Keynote Address

Privacy Online: What Now?

Ian Goldberg

Recent revelations about data and metadata collection of Internet users' communications have been extremely worrying. Not only are governments collecting this information, but online service providers, including cloud providers, are part of the picture as well.

What can we, as individuals, do to limit the collection of our online messages, friends lists, and usage patterns? In this talk, we will look at existing and upcoming privacy enhancing technologies that can help you control the spread of this personal information, and present some calls to action for improving the state of the world in this regard.

Ian Goldberg is an Associate Professor of Computer Science and a University Research Chair at the University of Waterloo, where he is a founding member of the Cryptography, Security, and Privacy (CrySP) research group. His research focuses on developing usable and useful technologies to help Internet users maintain their security and privacy. He is a Senior Member of the ACM and a winner of the Electronic Frontier Foundation's Pioneer Award.

Closing Plenary

Large Scale Network and Application Scanning

Bruce Potter (moderator), Robert David Graham, Paul McMillan, Dan Tentler, and Alejandro Caceres

From proff's strobe to modern day distributed network scanners, probing remote systems and applications to assess a system's security posture is a core part of our offensive and defensive tool kits. This panel discussion will examine the state of the art of network and application scanning. During the session, the entire Internet will be scanned at least once by the panelists--maybe even a few times. We will discuss the results of a recent scan of large scale cloud providers and the issues the scan uncovered. The panel will also examine new tools utilizing application scan results to enable real-time defenses against compromised or weak systems. Finally, the panelists will engage in a discussion on the ethics of network scanning, especially as it pertains to the modern capability of large scale, nearly instantaneous scanning of the entire Internet.

Back in 1998, Robert Graham created one of the first popular desktop firewalls (BlackICE Defender) and the first IPS (BlackICE Guard). In 2007, he created the first "sidejacking" tool for hijacking sessions by sniffing cookies. He's been a regular speaker at conferences for the last 13 years.

Paul McMillan is a security engineer at Nebula. He is also a member of the security teams for Python and Django. When he's not building or breaking clouds, he enjoys cocktails and photography.

Dan Tentler is the sole proprietor of Aten Labs, a freelance Information Security consultancy firm in San Diego and is routinely parachuted into various clients in southern California. Dan carries a wide breadth of clients and engagements, ranging from threat intelligence, to wireless site surveys and penetration testing, to full blown social engineering campaigns, to lockpicking and threat & vulnerability assessments. Dan has presented at DefCon, BlackHat, various BarCamps, Toorcon San Diego, ToorCon Seattle, regional OWASP meetings, Refresh San Diego, and SDSU computer security advanced lecture classes. Dan has been interviewed by the BBC, CNN, The San Diego Reader, and a variety of information security blogs and publications. If you need a bad guy, call Dan.

Alejandro Caceres is a distributed computing fanatic and security researcher or whatever hackers are supposed to call themselves these days (he lost track of buzzwords when the acronym APT was invented). He's conducted research and presented at the big cons on offensive distributed computing techniques against massive targets (e.g. significant portions of the Internet or the entire Internet when he's feeling frisky). His research is cool and stuff, but he is most proud of getting hit repeatedly with a wooden paddle by a DEF CON goon at DEF CON 21 as well as annoying Bruce Potter on Twitter one time.

Abusing ACPI Control Methods


The Advanced Power Control Interface (ACPI) is an integral part of modern PCs, used for managing a broad spectrum of diverse peripherals during the normal operation of the system. The system's BIOS provides code for carrying out ACPI-related functions in the form of ACPI Machine Language (AML) code that is executed in a lightweight virtual machine provided by the operating system. This VM can read and write memory, as well as issue I/O to peripherals. This talk will explore ways of abusing AML code, as executed by the operating system, to carry out various tasks, from kernel exploitation to damaging hardware.

Assambly is a security enthusiast with a wide range of interests in low level subjects.

Operationalizing Threat Information Sharing: Beyond Policies and Platitudes

Sean Barnum and Aharon Chernin

Threat intelligence sharing is a hot topic of conversation today that already affects or soon will affect most of us in the infosec community. Like most hot topics this tends to generate a lot of cliched buzzworditis and well-meant but unrealistic policy. Cue the shmooballs!

But what does it take to move beyond just talking about cyber threat intelligence sharing and making it an operational reality. This session will include discussion of the challenges involved in operational implementations and will provide real-world lessons learned from one of the world's leading threat intel sharing programs (the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Sean Barnum is a Principal with MITRE and leads several international community efforts to standardize structured threat intelligence information including the Structured Threat Information eXpression (STIX) and Cyber Observable eXpression (CybOX).

Aharon Chernin leads the Information Security Automation team at DTCC and chairs the Security Automation Working Group within the Financial Services Information Sharing and Analysis Center (FS-ISAC). Aharon leads the development of the Cyber Intelligence Repository, used by the Financial Services industry, to automate cyber intelligence sharing through the use of STIX and TAXII.

SafeCurves: Choosing Safe Curves for Elliptic-Curve Cryptography

Daniel J. Bernstein and Tanja Lange

There are several different standards covering selection of curves for use in elliptic-curve cryptography (ECC). Each of these standards tries to ensure that the elliptic-curve discrete-logarithm problem (ECDLP) is difficult. ECDLP is the problem of finding an ECC user's secret key, given the user's public key.

