A Web API for Embedded Peripheral Reverse Engineering
Travis Goodspeed and EVM
Because of the way ARM licenses its cores, there are hundreds of ARM processor families and thousands of different processors. Often when reversing we get a firmware from a device without a known part number. Maybe the markings are scraped off or it’s conformally coated, or maybe we’re looking at a public firmware for a device we don’t actually own. Can you figure out which ARM is your ARM?
We’ve assembled a database from 300GB of embedded SDKs and port descriptions of twenty thousand chips. Ask our server for all the I/O port addresses of a particular part number, or for all the part numbers that include I/O ports with the addresses found in your mystery firmware. It’ll get you an answer in milliseconds.
EVM (@evm_sec) and Travis (@travisgoodspeed) disagree about baseball, Malört, and the fundamentals of the universe, but they teamed up to make symgrate.com, a free reverse engineering database for embedded systems.
An Introduction to Cloning RFID Keys, for Angry Bikers
My building requires an RFID key in order to access the garage. But I ride. Fishing out the only copy of my key, with gloved hands, on a vehicle that requires both hands to operate? Not so simple.
We all know that it’s easy to duplicate these things, but actually doing it? The devil is in the details, and those details are strewn across the internet in blog posts, readme files, and members-only forums. Where do you start?
- So, how does RFID work, anyway?
- What’s the frequency? (Spoiler: Kenneth does not know.)
- What’s a chipset and which am I using?
- How far can ten bucks on ebay get me?
- How far can a couple hundred get me?
- And to solve my problem, what clever form factors are available to get around the gloved motorcycle situation? (No, I did not inject a chip in myself.)
If you’ve ever boasted, “those things are so insecure,” but want to be able to back it up, ten minutes is all you need to get the basics.
Gabe Schuyler (@gabe_sky) is a constant tinkerer with a penchant for rabbit holes. He loves mapping a path through them, and sharing the route and interesting branches with anyone who wants to learn.
During the day, he’s a web app security specialist at Palo Alto Networks and before that worked professional services at PuppetLabs. Before that, a stint at PlayStation got him into the titles of twenty-odd games.
Gabe’s been in operations for so long, he had a two-digit Internic handle, and knows how to terminate a SCSI bus.
Chaos Patching: Can’t Get Hacked If I Hack Myself
Andrew Hendela and Eric Lee
Defensive tools should always be judged on their effectiveness. But how should a tool be measured when true positives are difficult or rare to find? With the essence of chaos engineering in mind, we introduce Chaos Patching as a method to test our approach for stopping software supply chain attacks.
We inject custom code into compiled binaries using various automated binary patching techniques to simulate supply chain attacks. We employ this technique at random and mix up the types of attacks inserted to confirm our approach and run drills to increase our chances of pre-empting the next SolarWinds-style breach.
Andrew Hendela and Eric Lee have many years of experience solving hard problems for diverse topics including automated program analysis, vulnerability research, threat actor attribution, etc. Andrew has been leading and contributing to multiple cyber security projects for over a decade, ranging from automated malware reverse engineering to vulnerability research. The focus of Eric’s work has been on automated program analysis, and he competed as a member of the Deep Red team at DARPA’s Cyber Grand Challenge final event. Together, we started Karambit.AI to focus our technical expertise on addressing supply chain attacks.
Clean Up On the Serial Aisle – Developing a Systematic Hunting Methodology for Deserialization Exploits
Deserialization vulnerabilities are a class of bugs that have plagued multiple applications over the years, including Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and more.
Attackers have leveraged these bugs for years to upload files, access unauthorized resources, and execute malicious code on targeted servers. Within the past 2 years, Mandiant has particularly observed APT41 using .NET ViewState and Java deserialization exploits to target companies and government entities within North America.
Researchers have already created tools for rapidly generating payloads. So, why not create a tool to rapidly generate detection and hunting rules?
In this talk, we will walk through the research process that led to HeySerial.py–a new rule generation tool–and we will show how we can use it to hunt for advanced attackers and potential zero-days.
Alyssa Rahman (@ramen0x3f) is currently a Principal Threat Researcher on Mandiant’s Advanced Practices team. Formerly a red teamer, Alyssa specializes in puns and as a side hustle dissects the tools, techniques, and processes (TTPs) used in intrusions, so she can find creative ways to detect and hunt for threat actors.
