nation with new ones springing up every semester. As far as academia goes, that kind of growth is incredibly fast: building a curriculum, finding professors, and filling the pipeline with students can take decades as new disciplines emerge. However, in the case of information security, academia has been put into the position of “building the bus while going down the road.”

This panel will examine the current state of information security programs in academia. The panelists will discuss issues around dealing with administration and the peculiarities of information security, the current state of information security research, attracting and vetting students, and generally what it’s like to be growing the next generation of information security professionals.

Matt Blaze (moderator) is a professor at the University of Pennsylvania, where he studies cryptography, secure systems, surveillance, physical security, and public policy.

Gregory Conti (@cyberbgone) is an Associate Professor and served as Director of the Army Cyber Institute at West Point. He is the author of Security Data Visualization (No Starch Press) and Googling Security (Addison-Wesley), as well as approximately 75 articles and papers covering cyber conflict, online privacy, information security education, and security data visualization. He has spoken at numerous security conferences, including Black Hat, DEF CON, CyCon, HOPE, Interz0ne, ShmooCon, and RSA.

Dr. Richard Forno directs the Graduate Cybersecurity Program, serves as the Assistant Director of UMBC’s Center for Cybersecurity, and is a Junior Affiliate Scholar at the Stanford Law School’s Center for Internet and Society (CIS). His twenty-year career spans the government, military, and private sector, including helping build a formal cybersecurity program for the US House of Representatives, serving as the first Chief Security Officer for the InterNIC, and co-founding the CyberMaryland conference. Richard was also one of the early thought leaders on the subject of “information warfare” and he remains a longtime commentator on the influence of Internet technology upon society.

Jeffrey S. Foster is Professor and Associate Chair for Graduate Education in the Department of Computer Science at the University of Maryland, College Park. Jeff received the Ph.D. in Computer Science from the University of California, Berkeley. Jeff’s research focuses on developing programming languages and software engineering approaches to making software easier to write, more reliable, and more secure. Some of his recent efforts include improving security and privacy on Android; developing type systems for Ruby; exploring program synthesis for automatically constructing program code from specifications; and creating new approaches to safely update software at run time.


Users Are People Too: How to Make Your Tools Not Suck for Humans

Gillian Andrews and Sara Sinclair Brody

As a technologist you craft systems that are reliable, scalable, and maintainable. As a security specialist you think adversarially and poke holes in every apparatus you encounter, be it technical, social, or socio-technical. These skills are orthogonal to the ones that good user-experience (UX) designers employ in making software that is usable by “average” people, which is probably why so many security tools suck. In this talk you’ll see why your approach to designing software interfaces is broken, get a window into how professionals would make it better, and learn scrappy techniques that even the most awkward infosec nerd can use to make their software suck less for real users.

Gillian “Gus” Andrews is Senior Usability Research Fellow at Simply Secure, continuing work she did on security usability at OpenITP. Her doctorate at Teachers College explored user misunderstandings of search. She has helped organize the HOPE conference and been a panelist on Off The Hook. She produces The Media Show, a series about digital literacy.

Sara “Scout” Sinclair Brody is Executive Director at Simply Secure. She earned her CS PhD from Dartmouth College on “Access Control In and For The Real World”. She previously worked as a Product Manager at Google, where she contributed to 2-step verification and the Android operating system, among other projects.


Using the Algebraic Eraser to Secure Low-Power and Passive IoT Devices

Derek Atkins

The Algebraic Eraser (AE) is a Group Theoretic Public-Key Cryptosystem originally published in 2006 and designed specifically to work in constrained devices with limited CPU and power capabilities such as RFID and Internet of Things (IoT) devices. Algebraic Eraser Diffie-Hellman (AEDH) provides a key-agreement protocol that performs significantly better than ECC at the same security level in both hardware and software. One hardware implementation in 65nm CMOS performs 60-200 times better than ECC in terms of speed and power usage. An ARM-based IoT implementation performed 60 times faster. And an FPGA implementation performs over 200 times faster using 400 times less power. Moreover, the basic building block of AE, called E-Multiplication, can be used to create a Hash, Block Cipher, PRNG, Stream Cipher, and a Signature Algorithm. Using AEDH we can add a proof-of-possession public-key authentication into extremely small devices like IoT and RFID and use that technology in identifying and authenticating objects to which the device is attached. This talk will present AEDH, the underlying math, and show how we’re using AEDH to create an authentication and anti-counterfeiting solution.

Derek Atkins is the Chief Technology Officer at SecureRF Corporation. He specializes in architecting, designing, developing, and deploying network and systems security applications. Previously he was a Senior Member of Technical Staff at Mocana Corporation, Senior Principal Software Engineer at Symantec (formerly PGP Corporation), Senior Research Scientist at Telcordia Technologies (Bellcore), Chief Technology Officer at Arepa, Inc. (Into Networks) and a member of the technical staff at Sun Microsystems. He is active in the IETF and ISO standards bodies and has chaired multiple IETF Working Groups. He received his Bachelor’s and Master’s degrees from MIT.


Crypto and Quantum and Post Quantum

Jean-Philippe Aumasson

This is an extension of my DEFCON 23 talk “Quantum computers vs computers security” where I’ll tell you more about the recent 1000-qubit processor and about postquantum crypto’s latest developments. I’ll also tell you how today’s encryption systems are affected (PGP, TLS, OTR, and others) and what you should do if you believe that quantum computers will soon be working.

