Keynote

Donna F. Dodson

Donna F. Dodson is the Chief Cybersecurity Advisor for the National Institute of Standards and Technology (NIST). She is also the Director of NIST’s National Cybersecurity Center of Excellence (NCCoE).

Donna oversees ITL’s cyber security program to conduct research, development and outreach necessary to provide standards, guidelines, tools, metrics and practices to protect the information and communication infrastructure. In addition, Donna guides ITL programs to support both national and international security standards activities. She recently led the establishment of the NIST NCCoE. Through partnerships with state and local governments and industry, the NCCoE collaborates with industry sectors to accelerate the widespread adoption of standards-based cyber security tools and technologies.

Donna’s research interests include applied cryptography, key management, authentication and security testing. She has led technical teams to produce standards, guidelines and tools in each of these areas.

Donna received two Department of Commerce Gold Medals and three NIST Bronze Medals. She was a Fed 100 Award winner for her innovations in cybersecurity and in 2011 was included in the top 10 influential people in government information security. Recently, Donna was recognized as one of DC’s Top 50 Women in Tech.


ShmooCon Debates

Wendy Nather, Jack Daniel, Jack Gavigan, Elizabeth Wharton, and Bruce Potter (moderator)

Four players, one moderator, two topics, and a bunch of unknowns.

A few weeks ago we armed our players with two topics and asked them to research both sides. At the start of the hour they will draw a card out of a hat, letting them know which topic and which side of the argument they will be representing. Meant to be fun? Yes. But also a somewhat serious and (hopefully) educated look into some hot subjects of infosec debate.

The Players: Wendy Nather, Jack Daniel, Jack Gavigan, Elizabeth Wharton

The Moderator: Bruce Potter

Format:
4 minutes for each side to give a statement
2 minutes for each side to follow up
Who goes first is decided by a coin toss
10 minutes for open discussion of topic amongst all players and audience.

Topics in Depth:

Crypto Currency – Fad or Future
Crypto currencies like Bitcoin and Litecoin have taken the world by storm. Global networks of increasing power and sophistication support more and more use cases for transactions of all kinds. Supporters of these new digital currencies laud the decentralized and pseudo-anonymous nature of these financial systems. Detractors scoff at the price volatility and power consumption of the coin networks.

Consumer IOT Security – Controlling the Climate or Burning Down the House
We’ve been hearing concerns about the security of consumer IOT devices for years. While small, cloud connected devices have the potential to revolutionize everything from home automation to our personal health to how we care for our pets, there seems to be a never-ending list of vulnerabilities associated with these devices. Some say we’re turning a corner and the sophistication of the products is increasing. Others say this is a never-ending battle and as more devices go online, the less secure we get.

Wendy Nather (@wendynather) is Principal Security Strategist at Duo Security, and wants to be Jack Daniel when she grows up.

Jack Daniel (@jack_daniel) is the host organism for Jack’s Beard and wants to be Wendy Nather *if* he grows up.

Jack Gavigan (@JackGavigan) has a background in info security and financial technology, and worked with a bunch of banks before joining the team behind the Zcash cryptocurrency. He likes steak and Old Fashioneds, and in his spare time, he trafficks chocolates from London to the US.

Elizabeth (Liz) Wharton (@LawyerLiz) is the Senior Assistant City Attorney (City of Atlanta) responsible for technology projects and policies on behalf of Atlanta and the world’s busiest airport Hartsfield-Jackson Atlanta International Airport. In her spare time she chats drones, IoT, and infosec as host of the “Buzz Off with Lawyer Liz” Radio Show & Podcast. No, she doesn’t have any pull with TSA and she doesn’t know how to find your lost luggage.

Bruce Potter (@gdead) is the CISO at Expel and spends most of his time instructing people on the correct pronunciation of CISO (it’s “ciz-oh”).


Profiling and Detecting all Things SSL with JA3

John Althouse and Jeff Atkinson

JA3 is an open source SSL/TLS client fingerprinting tool developed by John Althouse, Josh Atkins, and Jeff Atkinson. Since its release a few months ago in a blog post, it has gained wide adoption across the industry and we’ve seen conference talks highlighting its features. However, there’s been some confusion about its capabilities and how best to utilize it. So, then, it’s about time we do a talk on JA3 and what it can really do.

In this talk we will show the benefits of SSL fingerprinting, JA3’s capabilities, and how best to utilize it in your detection and response operations. We will show how to utilize JA3 to find and detect SSL malware on your network. Imagine detecting every Meterpreter shell, regardless of C2 and without the need for SSL interception. We will also announce JA3S, JA3 for SSL server fingerprinting. Imagine detecting every Metasploit Multi Handler or [REDACTED] C2s on AWS. Then we’ll tie it all together, making you armed to the teeth for detecting all things SSL.

John Althouse (@4A4133) is a (self proclaimed) Detection Scientist, firmly believing there’s a way to detect anything. A Bro enthusiast (the NSM). A PC master builder (AIOs are for normies). And a Race Track Instructor (I wanna go fast).

Jeff Atkinson is a security engineer with over 15 years focused on Information Security. Experienced in Incident Response, Threat Intelligence, and Malware Analysis, Jeff brings a unique perspective on defense strategies. While working in both the private and public sectors and at Fortune 50 companies, he deployed scalable custom network monitoring solutions, always including his favorite tool, Bro.


Cyberlaw: Year in Review

Steve Black

A (slightly irreverent) look at the most important laws, cases, regulations, and legally relevant (or, in some cases, irrelevant) cybersecurity issues during the most recent year–and maybe a little farther back if the item is particularly outrageous. Just the basic topic and fundamental principles are highlighted–most original legal texts are so complex–who would read them all the way through?

Prior to moving to Texas, Professor Steve Black (@legalh4ck3r) taught at BYU, UNH, LSU, Syracuse University, the University of Idaho, and the University of Washington. He focuses on cyberlaw, entrepreneurship, and tax issues. He has presented around the world and has been named a Visiting Scholar at the National University of Singapore. Professor Black has been cited in Forbes, and his articles have been published in leading national law journals. He recently began writing for the blog, “Legal Hacker.” He has degrees in tax, law, and mathematics, began coding at age 12, works with startups, and is teaching himself the ukulele.


Electronic Voting in 2018: Threat or Menace

Matt Blaze, Joe Hall, Margaret MacAlpine, and Harri Hursti

Modern electronic voting systems were introduced in the US at large scale after the passage of the 2002 Help America Vote Act. Almost from the moment they appeared, serious questions have been raised about the security and integrity of these systems. This talk will review the architecture of current E-voting systems, the security risks and attack surfaces inherent in these designs, the risks to back-end systems (which are often connected to the Internet), and viable alternatives that can mitigate these risks. In particular, we will review the findings of the two most comprehensive studies of E-voting systems done to date: the 2007 California and Ohio reviews (in which the authors participated) as well as the 2017 Defcon Voting Village (which the authors organized). We will also discuss how two important techniques–precinct-counted optical scan and risk limiting audits–can effectively mitigate many of the vulnerabilities inherent in e-voting.

Matt Blaze (@mattblaze), Joe Hall (@JoeBeOne), Margaret MacAlpine (@MaggieMacAlpine), and Harri Hursti were organizers of the Defcon Voting Machine Hacking Village and were also part of the 2007 California and Ohio “top to bottom” voting studies.


AWS Honey Tokens with SPACECRAB

Dan Bourke

Honeytokens are really useful. AWS tokens are also really useful, for you and your attackers. Together, they fight crime.

Well, they let you know a crime is happening, which is similar, I guess.

I’ll talk about SPACECRAB which lets you deploy a lot of AWS honey tokens with relatively little effort, and also what I learned from posting AWS keys on the internet repeatedly. I can’t tell you what I learned in this abstract because I haven’t done it yet. Stay tuned.

Dan Bourke is a security intelligence analyst at Atlassian and has no idea what goes in a con bio. He enjoys bunnies, edge cases and writing in the third person.