Liam Connolly, Kathy Wang, Michael Darling, and Bruce Potter (moderator)
Join us as we close down ShmooCon 2022 with a panel discussion with a few folks helping to shape the security industry–with a focus on changes introduced by COVID, Work from Home (WFH) impacts, and the continued challenge of attracting and retaining talent during these turbulent times. Join us, and enjoy the chat!
Liam Connolly is the CISO for SEEK–a jobs, career, and training site based in Australia where people pronounce CISO the way that Bruce Potter wants it pronounced as he is perpetually frustrated that employees pronounce CISO not-the-way-he-wants. Liam has been in the industry for roughly 20 years in a wide range of roles and industries which has provided a wealth of information on what works and more importantly, does not work in security leadership. His passion in the industry is around working with organizations aligning security programs to their strategic initiatives and taking a servant leadership approach to building high-performing, multi-disciplinary teams that focus on giving back to the community as that is where so many of us received our start.
Kathy Wang is CISO at Very Good Security and is a long-time security veteran. She is also an advisor and investor to early-stage security startup companies, both individually, and as part of the Silicon Valley CISO Investments syndicate.
Michael Darling is the Senior Director of Information Security at Venable. He has over 24 years of experience in physical security and cybersecurity operations and strategy in the government, military, and private sectors.
Bruce Potter is a CISO and spends most of his time instructing people on the correct pronunciation of CISO (it’s “ciz-oh”).
Consumer VPNs: The Good, The Bad, and The Ugly
Consumer VPNs have always been a tough nut to crack. The FTC has been clear that multiple ISPs share far more personal data about users than they expect, without giving users a meaningful choice on how that data is used. We also know from numerous highly publicized examples that some VPNs can be worse than ISPs, leaving users vulnerable.
Consumer Reports’ Digital Lab evaluated the privacy and security of 16 consumer VPNs running on Windows. The evaluation was based in large part on the Digital Standard, a framework designed to evaluate how technologies respect consumers’ interests and needs.
We uncovered multiple areas where VPNs fell short. This presentation will look at what was discovered: dark patterns, the use of deprecated protocols, and hyperbolic claims about anonymity, untraceability, or “military-grade” encryption. We’ll delve into what might happen to user data in case of a merger, bankruptcy, or acquisition. You’ll also learn which VPNs state in their documentation that they will not pursue legal action against security researchers (hint: not enough).
And though the community is still divided (no, really!) on when or whether to recommend the use of a consumer VPN, we’ll demystify what one can and cannot actually do.
Yael Grauer (@yaelwrites) is an investigative tech reporter covering digital privacy and security for Consumer Reports. She is the lead content creator of CR Security Planner, a free, easy-to-use guide to staying safer online. Prior to CR, Yael spent a decade as a freelancer, covering topics such as police surveillance, data brokers, dark patterns, clandestine trackers, security vulnerabilities, hacking—and yes, VPNs—for publications including Ars Technica, Business Insider, Slate, The Intercept, OneZero, Popular Science, Vice, Wirecutter, and WIRED. In her spare time, she maintains the Big Ass Data Broker Opt Out List, which does what it says on the tin.
Coordinated Inauthentic Behavior in Honduras: An Attempt to Influence the Election Cycle
Governments, political parties, and candidates around the world have been known to use disinformation and information operations on social media to influence political discourse and the outcomes of elections. In this case study, we will examine an inauthentic Twitter network running a negative campaign designed to impact perceptions and influence the political decision making of domestic voters.
This inauthentic network of over 300 fake accounts, all claiming to be based in Honduras, is being used to coordinate and disseminate content intended to shape the nation’s online political discourse. Additionally, it is being used to suppress voting and drive Hondurans away from voting for certain candidates. We walk the audience through how we identified early indicators of disinformation activities, how we identified the network’s existence on social media, and how we evaluated numerous attributes about the network. We found that several different narratives are being disseminated about political candidates to influence the outcome of the upcoming general election. These narratives serve to deride and discredit the political opposition and critics of the incumbent party. We also observe the utilization of GAN images as profile pictures, stolen profile pictures, and older Twitter accounts, which may be part of its intent to create established personas.