Unfortunately, there is a gap between ECDLP difficulty and ECC security. None of these standards do a good job of ensuring ECC security. There are many attacks that break real-world ECC without solving ECDLP. The core problem is that if you implement the standard curves, chances are you're doing it wrong:

  • Your implementation produces incorrect results for some rare curve points.
  • Your implementation leaks secret data when the input isn't a curve point.
  • Your implementation leaks secret data through branch timing.
  • Your implementation leaks secret data through cache timing.

These problems are exploitable by real attackers, taking advantage of the gaps between ECDLP and real-world ECC. Secure implementations of the standard curves are theoretically possible but very hard.

Most of these attacks would have been ruled out by better choices of curves that allow simple implementations to be secure implementations. This is the primary motivation for SafeCurves, http://safecurves.cr.yp.to/. The SafeCurves criteria are designed to ensure ECC security, not just ECDLP security.

We're researchers in both constructive and destructive aspects of elliptic-curve cryptography. We started issuing warnings about the security dangers of the NIST elliptic curves before it became fashionable to do so. We've proposed alternatives that are faster and stronger, including Curve25519, Ed25519, and Curve3617. Curve25519 is now the go-to alternative curve for people wanting speed and implementation security; it's also not tainted by NIST/NSA. In 2007 we pointed out that Edwards curves are faster and easier to implement securely than standard Weierstrass curves. Edwards curves are also mathematically simpler, allowing a much friendlier introduction to ECC.

We've done some other things in crypto as well.

Raising Costs for Your Attackers Instead of Your CFO

Aaron Beuhring and Kyle Salous

Everyone knows that blacklisting is not effective and that whitelisting is a better solution, so why isn't anyone doing it? Organizations continue to spend money on the latest technologies in hopes that if they spend enough they will somehow become secure. Chances are that that these same organizations already own technology that can provide far more powerful defense than new blinking boxes but just haven't taken the time to properly implement it.

This talk will present three approaches to whitelisting. While each approach is effective on its own, they are downright deadly when used together. It will show examples of how recent targeted and untargeted attacks could be blocked and will also present scripts, sample GPOs, and methods for implementing these technologies without losing your hair or your job. By the end of the presentation you will have all the tools necessary to frustrate attackers, amaze your coworkers, and impress your CFO.

Aaron Beuhring has over 12 years of IT experience. He enjoys correcting configurations and occasionally misconfiguring things as well.

Kyle Salous has 9 years of IT Security experience. He enjoys doing more with less while keeping the bad guys on their toes.

Technology Law Issues for Security Professionals

Shannon Brown

An emerging gap exists between the demands of today's technology systems, the necessity for computer security research, and the reality of the law. The potential tension between these elements poses a challenge especially for computer security researchers--some who might be misunderstood or who may unintentionally run afoul a myriad of complex laws with potentially breathtaking penalties.

In plain language, this presentation raises awareness of some of the potential traps for the unwary. The presentation raises the issues and provides a brief and general informational overview of the law. Perhaps even more importantly, the presentation provides some background on what "the law" means, how law is actually interpreted or applied, and discusses both the federal and a sampling of, the oftentimes overlooked, state laws with potentially serious, negative consequences for researchers. Specific laws discussed include the Stored Communications Act (addressing email and other communications), the Computer Fraud and Abuse Act (increasingly applied in unintended ways such as employment contracts), Digital Millennium Copyright Act (anti-circumvention), and a sampling of potential state laws related to computer crimes.

Shannon Brown has a background as a software developer; CIO; independent technology consultant; systems administrator; national, public policy researcher; language translator; college instructor; farmer; community leader; cooperative president; lawyer; and business owner. Shannon is a licensed attorney in Pennsylvania, New Jersey, and federal court with focus on legal issues in technology, cryptography, and computer security. He also regularly writes articles and conducts training about law-and-technology for attorneys. Shannon recently developed a machine learning software application for the legal community to help provide access to justice. His research interests include computer security, cryptography, and machine learning.

Malicious Online Activities Related to the 2012 U.S. General Election

Joshua Franklin, Robert Tarlecki, Matthew Jablonski, and Dr. Damon McCoy

This presentation looks back at the number of ways that the 2012 Presidential election was bought, sold, and manipulated through malicious online activities. We identify activities that could be classified as manipulative, mischievous, or downright illegal, such as fake campaign donation sites, political spam, attempts to sell ballots, privacy violations, and rogue Super PACs. For each of these activities we provide examples of sources that demonstrate their online presence during the 2012 election and include additional information. We also include examples of malicious election activity in recent elections. Finally, we attempt to examine and discuss the motivations and methods behind these malicious activities.

Joshua, Robert, and Matthew are working towards, or have obtained, a Masters in Information Security and Assurance from George Mason University. Joshua is currently working in both mobile and election security. Matthew is currently focused on mobile and wireless security research and development. All three work in the DC metro area.

Attacker Ghost Stories: Mostly Free Defenses That Give Attackers Nightmares

Mubix "Rob" Fuller

This talk is about protections, mitigations, or detection mechanisms that I’ve seen across businesses big and small that were innovative and highly effective, yet free (or mostly free) and stopped me (as an attacker) dead in my tracks.

We will be going over 11 (or a many as we can get to) methods, tactics, and software setups that will cut down intrusions significantly. Changes that you can deploy or start deployment of the hour after the talk is done.

Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as United States Marine. He has worked with devices and software that run gambit in the security realm. He has a few certifications, but the titles that he holds above the rest are FATHER, HUSBAND, and United States Marine.