When CAN CANT

Tim Brom and Mitchell Johnson

The Controller Area Network (CAN) bus has been mandated in all cars sold in the United States since 2008. But CAN is terrible in many unique and disturbing ways. CAN has served as a convenient punching bag for automotive security researchers for a plethora of reasons, but all of the available analysis tools share a shortcoming. They invariably use a microcontroller with a built-in CAN peripheral that automatically takes care of the low-level (ISO layer 1 and 2) communication details, and ensures that the CAN peripheral plays nicely and behaves at those low levels. However, a good hardware hacker understands that the sole purpose of the electron is to be bent to our will, and breaking assumptions by making “That CANT happen!” happen is a surefire way to find bugs.

CANT is a (partial) CAN bus peripheral implemented in software that allows security researchers to exercise the electrical bus-level error handling capability of CAN devices. The ability to selectively attack specific ECUs in a manner that is not detectable by automotive IDS/IPS systems (see ICS-ALERT-17-209-01) is invaluable to automotive security researchers as more automakers integrate advanced security measures into their vehicles.

Tim Brom (@b1tbane) and Mitchell Johnson (@ehntoo) are security researchers at GRIMM, specializing in automotive vulnerability research. Their background includes specialized embedded software development, with a particular focus on the automotive and safety industries, as well as experience in other sectors including safety critical aerospace and industrial control systems. They have contributed extensively to GRIMM’s open source “CanCat” CAN bus reverse engineering tool and to “3PO,” GRIMM’s mobile auto-hacking demonstration. Tim has also published on car hacking tools and techniques, such as the recent Macchina M2.


Catch Me If You Can: A Decade of Evasive Malware Attack and Defense

Alexei Bulazel and Bülent Yener

In this presentation we take a look at over a decade of research into the cat-and-mouse game of evasive malware vs. automated malware analysis systems. While the challenge of evasive malware is well known, few have ever comprehensively looked at the problem. We survey almost two hundred scholarly works, industry presentations, and studies of malware in the wild over the past decade to understand how we got to where we are today, and where this battle is going.

This presentation will systematically review i) malware evasion techniques used against automated dynamic malware analysis systems, ii) evasive behavior detection, and iii) evasion mitigation. We conclude by discussing future directions in both offensive and defensive research and novel ways of thinking about these problems that may help security practitioners.

Alexei Bulazel is a security researcher with River Loop Security. He has previously presented at venues such as Black Hat, ShmooCon, DeepSec/ROOTS, and USENIX WOOT, among others. A recent graduate of Rensselaer Polytechnic Institute (RPI), Alexei worked under Dr. Bülent Yener on developing anti-emulation techniques for malware.


OK Google, Tell Me About Myself

Lisa Chang

With the rise in leaks of our personal information, most of us are well-educated about the dos and don’ts of protecting our personal data. However, we don’t always realize that the “innocuous” data that we allow companies to collect can still be used to gather valuable insight into our daily lives.

I will discuss how I used Data Science and Machine Learning techniques on my personal location tracking data to infer where I live, work, shop, and vacation. Knowing these significant locations, I was able to create a queryable record of my location at any time and day (for example: at home, at work, on vacation, away from home). This compilation of my history then enabled me to answer questions about average commute times, days when I did not follow my usual routine, and to predict, for example, what days and times I would most likely be at the grocery store.

I conclude the presentation with some thoughts on how this approach could allow businesses and organizations to subtly change the ways they interact with us, while we remain none-the-wiser.

Lisa Chang is a Data Scientist and Software Engineer at Praxis Engineering. She enjoys playing with data and teaching Data Science to others. In the past, she worked in the engine oil, fiber optics, nuclear, and semiconductor industries before she discovered computers and began solving Natural Language problems. She is still hoping to become someone who knows a lot about one thing (but so far has only succeeded in knowing a little about a lot of things).


Time Signature Based Matching for Data Fusion and Coordination Detection in Cyber Relevant Logs

Lauren Deason

The ability to detect automated behavior within cyber relevant log data is a useful tool for the network defender, as malicious activity executed by scripts or bots is likely to leave behind identifiable traces in logs. This paper presents a methodology for detecting certain types of automated activity within logs based on matching observed temporal patterns. This methodology is scalable, overcoming the infeasibility of brute force methods to identify groups of nearest neighbors in large datasets by implementing a locality sensitive hashing algorithm. This coordination detection methodology applied to cyber relevant log data can be used to develop features for input into further analysis such as anomaly detection to flag potentially malicious activity or unsupervised clustering to characterize classes of automated behavior. Alternatively, the methodology could be used as a means to fuse together disparate data sources by generating a ‘temporal signature’ key and allowing for fuzzy matching on this key. Examples of each type of application are presented using a dataset of billions of records of netflow data.

Dr. Lauren Deason is a data scientist at PUNCH Cyber Analytics Group and has been working for over two years on DARPA’s Network Defense program, developing algorithms to automatically flag suspicious activity based on various cyber relevant logs. Prior to becoming a data scientist, she worked for over a decade as an International Trade Economist and a Math Instructor. She holds a PhD in Economics from University of Maryland, College Park, an MA in Mathematics from University of California, Berkeley, and a BS in Applied Mathematics from University of Virginia.


ODA: A Collaborative, Open Source Reversing Platform in the Cloud

Anthony DeRosa and Bill Davis

When a new globally menacing piece of malware is detected, consider how many separate efforts are launched to reverse the same binary, with teams of researchers all around the world working redundantly, creating the same functions, comments, and annotations. This gratuitous duplication of effort stems from the lack of good collaboration tools for reverse engineering. We can solve this problem with a tool for distributed collaboration–a tool that combines the project management capabilities of GitHub with the collaboration features of Google Docs and the analytical power of IDA Pro.

ODA (onlinedisassembler.com) is a reverse engineering platform that provides a collaborative reversing experience hosted in the cloud. With ODA, groups of people can collaborate on reversing the same binary and share their contributions in real time. ODA seeks to become “GitHub and Google Docs meets IDA Pro.”

Up until now, ODA has been a closed source effort. At ShmooCon 2018 we are open sourcing the entire code base and announcing several new features. This talk introduces the audience to the features and design of ODA, demonstrates new features, and presents a roadmap for the future, which can only be achieved with the help of the open source community.

Anthony DeRosa is the founder of Syscall 7, a software consulting firm in the Baltimore region. He created ODA because he was tired of setting up entire toolchains to disassemble small snippets of binary code for less common processor architectures. He hopes to see ODA become the next generation reversing platform with the help of the open source community.

Bill Davis spends his days moving bytes from databases to web browsers. By creating a centralized hub for reverse engineering, he believes the community can leverage the power of collaboration to identify and combat new threats more efficiently.


Running a Marathon Without Breaking a Sweat? Forensic Manipulation of Fitness App Data.

Mika Devonshire

Hard core athletes and wannabes alike use the Strava app to track their runs, bikes, swims, and more. Most athletes compete, nay, fight to the death for the top “leaderboard” spot on a given segment of a run. Want to be the fastest down the Mall? Want to outpace professional marathon runners in the Marine Corps Marathon? Without ever tying your shoe laces?

Let me show you the hacker’s way up the leaderboard. By examining and manipulating the GPX file format, scraping and inserting geolocation data, and using good old command line utilities I will show you how to craft a Gold Medal performance — and make you the envy of all the “elite” runners around you. This talk highlights the absence of data validation in the file upload feature of mainstream fitness tracking tools. And opens the floor to a broader discussion of expectations, reality, competition, and fraud.

Mika Devonshire (@cybermeeks) is an offensive cyber systems engineer at BAE Systems. Prior to BAE, Ms. Devonshire served on the internal security team at Silent Circle, a Swiss-owned encrypted communications firm, and as Product Manager of a mobile authentication app at MicroStrategy. Ms. Devonshire holds a Masters in Digital Forensics from George Washington University, and a Bachelors in Comparative Literature from Princeton. She holds several certifications including Network+, Security+, and CEH and is currently pursuing her OSCP.