Jackie Hicks is a Senior Intelligence Analyst at Nisos, where she focuses on information operations, disinformation and e-crime. In her current role, she tracks disinformation campaigns and inauthentic behavior in various regions, especially with how they relate to election integrity. She also analyzes platform abuse and the evolving tactics threat actors use to exploit social media. Prior to Nisos, she was a Senior PM for OSINT at Citi’s Fraud Fusion Center, where she specialized in investigating financial crimes and fraud. She was also a cyber fraud investigator at Verizon, where she worked on investigating organized crime in telecommunications fraud.
GO Ahead — A Kubernetes-based, Sigma Rule Streaming Detection Engine
Mike Saxton and Trey Hoffman
GO Ahead is an open-source, Sigma rule detection engine built to analyze, detect, and alert on potential malicious activity outside of the SIEM. Built with Go on top of Kubernetes, GO Ahead offers Security Operations Teams the ability to scan 100% of logs without being restricted by license costs or organizational team structures, using the open-source Sigma rule format to provide a way to easily exchange signatures across organizations.
Many of the organizations we work with face 3 common problems. First, they must deal with “doing more with less” and choosing between detection and visibility while attempting to handle budget constraints and increasing data sources. Second, they must deal with large teams and various data ownership models leading to siloed visibility between architecture layers. And finally, large, global organizations have disparate detection models and lack common data standards creating inequities within their own operations teams.
GO Ahead was built with one common goal in mind–detection. We opted for a “mile-deep and an inch-wide” philosophy that created a lightweight, portable, and incredibly scalable solution which can be deployed locally, on-prem, or in the cloud to standardize signature detection with a common engine built to analyze an open-source format.
Mike Saxton (@MikeyAsAService) and Trey Hoffman are Security Analysts at Booz Allen Hamilton delivering Detection Engineering capabilities to government clients across the federal and defence sectors. Mike is a prior CISO and GSOC lead who has led large Incident Response programs across the DoD. Trey is a Software Developer currently working at the intersection of Artificial Intelligence and streaming architectures. Both have dogs much cooler than them.
HACK THE, er… HEMISPHERE! How we (legally) broadcasted hacker content to all of North America (and beyond) using an end-of-life geosynchronous satellite
The Shadytel cabal had an unprecedented opportunity to legally uplink to and use a vacant transponder slot on a geostationary satellite about to be decommissioned. This talk will cover the tools we used (including the HackRF, GNU Radio, tsduck, Flussonic, OBS, and others) to convert an unused commercial uplink facility into the ultimate, legitimate information broadcast.
Karl Koscher (@supersat) represents Shadytel which began as a phreaking group playing Fantasy Phone Company on Twitter that somehow got involved in offering real telecommunication services at various hacker events. From our humble beginnings offering GSM service and landlines to your tent, Shadytel is aggressively expanding to always be in your business, including Triple Play packages with dial-up IPv6 and ShadyTV. Our Shadytel Labs subsidiary is constantly seeking out new revenue opportunities through novel applications of technology, including new ways to switch and deliver phone service, new information services, and optimizing content delivery. At Shadytel, we’re not happy ‘til you’re not happy.
Hacking the Cyber Incident Response: How Using Words Will Help You Suck Less
Katrina Cheesman and Rock Stevens
You will be hacked: it’s not if, it’s when. And when it happens, it will cost your company time, money, and reputation. This isn’t just a hack of your data, it’s an intrusion into the minds of your customers, your leadership, and your stakeholders. Despite in-your-face events we see in everyday media, organizations still seem surprised by a cyber event–and haven’t planned to holistically mitigate both a damaging security and reputation incident. Communication planning has to be inseparable from incident response, or the breach may become a breach of trust. In this talk, we equip attendees with useful tools that allow them to build their own crisis cyber response plans. Using a case study to roadmap a comprehensive playbook, we highlight ways to minimize future damage and expedite response efforts when every second matters. Companies can’t treat cybersecurity and communications as an after-thought if they want to keep their money, our data, and their reputation–in this talk, we help bridge corporate propaganda machines to technical keyboard monkeys, all to enable a better-prepared capitalistic society.