"How I Met Your Mother" or The Brief and Secret History of Bletchley Park and How They Invented Cryptography and the Computer Age

Benjamin Gatti

In the darkest days of WWII, a small team assembled at Bletchley Park solved two problems and set a new course for computers and cryptography - fast computers, and secure communications can both be traced back to one of the ugliest estates in London suburbia, where Alan Turing, Max Newman, Tommy Flowers, and others hacked their way through the German High Command. The British released the General Report on Tunny in 2000, and since then have rebuilt a Colossus and Enigma Bombe and opened the Park as a museum. We discuss the cryptanalysis of the Enigma and Lorentz ciphers, historical exploits as well as modern exploits, and their direct connections to the modern crypto systems and highspeed computers on which the world as we know it is built.

Born to hippies in the late 60's, Benjamin Gatti grew up in California and taught himself electronics and software, travelled the World in the 90's, married abroad, and settled in Charlotte, North Carolina where he works as an independent software slacker.

Security Analytics: Less Hype, More Data

Aaron Gee-Clough

There has been a lot of talk in the industry recently about "analytics" and getting security data from non-security logs. The problem is, very few people are talking about which analysis techniques are actually useful. This talk will look at a few log types and talk through analytics techniques that can be applied to each. For each technique, I'll talk about what it assumes and how it succeeds or fails when using real-world data.

This is (obviously) not going to cover every single analysis technique you could ever run, but it is intended to start bringing facts and real-life data to the discussion of security analytics.

Aaron Gee-Clough bailed out on grad school for the .com boom and has been doing security for about 14 years. He also thinks bios are kinda dumb, since you all don't really care anyway. (But, if you insist, several years ago he hacked the ShmooCon Arcade's point display system, but he never did get around to using the video card he "won" from that.)

A Critical Review of Spatial Analysis

David Giametta and Andrew Potter

Spatial Analysis is a recently proposed idea of using static analysis based byte sequences characterized by statistical features fused and graphed into 2-D grids where new exploitable information is obtained. The new information is the spatial structure similarity of byte sequences located with files believed to be similar and related. The structure is generated using simple fixed size sliding windows moving along the byte sequences of a file and calculating features (mean and standard deviation). These features are used to determine matches of highly similar but not necessarily exact byte sequences whose features map them into grid cell regions thereby indicating "nearness."

The idea of being able to discern malware family members based on the similarity of byte sequences could prove invaluable as a quick assessment tool to the analyst currently using dynamic and static techniques. We take a first look at the validity of some of the assumptions Spatial Analysis makes to see if there is any merit to the idea and present our initial findings.

David is a relatively new analyst only having graduated in 2011 from Mississippi State University with his degree in Software Engineering. Since graduating he has published two android applications, is working on his third, and has joined Sentar in order to further develop his skills in researching malware analysis, cyber security and automated analysis algorithms.

Andrew has 30 years of experience in information systems research and development, including automated malware analysis, cyber security, multi-agent systems, expert systems, collaborative learning environments, explanation aware computing, and computer usability studies.

Controlling USB Flash Drive Controllers: Expose of Hidden Features

Richard Harman

With stories of "BadBIOS" infecting PCs simply by connecting a malicious USB flash drive to a PC, it's time we learned about flash drives and their controllers. Consumer USB flash drives are cheap, growing in capacity and shrinking in physical size. There are only around 15 prominent controller chip manufacturers whom you have never heard of, but OEM for all the popular and respected "name brands" on the market. These flash controllers have capabilities that aren't mentioned on product packaging, and can be enabled with programming you will learn during this presentation. These flash controllers can be *reprogrammed entirely* via software to do whatever you want.

Turn an old flash drive into an emulated CDROM or a CDROM + flash drive. Update the controller's firmware, disassemble it, etc. This talk will touch on the various controller manufacturers, features, and show you how to leverage them for yourself. Why spend $100 on an old SanDisk[tm] U3 Cruiser when you can spend $4 for the same features?

Richard Harman is an incident responder at SRA International's internal Security Operations Center, where he slings Perl code supporting incident response and performs analysis & reverse engineering of targeted attack malware samples. He writes and releases scripts in support of his work on github at http://github.com/warewolf. Outside of his day job, he can be found hacking on projects at the Reston, VA hackerspace Nova Labs http://www.nova-labs.org.

Arms Race: The Story of (In)-Secure Bootloaders

Lee Harrison and Kang Li

Secure boot is the process that ensures the critical parts of software (e.g. kernel) running on a device are authorized and have not been tampered with. Many wireless service providers prefer to have a locked down version of their smartphones that can only boot the official kernel, and do not allow loading customized systems developed by users. This results in an arms race between the smartphone vendors and the users that need to load customized kernel.

This talk will present this arms race in terms of 3 rounds of hacks and patches between what we discovered and the patches released from Samsung and how we bypassed the patches again. For each round, we will present the bugs we found in Samsung bootloader, the exploitation to load customized kernel, the patch from Samsung, and how new exploitations bypass the patched bootloader. All the examples are based on different versions of bootloaders from Samsung devices (from Note II to Galaxy S4). We are currently working on extending our exploitations to more mobile devices.

Lee is a computer security researcher and member of the CTF team disekt. His research interests include reverse engineering and mobile security. He currently resides in the state of Georgia.