The Friedman Tombstone — A Cipher in Arlington National Cemetery

Elonka Dunin

Elonka Dunin, known for her website on the World’s Most Famous Unsolved Codes, discovered a cipher on one of the tombstones in Arlington National Cemetery. Not just any tombstone, it’s that of William and Elizebeth Friedman, two giants in the field of cryptanalysis. In fact, William Friedman coined the term “cryptanalysis”, and also “index of coincidence”. Elizebeth, who had taught William about cryptography in the first place, had an astonishing career cracking the codes of Nazis, drug smugglers, and rum-runners. They also wrote a book together examining and debunking the theories about whether William Shakespeare really wrote his own works. How did a geneticist and a Shakespearean scholar come to meet, and then have careers which grew and became the foundation of what is today known as the National Security Agency? How did they hide a cipher on their tombstone which remained undiscovered for so many years, and was found in the year that is the 100-year anniversary of their marriage? Tune in and find out!

Elonka Dunin (@ElonkaDunin), game developer and USAF veteran, has a deep and varied interest in cryptography. Her elonka.com website with the world’s most famous unsolved codes has received millions of visitors, and bestselling author Dan Brown (“Da Vinci Code”) named a character after her in one of his novels. Since 2012 she has been a Director of the National Cryptologic Museum Foundation, and is actively involved with the plans for a new museum. She is also co-founder of a group working to crack the Kryptos sculpture at CIA Headquarters, and a lifetime member of the International Game Developers Association.


Skill Building By Revisiting Past CVEs

Sandra Escandor-O’Keefe

Revisiting past CVEs can be a useful tool for finding patterns, increasing our critical thinking, gaining knowledge of techniques that have been used before, and building the skills to eventually contribute to the wider security community. In addition, when a known exploit already exists for a CVE and our experiments yield different results from that exploit, we must practice our critical thinking skills to determine the source of the discrepancies and whether any unstated assumptions exist. This talk outlines the motivation for revisiting past CVEs, and some strategies for developing our vulnerability hunting and exploit creation skills, in the context of CVE-2013-5576.

Sandra Escandor-O’Keefe (@s3scand0r) has been working in the tech industry for almost 7 years–5 years as a Software Developer, and close to two years as a Security Engineer, currently at Fastly. She enjoys learning about vulnerability scanning techniques, cryptography, and cloud security.


Blink for Your Password, Blink Away Your Civil Rights?

Wendy Knox Everette

You’re arrested and your phone is held up to your face to be unlocked by the arresting officer, then sent to a forensics lab. Dystopian future or one where FaceID collides with weak self-incrimination protections for biometrics? This talk will explain how your 4th and 5th Amendment rights interact with advances in biometric technology. Along the way it will offer design suggestions for creators of mobile devices and tips to end users.

Wendy Knox Everette (@wendyck) is a hacker lawyer who works as an Information Security Counsel for First Information Technology Services. She began her career as a software developer at Amazon.com and Google, before going to law school, where she focused on national security law and computer security issues. She interned with the FTC, FCC, and several other three letter agencies, before completing a fellowship with ZwillGen in Washington, D.C., and then moving to Washington State where she advises companies on risk and security regulations.


Someone is Lying to You on the Internet–Using Analytics to Find Bot Submissions in the FCC Net Neutrality Submissions

Leah Figueroa

The FCC is trying to ram through anti-net neutrality legislation and is using the submissions from its call for comments. There were more than 22 million comments submitted in approximately three months dealing with net neutrality, many supporting an anti-net neutrality stance, but something is rotten in the state of the US. Other researchers have posited that there are bots and false submissions, but they used tools not commonly available to everyone.

In this case, using open source ingesters developed in house and freely available on GitHub, we pulled in all of the comments and used analytics to see whether this was really the true story. When looking at the raw total number of comments, the majority fall into the anti-neutrality camp. However, after refining comments to include only those submitted via the FCC website (as opposed to those which were submitted via the FCC provided API for bulk submissions) the extreme opposite is true. People who submitted comments directly to the FCC website are overwhelmingly in support of net neutrality regulations. This talk reviews the journey to this conclusion.

Leah Figueroa is a 14-year veteran of the data analytics field and works at Gravwell as Lead Data Engineer. She holds a Master’s in Education, an ABD in research psychology, and has taught kindergarten. A data aficionado, Leah enjoys working in various areas of data, while still remaining passionate about her crusade to improve student data security. Leah also enjoys being a fiber artist (knitter) and loves cats, InfoSec, picking locks, cooking, and reading.


Don’t Ignore GDPR; It Matters Now!

Thomas Fischer

With GDPR coming into effect on May 25, 2018, any organization handling EU citizens’ personal data should be prepared to comply with stricter privacy regulations or be ready to pay fines of up to four percent of their global annual revenue or €20,000,000. This is a substantial penalty for non-compliant companies, and it does not apply only to companies based in Europe — it’s for ALL companies globally who do business in the EU. With just months remaining, the clock is ticking on companies to be compliant. Let’s explore what is covered by GDPR and how it may impact your organisation, answering questions such as: do I need to have a DPO; I don’t do business directly in the EU, so when does GDPR affect me; what data is affected? While a compliance theme has been pushed by vendors, we will cover why GDPR is not about compliance but about changing key processes and procedures such as incident response.

With over 25 years’ experience, Thomas Fischer (@FVT) has a unique view on security in the enterprise, with experience in multiple domains from risk management and secure development to incident response and forensics. Thomas has held roles ranging from incident responder to security architect at Fortune 500 companies, industry vendors and consulting organizations. Thomas currently plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. Thomas is also an active participant in the infosec community, not only as a member but also as director of Security BSides London and ISSA UK chapter board member.


Nation-State Espionage: Hunting Multi-Platform APTs on a Global Scale

Mike Flossman, Eva Galperin, and Cooper Quintin

As the modern threat landscape evolves, so have the players. Cyber-warfare has become so profitable that even lesser resourced nations are entering the arena. This talk will discuss an advanced persistent threat (APT) nation-state actor (to be named later) who is exploiting targets globally across multiple platforms, including mobile devices.

Eva Galperin (@evacide) and Cooper Quintin (@cooperq) are with the Electronic Frontier Foundation (@EFF)–the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.

Michael Flossman (@terminalrift) is a security researcher at Lookout where he works on reverse engineering sophisticated mobile threats while tracking their evolution, the campaigns they are used in, and the actors behind them.


CertGraph: A Tool to Crawl the Graph of SSL Certificate Alternate Names using Certificate Transparency

Ian Foster

SSL Certificates and Certificate Authorities are the backbone of how secure communication works online for most secure protocols these days. This has worked well for quite some time, but fails when you can no longer trust the Certificate Authorities, as we have seen when they are breached or misbehave. Certificate Transparency was created as a way to allow anyone to publicly audit the behavior of a Certificate Authority to solve this problem, and it does just that. But Certificate Transparency also has less well known, unintended privacy side effects, both for the end user and for the server’s organization. After covering the background of how Certificate Transparency works, I will tell you what you need to know to protect yourself and your organization. Finally I introduce CertGraph, a new tool being developed to uncover and enumerate domains hiding in SSL certificate Alternative Names. CertGraph crawls internet accessible certificates through exposed hosts and Certificate Transparency logs, creating a visual graph of certificates and domains. CertGraph has already been used to identify internal and public domains an organization may not want to be public knowledge, to enumerate hosts for an organization and its related partners, and to find misconfigured SSL certificates issued for incorrect domains.

Ian Foster (@lanrat) enjoys researching systems and networking problems and solutions in an effort to make the world more secure. He has published research papers analyzing the new gTLD land rush and crawling and parsing most WHOIS records. His work ranges from demonstrating how insecure aftermarket OBD “dongles” can be used to compromise and take over automobiles, to measuring the paths an email traverses online with encryption in an effort to increase integrity, authenticity, and confidentiality, and more. During the day Ian is a Security Engineer at Salesforce working to keep the cloud secure.