Katrina Cheesman is a communication tactician with ten years of experience, with [too many degrees like] a Masters in English Rhetoric and Digital Media Studies from Northern Arizona University, and a Masters in Strategic Communication from George Mason University.
Rock Stevens (@ada95ftw) is a security researcher and cybersecurity advisor. He holds a Masters in National Security and Strategic Studies from the U.S. Naval War College and a PhD in Computer Science from the University of Maryland.
LetItGo — A Tool for Azure Tenant Domain Enumeration and Access
Dan Astor and David Parillo
During a red team engagement, we discovered a situation where domains registered to the client’s Azure tenant had expired and were available for purchase. Instead of using them for phishing, we attempted to enroll a user through Microsoft’s PowerBI application and found to our surprise that we were given an account in the client’s tenant! At the end of the engagement, we provided the technical details to our client and followed up with MSRC. Microsoft’s stance at the time was “clients were responsible for maintaining their domains” and closed our request.
A few weeks later we happened upon a well-timed tweet regarding some PowerShell which birthed the idea of LetItGo: a tool that allows red and blue teamers to scan tenants in Azure and return any domains that have expired. Preliminary results found that 1 in 5 of the Fortune 500, including Microsoft, had tenants that were vulnerable to this attack path.
Our talk will include a demonstration of the attack, the impact to the tenant, the gaps in Microsoft’s Azure console for reporting state and the necessary TTPs for organizations to detect if this activity has occurred, and finally the release of the tool.
Dan Astor (@illegitimateDA) is the Principal Scientist at Security Risk Advisors. When he isn’t advocating for Pop-Tarts at the office, or making clients (or consultants) cry, he contributes to various security communities and efforts.
David Parillo is a manager of the Technical Assessments team at Security Risk Advisors. He is a founding member of BSides Philly, long-time con attendee, and maintains that the ShmooCon Wireless Village caused his dental implant screws to heat up and give him a massive headache.
0wn the Con
The Shmoo Group
For sixteen years, we’ve chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the breakdown of the budget, an insight into the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon, and anything else you might want to talk about. This is an informative, fast paced, and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though–if you ever wanted to know How, When, or Why when it comes to ShmooCon you shouldn’t miss this. Or go ahead and do. It’ll be online later anyway.
The Shmoo Group is the leading force behind ShmooCon. Together with our amazing volunteers we bring you ShmooCon. It truly is a group effort.
Practical Crypto of InfoSec Noobs
Rob ‘Mubix’ Fuller
Cryptography has a pretty steep learning curve, and while doing CTFs and other conference games that have crypto challenges, very rarely do they involve practical use cases. As a security professional, it’s important not just to know how to decrypt something, but how to recognize the type of cryptography used, many times without the source code or manual to aid you. This talk dives into not Alice and Bob, but actual steps used in pentests and incident response scenarios to identify and decrypt random data found in the real world.
Mubix (Rob Fuller) (@mubix) is a Red Team Director. His professional experience starts from his time on active duty as a United States Marine. He has worked with devices and software that run the gamut in the security realm. He has a few certifications, but the titles that he holds above the rest are FATHER, HUSBAND, and United States Marine.
Practical Information Security Metrics
Robert Weiss (pwcrack)
If you’ve been asked to quantify the business value of your information security programs, measure risk (or risk reduction), measure the maturity of your information security program and/or provide metrics to document the progress, but don’t know where to begin, this briefing will provide specific, actionable details on how you can get started with an information security metrics program.
Robert Weiss (@pwcrack) has over 20 years of experience in information security. He is the Head of Information Security for OpenVPN, the Senior Def Con Speaker Operations Goon, and a Member of NoVaHackers and Unallocated Space.