Kang Li is currently an Associate Professor of Computer Science at the University of Georgia. He graduated with his Ph.D from Oregon Graduate Institute. Before joined University of Georgia, he was a research scientist at Georgia Tech. His research interests are in the areas of computer security and operating systems.

Timing-Based Attestation: Sexy Defense, or the Sexiest?

Xeno Kovah, Corey Kallenberg, and John Butterworth

What if I told you it's possible to ask a drunk person if he's drunk - and get an accurate answer, by measuring the reaction time? What if I told you it's possible to design security software under the assumption that the attacker has the same privileges as the defender, and the attacker can scribble over and modify the defender's code as much as he wants, but he'll still get caught? This is what timing-based attestation is all about. Come hear about how this technique has been used in everything from PCs to PDAs and Smart Phones to wireless sensor embedded systems to the firmware for NICs and Apple USB keyboards. Then hear about how we've been stealing this fire from the ivory tower, and building it into Windows kernel drivers and Dell BIOSes, and how you can to!

Xeno, Corey, and John are Trusted Computing researchers at The MITRE Corporation. They focus on deep system security at the kernel level and below, and they have all also contributed material about these topics to OpenSecurityTraining.info.

Genuinely "Trusted Computing:" Free and Open Hardware Security Modules

Ryan Lackey

"Trusted Computing" unfortunately often means trusting a black box provided by a third party who may not be particularly trustworthy. We present an alternative -- a user assembled hardware security module, based on a published design, using simple components which can be fully inspected by the user prior to assembly and commissioning.

Ryan Lackey has 20 years of experience computer security, from running the world's first offshore datahaven "HavenCo" in 2000, building and operating networks in Iraq and Afghanistan, to founding several security startups. He also consults for private industry and government entities.

Vehicle Forensics - The Data Beyond the Dashboard

Courtney Lancaster

With vehicle technologies constantly evolving, it is important to understand the threat to the consumer that leaves personal data behind, as well as the benefit to the investigator and how accessible this data can be. Infotainment systems are being rolled out into almost every new vehicle that is manufactured today. The art of mastering the hard drive, as well as a multitude of other components, has already occurred. Now, let's take a look at multiple approaches to forensically acquire data from vehicles. Of all of the subsets of digital forensics, vehicle forensics is beginning to have a much larger presence than before and one that can potentially contain a treasure trove of forensic data. This talk will take an in-depth look at infotainment technologies and how to forensically acquire the data associated with the functionalities that exist across various manufacturers. Furthermore, we will cover the challenges of conducting digital forensics on an actual car, both physically and logistically.

Courtney's career began in the United States Navy in 2000 as a Cryptologic Technician. Additionally, she worked in the Information Assurance Directorate at the National Security Agency conducting Certification and Accreditation evaluations, COMSEC Monitoring, and also worked at Defense Cyber Crime Center (DC3) as an imaging specialist with a focus in Mobile Forensics for approximately five years. Courtney is a Paraben Certified Handheld Examiner. Furthermore, she has offered litigation support with regards to criminal cases, and has been certified in a Court of Law as an expert witness.

unROP: A Tool for In-Memory ROP Exploitation Detection and Traceback

Kang Li, Xiaoning Li, and Lee Harrison

The talk is about how to help security researcher to automatically traceback from an identified attack to the exact software bug that is the entrance point of the exploitation. Specifically, our open-source software unROP is to help researchers to analyze ROP exploitations and automatically unwrap the detected ROP chain.

Analyzing ROP based exploitations currently requires serious manual effort from security researchers for finding and unrolling the chain of hundreds and thousands of gadgets. The talk presents an approach to reduce this manual effort by identifying ROP components from memory dump and automatically tracing back to the software vulnerability. The unROP tool is based on the characteristics of ROP gadget that we collected from the popular gadget generation software. The unROP tool also scans memory for signs of other exploitation techniques, such as stack pivoting and heap spray attacks. The talk includes demonstrations of applying the software tool on recent ROP-based exploitations.

Kang Li is an Associate Professor of Computer Science at the University of Georgia. He graduated with his Ph.D from Oregon Graduate Institute. Before joined University of Georgia, he was a research scientist at Georgia Tech. His research interests are in the areas of computer security and operating systems.

Xiaoning Li is a security researcher for a Fortune 50 company. For the past 10 years, his work has been focusing on vulnerability research, new exploit development, malware analysis and reverse engineering.

Lee is a computer security researcher and member of the CTF team disekt. His research interests include reverse engineering and mobile security. He currently resides in the state of Georgia.

Introducing idb - Simplified Blackbox iOS App Pentesting

Daniel A. Mayer

More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this talk, we review common iOS mobile app flaws involving data storage, inter-process communication, network communications, and user input handling as seen in real-world applications. To assist the community in assessing security risks of mobile apps, we introduce a new tool called 'idb' and show how it can be used to efficiently test for a range of iOS app flaws indicated above.

During our presentation, we will explore a number of vulnerability classes. Each class will first be introduced and discussed before demonstrating how idb can enhance the testing for instances of it. With this we illustrate how apps commonly fail at safeguarding sensitive data and demonstrate how idb can arm security professionals and developers with the means necessary to uncover these flaws from a black-box perspective. Furthermore, we will provide illustration of how to mitigate each flaw. At the conclusion of this ShmooCon talk, idb will be made open source and released to the public.

Daniel is a consultant with Matasano Security. His experience includes penetration testing, cryptographic protocol analysis and design, security research, and system and network administration.