Hacking the News: an Infosec Guide to the Media, and How to Talk to Them

Sean Gallagher, Steve Ragan, and Paul Wagenseil

Infosec researchers, experts, and hackers in general have a… fraught relationship with media, ranging from exploitive to adversarial. Recent episodes, including the doxxing of Marcus Hutchins by UK media and sensational coverage of his arrest, don’t help, nor do broadcast media reports that are often factually incorrect or even damaging to the security of those who take the reports as gospel. And researchers looking to get out word to the general public are often (based on anecdotal data) confused or intimidated by the media machine.

This presentation seeks to demystify how news media work, the strengths and weaknesses of each channel of communications, and how to effectively interact with journalists in a way that is constructive and productive. I am an infosec and national security reporter–ask me anything.

Sean Gallagher (@thepacketrat) is the Information Technology and National Security Editor for Ars Technica. A former IT practitioner and developer with a background in information security from the US Navy, Gallagher earned an honorable mention on Google’s application security wall of fame for uncovering a plain-text data leak in search on Chrome in 2014. He runs Ars Technica’s Technology Lab. He is also a member of the organizing committee for BSides Charm City.

Steve Ragan (@SteveD3) is Senior Staff Writer at CSO, an IDG publication. Prior to joining the journalism world in 2005, Steve Ragan spent 15 years as a freelance IT contractor focused on infrastructure management and security. He’s a father of two and rounded geek with a strong technical background.

Paul Wagenseil (@snd_wagenseil) is a senior editor at Tom’s Guide focused on security and privacy. That’s all he’s going to tell you unless you meet him in person.


Building a GoodWatch

Travis Goodspeed

Back in the good ol’ days there was a toy called the GirlTech IMME, which had a sub-GHz radio chip, a display, and a keypad. It was bulky and heavy, but good folks had a lot of fun writing radio exploits for it. In a fit of nostalgia for those days, I cloned the Casio 3208 calculator wristwatch module with the CC430F6137 chip, giving me a better CPU than the IMME but essentially the same radio. It runs for years on a coin cell battery, and in addition to the radio, RPN calculator, and hex editor, it just happens to tell the time.

Travis Goodspeed (@travisgoodspeed) is a reverse engineer, watchmaker and professional bum. His projects include the MD380Tools project of patched firmware for a ham radio, the International Journal of PoC||GTFO, and a non-fictional comedy novel about the 509th Airborne in WW2.


Do as I Say, Not as I Do: Hacker Self Improvement and You

Russell Handorf

“When I was your age” advice doesn’t apply readily to modern skill growth. Gone are the days of dumpster diving for lab parts to work on skill growth that would jettison your career. And even those who are lucky enough to find mentors in their industry frequently leave that advice at work and never bring it home to hone. This talk will discuss things you can do to become more disciplined on a budget, and start a community resource for others to contribute their own skills.

Russell Handorf (@dntlookbehindu) has been in the information security realm for over 15 years. He built and sold a wireless ISP, worked info sec in the financial services industry and now is a public servant of sorts. His hobbies and interests have always involved radio in some sort of fashion. When he has spare time, he teaches, does random projects not related to radio, loves working with his hands, creates mischief, and is working on his dad jokes.


Building Absurd Christmas Light Shows

Rob Joyce

Hobbyists worldwide have been developing and improving technology for awesome Christmas light shows. They are assembling displays that are computer controlled and synchronized to music broadcast over FM radio, as well as implementing complex patterns and even pictures displayed in LED lights.

This talk covers the building blocks of sophisticated LED light shows, breaking down the concepts into the core components. Many elements of a computer controlled show can be implemented with Raspberry Pi technology and other homebrew solutions. Free and open source software to create visual patterns and run the display is available. The common pitfalls of power distribution, signal corruption and waterproofing will be discussed. Learn new things about lighting technology and come away understanding how to be the Clark Griswold of your own neighborhood!

Rob Joyce’s (@RGB_Lights) wife thinks he has a problem. He has been building computerized Christmas light shows for the last five years, adding new elements every year. His most recent display was likely visible from the International Space Station. In addition to an infatuation with Christmas light displays, he helped a Boy Scout troop build catapults for the annual Punkin Chunkin competition until lawyers ruined it for all of us. To pay for these hobbies, he works as the White House Cybersecurity Coordinator and has led organizations at the NSA doing both foreign intelligence and cybersecurity work.


Securing Bare Metal Hardware at Scale

Paul McMillan and Matt King

Less than three years after the Equation Group was discovered backdooring hard drive firmware, courses on how to create such backdoored firmware are available to the public. New exploits in BIOS/UEFI that enable bypassing OS and Hypervisor protections have become commonplace. Once compromised, remediation is virtually impossible; malicious firmware is perfectly positioned to block the very updates that would remove it.

Truly defending against these threats requires a different approach–traditional vendor firmware signatures and secure boot implementations aren’t good enough. Without mechanisms to detect and recover the firmware, a backdoor could be forever persistent and undetectable. Fortunately, nearly every device available has an existing mechanism to force it into a state which can be used to restore the writable firmware components. We’ll describe how we’ve made use of such capabilities at scale, the challenges in doing so, and what the future holds for securing firmware.

Matt King and Paul McMillan (@PaulM) secure cloud hardware for a living. Matt implements NSA-style implants for fun, and Paul enjoys attempting to solve impossible problems.


The Background Noise of the Internet

Andrew Morris

The last five to ten years have seen massive advancements in open source Internet-wide mass-scan tooling, on-demand cloud computing, and high speed Internet connectivity. This has led to a massive influx of different groups mass-scanning all four billion IP addresses in the IPv4 space on a constant basis. Information security researchers, cyber security companies, search engines, and criminals scan the Internet for various benign and nefarious reasons (such as the WannaCry ransomware and multiple MongoDB, ElasticSearch, and Memcached ransomware variants). It is increasingly difficult to differentiate between scan/attack traffic targeting your organization specifically and opportunistic mass-scan background radiation packets.

Grey Noise is a system that records and analyzes all the collective omnidirectional background noise of the Internet, performs enrichments and analytics, and makes the data available to researchers for free. Traffic is collected by a large network of geographically and logically diverse “listener” servers distributed around different data centers belonging to different cloud providers and ISPs around the world.

In this talk I will candidly discuss motivations for developing the system, a technical deep dive on the architecture, data pipeline, and analytics, observations and analysis of the traffic collected by the system, business impacts for network operators, pitfalls and lessons learned, and the vision for the system moving forward.

Andrew Morris (@Andrew___Morris) is a cyber security professional and the founder of Grey Noise Intelligence. He has spent the past decade studying attacker tradecraft as a researcher, gaining access to secure networks as a red team operator, and building distributed systems as an engineer. Andrew is a frequent speaker at various cyber security conferences around the world, having presented at public security conferences and private events. In his free time, he writes music and tries to figure out what his dreams mean.


Embedded Device Vulnerability Analysis Case Study Using TROMMEL

Kyle O’Meara and Madison Oliver

Researching embedded devices is not always straightforward, as such devices often vastly differ from one another. Such research is difficult to repeat and results are not easily comparable because it is difficult to conceive a standard approach for analysis. This talk proposes an initial research methodology for vulnerability analysis that can be applied to any embedded device. This methodology looks beyond preliminary research findings, such as open ports and running services, and takes a holistic, macro-level approach to the embedded device, including an analysis of the firmware, web application, mobile application, and hardware. In addition, TROMMEL, an open source tool, was created to help researchers during embedded device vulnerability analysis.

This presentation provides security researchers with a repeatable methodology to produce more comprehensive and actionable results when analyzing embedded devices for vulnerabilities. As a case study, we analyzed a Wi-Fi camera as a class of embedded devices to demonstrate that this methodology is more encompassing than standard research. This methodology can be applied to all embedded devices and should be expanded as the landscape of embedded devices evolves.