ProcAID: Process Anomaly-based Intrusion Detection
Advanced Persistent Threats (APTs) prey on government entities and corporations via previously unknown attack vectors and complex techniques with overwhelming success. Though industry has attempted to engineer effective solutions to combat APTs, the solutions consistently lack the ability to respond and react to novel threats. This presentation covers an effective, two-stage unsupervised graph anomaly-based detection algorithm called “ProcAID” that fills the gap in industry’s current detection and response capabilities. In general, ProcAID concentrates on anomalous process creation, inverse graph leadership, and inverse graph density to discover malicious processes on a single host. In the first stage, the solution detects anomalous host process creation events via unsupervised graph link prediction. In the second stage, ProcAID evaluates and assigns scores to a process based on its observed behavior. ProcAID was tested on a real-world enterprise dataset with known APT activity. This research proved proficient in distinguishing between malicious and benign host processes with options to expand to an enterprise implementation. ProcAID also outperformed other graph and machine learning anomaly detection algorithms in the detection of malicious activity. With already existing assets like Windows Security Event Logs, the implementation costs for ProcAID are minimal while the benefits are vast.
Austin Read (@ajread3) is an active-duty Coast Guard (CG) officer, currently completing his Masters degree at The George Washington University (GW) where he also works as a research assistant within the Graph Computing Lab (GraphLab). Prior to graduate school, he completed his undergraduate education at the US Coast Guard Academy in 2018. His first assignment was to CG Cyber Command (CGCYBER) as the Deputy Director of the Cybersecurity Operations Center (CSOC). This winter, he will be returning to CGCYBER within the Cyber Protection Team (CPT). His certifications include CISSP, GCIH, GCFA, GREM, and ITIL Foundations. His hobbies include soccer, CrossFit, playing with his dog, and CTFs.
Reversing the Pokémon Snap Station without a Snap Station
Back in 1999 when the original Pokémon Snap was released for Nintendo 64, one of its coolest features was that you could head to a local Blockbuster and use a “Snap Station” to print out stickers of the photos you took in-game. Snap Stations are now rare collector’s items that few have access to, rendering the printing feature inaccessible.
Learning that they consisted of a Nintendo 64 console hooked up to a printer via video cables and a controller port, I set out to reverse engineer Pokémon Snap to see if I could restore the print functionality without access to the original kiosk hardware. This project involved a combination of software and hardware reverse engineering, facilitated by using an FPGA to make a physical link interface for Nintendo’s proprietary Joy Bus protocol. The resulting FPGA-based tool can also be used to simulate and interface with other peripherals, such as the Transfer Pak accessory which can be used to dump Game Boy cartridge data.
This presentation will demonstrate the reverse engineering and tooling processes, including tips on how hackers with a software background can go from following basic FPGA tutorials to creating real world hardware hacking tools.
James Chambers (@jamchamb_) is a Senior Security Consultant in the NCC Group Hardware & Embedded Systems security practice. He enjoys reverse engineering video games to find opportunities for creative code execution, as well as resurrecting lost features. His past projects include reverse engineering Animal Crossing to discover an unused NES ROM loading feature that could also be used to patch code in memory, fuzzing GameCube games in emulation using Dolphin, and programming a Proxmark to fuzz Amiibo data over NFC.
Safe and Secure WordPress. Easy!
No, I am not high and, yes, I am talking about the same WordPress your marketing and sales departments demand, so they can publish all their contents. Once upon a time I too had nightmares with the “WordPress plugins” neon signs flashing in the rain. But no more. I’ll show you how to get rid of the PHP and the SQL, while still having everything that made WordPress great for content creators.
Alex Ivkin (@alexivkinx) leads a security solutions group at Eclypsium, a US security startup. His focus is on researching secure deployments of (in)secure software, including container orchestration, application security, and firmware security. Alex has two decades of security evaluation experience, has delivered security trainings, holds an MS in Computer Science, co-authored security certifications, and climbs mountains in his spare time.
Sceaphierde: Sheep in Wolf’s Clothing
This talk will showcase a new custom C2, Sceaphierde, written in golang that implements a full TTY shell, file upload and download, and port forwarding, all over websockets protected by mTLS. The core functionality of Sceaphierde allows for creation of a purposefully vulnerable service to be exploited yet provides no weakened attack surface. This talk will go through the design decisions while making the C2, as well as the reason it was created instead of just grabbing something off the shelf.
Michael Hoffman (@0x1nd0) is an offensive security red team operator working for Oracle Cloud Infrastructure (OCI). He has interests in the creation of offensive malware development and security research in MacOS and Linux operating systems. Prior to OCI, he worked as a penetration tester for PayPal and a partner in a security startup. Recently, his main focus is writing golang malware and MacOS persistence mechanisms.