Jean-Philippe (JP) Aumasson (@veorq) is Principal Cryptographer at Kudelski Security, in Switzerland. He designed the popular cryptographic functions BLAKE2 and SipHash, and the new authenticated cipher NORX. He has spoken at Black Hat, DEFCON, RSA, CCC, SyScan, CHES. He initiated the Crypto Coding Standard and the Password Hashing Competition projects. He co-wrote the 2015 book “The Hash Function BLAKE”.


Building an Encyclopedia of Malware Configs (to punch miscreants)

Jon Bambenek

According to VirusTotal, almost 500,000 unique malware samples are seen by them every day. That doesn’t include all the malware VirusTotal doesn’t see. The sheer deluge of unique malware samples makes it difficult for incident responders to keep up and protect their networks. Even more difficult is the task for investigators and law enforcement of keeping up with the size and number of command-and-control networks and criminal operations.

The size and scope of malware may seem daunting, but these repositories can be mined for intelligence in a programmatic way to build not only threat intelligence feeds for current threats, but a historical encyclopedia for attacks seen in previous months and years. The ability to correlate attacks and malicious infrastructure historically has opened up new methods to attribute attackers and to support long-term disruptive activity.

This talk will discuss how a massive historical intelligence database can be used to correlate historical attacks and what possibilities this kind of analysis holds. The audience will come away with the knowledge of how to build a system of their own, what open source tools and repositories are available for defenders, and the basics of how to apply threat intelligence techniques to automated threat data collection of this type.

John Bambenek (@bambenek) is a Sr. Threat Analyst at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters, and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.


Containing an Attack with Linux Containers and AppArmor/SELinux

Jay Beale

In the system hardening space, we’ve been using chroot jails to contain compromised programs. These jails were better than nothing, but were easily escaped by many attackers. As Linux containers become more mature, we can use them to replace these jails. This talk will teach you how to use Linux Containers, through both Docker and Ubuntu’s new LXD, to create far better jails for programs, containing their compromise. You will leave this demo-heavy talk immediately able to use both technologies to create containers for both attack containment and to rapidly develop and host software.

Jay Beale (@jaybeale) has created several defensive security tools, including Bastille Linux and the CIS Linux Scoring Tool, both of which have been used throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the “Stealing the Network” series. Jay is a founder and serves as both the Chief Technology Officer and Chief Operating Officer of the information security consulting company, InGuardians.


OSX Vulnerability Research and Why We Wrote Our Own Debugger

Tyler Bohan and Brandon Edwards

Although OSX has had a large gain in popularity, its underlying workings are still unknown to many. In this talk we will discuss OSX internals and how they relate to security research. Specifically, we will discuss the debugging functionality provided (or missing) on OSX, how it differs from other platforms, and why the resulting state of tools (LLDB) is unwieldy for many security research tasks on modern OSX. For this talk we will open source our private OSX Python scriptable debugger as a lightweight, easy-to-use programmatic alternative to the awkwardness of LLDB scripting. We will showcase the advantages of a proper scriptable debugger along with features not seen in LLDB, and demonstrate examples for vulnerability research and malware analysis.

Brandon Edwards and Tyler Bohan work as security researchers for BAE Systems, where they work on vulnerability analysis and mitigation. Their backgrounds include reverse-engineering, vulnerability discovery, exploitation, and development.


The Road to SYSTEM: Recycling Old Vulnerabilities for Unpatched Privilege Escalation and A New Network Attack

Stephen Breen

Microsoft Windows has a long history of outstanding security vulnerabilities that many of us in the security industry are well aware of. Microsoft has released advisories with mitigations for some of these vulnerabilities; however, due to compatibility, performance, and time/budget constraints, these mitigations are often not deployed consistently.

In this project we take advantage of a number of these issues to develop a local privilege escalation exploit for Microsoft Windows that is safe and reliable for Windows versions through 8.1 (further testing pending). Microsoft’s security team was informed on 9/22/2015 and has not responded to date. Exploit code in C# will be released in coordination with the talk.

Inspired by one of the steps in the above PoC, a second technique will be discussed that allows NBNS spoofing attacks across network broadcast domains. Code for this will be released as a feature-addition to the popular “Responder” tool.

Stephen Breen is a Principal Consultant with the Offensive Security and Red Team at NTT Com Security and a member of the FoxGlove Security team. His time is split between delivering high-end penetration testing engagements and R&D that is inspired by real-world experience. Stephen has been dabbling in infosec since before it was called infosec, ever since his Windows 95 machine was DoS’d by an IRC skiddie using the “Ping of Death”. On paper, he has an academic and development background, with a Master’s in CS from McGill University, and performed development and operations roles before getting into the security industry.


AVLeak: Turning Antivirus Emulators Inside Out

Alex Bulazel

AVLeak is a tool for fingerprinting consumer antivirus emulators through automated black box testing. AVLeak can be used to extract information from AV emulators that may be used to detect their presence and evade detection, including environmental artifacts, OS API behavioral inconsistencies, emulation of network connectivity, timing inconsistencies, and CPU emulator “red pills”.