Prior to joining Matasano, Daniel was a researcher at the Stevens Institute of Technology working on applied cryptography and privacy. He presented his research at several international security conferences.

Daniel holds a Ph.D. degree in Computer Science from Stevens and a Masters degree in Physics from Rutgers.

How Hackers for Charity (Possibly) Saved Me a Lot of Money

Branden Miller (f0zzie) and Emily Miller (ch1cken)

What do you do when your oldest child tells you she wants to be an artist? If you are me you panic under the weight of the idea that you will be supporting your kid for life! Then you use her determination to help others as a motivator and gently (re)focus her onto technology.

After 20 years in the Navy, f0zzie became a Senior Security Analyst in the Healthcare industry. He is a family man who can't wait for the munchkins to become self-sustaining so he can retire. Emily is a brilliant 13 year old with a heart for making a difference and the ability to withstand her father's crazy antics.

You Don't Have the Evidence

Scott Moulton

Forensic imaging tools have one purpose, to soundly copy every sector on a device to a destination device and report success or failure without changing data. In the last 20 years most forensic imaging tools have not progress and continue to use the same basic code for imaging a drive. When encountering damage many of the tools have no ability to deal with the damage and quit, crash, or worse; do more damage to the drive they are trying to recover from. Imaging damaged drives are where forensic tools are delivering the most disappointing results.

Data Recovery tools and skills are important when acquiring the data from damage disks, but also understanding what you are not getting when imaging a forensic job is just as important. There are special ways to access the data, the controller on the hard drive, repair the damaged boards, and even to adjust heads by turning off damaged ones, copying all the data from the good platters before dealing with the damaged heads. Data recovery imaging tools have some very advanced functions and capabilities for imaging damaged hard drives and damaged sectors that forensic tools are incapable of finishing. I will be discussing these different techniques and the errors exhibited by the drive and sectors to better help understand what you are missing and why.

Scott Moulton is known both for his trademark 'Forensic Unit' hat and his unholy knack for finding new data recovery techniques the other experts don't want you to know. Scott is owner of both My Hard Drive Died.com and Forensic Strategy Services and fills his days recovering data from all kinds of storage devices, testifying in court, and teaching others to do data recovery. Scott teaches a full 5 Day Forensic Bootcamp Data Recovery Class that includes advanced repairs of badly damaged drives and all the tools used by Data Recovery and Forensic shops. Scott's DIY videos are on www.MyHardDriveDied.com

Data Whales and Troll Tears: Beat the Odds in InfoSec

Davi Ottenheimer and Allison Miller

The rising scale and complexity of IT is creating ever more opportunities for abuse and attack. Many for years have warned we face a losing race if we rely on patch and mend. Others for years have advocated using a threat-based priority system. Is there room to consider a middle path or can we prove with science the existence of a third wave? This data-intensive presentation highlights real-world examples of failure in both camps and then runs for the hills. No, actually, it stays around and gives detail on specific approaches that have worked in reducing overall risk for different-sized organizations. You won't fear Data Whales or fall for Troll Tears when you learn how easy it is to beat the odds in InfoSec.

Davi Ottenheimer (@daviottenheimer) is Senior Director of Trust at EMC, where he is responsible for the Trust story, including RSA, VMware, and Pivotal. He has over 19 years experience in infosec and telling puns.

Allison Miller (@selenakyle) has over 10 years of experience in designing, building, and deploying real-time threat detection and prevention systems. She hates puns.

I Found a Thing and You Can (Should) Too: ISP's Unauthenticated SOAP Service = Find (Almost) All The Things!

Nicholas Popovich

This presentation is meant to encourage individuals to put the applications and software that they may use on their own home or small business networks under the research microscope. This will be a discussion of a recent independent research project that eventually led to an information disclosure vulnerability by a major U.S. ISP. This is also an example of when a coordinated disclosure goes right.

What began with simple curiosity into the inner workings of an application lead to the ability to list wireless network names and wireless encryption keys (among other things) armed only with a WAN IP address.

Nick Popovich's passion is learning and exploring the offensive side of IT security. He works as a penetration tester, trying to raise the overall security posture of organizations through infrastructure security testing. Nick's mission is to help individuals and organizations involved with the defensive side of InfoSec understand the mechanics and methods of the attackers they defend against and to assist in realistically testing those defenses. He's a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of two and a husband to one.

Malicious Threats, Vulnerabilities, and Defenses in WhatsApp and Mobile Instant Messaging Platforms

Jaime Sanchez and Pablo San Emeterio

Global surveillance emerged as a phenomenon since the late 1940s and Internet and mobile technology are being developed with such pace that it is impossible to guarantee electronic privacy and nobody should expect it. How strong are the actual Instant Messaging Platforms? Do they take care of our security and privacy? We'll look inside the security of several clients (like BBM, Snapchat, and Line) and will put our focus on WhatsApp.

WhatsApp might not be as widely known as Twitter, but the company announced that it has passed 350 million active monthly users. WhatsApp has been plagued by several security issues in the past, so we decided to start the research. We've discovered several vulnerabilities more that we'll disclosure (with proof of concept code), including encryption flaws, remote DOS (making the client crash by sending a custom message), or how to spoof messages manipulating sender address information.

We'll also release a new version of our tool with different protection layers: encryption, anonymity, and using a custom XMPP server. It's necessary to implement additional measures until WhatsApp decides to take security seriously.