Madison Oliver (@iqmadddyqi) is a Vulnerability Team Intern at the Software Engineering Institute (SEI) CERT Coordination Center (CERT/CC) currently pursuing a Master’s degree in Information Security Policy and Management at Carnegie Mellon University. She has been studying Information Technology for five years.

Kyle O’Meara (@cool_breeze26) is a Senior Member of the Technical Staff at the SEI CERT/CC and an Adjunct Faculty and Faculty Advisor at Carnegie Mellon University. He has been in information technology for 12 years, most, if not all, with a cyber security focus. Much of his current work focuses on research and analysis of embedded systems and exploits.


Pseudo-Doppler Redux

Michael Ossmann and Schuyler St. Leger

The information security community has long suffered from a lack of effective and affordable tools and techniques for locating radio devices. Many methods are available, but most of them require multiple radio receivers and/or physical motion of one or more antennas. Pseudo-doppler is an old technique that implements Direction Finding (DF) by rapidly switching between multiple fixed antennas connected to a single radio receiver.

We have taken a modern approach to the implementation of pseudo-doppler DF with Software Defined Radio (SDR). Our open source solution enables low cost DF of bursty, packet-based target systems using arbitrary digital modulations. Additionally we will discuss our future work toward asymmetric pseudo-doppler approaches that eliminate the need for direction calibration and that can be used as a countermeasure against targets that attempt to spoof direction.

Michael Ossmann (@michaelossmann) is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Schuyler St. Leger (@docprofsky) is a young maker in Arizona. He enjoys working with both hardware and software. His interests include 3D printing, electronics, hardware and software programming, Software Defined Radio (SDR), robotics, computers, and more. He is always interested in how things work.


Defending Against Robot Attacks

Brittany Postnikoff

Many people have a plan to make it through the robopocalypse (robot apocalypse), but in this talk we put these plans to the test. We start our discussion with a quick overview of the physical and social abilities of current robots, mainly as a way to inform the people who haven’t taken the time to think about what their life might be like if robots were to take over. We follow this by doing live demos of robot physical and social engineering attacks, and some of the defenses that we have employed to protect ourselves from these risks. By the end of this talk you can walk away with effective and practical defenses that you can use in your workspace and home today.

Brittany Postnikoff (@Straithe) is the robot maestro of the University of Waterloo Cryptography, Security and Privacy research group. During the day she keeps her research ethics board approved, but at night she can be found roving the streets of major urban centers with her pack of semi-autonomous social engineering robots. Outside of research she is president of a CTF Club, produces puzzles for CTF groups worldwide, and volunteers with infosec unlocked, C&P Village, and BSides conferences. Brittany has spoken about her life of robots at conferences such as BSidesLV, Troopers, Day-Con, BSidesWPG, and the International Conference on Robotics and Automation.


Deep Learning for Realtime Malware Detection

Domenic Puzio and Kate Highnam

Domain generation algorithm (DGA) malware makes callouts to unique web addresses to avoid detection by static rules engines. To counter this type of malware, we created an ensemble model that analyzes domains and evaluates whether they were generated by a machine and are thus potentially malicious. The ensemble consists of two deep learning models – a convolutional neural network and a long short-term memory network, both of which were built using Keras and TensorFlow. These deep networks are flexible enough to learn complex patterns and do not require manual feature engineering. Deep learning models are also very difficult for malicious actors to reverse engineer, which makes them an ideal fit for cyber security use cases. The last piece of the ensemble is a natural-language processing model to assess whether the words in the domain make sense together. These three models are able to capture the structure and content of a domain, determining whether or not it comes from DGA malware with very high accuracy. These models have already been used to catch malware that vendor tools did not detect. Our system analyzes enterprise-scale network traffic in real time, renders predictions, and raises alerts for cyber security analysts to evaluate.

Domenic Puzio is a Data Engineer with Capital One. He graduated from the University of Virginia with degrees in Mathematics and Computer Science. On his current project he is a core developer of a custom platform for ingesting, processing, and analyzing Capital One’s cyber-security data sources. Built entirely from open source tools (NiFi, Kafka, Storm, Elasticsearch, Kibana), this framework processes hundreds of millions of events per hour. Currently, his focus is on the creation and productionization of machine learning models that provide enrichment to the data being streamed through the system. He is a contributor to two Apache projects.

Kate Highnam has a background in Computer Science and Business, focusing on security, embedded devices, and accounting. At the University of Virginia, her thesis was a published industrial research paper containing an attack scenario and repair algorithm for drones deployed on missions with limited ground control contact. After joining Capital One as a Data Engineer, Kate has developed features within an internal DevOps Pipeline and Data Lake governance system. Currently, she builds machine learning models to assist cybersecurity experts and enhance defenses.


A Social Science Approach to Cybersecurity Education for all Disciplines

Aunshul Rege

Higher education institutions have started heavily investing in cybersecurity education programs for STEM (Science, Technology, Engineering, and Mathematics) disciplines. These programs offer standard courses, such as network security, forensics, penetration testing, intrusion detection and recovery. To offer a holistic experience, these programs also include courses on business systems lifecycle, data analytics, auditing, investigation, and cyberlaw.

Little, however, is being done to understand the human side of cyberattacks/cybersecurity. The social sciences have much to offer in this arena. However, the discipline’s potential contribution to training the next workforce generation (STEM or otherwise) remains underdeveloped.

This talk shares an educator’s attempt to address this gap via involving undergraduate students across multiple disciplines in experiential learning (EL) class projects in ‘cyber-field’ research. The talk highlights several benefits, such as fostering multidisciplinary dialog, developing qualitative research skills, understanding adversarial mindsets, and predicting defender behavior. This talk uses students’ and the educator’s reflections as a narrative to discuss ongoing efforts, struggles, challenges, and lessons learned. Audience feedback is welcomed (and much needed!) as this educator is still experimenting with the EL pedagogical approach.

Aunshul Rege (@prof_rege) is a criminology professor at Temple University. Her National Science Foundation sponsored research projects examine cyberattacks/security from a human behavioral perspective, focusing on adversarial decision‐making, adaptation to disruptions, and group dynamics. She intersects theoretical frameworks and methodologies from criminology with hard science approaches (game theory, simulations, and machine learning) to foster innovative and multidisciplinary proactive cybersecurity research. She is passionate about educating the next generation workforce about the relevance of the human factor in cybersecurity. Other than being a researcher/educator, Aunshul is a mom to a spunky seven-year-old, a therapy dog volunteer, and new to ShmooCon!


Better Git Hacking: Extracting “Deleted” Secrets from Git Databases with Grawler

Justin Regele

Git is a widely-used Version Control System for software development projects. Because of the way Git works, “deleted” secrets don’t disappear from the filesystem. That means when a developer commits encryption keys, production passwords, or other secrets to the repository, removing them in a later commit won’t scrub them from the history. They live on in compressed plaintext on every developer’s machine, unless the history is rewritten.

Grawler is a command line utility written in Bash and Python that crawls the object trees of a Git repository searching for and extracting secrets, passwords, keys, and other sensitive information. It is useful for verifying that history rewriting successfully scrubbed all occurrences of sensitive data using git-log, as well as exposing problems in revision deltas by walking Pack files.

Justin Regele works as a Penetration Tester with Tiro Security, as well as a freelance software engineer, doing full stack, mobile and embedded development. His introduction to computer programming came from Herb Schildt’s “Teach Yourself C,” which he found in a dumpster in 2005.


radare2 in Conversation

Richard Seymour

The command line hexadecimal editor, disassembler and debugger radare2 can be an invaluable reverse engineering tool. Even users of IDA Pro can find use in radare2 when it comes to odd file formats and getting a second opinion from a different disassembly engine. The biggest barrier to easy adoption of radare2 is the funky command sequences it employs. What if we threw a chatbot on top of it, so folks could type in detailed questions about a binary and get reasonable answers? What if we put a speech to text engine in front of that, so users could get second screen information from radare2 without leaving their favorite environment? This talk would demonstrate the usefulness of such a system.