These artifacts of emulation may be discovered through painstaking, time-consuming binary reverse engineering, or through black box testing with malware that conditionally chooses to unpack or not unpack based on its emulated environment. The current state of the art in black box AV emulator fingerprinting is a lot like handwriting SQL injection queries with a web browser, while AVLeak is like using SQLmap.

In this presentation I’ll demo AVLeak in use, and show real world artifacts derived using the tool that can be used to detect popular consumer AV emulators.

Alexei Bulazel is a recent graduate of Rensselaer Polytechnic Institute (RPI). At RPI he played CTFs with RPISEC and hosted an experimental music radio show on WRPI.


LostPass: Pixel-perfect LastPass Phishing

Sean Cassidy

LastPass holds all of your secrets. Its login prompts and alerts occur within the browser window, which attackers can control. When the victim visits the target site–which can look completely inconspicuous, such as a news website–a LastPass notification will appear after a delay if the user has LastPass installed, prompting the user to log in because their session has expired. The login screen, which always appears within the browser window, is customized for each browser and operating system to appear pixel perfect. This sends the user’s credentials to the attacker, and the user can then be prompted for two-factor authentication if required. The attacker can then use the LastPass API to remotely download and decrypt all passwords, credit cards, and secure notes. The LostPass tool will be presented for download.

Sean (@sean_a_cassidy) is the CTO of Praesidio, a cloud-based cybersecurity startup that secures financial institutions. He has written numerous open source tools and guides and has been in the infosec community for over a decade.


No Easy Breach: Challenges and Lessons Learned from an Epic Investigation

Matt Dunwoody and Nick Carr

Every IR presents unique challenges. But–when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day–the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.

Matt Dunwoody (@matthewdunwoody) and Nick Carr (@itsreallynick) are incident responders at Mandiant, specializing in digital forensics and network analysis. Matt has several years of experience as a technical lead for large-scale IR engagements and high-tech crime investigations. Nick has experience in computer security and intelligence roles and previously served as Chief Technical Analyst and incident response team lead for DHS ICS-CERT, focusing on SCADA systems and critical infrastructure cyber attack readiness and response.


Software Security by the Numbers

Chris Eng

Every industry faces the challenge of securing software, so why do some industries “get it” while others struggle to manage the problem at scale? In this session, we will share data drawn from over 200,000 application assessments performed via Veracode’s cloud platform over an 18-month period. This is the largest data set of its kind, and it provides unique insight into the state of software security. Attendees can use this information to benchmark their AppSec program against peers, answering key questions such as:

  1. Do I have more serious vulnerabilities than my peers?
  2. What percentage of vulnerabilities do my peers remediate?
  3. How many of our applications should pass the OWASP Top 10 when initially assessed?
  4. What are the most common vulnerabilities in our vertical?
  5. How do coding vulnerabilities manifest across different programming languages?

Chris Eng (@chriseng) is vice president of research at Veracode. Throughout his career, he has led projects breaking, building, and defending software for some of the world’s largest companies. He is an unabashed supporter of the Oxford comma and hates it when you use the word ask as a noun.


#thingswikfound #omarax: What is it, and why you may care?

Jaime Filson

#thingswikfound #omarax is a by-product of hunting for phishing and other badness on the internet. Each day I scan over 2 million newly created domains from a wide range of TLDs, locating everything from 8XX tech support scams to brand-name phishing attempts.

Now I understand that scanning the internet for these things isn’t new in general, but I promise you that my approach is different (and at the very least an entertaining story).

Jaime ‘WiK’ Filson (@jaimefilson) is a Research Engineer on the Talos team at Cisco Systems, Inc. He enjoys long walks on the beach and has problems sleeping unless his computer is busy downloading, scanning, fuzzing, or cracking something.


Where Do the Phishers Live? Collecting Phishers’ Geographic Locations from Automated Honeypots

Robbie Gallagher

We’ve taken a novel approach to automating the determination of a phisher’s geographic location. With the help of Markov chains, we craft honeypot responses to phishers’ emails in an attempt to beat them at their own game. We’ll examine the underlying concepts, implementation of the system, and reveal some of the results from our ongoing experiment.

Robbie Gallagher is a security engineer with Atlassian in Austin, Texas. He received his bachelor’s degree in applied computing technology from Colorado State University, and has spent the past few years focusing on web application security and static analysis. In his free time, Robbie enjoys running, biking, economics, and coffee.


Breaking Bulbs Briskly by Bogus Broadcasts

Joseph Hall and Ben Ramsey

Smart energy and building automation are powerful technologies with significant promise. Unfortunately, the global rush to connect as many devices to the network as possible leads to unintended vulnerabilities. The ability to physically damage hardware by abusing network access is particularly interesting. This talk has two goals: 1) introduce an open source tool for pen-testing proprietary Z-Wave wireless automation networks and 2) discuss a rapid process for destroying fluorescent lights. Frustrated at the lack of functionality in current Z-Wave hacking tools, we introduce a tool called EZ-Wave. Once access is gained to an automated lighting system, regardless of the protocol used, we demonstrate how to destroy fluorescent lamps rated for 30K hours within a single night of abuse.

Joseph Hall has eight years of experience in information security management. Eager to get his hands dirty, he focused his attention on investigating Z-Wave over the past year.

