Hackers get Schooled: Learning Lessons from Academia
Bruce Potter (moderator), Matt Blaze, Chris Eagle, Invisigoth, Dave Marcus and Michael Schearer
The contrast between the information security research performed in academia and that performed in the hacker community is often striking. Academic research is usually thoroughly cited and built on prior work, but it can be theoretical and of marginal practical use. The hacker community can perform awesome, cutting-edge research but can totally ignore prior art and proper research procedures without any real penalty. This panel will examine how academic and hacker research really happens. We will try to separate the good from the bad in an effort to make our community more productive and increase the quality of our research.
This is not your ordinary plenary, however - we'll be moving through this discussion in a fun and fast-paced fashion. Panel members will be put through their paces as we give them a quiz, test their drawing skills and put their answers to music. There might even be dancing.*
*Ok, maybe no dancing.
Matt Blaze is on the faculty at the University of Pennsylvania, where he directs the Distributed Systems Laboratory and does research on security, cryptography, and systems. He teaches academics to be hackers and hackers to be academics.
Chris Eagle is a Senior Lecturer of Computer Science at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 27 years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, CodeCon, Shmoocon, and Defcon and is the author of "The IDA Pro Book". In his spare time he is the Dean of Hacking for the Sk3wl of r00t, past champions of the Defcon CTF, and a core member of DDTEK, the most recent organizers of Defcon CTF.
invisigoth (in-vizi-goth); or visi
noun.
1. Hacker.
A student of applied offensive technology who believes in the zen of weapons grade digital artillery.
2. Developer
Author of vdb, vtrace, and vivisect, which are used around the world for pwning. oh and debugging and stuff.
3. Kenshoto Member
Bat shit crazy member of the hacker group Kenshoto who won, and subsequently designed and implemented DEFCON ctf for a bunch of years.
Dave Marcus currently serves as Director and Chief Architect of Threat Research and Intelligence for McAfee®'s Federal Advanced Programs Group. His focus includes advanced research and threat intelligence projects such as Open Source Intelligence (OSINT) analysis, financial fraud malware, hardware-assisted security architecture and SCADA/ICS research. In his spare time he rides his Harley, is an avid powerlifter, metalhead and family man. He also enjoys practicing the art of lockpicking and is a hacker of things.
Michael Schearer ("theprez98") is the founder of MyFreeState and the Assault on Privacy, projects which document abuses of freedom and liberty. He is a Senior Penetration Tester at Booz Allen and a law student at UDC-DCSL. He spent nearly nine years in the Navy as an EA-6B Prowler ECMO. His military experience includes aerial combat missions over Afghanistan and Iraq and nine months on the ground doing counter-IED with the Army. He is a graduate of Georgetown’s National Security Studies Program and a speaker at ShmooCon, DEFCON, HOPE, and other conferences. Michael lives in Maryland with his wife and children.
Is Practical Information Sharing Possible?
Sean Barnum, Doug Wilson and Ben Miller
Over the last few years, there has been an increased emphasis on sharing threat information as part of a complete approach to information security. Numerous government policies require sharing of information across agencies and with the public. And as more and more corporations discover they and their peers have been compromised, IT security organizations face more pressure to share attack and threat information internally and with external partners.
Information sharing sounds like a great idea on the surface, but the reality is very different. There are complex issues regarding privacy, intellectual property, domestic and international law, and the technical format of the data that need to be addressed. And at its core, if you share or receive shared information, you have to achieve some sort of benefit from that action. If your organization isn't prepared to act on the data in a meaningful and efficient manner, what is the point of sharing?
This panel will attempt to address some of the concerns regarding information sharing. Hopefully by the end of the discussion you'll have a better idea as to whether threat information sharing is right for your organization and how to successfully integrate it into your information security program.
Sean Barnum is an Information Security Principal at The MITRE Corporation where he acts as a senior advisor to US government and industry, often acting as technical architect and community leader for various information security knowledge structuring efforts including STIX, CybOX, TAXII, CAPEC, MAEC, CWE, and SAFES among others. He has a broad base of over 25 years of experience in the software & technology industry. He is a frequent contributor, speaker, trainer and author on information security topics. He is coauthor of the book “Software Security Engineering: A Guide for Project Managers”, published by Addison-Wesley.
Doug Wilson is the Threat Indicator Team Lead at Mandiant. He lives in DC, and in an effort to try to get the ridiculously large community of Infosec nerds in this town to interact on a more regular basis, Doug has had his fingers in various local security pies over the years, such as founding the OWASP DC chapter, AppSec DC, and CapSec DC. He's gotten to take his passion for getting people to share information and interact into the workplace in the past year, having been the lead cheerleader and spokesperson for the open threat information sharing standard, OpenIOC (http://openioc.org).
Ben Miller works in the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). Among other things, Ben is building out how the ES-ISAC shares threat information among the North American electricity sector. For the last eight years Ben has focused on incident detection and response in a variety of roles. Ben also helps run Charmsec (http://charmsec.org), a citysec-style meetup in Baltimore.
Beyond Nymwars: An Analysis Of The Online Identity Battleground
Aestetix
Originally inspired by getting suspended from Google Plus in the #nymwars fiasco, aestetix set out exploring a multitude of facets of both online and offline identity. It turns out that identity touches a lot of topics: trust, security, free expression, and even establishing how and where we exist in society. This talk will cover, with guidance from experts like Carl Jung, both an overview of identity in general, as well as a look at current online identity solutions, where they break, and new proposals to create better solutions.
Once upon a time and a very good time it was there was a moocow coming down along the road and this moocow that was coming down along the road met a nicens little boy named baby aestetix... His father told him that story: his father looked at him through a glass: he had a hairy face. He was baby aestetix. The moocow came down the road where Google Plus lived: Google sold online identity information.*
* bio is a reference to James Joyce's "Portrait of the Artist as a Young Man", which will be a pleasant nod to any Joyce fans.
Attacking Scada Wireless Systems For Fun And Profit - And Fixing
Atlas Of D00M
Leased lines are recurring costs throughout the power grid. The bottom line demands the use of wireless solutions where possible. Dare we? We already do. The obscurity of sub-GHz wireless and other less-common comms has shrouded the level of in/security, but that shroud is lifting.
This talk will cover the current state of security for wireless SCADA comms, how to attack them, what that means, and some things we can do about it.
Atlas is a doer of stuff. Inspired by the illustrious sk0d0, egged on by invisigoth of kenshoto, Atlas has done a lot of said 'stuff' and lived to talk about it. Whether he's breaking out of virtual machines, exploiting the AMI Power Meter's firmware(s), reversing medical equipment, or sending rogue routing frames in your FHSS SCADA systems, he's always entertaining, educational and fun. Originally from under a rock north of the mason-dixon, and raised by wolves, he enjoys pointing out poor assumptions and grokking the crap out of virtually everything.
Wipe The Drive!!! - Techniques For Malware Persistence
Mark Baggett And Jake Williams
Let’s face it: sooner or later you will be owned. As a security professional, you (should) know that the best plan is to format the system drive, reinstall the operating system, and start over. But management has another plan. They know that rebuilding infrastructure from scratch involves costly downtime. The temptation to remove the obvious malware and declare the system clean is strong.
In this session, we’ll demonstrate eight less-than-obvious techniques that can be used to install secondary persistence mechanisms on a compromised Windows system.
The point of the session is not to address specific techniques that can be used as secondary persistence mechanisms for malicious actors. The idea is to conclusively demonstrate that techniques of this type exist that hide deep in the registry and other system settings. We will show that these techniques hide even from memory forensics, the holy grail of “clean system” confirmation.
Not that we consider it a substitute for formatting and re-installing the operating system, but we will be releasing a script that checks for the use of these specific techniques.
Jake Williams is a senior analyst at CSRgroup where he has over a decade of experience in systems engineering, computer security, forensics, and malware reverse engineering. Jake is actively pursuing a PhD in Computer Science and is seeking operational networks for validating research in malware detection (jwilliams@csr-group.com).
Mark Baggett is the Technical Advisor to the DoD for SANS. He is a former CISO with the GSE and a Master in Security Engineering. Mark is a SANS Instructor and a blogger for Pauldotcom and SANS Pen-testing. Mark is also a handler for the Internet Storm Center.
Page Fault Liberation Army Or Better Security Through Trapping
Julian Bangert and Sergey Bratus
x86 processors contain a surprising amount of built-in memory translation logic, which is driven by various data tables with intricate entry formats, and can produce various kinds of traps and other interesting computational effects. These features are mostly relics of earlier, more civilized times, when Jedi Knights tried to protect the Old Republic OS’s with segmentation, supervisor bits, and hardware task support, but were defeated by processor de-optimizations and performance concerns and left unused by both Windows and UNIX systems – and explored only by hackers. While the rest of the world programs only the x86 CPU with the provided instructions, clever neighbours like the PaX team instead program the MMU to enforce security policy.
We will show that the MMU is in fact a Turing-complete processor in its own right and demonstrate some tools that help to unleash its computational power. Furthermore, we will show some design suggestions (and possibly a FPGA prototype) to make the virtual memory system more suitable and easier to use as an enforcer of runtime policy.
Julian Bangert is a junior studying computer science at Dartmouth College. When he is not working on new defence mechanisms or dropping off waterfalls in his kayak, he is a neighbourly cowboy in the ranges of Northern Appalachia, capturing specimens for his professor Sergey Bratus's weird machine zoo.
Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He tries to help fellow academics to understand the value and relevance of hacker research. It is his ambition to collect and classify all kinds of weird machines; he is also a member of the http://langsec.org conspiracy to eliminate large classes of bugs.
Bright Shiny Things = Why We Need Intelligent Data Access Controls
Bob Bigman, Craig Rosen, David Ferraiolo and Mark McGovern
Establishing, monitoring and managing access control is a basic requirement for information security. Ultimately no matter what firewall, IDS or authentication mechanisms you’ve deployed – enterprise servers and systems must decide ‘should this request for a sensitive resource be (approved || blocked || flagged)?’.
Other industries have incorporated data analytics and intelligence into their decisioning systems. Ironically, IT servers and systems rely on static lists (e.g., LDAP & Active Directory) to decide if a user should be granted access to a resource. They don’t make decisions based on factors that are readily available, including past user activities, endpoint characteristics, data content – or input from other security components such as firewalls, IDS or VPN.
The panel will discuss how different enterprises think about data access control; the practical challenges they’ve faced deploying these solutions; and the compelling need for both enterprises and vendors to focus on building intelligent data access control capabilities. Intelligent data access controls enable an enterprise to monitor and manage risk better – and to adopt new technologies faster.
The panel will introduce, highlight and encourage audience participation in an open source project based on NIST’s Policy Machine, a novel framework for defining and managing access control policies.
A panel of experienced security professionals, respected for their work defending enterprises and driving innovation:
- Bob Bigman (founder of 2BSecure LLC, and former CISO for the CIA)
- Craig Rosen (Director of Technology Risk & Strategy for Pacific Gas & Electric)
- Dr. David Ferraiolo (Manager of NIST’s Secure Systems and Applications Group)
- Mark McGovern (CEO, Mobile System 7)
How To Own A Building: Exploiting the Physical World With Bacnet and the Bacnet Attack Framework
Brad Bowers
The integration of computer technology to monitor the inner workings of large office buildings, factories and plants has been evolving for years. These types of systems are often referred to as Building Automation or Building Management Systems (BMS). Companies use these systems to monitor a myriad of sensors, gauges and alarms that provide statistics about equipment usage as well as inform technicians when a system is not functioning correctly. What used to be simple alerting has morphed into highly complex network-enabled systems that provide complete operational control over such things as HVAC, elevators, electrical & water supply and even door locks and safety systems.
In this talk we’ll take a closer look at how these systems work as well as an attacker’s view of the BACnet protocols. I’ll be introducing a new collection of tools that pentesters and system admins could use to help identify BACnet-enabled systems as well as test their resilience against attack, spoofing and denial of service.
Brad Bowers is Security Operations Manager for a large financial institution with over 10 years of experience in security engineering, system forensics and incident response. Brad is a frequent writer and presenter on topics of emerging threats and threat intelligence. For the last couple years Brad has been working on projects focusing on hardware and RF security.
Crypto: You're Doing It Wrong
Ron Bowes
As a group, the security industry has solved a lot of difficult problems. Firewalls do a great job blocking traffic, overflow vulnerabilities are getting harder and harder to exploit on modern systems, and spam filters/captchas are nearly perfect. But there's one place where we have dropped the ball: cryptography. Why is cryptography so hard to get right? As a developer, you have to understand random numbers, key generation, padding, block chaining, initialization vectors, proper signature generation, and more, just to be somewhat safe. Even security professionals manage to screw it up, so how do we expect an average developer to get it right?
For this talk, we'll be getting into deep detail on a bunch of well known attacks against crypto - including padding oracles (the Vaudenay attack), hash length extension, BEAST, CRIME, poorly generated random numbers, WEP, and more - to help demonstrate the problem, and begin to look at how we might be able to fix it.
Ron Bowes is a security consultant for Leviathan Security Group. His primary job is penetration testing, vulnerability assessments, reverse engineering, and teaching. In his free time, he runs a blog at skullsecurity.org, collects and studies leaked password lists, runs the local Winnipeg hackerspace, designs and competes in capture-the-flag challenges, and trolls n00bs on Reddit.
PunkSPIDER: An Open Source, Scalable Distributed Fuzzing Project Targeting The Entire Internet
Alejandro Caceres
By combining the principles of offensive security and distributed computing we were able to build an extremely fast and scalable web application scanner, PunkSCAN. It is an extremely stable and fast web application scanner that runs on a Hadoop cluster and as part of this presentation we’re releasing it free and open source. PunkSPIDER, the main focus of this presentation, is the result of setting PunkSCAN loose on the Internet, and making the results searchable (also for free) through a web front end and REST API.
We expect PunkSPIDER will have many functions, but we are particularly hoping that by doing this, the general public becomes more aware of the security of the websites to which they are entrusting their critical data (hint: mostly they’re a mess). By holding those accountable that release these obviously insecure web applications, we hope that we will see a shift towards the average user steering clear of those websites, providing incentive for secure coding practices, or at the very least incentive for running basic vulnerability checks on a web application prior to deployment. We will be the stick that hits web app developers and web app administrators when they do something dangerously sloppy.
Alejandro Caceres is a Computer Network Operations Engineer and web application penetration testing subject matter expert with Lunarline Inc at his “real job” and is the owner/developer/engineer/everything of Hyperion Gray, LLC at his “not-so-real job.” Hyperion Gray is a small organization of coders interested in creating cool and hip offensive security tools for the open source community. He has an interest in creating applications that have a global impact through distributed computing and offensive security principles.
Armor For Your Android Apps
Roman Faynberg
Our defensive security talk is primarily targeted towards Android developers. We will share "war stories" of Android vulnerabilities and exploits to show the audience how "not to code". We will then talk about best practices and guidelines that Android developers should follow and defensive techniques that should be integrated into Secure SDLC at various stages of development. Our real-life examples will show how these techniques actually help prevent exploitation. Finally, we plan to release a sample "HackMe" Android app that will contain vulnerabilities that developers and testers alike will have fun taking apart while learning more about Android security.
Roman joined Intrepidus Group as a Principal Consultant in March 2012. Before coming on board, he was a Manager in Ernst & Young’s Advanced Security Center, their network security assessment service. Roman has performed hundreds of penetration tests; served as both the technical lead and project manager for a wide variety of application security, mobile, and network vulnerability assessments for many Fortune 100 companies; and served as a technical trainer, teaching secure coding classes to software developers. Roman’s current research interests lie in the area of Android security and RFID hacking.
Bringing The Sexy Back To...Defense In Depth
Martin Fisher
“Defense In Depth” is considered by most to be a useless marketing trope that vendors used to sell you more boxes with blinky lights that showed you were “serious” about security. Forget that the boxes may or may not do what was advertised, may not provide usable data, or even fail open when they crap the bed.
Instead we decided to build The Perimeter. Higher walls, bigger locks, more money. That didn't work. The Perimeter Is Dead, Long Live The Perimeter!
So what do we do now? What amazing boxes with blinky lights do we need to convince our bosses to fund next quarter?
In this talk I will posit that, more than likely, you actually have (or can easily get) most (if not all) of what you need to create an effective, pragmatic, and resilient security program. I will show that by changing our thinking, our perception of “Fail vs. Win” we can provide real value to our business.
Martin Fisher has been in IT for over 20 years and in information security for the last seven. He's worked in large and small companies in sectors ranging from commercial aviation to finance to (today) healthcare. He is passionate about “Doing Security Right” which means taking a hard pragmatic look at what you need, what you have, and what you need to do.
Martin is also the host of The Southern Fried Security Podcast (www.southernfriedsecurity.com) and is known to be something of a Twitter whore.
C10M – Defending the Internet At Scale
Robert Graham
A decade ago, engineers tackled the “c10k” scalability problems that prevented servers from handling more than 10,000 concurrent connections. This problem was solved by fixing OS kernels and moving from threaded servers like Apache to event-driven servers like Nginx/NodeJS. This talk is about the next level in scalability: systems that handle 10 MILLION concurrent connections. Such systems already exist, though instead of being called “servers” they are called “devices”, like firewalls, IPS, DPI, load balancers, carrier NAT, etc. It’s not hardware that makes these systems scale, but software. Indeed, many of these scalable “devices” are simply x86 servers with a different logo on the front panel. This talk broadly covers the major areas of making a scalable system from a standard x86 desktop, discussing asynchronous event driven design, custom stacks, multi-core programming, low-level optimizations, and security.
Robert David Graham
CEO of Errata Security
Created the first IPS (BlackICE Guard), which is now sold as “Proventia”, which scales to 10 million concurrent connections on x86 hardware.
http://erratasec.blogspot.com
@ErrataRob
robert_david_graham@yahoo.com
Hacking As An Act Of War
G. Mark Hardy
Once the exclusive domain of a small number of geniuses, hacking has gone "mainstream" as an element of national defense. The United States has established a four-star Cyber Command to provide coordinated military digital response after suffering massive data breaches. NATO established the Cooperative Cyber Defense Center of Excellence in Estonia after that nation was the target of extensive cyber attacks. When Georgian government systems came under cyber attack during the Russian offensive in Abkhazia and South Ossetia, the nation shifted critical Internet assets to a private hosting company in Atlanta, USA. Subsequently those systems came under attack. At what point does hacking (read, "computer network attack") rise to the level of warfare? Could United Nations Article 51 be invoked to engage collective self-defense against an attacker? How well informed are the political leaders who will decide how a nation will pursue its cyber objectives? What role should we play as cyber-citizens? We'll examine some of the skirmishes that have set the stage for all-out cyberwarfare, and explore reasons why we haven't yet fought the "big one."
G. Mark Hardy is founder and President of National Security Corporation. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is an internationally recognized expert who has spoken at over 250 events world-wide. G. Mark serves on the Advisory Board of CyberWATCH, an Information Assurance/Information Security Advanced Technology Education Center of the National Science Foundation. A graduate of Northwestern University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration, a Masters in Strategic Studies, and holds the GSLC, CISSP, CISM and CISA certifications.
Malware Analysis: Collaboration, Automation & Training
Richard Harman
Whether you're a novice or a professional at analyzing malicious code, you'll have a desire to learn or pass on that skill. Most malicious code analysis is performed by a single analyst, sometimes with collaboration tools for sharing comments on code between two or more analysts. In this presentation you will learn how to set up a virtualized analysis environment that is suitable for solo analysis, training a classroom of students, passing an analysis VM between analysts, and self-service “session” playback of previous analysis sessions. All of this while not getting in your way, and making efficient use of RAM & disk space.
Richard Harman is an incident responder at SRA International's internal Security Operations Center, where he slings Perl code supporting incident response and performs analysis & reverse engineering of targeted attack malware samples. He writes and releases many Perl scripts in support of his work on github at github.com/warewolf. Outside of his day job, he can be found hacking firmware on his Mini Cooper at the Nova Labs makerspace in Reston, VA.
Mastiff: Automated Static Analysis Framework
Tyler Hudak
Malware analysis consists of two phases – static and dynamic analysis. Dynamic analysis, or analyzing the behavior of a sample, has already been automated in numerous projects. Static analysis, or analyzing key characteristics of a sample, has not. Therefore, responders must run tools by hand or put together scripts that automate the process. This leads to situations where analysis occurs more slowly or inefficiently.
To alleviate this, we have developed MASTIFF, a new open-source static analysis automation framework. This presentation will introduce MASTIFF and discuss:
- Automating static analysis and the problems associated with it.
- How MASTIFF overcomes those problems.
- MASTIFF's capabilities and how it works.
- How plug-ins can be developed to extend the functionality of the framework.
- How the security community can contribute to extending and enhancing MASTIFF.
Demonstrations of MASTIFF on malicious files will also be performed.
Tyler Hudak is a Senior Security Consultant for KoreLogic Security and has extensive real-world experience in malware analysis and incident handling for Fortune 500 firms. Tyler is a member of the Forum of Incident Response and Security Teams (FIRST) and leads the FIRST Malware Analysis Special Interest Group. He has previously presented at a number of conferences, is on the board of the NorthEast Ohio Information Security Forum and maintains a blog at http://secshoggoth.blogspot.com.
Openstack Security Brief
Matt Joyce
This talk is a breakdown of security concerns relating to the OpenStack cloud software. OpenStack is an open source IaaS solution compatible with Amazon EC2 / S3 and Google's GCE. The purpose of the talk is to introduce and demonstrate the working mechanics of cloud security mechanisms, or lack thereof. The presentation will follow the flow of introducing the primary software and deployment model as it relates to security needs. Specific limitations of the technology will be discussed. The next phase will be the discussion of specific protocols in use, and how to tap, fuzz, or otherwise work with them. I will call out known issues that are as yet unaddressed. I will present statistics on where past vulnerabilities have been found and reported. Finally I will discuss the future plans of OpenStack's open source development community and what impact that will have on future security analysis. I believe this talk would be beneficial for any SOC team, policy writer, or even vulnerability researchers who are not familiar with IaaS backend infrastructure. Or anyone interested in OpenStack.
Matt Joyce is an alumnus of the NASA Nebula project, where OpenStack was created. OpenStack is an open source IaaS solution. Matt Joyce is an active contributor to the OpenStack project, and is a member of the OpenStack Security Group. Matt also runs an OpenStack security related blog at secstack.org. Matt works for Cloudscaling. Matt once created counterfeit conference badges for ShmooCon.
The Computer Fraud and Abuse Act: Swartz, Auernheimer, and Beyond
Orin Kerr and Marcia Hofmann
The Computer Fraud and Abuse Act is controversial for its broad reach and potential for misuse. In this presentation, Professor Orin Kerr and Marcia Hofmann from EFF discuss several recent prosecutions brought under the Act, including cases against Aaron Swartz and Andrew Auernheimer. They will explain the disagreement in the courts about how to interpret the Act and will also discuss efforts to reform the law following Swartz's tragic death.
Orin Kerr is the Fred C. Stevenson Research Professor at the George Washington University Law School. He teaches and writes about computer crime law. He is a former prosecutor at the U.S. Department of Justice and has also represented defendants in computer crime cases. He blogs at the Volokh Conspiracy.
Marcia Hofmann is a senior attorney at the Electronic Frontier Foundation, where she works on issues including computer security, electronic privacy, free expression, and copyright. She is also a non-residential fellow at Stanford Law School's Center for Internet and Society and an adjunct professor at the University of California Hastings.
Running a CTF: Panel and Discussion on the Art of Hacker Gaming
Branson Matheson (Moderator), Brett Thorson, Liam Randall, Tyler Nighswander and Jordan Wiens
What makes a good Capture The Flag (CTF)? How hard is it to put one on? What things should you consider if you do it? Come meet the folks that know! Hacker gaming has become a major feature of most security conferences, large and small, as a draw for competitive types, but also for spectators to enjoy. Many different paths have been taken to make them more enjoyable for both groups. We're going to talk about the different aspects of hacker gaming: how to make a CTF, what the challenges are, how to score it, etc.; and discuss the details of how each group has solved these challenges. The panel will have a pre-selected set of questions, and we'll solicit a few from the audience as well. We'll also have some cool stories about what worked, what didn't and some of the fun had at these events.
Moderator: Branson Matheson (sand) - Long-time sysadmin, architecture and security geek. Team Lead for Duplicity CTF
Panel Members:
- Brett Thorson (THOR!) - DuplicityCTF Story Guy, Handynerds Podcast
- Jordan Wiens - Ghost in the Shellcode
- Tyler Nighswander - PPP
- Liam Randall - DuplicityCTF Systems Guy
Paparazzi Over IP
Daniel Mende and Pascal Turbing
Almost every recent higher class DSLR camera features multiple and complex access technologies. For example, CANON's new flagship features IP connectivity both wired via 802.3 and wireless via 802.11. All big vendors are pushing these features to the market and advertise them as realtime image transfer to the cloud. We have taken a look at the layer 2 and 3 implementations in the CamOS and the services running upon those. Not only did we discover weak plaintext protocols used in the communication, we've also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the "upload to the clouds" feature resulted in an image stealing Man-in-the-Imageflow. We will present the results of our research on cutting edge cameras, exploit the weaknesses in a live demo and release a tool after the presentation.
Daniel Mende is a German security researcher specializing in network protocols and technologies. He is well known for his Layer 2 extensions of the SPIKE and Sulley fuzzing frameworks and has presented on protocol security on many occasions, including Troopers, Black Hat, CCC, IT Underground and ShmooCon. He usually releases a new tool when giving a talk.
Pascal Turbing is a network geek, auditor and penetration tester who loves to explore network devices, protocols, applications and to break flawed ones.
Apple iOS Certificate Tomfoolery
Tim Medin
Mobile devices rely on many complex systems for security, reintroducing mistakes in implementation and design that are reminiscent of the 1990s. Certificate trust and validation checking is one area of critical importance, yet iOS fails to implement controls that are comprehensively effective.
In this One Track Mind session, Tim will present two previously unreleased attacks against Apple iOS certificate validation, the result of several months of intense research. By discussing these flaws and looking at opportunities to improve security going forward, Tim will show that Apple iOS security still has a lot of room for improvement, and that we can all laugh (and cry a little) at the funny mistakes and oversights that turn into significant security flaws.
Tim works for Counter Hack, developing real-world hacking challenges for organizations that need to improve their offensive and defensive security skills. He is a firm believer in the necessity of the conditional operator in every programming language, even though his colleagues think it's unnecessary. Tim is a seasoned presenter, author, and developer, with an unusual affinity for Tom Jones.
Forensics - ExFat Bastardized for Cameras
Scott Moulton
In forensics there is a new file system called exFAT. Microsoft has made a deal with the SD Card Association to make exFAT the standard for all SD cards over 32 GB. Microsoft has protected this property and is doing everything it can to collect licensing fees for exFAT from any device wanting to use the SD Association's standard. Many people do not know about the changes that are happening in cameras, which will eventually affect every single new device, from laptops and OSs to tablets and phones.
We have all been blindsided: Microsoft now owns the market for SD cards larger than 32 GB and will BE PAID for every new device, including Linux-based ones, due to this change in storage media. In turn this affects forensics, and adds additional costs to forensic equipment and software. I will break down this new format, show how this cost is implemented, and educate people about SDXC and where it will be used.
Scott Moulton is a Forensic Data Recovery Expert and runs www.MyHardDriveDied.com. He is an expert in forensic hard drive data recovery. Scott wrote, and teaches all over the world to both the public and private sectors, a course on recovery. Scott focuses his efforts on dispelling the myths of data recovery by showing how you can rebuild your own hard drives and perform data recovery for investigations or as a business venture. Scott gets hired all over the world to train investigators on how to recover the damaged media or equipment in their cases so that they do not have to send it out to expensive shops that don't know how to handle chain of custody properly on the equipment. Scott believes that forensic cases involving damaged media are very specialized and finds them exciting.
Many times working on a case, Mr. Moulton will be given hard drives that had already failed in an effort to *blame* the opposition or to slow down the work and cost the opposing forces more money. To combat the *blame* scenario, Mr. Moulton developed a skill at rebuilding hard drives and recovering data. In the five years since its inception, Mr. Moulton has handled many complex cases that include homicide, embezzlement, theft, divorce, child pornography and corporate fraud and continues to combat dead hard drives to this day. You can find him at MyHardDriveDied.com and ForensicStrategy.com. If you get arrested, you might need that number!
From "Shotgun Parsers" to Better Software Stacks
Meredith Patterson, Sergey Bratus and Dan 'TQ' Hirsh
Everyone agrees that aggressive input checking and validation of input-handling code are crucial to secure programming. Yet vulnerabilities still abound, and exploitation still defies all kinds of protective measures (e.g., DEP, ASLR, EMET, etc.). Suppressed in some system layers and environments, exploitation quickly resurfaces in others as even more versatile; this means that we _still_ don't know how to properly design a software stack that safely handles data on several layers of abstraction.
Any code that transforms data has to make some assumptions about what it receives; it's up to some other code to recognize if the data is as it expects. The sole purpose of this recognizer is to protect subsequent innocent code from being lured into memory corruption or from otherwise aiding and abetting pwnage.
Sadly, a lot of actual input handling code is a mixture of data processing and recognition, scattered throughout a codebase. Its "sanity checking" is neither strong enough to verify all the implicit assumptions, nor written with these assumptions in mind. We call such input handling code "shotgun parsers" and argue that it is the number one reason for the ubiquitous insecurity of programs facing the Internet.
In this talk, we will discuss examples of shotgun parsers across the layers of a TCP/IP stack and well-attested exploits for them, drawn from the pages of Phrack and other sources. We'll discuss the kind of software engineering principles that could have prevented them, and talk about the engineering methods that we believe will lead away from the "shotgun parsers", towards software stacks that can finally be trusted to safely process inputs.
Our previous talks (see http://langsec.org/) concentrated on theory; in this talk, we take the practical software engineering view.
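As an added illustration of the distinction drawn above between a recognizer and the processing code it protects, here is a toy length-prefixed record format handled two ways. This is example code written for this page, not the speakers' own work; the wire format, the `MAX_PAYLOAD` limit and the sample messages are all constructed for the demonstration. `shotgun_parse()` interleaves its checks with processing, the pattern the talk calls a "shotgun parser"; `recognize()` decides whether the whole message is well-formed before `process()` ever sees it.

```python
# Added example for this page (not the speakers' code): a constructed,
# length-prefixed record format handled two ways. shotgun_parse() mixes
# recognition with processing; recognize() accepts only well-formed messages
# and hands process() data whose invariants have already been established.
#
# Constructed wire format (an assumption of this example):
#   magic   2 bytes   b"RC"
#   count   1 byte    number of records that follow
#   record  type(1) length(1) payload(length), repeated `count` times

MAX_PAYLOAD = 64  # assumed limit for this example, not part of any real protocol


def shotgun_parse(data: bytes) -> dict:
    """Shotgun parser: each check guards only the assumption its author
    happened to think of, and processing runs on partially checked data."""
    if data[:2] != b"RC":
        raise ValueError("bad magic")
    count = data[2]                       # IndexError if the message is 2 bytes
    pos = 3
    records = {}
    for _ in range(count):
        rtype = data[pos]                 # IndexError if `count` overstates the records
        length = data[pos + 1]
        pos += 2
        payload = data[pos:pos + length]  # slicing silently truncates a short payload
        pos += length
        records[rtype] = payload.decode("ascii")  # UnicodeDecodeError on binary payload
    return records                        # trailing bytes after the last record go unnoticed


class RejectedInput(ValueError):
    """Raised by the recognizer for any input outside the accepted language."""


def recognize(data: bytes) -> list:
    """Recognizer: decide membership in the set of well-formed messages before
    any processing code touches the bytes. Returns (type, payload) pairs."""
    if len(data) < 3 or data[:2] != b"RC":
        raise RejectedInput("missing or wrong header")
    count = data[2]
    pos = 3
    records = []
    for i in range(count):
        if len(data) - pos < 2:
            raise RejectedInput(f"record {i}: header truncated")
        rtype, length = data[pos], data[pos + 1]
        pos += 2
        if length > MAX_PAYLOAD:
            raise RejectedInput(f"record {i}: payload length {length} exceeds limit")
        if len(data) - pos < length:
            raise RejectedInput(f"record {i}: payload truncated")
        payload = data[pos:pos + length]
        if any(b < 0x20 or b > 0x7E for b in payload):
            raise RejectedInput(f"record {i}: non-printable payload")
        pos += length
        records.append((rtype, payload))
    if pos != len(data):
        raise RejectedInput(f"{len(data) - pos} trailing byte(s) after last record")
    return records


def process(records: list) -> dict:
    """Processing code: may rely on every invariant the recognizer enforced."""
    return {rtype: payload.decode("ascii") for rtype, payload in records}


def accepts(data: bytes) -> bool:
    """True if the recognizer admits the message."""
    try:
        recognize(data)
    except RejectedInput:
        return False
    return True


def shotgun_outcome(data: bytes):
    """The shotgun parser's behaviour on an input: its result, or the name of
    whatever exception happened to fire (the failure mode depends on the input)."""
    try:
        return shotgun_parse(data)
    except Exception as exc:
        return type(exc).__name__


# Constructed sample messages.
GOOD = b"RC\x02\x01\x05hello\x02\x05world"
TRUNCATED = b"RC\x02\x01\x05hello\x02\x05wor"   # second payload cut short
LYING_COUNT = b"RC\x03\x01\x05hello"             # header promises three records

if __name__ == "__main__":
    for name, msg in [("good", GOOD), ("truncated", TRUNCATED), ("lying count", LYING_COUNT)]:
        print(f"{name:12} shotgun    -> {shotgun_outcome(msg)!r}")
        print(f"{name:12} recognizer accepts? {accepts(msg)}")
    print(process(recognize(GOOD)))
```

On the truncated message the shotgun parser returns a plausible-looking but wrong record (`{1: 'hello', 2: 'wor'}`), and on the lying count it dies with an `IndexError` whose location depends on the input; in a memory-unsafe language the same two inputs would be an over-read and a silent truncation. The recognizer rejects both, along with trailing bytes and binary payloads, so `process()` only ever runs on messages that are in the language it was written for.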
Meredith L. Patterson is a founder of Upstanding Hackers, LLC and a co-creator of the language-theoretic approach to security (http://langsec.org/). She developed the first language-theoretic defense against SQL injection in 2005 as a PhD student at the University of Iowa and has continued expanding the technique ever since. She lives in Brussels, Belgium.
Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing.
Identity-Based Internet Protocol Network
David Pisano
The Identity-Based Internet Protocol (IBIP) Network project is experimenting with a new enterprise-oriented network architecture that uses standard IPv6 to encode user and host identity (ID) information into the IP address. Our motivation is to increase our security posture by leveraging identity, reducing our threat exposure, enhancing situational understanding of our environment, and simplifying network operations. Our current implementation uses credentials from the Common Access Card (CAC) and from the computer's Trusted Platform Module (TPM) to establish a host and user ID and IP address. A registration process, built on top of 802.1X, occurs between the host and a RADIUS server. After validating the credentials, the RADIUS server automatically configures the edge router fronting the host with appropriate access privileges so that no IP address spoofing (or impersonation) is permitted. Hosts that are client machines do not have their IP addresses advertised, making them unreachable by, or hidden from, reconnaissance initiated by other clients. Servers have their IP addresses advertised as usual. A unique IPv6 extension header was conceived to enable return traffic to hidden clients. Access controls are created and deployed from the RADIUS server without human intervention, enforcing established policies.
David earned a B.S. in Applied Networking and Systems Administration and an M.S. in Networking and Systems Administration from Rochester Institute of Technology. He is a contributor to The Honeynet Project. Professionally, David is active in research in the fields of network engineering and network security. His interests include data visualization and data correlation. David has coauthored multiple peer-reviewed papers in the fields of networking and cyber security.
The Cloud - Storms On The Horizon
Tyler Pitchford
At its heart, the “cloud”, as it’s so lovingly referred to, is really just shorthand for shared resources. The cloud is regularly touted as the answer to all of your IT woes, often invoking images of care-bears, marshmallows, and other such nirvanic images. But beyond the marketing pitches, and the oft-discussed technological concerns, there is a storm brewing. There are very real, and very serious, legal concerns lurking inside this brave new world of resource sharing. Sadly, it’s not just the global cloud that suffers from these concerns; even your own virtualized server is at risk.
Governments have been increasingly upping their rhetoric on cloud-based data, pushing for greater access than ever before. Do you own your data? Who else has access to your data? What happens when your co-mingled data ends up under a government investigation? And, beyond the global cloud, what is the real-world impact of a third-party subpoena showing up on your doorstep when you’ve virtualized your websites on a single physical server? This is our topic. We will discuss the current law, and the ways that you can legally and technologically.
Tyler holds a B.A. in Software Design from New College of Florida, and a J.D. from the Stetson University College of Law. He is the co-founder of the Azureus BitTorrent client. In the software world, he has been everything from a bit-twiddler to an executive. Currently, he works as an appellate attorney, but has previously worked for the Florida State Attorney's office, the U.S. District Court for the Middle District of Florida, and the Florida Supreme Court. Tyler has also presented and taught courses on various computer and legal topics around the country throughout the years.
NSM And More With Bro Network Monitor
Liam Randall
Bro is a stateful, protocol-aware, open source, high-speed network monitor with applications as a next-generation intrusion detection system, real-time network discovery tool, historical network analysis tool, real-time network intelligence source, and dynamic active response engine. Bro was originally developed by Vern Paxson, who now leads the core team of developers and researchers at both the International Computer Science Institute in Berkeley, CA and the National Center for Supercomputing Applications in Urbana-Champaign, IL.
Bro provides a security team with logs of highly structured data about their network, a Turing-complete scripting language through which they can interact with real-time stateful network events, and flexible open interfaces through which Bro can be programmed. Pragmatically able to interface with the entire network stack, Bro includes support for IPv6, tunneled traffic, SSL and more. In this presentation we present multiple case studies and release their corresponding Bro scripts with source.
- Bro Introduction: Overview of Events and Logs
- Beyond signature based IDS; utilizing Bro as a programmatic network monitor to detect events
- Real time passive network service discovery with Bro on complex traffic links (MPLS/IPv4/ IPv6)
- Brotego: a Bro/Maltego integration for incident response and network analysis
Liam was working in Information Technology long before it was hip to be in tech. After earning his CS degree he has worked as a network administrator on some very large networks in both the public and private sectors. He has spent the last few years auditing, training and setting up internal security teams dealing with a myriad of compliance, regulatory and technical issues, primarily in the banking, telecommunications, and education sectors.
In his free time Liam volunteers on a number of open source projects, runs CTFs, and produces a large variety of spirits.
Generalized Single Packet Authorization For Cloud Computing Environments
Michael Rash
Cloud Computing environments such as those provided by Amazon and Google can be your passport to powerful computing resources without having to worry about typical provisioning and hardware issues, but if the recent Microsoft RDP vulnerability (CVE-2012-0002) is any guide, security is still a real problem.
This talk will present techniques to generalize Single Packet Authorization (SPA), as implemented by the "fwknop" project, to most Cloud Computing environments, subject to certain requirements. Cloud providers usually implement their own network ACL capabilities among other security measures to maintain data separation between clients, and yet they also need to allow functional remote access to individual cloud images via SSH or another administrative protocol. This is where fwknop comes in. Although fwknop does not integrate directly with proprietary cloud provider network ACLs, this does not present a problem, and as proof a functioning deployment of fwknop within Amazon's Virtual Private Cloud (VPC) environment will be demonstrated as a protection against the RDP vulnerability. Further, in the case of VPC networks, contrary to the typical Amazon VPC NAT model, such a deployment requires the use of only one EC2 Elastic IP in order for SPA to facilitate access to any internal system.
Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland, and is author of the book "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" published by No Starch Press. Michael works professionally as a Security Architect for Enterasys Networks, Inc., and previously worked as a Security Architect for G2, Inc. He is a frequent speaker at computer security conferences, and is the founder of cipherdyne.org, an organization dedicated to open source security technologies. Michael is the lead developer of the psad, fwsnort, and fwknop projects.
DIY: Using Trust To Secure Embedded Projects
Teddy Reed and David Anthony
This presentation and paper provide a DIY guide to using Trusted Computing on embedded devices. This is NOT an introduction or overview of Trusted Computing. We introduce a low-cost schematic using Atmel's CryptoModule (AT97SC3204T) and CryptoAuthentication (AT88SA102S) ICs, and release drivers for UEFI, U-Boot, and the Linux kernel. Using these ICs as a base, we demonstrate (and provide code!) ways anyone can use Trusted Computing concepts for embedded projects (Linux IMA, signed data exchange), most importantly a secured bootstrap from ROM code to a userland application. We also demonstrate how the TPM can be used to encrypt and sign Ethernet frames. This is a response to (and an implementation of a well-known mitigation strategy for) attack vectors using various pre-boot environments such as UEFI, BIOS, Option ROMs, and other bootloaders. By the end of the presentation, participants should understand how to use a TPM to secure their creative embedded projects. We plan on making "kits" with the components needed to make a TPM breakout, and giving away as many as we can afford to jump-start your projects.
Teddy is a computer science researcher working for the USA with a focus on large-scale enterprise network modeling and simulation. He has a passion for security and CTF competitions.
David is currently employed as an incident responder with a strong interest in software engineering. He is a recent college graduate with a passion for cryptography, cryptanalysis and digital privacy.
Ka-Ching! How To Make Real Money
Margaret Russell
Emerging security technology (your technology) is overlooked, undersold, and underutilized, partly because big customers often procure from big companies. Startups and young companies face stiff sales competition from established companies that have large marketing and sales organizations. This talk provides the secrets to winning competitive sales scenarios when the written response to an RFP is the key to being competitive.
Successful sales to businesses or governments usually rely on qualifying rounds of requests for information, proposals, quotes, and oftentimes demonstrations. For a startup or young company that concentrates on technology over marketing, this standard process can be exclusionary. Here’s how to manage a sales process that is dependent on response documents to win the business. And make money. Real Money.
Ms. Russell is a marketing professional with over 30 years experience in networking software, secure networks, and SaaS. She has written and managed hundreds of technical software and services proposals for very large, insanely large, and ginormous multi-national companies. She has run projects that have brought in billions of dollars to her corporate masters. It’s time for the little guys to know the secrets, too. She holds a BA from New York University and a Master’s from Cornell. This is her first ShmooCon talk.
How Smart Is Bluetooth Smart?
Mike Ryan
We are entering a golden age of affordable broad spectrum wireless sniffing. I will demonstrate how to use the new generation of wireless hacking tools to intercept and inject Bluetooth Low Energy communications.
Bluetooth LE, aka, Bluetooth Smart, is a new low power mode defined in the recent Bluetooth 4.0 spec. Found in recent high-end smartphones, it is used in sports devices, sensors, and will soon appear in some medical devices.
This talk covers both the Bluetooth LE protocol and the tools and techniques used to study it. It features live demonstrations of sniffing Bluetooth LE using Ubertooth and other hardware.
The software presented in the talk was developed by Mike Ryan and is available open source as a part of the Ubertooth project.
Mike Ryan likes to take things apart, break them, and put them back together better than before. He recently joined the Ubertooth team to sniff out security issues in the latest low-power version of Bluetooth: Bluetooth Low Energy (LE). Mike gave a WIP talk on his work at ToorCon 14.
These Go to Eleven: When the Law Goes Too Far
Michael Schearer
Agents line up at a nondescript door which houses command and control servers for a criminal botnet. They enter with a court order to shut it down and seize the servers, but these agents aren't law enforcement: they're from Microsoft. Somewhere across the ocean, a domain goes offline. Customers, some legit, some not, lose their work product. They are on the receiving end of civil asset forfeiture by ICE or DHS, which seized the domain with no warning and scant due process. These are but two of the ways the law is pushing its own boundaries to go on the offensive against sophisticated and complex cybercrime. It's time we stop and pause to review these tactics; the results might just surprise you.
Michael Schearer ("theprez98") is the founder of MyFreeState and the Assault on Privacy, projects which document abuses of freedom and liberty. He is a Senior Penetration Tester at Booz Allen and a law student at UDC-DCSL. He spent nearly nine years in the Navy as an EA-6B Prowler ECMO. His military experience includes aerial combat missions over Afghanistan and Iraq and nine months on the ground doing counter-IED work with the Army. He is a graduate of Georgetown's National Security Studies Program and a speaker at ShmooCon, DEFCON, HOPE, and other conferences. Michael lives in Maryland with his wife and children.
Protecting Sensitive Information on iOS Devices
David Schuetz
We've seen the deep technical research showing what makes iOS devices secure (or sometimes not so much). But once you grok ASLR and code signing, are you really any closer to understanding the risk these devices present to your environment?
This talk reviews the key technologies available to keep data protected on iStuff, hopefully framing the discussion in a way decision makers can understand. From built-in features, to tricks for getting around them, to advanced attacks, we look at the most important things you can do to keep your data secure, and provide a no-nonsense reality check on the reasons you'll never be 100% safe.
The talk concludes with a short review of best practices, both for configuration and custom application development, as well as a review of improved controls introduced in iOS 6.
David is a Senior Consultant with Intrepidus Group, where he performs web and iOS application security testing, penetration testing, iOS research, MDM reverse engineering, and other such fun. He's fortunate to have spoken at multiple security conferences on topics from rainbow tables to MDM to puzzle contests.
When not actively engaged in paying work, David loves solving crypto puzzles, working on side projects like KhanFu.org, and, when he remembers the app on his phone, looking for geocaches. He can be found on Twitter as DarthNull, and is way behind on his puzzle writeups at darthnull.org.
Chopshop: Busting The Gh0St
Wesley Shields and Murad Khan
In incident response or intelligence gathering, the question "what happened on the network" is commonplace. As adversaries deploy remote access trojans onto target networks, being able to answer that question depends upon your ability to understand the protocols being used. Some protocols are well understood by common utilities like Wireshark, but what do you do when the protocol is foreign to your tools? You have to write a custom decoder. We will present Chopshop, an open source framework for protocol analysis and decoding. Chopshop tries to make the task of writing a custom protocol decoder as easy as possible by presenting a standard API for the decoder and a rich set of libraries. The decoders are modules that run on top of the framework, which makes sharing the decoders with third parties and partners considerably easier. We will demonstrate Chopshop in the context of the gh0st protocol (discussed in published reports such as The VOHO Campaign), a well-known remote access trojan.
Wesley Shields and Murad Khan are information security engineers for The MITRE Corporation, a not-for-profit organization that manages federally funded research and development centers. They work in the internal information security group on a specialized team of analysts and developers focused on dealing with targeted attacks. They build custom tools and augment commercial capabilities to mitigate targeted attacks and produce actionable intelligence on adversarial activity.
0wn The Con
The Shmoo Group
Join us as we go over all the background details of planning ShmooCon. We'll share the budget, stats about speaker selection, and as always talk about the hot hot topic of ticket sales. This session is mostly informative, in a fun and fast-paced way. If you have questions about the con, then don't miss it.
The Shmoo Group is the leading force behind ShmooCon. This session will be led by Bruce and Heidi Potter.
Hide And Seek, Post-Exploitation Style
Tim Tomes and TJ O’Connor
Geo-location allows us to translate the virtual location of an object to its physical location on Earth. For benign reasons, applications permit the use of different geo-location techniques. Some methods are transparent to users while others require explicit permission. Our talk briefly covers how geo-location works, discusses specific API calls and available geo-location databases, and releases several new geo-location tools.
- The first tool, Honey Badger, is a robust web based framework built for geo-locating targets. Through native HTML5 and client-side Java, Honey Badger forces the browser to reveal its current physical location to a remote command and control platform. Honey Badger will be released during the talk.
- Next, Pushpin is a Python script that scrapes social media around specific geo-coordinates to reveal discussions, images, and videos that might assist during the physical reconnaissance phase of a penetration test. PushPin is currently available.
- Finally, we will release a series of Metasploit post-exploitation scripts that can assist in physically identifying a target following a successful compromise. From using a victim's wireless card against them, to scanning the machine for EXIF-enabled imagery and parsing browser databases, these scripts will assist in getting the "pattern of life" of a hooked victim.
Tim Tomes is a Senior Security Consultant for Black Hills Information Security with over 15 years' experience in information technology and application development. Tim spent three years as the Army Red Team Senior Team Leader and managed the Army’s first Cyber Defense Training Program. Tim has presented at Hack3rCon, Colorado Springs ISSA, and DerbyCon.
TJ O'Connor is a DoD expert on information security. He is the National Defense University Cyber Challenge Champion and co-coached two winning teams at the National Security Agency's Cyber Defense Exercise. TJ authored Violent Python.
Moloch: A New And Free Way To Index Your Packet Capture Repository
Andy Wick and Eoin Miller
Moloch is a highly scalable, open source, full packet capture system that was published to the world in October 2012 (http://github.com/aol/moloch). Moloch has the ability to parse and index billions of network sessions to provide an extremely fast and easy to use web application for navigating large collections of PCAP based on IP/GeoIP/ASN/hostname/URL/filetype and more. It can capture live from the wire for use as a network forensics tool to investigate compromises. Moloch also serves as a great way of searching and interacting with large PCAP repositories for research (malware traffic, exploit/scanning traffic). Moloch's web API also makes it extremely easy to integrate with existing SIEMs or other alerting tools/consoles to help speed up analysis.
Andy Wick and Eoin Miller are members of AOL's Computer Emergency Response Team. Andy Wick has more than 15 years of development experience at AOL. He has recently come into the CERT group and has begun developing tools for defense and forensics. Eoin Miller specializes in using IDS and full packet capture systems to identify drive-by exploit kits and the traffic that feeds them (malvertising in particular). He regularly contributes the signatures he develops to EmergingThreats/OISF and other groups.
Mainframed: The Secrets Inside That Black Box
Phil Young
The mainframe is not legacy, far from it. Not only is it not legacy, but the majority of Fortune 100 companies run a current and up-to-date mainframe OS. Airline, insurance, financial, power and oil industries, governments and three-letter agencies worldwide run them, yet no one in the community knows how to properly tackle these 'iron beasts'. Be it a lack of access by the security community or the false notion that mainframes are dead, there is a distinct gap between the IT security world and the mainframe world. This presentation aims to help close this gap by talking about common security pitfalls on the mainframe and how you can take advantage of, or secure against, them. After this talk you'll be able to talk intelligently about mainframes, use SHODAN to find mainframes, enumerate and brute force users, crack the password database with John the Ripper and run netcat. Since mainframes are a big world, I will also show you how you can run your own mainframe at home on whatever old laptop you've got lying around using open source software, so that you too can get your hands dirty!
Ever since he saw the movie TRON, Phil has been fascinated with computers, mainframes especially. Throughout his career he's had the chance to review mainframe security at various large organizations. He has worked in IT security for 9 years but ever since he learned you could emulate your own mainframe he's been knee deep in JCL, print queues and OMVS. Some people build toy trains, others model airplanes, but Phil's hobby is mainframe security. He has given a talk about mainframe security at BSidesLV, has been interviewed for podcasts and maintains a blog about mainframe security research.
Ten Strategies of a World-Class Computer Security Incident Response Team
Carson Zimmerman
Today's Computer Security Incident Response Team (CSIRT) should have everything it needs to mount a competent defense of the ever-changing IT enterprise: a vast array of sophisticated detection and prevention technologies, a virtual sea of cyber intelligence reporting, and access to an exploding workforce of talented IT professionals. Yet most CSIRTs continue to fall short in keeping the adversary, even the unsophisticated attacker, out of the enterprise. Why is this? In this talk, the presenter will offer some observations on what it takes to do Computer Network Defense well in the modern IT enterprise. He will present ten fundamental qualities of an effective CSIRT that cut across elements of people, process, and technology.
The presenter is a Lead Cyber Security Engineer with The MITRE Corporation. He has ten years of experience working with large Computer Security Incident Response Teams (CSIRTs) to better defend against the adversary. He has held roles in the CSIRT ranging from tier 1 analyst to senior architect. He received a BS in Computer Engineering from Purdue University in 2002 and an MS in Information Systems from George Mason University in 2007.