Rich Seymour is a Senior Data Scientist at Endgame working on integrating chatbots into their endpoint detection and response platform. He has a PhD in Materials Science and a M.S. in Computer Science from the University of Southern California where he worked on high performance computing simulations of nanoscale materials under stress.


Bludgeoning Bootloader Bugs: No Write Left Behind

Rebecca Shapiro

An operating system’s chain of trust is really a chain of loaders. Although loaders, and especially bootloaders, have always been an essential piece of a well-behaved system, they are typically designed with robustness and flexibility in mind — rather than security. Yet, they act as security arbitrators at the very roots of the chain of trust. My talk seeks to address these shortcomings and bootloader vulnerabilities by introducing tools and techniques for retrofitting a bootloader with behavioral constraints implemented via a typing system which governs memory write operations and exists outside the confines of the compilation toolchain. I then demonstrate the feasibility of such a typing mechanism by using it to overlay behavioral constraints onto an instance of U-Boot, the popular ARM bootloader. Finally, I will discuss how my tools and techniques may be used as a fuzzing aid and for reverse engineering for any type of software.

Rebecca “.bx” Shapiro (@bxsays) is a PhD student at Dartmouth College, a small college in the Northern Appalachia region of the US. She enjoys tinkering with systems in undocumented manners to find hidden sources of computation. She has previously studied the weird machines present in application linkers and loaders, but has since turned her focus towards loaders that live at the interface between hardware and software.


0wn the Con

The Shmoo Group

For thirteen years, we’ve chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the breakdown of the budget, an insight into the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon, and anything else you might want to talk about. This is an informative, fast paced, and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though–if you ever wanted to know How, When, or Why when it comes to ShmooCon you shouldn’t miss this. Or go ahead and do. It’ll be online later anyway.

The Shmoo Group is the leading force behind ShmooCon. Together with our amazing volunteers we bring you ShmooCon. It truly is a group effort.


Tap, Tap, Is This Thing On? Testing EDR Capabilities

Casey Smith

As organizations deploy EDR (Endpoint Detection & Response) solutions, it becomes imperative that these solutions are tested. The efficacy of these products depends on their correct configuration and deployment. In order to conduct these tests, we have developed a free Open Source framework called the Atomic Red Team, designed to provide teams with small discrete tests. We want these tests to be vendor agnostic, and representative of actual adversary behavior. When evaluating whether these products are viable for your organization you need some standard tests to compare what provides you with the best coverage. This talk will explore our framework, discuss basic tests and chaining tests, and discuss how to contribute to the framework. Our aim is to put a testing framework in the hands of large and small security teams to confirm that they have the coverage needed to face modern adversaries. You need a plan to test on a regular basis that your systems are operational. We want to share our work, drawing from Software Engineering principles on testing, to help ensure your EDR tools are ready to face actual adversaries. Don’t wait for something horrible to happen to figure out that your solution isn’t working.

Casey Smith (@subTee) is the Director of Applied Research at Red Canary. He has a passion for testing and understanding the limits of defensive systems.


Opening Closed Systems with GlitchKit

Kate Temkin and Dominic “Domibill” Spill

Systems that hide their firmware–often deep in readout-protected flash or hidden in encrypted ROM chips–have long stymied reverse engineers, who often have to resort to inventive methods to understand closed systems. To help reduce the effort needed to get a foothold into a new system, we present GlitchKit–an open source hardware and firmware solution that significantly simplifies the process of fault-injecting your way into a new system–and of fault-injecting firmware secrets out! This talk presents the development completed thus far, demonstrates the use of GlitchKit in simple attacks, and invites participation in the development of our open-source tools.

Dominic Spill (@dominicgs) is a senior security researcher at Great Scott Gadgets where he writes software and firmware for open source hardware. His primary focus is sniffing and modifying communication protocols.

Kate Temkin (@ktemkin) leads the low-level Computer Architectures group at Assured Information Security, researching a variety of hardware hacking and architectural security topics. When not hacking hardware, she maintains and contributes to a variety of open-source projects, including FaceDancer and GreatFET, and probably spends way too much time reverse engineering and collecting electronic lab equipment.


SIGINT on a budget: Listening in, gathering data and watching–for less than $100

Phil Vachon and Andrew Wong

It’s 2018 and many people are still using unencrypted wireless communications in critical systems. We will review how to build a robust and open signals intelligence (SIGINT) platform. As a proof of concept we show the platform capturing publicly accessible radio bands and some basic analysis of that data. The talk will focus on how we demodulate, decode and analyze data across many chunks of the spectrum using a Raspberry Pi. We will cover some SDR-related design and development issues, discuss DSP and other sundries in basic detail. We’ll also make a few observations about unencrypted communications today, using data captured in midtown Manhattan. Finally, there will be a discussion of some other applications that the same capture infrastructure can be used for.

Team MILK (Phil Vachon (@pvachonnyc) and Andrew Wong) is a spectrum-curious duo of signal hoarders. Fascinated by the unexpected order in the chaos of the aether, they’ve built a platform to capture, decode, and analyze various radio signals to satisfy their data fetish. Their current project started with them looking at public radio data sources, covering multiple geographic areas. There’s a good chance they spent too much time staring into the abyss. Greets to the remaining IRC refugees. Hello to the Nefarious Five, we own the night.


afl-unicorn: Fuzzing the ‘Unfuzzable’

Nathan Voss

American Fuzzy Lop (AFL) revolutionized fuzzing. It’s easily the best thing out there for quickly performing cutting-edge automated vulnerability analysis on command line applications. But what about the situations where accessing the logic you want to fuzz via command line isn’t so simple? For example, maybe you want to fuzz a parsing function from an embedded system that receives input via an analog RF front-end. Sometimes you can write a test harness, but what if you could just emulate the parts of the code that you want to fuzz and still get all the coverage-based advantages of AFL? With afl-unicorn if you can emulate it, you can fuzz it.

afl-unicorn bridges the gap between the thoroughness of fully manual research (i.e. reading disassembly/source) and the unmatched ease-of-use of AFL. With a little bit of reverse engineering and setup time afl-unicorn lets you leverage all of the automated path-finding power of AFL to rapidly discover vulnerabilities regardless of how it gets its input. If you find yourself confidently reverse engineering the basic functionality of a target application, but would rather use an automated process to discover all the vulnerabilities it contains then afl-unicorn is for you.

afl-unicorn has been successfully used to find bugs in a wide variety of targets, from single-threaded embedded RF firmware to complex, widely used Windows and Linux applications. This talk will cover the basics of afl-unicorn, and walk you through a repeatable workflow you can use to fuzz your own target code.

Nathan Voss is currently a senior engineer at Finite State, a stealth-mode IoT security company. He spent the last 12 years developing skills in all realms of hardware and software engineering as a founding member of Battelle’s cyber security group in Columbus, Ohio, and specializes in creating novel fuzzing tools for difficult and unusual targets.


Pages from a Sword-Maker’s Notebook pt. II

Vyrus

This talk is an encapsulation of implemented solutions for achieving common requirements when constructing software designed to perform long term covert intelligence gathering. It is a “grab bag” of “tips and tricks” developed and/or abstracted from previous works by the presenter in a variety of intelligence gathering operations, none of which will be specifically disclosed. Full source code (almost all of it written in Golang) will be provided for tactic snippets, as well as several publicly available practical examples of solutions to various covert intelligence gathering roadblocks.