Ben Ramsey has been hacking networks for over a decade; he finds it therapeutic.


Making Milware: An Interdisciplinary Tryst

Trey Herr and Eric Armbrust

How can political and computer science get together to make something beautiful? The pervasive development and deployment of malicious software by states presents a new challenge for the information security and policy communities because of the resource advantage and legal status of governments. The difference between state and non-state authored code is typically described in vague terms of sophistication, contributing to the inaccurate confirmation bias of many that states simply ‘do it better.’ This talk presents work to describe how state authored code is demonstrably different from that written by non-state actors. We examine a collection of malware samples which, through existing analytic techniques, have been attributed to a mix of state and non-state actors. Reviewing technical information available in the public domain for each sample, and reverse-engineering a subset, we determine that there is a set of criteria by which state authored code can be differentiated from the conventional malware of non-state groups. We’ll talk about our findings, the interdisciplinary magic that got us here, and what comes next.

Trey is a researcher with the Cyber Security Policy and Research Institute as well as a PhD Candidate in Political Science at GWU. He is also a non-resident fellow at New America’s Cybersecurity Initiative and works on malware, regulatory policy, and risk modeling.

Eric is a junior in Computer Science and International Affairs at GWU. He is also an amateur OS and exploit developer who began tinkering with assembly with the crazy idea that it would be ‘fun.’ At GWU he works on breaking things and putting them back together.


Speak Security and Enter: Better Ways to Communicate with Non-Technical Users

Jessy Irwin

Every day, passionate security professionals encounter a common problem: after bringing a student or colleague up to speed on best practices, it feels like nothing stuck. Why does this happen? And how can we change it up to get better outcomes? This talk will help IT and security professionals find common ground with non-technical users. In addition to sharing people-friendly metaphors, it will give attendees a solid set of communication strategies, and approaches to educate the average user about the mindset behind security to develop secure behaviors. And yes–spoiler alert–there will definitely be some Lord of the Rings involved!

Jessy Irwin lives in San Francisco, and is Security Empress at AgileBits, makers of 1Password. Her work focuses on security awareness and end-user education for nontechnical audiences. She is a prolific writer, regular speaker, and outspoken advocate for stronger privacy and security protections in schools and education technology software.


LTE Security and Protocol Exploits

Roger Piqueras Jover

Long Term Evolution (LTE) is the newest standard being deployed globally for mobile communications. Despite the well understood security flaws of legacy 2G networks, which lack mutual authentication and implement an outdated encryption algorithm, LTE is generally considered secure given its mutual authentication and strong encryption scheme. To this day, the main cellular vulnerabilities being exploited in most IMSI catchers and stingrays are based on 2G base stations. Nevertheless, rogue base stations and protocol exploits are also possible in LTE. Before the authentication and encryption steps of a connection are executed, a mobile device engages in a substantial exchange of messages with *any* LTE base station (real or rogue) that advertises itself with the right broadcast information. And this broadcast information is sent in the clear and can be easily sniffed. This talk overviews my work on LTE protocol exploits ranging from full-LTE IMSI catchers, blocking of the SIM or the device until device reboot, severe battery drain, location leaks and low-power jamming. Some of these exploits have been previously released in some form and some others have not, such as a new way to track devices as they hand over from tower to tower.

Roger Piqueras Jover is a Wireless Security Research Scientist on the Security Architecture team of Bloomberg LP. Prior to that, he spent 5 years as Principal Member of Technical Staff at the AT&T Security Research Center. His work focuses on LTE mobile network security, protocol exploits and exploring the security of anything that communicates wirelessly.


Online, No One Knows You’re Dead

Andrew Kalat

Most hackers have a massive digital footprint: social media, servers at co-location sites, servers at home, overly-complicated IT infrastructure, and various other IT gear connected in crazy ways. What happens when one of us suddenly dies? How do our loved ones pick up the pieces, figure out all of the random IT crap that we’ve set up, and move forward? This talk explores the challenges, opportunities, and lessons learned as I aided in figuring out the IT gear after the passing of a dear friend to the hacking community, HackerJoe, aka Michael Hamelin. I will share details of the challenges Michael’s widow and I faced, how we overcame them, and advice to better prepare your loved ones if you were to suddenly shake off the mortal coil…

Andrew Kalat (@Lerg) has been in the information security field for over 20 years. He has worked in many roles, including operations, architecture, sales engineering, and consulting. He currently works for a financial company as a security architect and is the co-host of the Defensive Security podcast with Jerry Bell.


Reverse-Engineering Wireless SCADA Systems

Karl Koscher

Over the past few years, interest in ICS/SCADA systems security has grown immensely. However, most of this interest has been focused on IP-connected SCADA networks, largely ignoring numerous deployments relying on other technologies such as wireless serial links. In this talk, I’ll introduce a new GNU Radio module which lets you sniff SCADA networks that use a popular RF modem for their communications. I’ll also describe the process of reverse-engineering the proprietary RF protocol used. Finally, I’ll talk about the higher-layer protocols used in SCADA networks, including ModBus and DNP3, demonstrate how we are able to monitor the (unencrypted and unauthenticated) sensing and control systems used by a large electricity distribution network, and discuss some of its implications.