“She doesn’t even go here!” Using Denial, Deception, and Adversary Engagement for Defense
Karen Lamb, Gabby Raymond, and Maretta Morovitz
With the growing supply of valuable network-accessible data, network intrusion remains a cheap and risk averse way for threat actors to conduct operations. We can raise the barrier to entry with defense-in-depth, but what happens when we poison the supply? In this talk, we’ll discuss adversary engagement and how we’ve used it to regain the defensive advantage.
MITRE, whose adversary engagement operations go back 10+ years, has joined up with HSBC, who started running operations in the last two years. We’ll introduce the concepts behind adversary engagement and talk about how you can start running your own operations with open-source tools and MITRE’s new adversary engagement framework, Engage (engage.mitre.org). Together, we’ll walk through an operation run by HSBC where we engaged with criminal threat actor FIN7, how we aligned the operation against MITRE Engage, and what we learned in the process.
We want to make adversary engagement an accessible and pervasive cyber defense strategy for all. The more adversary engagement operations we run as defenders, the more we collectively raise the cost and reduce the value of operations for our adversaries.
Karen Lamb is a Cyber Intelligence Lead Analyst at HSBC where she leads the intelligence team’s development efforts, malware analysis, and adversary engagement operations.
Gabby Raymond is the Capability Area Lead for Adversary Engagement at The MITRE Corporation. She has helped define and mature MITRE’s AE work in research, operations, and tool development.
Maretta Morovitz (@mmorovitz) leads the MITRE Engage team and has helped shape MITRE’s adversary engagement work for the last two years. She was recently named as one of the AFCEA 40 Under 40 Awardees for 2021.
There is Wardriving, and There is GWARDRIVING
Mike Spicer and El Kentaro
With the world continuing to add wireless to everything, wardriving is an exciting way to see what’s in the air around you. No longer are we looking for free Internet but weird, strange and unexpected things that are connected when maybe they shouldn’t be. This talk will look at how 2 wardriving obsessed people tackle the challenges and build equipment and tune software to catch ’em all!
Whether you are just starting out or your capture goals are to conceal ultra portable devices or get full frame captures of everything, this presentation will share with you the tools and strategies so you can become obsessed with wardriving and start capturing wireless today.
Mike Spicer (@d4rkm4tter) is a hacker who likes to meddle with hardware and software. He is the creator of the #WiFiCactus and has been seen presenting at a number of conferences around the world. He is a Kismet cultist and obsessed with wardriving.
El Kentaro (@elkentaro) is the guy who builds wifi gadgets for fun and has been involved with the hacker community for over two decades. Kentaro enjoys watching movies and taking long warwalks at night strolling through the dark corners of Tokyo.
Together they host The Wireless Shit Show on all things wireless wardriving.
THYRATRON : More than TTY
Join me on the whimsical journey of acquiring a teletype machine, the restoration process, and adapting them to modern systems. Yes, there will be a fully functioning kit in this presentation for live demos, and that good ol’ nostalgic smell that conjures memories of “grandpa’s basement.” This talk will also discuss the importance of maintaining and understanding these older systems as they hold close resemblance to modern systems today; we should not lose attention from technological Rosetta stones.
Dr. Russell Handorf (@dntlookbehindu) currently is an agent of chaos at Twitter. Just recently he was a principal threat intelligence hacker where he spent his time making criminals curse his very existence. He is also a recovering fed after ten years of service defending the country in a variety of matters. He’s done a lot of other odd things here and there, but that isn’t important. Let’s just have a conversation, but you’ll have to endure my dad jokes.
Van Buren: Everything you need to know about the Supreme Court’s recent take on the CFAA
The Supreme Court’s recent decision in Van Buren v United States is good news for security researchers, overturning a dangerous precedent on criminalizing access in violation of terms of service and EULAs, clarifying the notoriously ambiguous meaning of “exceeding authorized access” in the Computer Fraud and Abuse Act, as well as endorsing the interpretation of the statute’s terms using their technical meaning.