The technical details of this presentation will be prefaced by a small summary of “which tactics work from a methodical perspective and why” from a human perspective. Beyond this, specific mappings will be drawn from these methods to the specific technical capabilities disclosed in the latter portion of the presentation. The technical subjects in question will include but not be limited to:

    • anti virus evasion (with special emphasis on modern machine learning based solutions)
    • anti attribution techniques
    • covert channel methods
    • C2 “castle guarding”
    • covert administration & devops
    • solution scaling
    • persistence
    • future proofing
    • counter intelligence / anti reverse engineering

Vyrus (@vyrus001) may or may not have begun his offensive security training in early childhood through a series of allegedly criminal acts for a hacker collective still active on the internet today. Over the last approximately 2 decades these experiences have expressed themselves through participation in a variety of both independent and corporate (technically legal) information security professions. While the specific nature of many of these professions has yet to be disclosed, the professional skills Vyrus has been known to utilize throughout employment include but are not limited to: reverse engineering, penetration testing, “red teaming”, security controls analysis, proof of concept malware development, incident response, implant development, exploit development, long term electronic surveillance, traffic analysis, complex systems risk analysis, many forms of wireless security, hardware security assessment, and general IT solution development & support.


Getting Cozy with OpenBSM Auditing on MacOS … The Good, the Bad, & the Ugly

Patrick Wardle

With the demise of dtrace on macOS, and Apple’s push to rid the kernel of 3rd-party kexts, another option is needed to perform effective auditing on macOS. Lucky for us, OpenBSM fits the bill. Though quite powerful, this auditing mechanism is rather poorly documented and suffered from a variety of kernel vulnerabilities.

In this talk, we’ll begin with an introductory overview of OpenBSM’s goals, capabilities, and components before going ‘behind-the-scenes’ to take a closer look at its kernel-mode implementation. Armed with this understanding, we’ll then detail exactly how to build powerful user-mode macOS monitoring utilities such as file, process, and networking monitors based on the OpenBSM framework and APIs.

Next we’ll don our hacker hats and discuss a handful of kernel bugs discovered during a previous audit of the audit subsystem (yes, quite meta): a subtle off-by-one read error, a botched patch that turned the off-by-one into a kernel info leak, and finally an exploitable heap overflow. Though now patched, the discussion of these bugs provides an interesting ‘case-study’ of finding and exploiting several types of bugs that lurked within the macOS kernel for many years.

Patrick Wardle (@patrickwardle) is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of Mac malware. In his personal time, Patrick collects Mac malware and writes free Mac security tools. Both can be found on his site, Objective-See.com.


Listing the 1337: Adventures in Curating HackerTwitter’s Institutional Knowledge

hex waxwing and Daniel Gallagher

Our community is defined by our dedication to sharing process, resources, and knowledge freely with each other—yet, we lack a coherent strategy for keeping the firehose of information organized adequately for hackers and hacklings alike. The Sisyphean task of keeping up with the day’s developments plagues the busy professional, but Twitter’s algorithms rarely suit our purposes. Hackers (of all people!) ought to be up to the task of hacking together a way to curate our own content—on our own terms. It sure would be nice to be able to…

    • give newbies a peek into the conversations happening among the most resourceful members of an intriguing subspecialty;
    • automatically rank resources based on the community reputations of those sharing a given URL;
    • study the way our own community shares information with itself—and learn how to communicate most effectively during crises like WannaCry;
    • generate daily|weekly digests of interesting threads & resources.

This talk is a call to action to contribute your own knowledge to improve the curation. We’ve gotten it started: now it’s time for y’all to use it and help us make it the best tool it can be—made freely available to all hackers and hackers-to-be. <3

hexwaxwing (@hexwaxwing) and Daniel Gallagher (@DanielGallagher) develop infosec training environments for a company founded by rogue AI researchers interested in toppling traditional educational paradigms. HEX is a proud two-time dropout with a former life involving anthropology, neuroscience, and other interdisciplinary nonsense prior to entering infosec. Her penchant for taking on impossibly complex projects regularly gets her into the best kind of trouble, and she wouldn’t have it any other way. GALLAGHER is a grumpycat who hunts ransomware devs for breakfast, appreciates the simple elegance of an apropos GIF, and (probably) wants it written on his gravestone that he once successfully quarantined a massive Qakbot infestation.


Your Cerebellum as an Attack Surface: How Does the Brain Stay Secure?

Avani Wildani

“Technology is the active human interface with the material world.” – UK LeGuin

Once upon a time, computer scientists spoke of semiconductors and magnetic cores, carefully designing their algorithms around the substrates that computation occurred on. Instead of programs, there were “computations,” “states” instead of data, or the modern descendant, “content.”

Since then, we as computer scientists have developed layers of abstraction and from there formed a diverse ecosystem of high level paradigms to create and distribute information with speed, reliability, and efficiency. Neural networks in the brain are sparsely connected, composed of components with an over 50% failure rate, and still amazingly consistent in their high-level behavior over time. We are building models of biologically plausible neural networks to help explain how the brain can protect against a malicious adversary while keeping networks tiny, low power, and easily trained. Using parameters taken from the somatosensory cortex, we have built a prototype simulator to show the relationships between connectivity and severity of possible attacks.

Dr. Avani Wildani (neuron) is an assistant professor at Emory University, where she is, in part, applying her background in distributed systems to exploring the security profile of computational neurobiology. Her Ph.D. work included finding correlated disk activity by analyzing block I/O traces collected through tapping the SATA bus. She believes that the best way of understanding how a system is designed is to understand the attacks it can and cannot defend against. She is usually found hovering around Toool and tinkering with something small and sharp.


IoT RCE, a Study With Disney

Lilith Wyatt

As desktop and server security keeps raising the baseline for successful exploitation, IoT devices are still stuck in the 1990s, despite their ubiquity in every home network. This, coupled with the trend of “monitor your devices from anywhere!”, is creating a time-bomb situation, in which millions of households are left vulnerable, regardless of any network security posture.

These topics will be examined using the “Circle with Disney” and Foscam devices as case studies. During the course of the vulnerability testing of these devices, over 50 CVEs were discovered, out of which discussion will focus on the more novel attack techniques seen, including:

    • SSL certificate attribute validation bypasses;
    • SSID broadcasting injection;
    • use-between-realloc memory corruption;
    • cloud routing abuse.

Finally, there will be discussion of IoT devices’ use of traditionally offensive tools (ARP poisoning, backdoors, and payload beaconing) for central functionality.

Lilith Wyatt is a Research Engineer with the Talos Security Intelligence and Research Group at Cisco. She’s done open source and closed source research on a variety of products, resulting in CVEs on products from vendors including VMware and Zabbix, and has also done internal research on Cisco devices. She’s OSCP and OSCE certified, and prior to her first real security job with Cisco ASIG, she was a Network Engineer, Boxer, and an Android app/firmware patcher.


CITL — Quantitative, Comparable Software Risk Reporting

Sarah Zatko, Tim Carstens, Parker Thompson, Peiter “Mudge” Zatko, and Patrick Stach

Software vendors like to claim that their software is secure, but the effort and techniques applied to this end vary significantly across the industry. From an end-user’s perspective, how do you identify those vendors who are effective at securing their software? From a vendor’s perspective, how do you identify those techniques which are effective at improving security? Where are the longitudinal studies showing a large body of binaries with and without stack guards, or source fortification, or some other proposed best practice, and the resulting difference in exploitability? Where are the studies and reports on software content and safety, so that consumers can minimize their risk and make informed choices about what software is worth the risk it adds to an environment? We at CITL are working to fill in these blind spots, so that security professionals can back up their recommendations with solid scientific findings, and consumers can be empowered to better protect themselves. We’ll be talking about the automated static analysis and fuzzing frameworks we’re developing and presenting early results from our large scale software testing efforts.

Tim Carstens, CITL Acting Director (@intoverflow)
Sarah Zatko, CITL Chief Scientist
Parker Thompson, CITL Lead Engineer (@m0thran)
Patrick Stach, CITL Special Advisor
Peiter “Mudge” Zatko, CITL Board Chairman (@dotMudge)

CITL (Cyber Independent Testing Laboratory) is a non-profit scientific research organization with the mission of advising software consumers through expert scientific inquiry into software safety and risk. We engage in scientific research to test software and computing products, and then we will publish the results of that research in a way that will best empower and educate software consumers. Our mission is to work for a fair, just, and safe software marketplace for all consumers and to empower consumers to protect themselves.