Karl is a postdoctoral researcher at the University of California San Diego where he specializes in embedded systems security. In 2011, he and his collaborators were the first to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels. In addition to breaking systems, he also works on creating tools and technologies to enable developers to automatically find (and fix) potential security vulnerabilities in their embedded systems. Since earning his ham license in 2014 (and later upgrading to Amateur Extra), he has become interested in many aspects of wireless communications.


This Message Will Self-Destruct in 10 Seconds: Avoiding Bilateral Enucleation

3AlarmLampscooter

Are you a Bond villain, whistle-blower, clandestine operative, secret courier, paranoid schizophrenic or generally sketchy character who wants the ability to make your data go up in a puff of smoke at the drop of a hat when the bad guys close in? This talk will focus on implementing practical, low cost, and not entirely unsafe mobile data destruction solutions for your hopefully imaginary needs. Going beyond Shane Lawson, Bruce Potter, and Deviant Ollam’s 3U rackmount requirements from DEFCON 19 for obliterating hard drives and building on zoz’s work presented at DEFCON 23, the objective of destructive focus shifts from hard drives to NAND flash with a strong focus on minimizing and containing reactive reagents likely to cause irreparable ocular mutilation by utilizing the latest high performance composites from the construction trades in an ultra-compact form factor. If that isn’t enough fancy buzzwords for you, I’ll throw in a free mission-critical stovepipe for one lucky attendee!

3AlarmLampscooter is an enigmatic armored mammal of the genus homo sapiens sapiens sapiens troglodytae found in caves and tunnels across the southeastern United States. As moderator of /r/Neutron, 3AlarmLampscooter’s activities include making lame physics jokes, *not* importing tritium in instant coffee bags from Thailand for DEFCON 23 Black Badges, developing 3D printed construction materials, and advocating transhumanism.


Political Pwnage: The Hacker’s Guide to Cybersecurity Policy

Nick Leiserson and Jen Ellis

In 2015, 74 bills containing the term “cybersecurity” were introduced in Congress; the Library of Congress approved a security research exemption for the DMCA; the President signed two cybersecurity-related Executive Orders; and various Government agencies debated how to control exports of intrusion technologies. This trend will continue in 2016 as more breaches and vulnerabilities hit the headlines, and technology continues to become more pervasive in our lives.

Government policy impacts our community, and as experts in a field that is complex and often misunderstood, we need to educate lawmakers and to help them reach positive outcomes, and mitigate negative ones. This talk will provide an overview of the legislative landscape for cybersecurity and investigate how it really affects our industry and community.

We will also give security pros a chance to hear directly from a Congressional staffer who focuses on cybersecurity issues. Nick Leiserson, cybersecurity lead for Congressman Jim Langevin (D-RI), will be interviewed by Jen Ellis, VP of public affairs at Rapid7, on potential legislative developments, how the security community can get involved in the debate, and what the process is for creating cybersecurity legislation.

Nick Leiserson is the cybersecurity lead for Representative Jim Langevin (D-RI), and the co-lead staff for the Congressional Cyber Caucus. He works extensively on cybersecurity policy, with a strong focus on national security and consumer safety.

Jen Ellis is Vice President of Community and Public Affairs at Rapid7 and spends most of her time trying to positively shape policy that may impact the security community. She also works extensively with security researchers to help get the word out about threats so they can be properly understood and mitigated. She has testified to Congress as an expert witness on the CFAA.


Penetration Testing Custom TLS Stacks

Alex Moneger

With the ever-growing number of attacks against SSL/TLS, quick turnaround time is required to write proof-of-concept code to test new attacks. Extending existing TLS stacks to implement such code is difficult and error prone. Due to that need, we developed an offensive-focused TLS stack which allows one to quickly prototype attacks against all elements of the stack (protocol, crypto, certificates, …).

scapy-ssl_tls is an offensive TLS stack which lives above scapy. I will demonstrate how to look for protocol and crypto related flaws in custom TLS stacks, and how to quickly build prototypes.

Alex Moneger enjoys working on security which relates to bits and bytes such as cryptography, exploit development, fuzzing and binary instrumentation. He has presented at several security conferences (Defcon, Nuit Du Hack, Seccon) on the above topics. Overall, his interests in security topics are too broad for the time he has available. He also writes (numstitch, fuzzmon) and contributes to open-source security tools (scapy-ssl_tls, afl, …). In his day job, he works for Citrix Systems, taking care of product security.


You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement

Greg Conti (moderator), Mara Tam, Vincenzo Iozzo, Jeff Moss, and Randy Wheeler

‘[E]very speaker, every writer, every practitioner in the field of cyber security who has wished that its topic, and us with it, were taken seriously has gotten their wish…. “[W]e” and the cyber security issue have never been more at the forefront of policy. And you ain’t seen nothing yet.’ — Dan Geer, “Cybersecurity as Realpolitik”

We still haven’t. The regulatory and policy landscape around information security is expanding and shifting rapidly. Challenges faced by the community in this arena are many and multiplying. So too for policy-makers and regulators.

While the current climate may be exceptional, this is far from the first time information security has been the subject of policy debates, or the object of regulatory intervention. Over the past four decades, relations between government officials and security practitioners might reasonably have been expected to improve and mature … so why haven’t they? And how should we handle the upcoming regulatory challenges that the industry will face?

