Keynote: Seven Things: Frank Zappa, T. Coraghessan Boyle, and Twenty-one Years in Security
Dr. Gary McGraw
When I joined Cigital in 1995, it was known as Reliable Software Technologies (or RST) and had a grand total of seven employees. By the time Synopsys acquired Cigital’s 500 people in late 2016, my tenure at Cigital was old enough to drink on its own, and I had moved up from lowly research scientist to Board member. I may have learned a thing or two while building a security career, or maybe not. Perhaps Frank Zappa or T.C. Boyle would know? Without further ado:
- Passion matters
- So does a solid rhythm section
- Practice, then practice some more
- Write original music
- Find the calm
- Give back
- Know your audience
Think of these seven things as guidelines, not laws. Creating a successful security career is just as much about the journey as it is about some particular destination. Your implementation will always be uniquely yours (no matter what Zappa says).
Dr. Gary McGraw (@cigitalgem) is the Vice President of Security Technology at Synopsys (SNPS), a Silicon Valley company headquartered in Mountain View, CA. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a periodic security column for SearchSecurity, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Max Financial, NTrepid, and Ravenwhite. He has also served as a Board member of Cigital (acquired by Synopsys) and as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary produces the monthly Silver Bullet Security Podcast for Synopsys and IEEE Security & Privacy magazine (syndicated by SearchSecurity).
Ripr takes a user selected slice of binary code and creates a Python script with identical functionality. This cuts down, or eliminates, time spent reimplementing functionality from a target binary such as custom cryptographic algorithms, key-generation routines, obfuscated code, et cetera. This allows a reverse engineer to spend more time focusing on the big picture, and less time on bug-prone re-implementations. Further, ripr generates its code in a natural way, allowing for convenient interaction with existing code.
Currently, ripr is implemented as a Binary-Ninja plugin and utilizes the Unicorn Engine to actually emulate binary code. This talk will discuss how ripr works at a technical level and describe the static-analysis methodologies ripr uses to package code. It will follow with several live demos and a discussion of the tool’s limitations. The code will be open sourced at the end of the talk.
Patrick Biernat is a recent graduate of Rensselaer Polytechnic Institute (RPI) and member of RPISEC. He plays CTFs whenever he can and tends to focus on either tearing up binaries or poking holes in crypto.
US wiretap and electronic surveillance law depends heavily on drawing distinctions between content and metadata. Content enjoys significant legal protection under most circumstances, while metadata generally does not, and can often be obtained by the government with a simple subpoena.
So how do we tell what’s content and what’s not? Unfortunately, current law is based largely on the technology of the mid-20th century telephone system, drawing distinctions that can often be meaningless or nonsensical when applied to modern technology like the Internet. For example, are packet headers content or non-content? What about URLs? The law is largely unclear on even these basic questions.
This talk will survey the technical contradictions that are unraveling the rules for surveillance on the Internet, and suggest technical approaches for finding sensible answers to some increasingly difficult legal questions.
This talk is based partly on a forthcoming paper (co-authored with Steve Bellovin, Susan Landau, and Stephanie Pell) to appear in the Harvard Journal of Law and Technology.
Matt Blaze (@mattblaze) is a professor at the University of Pennsylvania, where he studies computer security, crypto, and public policy.
Nikita Borisov and Sze Chuen Tan
It seems that every month a new secure messaging network arrives on the scene: Signal, Wire, Ricochet, as well as the encryption built into commercial tools such as iMessage and WhatsApp. Which one should you use? How do they work? And do they keep the NSA out of your messages, or not? We will discuss the cryptographic building blocks used in these systems and compare the types of attacks they can and can’t withstand, including attacks on both content and metadata.
Nikita Borisov (@nikitab) is an Associate Professor of Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign. His research focuses on privacy and anonymity of online communications, as well as protecting the Internet from censorship. He co-invented the Off-the-Record Messaging and the DP5 protocol for private presence; his research has also influenced the design of the Tor network and the 802.11 security suite.
Sze Chuen Tan (@sctan) is an undergraduate student with the ECE department at the University of Illinois at Urbana-Champaign. His research interests are polarized along the axes of web/network protocol security and computer architecture.
Applications are happy to tell the casual passerby their current time, often accurate to the millisecond. However, your friendly app may be revealing more than just how soon until brunch or the Shmoo servers get DoS’d.
This talk will demonstrate why developers and server admins should treat the current time in milliseconds as a piece of sensitive information. This talk will address, among other things, how application and penetration testers can identify time-based data. It will provide guidance for developers on how to avoid using time-based functions altogether. And finally, it will demonstrate, in no uncertain terms, that hashing or encrypting predictable data to obfuscate it is merely putting a thin veil over the problem that a dedicated attacker will gleefully torch!
Practical examples will be demonstrated on how to detect and reverse time-based tokens in encrypted, hashed, or obfuscated forms. Code examples for predicting time-based UUID/GUIDs will be demonstrated and released. Methodology on how to determine the values an application uses when creating predictable tokens will be demonstrated.
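To make the point above concrete, here is an added example written for this page (not code from the talk or from Brian Cardinale). It pulls the creation time out of a version-1 UUID, brute-forces a token that is merely the SHA-256 of a millisecond timestamp given a rough idea of when it was issued, and shows the CSPRNG-based alternative. The hashed-timestamp token is a constructed stand-in for the kind of predictable token the talk describes; the epoch constant is the documented offset between the UUID epoch and the Unix epoch that Python’s `uuid` module itself uses.

```python
import hashlib
import secrets
import time
import uuid

# 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_TO_UNIX_100NS = 0x01B21DD213814000


def uuid1_creation_ms(token):
    """Recover the creation time (Unix milliseconds) embedded in a version-1 UUID."""
    u = uuid.UUID(token)
    if u.version != 1:
        raise ValueError("not a time-based (version 1) UUID")
    return (u.time - UUID_TO_UNIX_100NS) // 10_000


def uuid1_leaks_creation_time(slack_ms=5_000):
    """Mint a UUIDv1 now and confirm its embedded time sits within slack_ms of the wall clock."""
    before = int(time.time() * 1000)
    token = str(uuid.uuid1())
    recovered = uuid1_creation_ms(token)
    return before - slack_ms <= recovered <= before + slack_ms


def weak_token(ms):
    """Constructed 'obfuscated' token: a hash of the millisecond clock, the pattern the talk warns about."""
    return hashlib.sha256(str(ms).encode()).hexdigest()


def recover_ms(token, observed_ms, window_ms=10_000):
    """Brute-force the clock value behind a hashed-timestamp token, +/- window_ms around an estimate.

    observed_ms is whatever the attacker can read: a Date header, a JSON 'now' field, or the
    local clock at the moment the token was handed out."""
    for delta in range(-window_ms, window_ms + 1):
        candidate = observed_ms + delta
        if hashlib.sha256(str(candidate).encode()).hexdigest() == token:
            return candidate
    return None


def strong_token():
    """What to use instead: bytes from the OS CSPRNG, unrelated to the clock."""
    return secrets.token_urlsafe(32)
```

A 20-second window costs about 20,000 hashes, so hashing the clock changes how many milliseconds the attacker spends, not whether the token is guessable; only a token drawn from a CSPRNG (`secrets.token_urlsafe()` or the platform equivalent) removes the relationship to time.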
Brian Cardinale (@brian_cardinale) is an information security professional, developer and info-sponge. He is currently a senior member of Veracode’s application penetration testing team. He has applied his knowledge toward securing hundreds of commercial and government networks throughout his career. Brian has played a key role in developing multiple enterprise software projects that help other organizations secure their networks. He holds the Certified Information Systems Security Professional (CISSP) certification and a bachelor’s degree in Network and Communications Management.
US spending on digital advertising was estimated at $72 billion for 2016. With all this money comes a wealth of opportunities for those with “get rich quick” aspirations. The plethora of middlemen and perverse incentives mean there’s little risk of getting caught and minimal consequences if one does. Many people have heard of “click fraud,” but there are many other models for defrauding advertisers. There’s “impression fraud,” “cookie stuffing,” “traffic laundering,” and “ad injection” just to name a few. The industry–both legitimate and not-so-legitimate–is much more complex and interesting than many people realize.
This talk will go over the ad-tech ecosystem in general, attempts to defraud it, and methods of defense. You’ll learn an alphabet soup of industry acronyms, the basics of how a bot is built, how attackers cash out, and a few techniques for detecting bots.
Ryan Castellucci (@ryancdotorg) really just wants to spend all day doing stupid crypto tricks but has learned to love his day job at White Ops fighting against those who commit large scale fraud against the advertising industry with a veritable horde of compromised systems. He’s previously spoken at DEF CON and HOPE about Bitcoin and how to exploit stupid things people do with it.
Alexander Chailytko and Stanislav Skuratovich
Sandboxed environments are commonly used to automatically analyze malware behavior, and most modern malicious applications use detection techniques to avoid being analyzed by them. We will describe ways to detect and evade Cuckoo Sandbox, the leading open-source automated malware analysis system. Because it is used by the largest players on the market, such as VirusTotal and Malwr, as well as in internal anti-malware projects, analysis results tainted with false information can have serious consequences. We will also propose fixes for the bugs we found, present advanced virtual environment detection techniques, and demonstrate a user-friendly tool we built for assessing virtual environments.
Alexander Chailytko (@alex_chailytko)
- Started self-education in hacking and reverse engineering at the age of 14, resulting in more than 10 years of experience.
- Very passionate about solving the most prevalent malware problems of today, as well as dealing with big data.
- Highly experienced in government and state-sponsored malware research.
- Very passionate about sophisticated malware research.
- Interested in embedded devices.
- Fan of travelling to strange places.
Tommy Chin and Peter Muller
Electroencephalography (EEG) is an emerging factor for biometric authentication because brainwave signaling behaviors and data patterns are quantifiable. EEG has been demonstrated as an approach to authenticating users to secure computing systems, but it presents a challenge when users are impaired or inebriated by alcohol: alcohol biases EEG measurements, leading to invalid authentication attempts. In this presentation we discuss the use of EEG measurements as a biometric authentication factor and present techniques for authenticating inebriated, or more specifically drunk, users. Our approach uses machine learning algorithms to automatically model users’ brainwave behavior in both normal and drunken states. We evaluate the approach on an existing EEG dataset as preliminary work and validate our findings with real-world experiments using a 5-channel wireless EEG headset. Our experimental evaluation is preliminary, but it demonstrates the feasibility of EEG measurements as a biometric authentication factor in scenarios where the user is impaired.
Tommy Chin is a Security Researcher at Grimm (SMFS, Inc.) and holds numerous academic degrees, certificates, and published works. His current interests focus towards networking, tracking systems, moving target defense, machine learning, and neural networks. He is also an alumnus of Rochester Institute of Technology and a member of SPARSA and RC3.
Peter Muller is a Graduate Student at Rochester Institute of Technology, where he spends his time scripting and networking. He has interests in machine learning, embedded systems, and reverse engineering, touching anything from neural networks to Nintendo 64 processors. He is also a member of SPARSA.
WaveConverter is a tool that helps you extract digital data from RF transmissions that have been captured via Software Defined Radio (SDR). After the user defines the modulation parameters, framing and encoding, WaveConverter will process a stored I-Q file and extract the data from any transmissions that match this definition. Using programmable timing tolerances and glitch filters, WaveConverter is able to extract data from signals that would otherwise appear corrupted.
This software will make the process of reverse engineering signals easier and less error-prone. Because WaveConverter includes the ability to store and retrieve signal protocols (modulation + encoding parameters), we have been generating a database of protocols that we can quickly use to iteratively attack unknown signals.
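The timing-tolerance and glitch-filter idea can be shown at toy scale. The following is an added example written for this page, not WaveConverter’s code: it takes an already-thresholded 0/1 sample stream (the output of OOK demodulation, which is assumed here rather than implemented), collapses it into run lengths, absorbs sub-threshold runs as glitches, and decodes a constructed pulse-width framing with a +/- 25 % timing tolerance. The frame format, pulse lengths, and test waveform are all invented for the example.

```python
SHORT = 4           # samples in a short pulse (constructed sample rate)
TOL = 0.25          # accept pulse widths within +/- 25 % of nominal
GLITCH = 2          # runs shorter than this many samples are treated as noise


def run_lengths(samples):
    """Collapse a 0/1 sample stream into (level, length) runs."""
    runs = []
    for s in samples:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return [tuple(r) for r in runs]


def filter_glitches(runs, min_len=GLITCH):
    """Absorb runs shorter than min_len into their predecessor, then re-merge equal neighbours."""
    out = []
    for lvl, n in runs:
        if not out:
            if n >= min_len:              # drop a leading glitch outright
                out.append((lvl, n))
            continue
        if n < min_len:
            out[-1] = (out[-1][0], out[-1][1] + n)
        elif out[-1][0] == lvl:
            out[-1] = (lvl, out[-1][1] + n)
        else:
            out.append((lvl, n))
    return out


def within(n, nominal, tol=TOL):
    return abs(n - nominal) <= nominal * tol


def decode_pwm(runs, short=SHORT, tol=TOL):
    """Constructed PWM framing: long high + short low is a 1, short high + long low is a 0."""
    long = 3 * short
    if runs and runs[0][0] == 0:
        runs = runs[1:]                   # leading silence
    bits = []
    for i in range(0, len(runs) - 1, 2):
        (hi_lvl, hi_n), (lo_lvl, lo_n) = runs[i], runs[i + 1]
        if hi_lvl != 1 or lo_lvl != 0 or lo_n < short * (1 - tol):
            return None                   # framing broken: not a high/low pair
        if within(hi_n, long, tol):
            bits.append(1)
        elif within(hi_n, short, tol):
            bits.append(0)
        else:
            return None                   # pulse width outside both tolerances
    return bits


def decode_ook(samples, short=SHORT, glitch=GLITCH, tol=TOL):
    return decode_pwm(filter_glitches(run_lengths(samples), glitch), short, tol)


def synth_pwm(bits, short=SHORT, jitter=0):
    """Constructed waveform for testing; jitter stretches every high pulse by that many samples."""
    long = 3 * short
    samples = [0] * short
    for b in bits:
        hi, lo = (long, short) if b else (short, long)
        samples += [1] * (hi + jitter) + [0] * lo
    return samples


MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0]        # 0xB2, the payload the decoder should recover


def noisy_samples():
    """The constructed message with +1 sample of jitter and three single-sample glitches."""
    s = synth_pwm(MESSAGE, jitter=1)
    for i in (10, 30, 100):               # interior of a high run and two low runs
        s[i] ^= 1
    return s


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value
```

Without the glitch filter the same capture fails framing on the first one-sample spike; with it, and with the tolerance wide enough to cover the jitter, the message decodes. `SHORT`, `TOL`, and `GLITCH` are the three knobs that turn an apparently corrupted capture into a decodable one.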
Paul Clark grew up watching Star Trek reruns and still dreams of being promoted to Chief Engineer. In the meantime he got a couple of Electrical Engineering degrees and spent a decade designing mixed-signal microcontrollers. After a stint working on firmware development tools, he set out on his own, starting Factoria Labs. Paul has solved a variety of RF InfoSec problems for his customers and developed several software tools for InfoSec and digital forensics. He’s also co-written three books in the Field Expedient SDR series, making SDR technology accessible to those who are not trained RF engineers.
cstone (aka. Brandon Creighton)
AMPS, the first widely deployed cellular network in the US, was old enough that it had been designed by pre-breakup Bell, yet robust enough to survive for decades in service. Unlike LTE or even GSM, it was also a protocol simple enough to be described in a fairly short specification; if you wanted to you could listen to calls with a TV tuner (or modified phone).
This is a talk on the design and implementation of gr-amps, a set of GNU Radio blocks that can turn a TX-capable software-defined radio into a base station for AMPS devices–including that brick phone in your basement. No background in SDR is necessary to follow along (but it doesn’t hurt).
Expect detours into near-forgotten phreaker history: the weaknesses that enabled phone cloning, the efforts of wireless carriers and the US government to fight exploitation, and more.
cstone (aka. Brandon Creighton) (@unsynchronized) is a hacker. He was part of the team responsible for the NinjaTel GSM network at DEF CON 20. He works in research at Veracode.
Web applications use secret keys to connect to lots of important external things like payment systems, emailers, and virtual machines. Committing these secret keys and other pieces of sensitive information in plaintext to a code repository is a generally Bad Idea™. Instead, developers .gitignore sensitive files, and manually put keys directly onto application servers.
That’s fine, until you need to collaborate with another developer who also needs those keys. Safe key sharing is a challenge we had at Dispel (and every other company we’d worked at). We asked around: people end up using a hodgepodge of tools with pretty variable security—anything from plaintext emails, chat messages, files copied to USB sticks, PGP encryption, and yellow sticky notes.
We thought about it for a while, and came up with Jak.
Jak lets you commit sensitive files into Git, but encrypts them for you as part of the commit hook so only encrypted versions end up in your repository. For the encryption, Jak also automatically generates, updates, and distributes encryption keys based upon whom you’ve given access to your repos. That way another developer can pull down your code and immediately get to work instead of waiting for keys to arrive.
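As a complementary check to the approach described above (not Jak’s code, nor Dispel’s), here is an added pre-commit scanner written for this page: it reads the staged unified diff, looks only at added lines, and fails the commit when a line matches a known credential format or contains a high-entropy string. The credential patterns and the entropy threshold are choices made for the example, the sample diff is constructed, and the AWS values in it are the placeholder credentials from AWS’s own documentation.

```python
import math
import re
import sys

# Credential formats with a documented shape (AWS access key IDs begin with "AKIA"; PEM private
# keys carry a fixed banner). "secret_assignment" is a heuristic for config-style key/value lines.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|api_key|token)[a-z_]*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # candidate high-entropy strings
ENTROPY_THRESHOLD = 4.0                             # bits per character; tune for your repo


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def added_lines(diff_text):
    """Yield (diff line number, content) for lines a unified diff adds, skipping '+++' headers."""
    for n, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            yield n, line[1:]


def find_secrets(diff_text, threshold=ENTROPY_THRESHOLD):
    """Return (diff line, kind, matched text) for every suspicious added line."""
    findings = []
    for n, content in added_lines(diff_text):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(content):
                findings.append((n, kind, m.group(0)))
        for tok in TOKEN_RE.findall(content):
            if shannon_entropy(tok) >= threshold:
                findings.append((n, "high_entropy", tok))
    return findings


def kinds_found(diff_text):
    return sorted({kind for _, kind, _ in find_secrets(diff_text)})


# Constructed staged diff. The AWS values are AWS's documented placeholder credentials; the
# Stripe-style key is invented.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
+DATABASE_URL = "postgres://app@db/app"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+STRIPE_SECRET = "sk_live_9zXq7Lm2pVw4Rt8YkN3bHs6D"
+LOG_LEVEL = "debug"
"""

if __name__ == "__main__":
    # Hook usage (.git/hooks/pre-commit):  git diff --cached -U0 | python3 check_secrets.py
    hits = find_secrets(sys.stdin.read())
    for n, kind, text in hits:
        print(f"diff line {n}: {kind}: {text[:12]}...")
    sys.exit(1 if hits else 0)
```

This catches the plaintext-in-the-repo mistake at the moment it is made; it does not solve the key distribution problem that the encrypt-on-commit approach above targets, and entropy scanning will produce false positives on long base64 blobs, so keep an allowlist for those.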
Chris DiLorenzo is an Engineering Lead at Dispel. A graduate of Uppsala University (M.Sc.), Chris started his career as a sociotechnical systems engineer and researcher at Saab Aeronautics. Today, he has taken his skills as a software developer and scientist and is applying them toward entrepreneurship: first becoming Chief Technology Officer at prominent New York startup TripleMint and now leading engineering at the cyberdefense firm Dispel. There, he spends most of his time incubating new technology ideas; advising clients, universities, and fellow technologists in developing minimum viable products; and strategizing around encryption, interface design, user experience, and digital platforms.
Cochlear implants are neural prostheses used to restore sound perception to the deaf. Jeff has an Advanced Bionics brand HiRes 90K implant and will go over the basics of how cochlear implants work, what CIs sound like, the different neural stimulation strategies involved and their effect on channel crosstalk, some human problems related to CIs, and what he’s learned attempting to reverse engineer the signal powering his own CI.
Jeff Dodge is a mildly proficient computer programmer and an aspiring hardware hacker, infosec professional, and reverse engineer. Current hobbies include building quadcopters and 3D printers, disassembling video game clients, learning to not suck at CTFs, tinkering with Cyanogenmod / AOSP “ROMs,” and stuffing as much useful knowledge into his brain as it will allow.
Allan Friedman, Nick Leiserson, Eric Mill, and Jessica Wilkerson
Government technologists and policymakers today need to work with the security community—and many even want to. This panel will review a range of security policy issues and technology initiatives from across the federal government, and how collaboration between inside and outside security experts is necessary for good outcomes. Panelists will share some honest thoughts about how the government (tries to) work. We’ll have witty banter from a range of perspectives, including how the government is trying to secure itself, what Congress is up to, and what the heck ‘public-private partnership’ actually means. We’ll reserve half the time for Q&A so participants can ask questions of (or rant at) a friendly technocrat.
Allan Friedman, former techie, former prof, coordinates security policy programs at the National Telecommunications and Information Administration
Eric Mill, does tech policy/strategy for the General Services Administration, former software engineer and open government advocate
Jessica Wilkerson, CompSci and math geek who works on cybersecurity policy issues for the House Energy & Commerce Committee
Nick Leiserson, legislative assistant to Rep. Jim Langevin (RI-02) and lead staffer for the Congressional Cybersecurity Caucus
2016. Am I right? The June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups were only the beginning of a series of strategic leaks and conflicting attribution claims. In a series of “1-2 punches,” we saw attacks designed to breach the target and exfiltrate data, reinforced by a campaign to leak the information through mouthpieces posing as hacktivists. In this presentation we’ll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, assess strengths and gaps in the attribution analysis, and consider how the adversary might adjust their tactics going forward.
Toni Gidwani is the Director of Research Operations at ThreatConnect and leads ThreatConnect’s research team, an elite group of globally-acknowledged cybersecurity experts dedicated to tracking down existing and emerging cyber threats. Prior to joining ThreatConnect, Toni led analytic teams in the U.S. Department of Defense.
With increasing options for connectivity and reliance on drive-by-wire systems, automobiles have become targets for a variety of attacks. Researchers have exposed vulnerabilities in vehicle systems, garnering much attention and prompting government warnings. Hacking vehicles is a hot topic. However, one aspect of vehicle vulnerability is underappreciated, mostly because it applies to only a minute percentage of the vehicles on the road today. Plug-in electric vehicles (PEVs) make up a tiny portion of the overall vehicle market, but they are becoming more common. PEV charging involves authentication, payments and, increasingly, communication for managing power flow to stabilize the electric power grid. In the design of many charging protocols security is not emphasized, or is implemented only in the cyber domain. As cyber-physical systems, PEVs need authentication in both the cyber and the physical domain. In this talk we propose a means for charging stations to identify the type of PEV connected to charge without the PEV explicitly communicating this information, an approach analogous to the browser and hardware fingerprinting used in other fields to identify individual computers. We report the results of initial testing and outline future work.
Rebekah Houser is a first-year graduate student pursuing a PhD in Computer and Electrical Engineering with a concentration in Computer Systems. She has a bachelor’s degree in electrical engineering from the University of Delaware, where she is also studying for her PhD. Rebekah works on two research projects. The first is the fingerprinting project for plug-in electric vehicles. The second is an infrared scene projector, for which Rebekah works on the firmware team. A random fun fact about Rebekah: she started undergrad as an interior design major.
Brian David Johnson and Natalie Vanatta
A glimpse of our digital future includes diverse actors operating on a widening attack plane, with effects ranging from data disruption to death and destruction. How do we craft meaningful narratives of the future that can advise our community today? How do we combat the weaponization of data and future technology? Where do we even start?
Threatcasting is a conceptual framework and process that enables multidisciplinary groups to envision and systematically plan against threats ten years in the future. In August 2016, the Army Cyber Institute convened a cross section of public, private and academic participants to model future digital threats using this process with inputs from social science, technical research, cultural history, economics, trends, expert interviews, and even a little science fiction. Renowned futurist Brian David Johnson and Army Major Natalie Vanatta will explore the results of this project that not only describes tomorrow’s threats but also identifies specific actions, indicators, and concrete steps that can be taken today to disrupt, mitigate, and recover from these future threats.
Brian David Johnson (@BDJFuturist) is a Futurist and Fellow at Frost and Sullivan and the Futurist in Residence at Arizona State University’s Center for Science and the Imagination and a professor in the School for the Future of Innovation in Society. He works with organizations to model possible futures then works with them to specify the steps needed to get there.
Natalie Vanatta (@natalie_vanatta) is a security researcher at the Army Cyber Institute. Her PhD in math and IT background has definitely colored her way of thinking about the complex nature of offensive and defensive operations on 1s and 0s.
Anil Karmel and Andrew Wild
Virtualization has fundamentally altered the computing landscape over the past ten years, abstracting infrastructure from operating systems and enabling IT to reduce costs and to leverage new deployment models such as cloud. One of the fundamental challenges in migrating to the cloud is breaking application dependencies on the operating system. Application containers accomplish this by providing abstraction and isolation between applications and the operating system, enabling cloud portability and the scale-up/scale-out architectures powering the DevOps revolution. Docker in particular has taken the industry by storm, with over 400 million downloads and 75,000+ containerized applications built on this open-source platform. But what about security? IT professionals need to understand how application containers and microservices architectures affect their security posture. Come learn how application containers and microservices work, using the definitions published in the new NIST publication SP 800-180; understand the security challenges of this approach; and learn the best practices and strategies that enable your organization’s Secure Development Operations (SecDevOps) revolution.
What you’ll take away:
- Application containers and microservices 101: how they work, and how they work together
- How these solutions are used, and by whom
- Challenges posed by application containers and microservices
- Best practices for securing application containers and microservices
Anil Karmel (@anilkarmel) is the co-founder and CEO of C2 Labs, a company that assesses, designs, and implements IT strategic plans, with a deep specialization in Application Rationalization and Transformation (ART) leveraging Secure Development Operations (SecDevOps). Anil also serves as the co-chair of the National Institute of Standards and Technology (NIST) Cloud Security Working Group.
Andrew Wild is currently the chief information security officer (CISO) at QTS Data Centers, a leading provider of secure, compliant, data center solutions. Wild has spent over 25 years developing effective, customer-driven information security, incident response, compliance and secure networking programs for technology and telecommunications organizations.
Nicolas Kseib and Shimon Modi
Graph data models have been a hot topic in security for a few years but analysis of these cyber graphs is still largely driven by visual assessments or rudimentary analysis techniques. Graphs can do a lot more than just paint pretty pictures. We will discuss how to develop cyber specific graph models that make analysis more effective and also open up possibilities for analysis that would otherwise be computationally impractical. We will demonstrate application of our graph analysis techniques to the Barncat RAT config dataset and also open source the analysis module to the community.
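What “more than pretty pictures” can mean in practice, as an added example written for this page (not TruSTAR’s module and not the Barncat data): RAT configuration records become a bipartite graph of samples and `field:value` indicators; non-discriminating hub indicators (a default install path shared by almost every sample) are dropped by a degree threshold so that clusters reflect shared infrastructure rather than shared defaults; and connected components, shortest paths, and indicator degree are computed with the standard library. The records, field names, and values are constructed; hosts and addresses use reserved documentation names and ranges.

```python
from collections import defaultdict, deque

# Constructed RAT configuration records. Field names and values are invented for this example
# (hosts under .example, IPs from documentation ranges); this is not the Barncat dataset.
CONFIGS = [
    {"id": "s1", "family": "njrat",     "c2": "update-svc.example:1177", "mutex": "Global\\njq7",      "install_dir": "%APPDATA%"},
    {"id": "s2", "family": "njrat",     "c2": "update-svc.example:1177", "mutex": "Global\\k9p2",      "install_dir": "%APPDATA%"},
    {"id": "s3", "family": "njrat",     "c2": "203.0.113.7:5552",        "mutex": "Global\\k9p2",      "install_dir": "%TEMP%"},
    {"id": "s4", "family": "darkcomet", "c2": "198.51.100.20:1604",      "mutex": "Global\\m-default", "install_dir": "%APPDATA%"},
    {"id": "s5", "family": "darkcomet", "c2": "cdn-node.example:1604",   "mutex": "Global\\m-default", "install_dir": "%APPDATA%"},
    {"id": "s6", "family": "njrat",     "c2": "mail.example:1177",       "mutex": "Global\\zz01",      "install_dir": "%APPDATA%"},
]
INDICATOR_FIELDS = ("c2", "mutex", "install_dir")


def build_graph(configs, fields=INDICATOR_FIELDS, max_degree=None):
    """Bipartite graph: sample-id nodes <-> "field:value" indicator nodes.
    Indicators shared by more than max_degree samples are dropped as hubs: a default install
    path links almost every sample and says nothing about who operates them."""
    members = defaultdict(set)
    for cfg in configs:
        for field in fields:
            if cfg.get(field):
                members[f"{field}:{cfg[field]}"].add(cfg["id"])
    hubs = {ind for ind, ids in members.items()
            if max_degree is not None and len(ids) > max_degree}
    adj = defaultdict(set)
    for cfg in configs:
        adj[cfg["id"]] = set()            # samples with no surviving indicator stay isolated
    for ind, ids in members.items():
        if ind in hubs:
            continue
        for sid in ids:
            adj[sid].add(ind)
            adj[ind].add(sid)
    return adj, hubs


def connected_components(adj):
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in comp:
                continue
            comp.add(node)
            queue.extend(adj[node] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def cluster_sizes(configs, max_degree=None):
    """Sorted number of samples per connected component."""
    adj, _ = build_graph(configs, max_degree=max_degree)
    ids = {cfg["id"] for cfg in configs}
    return sorted(len(comp & ids) for comp in connected_components(adj) if comp & ids)


def shortest_path(adj, src, dst):
    """BFS path between two samples; the indicator nodes on it are the evidence for the link."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def pivot_indicators(adj, top=3):
    """Indicator nodes by degree, the best pivots once hubs are gone
    (indicator node names contain ':'; sample ids are assumed not to)."""
    degrees = [(node, len(adj[node])) for node in adj if ":" in node]
    return sorted(degrees, key=lambda item: -item[1])[:top]
```

With no degree threshold every sample collapses into one component through the shared install path; with `max_degree=3` the same data splits into a three-sample njRAT cluster linked by a C2 and a mutex, a two-sample DarkComet cluster, and one singleton, and the path between two samples names the indicators an analyst would cite as the reason they are linked.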
Nicolas Kseib (@NKseib) and Shimon Modi (@shimonmodi) work at TruSTAR Technology where they focus on R&D initiatives to better utilize data science techniques for cyber analysis. Nicolas received his M.S. and Ph.D. in Mechanical Engineering from Stanford University in Flow Physics and Computational Engineering. Nicolas oversees the development of TruSTAR’s advanced correlation algorithm and the company’s data analytics platform. Shimon has worked on a wide range of cyber security initiatives in industry, government, and academia and has presented at peer-reviewed academic conferences and hacker cons.
Attribution is big business these days, but can we trust it? Is it more than a game of finger-pointing? How good are we at spotting false-flag operations? Are advanced adversaries successfully defeating threat intel feeds through disinformation campaigns? In this talk, we will demonstrate how attackers counter defensive information-sharing operations through a real-world demo of a successful disinformation campaign. Using existing threat intel data, we will convince analysts to misattribute our activities to another threat actor. To do this we will select our “copy-cat” adversary from existing threat intel feeds, analyze their tradecraft, and mimic their modus operandi in the real world. We will taint several threat intel feeds to plant the seeds of our misattribution tree, and then launch an operation against a real-world target to demonstrate that analysts relying on the tainted feeds will misattribute our operations to the mimicked actor.
Ultimately, this talk calls into question the efficacy of threat intel solutions for attribution purposes — should we even bother with this data, or is it ultimately a “rat race?”
Mark Kuhr (@MarkKuhr) co-founded Synack after more than nine years focused on cyber security in academia and the defense industry. Most recently, at the National Security Agency (NSA), Mark worked in roles including Technical Director, Computer Network Operations Operator, Network Analyst, and Computer Scientist.
Dr. Kuhr received a Ph.D. in Computer Science from Auburn University under a DoD/NSA-sponsored fellowship. He has published several papers on enterprise cyber security and performed research under DoD contracts related to information security, network analysis, and jam-resistant network communication protocols.
This talk will cover everything you need to know about facility access control systems in 20 minutes or less.
Part 1: Access control intro – how systems are put together, what sort of controllers, sensors, latches, readers and other components are common and some of the basics on how they all work.
Part 2: Rapid-fire skimming over some of the trivial bypass techniques for various sensors and latches. This will be a speedy show-and-tell for some of the surprisingly easy ways to open doors.
Part 3: Demo/training for a new tool that opens all the doors of average corporate America and is just too darn easy. Bring your questions and best heckling.
Kenny McElroy (@octosavvi) is a security researcher, competitive lock picker, tinkerer, embedded systems hacker, jam skater, SMT solderer, SDR twiddler, amateur aerospace geek / rocket surgeon, and modwire artist.
Goodnight Moon & the House of Horrors: A look at the current IoT ecosystem and the regulations trying to control it
Whitney Merrill and Aaron Alva
The children’s classic Goodnight Moon said “goodnight” to quaint products like red balloons, mittens, and lights. But these have been replaced by IoT devices like Bluetooth-connected mobiles, biometric gloves, and “smart” lightbulbs. We’ll look at the current IoT ecosystem, then discuss the laws, regulations, and policies trying to prevent security nightmares. We’ll say “goodnight” to bad IoT and bad security practices.
Whitney Merrill (@wbm312) is a hacker-lawyer who spends her days as an attorney at the Federal Trade Commission and her nights trying to get her Hue light bulbs to work. She received her Masters in CS from the University of Illinois at Urbana-Champaign and her law degree from the University of Illinois College of Law.
Aaron Alva (@aalvatar) is also a hacker-lawyer and by day a technologist at the FTC. At night he reads Goodnight Moon and worries light bulbs will wake his baby. He received his Masters in Information Management and law degree jointly at the University of Washington.
Aaron & Whitney might be the same person. They both focus on infosec, privacy, and consumer protection law.
Allison Miller, Melissa Clarke, and Margaret Schedel
We live within data, using it to describe who we are, provide context for what has happened, and filter current events; we use it to build new experiences and environments. Join us for a discussion of the art and technology behind háček, a unique interdisciplinary work designed to explore the narratives of hackers and create a new vision of cyber spaces, using data to inform every aspect of the piece from the sound to the visuals to the physical sculpture.
An original exhibit recently launched in New York, háček combines physical installation, VR experience, audio and visual pieces. The artists leveraged raw feeds of data to inform creation of an immersive installation that positions larger impact towards metaphors of networked landscape, security, and wayfinding. Join Melissa Clarke, Margaret Schedel, and Allison Miller as they share the framework, techniques, and narrative approach used to craft metaphorical art from real data extracted from system logs. Attendees will learn how artists are using computational techniques and tools to reshape boundaries between engineering and art, and extract compelling immersive experiences out of emerging social and networked systems.
Melissa F. Clarke is an interdisciplinary artist whose work employs data and generative self-programmed environments. Clarke works at the intersections of data, science, and art. She creates multimedia generative installations, performances, and printed images.
Margaret Schedel is a composer specializing in interactive media. Schedel is a joint author of Electronic Music and edited an issue of Organised Sound. Her research focuses on gesture in music, sustainability of technology in art, and data sonification.
Allison Miller (@selenakyle) has worked to protect consumers and platforms from online threats for over 15 years, leveraging her expertise in security analytics, risk, and detection technologies.
Falcon Darkstar Momot and Sergey Bratus
When reviewing code or protocol specifications, have you ever had a feeling that something might be a problem but couldn’t quite prove it? LangSec can help you do that. LangSec, or language-theoretic security, is the idea that basic theory of computation (that is, reasoning about grammatical complexity and automata) can act as a guiding design principle for the construction of secure parsers, and thereby increase the security of programs in general. Until this point, it has been a somewhat theoretical discipline: aside from the Hammer framework, few industry tools make specific use of it.
We discuss recent developments in LangSec and bring the community up to speed on our efforts to bridge the gap between theoretical and practical information security. We back-validated LangSec and found that it would have predicted a lot of bugs in commonly used software; we discuss these results. We’ll contextualize several real examples in the LangSec framework and demonstrate a set of rules (and corresponding proposed CWE entries) designed to help programmers avoid writing insecure parsers. Then, we’ll discuss how code reviewers can use this context to find bugs and what tooling can be constructed around LangSec principles in the future.
Falcon Darkstar Momot (@FalconDarkstar) is a penetration tester at Leviathan Security Group and a grad student at Athabasca University. His prior work includes the Lotan crashdump security analysis tool and a method for generating stealth NOP slides using undefined behaviour and opcodes in x86. He also works with Shadytel on next-generation semi-electromechanical switch development and with Neg9 on getting the all-too-elusive flag.
Sergey Bratus (@sergeybratus) is a research associate professor at Dartmouth College and has published many papers on LangSec since its beginning. His work is wide-ranging, from natural language processing to the suitability of software-generated evidence in legal proceedings.
Marc Newlin and Matt Knight
The year was 2017, and proprietary wireless protocols roamed the earth. The age of the radio was upon us, and the future looked bleak. But then, in the midst of the darkness and chaos, hackers everywhere saw the light, and the torrent of CVEs began! Join us as we lift the veil on SDR and show that magical powers are not needed to pwn the Internet of Things (Radios).
This session offers a tutorial on how to apply Software Defined Radio, with an emphasis on the “Radio” part. Rather than glossing over RF basics, we will frame our entire discussion about reverse engineering wireless systems around digital radio fundamentals.
The adventure begins with an offensively short crash course in digital signal processing and RF communication, covering just enough to be dangerous, before introducing a reverse engineering workflow that can be applied to any wireless system. We will show how to use this workflow to recover bits out of the air from a variety of proprietary wireless devices.
Attendees should expect to walk away with practical knowledge of how to use SDR to examine proprietary wireless protocols. We will release GNU Radio flowgraphs and shell scripts to get attendees started.
Marc Newlin (@marcnewlin) is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities. A glutton for challenging side projects, he competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.
Matt Knight (@embeddedsec) is a software engineer and security researcher at Bastille, with a diverse background in hardware, software, and wireless security. In 2016, he exposed the internals of the closed-source LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College.
Kurt Opsahl and Andrew Crocker
Get the latest information about how the Electronic Frontier Foundation, the nation’s premiere digital civil liberties group, will be fighting for freedom and privacy in the next few years. The first half of the presentation will focus on EFF’s plans to address challenges in technology, policy and law in the upcoming Trump Administration, as well provide an update for the audience on what has happened over the last year. The second half will be given over to question-and-answer, so it’s your chance to ask EFF questions about the law and technology issues that are important to you.
The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development.
Kurt Opsahl (@kurtopsahl) and Andrew Crocker (@agcrocker) are attorneys who work on EFF’s Coders’ Rights Project, which builds on EFF’s longstanding work protecting security researchers through education, legal defense, amicus briefs, and involvement in the community with the goal of promoting innovation and safeguarding the rights of curious tinkerers and hackers.
I’ve designed the first production quality, open source U2F token. I’ve designed it to be secure, cheap, and reliable. This is important for a 2 factor auth key, which is what U2F is intended for. Additionally, I mass produced the U2F tokens using an external PCB fab and a programming pipeline I designed and implemented. Custom programming was required to meet complex security requirements. I provide metrics and cost details for bootstrapping a project like this to sell on Amazon Prime.
I will explain the security fundamentals that make U2F secure. Additionally, there are important factors a designer needs to face to correctly design secure hardware. A protocol like U2F isn’t secure until it’s in a well designed implementation. And to make a project available to others, one must consider other factors to mass produce secure hardware. How do you make sure each key is unique and that different keys are handled properly? I solved this with my design of a custom programming setup. I then pipelined it so I could program 1000+ U2F tokens in a reasonable amount of time on my own. Lastly, I provide metrics and cost details for bootstrapping a project like this to sell on Amazon Prime.
Conor Patrick (@_conorpp) is a graduate student at Virginia Tech researching secure embedded systems. He’s planning on working for the government in security after he finishes his studies. He has previously worked at the FTC doing research about security in products and at Johns Hopkins Applied Physics Lab doing reverse engineering. Conor likes attending bike parties with bright LED setups. He’s a beer drinker and brewer. He’s a fan of photography. He enjoys reading and blogging. He likes traveling and is planning a trip for next summer.
This isn’t a typical ShmooCon talk. I’m not an expert. I haven’t developed a new tool to share, nor am I sharing cutting edge research. This is a story. A story of adapting from a world with answers and guidance to a world where sometimes, the only way to learn is to flail blindly.
About 3 months into my first job out of school, I received a ticket for malware analysis with 68 samples attached to it. I had no clue where to start and nobody to ask. I started with sample 00a8 and waded aimlessly through the x86, stumbling through anti-analysis techniques I’d never seen. I scoured my books and ran countless Google searches all to no avail. What do you do when all you have are questions and there are no answers to be found? I flailed in the dark. I spent hour upon hour, day upon day immersed in the code. Eventually though, somewhere in the weeks of flailing, I learned and I developed. Of equal importance, I gained confidence to ask for help. I learned a lesson I’d like to share with those new to computer security–flailing is learning.
Lauren Pearce is more than a little ADD in her interests. In school, she studied history and international affairs (BA), psychology (minor), and computer science/computer criminology (BS, MS) before discovering a topic that could keep her attention–computer security. After graduating, a Scholarship for Service student with a dislike for DC, she landed at Los Alamos National Lab on their Computer Security Incident Response team as a Malware Analyst.
Brian Redbeard and Brad Ison
As users of Linux containerization have become well aware, it provides a rapid deployment mechanism for consistent environments and immutable infrastructure. As attackers have become well aware, most users do not audit the containers they run, and with a shared kernel and root privileges many things are possible.
At CoreOS we eschewed the dominant paradigm, Docker, due to what we felt were inconsistencies in its security story. This led to the development of rkt (née ‘rocket’) which builds upon the ideas of LXC, Docker, and containerization systems from the past while adding support for run time choice between containerization and virtualization.
Using rkt users can make a decision at run time whether a “container” should truly be run as a Linux based container through the traditional mechanisms of namespaces, cgroups, and SELinux or whether these should be layered with an additional kernel, allowing for increased run time isolation.
Best of all, rkt is available as free/libre open source software and has been battle tested in our production for over two years. In this talk we will outline how we use these technologies in production to secure our environment.
CoreOS is a distributed systems company focusing on automatically updating infrastructure achieved through the use of Kubernetes and Linux containerization. Redbeard has been an [ab]user of Linux since the 90s and has specialized in the administration of large scale distributed systems. He now runs the global infrastructure and SRE teams at CoreOS. Brad is a site reliability engineer at CoreOS ensuring sensible deployments of Kubernetes and a specialist on the container registry “Quay.io”.
Chat bots have been popping up everywhere for silly things, but what if they can help us make the world more safe and secure? The work of designing secure systems often involves iterating over designs with a team, but what if you don’t have a team? What if you could iterate over system design and analysis in a chat window and have a design document with safety constraints as the end product? This talk will present an original open-source chat bot that will do just that.
Rich Seymour (@rseymour) is a Senior Data Scientist at Endgame working on integrating R&D successes into the platform and experimenting with new techniques to make security sensible. He has a PhD in Materials Science and a M.S. in Computer Science from the University of Southern California where he worked on high performance computing simulations of nanoscale materials under stress.
The Shmoo Group
For twelve years, we’ve chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the breakdown of the budget, an insight into the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon, and anything else you might want to talk about. This is an informative, fast paced, and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though–if you ever wanted to know How, When, or Why when it comes to ShmooCon you shouldn’t miss this. Or go ahead and do. It’ll be online later anyway.
The Shmoo Group is the leading force behind ShmooCon. Together with our amazing volunteers we bring you ShmooCon. It truly is a group effort.
Gal Shpantzer and G. Mark Hardy
“ZOMGWTFBBQ! We just got hit with Ransomware!” What you don’t usually hear next is, “LOL!” You can build defenses that prevent Ransomware from paralyzing your organization — we’ll show you how. Watching business executives trying to buy Bitcoin is like watching grandmothers trying to buy heroin — awk-ward!
Ransomware is now a billion dollar industry, having exploded in popularity in 2016 and it’s only going to get tremendously HUUGE in 2017. Lost productivity costs far more than the average ransom, so execs just say, “Pay the damn thing and make it go away.” But what if you could stop Ransomware in its tracks?
We’ll discuss the technical tools and methodologies that are battle-proven and ACTUALLY WORK, as evidenced by ransomware that was prevented entirely, as well as ransomware infections that went nowhere due to proper mitigations in place. Finally, looking to the future of this exploding cybercrime niche, we’ll offer predictions on how this “industry” will evolve and what to expect next.
Gal Shpantzer (@Shpantzer) is a trusted advisor to CSOs of major corporations, technology startups, large universities and non-profits/NGOs, focusing on ransomware and other disruptive threats. Gal has been involved in multiple SANS Institute projects, including co-editing the SANS Newsbites since 2002, revising the E-Warfare course and presenting talks on cyberstalking, CAPTCHAs and endpoint security. In 2009, he founded the privacy subgroup of the NIST Smart Grid cybersecurity task group, resulting in the privacy chapter of NIST IR 7628. He is a co-author of the Managing Mobile Device Security chapter in the Information Security Management Handbook (2010) and technical editor of the O’Reilly book on Blue Team (2017). While working with EnergySec on threat intelligence sharing in the electric sector, Gal contributed to the ES-C2M2 security assessment standard (2012), and the Publicly Accessible Control Systems Working Group.
G. Mark Hardy (@g_mark) is founder and President of National Security Corporation, and has provided cyber security expertise to government, military, and commercial clients for over 30 years. He is also founder and CEO of CardKill Inc., a credit card fraud prevention company that has invented technology to preemptively kill stolen credit cards even before they are used in fraud. He is a retired U.S. Navy Captain, having been entrusted with nine command tours throughout his career. A graduate of Northwestern University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration, a Masters in Strategic Studies, and holds the CISSP, CISM, GSLC, and CISA industry certifications.
Cyber Squirrel 1 (aka. Space Rogue)
Despite years and years of rhetoric concerning the weaknesses in the electronic defenses of the power grid, there has yet to be one long term power outage directly caused by a cyber attack. While cyber attacks have not yet taken out the power, squirrels have, hundreds of times every year. This talk will examine previous claims of infrastructure cyber attacks such as the Brazil blackout, Turkish pipeline explosion, German steel plant blast furnace and the recent power outage in the Ukraine, among others. We will also examine decades of confirmed attacks by squirrels, birds, snakes, and other animals. We will break down our meticulously gathered data of cyber squirrel attacks by country, number of people impacted and length of outages and compare that with the same data for outages caused by cyber attack. While some may see cyber squirrel attacks as funny, the underlying message is deadly serious. #cyberwar4ever
Cyber Squirrel 1 (aka Space Rogue, @spacerog) is the minister of Information and Propaganda for the Cyber Squirrel Army. He meticulously catalogs and documents all declassified cyber squirrel operations world wide. In addition he likes to debunk suspected hacker attacks that were never really caused by hackers. He prefers walnuts to acorns and loves birdfeeders.
Dominic Spill and Michael Ossmann
There have never been more infrared signals, from the remote control toys and televisions that we all know, to audio distribution systems and unintentional emissions from electronic equipment.
Reusing existing receivers has allowed researchers to decode IR signals in the past. However, that technique lacks the ability to detect arbitrary communication signals without prior knowledge of protocol. This is exactly the type of problem that we solve every day with Software Defined Radio (SDR), so we decided to apply those Digital Signal Processing techniques to Infrared.
Using low cost open source hardware of our own design, we have been able to apply our traditional wireless reverse engineering techniques to infrared signals, giving us the opportunity to sniff and inject. We will show some of the infrared systems that we have investigated and demonstrate the ways in which our hardware platform can meddle with them.
Michael Ossmann (@michaelossmann) is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.
Dominic Spill (@dominicgs) is senior security researcher for Great Scott Gadgets. The US government recently labelled him as “extraordinary.” This has gone to his head.
Many secure end-to-end messaging protocols exist in the wild, most of which claim to provide the same basic security properties. However, each protocol exists in a different context and has different requirements to fulfill. The protocol and the security that is achieved are not independent of that context. In particular we take a look at the Silent Circle instant messaging protocol (SCIMP), the former default messaging protocol on the BlackPhone. We construct a model of the protocol using the formal verifier ProVerif, with which we prove that version one of the protocol is secure, and we find a man-in-the-middle attack against version two. By comparing the model against the actual implementation we find a discrepancy that allows an attacker to perform the attack completely undetected. A similar situation arises in OMEMO (a multi-device XMPP implementation of the Signal protocol), which did not achieve its full potential security when deployed in a multi-device setting. Both protocols have been patched and should no longer be vulnerable to the attacks found.
Sebastian Verschoor got his Masters degree in Information Security Technology at the Eindhoven University of Technology. In his thesis, supervised by Dan Bernstein and Tanja Lange, he analyzed the Silent Circle instant messaging protocol. While working at Radically Open Security, he audited the proposed OMEMO protocol, the patched version of which is currently being considered for standardization. He is currently a PhD student at the Institute for Quantum Computing at the University of Waterloo.
Tim Vidas, Chris Eagle, Jason Wright, Brian Caswell, Mike Thompson, and Holt Sorenson
On August 4th, 2016, in conjunction with the DEF CON hacking convention, seven fully autonomous systems vied against each other for a two million dollar grand prize. These systems were designed to hack and defend previously unseen computer software, ultimately making sense of zero-day attacks — without any human assistance. Answering DARPA’s call, international teams from academia and industry designed these systems for more than two years, pushing the art and science of program analysis, vulnerability discovery and mitigation. During the final event, the competing autonomous systems demonstrated that machines could discover, prove, and patch zero-day software flaws in just a few minutes, a feat beyond the capabilities of any human network defense team. DARPA’s Cyber Grand Challenge employed a custom operating system, a unique executable file format, and a novel IDS format, resulting in the most reproducible head-to-head capture-the-flag contest ever conducted. This panel is comprised of the Competition Framework Development team, the team responsible for architecting and engineering the contest as well as orchestration of the competition. In this panel, the speakers will convey insight into the design and implementation of the Cyber Grand Challenge, revealing previously secret strategies and tools and answering questions from the audience.
Tim (@tvidas), Chris (@sk3wl), Brian (@evilcazz), and Holt are all part of the Sk3wl of r00t hacking team, organized DEF CON CTF for years as DDTEK, and are members of The Shmoo Group. In addition to these four, Jason (@risenrigel) also has a DEF CON CTF Black Badge earned as part of the ACME Pharm hacking team. The relative outsider to the CTF world, Mike brings secure system design experience rooted in GEMSOS. Among the team are a Ph.D., the author of The IDA Pro Book, the primary author of the foremost IDS ruleset, an OpenBSD kernel contributor, and two DC3 Forensics Challenge Grand Champions.
Andrew White and Jesse Kriss
User Focused Security is an approach we are using to address employee information security at Netflix. If we provide employees with the right information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement.
Letting people retain control over their devices means that they can maintain flexibility and productivity and address security recommendations as appropriate to their levels of access. This approach will only be successful, though, if we can provide clear and specific action, and make it easy to do the right thing.
Stethoscope is a web-based tool that gives Netflix employees a view into the security state of their devices, with specific recommendations regarding disk encryption, firewalls, and other device settings. The website, in conjunction with email alerts, gives Netflix employees a straightforward way to see what actions they should take to remain safe.
Andrew White and Jesse Kriss are both members of the Information Security team at Netflix, where they work on designing and building software tools that help people make good decisions around corporate security.
Andrew holds a PhD in Computer Science from the University of North Carolina at Chapel Hill and a B.S. in Computer Science and B.A. in Mathematics from the University of Richmond.
Jesse (@jkriss) holds a Master’s in Human-Computer Interaction from Carnegie Mellon University and B.A. in Music from Carleton College. Prior to Netflix, he worked at NASA/JPL, Obama 2012, Figure 53, and IBM Research.
Malware is nothing but a counterfeit process. Imagine trying to find counterfeit bills with only a cursory knowledge of what money looks like. Sure it’s green and has numbers on it, but that doesn’t make you a currency expert. Sadly, that’s the equivalent knowledge level of many infosec professionals when examining Windows systems during live response.
In order to find evil, you must first know what good looks like. In this session, we’ll spend some time getting to know what behavior is expected on Windows 10 systems so you can pull the signal out of the noise (and oh is there ever noise). The time you invest today will pay huge dividends during your next investigation.
This session is appropriate for both defenders and attackers (penetration testers). Incident responders will find great value in understanding baseline Windows 10 operation. What processes are expected? Are there normal scheduled tasks? What weird behavior should I expect on Windows 10 that wasn’t there in previous operating systems? Penetration testers frequently exploit the same weaknesses in their tests that have been used by attackers. Look carefully and you may find you’re not the only one on that box you just popped.
Jake Williams (@MalwareJake) is a co-founder of Rendition Infosec, TS//NF (Tactical Security//Network Forensics), and E-Guardian Global Services where he focuses on incident response, computer forensics, penetration testing, malware reverse engineering, and exploit development. Jake is a certified SANS Instructor and course author and trains thousands annually in information security topics. Prior to founding Rendition Infosec, Jake worked in various roles with the US DoD performing offensive and defensive cyber operations in classified environments. Jake regularly briefs Fortune 500 executives on information security topics and has a knack for translating complex technical topics into verbiage that anyone can understand.
David Wu and Sergey Bratus
Our phones go wherever we go. Ever present, and with ever more data and connections, smartphones hold as much sensitive data as traditional systems but do not have the same protections. Android’s recent 6.0 (Marshmallow) release introduced much needed dynamic permission checks for applications. However, this does not go far enough in adapting to mobile phones’ unique security needs. Smartphones encounter a wide variety of settings and situations that current security solutions fail to account for. We introduce a context-aware IPC firewall for Android that dynamically filters messages based on environmental data. Our BinderFilter can both block and modify Android IPC messages sent through Binder, which is in a position of complete mediation in Android. Our Binder hooking framework and message parser are unique in their scope and implementation—and mitigate broad classes of cross-app attacks, such as “collusion” and “UI-based activity hijacking” attacks. We also provide a policy application, Picky, with which users can set policy rules for any message and target applications.
David Wu (@Davidwuuuuuuuu) is a recent graduate of Dartmouth College. There he worked with Sergey Bratus on projects involving VPN fingerprinting and Linux instrumentation. He has developed particle physics simulations for Brookhaven National Laboratory and website analysis tools for Ionic Security. He is currently working as a Software Engineer in Boston.
Sergey Bratus (@sergeybratus) is a research associate professor at Dartmouth College. He and his students demonstrated many powerful execution mechanisms where least expected: in DWARF debugging, in ELF metadata, in the x86 MMU, and collaborated with industry researchers to build security tools for protocols such as USB, 802.15.4/ZigBee, and 802.11 fingerprinting.
This talk will cover the essence of storytelling, the psychology behind how information is perceived by an audience, and how to apply this information to giving presentations. This will potentially spoil every movie you ever watch again, but it will help you present to others for the rest of your life.
Jason Blanchard (@BanjoCrashland) does stand-up comedy, has taught storytelling and marketing, and works for an information security training company. Also, hilarious.
Emulators are useful but mistakenly thought to be too much trouble to write when reverse engineering an embedded system. In this lecture I’ll teach you how to painlessly re-link the memory dump of a microcontroller into an ARM/Linux executable that runs through qemu-user. Emulation will finally be easy!
Travis Goodspeed (@travisgoodspeed) is a neighborly reverse engineer of embedded systems from Southern Appalachia. His MD380Tools project was first announced at last year’s Firetalks, and he drives a television news van. You can reach him during the conference by amateur DMR at 441.0 MHz, TS1, TG99. His LLID is 3147-092.
This presentation will reveal NAVRIE Athena, an open source graph-database-based tool to unify data and workflow between infosec tools for all teams and purposes, with the intent to streamline work behind a unified database with a REST interface.
Peter Clemenko is a Pentester by day, founder of a VR/AR company by night who has a habit of asking people to hold his beer.
This talk delivers a fast-paced summary of a decade’s worth of rejected presentation pitches.
Not just a list of bad ideas, it’s an exploration of changing interests and technologies. We’ll cover a range of topics, from Tor hidden services to Windows credential protection, and review lessons from numerous failed projects.
Charlie Vedaa (@CharlieVedaa), GSE #112, is a fork and spoon operator for the US government. He has presented at several conferences including DEF CON, SummerCon, and HOPE.
A work-in-progress tool will be demonstrated. It enables modeling application/system security requirements, then expands the list of requirements to a more actionable list for design, risk-benefit trade-off analysis, testing and compliance purposes. Security functional requirements libraries and threat modeling mitigation libraries will be community maintained.
John M. Willis is a security architect who seeks to build security in by coming up with new and different ways of looking at things.
Think things are “on the wrong track?” Turns out, regardless of political leanings, so does everyone else. Fixes require more than money; since software ate the world (and then bugs ate the software), the whole world needs your help. Let’s take small steps toward building the society we need.
Brendan O’Connor (@ussjoin) went to law school to explain tech policy to the government. Instead, he explains security to auditors. Occasionally, he hurts himself while cutting wood.