The CFAA is the federal computer crime law that’s been misused to prosecute beneficial and important online activity, and one of the primary legal risks faced by security researchers, for both criminal and civil liability. The presentation will explain the Van Buren decision in the context of the evolving CFAA law, what the new “gates up or down” approach to unauthorized access means for security researchers, how the Supreme Court’s opinion will guide future courts, and what the decision left unresolved in its mysterious Footnote 8.
Kurt Opsahl (@kurtopsahl) is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders’ Rights Project, which works to protect researchers through education, legal defense, amicus briefs, and involvement in the community with the goal of promoting innovation and safeguarding the rights of curious tinkerers and hackers on the digital frontier.
Wait a meowment, which kitten is this?
It’s commonly stated that attribution of cyber activity is an art, not a science. This adage could not be more applicable to Iran-based cyber activity, as contract organizations, recruitment from hacker communities, and operators running independent self-serving campaigns muddy the attribution waters.
In this session, Allison will rant, sorry… talk about some of the unique attribution challenges around Iran-based intrusion sets using case studies from open-source information and proprietary research. Specifically, case studies will cover the overlap in tools, techniques and procedures (TTPs) by several distinct intrusion sets–including the ones known respectively as “Oilrig,” “TortoiseShell,” and “Charming Kitten”–using the diamond model of intrusion analysis as the framework for attribution.
Through her presentation, Allison would like to reiterate how threat intelligence work can be critical both when shoring up defenses, and when responding to incidents. Attendees will walk away with an understanding of Iran-based cyber threat actors’ TTPs, appreciation for attribution complexities around Iranian intrusions, and a better understanding about why attribution matters.
Allison Wikoff is the Americas Lead for the global Threat Intelligence function at PricewaterhouseCoopers (PwC). She has 20 years of experience working as a network defender, incident responder, intelligence analyst, and researcher. The focus of the latter half of Allison’s career to date has been researching nation-state cyber activity with a focus on Iran. Though she speaks publicly about Iranian operations, she has a passion for tracking all types of cyber threats, both nation state and criminal. Her research interests include emerging threats and threat actor mistakes. She holds numerous industry certifications and an advanced degree from Columbia University where she guest lectures for several information security-focused graduate courses.
Why No One Pwned Synology at Pwn2Own and TianFu Cup This Year: Analyzing Defensive Coding Techniques from a Vulnerability Researcher’s Perspective
Eugene Lim and Loke Hui Yi
From Adobe Reader to the Sonos One, vulnerability researchers hacked a jaw-dropping array of targets at this year’s Pwn2Own and TianFu Cup hacking contests. Amid the carnage, one conspicuous survivor remained un-pwned: Synology’s DiskStation Network Attached Storage (NAS) devices. As a sponsor of this year’s Pwn2Own, Synology doubled the bounty to $40000. However, while several participants successfully cracked the DiskStation DS418play in 2020, they failed to offer a working exploit for either the DS920+ or DS220J this year. Not for lack of trying–along with other aspiring participants, we discovered a handful of vulnerabilities but could not complete a remote exploit chain due to Synology’s defense-in-depth design.
We will present a technical analysis of Synology’s defensive coding techniques as observed in the latest DiskStation Manager (DSM) 7 operating system. We will demonstrate how these techniques prevented further exploitation of significant vulnerabilities and mitigated their impact. Along the way, we will update existing research about the proprietary findhostd protocol and DSM internals. Developers and defenders will take away practical lessons in secure coding and software design from Synology’s example. Finally, we will conclude with broader observations about the economics and strategy of hacking competitions.
We will open-source findhostd fuzzing templates.
Eugene Lim and Loke Hui Yi protect citizen data at the Government Technology Agency of Singapore.
Eugene (@spaceraccoon) hacks for good–from Amazon to Zendesk, he has helped secure products globally. He recently reported remote code execution vulnerabilities in Microsoft Office and Apache OpenOffice. He discussed AI2 powered phishing at Black Hat USA and DEF CON in 2021.
Hui Yi (@angelystor) is the technical lead for the product security assessment and vulnerability research team. Her claim to fame is becoming the 2nd hit on Google for “WinAFL fuzzing” and presenting on hunting application backdoors at Black Hat Asia in 2020.