This panel brings together over a century of experience to examine participation of the security research community in policy formation and regulatory affairs: what works, what doesn’t, what’s next, and what you can do to help.

MARA TAM is the Director of Government Affairs at HackerOne.

VINCENZO IOZZO is an Entrepreneur in Residence at Rakoku Holdings.

JEFF MOSS is the founder of DEF CON and Black Hat, a non-resident fellow for the Atlantic Council’s Cyber Statecraft Initiative, and member of the U.S. Department of Homeland Security Advisory Council.

CATHERINE “RANDY” WHEELER is the Director of the IT Controls Division in the U.S. Dept. of Commerce’s Bureau of Industry and Security.

GREGORY CONTI (moderator) (@cyberbgone) is an Associate Professor and served as Director of the Army Cyber Institute at West Point.


Ask the EFF

Kurt Opsahl, Andrew Crocker, Bill Buddington, and Eva Galperin

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA surveillance and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology projects to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it’s your chance to ask EFF questions about the law and technology issues that are important to you.

The Electronic Frontier Foundation (@EFF) is the leading nonprofit organization defending civil liberties in the digital world. EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. Nate Cardozo and Kurt Opsahl are attorneys who work on EFF’s Coders’ Rights Project, which builds on EFF’s longstanding work protecting security researchers through education, legal defense, amicus briefs, and involvement in the community with the goal of promoting innovation and safeguarding the rights of curious tinkerers and hackers.


Be Free, Little GuardBunny!

Kristin Paget

A few years ago I had cause to do some research into RFID “shielding” wallets, and decided that most of them weren’t very good. Even the good ones could be disabled by simply increasing power; I came away thoroughly unimpressed with the entire concept.

I thought about it for a bit, and then came up with GuardBunny. It prevents RFID tags from being read in a different way – by jamming the reader with its own energy. In its current form GuardBunny provides decent protection but it isn’t perfect, and I feel bad letting it sit alone and unloved solely because I haven’t the time to work on improvements. Instead, I’m open-sourcing it in the hope that someone else can develop it further. This talk will discuss what GuardBunny is, walk through its functional and electrical theories of operation, list its weaknesses and explore possible solutions to them. I’ll also drop a bunch of tips about how to productize it (if that’s your thing), and open-source all of the schematics and gerber files – I may even have some samples to hand out.

Be free, tiny bunny! Go play with the moose! :)

Kristin Paget (@KristinPaget) has never had fun writing a bio, so she’s always a bit unsure what to put in this section of a CFP submission. She has to write something or you’ll be disappointed, but to her it always feels a little immodest to advertise herself like that. So, instead of using this space to try and fluff her feathers up enough to make you want to go and see her talk, she would instead like to invite you to find out more about her through appropriate use of two tools: Google, and fruity vodka drinks :)


Hiding from the Investigator: Understanding OS X and iOS Code Signing to Hide Data

Joshua Pitts

To hide data from the forensic practitioner you need to exploit either a gap in their knowledge, their processes, and/or their tools. This is a talk about all three in regards to Apple OS X and iOS code signing. Much research has been conducted around code signing with respect to preventing malicious code execution at binary load time. This is strictly about forensics, binary tampering, and data smuggling.

Josh Pitts (@midnite_runr) likes to write code that patches code with other code via The Backdoor Factory. Sometimes this leads to the discovery of funny bugs and to Russians patching stuff over the Internet. He has worked for the military, the US government, private consulting, and startups doing pentesting, defending networks, designing secure systems, and breaking security products.


Resistance is Futile: SDN Assimilating Our Networks

Sarah Rees and Jonathan Medina

In the age of an “Internet of Things,” centralized control over a wide variety of devices is creeping down from the clouds and into our everyday lives. Software Defined Networking (SDN) is replacing traditional networks at some of the biggest names in the tech industry. Google, Microsoft, Facebook, Yahoo, Amazon, and AT&T are utilizing SDN for its advanced flexibility and automated network control. Unfortunately, some functions of SDN and the OpenFlow protocol should be raising significant security concerns, both for current cloud implementations and for the proposed ISP presence in home networks. The framework the protocol uses to communicate is susceptible to disruption, interception and undetected manipulation. Using a little Python ingenuity, the foundation of an SDN can be compromised on the southbound interface, where data flows originate and interact with the controller. While SDN offers amazing possibilities in secure networking, there is a dark side as well. This discussion brings to light the security issues and advantages that SDN provides, and security imperatives for implementation of SDN within enterprise networks.

Jon and Sarah are both highly technical nerds at their very core. Jon is a Network Security Engineer who focuses on networks and virtualization, and Sarah is a Cisco Instructor who would love nothing more than to explain the finer points of complex networking. Both have well over a decade of experience in commercial and government networks, with numerous pretty certificates on their walls. Together, this unlikely duo has decided to take on the stigma that security folks and network folks don’t play well together.