This Is Not Your Grandfather’s SIEM

Carson Zimmerman

For many CSOCs, there was a simpler time. A time when their security event collection and monitoring problems could, in theory, be solved by buying, installing, and optimizing one product. Today, life is not so simple. The SIEM marketspace started with many startups, consolidated to a handful of leaders, and has diversified again. Acquiring and operating an analytic platform for large and mature CSOCs is a major investment of time, money and effort. The best approach to common tasks–normalization, near-real-time correlation, analyst triage, pivot, and workflow–is not always cut and dried. In this talk, the presenter will give an overview of major design considerations and opportunities in implementing and evolving the modern CSOC analytic platform.

Carson Zimmerman is currently a CSOC engineering team lead with Microsoft. He has worked in and around CSOCs for about 15 years, holding roles in the CSOC ranging from tier 1 analyst to CSOC architect. Previously with MITRE, Carson wrote “Ten Strategies of a World-Class Cybersecurity Operations Center,” which can be downloaded for free at http://bit.ly/1sKCOH9. He received a BS in Computer Engineering from Purdue University and an MS in Information Systems from George Mason University. Spotting Carson at ShmooCon is easy–just look for the guy in a kilt running around with two cameras.


Firetalk #1: That’s No Moon(shot)!

Beau Woods

We don’t need a Cyber Moonshot; we’ve got enough already. Computing technology is enabling multiple concurrent revolutions, in biotechnology, manufacturing, robotics, AI, and literal rocket engineering. These are our Moonshots, fueled by governments, companies, and tinkerers, powering the growth engine of the global economy and reshaping society. Our futures are linked together and dependent on the same vulnerable, exposed technology we cannot seem to safeguard from deliberate attacks and indiscriminate accidents.

In one sense we are crash test dummies on untried rocket sleds; in another, we hold the capabilities for preservation within our own hands. The collective infosec knowledge base is fairly well understood, yet fairly poorly distributed. We may not know just how to succeed, but we know a lot about how to fail and what to avoid. We don’t lack fundamental science or engineering practices; we lack the will and incentives to do what we already know.

Beau Woods (@beauwoods) was one of the first people to hack a medical device (2008), won Best Mustache at Movember London (2013), evaded Russian Mafiosi near Moscow, hiked (did not summit) Mt. Everest in Winter, brought two Congressmen to DEF CON, and learned to throw a curve from a major league pitcher. Beau also helps lead I Am The Cavalry, holds a Fellowship with the Atlantic Council, is Founder/CEO of Stratigos Security, DEF CON Goon, Village organizer, BSidesLV staff, runs Hackers on the Hill, has a BS in Psychology from Georgia Tech, and lives in DC.


Firetalk #2: Everything You Wanted to Know About Creating an Insider Threat Program (But Were Afraid To Ask)

Tess Schrodinger

Oh no! You just got tasked with creating THE Insider Threat Program for your organization! Where do you start? How do you start? This is the quickie speed brief I gave an old mentor at Starbucks recently.

Tess Schrodinger (@TessSchrodinger) is a jack of all trades and a master of some. She has spoken at a variety of security conferences on such topics as counter-intelligence, insider threat, quantum computing, and security awareness training.


Firetalk #3: Stack Cleaning — A Quest in Hunting for FLIRT

Jon Erickson

While reverse engineering, an annoying malware sample broke my Hex-Rays decompiler – the “cheat code” of IDA Pro. In this talk, I’ll walk you through my exploration of the bug that causes Hex-Rays to fail, hunting for the malware’s source, and finding the exact source code and compiler which was used to create the sample. I’ll wrap up by showing techniques that you can use to make analysis of future malware samples like this one easier.

Jon Erickson (@2130706433) is a Senior Staff Reverse Engineer on the FLARE team at FireEye. Before joining FireEye, Jon made the rounds with various government contractors and served in the United States Air Force. Jon has worked in the security industry for over a decade and has a Master’s Degree from George Mason University. Jon has spoken at numerous conferences including Black Hat Asia, CodeBlue, and SyScan 360. He’s contributed to several CVEs and loves working with new security researchers to help them better themselves.


Firetalk #4: Your Defense is Flawed (it’s only kinda your fault)

Bryson Bort

The elite hacker is a myth we’ve given power to because breaches continue to happen. A zero breach mentality does not work. Learn how an attacker actually thinks and how they can always turn your enterprise defense into Swiss cheese. It’s only kinda your fault because all those pretty products you bought are all failing you the same way.

Bryson Bort (@brysonbort) is the Founder and CEO of SCYTHE and Chairman of GRIMM. Prior to launching SCYTHE and GRIMM, Bryson led an elite research & development (R&D) division that directly contributed towards National Security priorities and interests. Prior to that he developed an enterprise R&D program and supported creation of a cybersecurity strategy as a Deputy CTO and Program Director focused on supporting technology research and global infrastructure for the DoD and the Intelligence Community. Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point.


Firetalk #5: The First Thing We Do, Let’s Kill all the [CISOs]

Alexander Romero and Steve Luczynski

A former CISO, a future CISO, and a hacker walk into a bar… and reach a profound realization over cocktails: no kid dreams of being a CISO – nor should they. So we hatched a plan – send a Terminator unit back to the 90s and eliminate the role we know today, to save all humanity. We suck at robots and hot tub time machines are creepy, so we settled on a Firetalk.

As global spending on infosec is projected to eclipse $1 trillion in the next 5 years, the failure rate will be near 100%. After 20+ years of CISOs, has infosec gotten better; and if so, is it because of or in spite of the role?

The presenters will speculate wildly, drift into unsupportable projections, and probably piss off everyone at some point. Brilliant topic or devious plot to harvest ALL THE SHMOOBALLS? You decide.

Alexander Romero, a BSides Goon, is a CISO in DOD and “Digital Services Expert” at the Defense Digital Service. He worked as a Marine and now as a civilian to improve government infosec. He ensured the success of the government’s first bug bounty program, Hack the Pentagon.

Steve Luczynski (@cyberpilot22) recently retired from the Air Force. His new civilian job… CISO.


Firetalk #6: Patching — It’s Complicated

Cheryl Biswas

Patching – it’s complicated! As much as we like to point fingers of blame and malign the processes in place, the fact is that one size does not fit all when security updates get issued.

What’s the definition of insanity? Doing the same thing over and over. Organizations at every level seem to be struggling with staying on top of patching, but it feels more like a necessary evil rather than a best practice. We’re damned if we do and damned if we don’t.

We need to go beyond just finding the sweet spot between mitigating business risk and vulnerability exposure. Let’s talk about how we can fix this process that seems inherently broken, especially as it now affects IoT, OT and medical devices. Because the cure isn’t supposed to be worse than the disease.

Cheryl Biswas (@3ncr1pt3d) is a Threat Intel Analyst with TD Bank in Toronto, Canada. Previously, she was a Cyber Security Consultant with KPMG and worked on GRC, privacy, breaches, and DRP. She has an ITIL certification and degree in Political Science. Her areas of interest include APTs, mainframes, ransomware, ICS SCADA, and building threat intel. She actively shares her passion for security in blogs, in print, on podcasts, and speaking at conferences.


Firetalk #7: Libation Escalation — Scotch and Bubbles

Erin Jacobs

For many years many of us “infosec” professionals have been working late into the midnight hours and enjoying certain libations as celebration of our wins and losses alike. In order to ensure everyone has the best possible options at their disposal, we are taking a journey together (a very, very fast one) to the northern parts of the United Kingdom, and the near center of France. It’s not just Whiskey and Sparkling Wine, it’s Scotch and Bubbles (really Champagne)! Come join me on this journey on what it is, where it comes from, how to drink it, how to impress the gender of your choice, and how to dispel the ‘Champagne gives me headaches’ or ‘Scotch is too hard of a liquor for me’ comments.

Erin Jacobs (@secbarbie): All the normal infosec bio things, and currently in year 3 of pursuing her Advanced Sommelier certification by the Court of Master Sommeliers.