Jaime Sanchez (@segofensiva) is passionate about computer security that has worked for over 13 years as a specialist advisor for large national and international companies. He holds a Computer Engineering degree and also Executive MBA, as well as holding several certifications like CISA, CISM, CISSP, just to name a few.

He is a frequent speaker introducing new bugs, exploitation techniques and mitigation, as in RootedCON, Nuit du Hack, Black Hat Arsenal USA 2013, Defcon 21, DeepSec or BlackHat Sao Paulo. He also writes a blog called SeguridadOfensiva (www.seguridadofensiva.com), touching on current topics in the field of hacking and security.

Pablo San Emeterio (@psaneme) is a computer security enthusiast. He has worked the last five years in the R&D department of Optenet, a Spanish company specialized in network security with a presence in major ISPs worldwide. He is a Computer Engineer and Master in Auditing and Information Security by UPM and is certified as CISA, CISM and Oracle DBA. He has spoken at conferences like RootedCON, NcN, and CiberSeg.

LTE vs. Darwin

Hendrik Schmidt and Brian Butterly

Whether believing in Darwin or not, the Darwin-Award states an important fact of mankind, technology and probably everything that exists: You only make certain mistakes once. For mankind this usually implies taking oneself out of the gene pool, for companies it can mean to vanish of the market and for technology, well, early death.

So when looking at "Long Term Evolution," providers need to implement proposed features properly and work out secure configurations for their networks. Otherwise, they might be struck by Darwin; being hacked and having break ins in back - or front-end structures, could result in a situation from which companies might not be able to recover.

Having stated very ambitious plans, concepts and standards for LTE, the 3GPP group has designed a complex but self-organizing system. Surely, with new methods come new attack vectors. Our research is aimed at these new methods and split into three chapters: awareness of user equipment, an overview on self-organizing networks, and theoretical and practical attacks against themselves and their interfaces. This includes potential attack vectors, information gathering and an analysis of component implementation and the overall architecture.

Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experiences in large and complex enterprise networks. Over the years they focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes. In this context they learned how to play around with telecommunication networks, wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the German based ERNW GmbH and will happily share their knowledge with the audience.

The NSA: Capabilities and Countermeasures

Bruce Schneier

Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on.

I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on.

Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books--including Liars and Outliers: Enabling the Trust Society Needs to Survive--as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, and a board member of the Electronic Frontier Foundation.

CCTV: Setup, Attack Vectors, and Laws

Joshua Schroeder and Spencer Brooks

Ever wonder how to setup a CCTV Digital Video Recording security system? This talk will show how to do that, as well as key factors like attack vectors and recording laws.

First, we will go over basic setup on how we planned out this project and current price points for entry. This will include things to be mindful of such as camera quality, disk space and other features.

In the second part, we will cover attack vectors we considered while setting the system. For example, wireless cameras could be disabled with radio frequency jammers and outdoor cameras could have the power cut if not correctly secured in conduit.

Finally, we will go over things that you should have in mind in the legal realm for this kind of project. Be forewarned; we are not a lawyers or judges, but got advice from a NC judge and we have done research to find laws for VA, DC, MD, TN, and NC that cover recording and wiretapping laws. We will follow it up with court cases that surround these laws in order to back up some of the conclusions and decisions we made to build this system.

Joshua Schroeder (joshingeneral) works in DC as a System Administrator for the Federal Government. His past experience consists of: Founding the 49th Security Division Security Club at UNC Charlotte; working as a web and network pen tester for the CISO of UNC Charlotte; Building IA/NIST validation programs for the Navy; and, performing pre-approval web testing for the Air Force Headquarters call center.

Spencer Brooks (brooks8888) is a dabbler in many areas of personal tech hoping to increase his knowledge of the hidden world. He specializes in: Idea generation; Designing various attack vectors (physical and virtual); and, most importantly, moral support.

Practical Applications of Data Science in Detection

Mike Sconzo and Brian Wylie

It seems recently offensive tactics, exploits and vulnerabilities are getting all the Info Sec sexy-points. We're going to try and swing this back towards detection as we apply some new-fangled math and techniques to solve some existing problems and tackling new ones. We'll take Data Science off its pedestal and show how, with problem and data understanding you can apply different techniques to make analysis more exciting and effective.

We'll use several open source tools and libraries to perform the data exploration and analysis, including iPython and pandas as well as a data hacking library we've already released. After discovering some useful patterns we'll show how we were able to implement the results so that they can be used for actual network analysis (with some real-world results). Some of the use cases used to demonstrate the concepts will be passive browser fingerprinting and SQL injection detection.

Audience members are welcome and encouraged to play buzzword bingo.

Brian Wylie's interests are data analysis, machine learning and information visualization. Current projects include a breadth of work applying data analysis to security problems. Brian has been a long time advocate of open community projects including the Visualization ToolKit (VTK) and the Titan Informatics Toolkit. Brian's Erdˆs number is 3. Mike Sconzo has been around the Security Industry for quite some time, and really enjoys looking at network traffic. He has recently been using various data analysis techniques to look security related data in a new light where before he'd just use a hex editor.