Attack on Titans: A Survey of New Attacks Against Big Data and Machine Learning

Andrew Ruef and Rock Stevens

Big Data Analytics and Machine Learning are pervasive in the decision-making processes of major corporations and governments around the world. This fact introduces a new opportunity and attack vector for hackers — instead of stealing data, attackers can potentially influence or control the decisions of their victims. In our talk we highlight the poor decisions that developers make in their code that enable attackers to drastically skew machine learning models, deliver denial of service attacks, or outright gain remote code execution. We’ll target applications such as Apache Hadoop with a throwback attack from 2001 and kick the doors open on OpenCV using automatic vulnerability discovery techniques. We’ll also recommend a plausible dynamic defense against our novel attacks.

Andrew Ruef is a PhD student at the University of Maryland, College Park, advised by Michael Hicks. Ruef is also a researcher at Trail of Bits and is interested in reverse engineering and program analysis.

Rock Stevens (@ada95ftw) began working in IT as an under-paid network administrator at the age of 15. He was selected as a 2015 Madison Policy Forum Military-Business Cybersecurity Fellow and is currently pursuing a master’s degree in Computer Science at the University of Maryland College Park.


Exploiting Memory Corruption Vulnerabilities on the FreeRTOS Operating System

Joel Sandin

The platforms powering the growth of the Internet-of-Things include tried-and-true embedded Real-Time Operating Systems (RTOSes). These lean OSes are designed for performance and reliability, but they force application developers to use C and often lack the exploit mitigations implemented in consumer OSes. This unforgiving environment places the burden of security entirely on the programmer and makes the risk of memory corruption vulnerabilities on these increasingly ubiquitous systems very real.

This talk will focus on FreeRTOS as an example of an RTOS that has seen widespread adoption by vendors and developers for the IoT. We will present security-relevant internals of the OS, put common memory corruption vulnerabilities in context, explain the steps an attacker can take to achieve reliable exploitation, and make recommendations that can help developers build more secure systems. This research is based on experience code reviewing, fuzzing, and developing attacks against both vendor SDKs and open-source libraries.

Attendees will understand the risks facing users of this new class of devices. Pentesters will learn how to review applications built for this operating system and determine the impact of bugs they identify. Defensive security practitioners will get an inside look at attacks against software written for this platform.

Joel works as an independent security researcher and has recently focused on security in embedded systems. He was previously a Senior Security Consultant for Matasano Security (part of NCC Group). Before joining Matasano’s consulting team, he worked in the Network Safety and Network Security groups at Akamai Technologies, where he helped build and maintain distributed systems for security monitoring and defense.

Credit and thanks to Siavash of NCC Group for suggesting Real-time Operating Systems as a research area. Siavash’s research interests include the security of embedded systems and software defined networks, machine learning, malware analysis and wireless sensor networks.


My Hash is My Passport: Understanding Web and Mobile Authentication

David Schuetz

The great thing about standards is there are so many to choose from. That’s especially true in the realm of web and mobile application authentication. From Base-64 to OAuth, there are nearly as many ways to send your password to a server as there are ways to store that password.

But how do these work? Is any one system better than another, and if so, why?

Application testers need to understand how an app authenticates, in order to properly assess risk. Developers need to be able to make good design decisions. And end users may wonder just how safe their password really is online.

This talk explains, with simple examples, how some of the most frequently-seen authentication systems work. It identifies the characteristics of an “ideal” authentication system, compares the common methods against that ideal, and demonstrates how to verify that they’ve been implemented correctly.

Finally, the talk will demonstrate a tool which can help make it easier to identify, test, and verify these systems.

David (@DarthNull) is a Senior Consultant with NCC Group, where he performs web and iOS application security testing, iOS research, MDM reverse engineering, and other such fun. He’s honored to have spoken at multiple security conferences on topics from rainbow tables to iOS and MDM to puzzle contests. When not actively engaged in paying work, David loves solving crypto puzzles, working on side projects like KhanFu, and playing Ingress.


Hacking The Wireless World — Software Defined Radio Exploits

Balint Seeber

This presentation will explore how you can survey the wireless world of the radio spectrum to get an idea of the signals around you, and decode transmissions that can be received by pointing an antenna towards satellites in space. Both are accomplished using Software Defined Radio and open source software, and emphasis is placed on the security (or lack thereof) in these communications systems.

Using a drone, you can create your very own airborne RF surveying platform, so that you can fly your SDR payload through routes, and to altitudes, that you cannot normally access. Using open source tools and embedded hardware, you can gain greater visibility into the spatial deployment of different wireless protocols, and therefore where to mount an aerial RF attack, or fortify your defenses.

Looking then beyond these terrestrial signals, with a decent satellite dish, it is possible to demodulate and decode signals sent down from geostationary ‘birds’ – often thought to be out of reach. The development of a GNU Radio-based INMARSAT Aero channel decoder will be shown, so you can read aircraft communications from space, and more. This will cover tips and techniques that can be employed to reverse engineer wireless signals in general.

A software engineer by training, Balint is a perpetual hacker, the Director of Vulnerability Research at Bastille Networks, and the guy behind spench.net. His passion is Software Defined Radio and discovering all that can be decoded from the ether, as well as extracting interesting information from lesser-known data sources and visualising them in novel ways. When not receiving electromagnetic radiation, he likes to develop interactive web apps for presenting spatial data. Originally from Australia, he moved to the United States in 2012 to pursue his love of SDR as the Applications Specialist and SDR Evangelist at Ettus Research.


0wn the Con

The Shmoo Group

For eleven years, we’ve chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the breakdown of the budget, an insight into the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon, and anything else you might want to talk about. This is an informative, fast paced, and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though, if you ever wanted to know How, When, or Why when it comes to ShmooCon you shouldn’t miss this. Or go ahead and do. It’ll be online later anyway.

The Shmoo Group is the leading force behind ShmooCon. Together with our amazing volunteers we bring you ShmooCon. It truly is a group effort.


(P|G)Ohst Exploitation

Carl Vincent

This talk focuses on showcasing examples of the Go programming language being utilized to rapidly prototype, and ultimately maintain, software designed to perform common or useful post-exploitation tasks. Source code for each feature will be provided, and is intended to emphasize the limited amount of code and code familiarity required to construct relatively complex payloads capable of performing offensive security tasks, either in an automated or a fully autonomous context.

Carl is a Customer Solutions Consultant for the recently consolidated Cisco Security Solutions group, where he performs a variety of security assessment types. As an information security professional, as well as a personal hobbyist, his passion is to continually research ever more elaborate methods of elegantly executed hypothetical crime.


Gatekeeper Exposed

Patrick Wardle

Gatekeeper is an anti-malware feature baked directly into OS X. Its single goal is to block the execution of untrusted code from the internet. Apple boldly claims that because of Gatekeeper, both trojans and tampered downloads are generically blocked. So hooray! Mac users are all secure…right? Well, perhaps not :/

Until now, there has been little technical information about Gatekeeper’s closed-source internals. This talk seeks to remedy this by exposing the inner workings of Gatekeeper and, more broadly, delving into the concept of quarantined files. We’ll also discuss architectural limitations of Gatekeeper (CVE-2015-3715, CVE-2015-7024), which were discovered during my reversing efforts. Both vulnerabilities could trivially be abused to allow for the execution of malicious unsigned binaries from the internet. In other words: complete Gatekeeper FAIL.

As all reported issues are now patched, this provides an opportunity for some ‘patch analysis’ to determine if the underlying causes were fully addressed. Finally, the talk will conclude by illustrating how such bypasses could have been fully and generically thwarted from day one.

Patrick Wardle (@patrickwardle) is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes OS X security tools.


Compressed Context Based Analytic Results for Use in Computer Vision System for Network Defense

Rob Weiss and John Eberhardt

John & Rob have been developing interesting ideas in how to present large analytic results to analysts for making decisions in defending their networks. This idea is an evolution of a talk presented at THOTCON & CarolinaCon last year and development John & Rob have done over the past 4 years on streaming network analytics.

We have developed a concept to provide the output network data and analytics through mathematically driven visualizations. In this example, we show 1024 analytics in a 16 by 16 pixel BMP. This is a capability to store 4 analytic results in 1 pixel; each pixel has a context and tells a story. Utilizing a Hilbert space-filling curve to plot each pixel in the BMP, this story-context lends itself to representing a computer network architecture very well, as each octet of the network address space can be plotted in a 16 by 16 grid, and the grid can be updated in real time to show time (like the Grateful Dead). The analytic results are used to create a single BMP every 5 seconds. We then apply a computer vision algorithm to send alerts to the analyst when the change in the results meets their criteria for alert generation. This conveys the context-based story of the changes to the network over time to the analyst, helping them better defend their network.

Rob Weiss (@3XPlo1T2) is a senior systems engineer at G2 with over 24 years of experience in government and commercial markets. He started with Legos and is now a tool builder and problem solver. He currently performs information security research for G2, looking for hard problems to solve.

John Eberhardt (@JohnSEberhardt3) is a Data Scientist at 3E Services with 20 years of quantitative problem solving and a penchant for trying to decipher symbolism in obscure 16th century literature. John has experience in analytical problem solving in healthcare, life sciences, security, financial services, consumer products, and transportation.


Static Malware and SMTP Mail Analysis using General Purpose Graphical Processing Units (GPGPU)

Rick Wesson

Explore a base level problem in static malware analysis, that we have too many samples to analyze, by leveraging the parallelization of GPGPUs — an advantage is gained by moving the problem into the visual plane and solving similarity by texture analysis in parallel.

I’ve clustered a few hundred million PEs by organizing them by how they “look.” Debugging is accompanied by making movies of the visualization. The real utility of the art is speed. A malware sample can be analyzed in an average of 33 milliseconds. Leveraging CPUs for scheduling, one can accommodate 32 threads scheduling analysis on a GPGPU, providing two methods of parallelization in two architectures — win!

I will explore why the algorithms are slower on newer hardware and what changed in silicon over time, providing speedups for both older and newer hardware.

Rick Wesson (KK6IOG) is a farmer and reformed coder. Between moving rocks on his seven-acre urban farm in the Bay Area, he prefers to study manufacturing firearms, brewing beer and direct current brain stimulation. Mr Wesson has served on ICANN’s Security and Stability committee for 15 years. He serves as a member of the Board for Groundwork Richmond, which focuses on teaching at-risk youth nutrition, agriculture and technology. Groundwork Richmond is committed to planting trees with wifi antennas to both beautify the community and provide free wifi to low income residents. Mr Wesson is Dyslexic and is a founding member of the Bay Area DEN, Network of Dyslexic Entrepreneurs.