The "Science of Cyber" and the Next Generation of Security Tools

Paulo Shakarian

Governments around the world are investing heavily in the so called "science of cyber" in order to create a rigorous scientific base for the next generation of security tools. But what's going on in the walled-off world of academia? Will this new science eventually lead to more improved security in cyber space? In this talk, I will describe three ongoing projects at West Point in collaboration with Oxford University, the Netherlands Defense Academy, and George Mason University where we are actively conducting research in this new area of science. We will look at how a new logical theory is being developed to shed light on the attribution problem, how we are looking to use graph theory to defend against an already-compromised network, and how a game theoretic model can help us protect from particularly devious attacks against the smart grid. We firmly believe that exposing such research to the community of practitioners (i.e. the ShmooCon audience) will help initiate a dialogue with academic in order to both ground scientific endeavors in the real world as well as lead to more rapidly fielding of cutting-edge innovation.

Paulo Shakarian is a Major in the U.S. Army who possesses not only a Ph.D. in computer science, but has over two years of combat experience on the ground in Operation Iraqi Freedom. He currently teaches computer science and conducts research at the U.S. Military Academy at West Point. He is the author of over 30 peer-reviewed academic papers as well as two books, including Introduction to Cyber Warfare (Syngress, 2013). His work has previously been featured in The Economist (print), WIRED, BBC News, MIT Technology Review, Help Net Security, and others.

The Evolution of Linux Kernel Module Signing

Rebecca ".bx" Shapiro

When the Linux development community decided it was high time to implement kernel module signing, different developers had different ideas on how module signatures should be constructed and verified. I will discuss how Linux kernel module signing evolved over that past ten years, pointing out mistakes made and fixed throughout the last 10 years. The challenges the Linux community faced in designing and implementing kernel module signing are not unique to Linux modules, we probably can see the same mistakes make in other code-signing schemes that are in use today. By studying the evolution of Linux code signing we can learn to find and remove bugs in both present and future code-signing schemes.

Rebecca ".bx" Shapiro is a graduate student at a small college in Northern Appalachia, known as Dartmouth College. She enjoys tinkering with systems in undocumented manners to find hidden sources of computation. She hopes to continue this work to find more specimens for Sergey Bratus' weird machine zoo.

0wn the Con

The Shmoo Group

For ten years we've chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the break down of budget, an insight to the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon and anything thing else you might want to talk about. This is an informative, fast paced and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though--if you ever wanted to know How, When, or Why when it comes to ShmooCon you shouldn't miss this. Or go ahead and do. It'll be online later anyway.

The Shmoo Group is the leading force behind ShmooCon. Together with our amazing volunteers we bring you ShmooCon. It truly is a group effort.

An Open and Affordable USB Man in the Middle Device

Dominic Spill

With the introduction of FaceDancer, there has been a surge of interest in USB security. USBProxy is an open framework for the BeagleBone Black to make it simpler for anyone to monitor, inject or modify data carried over a USB connection. While the FaceDancer will allow devices to be written on a host system, we are able to go further and man-in-the-middle connections to existing devices as well. The BeagleBone Black also enables us to operate at USB 2.0 Hi-Speed.

Dominic Spill has been building Bluetooth packet sniffers since 2007; he now works on Ubertooth and Daisho among other communications sniffing projects.

Unambiguous Encapsulation - Separating Data and Signaling

Dominic Spill and Michael Ossmann

Attacks against in band signaling systems have been demonstrated against Zigbee and Ethernet in the past few years. In many ways these are similar to memory corruption attacks as both rely on data being interpreted as meta-data by the target system. We have built tools to generate sets of error correcting codes that can be used to prevent untrusted user supplied data from being interpreted as meta-data by target systems.

Dominic Spill has been building Bluetooth packet sniffers since 2007; he now works on Ubertooth and Daisho among other communications sniffing projects.

Michael Ossmann is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting new tools into the hands of innovative people.

How to Train your Snapdragon: Exploring Power Frameworks on Android

Josh "m0nk" Thomas

Have you ever wondered how power is routed around your phone, how it is stored and if it could be made dangerous? I have, and I somehow talked the DARPA Cyber Fast Track group into funding my research into the subject and allowing me to name it: "Project Burner: El Telefono Inteligente de Fuego." The overall goal of the project was: "Can I catch a phone on fire using nothing but the stored energy in the battery?" and / or "Can I break it beyond repair?". The answer was a resounding "yes."

This talk will center around how the Android (and Linux) kernels manage power and electricity, both from the wall and the battery. I will cover how those software based controls can be manipulated to fry internal components and brick phones in abundance. I will also walk through what protections have been put in place to prevent these types of attacks and how those mechanisms can be circumvented.

Also, I might just break a phone or two...

Josh Thomas is currently the Chief Breaking Officer at Atredis partners. His specialties include advanced hardware and software reverse engineering, malware and rootkit development / discovery and software development. Josh has extensive experience in developing secure solutions for mobile platforms and a deep understanding of cellular architecture. He has also recently published advanced hardware vulnerability research on NAND Flash technologies and on the Linux kernel power utilization frameworks.

AV Evasion With the Veil Framework

Christopher Truncer, Will Schroeder, and Michael Wright

As antivirus (finally) has started to slowly increase in effectiveness, more and more of the payloads used during penetration tests are being caught. While the industry as a whole has demonstrated its capabilities of bypassing AV solutions in nearly all situations, valuable assessment time is often lost.

The Veil-Evasion Framework (Veil) was developed to solve this problem by offering a modular, open-source, and UI focused framework for generating AV-evading payloads in a programming language and technique agnostic way. Veil's structure greatly simplifies payload generation and allows for the integration of public and private AV evasion methods. In this talk we will go over the genesis of the framework, its structure and features, and how to develop your own payload modules. Recently released modules will also be covered, and our implementation of a lesser known shellcode injection method will be released.

We will also cover public reaction and disclosure ethics, and we plan on releasing Veil-Catapult, our payload delivery tool. Veil-Catapult extends the capabilities of the existing Veil framework by utilizing various methods to deliver and trigger payloads across targeted machines. We will conclude with a discussion of current and future mitigation strategies to combat Veil's effectiveness.

The Veil development team is comprised of Will Schroeder (@harmj0y), Chris Truncer (@christruncer), and Mike Wright (@TheMightyShiv), a group of pentesters based in the D.C. region and primarily employed by the Veris group. They spend their days doing assessments and their nights researching and building new tools such as Veil.

Introducing DARPA's Cyber Grand Challenge

Mike Walker

Could a purpose-built supercomputer play DEFCON capture the flag?

Mike Walker joined DARPA as a Program Manager in January 2013. His research interests relate to machine reasoning about software in situ and the automation of application security lifecycles.

Mr. Walker has extensive industry experience. Prior to joining DARPA he worked as a security software developer, enterprise security architect, and research lab leader.

Dissipation of Hackers in the Enterprise


From the early days of the InfoSec industry to today there has been a constant seeping of deep-knowledge technologists into a slew of disciplines that are not primarily focused on the protection of enterprise assets.

This dialog will explore and question the contributors to the diminishing attractiveness of the enterprise as a logical career path for hackers. We will go over data that shows that shift from enterprises being a primary employer for hackers to being, at best, an early-career training ground. With things like specialized training, bug bounties, independent research, and certifications; it's feasible to develop a long InfoSec career that is funded by enterprise by-product without ever having ever held a security role in an enterprise.

We will go over some data that questions the benefits and validity of this model. There will be lots of audience interaction and the end result should be informative to all.

Weasel is a long-time hacker who has spent the past 15 years of his professional career focusing on security-centric topics; bouncing between large enterprises and small startups. Weasel has worn many hats in the industry including pen tester, reverse engineer, vulnerability researcher, as well various levels of InfoSec management. Weasel is a long-standing member of the Nomad Mobile Research Centre hacking group.

Syncing Mentorship Between Winners And Beginners

Tarah Wheeler Van Vlack and Liz Dahlstrom

Mentorship in technology is broken. Many minorities feel unwelcome in tech. The number of women in technology is actually decreasing. The only solution which is proven to increase positive outcomes is mentorship. Unfortunately, winners in tech either don't realize their help is needed or don't know how to get started. Beginners are often afraid to ask for help or don't know where to find it. We at Hack The People bring together mentors and mentees. We're teaching mentors to improve their interactions with mentees and teaching mentees how to develop real relationships with their mentors.

We'll premiere clips from our web series, as well as showing some of the first footage from our small mentorship groups. We'll show how our small mentorship groups connect the people who can help with the people that need it.

Ever wanted desperately to tell someone that it's their clothing or their attitude keeping them from being promoted? Our groups teach mentees how to succeed at interviews, job performance, promotions, entrepreneurship, and provide mentors with a new network of potential hires. Now, mentees can finally get real constructive criticism, and mentors can honestly help others without fearing for their own careers.

Tarah Wheeler Van Vlack and Liz Dahlstrom co-founded Hack The People and ran the LadyCoders Kickstarter in 2012. Liz Dahlstrom codes Python, is an Air Force veteran, has developed for T1 research universities, contributed to the Plone project, and is the CTO of Fizzmint, an HR automation tech startup. Tarah Wheeler Van Vlack has web developed for two Xbox games including Halo, has publications in international conflict and game theory, and is the CEO of Fizzmint. Liz and Tarah met while dancing Argentine Tango in Portland, Oregon. Not together.

ADD -- Complicating Memory Forensics Through Memory Disarray

Jake Williams and Alissa Torres

In this presentation, we'll present ADD (attention deficit disorder), a tool that litters Windows physical memory with (configurable amounts and types of) garbage to disrupt memory forensics. Memory forensics has become so mainstream that it's catching too many malware authors during routine investigations (making Jake a sad panda). If memory forensics were much harder to perform, then attackers would retain an upper hand. ADD increases the cost of memory forensics by allocating new structures in memory that serve only to disrupt an investigation.

We'll present some basic memory forensics techniques (just to set the stage for those who aren't familiar with the concepts). We'll explain how volatility, a core memory forensics tool, actually performs its analysis. In particular, we'll show how it locates hidden processes, drivers, and modules.

Next, we'll show how running ADD on a machine under investigation completely changes the memory forensics landscape. We'll show how an investigator must weed through astounding numbers of false positives before identifying the investigation targets.

Finally, Alissa will show how all is not lost. Even though ADD may confuse junior analysts, she'll show the invariants in memory that analysts should always be able to come back to complete their forensic analysis.

Jake is the Chief Scientist at CSRgroup where he does lots of offensive and defensive research. He is also a SANS instructor and member of the DFIR author team. Occasionally, CSRgroup still lets Jake do penetration tests (where he feels like a kid in a candy store).

Alissa is a digital forensics examiner and incident response consultant for Sibertor Forensics. Also a SANS Instructor, she teaches hundreds of security professionals a year how to find evil in the form of trace artifacts and hidden processes.